examples: add bind9 patches for TSIG-GSS support
authorAndrew Tridgell <tridge@samba.org>
Wed, 17 Feb 2010 05:34:33 +0000 (16:34 +1100)
committerAndrew Tridgell <tridge@samba.org>
Wed, 17 Feb 2010 08:43:32 +0000 (19:43 +1100)
We will point at these from the Samba4 HOWTO

examples/bind9-patches/0001-leave-the-question-section-in-update-responses.patch [new file with mode: 0644]
examples/bind9-patches/0002-prevent-a-valgrind-uninitialised-memory-warning.patch [new file with mode: 0644]
examples/bind9-patches/0003-don-t-compress-TSIG-names.patch [new file with mode: 0644]
examples/bind9-patches/0004-If-tkey-gssapi-initialisation-fails-then-heck-for-th.patch [new file with mode: 0644]
examples/bind9-patches/0005-windows-doesn-t-return-valid-GSSAPI-sequence-numbers.patch [new file with mode: 0644]
examples/bind9-patches/README [new file with mode: 0644]

diff --git a/examples/bind9-patches/0001-leave-the-question-section-in-update-responses.patch b/examples/bind9-patches/0001-leave-the-question-section-in-update-responses.patch
new file mode 100644 (file)
index 0000000..3716dd4
--- /dev/null
@@ -0,0 +1,29 @@
+From 1d97835f07fd5142187629941422f87b33015414 Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell <tridge@samba.org>
+Date: Wed, 17 Feb 2010 10:47:59 +1100
+Subject: [PATCH 1/5] leave the question section in update responses.
+
+This fixes TSIG-GSS updates from windows7 and w2k8r2, which require
+the question to be included in the initial refusal for the unsigned
+update.
+---
+ lib/dns/message.c |    3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/lib/dns/message.c b/lib/dns/message.c
+index b541635..ae4965f 100644
+--- a/lib/dns/message.c
++++ b/lib/dns/message.c
+@@ -2474,7 +2474,8 @@ dns_message_reply(dns_message_t *msg, isc_boolean_t want_question_section) {
+       if (!msg->header_ok)
+               return (DNS_R_FORMERR);
+       if (msg->opcode != dns_opcode_query &&
+-          msg->opcode != dns_opcode_notify)
++          msg->opcode != dns_opcode_notify &&
++          msg->opcode != dns_opcode_update)
+               want_question_section = ISC_FALSE;
+       if (want_question_section) {
+               if (!msg->question_ok)
+--
+1.6.3.3
+
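Review bot: The new `msg->opcode != dns_opcode_update` arm carries no comment saying why update responses now keep the question section, so the next reader sees an unrelated behavioural change whose rationale lives only in the patch description. A one-line comment such as `/* update responses keep the question (zone) section: Windows TSIG-GSS clients need it in the initial refusal of the unsigned update */` would pin it down next to the code. Note the change applies to every update response, not only TSIG-GSS ones; as far as I recall RFC 2136 allows the responder either to echo or to omit the request sections, so this is a compatible choice rather than a correctness fix, and the comment could say that too. dns_message_reply continues outside the hunk.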
diff --git a/examples/bind9-patches/0002-prevent-a-valgrind-uninitialised-memory-warning.patch b/examples/bind9-patches/0002-prevent-a-valgrind-uninitialised-memory-warning.patch
new file mode 100644 (file)
index 0000000..22f0ce4
--- /dev/null
@@ -0,0 +1,34 @@
+From 31059dee4a706bb4f25f3dccaae7616451eabd8b Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell <tridge@samba.org>
+Date: Wed, 17 Feb 2010 10:59:42 +1100
+Subject: [PATCH 2/5] prevent a valgrind uninitialised memory warning
+
+epoll uses a union, so to prevent passing uninitialised data in a
+syscall we need to zero it before use.
+---
+ lib/isc/unix/socket.c |    2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c
+index d09fe51..4796ee4 100644
+--- a/lib/isc/unix/socket.c
++++ b/lib/isc/unix/socket.c
+@@ -652,6 +652,7 @@ watch_fd(isc_socketmgr_t *manager, int fd, int msg) {
+               event.events = EPOLLIN;
+       else
+               event.events = EPOLLOUT;
++      memset(&event.data, 0, sizeof(event.data));
+       event.data.fd = fd;
+       if (epoll_ctl(manager->epoll_fd, EPOLL_CTL_ADD, fd, &event) == -1 &&
+           errno != EEXIST) {
+@@ -719,6 +720,7 @@ unwatch_fd(isc_socketmgr_t *manager, int fd, int msg) {
+               event.events = EPOLLIN;
+       else
+               event.events = EPOLLOUT;
++      memset(&event.data, 0, sizeof(event.data));
+       event.data.fd = fd;
+       if (epoll_ctl(manager->epoll_fd, EPOLL_CTL_DEL, fd, &event) == -1 &&
+           errno != ENOENT) {
+--
+1.6.3.3
+
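Review bot: Both added `memset(&event.data, 0, sizeof(event.data))` lines zero only the union, immediately before `event.data.fd = fd` overwrites part of it, and the rest of `event` (declared earlier in watch_fd and unwatch_fd, outside the hunk) is still only as initialised as the caller makes it. Zeroing the whole object once at its declaration, `struct epoll_event event = { 0 };` or `memset(&event, 0, sizeof(event));`, would cover any padding the structure may have on a given ABI as well as the union tail, and would state the intent in one place instead of two. The behaviour is otherwise fine; this is a point of style. Both enclosing functions start before the hunk.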
diff --git a/examples/bind9-patches/0003-don-t-compress-TSIG-names.patch b/examples/bind9-patches/0003-don-t-compress-TSIG-names.patch
new file mode 100644 (file)
index 0000000..e92dce3
--- /dev/null
@@ -0,0 +1,58 @@
+From ec22ed6c9797dbdcd820e352167bef8500ca00c6 Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell <tridge@samba.org>
+Date: Wed, 17 Feb 2010 12:20:35 +1100
+Subject: [PATCH 3/5] don't compress TSIG names
+
+windows DNS servers will refuse TSIG-GSS requests with compressed
+names
+---
+ bin/nsupdate/nsupdate.c |    4 ++++
+ lib/dns/message.c       |    2 ++
+ lib/dns/tsig.c          |    3 +++
+ 3 files changed, 9 insertions(+), 0 deletions(-)
+
+diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
+index 6cf4cf4..f7ce6db 100644
+--- a/bin/nsupdate/nsupdate.c
++++ b/bin/nsupdate/nsupdate.c
+@@ -1985,6 +1985,10 @@ send_update(dns_name_t *zonename, isc_sockaddr_t *master,
+               fprintf(stderr, "Sending update to %s\n", addrbuf);
+       }
+
++      /* windows doesn't like the tsig name to be compressed */
++      if (updatemsg->tsigname)
++              updatemsg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
++
+       result = dns_request_createvia3(requestmgr, updatemsg, srcaddr,
+                                       master, options, tsigkey, timeout,
+                                       udp_timeout, udp_retries, global_task,
+diff --git a/lib/dns/message.c b/lib/dns/message.c
+index ae4965f..cb4528f 100644
+--- a/lib/dns/message.c
++++ b/lib/dns/message.c
+@@ -1531,6 +1531,8 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
+               } else if (rdtype == dns_rdatatype_tsig && msg->tsig == NULL) {
+                       msg->tsig = rdataset;
+                       msg->tsigname = name;
++                      /* TSIG names should not be compressed */
++                      msg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
+                       rdataset = NULL;
+                       free_rdataset = ISC_FALSE;
+                       free_name = ISC_FALSE;
+diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
+index 74a7af3..3223942 100644
+--- a/lib/dns/tsig.c
++++ b/lib/dns/tsig.c
+@@ -889,6 +889,9 @@ dns_tsig_sign(dns_message_t *msg) {
+       msg->tsig = dataset;
+       msg->tsigname = owner;
+
++      /* windows does not like the tsig name being compressed */
++      msg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
++
+       return (ISC_R_SUCCESS);
+
+  cleanup_rdatalist:
+--
+1.6.3.3
+
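Review bot: The three sites set `DNS_NAMEATTR_NOCOMPRESS` inconsistently: nsupdate.c guards with `if (updatemsg->tsigname)`, while the tsig.c and message.c hunks dereference `msg->tsigname` unconditionally right after assigning it from `owner` / `name`, which is safe only if those locals are non-NULL at that point (the context suggests so but does not show it). Since dns_tsig_sign now marks the name when it attaches the TSIG record, the nsupdate.c change looks redundant unless `updatemsg->tsigname` is already populated before signing; worth confirming, and if it is kept, a comment stating why both are needed would save the next reader the same question. The rationale is written three times in slightly different words (`windows doesn't like the tsig name to be compressed`, `TSIG names should not be compressed`, `windows does not like the tsig name being compressed`); one wording, naming the interoperability constraint rather than the vendor, would be easier to grep for. All three enclosing functions continue outside the hunks.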
diff --git a/examples/bind9-patches/0004-If-tkey-gssapi-initialisation-fails-then-heck-for-th.patch b/examples/bind9-patches/0004-If-tkey-gssapi-initialisation-fails-then-heck-for-th.patch
new file mode 100644 (file)
index 0000000..3130a05
--- /dev/null
@@ -0,0 +1,94 @@
+From c73ceb48ffc518e171d1d40b82ae2b5f603fe038 Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell <tridge@samba.org>
+Date: Wed, 17 Feb 2010 15:27:44 +1100
+Subject: [PATCH 4/5] If tkey-gssapi initialisation fails, then heck for the most common
+ configuration errors so that the admin doesn't spend all day trying to
+ work out why the config is broken.
+
+---
+ lib/dns/gssapictx.c |   48 ++++++++++++++++++++++++++++++++++++++++++++++++
+ 1 files changed, 48 insertions(+), 0 deletions(-)
+
+diff --git a/lib/dns/gssapictx.c b/lib/dns/gssapictx.c
+index 11eadb9..879393c 100644
+--- a/lib/dns/gssapictx.c
++++ b/lib/dns/gssapictx.c
+@@ -66,6 +66,7 @@
+  * we include SPNEGO's OID.
+  */
+ #if defined(GSSAPI)
++#include <krb5/krb5.h>
+
+ static unsigned char krb5_mech_oid_bytes[] = {
+       0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02
+@@ -191,6 +192,50 @@ log_cred(const gss_cred_id_t cred) {
+ }
+ #endif
+
++#ifdef GSSAPI
++/*
++ * check for the most common configuration errors.
++ *
++ * The errors checked for are:
++ *   - tkey-gssapi-credential doesn't start with DNS/
++ *   - the default realm in /etc/krb5.conf and the
++ *     tkey-gssapi-credential bind config option don't match
++ */
++static void dst_gssapi_check_config(const char *gss_name)
++{
++      const char *p;
++      krb5_context krb5_ctx;
++      char *krb5_realm = NULL;
++
++      if (strncasecmp(gss_name, "DNS/", 4) != 0) {
++              gss_log(ISC_LOG_ERROR, "tkey-gssapi-credential (%s) should start with 'DNS/'");
++              return;
++      }
++
++      if (krb5_init_context(&krb5_ctx) != 0) {
++              gss_log(ISC_LOG_ERROR, "Unable to initialise krb5 context");
++              return;
++      }
++      if (krb5_get_default_realm(krb5_ctx, &krb5_realm) != 0) {
++              gss_log(ISC_LOG_ERROR, "Unable to get krb5 default realm");
++              krb5_free_context(krb5_ctx);
++              return;
++      }
++      if (!(p = strchr(gss_name, '/'))) {
++              gss_log(ISC_LOG_ERROR, "badly formatted tkey-gssapi-credentials (%s)", gss_name);
++              krb5_free_context(krb5_ctx);
++              return;
++      }
++      if (strcasecmp(p+1, krb5_realm) != 0) {
++              gss_log(ISC_LOG_ERROR,"default realm from krb5.conf (%s) does not match tkey-gssapi-credential (%s)",
++                      krb5_realm, gss_name);
++              krb5_free_context(krb5_ctx);
++              return;
++      }
++      krb5_free_context(krb5_ctx);
++}
++#endif
++
+ isc_result_t
+ dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
+                      gss_cred_id_t *cred)
+@@ -223,6 +268,8 @@ dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
+               gret = gss_import_name(&minor, &gnamebuf,
+                                      GSS_C_NO_OID, &gname);
+               if (gret != GSS_S_COMPLETE) {
++                      dst_gssapi_check_config((char *)array);
++
+                       gss_log(3, "failed gss_import_name: %s",
+                               gss_error_tostring(gret, minor, buf,
+                                                  sizeof(buf)));
+@@ -254,6 +301,7 @@ dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
+                       initiate ? "initiate" : "accept",
+                       (char *)gnamebuf.value,
+                       gss_error_tostring(gret, minor, buf, sizeof(buf)));
++              dst_gssapi_check_config((char *)array);
+               return (ISC_R_FAILURE);
+       }
+
+--
+1.6.3.3
+
diff --git a/examples/bind9-patches/0005-windows-doesn-t-return-valid-GSSAPI-sequence-numbers.patch b/examples/bind9-patches/0005-windows-doesn-t-return-valid-GSSAPI-sequence-numbers.patch
new file mode 100644 (file)
index 0000000..a44813d
--- /dev/null
@@ -0,0 +1,30 @@
+From 0f6a49d9fb4a3b9f917ee9caed3a94e44db045a5 Mon Sep 17 00:00:00 2001
+From: Andrew Tridgell <tridge@samba.org>
+Date: Wed, 17 Feb 2010 15:28:51 +1100
+Subject: [PATCH 5/5] windows doesn't return valid GSSAPI sequence numbers on its
+ TSIG-GSS DNS update replies
+
+---
+ lib/dns/gssapictx.c |    5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+diff --git a/lib/dns/gssapictx.c b/lib/dns/gssapictx.c
+index 879393c..69b66c5 100644
+--- a/lib/dns/gssapictx.c
++++ b/lib/dns/gssapictx.c
+@@ -536,8 +536,11 @@ dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
+               gintokenp = NULL;
+       }
+
++      /* note that we don't set GSS_C_SEQUENCE_FLAG as Windows DNS
++       * servers don't like it
++       */
+       flags = GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG |
+-              GSS_C_SEQUENCE_FLAG | GSS_C_INTEG_FLAG;
++              GSS_C_INTEG_FLAG;
+
+       gret = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, gssctx,
+                                   gname, GSS_SPNEGO_MECHANISM, flags,
+--
+1.6.3.3
+
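Review bot: Dropping `GSS_C_SEQUENCE_FLAG` disables GSS-API out-of-sequence detection for every peer dst_gssapi_initctx negotiates with, not only Windows DNS servers, and the added comment records the interoperability reason but not that trade-off. `GSS_C_REPLAY_FLAG` is kept and TSIG's own time-signed/fudge window still applies, so this weakens rather than removes the protection, but the comment should say so, e.g. `/* GSS_C_SEQUENCE_FLAG is omitted because Windows DNS servers reject it; replay detection and the TSIG time window remain the only protection against replayed or reordered messages */`. If non-Windows peers are a target, making the flag conditional on configuration would let the stricter setting be restored where it is accepted. The rest of dst_gssapi_initctx lies outside the hunk.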
diff --git a/examples/bind9-patches/README b/examples/bind9-patches/README
new file mode 100644 (file)
index 0000000..172d0e6
--- /dev/null
@@ -0,0 +1,5 @@
+These patches fix the TSIG-GSS dynamic DNS updates in bind9 to allow
+dynamic updates to work with recent windows versions.
+
+The patches were developed against bind9 version 9.6.1, and were
+tested on Ubuntu Karmic.