2 Unix SMB/CIFS implementation.
4 bind9 dlz driver for Samba
6 Copyright (C) 2010 Andrew Tridgell
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "param/param.h"
25 #include "lib/events/events.h"
26 #include "dsdb/samdb/samdb.h"
27 #include "dsdb/common/util.h"
28 #include "auth/auth.h"
29 #include "auth/session.h"
30 #include "auth/gensec/gensec.h"
31 #include "librpc/gen_ndr/security.h"
32 #include "auth/credentials/credentials.h"
33 #include "system/kerberos.h"
34 #include "auth/kerberos/kerberos.h"
35 #include "gen_ndr/ndr_dnsp.h"
36 #include "gen_ndr/server_id.h"
37 #include "messaging/messaging.h"
39 #include "lib/util/dlinklist.h"
40 #include "dlz_minimal.h"
41 #include "dnsserver_common.h"
50 struct b9_zone *prev, *next;
53 struct dlz_bind9_data {
54 struct b9_options options;
55 struct ldb_context *samdb;
56 struct tevent_context *ev_ctx;
57 struct loadparm_context *lp;
58 int *transaction_token;
60 struct b9_zone *zonelist;
62 /* Used for dynamic update */
63 struct smb_krb5_context *smb_krb5_ctx;
64 struct auth4_context *auth_context;
65 struct auth_session_info *session_info;
68 /* helper functions from the dlz_dlopen driver */
70 dns_sdlz_putrr_t *putrr;
71 dns_sdlz_putnamedrr_t *putnamedrr;
72 dns_dlz_writeablezone_t *writeable_zone;
75 static struct dlz_bind9_data *dlz_bind9_state = NULL;
76 static int dlz_bind9_state_ref_count = 0;
78 static const char *zone_prefixes[] = {
79 "CN=MicrosoftDNS,DC=DomainDnsZones",
80 "CN=MicrosoftDNS,DC=ForestDnsZones",
81 "CN=MicrosoftDNS,CN=System",
86 * Get a printable string representation of an isc_result_t
88 static const char *isc_result_str( const isc_result_t result) {
91 return "ISC_R_SUCCESS";
93 return "ISC_R_NOMEMORY";
95 return "ISC_R_NOPERM";
97 return "ISC_R_NOSPACE";
99 return "ISC_R_NOTFOUND";
101 return "ISC_R_FAILURE";
102 case ISC_R_NOTIMPLEMENTED:
103 return "ISC_R_NOTIMPLEMENTED";
105 return "ISC_R_NOMORE";
106 case ISC_R_INVALIDFILE:
107 return "ISC_R_INVALIDFILE";
108 case ISC_R_UNEXPECTED:
109 return "ISC_R_UNEXPECTED";
110 case ISC_R_FILENOTFOUND:
111 return "ISC_R_FILENOTFOUND";
118 return the version of the API
120 _PUBLIC_ int dlz_version(unsigned int *flags)
122 return DLZ_DLOPEN_VERSION;
126 remember a helper function from the bind9 dlz_dlopen driver
128 static void b9_add_helper(struct dlz_bind9_data *state, const char *helper_name, void *ptr)
130 if (strcmp(helper_name, "log") == 0) {
133 if (strcmp(helper_name, "putrr") == 0) {
136 if (strcmp(helper_name, "putnamedrr") == 0) {
137 state->putnamedrr = ptr;
139 if (strcmp(helper_name, "writeable_zone") == 0) {
140 state->writeable_zone = ptr;
145 * Add a trailing '.' if it's missing
147 static const char *b9_format_fqdn(TALLOC_CTX *mem_ctx, const char *str)
152 if (str == NULL || str[0] == '\0') {
157 if (str[len-1] != '.') {
158 tmp = talloc_asprintf(mem_ctx, "%s.", str);
166 format a record for bind9
168 static bool b9_format(struct dlz_bind9_data *state,
170 struct dnsp_DnssrvRpcRecord *rec,
171 const char **type, const char **data)
177 switch (rec->wType) {
180 *data = rec->data.ipv4;
185 *data = rec->data.ipv6;
190 *data = b9_format_fqdn(mem_ctx, rec->data.cname);
195 tmp = talloc_asprintf(mem_ctx, "\"%s\"", rec->data.txt.str[0]);
196 for (i=1; i<rec->data.txt.count; i++) {
197 tmp = talloc_asprintf_append(tmp, " \"%s\"", rec->data.txt.str[i]);
204 *data = b9_format_fqdn(mem_ctx, rec->data.ptr);
209 fqdn = b9_format_fqdn(mem_ctx, rec->data.srv.nameTarget);
213 *data = talloc_asprintf(mem_ctx, "%u %u %u %s",
214 rec->data.srv.wPriority,
215 rec->data.srv.wWeight,
222 fqdn = b9_format_fqdn(mem_ctx, rec->data.mx.nameTarget);
226 *data = talloc_asprintf(mem_ctx, "%u %s",
227 rec->data.mx.wPriority, fqdn);
232 *data = talloc_asprintf(mem_ctx, "%s %s",
239 *data = b9_format_fqdn(mem_ctx, rec->data.ns);
246 /* we need to fake the authoritative nameserver to
247 * point at ourselves. This is how AD DNS servers
248 * force clients to send updates to the right local DC
250 mname = talloc_asprintf(mem_ctx, "%s.%s.",
251 lpcfg_netbios_name(state->lp),
252 lpcfg_dnsdomain(state->lp));
256 mname = strlower_talloc(mem_ctx, mname);
261 fqdn = b9_format_fqdn(mem_ctx, rec->data.soa.rname);
266 state->soa_serial = rec->data.soa.serial;
268 *data = talloc_asprintf(mem_ctx, "%s %s %u %u %u %u %u",
270 rec->data.soa.serial,
271 rec->data.soa.refresh,
273 rec->data.soa.expire,
274 rec->data.soa.minimum);
279 state->log(ISC_LOG_ERROR, "samba_dlz b9_format: unhandled record type %u",
287 static const struct {
288 enum dns_record_type dns_type;
292 { DNS_TYPE_A, "A" , false},
293 { DNS_TYPE_AAAA, "AAAA" , false},
294 { DNS_TYPE_CNAME, "CNAME" , true},
295 { DNS_TYPE_TXT, "TXT" , false},
296 { DNS_TYPE_PTR, "PTR" , false},
297 { DNS_TYPE_SRV, "SRV" , false},
298 { DNS_TYPE_MX, "MX" , false},
299 { DNS_TYPE_HINFO, "HINFO" , false},
300 { DNS_TYPE_NS, "NS" , false},
301 { DNS_TYPE_SOA, "SOA" , true},
306 see if a DNS type is single valued
308 static bool b9_single_valued(enum dns_record_type dns_type)
311 for (i=0; i<ARRAY_SIZE(dns_typemap); i++) {
312 if (dns_typemap[i].dns_type == dns_type) {
313 return dns_typemap[i].single_valued;
320 see if a DNS type is single valued
322 static bool b9_dns_type(const char *type, enum dns_record_type *dtype)
325 for (i=0; i<ARRAY_SIZE(dns_typemap); i++) {
326 if (strcasecmp(dns_typemap[i].typestr, type) == 0) {
327 *dtype = dns_typemap[i].dns_type;
335 #define DNS_PARSE_STR(ret, str, sep, saveptr) do { \
336 (ret) = strtok_r(str, sep, &saveptr); \
337 if ((ret) == NULL) return false; \
340 #define DNS_PARSE_UINT(ret, str, sep, saveptr) do { \
341 char *istr = strtok_r(str, sep, &saveptr); \
343 if ((istr) == NULL) return false; \
344 (ret) = strtoul_err(istr, NULL, 10, &error); \
351 parse a record from bind9
353 static bool b9_parse(struct dlz_bind9_data *state,
354 const char *rdatastr,
355 struct dnsp_DnssrvRpcRecord *rec)
357 char *full_name, *dclass, *type;
358 char *str, *tmp, *saveptr=NULL;
361 str = talloc_strdup(rec, rdatastr);
366 /* parse the SDLZ string form */
367 DNS_PARSE_STR(full_name, str, "\t", saveptr);
368 DNS_PARSE_UINT(rec->dwTtlSeconds, NULL, "\t", saveptr);
369 DNS_PARSE_STR(dclass, NULL, "\t", saveptr);
370 DNS_PARSE_STR(type, NULL, "\t", saveptr);
372 /* construct the record */
373 for (i=0; i<ARRAY_SIZE(dns_typemap); i++) {
374 if (strcasecmp(type, dns_typemap[i].typestr) == 0) {
375 rec->wType = dns_typemap[i].dns_type;
379 if (i == ARRAY_SIZE(dns_typemap)) {
380 state->log(ISC_LOG_ERROR, "samba_dlz: unsupported record type '%s' for '%s'",
385 switch (rec->wType) {
387 DNS_PARSE_STR(rec->data.ipv4, NULL, " ", saveptr);
391 DNS_PARSE_STR(rec->data.ipv6, NULL, " ", saveptr);
395 DNS_PARSE_STR(rec->data.cname, NULL, " ", saveptr);
399 rec->data.txt.count = 0;
400 rec->data.txt.str = talloc_array(rec, const char *, rec->data.txt.count);
401 tmp = strtok_r(NULL, "\t", &saveptr);
403 rec->data.txt.str = talloc_realloc(rec, rec->data.txt.str, const char *,
404 rec->data.txt.count+1);
407 rec->data.txt.str[rec->data.txt.count] = talloc_strndup(rec, &tmp[1], strlen(tmp)-2);
409 rec->data.txt.str[rec->data.txt.count] = talloc_strdup(rec, tmp);
411 rec->data.txt.count++;
412 tmp = strtok_r(NULL, " ", &saveptr);
417 DNS_PARSE_STR(rec->data.ptr, NULL, " ", saveptr);
421 DNS_PARSE_UINT(rec->data.srv.wPriority, NULL, " ", saveptr);
422 DNS_PARSE_UINT(rec->data.srv.wWeight, NULL, " ", saveptr);
423 DNS_PARSE_UINT(rec->data.srv.wPort, NULL, " ", saveptr);
424 DNS_PARSE_STR(rec->data.srv.nameTarget, NULL, " ", saveptr);
428 DNS_PARSE_UINT(rec->data.mx.wPriority, NULL, " ", saveptr);
429 DNS_PARSE_STR(rec->data.mx.nameTarget, NULL, " ", saveptr);
433 DNS_PARSE_STR(rec->data.hinfo.cpu, NULL, " ", saveptr);
434 DNS_PARSE_STR(rec->data.hinfo.os, NULL, " ", saveptr);
438 DNS_PARSE_STR(rec->data.ns, NULL, " ", saveptr);
442 DNS_PARSE_STR(rec->data.soa.mname, NULL, " ", saveptr);
443 DNS_PARSE_STR(rec->data.soa.rname, NULL, " ", saveptr);
444 DNS_PARSE_UINT(rec->data.soa.serial, NULL, " ", saveptr);
445 DNS_PARSE_UINT(rec->data.soa.refresh, NULL, " ", saveptr);
446 DNS_PARSE_UINT(rec->data.soa.retry, NULL, " ", saveptr);
447 DNS_PARSE_UINT(rec->data.soa.expire, NULL, " ", saveptr);
448 DNS_PARSE_UINT(rec->data.soa.minimum, NULL, " ", saveptr);
452 state->log(ISC_LOG_ERROR, "samba_dlz b9_parse: unhandled record type %u",
457 /* we should be at the end of the buffer now */
458 if (strtok_r(NULL, "\t ", &saveptr) != NULL) {
459 state->log(ISC_LOG_ERROR, "samba_dlz b9_parse: unexpected data at end of string for '%s'",
468 send a resource record to bind9
470 static isc_result_t b9_putrr(struct dlz_bind9_data *state,
471 void *handle, struct dnsp_DnssrvRpcRecord *rec,
475 const char *type, *data;
476 TALLOC_CTX *tmp_ctx = talloc_new(state);
478 if (!b9_format(state, tmp_ctx, rec, &type, &data)) {
479 return ISC_R_FAILURE;
483 talloc_free(tmp_ctx);
484 return ISC_R_NOMEMORY;
489 for (i=0; types[i]; i++) {
490 if (strcmp(types[i], type) == 0) break;
492 if (types[i] == NULL) {
494 return ISC_R_SUCCESS;
498 result = state->putrr(handle, type, rec->dwTtlSeconds, data);
499 if (result != ISC_R_SUCCESS) {
500 state->log(ISC_LOG_ERROR, "Failed to put rr");
502 talloc_free(tmp_ctx);
508 send a named resource record to bind9
510 static isc_result_t b9_putnamedrr(struct dlz_bind9_data *state,
511 void *handle, const char *name,
512 struct dnsp_DnssrvRpcRecord *rec)
515 const char *type, *data;
516 TALLOC_CTX *tmp_ctx = talloc_new(state);
518 if (!b9_format(state, tmp_ctx, rec, &type, &data)) {
519 return ISC_R_FAILURE;
523 talloc_free(tmp_ctx);
524 return ISC_R_NOMEMORY;
527 result = state->putnamedrr(handle, name, type, rec->dwTtlSeconds, data);
528 if (result != ISC_R_SUCCESS) {
529 state->log(ISC_LOG_ERROR, "Failed to put named rr '%s'", name);
531 talloc_free(tmp_ctx);
538 static isc_result_t parse_options(struct dlz_bind9_data *state,
539 unsigned int argc, const char **argv,
540 struct b9_options *options)
544 struct poptOption long_options[] = {
545 { "url", 'H', POPT_ARG_STRING, &options->url, 0, "database URL", "URL" },
546 { "debug", 'd', POPT_ARG_STRING, &options->debug, 0, "debug level", "DEBUG" },
550 pc = poptGetContext("dlz_bind9", argc, argv, long_options,
551 POPT_CONTEXT_KEEP_FIRST);
552 while ((opt = poptGetNextOpt(pc)) != -1) {
555 state->log(ISC_LOG_ERROR, "dlz_bind9: Invalid option %s: %s",
556 poptBadOption(pc, 0), poptStrerror(opt));
557 return ISC_R_FAILURE;
561 return ISC_R_SUCCESS;
566 * Create session info from PAC
567 * This is called as auth_context->generate_session_info_pac()
569 static NTSTATUS b9_generate_session_info_pac(struct auth4_context *auth_context,
571 struct smb_krb5_context *smb_krb5_context,
573 const char *principal_name,
574 const struct tsocket_address *remote_addr,
575 uint32_t session_info_flags,
576 struct auth_session_info **session_info)
579 struct auth_user_info_dc *user_info_dc;
582 tmp_ctx = talloc_new(mem_ctx);
583 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
585 status = kerberos_pac_blob_to_user_info_dc(tmp_ctx,
587 smb_krb5_context->krb5_context,
591 if (!NT_STATUS_IS_OK(status)) {
592 talloc_free(tmp_ctx);
596 if (user_info_dc->info->authenticated) {
597 session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
600 session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
602 status = auth_generate_session_info(mem_ctx, NULL, NULL, user_info_dc,
603 session_info_flags, session_info);
604 if (!NT_STATUS_IS_OK(status)) {
605 talloc_free(tmp_ctx);
609 talloc_free(tmp_ctx);
613 /* Callback for the DEBUG() system, to catch the remaining messages */
614 static void b9_debug(void *private_ptr, int msg_level, const char *msg)
616 static const int isc_log_map[] = {
617 ISC_LOG_CRITICAL, /* 0 */
618 ISC_LOG_ERROR, /* 1 */
619 ISC_LOG_WARNING, /* 2 */
620 ISC_LOG_NOTICE /* 3 */
622 struct dlz_bind9_data *state = private_ptr;
625 if (msg_level >= ARRAY_SIZE(isc_log_map) || msg_level < 0) {
626 isc_log_level = ISC_LOG_INFO;
628 isc_log_level = isc_log_map[msg_level];
630 state->log(isc_log_level, "samba_dlz: %s", msg);
633 static int dlz_state_debug_unregister(struct dlz_bind9_data *state)
635 /* Stop logging (to the bind9 logs) */
636 debug_set_callback(NULL, NULL);
641 called to initialise the driver
643 _PUBLIC_ isc_result_t dlz_create(const char *dlzname,
644 unsigned int argc, const char **argv,
647 struct dlz_bind9_data *state;
648 const char *helper_name;
654 char *errstring = NULL;
656 if (dlz_bind9_state != NULL) {
657 dlz_bind9_state->log(ISC_LOG_ERROR,
658 "samba_dlz: dlz_create ignored, #refs=%d",
659 dlz_bind9_state_ref_count);
660 *dbdata = dlz_bind9_state;
661 dlz_bind9_state_ref_count++;
662 return ISC_R_SUCCESS;
665 state = talloc_zero(NULL, struct dlz_bind9_data);
667 return ISC_R_NOMEMORY;
670 talloc_set_destructor(state, dlz_state_debug_unregister);
672 /* fill in the helper functions */
673 va_start(ap, dbdata);
674 while ((helper_name = va_arg(ap, const char *)) != NULL) {
675 b9_add_helper(state, helper_name, va_arg(ap, void*));
679 /* Do not install samba signal handlers */
680 fault_setup_disable();
682 /* Start logging (to the bind9 logs) */
683 debug_set_callback(state, b9_debug);
685 state->ev_ctx = s4_event_context_init(state);
686 if (state->ev_ctx == NULL) {
687 result = ISC_R_NOMEMORY;
691 result = parse_options(state, argc, argv, &state->options);
692 if (result != ISC_R_SUCCESS) {
696 state->lp = loadparm_init_global(true);
697 if (state->lp == NULL) {
698 result = ISC_R_NOMEMORY;
702 if (state->options.debug) {
703 lpcfg_do_global_parameter(state->lp, "log level", state->options.debug);
705 lpcfg_do_global_parameter(state->lp, "log level", "0");
708 if (smb_krb5_init_context(state, state->lp, &state->smb_krb5_ctx) != 0) {
709 result = ISC_R_NOMEMORY;
713 nt_status = gensec_init();
714 if (!NT_STATUS_IS_OK(nt_status)) {
715 result = ISC_R_NOMEMORY;
719 state->auth_context = talloc_zero(state, struct auth4_context);
720 if (state->auth_context == NULL) {
721 result = ISC_R_NOMEMORY;
725 if (state->options.url == NULL) {
726 state->options.url = talloc_asprintf(state,
728 lpcfg_binddns_dir(state->lp));
729 if (state->options.url == NULL) {
730 result = ISC_R_NOMEMORY;
734 if (!file_exist(state->options.url)) {
735 state->options.url = talloc_asprintf(state,
737 lpcfg_private_dir(state->lp));
738 if (state->options.url == NULL) {
739 result = ISC_R_NOMEMORY;
745 ret = samdb_connect_url(state,
748 system_session(state->lp),
754 if (ret != LDB_SUCCESS) {
755 state->log(ISC_LOG_ERROR,
756 "samba_dlz: Failed to connect to %s: %s",
757 errstring, ldb_strerror(ret));
758 result = ISC_R_FAILURE;
762 dn = ldb_get_default_basedn(state->samdb);
764 state->log(ISC_LOG_ERROR, "samba_dlz: Unable to get basedn for %s - %s",
765 state->options.url, ldb_errstring(state->samdb));
766 result = ISC_R_FAILURE;
770 state->log(ISC_LOG_INFO, "samba_dlz: started for DN %s",
771 ldb_dn_get_linearized(dn));
773 state->auth_context->event_ctx = state->ev_ctx;
774 state->auth_context->lp_ctx = state->lp;
775 state->auth_context->sam_ctx = state->samdb;
776 state->auth_context->generate_session_info_pac = b9_generate_session_info_pac;
779 dlz_bind9_state = state;
780 dlz_bind9_state_ref_count++;
782 return ISC_R_SUCCESS;
785 state->log(ISC_LOG_INFO,
786 "samba_dlz: FAILED dlz_create call result=%d #refs=%d",
788 dlz_bind9_state_ref_count);
796 _PUBLIC_ void dlz_destroy(void *dbdata)
798 struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data);
800 dlz_bind9_state_ref_count--;
801 if (dlz_bind9_state_ref_count == 0) {
802 state->log(ISC_LOG_INFO, "samba_dlz: shutting down");
803 talloc_unlink(state, state->samdb);
805 dlz_bind9_state = NULL;
807 state->log(ISC_LOG_INFO,
808 "samba_dlz: dlz_destroy called. %d refs remaining.",
809 dlz_bind9_state_ref_count);
815 return the base DN for a zone
817 static isc_result_t b9_find_zone_dn(struct dlz_bind9_data *state, const char *zone_name,
818 TALLOC_CTX *mem_ctx, struct ldb_dn **zone_dn)
821 TALLOC_CTX *tmp_ctx = talloc_new(state);
822 const char *attrs[] = { NULL };
825 for (i=0; zone_prefixes[i]; i++) {
826 const char *casefold;
828 struct ldb_result *res;
829 struct ldb_val zone_name_val
830 = data_blob_string_const(zone_name);
832 dn = ldb_dn_copy(tmp_ctx, ldb_get_default_basedn(state->samdb));
834 talloc_free(tmp_ctx);
835 return ISC_R_NOMEMORY;
839 * This dance ensures that it is not possible to put
840 * (eg) an extra DC=x, into the DNS name being
844 if (!ldb_dn_add_child_fmt(dn,
847 talloc_free(tmp_ctx);
848 return ISC_R_NOMEMORY;
851 ret = ldb_dn_set_component(dn,
855 if (ret != LDB_SUCCESS) {
856 talloc_free(tmp_ctx);
857 return ISC_R_NOMEMORY;
861 * Check if this is a plausibly valid DN early
862 * (time spent here will be saved during the
863 * search due to an internal cache)
865 casefold = ldb_dn_get_casefold(dn);
867 if (casefold == NULL) {
868 talloc_free(tmp_ctx);
869 return ISC_R_NOTFOUND;
872 ret = ldb_search(state->samdb, tmp_ctx, &res, dn, LDB_SCOPE_BASE, attrs, "objectClass=dnsZone");
873 if (ret == LDB_SUCCESS) {
874 if (zone_dn != NULL) {
875 *zone_dn = talloc_steal(mem_ctx, dn);
877 talloc_free(tmp_ctx);
878 return ISC_R_SUCCESS;
883 talloc_free(tmp_ctx);
884 return ISC_R_NOTFOUND;
889 return the DN for a name. The record does not need to exist, but the
892 static isc_result_t b9_find_name_dn(struct dlz_bind9_data *state, const char *name,
893 TALLOC_CTX *mem_ctx, struct ldb_dn **dn)
897 /* work through the name piece by piece, until we find a zone */
900 result = b9_find_zone_dn(state, p, mem_ctx, dn);
901 if (result == ISC_R_SUCCESS) {
902 const char *casefold;
904 /* we found a zone, now extend the DN to get
909 ret = ldb_dn_add_child_fmt(*dn, "DC=@");
912 return ISC_R_NOMEMORY;
915 struct ldb_val name_val
916 = data_blob_const(name,
919 if (!ldb_dn_add_child_val(*dn,
923 return ISC_R_NOMEMORY;
928 * Check if this is a plausibly valid DN early
929 * (time spent here will be saved during the
930 * search due to an internal cache)
932 casefold = ldb_dn_get_casefold(*dn);
934 if (casefold == NULL) {
935 return ISC_R_NOTFOUND;
938 return ISC_R_SUCCESS;
946 return ISC_R_NOTFOUND;
951 see if we handle a given zone
953 #if DLZ_DLOPEN_VERSION < 3
954 _PUBLIC_ isc_result_t dlz_findzonedb(void *dbdata, const char *name)
956 _PUBLIC_ isc_result_t dlz_findzonedb(void *dbdata, const char *name,
957 dns_clientinfomethods_t *methods,
958 dns_clientinfo_t *clientinfo)
961 struct timeval start = timeval_current();
962 struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data);
963 isc_result_t result = ISC_R_SUCCESS;
965 result = b9_find_zone_dn(state, name, NULL, NULL);
966 DNS_COMMON_LOG_OPERATION(
967 isc_result_str(result),
979 static isc_result_t dlz_lookup_types(struct dlz_bind9_data *state,
980 const char *zone, const char *name,
981 dns_sdlzlookup_t *lookup,
984 TALLOC_CTX *tmp_ctx = talloc_new(state);
986 WERROR werr = WERR_DNS_ERROR_NAME_DOES_NOT_EXIST;
987 struct dnsp_DnssrvRpcRecord *records = NULL;
988 uint16_t num_records = 0, i;
989 struct ldb_val zone_name_val
990 = data_blob_string_const(zone);
991 struct ldb_val name_val
992 = data_blob_string_const(name);
994 for (i=0; zone_prefixes[i]; i++) {
996 const char *casefold;
997 dn = ldb_dn_copy(tmp_ctx, ldb_get_default_basedn(state->samdb));
999 talloc_free(tmp_ctx);
1000 return ISC_R_NOMEMORY;
1004 * This dance ensures that it is not possible to put
1005 * (eg) an extra DC=x, into the DNS name being
1009 if (!ldb_dn_add_child_fmt(dn,
1011 zone_prefixes[i])) {
1012 talloc_free(tmp_ctx);
1013 return ISC_R_NOMEMORY;
1016 ret = ldb_dn_set_component(dn,
1020 if (ret != LDB_SUCCESS) {
1021 talloc_free(tmp_ctx);
1022 return ISC_R_NOMEMORY;
1025 ret = ldb_dn_set_component(dn,
1029 if (ret != LDB_SUCCESS) {
1030 talloc_free(tmp_ctx);
1031 return ISC_R_NOMEMORY;
1035 * Check if this is a plausibly valid DN early
1036 * (time spent here will be saved during the
1037 * search due to an internal cache)
1039 casefold = ldb_dn_get_casefold(dn);
1041 if (casefold == NULL) {
1042 talloc_free(tmp_ctx);
1043 return ISC_R_NOTFOUND;
1046 werr = dns_common_wildcard_lookup(state->samdb, tmp_ctx, dn,
1047 &records, &num_records);
1048 if (W_ERROR_IS_OK(werr)) {
1052 if (!W_ERROR_IS_OK(werr)) {
1053 talloc_free(tmp_ctx);
1054 return ISC_R_NOTFOUND;
1057 for (i=0; i < num_records; i++) {
1058 isc_result_t result;
1060 result = b9_putrr(state, lookup, &records[i], types);
1061 if (result != ISC_R_SUCCESS) {
1062 talloc_free(tmp_ctx);
1067 talloc_free(tmp_ctx);
1068 return ISC_R_SUCCESS;
1074 #if DLZ_DLOPEN_VERSION == 1
1075 _PUBLIC_ isc_result_t dlz_lookup(const char *zone, const char *name,
1076 void *dbdata, dns_sdlzlookup_t *lookup)
1078 _PUBLIC_ isc_result_t dlz_lookup(const char *zone, const char *name,
1079 void *dbdata, dns_sdlzlookup_t *lookup,
1080 dns_clientinfomethods_t *methods,
1081 dns_clientinfo_t *clientinfo)
1084 struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data);
1085 isc_result_t result = ISC_R_SUCCESS;
1086 struct timeval start = timeval_current();
1088 result = dlz_lookup_types(state, zone, name, lookup, NULL);
1089 DNS_COMMON_LOG_OPERATION(
1090 isc_result_str(result),
1101 see if a zone transfer is allowed
1103 _PUBLIC_ isc_result_t dlz_allowzonexfr(void *dbdata, const char *name, const char *client)
1105 /* just say yes for all our zones for now */
1106 struct dlz_bind9_data *state = talloc_get_type(
1107 dbdata, struct dlz_bind9_data);
1108 return b9_find_zone_dn(state, name, NULL, NULL);
1112 perform a zone transfer
1114 _PUBLIC_ isc_result_t dlz_allnodes(const char *zone, void *dbdata,
1115 dns_sdlzallnodes_t *allnodes)
1117 struct timeval start = timeval_current();
1118 struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data);
1119 const char *attrs[] = { "dnsRecord", NULL };
1120 int ret = LDB_ERR_NO_SUCH_OBJECT;
1122 struct ldb_dn *dn = NULL;
1123 struct ldb_result *res;
1124 TALLOC_CTX *tmp_ctx = talloc_new(state);
1125 struct ldb_val zone_name_val = data_blob_string_const(zone);
1126 isc_result_t result = ISC_R_SUCCESS;
1128 for (i=0; zone_prefixes[i]; i++) {
1129 const char *casefold;
1131 dn = ldb_dn_copy(tmp_ctx, ldb_get_default_basedn(state->samdb));
1133 talloc_free(tmp_ctx);
1134 result = ISC_R_NOMEMORY;
1139 * This dance ensures that it is not possible to put
1140 * (eg) an extra DC=x, into the DNS name being
1144 if (!ldb_dn_add_child_fmt(dn,
1146 zone_prefixes[i])) {
1147 talloc_free(tmp_ctx);
1148 result = ISC_R_NOMEMORY;
1152 ret = ldb_dn_set_component(dn,
1156 if (ret != LDB_SUCCESS) {
1157 talloc_free(tmp_ctx);
1158 result = ISC_R_NOMEMORY;
1163 * Check if this is a plausibly valid DN early
1164 * (time spent here will be saved during the
1165 * search due to an internal cache)
1167 casefold = ldb_dn_get_casefold(dn);
1169 if (casefold == NULL) {
1170 result = ISC_R_NOTFOUND;
1174 ret = ldb_search(state->samdb, tmp_ctx, &res, dn, LDB_SCOPE_SUBTREE,
1175 attrs, "objectClass=dnsNode");
1176 if (ret == LDB_SUCCESS) {
1180 if (ret != LDB_SUCCESS || dn == NULL) {
1181 talloc_free(tmp_ctx);
1182 result = ISC_R_NOTFOUND;
1186 for (i=0; i<res->count; i++) {
1187 struct ldb_message_element *el;
1188 TALLOC_CTX *el_ctx = talloc_new(tmp_ctx);
1189 const char *rdn, *name;
1190 const struct ldb_val *v;
1192 struct dnsp_DnssrvRpcRecord *recs = NULL;
1193 uint16_t num_recs = 0;
1195 el = ldb_msg_find_element(res->msgs[i], "dnsRecord");
1196 if (el == NULL || el->num_values == 0) {
1197 state->log(ISC_LOG_INFO, "failed to find dnsRecord for %s",
1198 ldb_dn_get_linearized(dn));
1199 talloc_free(el_ctx);
1203 v = ldb_dn_get_rdn_val(res->msgs[i]->dn);
1205 state->log(ISC_LOG_INFO, "failed to find RDN for %s",
1206 ldb_dn_get_linearized(dn));
1207 talloc_free(el_ctx);
1211 rdn = talloc_strndup(el_ctx, (char *)v->data, v->length);
1213 talloc_free(tmp_ctx);
1214 result = ISC_R_NOMEMORY;
1218 if (strcmp(rdn, "@") == 0) {
1221 name = talloc_asprintf(el_ctx, "%s.%s", rdn, zone);
1223 name = b9_format_fqdn(el_ctx, name);
1225 talloc_free(tmp_ctx);
1226 result = ISC_R_NOMEMORY;
1230 werr = dns_common_extract(state->samdb, el, el_ctx, &recs, &num_recs);
1231 if (!W_ERROR_IS_OK(werr)) {
1232 state->log(ISC_LOG_ERROR, "samba_dlz: failed to parse dnsRecord for %s, %s",
1233 ldb_dn_get_linearized(dn), win_errstr(werr));
1234 talloc_free(el_ctx);
1238 for (j=0; j < num_recs; j++) {
1241 rc = b9_putnamedrr(state, allnodes, name, &recs[j]);
1242 if (rc != ISC_R_SUCCESS) {
1247 talloc_free(el_ctx);
1250 talloc_free(tmp_ctx);
1252 DNS_COMMON_LOG_OPERATION(
1253 isc_result_str(result),
1265 _PUBLIC_ isc_result_t dlz_newversion(const char *zone, void *dbdata, void **versionp)
1267 struct timeval start = timeval_current();
1268 struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data);
1269 isc_result_t result = ISC_R_SUCCESS;
1271 state->log(ISC_LOG_INFO, "samba_dlz: starting transaction on zone %s", zone);
1273 if (state->transaction_token != NULL) {
1274 state->log(ISC_LOG_INFO, "samba_dlz: transaction already started for zone %s", zone);
1275 result = ISC_R_FAILURE;
1279 state->transaction_token = talloc_zero(state, int);
1280 if (state->transaction_token == NULL) {
1281 result = ISC_R_NOMEMORY;
1285 if (ldb_transaction_start(state->samdb) != LDB_SUCCESS) {
1286 state->log(ISC_LOG_INFO, "samba_dlz: failed to start a transaction for zone %s", zone);
1287 talloc_free(state->transaction_token);
1288 state->transaction_token = NULL;
1289 result = ISC_R_FAILURE;
1293 *versionp = (void *)state->transaction_token;
1295 DNS_COMMON_LOG_OPERATION(
1296 isc_result_str(result),
1307 _PUBLIC_ void dlz_closeversion(const char *zone, isc_boolean_t commit,
1308 void *dbdata, void **versionp)
1310 struct timeval start = timeval_current();
1311 struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data);
1312 const char *data = NULL;
1314 data = commit ? "commit" : "cancel";
1316 if (state->transaction_token != (int *)*versionp) {
1317 state->log(ISC_LOG_INFO, "samba_dlz: transaction not started for zone %s", zone);
1322 if (ldb_transaction_commit(state->samdb) != LDB_SUCCESS) {
1323 state->log(ISC_LOG_INFO, "samba_dlz: failed to commit a transaction for zone %s", zone);
1326 state->log(ISC_LOG_INFO, "samba_dlz: committed transaction on zone %s", zone);
1328 if (ldb_transaction_cancel(state->samdb) != LDB_SUCCESS) {
1329 state->log(ISC_LOG_INFO, "samba_dlz: failed to cancel a transaction for zone %s", zone);
1332 state->log(ISC_LOG_INFO, "samba_dlz: cancelling transaction on zone %s", zone);
1335 talloc_free(state->transaction_token);
1336 state->transaction_token = NULL;
1340 DNS_COMMON_LOG_OPERATION(
1341 isc_result_str(ISC_R_SUCCESS),
1350 see if there is a SOA record for a zone
1352 static bool b9_has_soa(struct dlz_bind9_data *state, struct ldb_dn *dn, const char *zone)
1354 TALLOC_CTX *tmp_ctx = talloc_new(state);
1356 struct dnsp_DnssrvRpcRecord *records = NULL;
1357 uint16_t num_records = 0, i;
1358 struct ldb_val zone_name_val
1359 = data_blob_string_const(zone);
1362 * This dance ensures that it is not possible to put
1363 * (eg) an extra DC=x, into the DNS name being
1367 if (!ldb_dn_add_child_val(dn,
1370 talloc_free(tmp_ctx);
1375 * The SOA record is alwas stored under DC=@,DC=zonename
1376 * This can probably be removed when dns_common_lookup makes a fallback
1377 * lookup on @ pseudo record
1380 if (!ldb_dn_add_child_fmt(dn,"DC=@")) {
1381 talloc_free(tmp_ctx);
1385 werr = dns_common_lookup(state->samdb, tmp_ctx, dn,
1386 &records, &num_records, NULL);
1387 if (!W_ERROR_IS_OK(werr)) {
1388 talloc_free(tmp_ctx);
1392 for (i=0; i < num_records; i++) {
1393 if (records[i].wType == DNS_TYPE_SOA) {
1394 talloc_free(tmp_ctx);
1399 talloc_free(tmp_ctx);
1403 static bool b9_zone_add(struct dlz_bind9_data *state, const char *name)
1405 struct b9_zone *zone;
1407 zone = talloc_zero(state, struct b9_zone);
1412 zone->name = talloc_strdup(zone, name);
1413 if (zone->name == NULL) {
1418 DLIST_ADD(state->zonelist, zone);
1422 static bool b9_zone_exists(struct dlz_bind9_data *state, const char *name)
1424 struct b9_zone *zone = state->zonelist;
1427 while (zone != NULL) {
1428 if (strcasecmp(name, zone->name) == 0) {
1440 configure a writeable zone
1442 #if DLZ_DLOPEN_VERSION < 3
1443 _PUBLIC_ isc_result_t dlz_configure(dns_view_t *view, void *dbdata)
1445 _PUBLIC_ isc_result_t dlz_configure(dns_view_t *view, dns_dlzdb_t *dlzdb,
1449 struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data);
1450 TALLOC_CTX *tmp_ctx;
1454 state->log(ISC_LOG_INFO, "samba_dlz: starting configure");
1455 if (state->writeable_zone == NULL) {
1456 state->log(ISC_LOG_INFO, "samba_dlz: no writeable_zone method available");
1457 return ISC_R_FAILURE;
1460 tmp_ctx = talloc_new(state);
1462 for (i=0; zone_prefixes[i]; i++) {
1463 const char *attrs[] = { "name", NULL };
1465 struct ldb_result *res;
1467 dn = ldb_dn_copy(tmp_ctx, ldb_get_default_basedn(state->samdb));
1469 talloc_free(tmp_ctx);
1470 return ISC_R_NOMEMORY;
1473 if (!ldb_dn_add_child_fmt(dn, "%s", zone_prefixes[i])) {
1474 talloc_free(tmp_ctx);
1475 return ISC_R_NOMEMORY;
1478 ret = ldb_search(state->samdb, tmp_ctx, &res, dn, LDB_SCOPE_SUBTREE,
1479 attrs, "objectClass=dnsZone");
1480 if (ret != LDB_SUCCESS) {
1484 for (j=0; j<res->count; j++) {
1485 isc_result_t result;
1486 const char *zone = ldb_msg_find_attr_as_string(res->msgs[j], "name", NULL);
1487 struct ldb_dn *zone_dn;
1492 /* Ignore zones that are not handled in BIND */
1493 if ((strcmp(zone, "RootDNSServers") == 0) ||
1494 (strcmp(zone, "..TrustAnchors") == 0)) {
1497 zone_dn = ldb_dn_copy(tmp_ctx, dn);
1498 if (zone_dn == NULL) {
1499 talloc_free(tmp_ctx);
1500 return ISC_R_NOMEMORY;
1503 if (!b9_has_soa(state, zone_dn, zone)) {
1507 if (b9_zone_exists(state, zone)) {
1508 state->log(ISC_LOG_WARNING, "samba_dlz: Ignoring duplicate zone '%s' from '%s'",
1509 zone, ldb_dn_get_linearized(zone_dn));
1513 if (!b9_zone_add(state, zone)) {
1514 talloc_free(tmp_ctx);
1515 return ISC_R_NOMEMORY;
1518 #if DLZ_DLOPEN_VERSION < 3
1519 result = state->writeable_zone(view, zone);
1521 result = state->writeable_zone(view, dlzdb, zone);
1523 if (result != ISC_R_SUCCESS) {
1524 state->log(ISC_LOG_ERROR, "samba_dlz: Failed to configure zone '%s'",
1526 talloc_free(tmp_ctx);
1529 state->log(ISC_LOG_INFO, "samba_dlz: configured writeable zone '%s'", zone);
1533 talloc_free(tmp_ctx);
1534 return ISC_R_SUCCESS;
1538 authorize a zone update
1540 _PUBLIC_ isc_boolean_t dlz_ssumatch(const char *signer, const char *name, const char *tcpaddr,
1541 const char *type, const char *key, uint32_t keydatalen, uint8_t *keydata,
1544 struct timeval start = timeval_current();
1545 struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data);
1546 TALLOC_CTX *tmp_ctx;
1548 struct cli_credentials *server_credentials;
1550 char *keytab_file = NULL;
1554 struct gensec_security *gensec_ctx;
1555 struct auth_session_info *session_info;
1558 struct ldb_result *res;
1559 const char * attrs[] = { NULL };
1560 uint32_t access_mask;
1561 struct gensec_settings *settings = NULL;
1562 const struct gensec_security_ops **backends = NULL;
1564 isc_boolean_t result = ISC_FALSE;
1566 /* Remove cached credentials, if any */
1567 if (state->session_info) {
1568 talloc_free(state->session_info);
1569 state->session_info = NULL;
1571 if (state->update_name) {
1572 talloc_free(state->update_name);
1573 state->update_name = NULL;
1576 tmp_ctx = talloc_new(NULL);
1577 if (tmp_ctx == NULL) {
1578 state->log(ISC_LOG_ERROR, "samba_dlz: no memory");
1583 ap_req = data_blob_const(keydata, keydatalen);
1584 server_credentials = cli_credentials_init(tmp_ctx);
1585 if (!server_credentials) {
1586 state->log(ISC_LOG_ERROR, "samba_dlz: failed to init server credentials");
1587 talloc_free(tmp_ctx);
1592 cli_credentials_set_krb5_context(server_credentials, state->smb_krb5_ctx);
1593 cli_credentials_set_conf(server_credentials, state->lp);
1595 keytab_file = talloc_asprintf(tmp_ctx,
1597 lpcfg_binddns_dir(state->lp));
1598 if (keytab_file == NULL) {
1599 state->log(ISC_LOG_ERROR, "samba_dlz: Out of memory!");
1600 talloc_free(tmp_ctx);
1605 if (!file_exist(keytab_file)) {
1606 keytab_file = talloc_asprintf(tmp_ctx,
1608 lpcfg_private_dir(state->lp));
1609 if (keytab_file == NULL) {
1610 state->log(ISC_LOG_ERROR, "samba_dlz: Out of memory!");
1611 talloc_free(tmp_ctx);
1617 keytab_name = talloc_asprintf(tmp_ctx, "FILE:%s", keytab_file);
1618 if (keytab_name == NULL) {
1619 state->log(ISC_LOG_ERROR, "samba_dlz: Out of memory!");
1620 talloc_free(tmp_ctx);
1625 ret = cli_credentials_set_keytab_name(server_credentials, state->lp, keytab_name,
1628 state->log(ISC_LOG_ERROR, "samba_dlz: failed to obtain server credentials from %s",
1630 talloc_free(tmp_ctx);
1634 talloc_free(keytab_name);
1636 settings = lpcfg_gensec_settings(tmp_ctx, state->lp);
1637 if (settings == NULL) {
1638 state->log(ISC_LOG_ERROR, "samba_dlz: lpcfg_gensec_settings failed");
1639 talloc_free(tmp_ctx);
1643 backends = talloc_zero_array(settings,
1644 const struct gensec_security_ops *, 3);
1645 if (backends == NULL) {
1646 state->log(ISC_LOG_ERROR, "samba_dlz: talloc_zero_array gensec_security_ops failed");
1647 talloc_free(tmp_ctx);
1651 settings->backends = backends;
1655 backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_KERBEROS5);
1656 backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
1658 nt_status = gensec_server_start(tmp_ctx, settings,
1659 state->auth_context, &gensec_ctx);
1660 if (!NT_STATUS_IS_OK(nt_status)) {
1661 state->log(ISC_LOG_ERROR, "samba_dlz: failed to start gensec server");
1662 talloc_free(tmp_ctx);
1667 gensec_set_credentials(gensec_ctx, server_credentials);
1669 nt_status = gensec_start_mech_by_oid(gensec_ctx, GENSEC_OID_SPNEGO);
1670 if (!NT_STATUS_IS_OK(nt_status)) {
1671 state->log(ISC_LOG_ERROR, "samba_dlz: failed to start spnego");
1672 talloc_free(tmp_ctx);
1678 * We only allow SPNEGO/KRB5 and make sure the backend
1679 * to is RPC/IPC free.
1681 * See gensec_gssapi_update_internal() as
1684 * It allows gensec_update() not to block.
1686 * If that changes in future we need to use
1687 * gensec_update_send/recv here!
1689 nt_status = gensec_update(gensec_ctx, tmp_ctx, ap_req, &ap_req);
1690 if (!NT_STATUS_IS_OK(nt_status)) {
1691 state->log(ISC_LOG_ERROR, "samba_dlz: spnego update failed");
1692 talloc_free(tmp_ctx);
1697 nt_status = gensec_session_info(gensec_ctx, tmp_ctx, &session_info);
1698 if (!NT_STATUS_IS_OK(nt_status)) {
1699 state->log(ISC_LOG_ERROR, "samba_dlz: failed to create session info");
1700 talloc_free(tmp_ctx);
1705 /* Get the DN from name */
1706 rc = b9_find_name_dn(state, name, tmp_ctx, &dn);
1707 if (rc != ISC_R_SUCCESS) {
1708 state->log(ISC_LOG_ERROR, "samba_dlz: failed to find name %s", name);
1709 talloc_free(tmp_ctx);
1714 /* make sure the dn exists, or find parent dn in case new object is being added */
1715 ldb_ret = ldb_search(state->samdb, tmp_ctx, &res, dn, LDB_SCOPE_BASE,
1716 attrs, "objectClass=dnsNode");
1717 if (ldb_ret == LDB_ERR_NO_SUCH_OBJECT) {
1718 ldb_dn_remove_child_components(dn, 1);
1719 access_mask = SEC_ADS_CREATE_CHILD;
1721 } else if (ldb_ret == LDB_SUCCESS) {
1722 access_mask = SEC_STD_REQUIRED | SEC_ADS_SELF_WRITE;
1725 talloc_free(tmp_ctx);
1731 ldb_ret = dsdb_check_access_on_dn(state->samdb, tmp_ctx, dn,
1732 session_info->security_token,
1734 if (ldb_ret != LDB_SUCCESS) {
1735 state->log(ISC_LOG_INFO,
1736 "samba_dlz: disallowing update of signer=%s name=%s type=%s error=%s",
1737 signer, name, type, ldb_strerror(ldb_ret));
1738 talloc_free(tmp_ctx);
1743 /* Cache session_info, so it can be used in the actual add/delete operation */
1744 state->update_name = talloc_strdup(state, name);
1745 if (state->update_name == NULL) {
1746 state->log(ISC_LOG_ERROR, "samba_dlz: memory allocation error");
1747 talloc_free(tmp_ctx);
1751 state->session_info = talloc_steal(state, session_info);
1753 state->log(ISC_LOG_INFO, "samba_dlz: allowing update of signer=%s name=%s tcpaddr=%s type=%s key=%s",
1754 signer, name, tcpaddr, type, key);
1756 talloc_free(tmp_ctx);
1759 DNS_COMMON_LOG_OPERATION(
1760 isc_result_str(result),
1769 see if two dns records match
1771 static bool b9_record_match(struct dlz_bind9_data *state,
1772 struct dnsp_DnssrvRpcRecord *rec1, struct dnsp_DnssrvRpcRecord *rec2)
1776 struct in6_addr rec1_in_addr6;
1777 struct in6_addr rec2_in_addr6;
1779 if (rec1->wType != rec2->wType) {
1782 /* see if this type is single valued */
1783 if (b9_single_valued(rec1->wType)) {
1787 /* see if the data matches */
1788 switch (rec1->wType) {
1790 return strcmp(rec1->data.ipv4, rec2->data.ipv4) == 0;
1791 case DNS_TYPE_AAAA: {
1794 ret = inet_pton(AF_INET6, rec1->data.ipv6, &rec1_in_addr6);
1798 ret = inet_pton(AF_INET6, rec2->data.ipv6, &rec2_in_addr6);
1803 return memcmp(&rec1_in_addr6, &rec2_in_addr6, sizeof(rec1_in_addr6)) == 0;
1805 case DNS_TYPE_CNAME:
1806 return dns_name_equal(rec1->data.cname, rec2->data.cname);
1808 status = (rec1->data.txt.count == rec2->data.txt.count);
1809 if (!status) return status;
1810 for (i=0; i<rec1->data.txt.count; i++) {
1811 status &= (strcmp(rec1->data.txt.str[i], rec2->data.txt.str[i]) == 0);
1815 return dns_name_equal(rec1->data.ptr, rec2->data.ptr);
1817 return dns_name_equal(rec1->data.ns, rec2->data.ns);
1820 return rec1->data.srv.wPriority == rec2->data.srv.wPriority &&
1821 rec1->data.srv.wWeight == rec2->data.srv.wWeight &&
1822 rec1->data.srv.wPort == rec2->data.srv.wPort &&
1823 dns_name_equal(rec1->data.srv.nameTarget, rec2->data.srv.nameTarget);
1826 return rec1->data.mx.wPriority == rec2->data.mx.wPriority &&
1827 dns_name_equal(rec1->data.mx.nameTarget, rec2->data.mx.nameTarget);
1829 case DNS_TYPE_HINFO:
1830 return strcmp(rec1->data.hinfo.cpu, rec2->data.hinfo.cpu) == 0 &&
1831 strcmp(rec1->data.hinfo.os, rec2->data.hinfo.os) == 0;
1834 return dns_name_equal(rec1->data.soa.mname, rec2->data.soa.mname) &&
1835 dns_name_equal(rec1->data.soa.rname, rec2->data.soa.rname) &&
1836 rec1->data.soa.serial == rec2->data.soa.serial &&
1837 rec1->data.soa.refresh == rec2->data.soa.refresh &&
1838 rec1->data.soa.retry == rec2->data.soa.retry &&
1839 rec1->data.soa.expire == rec2->data.soa.expire &&
1840 rec1->data.soa.minimum == rec2->data.soa.minimum;
1842 state->log(ISC_LOG_ERROR, "samba_dlz b9_record_match: unhandled record type %u",
1851 * Update session_info on samdb using the cached credentials
1853 static bool b9_set_session_info(struct dlz_bind9_data *state, const char *name)
1857 if (state->update_name == NULL || state->session_info == NULL) {
1858 state->log(ISC_LOG_ERROR, "samba_dlz: invalid credentials");
1862 /* Do not use client credentials, if we're not updating the client specified name */
1863 if (strcmp(state->update_name, name) != 0) {
1867 ret = ldb_set_opaque(
1870 state->session_info);
1871 if (ret != LDB_SUCCESS) {
1872 state->log(ISC_LOG_ERROR, "samba_dlz: unable to set session info");
1880 * Reset session_info on samdb as system session
1882 static void b9_reset_session_info(struct dlz_bind9_data *state)
1887 system_session(state->lp));
1891 add or modify a rdataset
1893 _PUBLIC_ isc_result_t dlz_addrdataset(const char *name, const char *rdatastr, void *dbdata, void *version)
1895 struct timeval start = timeval_current();
1896 struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data);
1897 struct dnsp_DnssrvRpcRecord *rec;
1899 isc_result_t result = ISC_R_SUCCESS;
1900 bool tombstoned = false;
1901 bool needs_add = false;
1902 struct dnsp_DnssrvRpcRecord *recs = NULL;
1903 uint16_t num_recs = 0;
1909 if (state->transaction_token != (void*)version) {
1910 state->log(ISC_LOG_INFO, "samba_dlz: bad transaction version");
1911 result = ISC_R_FAILURE;
1915 rec = talloc_zero(state, struct dnsp_DnssrvRpcRecord);
1917 result = ISC_R_NOMEMORY;
1921 rec->rank = DNS_RANK_ZONE;
1923 if (!b9_parse(state, rdatastr, rec)) {
1924 state->log(ISC_LOG_INFO, "samba_dlz: failed to parse rdataset '%s'", rdatastr);
1926 result = ISC_R_FAILURE;
1930 /* find the DN of the record */
1931 result = b9_find_name_dn(state, name, rec, &dn);
1932 if (result != ISC_R_SUCCESS) {
1937 /* get any existing records */
1938 werr = dns_common_lookup(state->samdb, rec, dn,
1939 &recs, &num_recs, &tombstoned);
1940 if (W_ERROR_EQUAL(werr, WERR_DNS_ERROR_NAME_DOES_NOT_EXIST)) {
1944 if (!W_ERROR_IS_OK(werr)) {
1945 state->log(ISC_LOG_ERROR, "samba_dlz: failed to parse dnsRecord for %s, %s",
1946 ldb_dn_get_linearized(dn), win_errstr(werr));
1948 result = ISC_R_FAILURE;
1954 * we need to keep the existing tombstone record
1960 /* there are existing records. We need to see if this will
1961 * replace a record or add to it
1963 for (i=first; i < num_recs; i++) {
1964 if (b9_record_match(state, rec, &recs[i])) {
1968 if (i == UINT16_MAX) {
1969 state->log(ISC_LOG_ERROR, "samba_dlz: failed to already %u dnsRecord values for %s",
1970 i, ldb_dn_get_linearized(dn));
1972 result = ISC_R_FAILURE;
1976 if (i == num_recs) {
1977 /* adding a new value */
1978 recs = talloc_realloc(rec, recs,
1979 struct dnsp_DnssrvRpcRecord,
1983 result = ISC_R_NOMEMORY;
1988 if (dns_name_is_static(recs, num_recs)) {
1989 rec->dwTimeStamp = 0;
1991 unix_to_nt_time(&t, time(NULL));
1992 t /= 10 * 1000 * 1000; /* convert to seconds */
1993 t /= 3600; /* convert to hours */
1994 rec->dwTimeStamp = (uint32_t)t;
2000 if (!b9_set_session_info(state, name)) {
2002 result = ISC_R_FAILURE;
2006 /* modify the record */
2007 werr = dns_common_replace(state->samdb, rec, dn,
2011 b9_reset_session_info(state);
2012 if (!W_ERROR_IS_OK(werr)) {
2013 state->log(ISC_LOG_ERROR, "samba_dlz: failed to %s %s - %s",
2014 needs_add ? "add" : "modify",
2015 ldb_dn_get_linearized(dn), win_errstr(werr));
2017 result = ISC_R_FAILURE;
2021 state->log(ISC_LOG_INFO, "samba_dlz: added rdataset %s '%s'", name, rdatastr);
2025 DNS_COMMON_LOG_OPERATION(
2026 isc_result_str(result),
2037 _PUBLIC_ isc_result_t dlz_subrdataset(const char *name, const char *rdatastr, void *dbdata, void *version)
2039 struct timeval start = timeval_current();
2040 struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data);
2041 struct dnsp_DnssrvRpcRecord *rec;
2043 isc_result_t result = ISC_R_SUCCESS;
2044 struct dnsp_DnssrvRpcRecord *recs = NULL;
2045 uint16_t num_recs = 0;
2049 if (state->transaction_token != (void*)version) {
2050 state->log(ISC_LOG_ERROR, "samba_dlz: bad transaction version");
2051 result = ISC_R_FAILURE;
2055 rec = talloc_zero(state, struct dnsp_DnssrvRpcRecord);
2057 result = ISC_R_NOMEMORY;
2061 if (!b9_parse(state, rdatastr, rec)) {
2062 state->log(ISC_LOG_ERROR, "samba_dlz: failed to parse rdataset '%s'", rdatastr);
2064 result = ISC_R_FAILURE;
2068 /* find the DN of the record */
2069 result = b9_find_name_dn(state, name, rec, &dn);
2070 if (result != ISC_R_SUCCESS) {
2075 /* get the existing records */
2076 werr = dns_common_lookup(state->samdb, rec, dn,
2077 &recs, &num_recs, NULL);
2078 if (!W_ERROR_IS_OK(werr)) {
2080 result = ISC_R_NOTFOUND;
2084 for (i=0; i < num_recs; i++) {
2085 if (b9_record_match(state, rec, &recs[i])) {
2086 recs[i] = (struct dnsp_DnssrvRpcRecord) {
2087 .wType = DNS_TYPE_TOMBSTONE,
2092 if (i == num_recs) {
2094 result = ISC_R_NOTFOUND;
2098 if (!b9_set_session_info(state, name)) {
2100 result = ISC_R_FAILURE;
2104 /* modify the record */
2105 werr = dns_common_replace(state->samdb, rec, dn,
2106 false,/* needs_add */
2109 b9_reset_session_info(state);
2110 if (!W_ERROR_IS_OK(werr)) {
2111 state->log(ISC_LOG_ERROR, "samba_dlz: failed to modify %s - %s",
2112 ldb_dn_get_linearized(dn), win_errstr(werr));
2114 result = ISC_R_FAILURE;
2118 state->log(ISC_LOG_INFO, "samba_dlz: subtracted rdataset %s '%s'", name, rdatastr);
2122 DNS_COMMON_LOG_OPERATION(
2123 isc_result_str(result),
2133 delete all records of the given type
2135 _PUBLIC_ isc_result_t dlz_delrdataset(const char *name, const char *type, void *dbdata, void *version)
2137 struct timeval start = timeval_current();
2138 struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data);
2139 TALLOC_CTX *tmp_ctx;
2141 isc_result_t result = ISC_R_SUCCESS;
2142 enum dns_record_type dns_type;
2144 struct dnsp_DnssrvRpcRecord *recs = NULL;
2145 uint16_t num_recs = 0;
2149 if (state->transaction_token != (void*)version) {
2150 state->log(ISC_LOG_ERROR, "samba_dlz: bad transaction version");
2151 result = ISC_R_FAILURE;
2155 if (!b9_dns_type(type, &dns_type)) {
2156 state->log(ISC_LOG_ERROR, "samba_dlz: bad dns type %s in delete", type);
2157 result = ISC_R_FAILURE;
2161 tmp_ctx = talloc_new(state);
2163 /* find the DN of the record */
2164 result = b9_find_name_dn(state, name, tmp_ctx, &dn);
2165 if (result != ISC_R_SUCCESS) {
2166 talloc_free(tmp_ctx);
2170 /* get the existing records */
2171 werr = dns_common_lookup(state->samdb, tmp_ctx, dn,
2172 &recs, &num_recs, NULL);
2173 if (!W_ERROR_IS_OK(werr)) {
2174 talloc_free(tmp_ctx);
2175 result = ISC_R_NOTFOUND;
2179 for (ri=0; ri < num_recs; ri++) {
2180 if (dns_type != recs[ri].wType) {
2185 recs[ri] = (struct dnsp_DnssrvRpcRecord) {
2186 .wType = DNS_TYPE_TOMBSTONE,
2191 talloc_free(tmp_ctx);
2192 result = ISC_R_FAILURE;
2196 if (!b9_set_session_info(state, name)) {
2197 talloc_free(tmp_ctx);
2198 result = ISC_R_FAILURE;
2202 /* modify the record */
2203 werr = dns_common_replace(state->samdb, tmp_ctx, dn,
2204 false,/* needs_add */
2207 b9_reset_session_info(state);
2208 if (!W_ERROR_IS_OK(werr)) {
2209 state->log(ISC_LOG_ERROR, "samba_dlz: failed to modify %s - %s",
2210 ldb_dn_get_linearized(dn), win_errstr(werr));
2211 talloc_free(tmp_ctx);
2212 result = ISC_R_FAILURE;
2216 state->log(ISC_LOG_INFO, "samba_dlz: deleted rdataset %s of type %s", name, type);
2218 talloc_free(tmp_ctx);
2220 DNS_COMMON_LOG_OPERATION(
2221 isc_result_str(result),