From: Kai Blin Date: Fri, 16 Dec 2011 13:25:57 +0000 (+0100) Subject: s4 dns: Allow updates based on smb.conf setting X-Git-Url: http://git.samba.org/?p=mat%2Fsamba.git;a=commitdiff_plain;h=b1fdf4065e4569e58ffceb44e9f4105fa1f8740e s4 dns: Allow updates based on smb.conf setting Autobuild-User: Kai Blin Autobuild-Date: Sat Dec 17 04:19:40 CET 2011 on sn-devel-104 --- diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index 8ed9ced221..2c59a3ed69 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -65,6 +65,7 @@ #include "s3_param.h" #include "lib/util/bitmap.h" #include "libcli/smb/smb_constants.h" +#include "source4/dns_server/dns_update.h" #define standard_sub_basic talloc_strdup @@ -1223,6 +1224,14 @@ static struct parm_struct parm_table[] = { .special = NULL, .enum_list = NULL }, + { + .label = "allow dns updates", + .type = P_ENUM, + .p_class = P_GLOBAL, + .offset = GLOBAL_VAR(allow_dns_updates), + .special = NULL, + .enum_list = enum_dns_update_settings + }, {NULL, P_BOOL, P_NONE, 0, NULL, NULL, 0} }; @@ -1503,6 +1512,7 @@ FN_GLOBAL_INTEGER(srv_minprotocol, srv_minprotocol) FN_GLOBAL_INTEGER(cli_maxprotocol, cli_maxprotocol) FN_GLOBAL_INTEGER(cli_minprotocol, cli_minprotocol) FN_GLOBAL_BOOL(paranoid_server_security, paranoid_server_security) +FN_GLOBAL_INTEGER(allow_dns_updates, allow_dns_updates) FN_GLOBAL_INTEGER(server_signing, server_signing) FN_GLOBAL_INTEGER(client_signing, client_signing) @@ -3362,6 +3372,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lpcfg_do_global_parameter(lp_ctx, "rndc command", "/usr/sbin/rndc"); lpcfg_do_global_parameter(lp_ctx, "nsupdate command", "/usr/bin/nsupdate -g"); + lpcfg_do_global_parameter(lp_ctx, "allow dns updates", "False"); + for (i = 0; parm_table[i].label; i++) { if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) { lp_ctx->flags[i] |= FLAG_DEFAULT; diff --git a/lib/param/param.h b/lib/param/param.h index f6823859d8..079ef8b9a6 100644 --- a/lib/param/param.h +++ b/lib/param/param.h 
@@ -56,6 +56,7 @@ const char *lpcfg_realm(struct loadparm_context *); const char *lpcfg_netbios_name(struct loadparm_context *); const char *lpcfg_private_dir(struct loadparm_context *); int lpcfg_server_role(struct loadparm_context *); +int lpcfg_allow_dns_updates(struct loadparm_context *); void reload_charcnv(struct loadparm_context *lp_ctx); diff --git a/lib/param/param_enums.c b/lib/param/param_enums.c index 9307a0c650..d30458fa5d 100644 --- a/lib/param/param_enums.c +++ b/lib/param/param_enums.c @@ -107,3 +107,11 @@ static const struct enum_list enum_smb_signing_vals[] = { {SMB_SIGNING_REQUIRED, "enforced"}, {-1, NULL} }; + +/* DNS update options. */ +static const struct enum_list enum_dns_update_settings[] = { + {DNS_UPDATE_OFF, "False"}, + {DNS_UPDATE_ON, "True"}, + {DNS_UPDATE_SIGNED, "signed"}, + {-1, NULL} +}; diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index e0da6fdf1d..1bd2733858 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -68,6 +68,7 @@ #include "dbwrap/dbwrap.h" #include "dbwrap/dbwrap_rbt.h" #include "../lib/util/bitmap.h" +#include "../source4/dns_server/dns_update.h" #ifdef HAVE_SYS_SYSCTL_H #include diff --git a/source4/dns_server/dns_update.c b/source4/dns_server/dns_update.c index ccbeed9ff8..3fd612cfab 100644 --- a/source4/dns_server/dns_update.c +++ b/source4/dns_server/dns_update.c @@ -25,9 +25,12 @@ #include "librpc/gen_ndr/ndr_dns.h" #include "librpc/gen_ndr/ndr_dnsp.h" #include +#include "param/param.h" #include "dsdb/samdb/samdb.h" #include "dsdb/common/util.h" +#include "smbd/service_task.h" #include "dns_server/dns_server.h" +#include "dns_server/dns_update.h" static WERROR dns_rr_to_dnsp(TALLOC_CTX *mem_ctx, const struct dns_res_rec *rrec, 
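Review bot: The `enum_dns_update_settings` table added to lib/param/param_enums.c recognises only the spellings "False", "True" and "signed", so `allow dns updates = no` or `= yes` in smb.conf will not match any row. How a failed enum lookup is handled is outside this hunk, so confirm whether the result is a load error or a silently kept default. Since this switch decides whether the DNS server accepts dynamic updates, the usual boolean aliases should map explicitly, for example `{DNS_UPDATE_OFF, "No"},` and `{DNS_UPDATE_ON, "Yes"},` next to the existing rows. The `/* DNS update options. */` comment could also spell out what each value permits.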
@@ -653,7 +656,6 @@ WERROR dns_server_process_update(struct dns_server *dns, const struct dns_server_zone *z; size_t host_part_len = 0; WERROR werror = DNS_ERR(NOT_IMPLEMENTED); - bool update_allowed = false; if (in->qdcount != 1) { return DNS_ERR(FORMAT_ERROR); @@ -701,7 +703,7 @@ WERROR dns_server_process_update(struct dns_server *dns, /* TODO: Check if update is allowed, we probably want "always", * key-based GSSAPI, key-based bind-style TSIG and "never" as * smb.conf options. */ - if (!update_allowed) { + if (lpcfg_allow_dns_updates(dns->task->lp_ctx) != DNS_UPDATE_ON) { DEBUG(0, ("Update not allowed.")); return DNS_ERR(REFUSED); } diff --git a/source4/dns_server/dns_update.h b/source4/dns_server/dns_update.h new file mode 100644 index 0000000000..71ff85eda1 --- /dev/null +++ b/source4/dns_server/dns_update.h @@ -0,0 +1,25 @@ +/* + Unix SMB/CIFS implementation. + + DNS update settings + + Copyright (C) 2011 Kai Blin + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ +enum dns_update_settings { + DNS_UPDATE_OFF=0, + DNS_UPDATE_ON=1, + DNS_UPDATE_SIGNED=2 +};
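Review bot: In `dns_server_process_update`, the new test `lpcfg_allow_dns_updates(dns->task->lp_ctx) != DNS_UPDATE_ON` makes `allow dns updates = signed` behave exactly like `False`, and the message "Update not allowed." gives no hint that signed mode is simply not implemented. Conversely, `True` passes this gate with no authentication visible in the hunk, so the setting appears to mean "accept unsigned updates". The partly stale TODO above the check should say so, e.g. `/* DNS_UPDATE_SIGNED is not implemented yet and is refused; DNS_UPDATE_ON accepts unsigned updates. */`. The refusal is also logged at level 0, without a trailing newline, for every rejected packet, which any remote client can trigger repeatedly; `DEBUG(2, ("Update not allowed.\n"));` keeps the log usable. The function body continues outside the hunk, so any later authorization step is not visible here.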
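Review bot: The new header source4/dns_server/dns_update.h has no include guard, although this commit already includes it from lib/param/loadparm.c, source3/param/loadparm.c and dns_update.c. A second inclusion through another header would redefine `enum dns_update_settings` and break the build. Wrap the enum in `#ifndef DNS_SERVER_DNS_UPDATE_H`, `#define DNS_SERVER_DNS_UPDATE_H` and a closing `#endif`. Each enumerator also deserves a one-line comment giving its meaning, in particular that `DNS_UPDATE_SIGNED` is accepted by the parameter parser but refused by the update handler in this commit.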