2 Unix SMB/CIFS implementation.
4 bind9 dlz driver for Samba
6 Copyright (C) 2010 Andrew Tridgell
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "param/param.h"
25 #include "lib/events/events.h"
26 #include "dsdb/samdb/samdb.h"
27 #include "dsdb/common/util.h"
28 #include "auth/auth.h"
29 #include "auth/session.h"
30 #include "auth/gensec/gensec.h"
31 #include "librpc/gen_ndr/security.h"
32 #include "auth/credentials/credentials.h"
33 #include "system/kerberos.h"
34 #include "auth/kerberos/kerberos.h"
35 #include "gen_ndr/ndr_dnsp.h"
36 #include "gen_ndr/server_id.h"
37 #include "messaging/messaging.h"
39 #include "lib/util/dlinklist.h"
40 #include "dlz_minimal.h"
41 #include "dnsserver_common.h"
42 #include "lib/util/smb_strtox.h"
43 #include "lib/util/access.h"
54 struct b9_zone *prev, *next;
57 struct dlz_bind9_data {
58 struct b9_options options;
59 struct ldb_context *samdb;
60 struct tevent_context *ev_ctx;
61 struct loadparm_context *lp;
62 int *transaction_token;
64 struct b9_zone *zonelist;
66 /* Used for dynamic update */
67 struct smb_krb5_context *smb_krb5_ctx;
68 struct auth4_context *auth_context;
69 struct auth_session_info *session_info;
72 /* helper functions from the dlz_dlopen driver */
74 dns_sdlz_putrr_t *putrr;
75 dns_sdlz_putnamedrr_t *putnamedrr;
76 dns_dlz_writeablezone_t *writeable_zone;
79 static struct dlz_bind9_data *dlz_bind9_state = NULL;
80 static int dlz_bind9_state_ref_count = 0;
82 static const char *zone_prefixes[] = {
83 "CN=MicrosoftDNS,DC=DomainDnsZones",
84 "CN=MicrosoftDNS,DC=ForestDnsZones",
85 "CN=MicrosoftDNS,CN=System",
90 * Get a printable string representation of an isc_result_t
92 static const char *isc_result_str( const isc_result_t result) {
95 return "ISC_R_SUCCESS";
97 return "ISC_R_NOMEMORY";
99 return "ISC_R_NOPERM";
101 return "ISC_R_NOSPACE";
103 return "ISC_R_NOTFOUND";
105 return "ISC_R_FAILURE";
106 case ISC_R_NOTIMPLEMENTED:
107 return "ISC_R_NOTIMPLEMENTED";
109 return "ISC_R_NOMORE";
110 case ISC_R_INVALIDFILE:
111 return "ISC_R_INVALIDFILE";
112 case ISC_R_UNEXPECTED:
113 return "ISC_R_UNEXPECTED";
114 case ISC_R_FILENOTFOUND:
115 return "ISC_R_FILENOTFOUND";
122 return the version of the API
124 _PUBLIC_ int dlz_version(unsigned int *flags)
126 return DLZ_DLOPEN_VERSION;
130 remember a helper function from the bind9 dlz_dlopen driver
132 static void b9_add_helper(struct dlz_bind9_data *state, const char *helper_name, void *ptr)
134 if (strcmp(helper_name, "log") == 0) {
137 if (strcmp(helper_name, "putrr") == 0) {
140 if (strcmp(helper_name, "putnamedrr") == 0) {
141 state->putnamedrr = ptr;
143 if (strcmp(helper_name, "writeable_zone") == 0) {
144 state->writeable_zone = ptr;
149 * Add a trailing '.' if it's missing
151 static const char *b9_format_fqdn(TALLOC_CTX *mem_ctx, const char *str)
156 if (str == NULL || str[0] == '\0') {
161 if (str[len-1] != '.') {
162 tmp = talloc_asprintf(mem_ctx, "%s.", str);
170 * Format a record for bind9.
172 * On failure/error returns false, OR sets *data to NULL.
173 * Callers should check for both!
175 static bool b9_format(struct dlz_bind9_data *state,
177 struct dnsp_DnssrvRpcRecord *rec,
178 const char **type, const char **data)
184 switch (rec->wType) {
187 *data = rec->data.ipv4;
192 *data = rec->data.ipv6;
197 *data = b9_format_fqdn(mem_ctx, rec->data.cname);
202 tmp = talloc_asprintf(mem_ctx, "\"%s\"", rec->data.txt.str[0]);
203 for (i=1; i<rec->data.txt.count; i++) {
204 tmp = talloc_asprintf_append(tmp, " \"%s\"", rec->data.txt.str[i]);
211 *data = b9_format_fqdn(mem_ctx, rec->data.ptr);
216 fqdn = b9_format_fqdn(mem_ctx, rec->data.srv.nameTarget);
220 *data = talloc_asprintf(mem_ctx, "%u %u %u %s",
221 rec->data.srv.wPriority,
222 rec->data.srv.wWeight,
229 fqdn = b9_format_fqdn(mem_ctx, rec->data.mx.nameTarget);
233 *data = talloc_asprintf(mem_ctx, "%u %s",
234 rec->data.mx.wPriority, fqdn);
239 *data = b9_format_fqdn(mem_ctx, rec->data.ns);
246 /* we need to fake the authoritative nameserver to
247 * point at ourselves. This is how AD DNS servers
248 * force clients to send updates to the right local DC
250 mname = talloc_asprintf(mem_ctx, "%s.%s.",
251 lpcfg_netbios_name(state->lp),
252 lpcfg_dnsdomain(state->lp));
256 mname = strlower_talloc(mem_ctx, mname);
261 fqdn = b9_format_fqdn(mem_ctx, rec->data.soa.rname);
266 state->soa_serial = rec->data.soa.serial;
268 *data = talloc_asprintf(mem_ctx, "%s %s %u %u %u %u %u",
270 rec->data.soa.serial,
271 rec->data.soa.refresh,
273 rec->data.soa.expire,
274 rec->data.soa.minimum);
279 state->log(ISC_LOG_ERROR, "samba_dlz b9_format: unhandled record type %u",
287 static const struct {
288 enum dns_record_type dns_type;
292 { DNS_TYPE_A, "A" , false},
293 { DNS_TYPE_AAAA, "AAAA" , false},
294 { DNS_TYPE_CNAME, "CNAME" , true},
295 { DNS_TYPE_TXT, "TXT" , false},
296 { DNS_TYPE_PTR, "PTR" , false},
297 { DNS_TYPE_SRV, "SRV" , false},
298 { DNS_TYPE_MX, "MX" , false},
299 { DNS_TYPE_NS, "NS" , false},
300 { DNS_TYPE_SOA, "SOA" , true},
305 see if a DNS type is single valued
307 static bool b9_single_valued(enum dns_record_type dns_type)
310 for (i=0; i<ARRAY_SIZE(dns_typemap); i++) {
311 if (dns_typemap[i].dns_type == dns_type) {
312 return dns_typemap[i].single_valued;
319 get a DNS_TYPE_* value from the corresponding string
321 static bool b9_dns_type(const char *type, enum dns_record_type *dtype)
324 for (i=0; i<ARRAY_SIZE(dns_typemap); i++) {
325 if (strcasecmp(dns_typemap[i].typestr, type) == 0) {
326 *dtype = dns_typemap[i].dns_type;
334 #define DNS_PARSE_STR(ret, str, sep, saveptr) do { \
335 (ret) = strtok_r(str, sep, &saveptr); \
336 if ((ret) == NULL) return false; \
339 #define DNS_PARSE_UINT(ret, str, sep, saveptr) do { \
340 char *istr = strtok_r(str, sep, &saveptr); \
342 if ((istr) == NULL) return false; \
343 (ret) = smb_strtoul(istr, NULL, 10, &error, SMB_STR_STANDARD); \
350 parse a record from bind9
352 static bool b9_parse(struct dlz_bind9_data *state,
353 const char *rdatastr,
354 struct dnsp_DnssrvRpcRecord *rec)
356 char *full_name, *dclass, *type;
357 char *str, *tmp, *saveptr=NULL;
360 str = talloc_strdup(rec, rdatastr);
365 /* parse the SDLZ string form */
366 DNS_PARSE_STR(full_name, str, "\t", saveptr);
367 DNS_PARSE_UINT(rec->dwTtlSeconds, NULL, "\t", saveptr);
368 DNS_PARSE_STR(dclass, NULL, "\t", saveptr);
369 DNS_PARSE_STR(type, NULL, "\t", saveptr);
371 /* construct the record */
372 for (i=0; i<ARRAY_SIZE(dns_typemap); i++) {
373 if (strcasecmp(type, dns_typemap[i].typestr) == 0) {
374 rec->wType = dns_typemap[i].dns_type;
378 if (i == ARRAY_SIZE(dns_typemap)) {
379 state->log(ISC_LOG_ERROR, "samba_dlz: unsupported record type '%s' for '%s'",
384 switch (rec->wType) {
386 DNS_PARSE_STR(rec->data.ipv4, NULL, " ", saveptr);
390 DNS_PARSE_STR(rec->data.ipv6, NULL, " ", saveptr);
394 DNS_PARSE_STR(rec->data.cname, NULL, " ", saveptr);
398 rec->data.txt.count = 0;
399 rec->data.txt.str = talloc_array(rec, const char *, rec->data.txt.count);
400 tmp = strtok_r(NULL, "\t", &saveptr);
402 rec->data.txt.str = talloc_realloc(rec, rec->data.txt.str, const char *,
403 rec->data.txt.count+1);
406 rec->data.txt.str[rec->data.txt.count] = talloc_strndup(rec, &tmp[1], strlen(tmp)-2);
408 rec->data.txt.str[rec->data.txt.count] = talloc_strdup(rec, tmp);
410 rec->data.txt.count++;
411 tmp = strtok_r(NULL, " ", &saveptr);
416 DNS_PARSE_STR(rec->data.ptr, NULL, " ", saveptr);
420 DNS_PARSE_UINT(rec->data.srv.wPriority, NULL, " ", saveptr);
421 DNS_PARSE_UINT(rec->data.srv.wWeight, NULL, " ", saveptr);
422 DNS_PARSE_UINT(rec->data.srv.wPort, NULL, " ", saveptr);
423 DNS_PARSE_STR(rec->data.srv.nameTarget, NULL, " ", saveptr);
427 DNS_PARSE_UINT(rec->data.mx.wPriority, NULL, " ", saveptr);
428 DNS_PARSE_STR(rec->data.mx.nameTarget, NULL, " ", saveptr);
432 DNS_PARSE_STR(rec->data.ns, NULL, " ", saveptr);
436 DNS_PARSE_STR(rec->data.soa.mname, NULL, " ", saveptr);
437 DNS_PARSE_STR(rec->data.soa.rname, NULL, " ", saveptr);
438 DNS_PARSE_UINT(rec->data.soa.serial, NULL, " ", saveptr);
439 DNS_PARSE_UINT(rec->data.soa.refresh, NULL, " ", saveptr);
440 DNS_PARSE_UINT(rec->data.soa.retry, NULL, " ", saveptr);
441 DNS_PARSE_UINT(rec->data.soa.expire, NULL, " ", saveptr);
442 DNS_PARSE_UINT(rec->data.soa.minimum, NULL, " ", saveptr);
446 state->log(ISC_LOG_ERROR, "samba_dlz b9_parse: unhandled record type %u",
451 /* we should be at the end of the buffer now */
452 if (strtok_r(NULL, "\t ", &saveptr) != NULL) {
453 state->log(ISC_LOG_ERROR, "samba_dlz b9_parse: unexpected data at end of string for '%s'",
462 send a resource record to bind9
464 static isc_result_t b9_putrr(struct dlz_bind9_data *state,
465 void *handle, struct dnsp_DnssrvRpcRecord *rec,
469 const char *type, *data;
470 TALLOC_CTX *tmp_ctx = talloc_new(state);
472 if (!b9_format(state, tmp_ctx, rec, &type, &data)) {
473 return ISC_R_FAILURE;
477 talloc_free(tmp_ctx);
478 return ISC_R_NOMEMORY;
483 for (i=0; types[i]; i++) {
484 if (strcmp(types[i], type) == 0) break;
486 if (types[i] == NULL) {
488 return ISC_R_SUCCESS;
492 result = state->putrr(handle, type, rec->dwTtlSeconds, data);
493 if (result != ISC_R_SUCCESS) {
494 state->log(ISC_LOG_ERROR, "Failed to put rr");
496 talloc_free(tmp_ctx);
502 send a named resource record to bind9
504 static isc_result_t b9_putnamedrr(struct dlz_bind9_data *state,
505 void *handle, const char *name,
506 struct dnsp_DnssrvRpcRecord *rec)
509 const char *type, *data;
510 TALLOC_CTX *tmp_ctx = talloc_new(state);
512 if (!b9_format(state, tmp_ctx, rec, &type, &data)) {
513 return ISC_R_FAILURE;
517 talloc_free(tmp_ctx);
518 return ISC_R_NOMEMORY;
521 result = state->putnamedrr(handle, name, type, rec->dwTtlSeconds, data);
522 if (result != ISC_R_SUCCESS) {
523 state->log(ISC_LOG_ERROR, "Failed to put named rr '%s'", name);
525 talloc_free(tmp_ctx);
532 static isc_result_t parse_options(struct dlz_bind9_data *state,
533 unsigned int argc, const char **argv,
534 struct b9_options *options)
538 struct poptOption long_options[] = {
539 { "url", 'H', POPT_ARG_STRING, &options->url, 0, "database URL", "URL" },
540 { "debug", 'd', POPT_ARG_STRING, &options->debug, 0, "debug level", "DEBUG" },
544 pc = poptGetContext("dlz_bind9", argc, argv, long_options,
545 POPT_CONTEXT_KEEP_FIRST);
546 while ((opt = poptGetNextOpt(pc)) != -1) {
549 state->log(ISC_LOG_ERROR, "dlz_bind9: Invalid option %s: %s",
550 poptBadOption(pc, 0), poptStrerror(opt));
552 return ISC_R_FAILURE;
557 return ISC_R_SUCCESS;
562 * Create session info from PAC
563 * This is called as auth_context->generate_session_info_pac()
565 static NTSTATUS b9_generate_session_info_pac(struct auth4_context *auth_context,
567 struct smb_krb5_context *smb_krb5_context,
569 const char *principal_name,
570 const struct tsocket_address *remote_addr,
571 uint32_t session_info_flags,
572 struct auth_session_info **session_info)
575 struct auth_user_info_dc *user_info_dc;
578 tmp_ctx = talloc_new(mem_ctx);
579 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
581 status = kerberos_pac_blob_to_user_info_dc(tmp_ctx,
583 smb_krb5_context->krb5_context,
587 if (!NT_STATUS_IS_OK(status)) {
588 talloc_free(tmp_ctx);
592 if (user_info_dc->info->authenticated) {
593 session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
596 session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
598 status = auth_generate_session_info(mem_ctx, NULL, NULL, user_info_dc,
599 session_info_flags, session_info);
600 if (!NT_STATUS_IS_OK(status)) {
601 talloc_free(tmp_ctx);
605 talloc_free(tmp_ctx);
609 /* Callback for the DEBUG() system, to catch the remaining messages */
610 static void b9_debug(void *private_ptr, int msg_level, const char *msg)
612 static const int isc_log_map[] = {
613 ISC_LOG_CRITICAL, /* 0 */
614 ISC_LOG_ERROR, /* 1 */
615 ISC_LOG_WARNING, /* 2 */
616 ISC_LOG_NOTICE /* 3 */
618 struct dlz_bind9_data *state = private_ptr;
621 if (msg_level >= ARRAY_SIZE(isc_log_map) || msg_level < 0) {
622 isc_log_level = ISC_LOG_INFO;
624 isc_log_level = isc_log_map[msg_level];
626 state->log(isc_log_level, "samba_dlz: %s", msg);
629 static int dlz_state_debug_unregister(struct dlz_bind9_data *state)
631 /* Stop logging (to the bind9 logs) */
632 debug_set_callback(NULL, NULL);
637 called to initialise the driver
639 _PUBLIC_ isc_result_t dlz_create(const char *dlzname,
640 unsigned int argc, const char **argv,
643 struct dlz_bind9_data *state;
644 const char *helper_name;
650 char *errstring = NULL;
652 if (dlz_bind9_state != NULL) {
653 dlz_bind9_state->log(ISC_LOG_ERROR,
654 "samba_dlz: dlz_create ignored, #refs=%d",
655 dlz_bind9_state_ref_count);
656 *dbdata = dlz_bind9_state;
657 dlz_bind9_state_ref_count++;
658 return ISC_R_SUCCESS;
661 state = talloc_zero(NULL, struct dlz_bind9_data);
663 return ISC_R_NOMEMORY;
666 talloc_set_destructor(state, dlz_state_debug_unregister);
668 /* fill in the helper functions */
669 va_start(ap, dbdata);
670 while ((helper_name = va_arg(ap, const char *)) != NULL) {
671 b9_add_helper(state, helper_name, va_arg(ap, void*));
675 /* Do not install samba signal handlers */
676 fault_setup_disable();
678 /* Start logging (to the bind9 logs) */
679 debug_set_callback(state, b9_debug);
681 state->ev_ctx = s4_event_context_init(state);
682 if (state->ev_ctx == NULL) {
683 result = ISC_R_NOMEMORY;
687 result = parse_options(state, argc, argv, &state->options);
688 if (result != ISC_R_SUCCESS) {
692 state->lp = loadparm_init_global(true);
693 if (state->lp == NULL) {
694 result = ISC_R_NOMEMORY;
698 if (state->options.debug) {
699 lpcfg_do_global_parameter(state->lp, "log level", state->options.debug);
701 lpcfg_do_global_parameter(state->lp, "log level", "0");
704 if (smb_krb5_init_context(state, state->lp, &state->smb_krb5_ctx) != 0) {
705 result = ISC_R_NOMEMORY;
709 nt_status = gensec_init();
710 if (!NT_STATUS_IS_OK(nt_status)) {
711 result = ISC_R_NOMEMORY;
715 state->auth_context = talloc_zero(state, struct auth4_context);
716 if (state->auth_context == NULL) {
717 result = ISC_R_NOMEMORY;
721 if (state->options.url == NULL) {
722 state->options.url = talloc_asprintf(state,
724 lpcfg_binddns_dir(state->lp));
725 if (state->options.url == NULL) {
726 result = ISC_R_NOMEMORY;
730 if (!file_exist(state->options.url)) {
731 state->options.url = talloc_asprintf(state,
733 lpcfg_private_dir(state->lp));
734 if (state->options.url == NULL) {
735 result = ISC_R_NOMEMORY;
741 ret = samdb_connect_url(state,
744 system_session(state->lp),
750 if (ret != LDB_SUCCESS) {
751 state->log(ISC_LOG_ERROR,
752 "samba_dlz: Failed to connect to %s: %s",
753 errstring, ldb_strerror(ret));
754 result = ISC_R_FAILURE;
758 dn = ldb_get_default_basedn(state->samdb);
760 state->log(ISC_LOG_ERROR, "samba_dlz: Unable to get basedn for %s - %s",
761 state->options.url, ldb_errstring(state->samdb));
762 result = ISC_R_FAILURE;
766 state->log(ISC_LOG_INFO, "samba_dlz: started for DN %s",
767 ldb_dn_get_linearized(dn));
769 state->auth_context->event_ctx = state->ev_ctx;
770 state->auth_context->lp_ctx = state->lp;
771 state->auth_context->sam_ctx = state->samdb;
772 state->auth_context->generate_session_info_pac = b9_generate_session_info_pac;
775 dlz_bind9_state = state;
776 dlz_bind9_state_ref_count++;
778 return ISC_R_SUCCESS;
781 state->log(ISC_LOG_INFO,
782 "samba_dlz: FAILED dlz_create call result=%d #refs=%d",
784 dlz_bind9_state_ref_count);
792 _PUBLIC_ void dlz_destroy(void *dbdata)
794 struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data);
796 dlz_bind9_state_ref_count--;
797 if (dlz_bind9_state_ref_count == 0) {
798 state->log(ISC_LOG_INFO, "samba_dlz: shutting down");
799 talloc_unlink(state, state->samdb);
801 dlz_bind9_state = NULL;
803 state->log(ISC_LOG_INFO,
804 "samba_dlz: dlz_destroy called. %d refs remaining.",
805 dlz_bind9_state_ref_count);
811 return the base DN for a zone
813 static isc_result_t b9_find_zone_dn(struct dlz_bind9_data *state, const char *zone_name,
814 TALLOC_CTX *mem_ctx, struct ldb_dn **zone_dn)
817 TALLOC_CTX *tmp_ctx = talloc_new(state);
818 const char *attrs[] = { NULL };
821 for (i=0; zone_prefixes[i]; i++) {
822 const char *casefold;
824 struct ldb_result *res;
825 struct ldb_val zone_name_val
826 = data_blob_string_const(zone_name);
828 dn = ldb_dn_copy(tmp_ctx, ldb_get_default_basedn(state->samdb));
830 talloc_free(tmp_ctx);
831 return ISC_R_NOMEMORY;
835 * This dance ensures that it is not possible to put
836 * (eg) an extra DC=x, into the DNS name being
840 if (!ldb_dn_add_child_fmt(dn,
843 talloc_free(tmp_ctx);
844 return ISC_R_NOMEMORY;
847 ret = ldb_dn_set_component(dn,
851 if (ret != LDB_SUCCESS) {
852 talloc_free(tmp_ctx);
853 return ISC_R_NOMEMORY;
857 * Check if this is a plausibly valid DN early
858 * (time spent here will be saved during the
859 * search due to an internal cache)
861 casefold = ldb_dn_get_casefold(dn);
863 if (casefold == NULL) {
864 talloc_free(tmp_ctx);
865 return ISC_R_NOTFOUND;
868 ret = ldb_search(state->samdb, tmp_ctx, &res, dn, LDB_SCOPE_BASE, attrs, "objectClass=dnsZone");
869 if (ret == LDB_SUCCESS) {
870 if (zone_dn != NULL) {
871 *zone_dn = talloc_steal(mem_ctx, dn);
873 talloc_free(tmp_ctx);
874 return ISC_R_SUCCESS;
879 talloc_free(tmp_ctx);
880 return ISC_R_NOTFOUND;
885 return the DN for a name. The record does not need to exist, but the
888 static isc_result_t b9_find_name_dn(struct dlz_bind9_data *state, const char *name,
889 TALLOC_CTX *mem_ctx, struct ldb_dn **dn)
893 /* work through the name piece by piece, until we find a zone */
896 result = b9_find_zone_dn(state, p, mem_ctx, dn);
897 if (result == ISC_R_SUCCESS) {
898 const char *casefold;
900 /* we found a zone, now extend the DN to get
905 ret = ldb_dn_add_child_fmt(*dn, "DC=@");
908 return ISC_R_NOMEMORY;
911 struct ldb_val name_val
912 = data_blob_const(name,
915 if (!ldb_dn_add_child_val(*dn,
919 return ISC_R_NOMEMORY;
924 * Check if this is a plausibly valid DN early
925 * (time spent here will be saved during the
926 * search due to an internal cache)
928 casefold = ldb_dn_get_casefold(*dn);
930 if (casefold == NULL) {
931 return ISC_R_NOTFOUND;
934 return ISC_R_SUCCESS;
942 return ISC_R_NOTFOUND;
947 see if we handle a given zone
949 _PUBLIC_ isc_result_t dlz_findzonedb(void *dbdata, const char *name,
950 dns_clientinfomethods_t *methods,
951 dns_clientinfo_t *clientinfo)
953 struct timeval start = timeval_current();
954 struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data);
955 isc_result_t result = ISC_R_SUCCESS;
957 result = b9_find_zone_dn(state, name, NULL, NULL);
958 DNS_COMMON_LOG_OPERATION(
959 isc_result_str(result),
971 static isc_result_t dlz_lookup_types(struct dlz_bind9_data *state,
972 const char *zone, const char *name,
973 dns_sdlzlookup_t *lookup,
976 TALLOC_CTX *tmp_ctx = talloc_new(state);
978 WERROR werr = WERR_DNS_ERROR_NAME_DOES_NOT_EXIST;
979 struct dnsp_DnssrvRpcRecord *records = NULL;
980 uint16_t num_records = 0, i;
981 struct ldb_val zone_name_val
982 = data_blob_string_const(zone);
983 struct ldb_val name_val
984 = data_blob_string_const(name);
986 for (i=0; zone_prefixes[i]; i++) {
988 const char *casefold;
989 dn = ldb_dn_copy(tmp_ctx, ldb_get_default_basedn(state->samdb));
991 talloc_free(tmp_ctx);
992 return ISC_R_NOMEMORY;
996 * This dance ensures that it is not possible to put
997 * (eg) an extra DC=x, into the DNS name being
1001 if (!ldb_dn_add_child_fmt(dn,
1003 zone_prefixes[i])) {
1004 talloc_free(tmp_ctx);
1005 return ISC_R_NOMEMORY;
1008 ret = ldb_dn_set_component(dn,
1012 if (ret != LDB_SUCCESS) {
1013 talloc_free(tmp_ctx);
1014 return ISC_R_NOMEMORY;
1017 ret = ldb_dn_set_component(dn,
1021 if (ret != LDB_SUCCESS) {
1022 talloc_free(tmp_ctx);
1023 return ISC_R_NOMEMORY;
1027 * Check if this is a plausibly valid DN early
1028 * (time spent here will be saved during the
1029 * search due to an internal cache)
1031 casefold = ldb_dn_get_casefold(dn);
1033 if (casefold == NULL) {
1034 talloc_free(tmp_ctx);
1035 return ISC_R_NOTFOUND;
1038 werr = dns_common_wildcard_lookup(state->samdb, tmp_ctx, dn,
1039 &records, &num_records);
1040 if (W_ERROR_IS_OK(werr)) {
1044 if (!W_ERROR_IS_OK(werr)) {
1045 talloc_free(tmp_ctx);
1046 return ISC_R_NOTFOUND;
1049 for (i=0; i < num_records; i++) {
1050 isc_result_t result;
1052 result = b9_putrr(state, lookup, &records[i], types);
1053 if (result != ISC_R_SUCCESS) {
1054 talloc_free(tmp_ctx);
1059 talloc_free(tmp_ctx);
1060 return ISC_R_SUCCESS;
1066 _PUBLIC_ isc_result_t dlz_lookup(const char *zone, const char *name,
1067 void *dbdata, dns_sdlzlookup_t *lookup,
1068 dns_clientinfomethods_t *methods,
1069 dns_clientinfo_t *clientinfo)
1071 struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data);
1072 isc_result_t result = ISC_R_SUCCESS;
1073 struct timeval start = timeval_current();
1075 result = dlz_lookup_types(state, zone, name, lookup, NULL);
1076 DNS_COMMON_LOG_OPERATION(
1077 isc_result_str(result),
1088 see if a zone transfer is allowed
1090 _PUBLIC_ isc_result_t dlz_allowzonexfr(void *dbdata, const char *name, const char *client)
1092 struct dlz_bind9_data *state = talloc_get_type(
1093 dbdata, struct dlz_bind9_data);
1095 const char **authorized_clients, **denied_clients;
1096 const char *cname="";
1098 /* check that the zone is known */
1099 ret = b9_find_zone_dn(state, name, NULL, NULL);
1100 if (ret != ISC_R_SUCCESS) {
1104 /* default is to deny all transfers */
1106 authorized_clients = lpcfg_dns_zone_transfer_clients_allow(state->lp);
1107 denied_clients = lpcfg_dns_zone_transfer_clients_deny(state->lp);
1109 /* The logic of allow_access() when both allow and deny lists are given
1110 * does not match our expectation here: it would allow clients thar are
1111 * neither allowed nor denied.
1112 * Here, we want to deny clients by default.
1113 * Using the allow_access() function is still useful as it takes care of
1114 * parsing IP adresses and subnets in a consistent way with other options
1117 * We will then check the deny list first, then the allow list, so that
1118 * we accept only clients that are explicitely allowed AND not explicitely
1121 if ((authorized_clients == NULL) && (denied_clients == NULL)) {
1122 /* No "allow" or "deny" lists given. Deny by default. */
1123 return ISC_R_NOPERM;
1126 if (denied_clients != NULL) {
1127 bool ok = allow_access(denied_clients, NULL, cname, client);
1129 /* client on deny list. Deny. */
1130 return ISC_R_NOPERM;
1134 if (authorized_clients != NULL) {
1135 bool ok = allow_access(NULL, authorized_clients, cname, client);
1138 * client is not on deny list and is on allow list.
1139 * This is the only place we should return "allow".
1141 return ISC_R_SUCCESS;
1144 /* We shouldn't get here, but deny by default. */
1145 return ISC_R_NOPERM;
1149 perform a zone transfer
1151 _PUBLIC_ isc_result_t dlz_allnodes(const char *zone, void *dbdata,
1152 dns_sdlzallnodes_t *allnodes)
1154 struct timeval start = timeval_current();
1155 struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data);
1156 const char *attrs[] = { "dnsRecord", NULL };
1157 int ret = LDB_ERR_NO_SUCH_OBJECT;
1159 struct ldb_dn *dn = NULL;
1160 struct ldb_result *res;
1161 TALLOC_CTX *tmp_ctx = talloc_new(state);
1162 struct ldb_val zone_name_val = data_blob_string_const(zone);
1163 isc_result_t result = ISC_R_SUCCESS;
1165 for (i=0; zone_prefixes[i]; i++) {
1166 const char *casefold;
1168 dn = ldb_dn_copy(tmp_ctx, ldb_get_default_basedn(state->samdb));
1170 talloc_free(tmp_ctx);
1171 result = ISC_R_NOMEMORY;
1176 * This dance ensures that it is not possible to put
1177 * (eg) an extra DC=x, into the DNS name being
1181 if (!ldb_dn_add_child_fmt(dn,
1183 zone_prefixes[i])) {
1184 talloc_free(tmp_ctx);
1185 result = ISC_R_NOMEMORY;
1189 ret = ldb_dn_set_component(dn,
1193 if (ret != LDB_SUCCESS) {
1194 talloc_free(tmp_ctx);
1195 result = ISC_R_NOMEMORY;
1200 * Check if this is a plausibly valid DN early
1201 * (time spent here will be saved during the
1202 * search due to an internal cache)
1204 casefold = ldb_dn_get_casefold(dn);
1206 if (casefold == NULL) {
1207 result = ISC_R_NOTFOUND;
1211 ret = ldb_search(state->samdb, tmp_ctx, &res, dn, LDB_SCOPE_SUBTREE,
1212 attrs, "objectClass=dnsNode");
1213 if (ret == LDB_SUCCESS) {
1217 if (ret != LDB_SUCCESS || dn == NULL) {
1218 talloc_free(tmp_ctx);
1219 result = ISC_R_NOTFOUND;
1223 for (i=0; i<res->count; i++) {
1224 struct ldb_message_element *el;
1225 TALLOC_CTX *el_ctx = talloc_new(tmp_ctx);
1226 const char *rdn, *name;
1227 const struct ldb_val *v;
1229 struct dnsp_DnssrvRpcRecord *recs = NULL;
1230 uint16_t num_recs = 0;
1232 el = ldb_msg_find_element(res->msgs[i], "dnsRecord");
1233 if (el == NULL || el->num_values == 0) {
1234 state->log(ISC_LOG_INFO, "failed to find dnsRecord for %s",
1235 ldb_dn_get_linearized(dn));
1236 talloc_free(el_ctx);
1240 v = ldb_dn_get_rdn_val(res->msgs[i]->dn);
1242 state->log(ISC_LOG_INFO, "failed to find RDN for %s",
1243 ldb_dn_get_linearized(dn));
1244 talloc_free(el_ctx);
1248 rdn = talloc_strndup(el_ctx, (char *)v->data, v->length);
1250 talloc_free(tmp_ctx);
1251 result = ISC_R_NOMEMORY;
1255 if (strcmp(rdn, "@") == 0) {
1258 name = talloc_asprintf(el_ctx, "%s.%s", rdn, zone);
1260 name = b9_format_fqdn(el_ctx, name);
1262 talloc_free(tmp_ctx);
1263 result = ISC_R_NOMEMORY;
1267 werr = dns_common_extract(state->samdb, el, el_ctx, &recs, &num_recs);
1268 if (!W_ERROR_IS_OK(werr)) {
1269 state->log(ISC_LOG_ERROR, "samba_dlz: failed to parse dnsRecord for %s, %s",
1270 ldb_dn_get_linearized(dn), win_errstr(werr));
1271 talloc_free(el_ctx);
1275 for (j=0; j < num_recs; j++) {
1278 rc = b9_putnamedrr(state, allnodes, name, &recs[j]);
1279 if (rc != ISC_R_SUCCESS) {
1284 talloc_free(el_ctx);
1287 talloc_free(tmp_ctx);
1289 DNS_COMMON_LOG_OPERATION(
1290 isc_result_str(result),
1302 _PUBLIC_ isc_result_t dlz_newversion(const char *zone, void *dbdata, void **versionp)
1304 struct timeval start = timeval_current();
1305 struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data);
1306 isc_result_t result = ISC_R_SUCCESS;
1308 state->log(ISC_LOG_INFO, "samba_dlz: starting transaction on zone %s", zone);
1310 if (state->transaction_token != NULL) {
1311 state->log(ISC_LOG_INFO, "samba_dlz: transaction already started for zone %s", zone);
1312 result = ISC_R_FAILURE;
1316 state->transaction_token = talloc_zero(state, int);
1317 if (state->transaction_token == NULL) {
1318 result = ISC_R_NOMEMORY;
1322 if (ldb_transaction_start(state->samdb) != LDB_SUCCESS) {
1323 state->log(ISC_LOG_INFO, "samba_dlz: failed to start a transaction for zone %s", zone);
1324 talloc_free(state->transaction_token);
1325 state->transaction_token = NULL;
1326 result = ISC_R_FAILURE;
1330 *versionp = (void *)state->transaction_token;
1332 DNS_COMMON_LOG_OPERATION(
1333 isc_result_str(result),
1344 _PUBLIC_ void dlz_closeversion(const char *zone, isc_boolean_t commit,
1345 void *dbdata, void **versionp)
1347 struct timeval start = timeval_current();
1348 struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data);
1349 const char *data = NULL;
1351 data = commit ? "commit" : "cancel";
1353 if (state->transaction_token != (int *)*versionp) {
1354 state->log(ISC_LOG_INFO, "samba_dlz: transaction not started for zone %s", zone);
1359 if (ldb_transaction_commit(state->samdb) != LDB_SUCCESS) {
1360 state->log(ISC_LOG_INFO, "samba_dlz: failed to commit a transaction for zone %s", zone);
1363 state->log(ISC_LOG_INFO, "samba_dlz: committed transaction on zone %s", zone);
1365 if (ldb_transaction_cancel(state->samdb) != LDB_SUCCESS) {
1366 state->log(ISC_LOG_INFO, "samba_dlz: failed to cancel a transaction for zone %s", zone);
1369 state->log(ISC_LOG_INFO, "samba_dlz: cancelling transaction on zone %s", zone);
1372 talloc_free(state->transaction_token);
1373 state->transaction_token = NULL;
1377 DNS_COMMON_LOG_OPERATION(
1378 isc_result_str(ISC_R_SUCCESS),
1387 see if there is a SOA record for a zone
1389 static bool b9_has_soa(struct dlz_bind9_data *state, struct ldb_dn *dn, const char *zone)
1391 TALLOC_CTX *tmp_ctx = talloc_new(state);
1393 struct dnsp_DnssrvRpcRecord *records = NULL;
1394 uint16_t num_records = 0, i;
1395 struct ldb_val zone_name_val
1396 = data_blob_string_const(zone);
1399 * This dance ensures that it is not possible to put
1400 * (eg) an extra DC=x, into the DNS name being
1404 if (!ldb_dn_add_child_val(dn,
1407 talloc_free(tmp_ctx);
1412 * The SOA record is alwas stored under DC=@,DC=zonename
1413 * This can probably be removed when dns_common_lookup makes a fallback
1414 * lookup on @ pseudo record
1417 if (!ldb_dn_add_child_fmt(dn,"DC=@")) {
1418 talloc_free(tmp_ctx);
1422 werr = dns_common_lookup(state->samdb, tmp_ctx, dn,
1423 &records, &num_records, NULL);
1424 if (!W_ERROR_IS_OK(werr)) {
1425 talloc_free(tmp_ctx);
1429 for (i=0; i < num_records; i++) {
1430 if (records[i].wType == DNS_TYPE_SOA) {
1431 talloc_free(tmp_ctx);
1436 talloc_free(tmp_ctx);
1440 static bool b9_zone_add(struct dlz_bind9_data *state, const char *name)
1442 struct b9_zone *zone;
1444 zone = talloc_zero(state, struct b9_zone);
1449 zone->name = talloc_strdup(zone, name);
1450 if (zone->name == NULL) {
1455 DLIST_ADD(state->zonelist, zone);
1459 static bool b9_zone_exists(struct dlz_bind9_data *state, const char *name)
1461 struct b9_zone *zone = state->zonelist;
1464 while (zone != NULL) {
1465 if (strcasecmp(name, zone->name) == 0) {
1477 configure a writeable zone
1479 _PUBLIC_ isc_result_t dlz_configure(dns_view_t *view, dns_dlzdb_t *dlzdb,
1482 struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data);
1483 TALLOC_CTX *tmp_ctx;
1487 state->log(ISC_LOG_INFO, "samba_dlz: starting configure");
1488 if (state->writeable_zone == NULL) {
1489 state->log(ISC_LOG_INFO, "samba_dlz: no writeable_zone method available");
1490 return ISC_R_FAILURE;
1493 tmp_ctx = talloc_new(state);
1495 for (i=0; zone_prefixes[i]; i++) {
1496 const char *attrs[] = { "name", NULL };
1498 struct ldb_result *res;
1500 dn = ldb_dn_copy(tmp_ctx, ldb_get_default_basedn(state->samdb));
1502 talloc_free(tmp_ctx);
1503 return ISC_R_NOMEMORY;
1506 if (!ldb_dn_add_child_fmt(dn, "%s", zone_prefixes[i])) {
1507 talloc_free(tmp_ctx);
1508 return ISC_R_NOMEMORY;
1511 ret = ldb_search(state->samdb, tmp_ctx, &res, dn, LDB_SCOPE_SUBTREE,
1512 attrs, "objectClass=dnsZone");
1513 if (ret != LDB_SUCCESS) {
1517 for (j=0; j<res->count; j++) {
1518 isc_result_t result;
1519 const char *zone = ldb_msg_find_attr_as_string(res->msgs[j], "name", NULL);
1520 struct ldb_dn *zone_dn;
1525 /* Ignore zones that are not handled in BIND */
1526 if ((strcmp(zone, "RootDNSServers") == 0) ||
1527 (strcmp(zone, "..TrustAnchors") == 0)) {
1530 zone_dn = ldb_dn_copy(tmp_ctx, dn);
1531 if (zone_dn == NULL) {
1532 talloc_free(tmp_ctx);
1533 return ISC_R_NOMEMORY;
1536 if (!b9_has_soa(state, zone_dn, zone)) {
1540 if (b9_zone_exists(state, zone)) {
1541 state->log(ISC_LOG_WARNING, "samba_dlz: Ignoring duplicate zone '%s' from '%s'",
1542 zone, ldb_dn_get_linearized(zone_dn));
1546 if (!b9_zone_add(state, zone)) {
1547 talloc_free(tmp_ctx);
1548 return ISC_R_NOMEMORY;
1551 result = state->writeable_zone(view, dlzdb, zone);
1552 if (result != ISC_R_SUCCESS) {
1553 state->log(ISC_LOG_ERROR, "samba_dlz: Failed to configure zone '%s'",
1555 talloc_free(tmp_ctx);
1558 state->log(ISC_LOG_INFO, "samba_dlz: configured writeable zone '%s'", zone);
1562 talloc_free(tmp_ctx);
1563 return ISC_R_SUCCESS;
1567 authorize a zone update
1569 _PUBLIC_ isc_boolean_t dlz_ssumatch(const char *signer, const char *name, const char *tcpaddr,
1570 const char *type, const char *key, uint32_t keydatalen, uint8_t *keydata,
1573 struct timeval start = timeval_current();
1574 struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data);
1575 TALLOC_CTX *tmp_ctx;
1577 struct cli_credentials *server_credentials;
1579 char *keytab_file = NULL;
1583 struct gensec_security *gensec_ctx;
1584 struct auth_session_info *session_info;
1587 struct ldb_result *res;
1588 const char * attrs[] = { NULL };
1589 uint32_t access_mask;
1590 struct gensec_settings *settings = NULL;
1591 const struct gensec_security_ops **backends = NULL;
1593 isc_boolean_t result = ISC_FALSE;
1597 /* Remove cached credentials, if any */
1598 if (state->session_info) {
1599 talloc_free(state->session_info);
1600 state->session_info = NULL;
1602 if (state->update_name) {
1603 talloc_free(state->update_name);
1604 state->update_name = NULL;
1607 tmp_ctx = talloc_new(state);
1608 if (tmp_ctx == NULL) {
1609 state->log(ISC_LOG_ERROR, "samba_dlz: no memory");
1614 ap_req = data_blob_const(keydata, keydatalen);
1615 server_credentials = cli_credentials_init(tmp_ctx);
1616 if (!server_credentials) {
1617 state->log(ISC_LOG_ERROR, "samba_dlz: failed to init server credentials");
1618 talloc_free(tmp_ctx);
1623 status = cli_credentials_set_krb5_context(server_credentials,
1624 state->smb_krb5_ctx);
1625 if (!NT_STATUS_IS_OK(status)) {
1626 state->log(ISC_LOG_ERROR,
1627 "samba_dlz: failed to set krb5 context");
1628 talloc_free(tmp_ctx);
1633 ok = cli_credentials_set_conf(server_credentials, state->lp);
1635 state->log(ISC_LOG_ERROR,
1636 "samba_dlz: failed to load smb.conf");
1637 talloc_free(tmp_ctx);
1642 keytab_file = talloc_asprintf(tmp_ctx,
1644 lpcfg_binddns_dir(state->lp));
1645 if (keytab_file == NULL) {
1646 state->log(ISC_LOG_ERROR, "samba_dlz: Out of memory!");
1647 talloc_free(tmp_ctx);
1652 if (!file_exist(keytab_file)) {
1653 keytab_file = talloc_asprintf(tmp_ctx,
1655 lpcfg_private_dir(state->lp));
1656 if (keytab_file == NULL) {
1657 state->log(ISC_LOG_ERROR, "samba_dlz: Out of memory!");
1658 talloc_free(tmp_ctx);
1664 keytab_name = talloc_asprintf(tmp_ctx, "FILE:%s", keytab_file);
1665 if (keytab_name == NULL) {
1666 state->log(ISC_LOG_ERROR, "samba_dlz: Out of memory!");
1667 talloc_free(tmp_ctx);
1672 ret = cli_credentials_set_keytab_name(server_credentials, state->lp, keytab_name,
1675 state->log(ISC_LOG_ERROR, "samba_dlz: failed to obtain server credentials from %s",
1677 talloc_free(tmp_ctx);
1681 talloc_free(keytab_name);
1683 settings = lpcfg_gensec_settings(tmp_ctx, state->lp);
1684 if (settings == NULL) {
1685 state->log(ISC_LOG_ERROR, "samba_dlz: lpcfg_gensec_settings failed");
1686 talloc_free(tmp_ctx);
1690 backends = talloc_zero_array(settings,
1691 const struct gensec_security_ops *, 3);
1692 if (backends == NULL) {
1693 state->log(ISC_LOG_ERROR, "samba_dlz: talloc_zero_array gensec_security_ops failed");
1694 talloc_free(tmp_ctx);
1698 settings->backends = backends;
1702 backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_KERBEROS5);
1703 backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
1705 nt_status = gensec_server_start(tmp_ctx, settings,
1706 state->auth_context, &gensec_ctx);
1707 if (!NT_STATUS_IS_OK(nt_status)) {
1708 state->log(ISC_LOG_ERROR, "samba_dlz: failed to start gensec server");
1709 talloc_free(tmp_ctx);
1714 gensec_set_credentials(gensec_ctx, server_credentials);
1716 nt_status = gensec_start_mech_by_oid(gensec_ctx, GENSEC_OID_SPNEGO);
1717 if (!NT_STATUS_IS_OK(nt_status)) {
1718 state->log(ISC_LOG_ERROR, "samba_dlz: failed to start spnego");
1719 talloc_free(tmp_ctx);
1725 * We only allow SPNEGO/KRB5 and make sure the backend
1726 * to is RPC/IPC free.
1728 * See gensec_gssapi_update_internal() as
1731 * It allows gensec_update() not to block.
1733 * If that changes in future we need to use
1734 * gensec_update_send/recv here!
1736 nt_status = gensec_update(gensec_ctx, tmp_ctx, ap_req, &ap_req);
1737 if (!NT_STATUS_IS_OK(nt_status)) {
1738 state->log(ISC_LOG_ERROR, "samba_dlz: spnego update failed");
1739 talloc_free(tmp_ctx);
1744 nt_status = gensec_session_info(gensec_ctx, tmp_ctx, &session_info);
1745 if (!NT_STATUS_IS_OK(nt_status)) {
1746 state->log(ISC_LOG_ERROR, "samba_dlz: failed to create session info");
1747 talloc_free(tmp_ctx);
1752 /* Get the DN from name */
1753 rc = b9_find_name_dn(state, name, tmp_ctx, &dn);
1754 if (rc != ISC_R_SUCCESS) {
1755 state->log(ISC_LOG_ERROR, "samba_dlz: failed to find name %s", name);
1756 talloc_free(tmp_ctx);
1761 /* make sure the dn exists, or find parent dn in case new object is being added */
1762 ldb_ret = ldb_search(state->samdb, tmp_ctx, &res, dn, LDB_SCOPE_BASE,
1763 attrs, "objectClass=dnsNode");
1764 if (ldb_ret == LDB_ERR_NO_SUCH_OBJECT) {
1765 ldb_dn_remove_child_components(dn, 1);
1766 access_mask = SEC_ADS_CREATE_CHILD;
1768 } else if (ldb_ret == LDB_SUCCESS) {
1769 access_mask = SEC_STD_REQUIRED | SEC_ADS_SELF_WRITE;
1772 talloc_free(tmp_ctx);
1778 ldb_ret = dsdb_check_access_on_dn(state->samdb, tmp_ctx, dn,
1779 session_info->security_token,
1781 if (ldb_ret != LDB_SUCCESS) {
1782 state->log(ISC_LOG_INFO,
1783 "samba_dlz: disallowing update of signer=%s name=%s type=%s error=%s",
1784 signer, name, type, ldb_strerror(ldb_ret));
1785 talloc_free(tmp_ctx);
1790 /* Cache session_info, so it can be used in the actual add/delete operation */
1791 state->update_name = talloc_strdup(state, name);
1792 if (state->update_name == NULL) {
1793 state->log(ISC_LOG_ERROR, "samba_dlz: memory allocation error");
1794 talloc_free(tmp_ctx);
1798 state->session_info = talloc_steal(state, session_info);
1800 state->log(ISC_LOG_INFO, "samba_dlz: allowing update of signer=%s name=%s tcpaddr=%s type=%s key=%s",
1801 signer, name, tcpaddr, type, key);
1803 talloc_free(tmp_ctx);
1806 DNS_COMMON_LOG_OPERATION(
1807 isc_result_str(result),
1817 see if two dns records match
1819 static bool b9_record_match(struct dnsp_DnssrvRpcRecord *rec1,
1820 struct dnsp_DnssrvRpcRecord *rec2)
1822 if (rec1->wType != rec2->wType) {
1825 /* see if this type is single valued */
1826 if (b9_single_valued(rec1->wType)) {
1830 return dns_record_match(rec1, rec2);
1834 * Update session_info on samdb using the cached credentials
1836 static bool b9_set_session_info(struct dlz_bind9_data *state, const char *name)
1840 if (state->update_name == NULL || state->session_info == NULL) {
1841 state->log(ISC_LOG_ERROR, "samba_dlz: invalid credentials");
1845 /* Do not use client credentials, if we're not updating the client specified name */
1846 if (strcmp(state->update_name, name) != 0) {
1850 ret = ldb_set_opaque(
1853 state->session_info);
1854 if (ret != LDB_SUCCESS) {
1855 state->log(ISC_LOG_ERROR, "samba_dlz: unable to set session info");
1863 * Reset session_info on samdb as system session
1865 static void b9_reset_session_info(struct dlz_bind9_data *state)
1870 system_session(state->lp));
1874 add or modify a rdataset
1876 _PUBLIC_ isc_result_t dlz_addrdataset(const char *name, const char *rdatastr, void *dbdata, void *version)
1878 struct timeval start = timeval_current();
1879 struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data);
1880 struct dnsp_DnssrvRpcRecord *rec;
1882 isc_result_t result = ISC_R_SUCCESS;
1883 bool tombstoned = false;
1884 bool needs_add = false;
1885 struct dnsp_DnssrvRpcRecord *recs = NULL;
1886 uint16_t num_recs = 0;
1891 if (state->transaction_token != (void*)version) {
1892 state->log(ISC_LOG_INFO, "samba_dlz: bad transaction version");
1893 result = ISC_R_FAILURE;
1897 rec = talloc_zero(state, struct dnsp_DnssrvRpcRecord);
1899 result = ISC_R_NOMEMORY;
1903 rec->rank = DNS_RANK_ZONE;
1905 if (!b9_parse(state, rdatastr, rec)) {
1906 state->log(ISC_LOG_INFO, "samba_dlz: failed to parse rdataset '%s'", rdatastr);
1908 result = ISC_R_FAILURE;
1912 /* find the DN of the record */
1913 result = b9_find_name_dn(state, name, rec, &dn);
1914 if (result != ISC_R_SUCCESS) {
1919 /* get any existing records */
1920 werr = dns_common_lookup(state->samdb, rec, dn,
1921 &recs, &num_recs, &tombstoned);
1922 if (W_ERROR_EQUAL(werr, WERR_DNS_ERROR_NAME_DOES_NOT_EXIST)) {
1926 if (!W_ERROR_IS_OK(werr)) {
1927 state->log(ISC_LOG_ERROR, "samba_dlz: failed to parse dnsRecord for %s, %s",
1928 ldb_dn_get_linearized(dn), win_errstr(werr));
1930 result = ISC_R_FAILURE;
1936 * we need to keep the existing tombstone record
1942 /* there may be existing records. We need to see if this will
1943 * replace a record or add to it
1945 for (i=first; i < num_recs; i++) {
1946 if (b9_record_match(rec, &recs[i])) {
1950 if (i == UINT16_MAX) {
1951 state->log(ISC_LOG_ERROR,
1952 "samba_dlz: failed to find record to modify, and "
1953 "there are already %u dnsRecord values for %s",
1954 i, ldb_dn_get_linearized(dn));
1956 result = ISC_R_FAILURE;
1960 if (i == num_recs) {
1961 /* set dwTimeStamp before increasing num_recs */
1962 if (dns_name_is_static(recs, num_recs)) {
1963 rec->dwTimeStamp = 0;
1965 rec->dwTimeStamp = unix_to_dns_timestamp(time(NULL));
1967 /* adding space for a new value */
1968 recs = talloc_realloc(rec, recs,
1969 struct dnsp_DnssrvRpcRecord,
1973 result = ISC_R_NOMEMORY;
1979 * We are updating a record. Depending on whether aging is
1980 * enabled, and how old the old timestamp is,
1981 * dns_common_replace() will work out whether to bump the
1982 * timestamp or not. But to do that, we need to tell it the
1985 if (! dns_name_is_static(recs, num_recs)) {
1986 rec->dwTimeStamp = recs[i].dwTimeStamp;
1992 if (!b9_set_session_info(state, name)) {
1994 result = ISC_R_FAILURE;
1998 /* modify the record */
1999 werr = dns_common_replace(state->samdb, rec, dn,
2003 b9_reset_session_info(state);
2004 if (!W_ERROR_IS_OK(werr)) {
2005 state->log(ISC_LOG_ERROR, "samba_dlz: failed to %s %s - %s",
2006 needs_add ? "add" : "modify",
2007 ldb_dn_get_linearized(dn), win_errstr(werr));
2009 result = ISC_R_FAILURE;
2013 state->log(ISC_LOG_INFO, "samba_dlz: added rdataset %s '%s'", name, rdatastr);
2017 DNS_COMMON_LOG_OPERATION(
2018 isc_result_str(result),
2029 _PUBLIC_ isc_result_t dlz_subrdataset(const char *name, const char *rdatastr, void *dbdata, void *version)
2031 struct timeval start = timeval_current();
2032 struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data);
2033 struct dnsp_DnssrvRpcRecord *rec;
2035 isc_result_t result = ISC_R_SUCCESS;
2036 struct dnsp_DnssrvRpcRecord *recs = NULL;
2037 uint16_t num_recs = 0;
2041 if (state->transaction_token != (void*)version) {
2042 state->log(ISC_LOG_ERROR, "samba_dlz: bad transaction version");
2043 result = ISC_R_FAILURE;
2047 rec = talloc_zero(state, struct dnsp_DnssrvRpcRecord);
2049 result = ISC_R_NOMEMORY;
2053 if (!b9_parse(state, rdatastr, rec)) {
2054 state->log(ISC_LOG_ERROR, "samba_dlz: failed to parse rdataset '%s'", rdatastr);
2056 result = ISC_R_FAILURE;
2060 /* find the DN of the record */
2061 result = b9_find_name_dn(state, name, rec, &dn);
2062 if (result != ISC_R_SUCCESS) {
2067 /* get the existing records */
2068 werr = dns_common_lookup(state->samdb, rec, dn,
2069 &recs, &num_recs, NULL);
2070 if (!W_ERROR_IS_OK(werr)) {
2072 result = ISC_R_NOTFOUND;
2076 for (i=0; i < num_recs; i++) {
2077 if (b9_record_match(rec, &recs[i])) {
2078 recs[i] = (struct dnsp_DnssrvRpcRecord) {
2079 .wType = DNS_TYPE_TOMBSTONE,
2084 if (i == num_recs) {
2086 result = ISC_R_NOTFOUND;
2090 if (!b9_set_session_info(state, name)) {
2092 result = ISC_R_FAILURE;
2096 /* modify the record */
2097 werr = dns_common_replace(state->samdb, rec, dn,
2098 false,/* needs_add */
2101 b9_reset_session_info(state);
2102 if (!W_ERROR_IS_OK(werr)) {
2103 state->log(ISC_LOG_ERROR, "samba_dlz: failed to modify %s - %s",
2104 ldb_dn_get_linearized(dn), win_errstr(werr));
2106 result = ISC_R_FAILURE;
2110 state->log(ISC_LOG_INFO, "samba_dlz: subtracted rdataset %s '%s'", name, rdatastr);
2114 DNS_COMMON_LOG_OPERATION(
2115 isc_result_str(result),
2125 delete all records of the given type
2127 _PUBLIC_ isc_result_t dlz_delrdataset(const char *name, const char *type, void *dbdata, void *version)
2129 struct timeval start = timeval_current();
2130 struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data);
2131 TALLOC_CTX *tmp_ctx;
2133 isc_result_t result = ISC_R_SUCCESS;
2134 enum dns_record_type dns_type;
2136 struct dnsp_DnssrvRpcRecord *recs = NULL;
2137 uint16_t num_recs = 0;
2141 if (state->transaction_token != (void*)version) {
2142 state->log(ISC_LOG_ERROR, "samba_dlz: bad transaction version");
2143 result = ISC_R_FAILURE;
2147 if (!b9_dns_type(type, &dns_type)) {
2148 state->log(ISC_LOG_ERROR, "samba_dlz: bad dns type %s in delete", type);
2149 result = ISC_R_FAILURE;
2153 tmp_ctx = talloc_new(state);
2155 /* find the DN of the record */
2156 result = b9_find_name_dn(state, name, tmp_ctx, &dn);
2157 if (result != ISC_R_SUCCESS) {
2158 talloc_free(tmp_ctx);
2162 /* get the existing records */
2163 werr = dns_common_lookup(state->samdb, tmp_ctx, dn,
2164 &recs, &num_recs, NULL);
2165 if (!W_ERROR_IS_OK(werr)) {
2166 talloc_free(tmp_ctx);
2167 result = ISC_R_NOTFOUND;
2171 for (ri=0; ri < num_recs; ri++) {
2172 if (dns_type != recs[ri].wType) {
2177 recs[ri] = (struct dnsp_DnssrvRpcRecord) {
2178 .wType = DNS_TYPE_TOMBSTONE,
2183 talloc_free(tmp_ctx);
2184 result = ISC_R_FAILURE;
2188 if (!b9_set_session_info(state, name)) {
2189 talloc_free(tmp_ctx);
2190 result = ISC_R_FAILURE;
2194 /* modify the record */
2195 werr = dns_common_replace(state->samdb, tmp_ctx, dn,
2196 false,/* needs_add */
2199 b9_reset_session_info(state);
2200 if (!W_ERROR_IS_OK(werr)) {
2201 state->log(ISC_LOG_ERROR, "samba_dlz: failed to modify %s - %s",
2202 ldb_dn_get_linearized(dn), win_errstr(werr));
2203 talloc_free(tmp_ctx);
2204 result = ISC_R_FAILURE;
2208 state->log(ISC_LOG_INFO, "samba_dlz: deleted rdataset %s of type %s", name, type);
2210 talloc_free(tmp_ctx);
2212 DNS_COMMON_LOG_OPERATION(
2213 isc_result_str(result),