2 Unix SMB/CIFS implementation.
4 Copyright (C) Gerald (Jerry) Carter 2006.
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 /* AIX resolv.h uses 'class' in struct ns_rr */
30 /* resolver headers */
32 #include <sys/types.h>
33 #include <netinet/in.h>
34 #include <arpa/nameser.h>
38 #define MAX_DNS_PACKET_SIZE 0xffff
40 #ifdef NS_HFIXEDSZ /* Bind 8/9 interface */
41 #if !defined(C_IN) /* AIX 5.3 already defines C_IN */
44 #if !defined(T_A) /* AIX 5.3 already defines T_A */
47 # define T_SRV ns_t_srv
48 #if !defined(T_NS) /* AIX 5.3 already defines T_NS */
53 # define NS_HFIXEDSZ HFIXEDSZ
55 # define NS_HFIXEDSZ sizeof(HEADER)
56 # endif /* HFIXEDSZ */
58 # define NS_PACKETSZ PACKETSZ
59 # else /* 512 is usually the default */
60 # define NS_PACKETSZ 512
61 # endif /* PACKETSZ */
65 /*********************************************************************
66 *********************************************************************/
68 static BOOL ads_dns_parse_query( TALLOC_CTX *ctx, uint8 *start, uint8 *end,
69 uint8 **ptr, struct dns_query *q )
77 if ( !start || !end || !q || !*ptr)
80 /* See RFC 1035 for details. If this fails, then return. */
82 namelen = dn_expand( start, end, p, hostname, sizeof(hostname) );
87 q->hostname = talloc_strdup( ctx, hostname );
89 /* check that we have space remaining */
91 if ( PTR_DIFF(p+4, end) > 0 )
94 q->type = RSVAL( p, 0 );
95 q->in_class = RSVAL( p, 2 );
103 /*********************************************************************
104 *********************************************************************/
106 static BOOL ads_dns_parse_rr( TALLOC_CTX *ctx, uint8 *start, uint8 *end,
107 uint8 **ptr, struct dns_rr *rr )
113 if ( !start || !end || !rr || !*ptr)
117 /* pull the name from the answer */
119 namelen = dn_expand( start, end, p, hostname, sizeof(hostname) );
124 rr->hostname = talloc_strdup( ctx, hostname );
126 /* check that we have space remaining */
128 if ( PTR_DIFF(p+10, end) > 0 )
131 /* pull some values and then skip onto the string */
133 rr->type = RSVAL(p, 0);
134 rr->in_class = RSVAL(p, 2);
135 rr->ttl = RIVAL(p, 4);
136 rr->rdatalen = RSVAL(p, 8);
140 /* sanity check the available space */
142 if ( PTR_DIFF(p+rr->rdatalen, end ) > 0 ) {
147 /* save a point to the rdata for this section */
157 /*********************************************************************
158 *********************************************************************/
160 static BOOL ads_dns_parse_rr_srv( TALLOC_CTX *ctx, uint8 *start, uint8 *end,
161 uint8 **ptr, struct dns_rr_srv *srv )
168 if ( !start || !end || !srv || !*ptr)
171 /* Parse the RR entry. Coming out of the this, ptr is at the beginning
172 of the next record */
174 if ( !ads_dns_parse_rr( ctx, start, end, ptr, &rr ) ) {
175 DEBUG(1,("ads_dns_parse_rr_srv: Failed to parse RR record\n"));
179 if ( rr.type != T_SRV ) {
180 DEBUG(1,("ads_dns_parse_rr_srv: Bad answer type (%d)\n", rr.type));
186 srv->priority = RSVAL(p, 0);
187 srv->weight = RSVAL(p, 2);
188 srv->port = RSVAL(p, 4);
192 namelen = dn_expand( start, end, p, dcname, sizeof(dcname) );
194 DEBUG(1,("ads_dns_parse_rr_srv: Failed to uncompress name!\n"));
197 srv->hostname = talloc_strdup( ctx, dcname );
202 /*********************************************************************
203 *********************************************************************/
205 static BOOL ads_dns_parse_rr_ns( TALLOC_CTX *ctx, uint8 *start, uint8 *end,
206 uint8 **ptr, struct dns_rr_ns *nsrec )
213 if ( !start || !end || !nsrec || !*ptr)
216 /* Parse the RR entry. Coming out of the this, ptr is at the beginning
217 of the next record */
219 if ( !ads_dns_parse_rr( ctx, start, end, ptr, &rr ) ) {
220 DEBUG(1,("ads_dns_parse_rr_ns: Failed to parse RR record\n"));
224 if ( rr.type != T_NS ) {
225 DEBUG(1,("ads_dns_parse_rr_ns: Bad answer type (%d)\n", rr.type));
231 /* ame server hostname */
233 namelen = dn_expand( start, end, p, nsname, sizeof(nsname) );
235 DEBUG(1,("ads_dns_parse_rr_ns: Failed to uncompress name!\n"));
238 nsrec->hostname = talloc_strdup( ctx, nsname );
243 /*********************************************************************
244 Sort SRV record list based on weight and priority. See RFC 2782.
245 *********************************************************************/
247 static int dnssrvcmp( struct dns_rr_srv *a, struct dns_rr_srv *b )
249 if ( a->priority == b->priority ) {
251 /* randomize entries with an equal weight and priority */
252 if ( a->weight == b->weight )
255 /* higher weights should be sorted lower */
256 if ( a->weight > b->weight )
262 if ( a->priority < b->priority )
268 /*********************************************************************
269 Simple wrapper for a DNS query
270 *********************************************************************/
272 #define DNS_FAILED_WAITTIME 30
274 static NTSTATUS dns_send_req( TALLOC_CTX *ctx, const char *name, int q_type,
275 uint8 **buf, int *resp_length )
277 uint8 *buffer = NULL;
279 int resp_len = NS_PACKETSZ;
280 static time_t last_dns_check = 0;
281 static NTSTATUS last_dns_status = NT_STATUS_OK;
282 time_t now = time(NULL);
284 /* Try to prevent bursts of DNS lookups if the server is down */
286 /* Protect against large clock changes */
288 if ( last_dns_check > now )
291 /* IF we had a DNS timeout or a bad server and we are still
292 in the 30 second cache window, just return the previous
293 status and save the network timeout. */
295 if ( (NT_STATUS_EQUAL(last_dns_status,NT_STATUS_IO_TIMEOUT) ||
296 NT_STATUS_EQUAL(last_dns_status,NT_STATUS_CONNECTION_REFUSED)) &&
297 (last_dns_check+DNS_FAILED_WAITTIME) > now )
299 DEBUG(10,("last_dns_check: Returning cached status (%s)\n",
300 nt_errstr(last_dns_status) ));
301 return last_dns_status;
307 TALLOC_FREE( buffer );
309 buf_len = resp_len * sizeof(uint8);
312 if ( (buffer = TALLOC_ARRAY(ctx, uint8, buf_len)) == NULL ) {
313 DEBUG(0,("ads_dns_lookup_srv: talloc() failed!\n"));
314 last_dns_status = NT_STATUS_NO_MEMORY;
315 last_dns_check = time(NULL);
316 return last_dns_status;
320 if ( (resp_len = res_query(name, C_IN, q_type, buffer, buf_len)) < 0 ) {
321 DEBUG(3,("ads_dns_lookup_srv: Failed to resolve %s (%s)\n", name, strerror(errno)));
322 TALLOC_FREE( buffer );
323 last_dns_status = NT_STATUS_UNSUCCESSFUL;
325 if (errno == ETIMEDOUT) {
326 last_dns_status = NT_STATUS_IO_TIMEOUT;
328 if (errno == ECONNREFUSED) {
329 last_dns_status = NT_STATUS_CONNECTION_REFUSED;
331 last_dns_check = time(NULL);
332 return last_dns_status;
334 } while ( buf_len < resp_len && resp_len < MAX_DNS_PACKET_SIZE );
337 *resp_length = resp_len;
339 last_dns_check = time(NULL);
340 last_dns_status = NT_STATUS_OK;
341 return last_dns_status;
344 /*********************************************************************
345 Simple wrapper for a DNS SRV query
346 *********************************************************************/
348 static NTSTATUS ads_dns_lookup_srv( TALLOC_CTX *ctx, const char *name, struct dns_rr_srv **dclist, int *numdcs )
350 uint8 *buffer = NULL;
352 struct dns_rr_srv *dcs = NULL;
353 int query_count, answer_count, auth_count, additional_count;
359 if ( !ctx || !name || !dclist ) {
360 return NT_STATUS_INVALID_PARAMETER;
363 /* Send the request. May have to loop several times in case
366 status = dns_send_req( ctx, name, T_SRV, &buffer, &resp_len );
367 if ( !NT_STATUS_IS_OK(status) ) {
368 DEBUG(3,("ads_dns_lookup_srv: Failed to send DNS query (%s)\n",
374 /* For some insane reason, the ns_initparse() et. al. routines are only
375 available in libresolv.a, and not the shared lib. Who knows why....
376 So we have to parse the DNS reply ourselves */
378 /* Pull the answer RR's count from the header. Use the NMB ordering macros */
380 query_count = RSVAL( p, 4 );
381 answer_count = RSVAL( p, 6 );
382 auth_count = RSVAL( p, 8 );
383 additional_count = RSVAL( p, 10 );
385 DEBUG(4,("ads_dns_lookup_srv: %d records returned in the answer section.\n",
389 if ( (dcs = TALLOC_ZERO_ARRAY(ctx, struct dns_rr_srv, answer_count)) == NULL ) {
390 DEBUG(0,("ads_dns_lookup_srv: talloc() failure for %d char*'s\n",
392 return NT_STATUS_NO_MEMORY;
398 /* now skip the header */
402 /* parse the query section */
404 for ( rrnum=0; rrnum<query_count; rrnum++ ) {
407 if ( !ads_dns_parse_query( ctx, buffer, buffer+resp_len, &p, &q ) ) {
408 DEBUG(1,("ads_dns_lookup_srv: Failed to parse query record!\n"));
409 return NT_STATUS_UNSUCCESSFUL;
413 /* now we are at the answer section */
415 for ( rrnum=0; rrnum<answer_count; rrnum++ ) {
416 if ( !ads_dns_parse_rr_srv( ctx, buffer, buffer+resp_len, &p, &dcs[rrnum] ) ) {
417 DEBUG(1,("ads_dns_lookup_srv: Failed to parse answer record!\n"));
418 return NT_STATUS_UNSUCCESSFUL;
423 /* Parse the authority section */
424 /* just skip these for now */
426 for ( rrnum=0; rrnum<auth_count; rrnum++ ) {
429 if ( !ads_dns_parse_rr( ctx, buffer, buffer+resp_len, &p, &rr ) ) {
430 DEBUG(1,("ads_dns_lookup_srv: Failed to parse authority record!\n"));
431 return NT_STATUS_UNSUCCESSFUL;
435 /* Parse the additional records section */
437 for ( rrnum=0; rrnum<additional_count; rrnum++ ) {
441 if ( !ads_dns_parse_rr( ctx, buffer, buffer+resp_len, &p, &rr ) ) {
442 DEBUG(1,("ads_dns_lookup_srv: Failed to parse additional records section!\n"));
443 return NT_STATUS_UNSUCCESSFUL;
446 /* only interested in A records as a shortcut for having to come
447 back later and lookup the name. For multi-homed hosts, the
448 number of additional records and exceed the number of answer
452 if ( (rr.type != T_A) || (rr.rdatalen != 4) )
455 for ( i=0; i<idx; i++ ) {
456 if ( strcmp( rr.hostname, dcs[i].hostname ) == 0 ) {
457 int num_ips = dcs[i].num_ips;
459 struct in_addr *tmp_ips;
461 /* allocate new memory */
463 if ( dcs[i].num_ips == 0 ) {
464 if ( (dcs[i].ips = TALLOC_ARRAY( dcs,
465 struct in_addr, 1 )) == NULL )
467 return NT_STATUS_NO_MEMORY;
470 if ( (tmp_ips = TALLOC_REALLOC_ARRAY( dcs, dcs[i].ips,
471 struct in_addr, dcs[i].num_ips+1)) == NULL )
473 return NT_STATUS_NO_MEMORY;
476 dcs[i].ips = tmp_ips;
480 /* copy the new IP address */
482 buf = (uint8*)&dcs[i].ips[num_ips].s_addr;
483 memcpy( buf, rr.rdata, 4 );
488 qsort( dcs, idx, sizeof(struct dns_rr_srv), QSORT_CAST dnssrvcmp );
496 /*********************************************************************
497 Simple wrapper for a DNS NS query
498 *********************************************************************/
500 NTSTATUS ads_dns_lookup_ns( TALLOC_CTX *ctx, const char *dnsdomain, struct dns_rr_ns **nslist, int *numns )
502 uint8 *buffer = NULL;
504 struct dns_rr_ns *nsarray = NULL;
505 int query_count, answer_count, auth_count, additional_count;
511 if ( !ctx || !dnsdomain || !nslist ) {
512 return NT_STATUS_INVALID_PARAMETER;
515 /* Send the request. May have to loop several times in case
518 status = dns_send_req( ctx, dnsdomain, T_NS, &buffer, &resp_len );
519 if ( !NT_STATUS_IS_OK(status) ) {
520 DEBUG(3,("ads_dns_lookup_ns: Failed to send DNS query (%s)\n",
526 /* For some insane reason, the ns_initparse() et. al. routines are only
527 available in libresolv.a, and not the shared lib. Who knows why....
528 So we have to parse the DNS reply ourselves */
530 /* Pull the answer RR's count from the header. Use the NMB ordering macros */
532 query_count = RSVAL( p, 4 );
533 answer_count = RSVAL( p, 6 );
534 auth_count = RSVAL( p, 8 );
535 additional_count = RSVAL( p, 10 );
537 DEBUG(4,("ads_dns_lookup_ns: %d records returned in the answer section.\n",
541 if ( (nsarray = TALLOC_ARRAY(ctx, struct dns_rr_ns, answer_count)) == NULL ) {
542 DEBUG(0,("ads_dns_lookup_ns: talloc() failure for %d char*'s\n",
544 return NT_STATUS_NO_MEMORY;
550 /* now skip the header */
554 /* parse the query section */
556 for ( rrnum=0; rrnum<query_count; rrnum++ ) {
559 if ( !ads_dns_parse_query( ctx, buffer, buffer+resp_len, &p, &q ) ) {
560 DEBUG(1,("ads_dns_lookup_ns: Failed to parse query record!\n"));
561 return NT_STATUS_UNSUCCESSFUL;
565 /* now we are at the answer section */
567 for ( rrnum=0; rrnum<answer_count; rrnum++ ) {
568 if ( !ads_dns_parse_rr_ns( ctx, buffer, buffer+resp_len, &p, &nsarray[rrnum] ) ) {
569 DEBUG(1,("ads_dns_lookup_ns: Failed to parse answer record!\n"));
570 return NT_STATUS_UNSUCCESSFUL;
575 /* Parse the authority section */
576 /* just skip these for now */
578 for ( rrnum=0; rrnum<auth_count; rrnum++ ) {
581 if ( !ads_dns_parse_rr( ctx, buffer, buffer+resp_len, &p, &rr ) ) {
582 DEBUG(1,("ads_dns_lookup_ns: Failed to parse authority record!\n"));
583 return NT_STATUS_UNSUCCESSFUL;
587 /* Parse the additional records section */
589 for ( rrnum=0; rrnum<additional_count; rrnum++ ) {
593 if ( !ads_dns_parse_rr( ctx, buffer, buffer+resp_len, &p, &rr ) ) {
594 DEBUG(1,("ads_dns_lookup_ns: Failed to parse additional records section!\n"));
595 return NT_STATUS_UNSUCCESSFUL;
598 /* only interested in A records as a shortcut for having to come
599 back later and lookup the name */
601 if ( (rr.type != T_A) || (rr.rdatalen != 4) )
604 for ( i=0; i<idx; i++ ) {
605 if ( strcmp( rr.hostname, nsarray[i].hostname ) == 0 ) {
606 uint8 *buf = (uint8*)&nsarray[i].ip.s_addr;
607 memcpy( buf, rr.rdata, 4 );
618 /****************************************************************************
619 Store and fetch the AD client sitename.
620 ****************************************************************************/
622 #define SITENAME_KEY "AD_SITENAME/DOMAIN/%s"
624 static char *sitename_key(const char *realm)
628 if (asprintf(&keystr, SITENAME_KEY, strupper_static(realm)) == -1) {
636 /****************************************************************************
637 Store the AD client sitename.
638 We store indefinately as every new CLDAP query will re-write this.
639 ****************************************************************************/
641 BOOL sitename_store(const char *realm, const char *sitename)
647 if (!gencache_init()) {
651 if (!realm || (strlen(realm) == 0)) {
652 DEBUG(0,("sitename_store: no realm\n"));
656 key = sitename_key(realm);
658 if (!sitename || (sitename && !*sitename)) {
659 DEBUG(5,("sitename_store: deleting empty sitename!\n"));
660 ret = gencache_del(key);
665 expire = get_time_t_max(); /* Store indefinately. */
667 DEBUG(10,("sitename_store: realm = [%s], sitename = [%s], expire = [%u]\n",
668 realm, sitename, (unsigned int)expire ));
670 ret = gencache_set( key, sitename, expire );
675 /****************************************************************************
676 Fetch the AD client sitename.
678 ****************************************************************************/
680 char *sitename_fetch(const char *realm)
682 char *sitename = NULL;
685 const char *query_realm;
688 if (!gencache_init()) {
692 if (!realm || (strlen(realm) == 0)) {
693 query_realm = lp_realm();
698 key = sitename_key(query_realm);
700 ret = gencache_get( key, &sitename, &timeout );
703 DEBUG(5,("sitename_fetch: No stored sitename for %s\n",
706 DEBUG(5,("sitename_fetch: Returning sitename for %s: \"%s\"\n",
707 query_realm, sitename ));
712 /****************************************************************************
713 Did the sitename change ?
714 ****************************************************************************/
716 BOOL stored_sitename_changed(const char *realm, const char *sitename)
722 if (!realm || (strlen(realm) == 0)) {
723 DEBUG(0,("stored_sitename_changed: no realm\n"));
727 new_sitename = sitename_fetch(realm);
729 if (sitename && new_sitename && !strequal(sitename, new_sitename)) {
731 } else if ((sitename && !new_sitename) ||
732 (!sitename && new_sitename)) {
735 SAFE_FREE(new_sitename);
739 /********************************************************************
740 Query with optional sitename.
741 ********************************************************************/
743 static NTSTATUS ads_dns_query_internal(TALLOC_CTX *ctx,
744 const char *servicename,
745 const char *dc_pdc_gc_domains,
747 const char *sitename,
748 struct dns_rr_srv **dclist,
753 name = talloc_asprintf(ctx, "%s._tcp.%s._sites.%s._msdcs.%s",
754 servicename, sitename,
755 dc_pdc_gc_domains, realm);
757 name = talloc_asprintf(ctx, "%s._tcp.%s._msdcs.%s",
758 servicename, dc_pdc_gc_domains, realm);
761 return NT_STATUS_NO_MEMORY;
763 return ads_dns_lookup_srv( ctx, name, dclist, numdcs );
766 /********************************************************************
768 ********************************************************************/
770 NTSTATUS ads_dns_query_dcs(TALLOC_CTX *ctx,
772 const char *sitename,
773 struct dns_rr_srv **dclist,
778 status = ads_dns_query_internal(ctx, "_ldap", "dc", realm, sitename,
781 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
782 NT_STATUS_EQUAL(status, NT_STATUS_CONNECTION_REFUSED)) {
787 ((!NT_STATUS_IS_OK(status)) ||
788 (NT_STATUS_IS_OK(status) && (numdcs == 0)))) {
789 /* Sitename DNS query may have failed. Try without. */
790 status = ads_dns_query_internal(ctx, "_ldap", "dc", realm,
791 NULL, dclist, numdcs);
796 /********************************************************************
798 ********************************************************************/
800 NTSTATUS ads_dns_query_gcs(TALLOC_CTX *ctx,
802 const char *sitename,
803 struct dns_rr_srv **dclist,
808 status = ads_dns_query_internal(ctx, "_ldap", "gc", realm, sitename,
811 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
812 NT_STATUS_EQUAL(status, NT_STATUS_CONNECTION_REFUSED)) {
817 ((!NT_STATUS_IS_OK(status)) ||
818 (NT_STATUS_IS_OK(status) && (numdcs == 0)))) {
819 /* Sitename DNS query may have failed. Try without. */
820 status = ads_dns_query_internal(ctx, "_ldap", "gc", realm,
821 NULL, dclist, numdcs);
826 /********************************************************************
828 Even if our underlying kerberos libraries are UDP only, this
829 is pretty safe as it's unlikely that a KDC supports TCP and not UDP.
830 ********************************************************************/
832 NTSTATUS ads_dns_query_kdcs(TALLOC_CTX *ctx,
833 const char *dns_forest_name,
834 const char *sitename,
835 struct dns_rr_srv **dclist,
840 status = ads_dns_query_internal(ctx, "_kerberos", "dc",
841 dns_forest_name, sitename, dclist,
844 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
845 NT_STATUS_EQUAL(status, NT_STATUS_CONNECTION_REFUSED)) {
850 ((!NT_STATUS_IS_OK(status)) ||
851 (NT_STATUS_IS_OK(status) && (numdcs == 0)))) {
852 /* Sitename DNS query may have failed. Try without. */
853 status = ads_dns_query_internal(ctx, "_kerberos", "dc",
854 dns_forest_name, NULL,
860 /********************************************************************
861 Query for AD PDC. Sitename is obsolete here.
862 ********************************************************************/
864 NTSTATUS ads_dns_query_pdc(TALLOC_CTX *ctx,
865 const char *dns_domain_name,
866 struct dns_rr_srv **dclist,
869 return ads_dns_query_internal(ctx, "_ldap", "pdc", dns_domain_name,
870 NULL, dclist, numdcs);
873 /********************************************************************
874 Query for AD DC by guid. Sitename is obsolete here.
875 ********************************************************************/
877 NTSTATUS ads_dns_query_dcs_guid(TALLOC_CTX *ctx,
878 const char *dns_forest_name,
879 const struct GUID *domain_guid,
880 struct dns_rr_srv **dclist,
883 /*_ldap._tcp.DomainGuid.domains._msdcs.DnsForestName */
886 const char *guid_string;
888 guid_string = GUID_string(ctx, domain_guid);
890 return NT_STATUS_NO_MEMORY;
894 domains = talloc_asprintf(ctx, "%s.domains", guid_string);
896 return NT_STATUS_NO_MEMORY;
899 return ads_dns_query_internal(ctx, "_ldap", domains, dns_forest_name,
900 NULL, dclist, numdcs);