2 Unix SMB/CIFS implementation.
4 bind9 dlz driver for Samba
6 Copyright (C) 2010 Andrew Tridgell
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 #include "param/param.h"
25 #include "lib/events/events.h"
26 #include "dsdb/samdb/samdb.h"
27 #include "dsdb/common/util.h"
28 #include "auth/auth.h"
29 #include "auth/session.h"
30 #include "auth/gensec/gensec.h"
31 #include "librpc/gen_ndr/security.h"
32 #include "auth/credentials/credentials.h"
33 #include "system/kerberos.h"
34 #include "auth/kerberos/kerberos.h"
35 #include "gen_ndr/ndr_dnsp.h"
36 #include "gen_ndr/server_id.h"
37 #include "messaging/messaging.h"
39 #include "lib/util/dlinklist.h"
40 #include "dlz_minimal.h"
41 #include "dnsserver_common.h"
50 struct b9_zone *prev, *next;
53 struct dlz_bind9_data {
54 struct b9_options options;
55 struct ldb_context *samdb;
56 struct tevent_context *ev_ctx;
57 struct loadparm_context *lp;
58 int *transaction_token;
60 struct b9_zone *zonelist;
62 /* Used for dynamic update */
63 struct smb_krb5_context *smb_krb5_ctx;
64 struct auth4_context *auth_context;
65 struct auth_session_info *session_info;
68 /* helper functions from the dlz_dlopen driver */
70 dns_sdlz_putrr_t *putrr;
71 dns_sdlz_putnamedrr_t *putnamedrr;
72 dns_dlz_writeablezone_t *writeable_zone;
75 static struct dlz_bind9_data *dlz_bind9_state = NULL;
76 static int dlz_bind9_state_ref_count = 0;
78 static const char *zone_prefixes[] = {
79 "CN=MicrosoftDNS,DC=DomainDnsZones",
80 "CN=MicrosoftDNS,DC=ForestDnsZones",
81 "CN=MicrosoftDNS,CN=System",
86 return the version of the API
88 _PUBLIC_ int dlz_version(unsigned int *flags)
90 return DLZ_DLOPEN_VERSION;
94 remember a helper function from the bind9 dlz_dlopen driver
96 static void b9_add_helper(struct dlz_bind9_data *state, const char *helper_name, void *ptr)
98 if (strcmp(helper_name, "log") == 0) {
101 if (strcmp(helper_name, "putrr") == 0) {
104 if (strcmp(helper_name, "putnamedrr") == 0) {
105 state->putnamedrr = ptr;
107 if (strcmp(helper_name, "writeable_zone") == 0) {
108 state->writeable_zone = ptr;
113 * Add a trailing '.' if it's missing
115 static const char *b9_format_fqdn(TALLOC_CTX *mem_ctx, const char *str)
120 if (str == NULL || str[0] == '\0') {
125 if (str[len-1] != '.') {
126 tmp = talloc_asprintf(mem_ctx, "%s.", str);
134 format a record for bind9
136 static bool b9_format(struct dlz_bind9_data *state,
138 struct dnsp_DnssrvRpcRecord *rec,
139 const char **type, const char **data)
145 switch (rec->wType) {
148 *data = rec->data.ipv4;
153 *data = rec->data.ipv6;
158 *data = b9_format_fqdn(mem_ctx, rec->data.cname);
163 tmp = talloc_asprintf(mem_ctx, "\"%s\"", rec->data.txt.str[0]);
164 for (i=1; i<rec->data.txt.count; i++) {
165 tmp = talloc_asprintf_append(tmp, " \"%s\"", rec->data.txt.str[i]);
172 *data = b9_format_fqdn(mem_ctx, rec->data.ptr);
177 fqdn = b9_format_fqdn(mem_ctx, rec->data.srv.nameTarget);
181 *data = talloc_asprintf(mem_ctx, "%u %u %u %s",
182 rec->data.srv.wPriority,
183 rec->data.srv.wWeight,
190 fqdn = b9_format_fqdn(mem_ctx, rec->data.mx.nameTarget);
194 *data = talloc_asprintf(mem_ctx, "%u %s",
195 rec->data.mx.wPriority, fqdn);
200 *data = talloc_asprintf(mem_ctx, "%s %s",
207 *data = b9_format_fqdn(mem_ctx, rec->data.ns);
214 /* we need to fake the authoritative nameserver to
215 * point at ourselves. This is how AD DNS servers
216 * force clients to send updates to the right local DC
218 mname = talloc_asprintf(mem_ctx, "%s.%s.",
219 lpcfg_netbios_name(state->lp),
220 lpcfg_dnsdomain(state->lp));
224 mname = strlower_talloc(mem_ctx, mname);
229 fqdn = b9_format_fqdn(mem_ctx, rec->data.soa.rname);
234 state->soa_serial = rec->data.soa.serial;
236 *data = talloc_asprintf(mem_ctx, "%s %s %u %u %u %u %u",
238 rec->data.soa.serial,
239 rec->data.soa.refresh,
241 rec->data.soa.expire,
242 rec->data.soa.minimum);
247 state->log(ISC_LOG_ERROR, "samba_dlz b9_format: unhandled record type %u",
255 static const struct {
256 enum dns_record_type dns_type;
260 { DNS_TYPE_A, "A" , false},
261 { DNS_TYPE_AAAA, "AAAA" , false},
262 { DNS_TYPE_CNAME, "CNAME" , true},
263 { DNS_TYPE_TXT, "TXT" , false},
264 { DNS_TYPE_PTR, "PTR" , false},
265 { DNS_TYPE_SRV, "SRV" , false},
266 { DNS_TYPE_MX, "MX" , false},
267 { DNS_TYPE_HINFO, "HINFO" , false},
268 { DNS_TYPE_NS, "NS" , false},
269 { DNS_TYPE_SOA, "SOA" , true},
274 see if a DNS type is single valued
276 static bool b9_single_valued(enum dns_record_type dns_type)
279 for (i=0; i<ARRAY_SIZE(dns_typemap); i++) {
280 if (dns_typemap[i].dns_type == dns_type) {
281 return dns_typemap[i].single_valued;
288 see if a DNS type is single valued
290 static bool b9_dns_type(const char *type, enum dns_record_type *dtype)
293 for (i=0; i<ARRAY_SIZE(dns_typemap); i++) {
294 if (strcasecmp(dns_typemap[i].typestr, type) == 0) {
295 *dtype = dns_typemap[i].dns_type;
303 #define DNS_PARSE_STR(ret, str, sep, saveptr) do { \
304 (ret) = strtok_r(str, sep, &saveptr); \
305 if ((ret) == NULL) return false; \
308 #define DNS_PARSE_UINT(ret, str, sep, saveptr) do { \
309 char *istr = strtok_r(str, sep, &saveptr); \
310 if ((istr) == NULL) return false; \
311 (ret) = strtoul(istr, NULL, 10); \
315 parse a record from bind9
317 static bool b9_parse(struct dlz_bind9_data *state,
318 const char *rdatastr,
319 struct dnsp_DnssrvRpcRecord *rec)
321 char *full_name, *dclass, *type;
322 char *str, *tmp, *saveptr=NULL;
325 str = talloc_strdup(rec, rdatastr);
330 /* parse the SDLZ string form */
331 DNS_PARSE_STR(full_name, str, "\t", saveptr);
332 DNS_PARSE_UINT(rec->dwTtlSeconds, NULL, "\t", saveptr);
333 DNS_PARSE_STR(dclass, NULL, "\t", saveptr);
334 DNS_PARSE_STR(type, NULL, "\t", saveptr);
336 /* construct the record */
337 for (i=0; i<ARRAY_SIZE(dns_typemap); i++) {
338 if (strcasecmp(type, dns_typemap[i].typestr) == 0) {
339 rec->wType = dns_typemap[i].dns_type;
343 if (i == ARRAY_SIZE(dns_typemap)) {
344 state->log(ISC_LOG_ERROR, "samba_dlz: unsupported record type '%s' for '%s'",
349 switch (rec->wType) {
351 DNS_PARSE_STR(rec->data.ipv4, NULL, " ", saveptr);
355 DNS_PARSE_STR(rec->data.ipv6, NULL, " ", saveptr);
359 DNS_PARSE_STR(rec->data.cname, NULL, " ", saveptr);
363 rec->data.txt.count = 0;
364 rec->data.txt.str = talloc_array(rec, const char *, rec->data.txt.count);
365 tmp = strtok_r(NULL, "\t", &saveptr);
367 rec->data.txt.str = talloc_realloc(rec, rec->data.txt.str, const char *,
368 rec->data.txt.count+1);
371 rec->data.txt.str[rec->data.txt.count] = talloc_strndup(rec, &tmp[1], strlen(tmp)-2);
373 rec->data.txt.str[rec->data.txt.count] = talloc_strdup(rec, tmp);
375 rec->data.txt.count++;
376 tmp = strtok_r(NULL, " ", &saveptr);
381 DNS_PARSE_STR(rec->data.ptr, NULL, " ", saveptr);
385 DNS_PARSE_UINT(rec->data.srv.wPriority, NULL, " ", saveptr);
386 DNS_PARSE_UINT(rec->data.srv.wWeight, NULL, " ", saveptr);
387 DNS_PARSE_UINT(rec->data.srv.wPort, NULL, " ", saveptr);
388 DNS_PARSE_STR(rec->data.srv.nameTarget, NULL, " ", saveptr);
392 DNS_PARSE_UINT(rec->data.mx.wPriority, NULL, " ", saveptr);
393 DNS_PARSE_STR(rec->data.mx.nameTarget, NULL, " ", saveptr);
397 DNS_PARSE_STR(rec->data.hinfo.cpu, NULL, " ", saveptr);
398 DNS_PARSE_STR(rec->data.hinfo.os, NULL, " ", saveptr);
402 DNS_PARSE_STR(rec->data.ns, NULL, " ", saveptr);
406 DNS_PARSE_STR(rec->data.soa.mname, NULL, " ", saveptr);
407 DNS_PARSE_STR(rec->data.soa.rname, NULL, " ", saveptr);
408 DNS_PARSE_UINT(rec->data.soa.serial, NULL, " ", saveptr);
409 DNS_PARSE_UINT(rec->data.soa.refresh, NULL, " ", saveptr);
410 DNS_PARSE_UINT(rec->data.soa.retry, NULL, " ", saveptr);
411 DNS_PARSE_UINT(rec->data.soa.expire, NULL, " ", saveptr);
412 DNS_PARSE_UINT(rec->data.soa.minimum, NULL, " ", saveptr);
416 state->log(ISC_LOG_ERROR, "samba_dlz b9_parse: unhandled record type %u",
421 /* we should be at the end of the buffer now */
422 if (strtok_r(NULL, "\t ", &saveptr) != NULL) {
423 state->log(ISC_LOG_ERROR, "samba_dlz b9_parse: unexpected data at end of string for '%s'",
432 send a resource record to bind9
434 static isc_result_t b9_putrr(struct dlz_bind9_data *state,
435 void *handle, struct dnsp_DnssrvRpcRecord *rec,
439 const char *type, *data;
440 TALLOC_CTX *tmp_ctx = talloc_new(state);
442 if (!b9_format(state, tmp_ctx, rec, &type, &data)) {
443 return ISC_R_FAILURE;
447 talloc_free(tmp_ctx);
448 return ISC_R_NOMEMORY;
453 for (i=0; types[i]; i++) {
454 if (strcmp(types[i], type) == 0) break;
456 if (types[i] == NULL) {
458 return ISC_R_SUCCESS;
462 result = state->putrr(handle, type, rec->dwTtlSeconds, data);
463 if (result != ISC_R_SUCCESS) {
464 state->log(ISC_LOG_ERROR, "Failed to put rr");
466 talloc_free(tmp_ctx);
472 send a named resource record to bind9
474 static isc_result_t b9_putnamedrr(struct dlz_bind9_data *state,
475 void *handle, const char *name,
476 struct dnsp_DnssrvRpcRecord *rec)
479 const char *type, *data;
480 TALLOC_CTX *tmp_ctx = talloc_new(state);
482 if (!b9_format(state, tmp_ctx, rec, &type, &data)) {
483 return ISC_R_FAILURE;
487 talloc_free(tmp_ctx);
488 return ISC_R_NOMEMORY;
491 result = state->putnamedrr(handle, name, type, rec->dwTtlSeconds, data);
492 if (result != ISC_R_SUCCESS) {
493 state->log(ISC_LOG_ERROR, "Failed to put named rr '%s'", name);
495 talloc_free(tmp_ctx);
502 static isc_result_t parse_options(struct dlz_bind9_data *state,
503 unsigned int argc, const char **argv,
504 struct b9_options *options)
508 struct poptOption long_options[] = {
509 { "url", 'H', POPT_ARG_STRING, &options->url, 0, "database URL", "URL" },
510 { "debug", 'd', POPT_ARG_STRING, &options->debug, 0, "debug level", "DEBUG" },
514 pc = poptGetContext("dlz_bind9", argc, argv, long_options,
515 POPT_CONTEXT_KEEP_FIRST);
516 while ((opt = poptGetNextOpt(pc)) != -1) {
519 state->log(ISC_LOG_ERROR, "dlz_bind9: Invalid option %s: %s",
520 poptBadOption(pc, 0), poptStrerror(opt));
521 return ISC_R_FAILURE;
525 return ISC_R_SUCCESS;
530 * Create session info from PAC
531 * This is called as auth_context->generate_session_info_pac()
533 static NTSTATUS b9_generate_session_info_pac(struct auth4_context *auth_context,
535 struct smb_krb5_context *smb_krb5_context,
537 const char *principal_name,
538 const struct tsocket_address *remote_addr,
539 uint32_t session_info_flags,
540 struct auth_session_info **session_info)
543 struct auth_user_info_dc *user_info_dc;
546 tmp_ctx = talloc_new(mem_ctx);
547 NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
549 status = kerberos_pac_blob_to_user_info_dc(tmp_ctx,
551 smb_krb5_context->krb5_context,
555 if (!NT_STATUS_IS_OK(status)) {
556 talloc_free(tmp_ctx);
560 if (user_info_dc->info->authenticated) {
561 session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED;
564 session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
566 status = auth_generate_session_info(mem_ctx, NULL, NULL, user_info_dc,
567 session_info_flags, session_info);
568 if (!NT_STATUS_IS_OK(status)) {
569 talloc_free(tmp_ctx);
573 talloc_free(tmp_ctx);
577 /* Callback for the DEBUG() system, to catch the remaining messages */
578 static void b9_debug(void *private_ptr, int msg_level, const char *msg)
580 static const int isc_log_map[] = {
581 ISC_LOG_CRITICAL, /* 0 */
582 ISC_LOG_ERROR, /* 1 */
583 ISC_LOG_WARNING, /* 2 */
584 ISC_LOG_NOTICE /* 3 */
586 struct dlz_bind9_data *state = private_ptr;
589 if (msg_level >= ARRAY_SIZE(isc_log_map) || msg_level < 0) {
590 isc_log_level = ISC_LOG_INFO;
592 isc_log_level = isc_log_map[msg_level];
594 state->log(isc_log_level, "samba_dlz: %s", msg);
597 static int dlz_state_debug_unregister(struct dlz_bind9_data *state)
599 /* Stop logging (to the bind9 logs) */
600 debug_set_callback(NULL, NULL);
605 called to initialise the driver
607 _PUBLIC_ isc_result_t dlz_create(const char *dlzname,
608 unsigned int argc, const char **argv,
611 struct dlz_bind9_data *state;
612 const char *helper_name;
618 char *errstring = NULL;
620 if (dlz_bind9_state != NULL) {
621 *dbdata = dlz_bind9_state;
622 dlz_bind9_state_ref_count++;
623 return ISC_R_SUCCESS;
626 state = talloc_zero(NULL, struct dlz_bind9_data);
628 return ISC_R_NOMEMORY;
631 talloc_set_destructor(state, dlz_state_debug_unregister);
633 /* fill in the helper functions */
634 va_start(ap, dbdata);
635 while ((helper_name = va_arg(ap, const char *)) != NULL) {
636 b9_add_helper(state, helper_name, va_arg(ap, void*));
640 /* Do not install samba signal handlers */
641 fault_setup_disable();
643 /* Start logging (to the bind9 logs) */
644 debug_set_callback(state, b9_debug);
646 state->ev_ctx = s4_event_context_init(state);
647 if (state->ev_ctx == NULL) {
648 result = ISC_R_NOMEMORY;
652 result = parse_options(state, argc, argv, &state->options);
653 if (result != ISC_R_SUCCESS) {
657 state->lp = loadparm_init_global(true);
658 if (state->lp == NULL) {
659 result = ISC_R_NOMEMORY;
663 if (state->options.debug) {
664 lpcfg_do_global_parameter(state->lp, "log level", state->options.debug);
666 lpcfg_do_global_parameter(state->lp, "log level", "0");
669 if (smb_krb5_init_context(state, state->lp, &state->smb_krb5_ctx) != 0) {
670 result = ISC_R_NOMEMORY;
674 nt_status = gensec_init();
675 if (!NT_STATUS_IS_OK(nt_status)) {
676 result = ISC_R_NOMEMORY;
680 state->auth_context = talloc_zero(state, struct auth4_context);
681 if (state->auth_context == NULL) {
682 result = ISC_R_NOMEMORY;
686 if (state->options.url == NULL) {
687 state->options.url = talloc_asprintf(state,
689 lpcfg_binddns_dir(state->lp));
690 if (state->options.url == NULL) {
691 result = ISC_R_NOMEMORY;
695 if (!file_exist(state->options.url)) {
696 state->options.url = talloc_asprintf(state,
698 lpcfg_private_dir(state->lp));
699 if (state->options.url == NULL) {
700 result = ISC_R_NOMEMORY;
706 ret = samdb_connect_url(state,
709 system_session(state->lp),
715 if (ret != LDB_SUCCESS) {
716 state->log(ISC_LOG_ERROR,
717 "samba_dlz: Failed to connect to %s: %s",
718 errstring, ldb_strerror(ret));
719 result = ISC_R_FAILURE;
723 dn = ldb_get_default_basedn(state->samdb);
725 state->log(ISC_LOG_ERROR, "samba_dlz: Unable to get basedn for %s - %s",
726 state->options.url, ldb_errstring(state->samdb));
727 result = ISC_R_FAILURE;
731 state->log(ISC_LOG_INFO, "samba_dlz: started for DN %s",
732 ldb_dn_get_linearized(dn));
734 state->auth_context->event_ctx = state->ev_ctx;
735 state->auth_context->lp_ctx = state->lp;
736 state->auth_context->sam_ctx = state->samdb;
737 state->auth_context->generate_session_info_pac = b9_generate_session_info_pac;
740 dlz_bind9_state = state;
741 dlz_bind9_state_ref_count++;
743 return ISC_R_SUCCESS;
753 _PUBLIC_ void dlz_destroy(void *dbdata)
755 struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data);
756 state->log(ISC_LOG_INFO, "samba_dlz: shutting down");
758 dlz_bind9_state_ref_count--;
759 if (dlz_bind9_state_ref_count == 0) {
760 talloc_unlink(state, state->samdb);
762 dlz_bind9_state = NULL;
768 return the base DN for a zone
770 static isc_result_t b9_find_zone_dn(struct dlz_bind9_data *state, const char *zone_name,
771 TALLOC_CTX *mem_ctx, struct ldb_dn **zone_dn)
774 TALLOC_CTX *tmp_ctx = talloc_new(state);
775 const char *attrs[] = { NULL };
778 for (i=0; zone_prefixes[i]; i++) {
780 struct ldb_result *res;
782 dn = ldb_dn_copy(tmp_ctx, ldb_get_default_basedn(state->samdb));
784 talloc_free(tmp_ctx);
785 return ISC_R_NOMEMORY;
788 if (!ldb_dn_add_child_fmt(dn, "DC=%s,%s", zone_name, zone_prefixes[i])) {
789 talloc_free(tmp_ctx);
790 return ISC_R_NOMEMORY;
793 ret = ldb_search(state->samdb, tmp_ctx, &res, dn, LDB_SCOPE_BASE, attrs, "objectClass=dnsZone");
794 if (ret == LDB_SUCCESS) {
795 if (zone_dn != NULL) {
796 *zone_dn = talloc_steal(mem_ctx, dn);
798 talloc_free(tmp_ctx);
799 return ISC_R_SUCCESS;
804 talloc_free(tmp_ctx);
805 return ISC_R_NOTFOUND;
810 return the DN for a name. The record does not need to exist, but the
813 static isc_result_t b9_find_name_dn(struct dlz_bind9_data *state, const char *name,
814 TALLOC_CTX *mem_ctx, struct ldb_dn **dn)
818 /* work through the name piece by piece, until we find a zone */
821 result = b9_find_zone_dn(state, p, mem_ctx, dn);
822 if (result == ISC_R_SUCCESS) {
823 /* we found a zone, now extend the DN to get
828 ret = ldb_dn_add_child_fmt(*dn, "DC=@");
830 ret = ldb_dn_add_child_fmt(*dn, "DC=%.*s", (int)(p-name)-1, name);
834 return ISC_R_NOMEMORY;
836 return ISC_R_SUCCESS;
844 return ISC_R_NOTFOUND;
849 see if we handle a given zone
851 #if DLZ_DLOPEN_VERSION < 3
852 _PUBLIC_ isc_result_t dlz_findzonedb(void *dbdata, const char *name)
854 _PUBLIC_ isc_result_t dlz_findzonedb(void *dbdata, const char *name,
855 dns_clientinfomethods_t *methods,
856 dns_clientinfo_t *clientinfo)
859 struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data);
860 return b9_find_zone_dn(state, name, NULL, NULL);
867 static isc_result_t dlz_lookup_types(struct dlz_bind9_data *state,
868 const char *zone, const char *name,
869 dns_sdlzlookup_t *lookup,
872 TALLOC_CTX *tmp_ctx = talloc_new(state);
874 WERROR werr = WERR_DNS_ERROR_NAME_DOES_NOT_EXIST;
875 struct dnsp_DnssrvRpcRecord *records = NULL;
876 uint16_t num_records = 0, i;
878 for (i=0; zone_prefixes[i]; i++) {
879 dn = ldb_dn_copy(tmp_ctx, ldb_get_default_basedn(state->samdb));
881 talloc_free(tmp_ctx);
882 return ISC_R_NOMEMORY;
885 if (!ldb_dn_add_child_fmt(dn, "DC=%s,DC=%s,%s", name, zone, zone_prefixes[i])) {
886 talloc_free(tmp_ctx);
887 return ISC_R_NOMEMORY;
890 werr = dns_common_wildcard_lookup(state->samdb, tmp_ctx, dn,
891 &records, &num_records);
892 if (W_ERROR_IS_OK(werr)) {
896 if (!W_ERROR_IS_OK(werr)) {
897 talloc_free(tmp_ctx);
898 return ISC_R_NOTFOUND;
901 for (i=0; i < num_records; i++) {
904 result = b9_putrr(state, lookup, &records[i], types);
905 if (result != ISC_R_SUCCESS) {
906 talloc_free(tmp_ctx);
911 talloc_free(tmp_ctx);
912 return ISC_R_SUCCESS;
918 #if DLZ_DLOPEN_VERSION == 1
919 _PUBLIC_ isc_result_t dlz_lookup(const char *zone, const char *name,
920 void *dbdata, dns_sdlzlookup_t *lookup)
922 _PUBLIC_ isc_result_t dlz_lookup(const char *zone, const char *name,
923 void *dbdata, dns_sdlzlookup_t *lookup,
924 dns_clientinfomethods_t *methods,
925 dns_clientinfo_t *clientinfo)
928 struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data);
929 return dlz_lookup_types(state, zone, name, lookup, NULL);
934 see if a zone transfer is allowed
936 _PUBLIC_ isc_result_t dlz_allowzonexfr(void *dbdata, const char *name, const char *client)
938 /* just say yes for all our zones for now */
939 struct dlz_bind9_data *state = talloc_get_type(
940 dbdata, struct dlz_bind9_data);
941 return b9_find_zone_dn(state, name, NULL, NULL);
945 perform a zone transfer
947 _PUBLIC_ isc_result_t dlz_allnodes(const char *zone, void *dbdata,
948 dns_sdlzallnodes_t *allnodes)
950 struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data);
951 const char *attrs[] = { "dnsRecord", NULL };
952 int ret = LDB_SUCCESS, i, j;
954 struct ldb_result *res;
955 TALLOC_CTX *tmp_ctx = talloc_new(state);
957 for (i=0; zone_prefixes[i]; i++) {
958 dn = ldb_dn_copy(tmp_ctx, ldb_get_default_basedn(state->samdb));
960 talloc_free(tmp_ctx);
961 return ISC_R_NOMEMORY;
964 if (!ldb_dn_add_child_fmt(dn, "DC=%s,%s", zone, zone_prefixes[i])) {
965 talloc_free(tmp_ctx);
966 return ISC_R_NOMEMORY;
969 ret = ldb_search(state->samdb, tmp_ctx, &res, dn, LDB_SCOPE_SUBTREE,
970 attrs, "objectClass=dnsNode");
971 if (ret == LDB_SUCCESS) {
975 if (ret != LDB_SUCCESS) {
976 talloc_free(tmp_ctx);
977 return ISC_R_NOTFOUND;
980 for (i=0; i<res->count; i++) {
981 struct ldb_message_element *el;
982 TALLOC_CTX *el_ctx = talloc_new(tmp_ctx);
983 const char *rdn, *name;
984 const struct ldb_val *v;
986 struct dnsp_DnssrvRpcRecord *recs = NULL;
987 uint16_t num_recs = 0;
989 el = ldb_msg_find_element(res->msgs[i], "dnsRecord");
990 if (el == NULL || el->num_values == 0) {
991 state->log(ISC_LOG_INFO, "failed to find dnsRecord for %s",
992 ldb_dn_get_linearized(dn));
997 v = ldb_dn_get_rdn_val(res->msgs[i]->dn);
999 state->log(ISC_LOG_INFO, "failed to find RDN for %s",
1000 ldb_dn_get_linearized(dn));
1001 talloc_free(el_ctx);
1005 rdn = talloc_strndup(el_ctx, (char *)v->data, v->length);
1007 talloc_free(tmp_ctx);
1008 return ISC_R_NOMEMORY;
1011 if (strcmp(rdn, "@") == 0) {
1014 name = talloc_asprintf(el_ctx, "%s.%s", rdn, zone);
1016 name = b9_format_fqdn(el_ctx, name);
1018 talloc_free(tmp_ctx);
1019 return ISC_R_NOMEMORY;
1022 werr = dns_common_extract(state->samdb, el, el_ctx, &recs, &num_recs);
1023 if (!W_ERROR_IS_OK(werr)) {
1024 state->log(ISC_LOG_ERROR, "samba_dlz: failed to parse dnsRecord for %s, %s",
1025 ldb_dn_get_linearized(dn), win_errstr(werr));
1026 talloc_free(el_ctx);
1030 for (j=0; j < num_recs; j++) {
1031 isc_result_t result;
1033 result = b9_putnamedrr(state, allnodes, name, &recs[j]);
1034 if (result != ISC_R_SUCCESS) {
1039 talloc_free(el_ctx);
1042 talloc_free(tmp_ctx);
1044 return ISC_R_SUCCESS;
1051 _PUBLIC_ isc_result_t dlz_newversion(const char *zone, void *dbdata, void **versionp)
1053 struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data);
1055 state->log(ISC_LOG_INFO, "samba_dlz: starting transaction on zone %s", zone);
1057 if (state->transaction_token != NULL) {
1058 state->log(ISC_LOG_INFO, "samba_dlz: transaction already started for zone %s", zone);
1059 return ISC_R_FAILURE;
1062 state->transaction_token = talloc_zero(state, int);
1063 if (state->transaction_token == NULL) {
1064 return ISC_R_NOMEMORY;
1067 if (ldb_transaction_start(state->samdb) != LDB_SUCCESS) {
1068 state->log(ISC_LOG_INFO, "samba_dlz: failed to start a transaction for zone %s", zone);
1069 talloc_free(state->transaction_token);
1070 state->transaction_token = NULL;
1071 return ISC_R_FAILURE;
1074 *versionp = (void *)state->transaction_token;
1076 return ISC_R_SUCCESS;
1082 _PUBLIC_ void dlz_closeversion(const char *zone, isc_boolean_t commit,
1083 void *dbdata, void **versionp)
1085 struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data);
1087 if (state->transaction_token != (int *)*versionp) {
1088 state->log(ISC_LOG_INFO, "samba_dlz: transaction not started for zone %s", zone);
1093 if (ldb_transaction_commit(state->samdb) != LDB_SUCCESS) {
1094 state->log(ISC_LOG_INFO, "samba_dlz: failed to commit a transaction for zone %s", zone);
1097 state->log(ISC_LOG_INFO, "samba_dlz: committed transaction on zone %s", zone);
1099 if (ldb_transaction_cancel(state->samdb) != LDB_SUCCESS) {
1100 state->log(ISC_LOG_INFO, "samba_dlz: failed to cancel a transaction for zone %s", zone);
1103 state->log(ISC_LOG_INFO, "samba_dlz: cancelling transaction on zone %s", zone);
1106 talloc_free(state->transaction_token);
1107 state->transaction_token = NULL;
1113 see if there is a SOA record for a zone
1115 static bool b9_has_soa(struct dlz_bind9_data *state, struct ldb_dn *dn, const char *zone)
1117 TALLOC_CTX *tmp_ctx = talloc_new(state);
1119 struct dnsp_DnssrvRpcRecord *records = NULL;
1120 uint16_t num_records = 0, i;
1122 if (!ldb_dn_add_child_fmt(dn, "DC=@,DC=%s", zone)) {
1123 talloc_free(tmp_ctx);
1127 werr = dns_common_lookup(state->samdb, tmp_ctx, dn,
1128 &records, &num_records, NULL);
1129 if (!W_ERROR_IS_OK(werr)) {
1130 talloc_free(tmp_ctx);
1134 for (i=0; i < num_records; i++) {
1135 if (records[i].wType == DNS_TYPE_SOA) {
1136 talloc_free(tmp_ctx);
1141 talloc_free(tmp_ctx);
1145 static bool b9_zone_add(struct dlz_bind9_data *state, const char *name)
1147 struct b9_zone *zone;
1149 zone = talloc_zero(state, struct b9_zone);
1154 zone->name = talloc_strdup(zone, name);
1155 if (zone->name == NULL) {
1160 DLIST_ADD(state->zonelist, zone);
1164 static bool b9_zone_exists(struct dlz_bind9_data *state, const char *name)
1166 struct b9_zone *zone = state->zonelist;
1169 while (zone != NULL) {
1170 if (strcasecmp(name, zone->name) == 0) {
1182 configure a writeable zone
1184 #if DLZ_DLOPEN_VERSION < 3
1185 _PUBLIC_ isc_result_t dlz_configure(dns_view_t *view, void *dbdata)
1187 _PUBLIC_ isc_result_t dlz_configure(dns_view_t *view, dns_dlzdb_t *dlzdb,
1191 struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data);
1192 TALLOC_CTX *tmp_ctx;
1196 state->log(ISC_LOG_INFO, "samba_dlz: starting configure");
1197 if (state->writeable_zone == NULL) {
1198 state->log(ISC_LOG_INFO, "samba_dlz: no writeable_zone method available");
1199 return ISC_R_FAILURE;
1202 tmp_ctx = talloc_new(state);
1204 for (i=0; zone_prefixes[i]; i++) {
1205 const char *attrs[] = { "name", NULL };
1207 struct ldb_result *res;
1209 dn = ldb_dn_copy(tmp_ctx, ldb_get_default_basedn(state->samdb));
1211 talloc_free(tmp_ctx);
1212 return ISC_R_NOMEMORY;
1215 if (!ldb_dn_add_child_fmt(dn, "%s", zone_prefixes[i])) {
1216 talloc_free(tmp_ctx);
1217 return ISC_R_NOMEMORY;
1220 ret = ldb_search(state->samdb, tmp_ctx, &res, dn, LDB_SCOPE_SUBTREE,
1221 attrs, "objectClass=dnsZone");
1222 if (ret != LDB_SUCCESS) {
1226 for (j=0; j<res->count; j++) {
1227 isc_result_t result;
1228 const char *zone = ldb_msg_find_attr_as_string(res->msgs[j], "name", NULL);
1229 struct ldb_dn *zone_dn;
1234 /* Ignore zones that are not handled in BIND */
1235 if ((strcmp(zone, "RootDNSServers") == 0) ||
1236 (strcmp(zone, "..TrustAnchors") == 0)) {
1239 zone_dn = ldb_dn_copy(tmp_ctx, dn);
1240 if (zone_dn == NULL) {
1241 talloc_free(tmp_ctx);
1242 return ISC_R_NOMEMORY;
1245 if (!b9_has_soa(state, zone_dn, zone)) {
1249 if (b9_zone_exists(state, zone)) {
1250 state->log(ISC_LOG_WARNING, "samba_dlz: Ignoring duplicate zone '%s' from '%s'",
1251 zone, ldb_dn_get_linearized(zone_dn));
1255 if (!b9_zone_add(state, zone)) {
1256 talloc_free(tmp_ctx);
1257 return ISC_R_NOMEMORY;
1260 #if DLZ_DLOPEN_VERSION < 3
1261 result = state->writeable_zone(view, zone);
1263 result = state->writeable_zone(view, dlzdb, zone);
1265 if (result != ISC_R_SUCCESS) {
1266 state->log(ISC_LOG_ERROR, "samba_dlz: Failed to configure zone '%s'",
1268 talloc_free(tmp_ctx);
1271 state->log(ISC_LOG_INFO, "samba_dlz: configured writeable zone '%s'", zone);
1275 talloc_free(tmp_ctx);
1276 return ISC_R_SUCCESS;
1280 authorize a zone update
1282 _PUBLIC_ isc_boolean_t dlz_ssumatch(const char *signer, const char *name, const char *tcpaddr,
1283 const char *type, const char *key, uint32_t keydatalen, uint8_t *keydata,
1286 struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data);
1287 TALLOC_CTX *tmp_ctx;
1289 struct cli_credentials *server_credentials;
1291 char *keytab_file = NULL;
1295 struct gensec_security *gensec_ctx;
1296 struct auth_session_info *session_info;
1298 isc_result_t result;
1299 struct ldb_result *res;
1300 const char * attrs[] = { NULL };
1301 uint32_t access_mask;
1302 struct gensec_settings *settings = NULL;
1303 const struct gensec_security_ops **backends = NULL;
1306 /* Remove cached credentials, if any */
1307 if (state->session_info) {
1308 talloc_free(state->session_info);
1309 state->session_info = NULL;
1311 if (state->update_name) {
1312 talloc_free(state->update_name);
1313 state->update_name = NULL;
1316 tmp_ctx = talloc_new(NULL);
1317 if (tmp_ctx == NULL) {
1318 state->log(ISC_LOG_ERROR, "samba_dlz: no memory");
1322 ap_req = data_blob_const(keydata, keydatalen);
1323 server_credentials = cli_credentials_init(tmp_ctx);
1324 if (!server_credentials) {
1325 state->log(ISC_LOG_ERROR, "samba_dlz: failed to init server credentials");
1326 talloc_free(tmp_ctx);
1330 cli_credentials_set_krb5_context(server_credentials, state->smb_krb5_ctx);
1331 cli_credentials_set_conf(server_credentials, state->lp);
1333 keytab_file = talloc_asprintf(tmp_ctx,
1335 lpcfg_binddns_dir(state->lp));
1336 if (keytab_file == NULL) {
1337 state->log(ISC_LOG_ERROR, "samba_dlz: Out of memory!");
1338 talloc_free(tmp_ctx);
1342 if (!file_exist(keytab_file)) {
1343 keytab_file = talloc_asprintf(tmp_ctx,
1345 lpcfg_private_dir(state->lp));
1346 if (keytab_file == NULL) {
1347 state->log(ISC_LOG_ERROR, "samba_dlz: Out of memory!");
1348 talloc_free(tmp_ctx);
1353 keytab_name = talloc_asprintf(tmp_ctx, "FILE:%s", keytab_file);
1354 if (keytab_name == NULL) {
1355 state->log(ISC_LOG_ERROR, "samba_dlz: Out of memory!");
1356 talloc_free(tmp_ctx);
1360 ret = cli_credentials_set_keytab_name(server_credentials, state->lp, keytab_name,
1363 state->log(ISC_LOG_ERROR, "samba_dlz: failed to obtain server credentials from %s",
1365 talloc_free(tmp_ctx);
1368 talloc_free(keytab_name);
1370 settings = lpcfg_gensec_settings(tmp_ctx, state->lp);
1371 if (settings == NULL) {
1372 state->log(ISC_LOG_ERROR, "samba_dlz: lpcfg_gensec_settings failed");
1373 talloc_free(tmp_ctx);
1376 backends = talloc_zero_array(settings,
1377 const struct gensec_security_ops *, 3);
1378 if (backends == NULL) {
1379 state->log(ISC_LOG_ERROR, "samba_dlz: talloc_zero_array gensec_security_ops failed");
1380 talloc_free(tmp_ctx);
1383 settings->backends = backends;
1387 backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_KERBEROS5);
1388 backends[idx++] = gensec_security_by_oid(NULL, GENSEC_OID_SPNEGO);
1390 nt_status = gensec_server_start(tmp_ctx, settings,
1391 state->auth_context, &gensec_ctx);
1392 if (!NT_STATUS_IS_OK(nt_status)) {
1393 state->log(ISC_LOG_ERROR, "samba_dlz: failed to start gensec server");
1394 talloc_free(tmp_ctx);
1398 gensec_set_credentials(gensec_ctx, server_credentials);
1400 nt_status = gensec_start_mech_by_oid(gensec_ctx, GENSEC_OID_SPNEGO);
1401 if (!NT_STATUS_IS_OK(nt_status)) {
1402 state->log(ISC_LOG_ERROR, "samba_dlz: failed to start spnego");
1403 talloc_free(tmp_ctx);
1408 * We only allow SPNEGO/KRB5 and make sure the backend
1409 * to is RPC/IPC free.
1411 * See gensec_gssapi_update_internal() as
1414 * It allows gensec_update() not to block.
1416 * If that changes in future we need to use
1417 * gensec_update_send/recv here!
1419 nt_status = gensec_update(gensec_ctx, tmp_ctx, ap_req, &ap_req);
1420 if (!NT_STATUS_IS_OK(nt_status)) {
1421 state->log(ISC_LOG_ERROR, "samba_dlz: spnego update failed");
1422 talloc_free(tmp_ctx);
1426 nt_status = gensec_session_info(gensec_ctx, tmp_ctx, &session_info);
1427 if (!NT_STATUS_IS_OK(nt_status)) {
1428 state->log(ISC_LOG_ERROR, "samba_dlz: failed to create session info");
1429 talloc_free(tmp_ctx);
1433 /* Get the DN from name */
1434 result = b9_find_name_dn(state, name, tmp_ctx, &dn);
1435 if (result != ISC_R_SUCCESS) {
1436 state->log(ISC_LOG_ERROR, "samba_dlz: failed to find name %s", name);
1437 talloc_free(tmp_ctx);
1441 /* make sure the dn exists, or find parent dn in case new object is being added */
1442 ldb_ret = ldb_search(state->samdb, tmp_ctx, &res, dn, LDB_SCOPE_BASE,
1443 attrs, "objectClass=dnsNode");
1444 if (ldb_ret == LDB_ERR_NO_SUCH_OBJECT) {
1445 ldb_dn_remove_child_components(dn, 1);
1446 access_mask = SEC_ADS_CREATE_CHILD;
1448 } else if (ldb_ret == LDB_SUCCESS) {
1449 access_mask = SEC_STD_REQUIRED | SEC_ADS_SELF_WRITE;
1452 talloc_free(tmp_ctx);
1457 ldb_ret = dsdb_check_access_on_dn(state->samdb, tmp_ctx, dn,
1458 session_info->security_token,
1460 if (ldb_ret != LDB_SUCCESS) {
1461 state->log(ISC_LOG_INFO,
1462 "samba_dlz: disallowing update of signer=%s name=%s type=%s error=%s",
1463 signer, name, type, ldb_strerror(ldb_ret));
1464 talloc_free(tmp_ctx);
1468 /* Cache session_info, so it can be used in the actual add/delete operation */
1469 state->update_name = talloc_strdup(state, name);
1470 if (state->update_name == NULL) {
1471 state->log(ISC_LOG_ERROR, "samba_dlz: memory allocation error");
1472 talloc_free(tmp_ctx);
1475 state->session_info = talloc_steal(state, session_info);
1477 state->log(ISC_LOG_INFO, "samba_dlz: allowing update of signer=%s name=%s tcpaddr=%s type=%s key=%s",
1478 signer, name, tcpaddr, type, key);
1480 talloc_free(tmp_ctx);
1485 see if two dns records match
1487 static bool b9_record_match(struct dlz_bind9_data *state,
1488 struct dnsp_DnssrvRpcRecord *rec1, struct dnsp_DnssrvRpcRecord *rec2)
1492 struct in6_addr rec1_in_addr6;
1493 struct in6_addr rec2_in_addr6;
1495 if (rec1->wType != rec2->wType) {
1498 /* see if this type is single valued */
1499 if (b9_single_valued(rec1->wType)) {
1503 /* see if the data matches */
1504 switch (rec1->wType) {
1506 return strcmp(rec1->data.ipv4, rec2->data.ipv4) == 0;
1507 case DNS_TYPE_AAAA: {
1510 ret = inet_pton(AF_INET6, rec1->data.ipv6, &rec1_in_addr6);
1514 ret = inet_pton(AF_INET6, rec2->data.ipv6, &rec2_in_addr6);
1519 return memcmp(&rec1_in_addr6, &rec2_in_addr6, sizeof(rec1_in_addr6)) == 0;
1521 case DNS_TYPE_CNAME:
1522 return dns_name_equal(rec1->data.cname, rec2->data.cname);
1524 status = (rec1->data.txt.count == rec2->data.txt.count);
1525 if (!status) return status;
1526 for (i=0; i<rec1->data.txt.count; i++) {
1527 status &= (strcmp(rec1->data.txt.str[i], rec2->data.txt.str[i]) == 0);
1531 return dns_name_equal(rec1->data.ptr, rec2->data.ptr);
1533 return dns_name_equal(rec1->data.ns, rec2->data.ns);
1536 return rec1->data.srv.wPriority == rec2->data.srv.wPriority &&
1537 rec1->data.srv.wWeight == rec2->data.srv.wWeight &&
1538 rec1->data.srv.wPort == rec2->data.srv.wPort &&
1539 dns_name_equal(rec1->data.srv.nameTarget, rec2->data.srv.nameTarget);
1542 return rec1->data.mx.wPriority == rec2->data.mx.wPriority &&
1543 dns_name_equal(rec1->data.mx.nameTarget, rec2->data.mx.nameTarget);
1545 case DNS_TYPE_HINFO:
1546 return strcmp(rec1->data.hinfo.cpu, rec2->data.hinfo.cpu) == 0 &&
1547 strcmp(rec1->data.hinfo.os, rec2->data.hinfo.os) == 0;
1550 return dns_name_equal(rec1->data.soa.mname, rec2->data.soa.mname) &&
1551 dns_name_equal(rec1->data.soa.rname, rec2->data.soa.rname) &&
1552 rec1->data.soa.serial == rec2->data.soa.serial &&
1553 rec1->data.soa.refresh == rec2->data.soa.refresh &&
1554 rec1->data.soa.retry == rec2->data.soa.retry &&
1555 rec1->data.soa.expire == rec2->data.soa.expire &&
1556 rec1->data.soa.minimum == rec2->data.soa.minimum;
1558 state->log(ISC_LOG_ERROR, "samba_dlz b9_record_match: unhandled record type %u",
1567 * Update session_info on samdb using the cached credentials
1569 static bool b9_set_session_info(struct dlz_bind9_data *state, const char *name)
1573 if (state->update_name == NULL || state->session_info == NULL) {
1574 state->log(ISC_LOG_ERROR, "samba_dlz: invalid credentials");
1578 /* Do not use client credentials, if we're not updating the client specified name */
1579 if (strcmp(state->update_name, name) != 0) {
1583 ret = ldb_set_opaque(
1586 state->session_info);
1587 if (ret != LDB_SUCCESS) {
1588 state->log(ISC_LOG_ERROR, "samba_dlz: unable to set session info");
1596 * Reset session_info on samdb as system session
1598 static void b9_reset_session_info(struct dlz_bind9_data *state)
1603 system_session(state->lp));
1607 add or modify a rdataset
1609 _PUBLIC_ isc_result_t dlz_addrdataset(const char *name, const char *rdatastr, void *dbdata, void *version)
1611 struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data);
1612 struct dnsp_DnssrvRpcRecord *rec;
1614 isc_result_t result;
1615 bool tombstoned = false;
1616 bool needs_add = false;
1617 struct dnsp_DnssrvRpcRecord *recs = NULL;
1618 uint16_t num_recs = 0;
1624 if (state->transaction_token != (void*)version) {
1625 state->log(ISC_LOG_INFO, "samba_dlz: bad transaction version");
1626 return ISC_R_FAILURE;
1629 rec = talloc_zero(state, struct dnsp_DnssrvRpcRecord);
1631 return ISC_R_NOMEMORY;
1634 unix_to_nt_time(&t, time(NULL));
1636 * convert to seconds (NT time is in 100ns units)
1638 t /= 10 * 1000 * 1000;
1644 rec->rank = DNS_RANK_ZONE;
1645 rec->dwTimeStamp = (uint32_t)t;
1647 if (!b9_parse(state, rdatastr, rec)) {
1648 state->log(ISC_LOG_INFO, "samba_dlz: failed to parse rdataset '%s'", rdatastr);
1650 return ISC_R_FAILURE;
1653 /* find the DN of the record */
1654 result = b9_find_name_dn(state, name, rec, &dn);
1655 if (result != ISC_R_SUCCESS) {
1660 /* get any existing records */
1661 werr = dns_common_lookup(state->samdb, rec, dn,
1662 &recs, &num_recs, &tombstoned);
1663 if (W_ERROR_EQUAL(werr, WERR_DNS_ERROR_NAME_DOES_NOT_EXIST)) {
1667 if (!W_ERROR_IS_OK(werr)) {
1668 state->log(ISC_LOG_ERROR, "samba_dlz: failed to parse dnsRecord for %s, %s",
1669 ldb_dn_get_linearized(dn), win_errstr(werr));
1671 return ISC_R_FAILURE;
1676 * we need to keep the existing tombstone record
1682 /* there are existing records. We need to see if this will
1683 * replace a record or add to it
1685 for (i=first; i < num_recs; i++) {
1686 if (b9_record_match(state, rec, &recs[i])) {
1690 if (i == UINT16_MAX) {
1691 state->log(ISC_LOG_ERROR, "samba_dlz: failed to already %u dnsRecord values for %s",
1692 i, ldb_dn_get_linearized(dn));
1694 return ISC_R_FAILURE;
1697 if (i == num_recs) {
1698 /* adding a new value */
1699 recs = talloc_realloc(rec, recs,
1700 struct dnsp_DnssrvRpcRecord,
1704 return ISC_R_NOMEMORY;
1711 if (!b9_set_session_info(state, name)) {
1713 return ISC_R_FAILURE;
1716 /* modify the record */
1717 werr = dns_common_replace(state->samdb, rec, dn,
1721 b9_reset_session_info(state);
1722 if (!W_ERROR_IS_OK(werr)) {
1723 state->log(ISC_LOG_ERROR, "samba_dlz: failed to %s %s - %s",
1724 needs_add ? "add" : "modify",
1725 ldb_dn_get_linearized(dn), win_errstr(werr));
1727 return ISC_R_FAILURE;
1730 state->log(ISC_LOG_INFO, "samba_dlz: added rdataset %s '%s'", name, rdatastr);
1733 return ISC_R_SUCCESS;
1739 _PUBLIC_ isc_result_t dlz_subrdataset(const char *name, const char *rdatastr, void *dbdata, void *version)
1741 struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data);
1742 struct dnsp_DnssrvRpcRecord *rec;
1744 isc_result_t result;
1745 struct dnsp_DnssrvRpcRecord *recs = NULL;
1746 uint16_t num_recs = 0;
1750 if (state->transaction_token != (void*)version) {
1751 state->log(ISC_LOG_ERROR, "samba_dlz: bad transaction version");
1752 return ISC_R_FAILURE;
1755 rec = talloc_zero(state, struct dnsp_DnssrvRpcRecord);
1757 return ISC_R_NOMEMORY;
1760 if (!b9_parse(state, rdatastr, rec)) {
1761 state->log(ISC_LOG_ERROR, "samba_dlz: failed to parse rdataset '%s'", rdatastr);
1763 return ISC_R_FAILURE;
1766 /* find the DN of the record */
1767 result = b9_find_name_dn(state, name, rec, &dn);
1768 if (result != ISC_R_SUCCESS) {
1773 /* get the existing records */
1774 werr = dns_common_lookup(state->samdb, rec, dn,
1775 &recs, &num_recs, NULL);
1776 if (!W_ERROR_IS_OK(werr)) {
1778 return ISC_R_NOTFOUND;
1781 for (i=0; i < num_recs; i++) {
1782 if (b9_record_match(state, rec, &recs[i])) {
1783 recs[i] = (struct dnsp_DnssrvRpcRecord) {
1784 .wType = DNS_TYPE_TOMBSTONE,
1789 if (i == num_recs) {
1791 return ISC_R_NOTFOUND;
1794 if (!b9_set_session_info(state, name)) {
1796 return ISC_R_FAILURE;
1799 /* modify the record */
1800 werr = dns_common_replace(state->samdb, rec, dn,
1801 false,/* needs_add */
1804 b9_reset_session_info(state);
1805 if (!W_ERROR_IS_OK(werr)) {
1806 state->log(ISC_LOG_ERROR, "samba_dlz: failed to modify %s - %s",
1807 ldb_dn_get_linearized(dn), win_errstr(werr));
1809 return ISC_R_FAILURE;
1812 state->log(ISC_LOG_INFO, "samba_dlz: subtracted rdataset %s '%s'", name, rdatastr);
1815 return ISC_R_SUCCESS;
1820 delete all records of the given type
1822 _PUBLIC_ isc_result_t dlz_delrdataset(const char *name, const char *type, void *dbdata, void *version)
1824 struct dlz_bind9_data *state = talloc_get_type_abort(dbdata, struct dlz_bind9_data);
1825 TALLOC_CTX *tmp_ctx;
1827 isc_result_t result;
1828 enum dns_record_type dns_type;
1830 struct dnsp_DnssrvRpcRecord *recs = NULL;
1831 uint16_t num_recs = 0;
1835 if (state->transaction_token != (void*)version) {
1836 state->log(ISC_LOG_ERROR, "samba_dlz: bad transaction version");
1837 return ISC_R_FAILURE;
1840 if (!b9_dns_type(type, &dns_type)) {
1841 state->log(ISC_LOG_ERROR, "samba_dlz: bad dns type %s in delete", type);
1842 return ISC_R_FAILURE;
1845 tmp_ctx = talloc_new(state);
1847 /* find the DN of the record */
1848 result = b9_find_name_dn(state, name, tmp_ctx, &dn);
1849 if (result != ISC_R_SUCCESS) {
1850 talloc_free(tmp_ctx);
1854 /* get the existing records */
1855 werr = dns_common_lookup(state->samdb, tmp_ctx, dn,
1856 &recs, &num_recs, NULL);
1857 if (!W_ERROR_IS_OK(werr)) {
1858 talloc_free(tmp_ctx);
1859 return ISC_R_NOTFOUND;
1862 for (ri=0; ri < num_recs; ri++) {
1863 if (dns_type != recs[ri].wType) {
1868 recs[ri] = (struct dnsp_DnssrvRpcRecord) {
1869 .wType = DNS_TYPE_TOMBSTONE,
1874 talloc_free(tmp_ctx);
1875 return ISC_R_FAILURE;
1878 if (!b9_set_session_info(state, name)) {
1879 talloc_free(tmp_ctx);
1880 return ISC_R_FAILURE;
1883 /* modify the record */
1884 werr = dns_common_replace(state->samdb, tmp_ctx, dn,
1885 false,/* needs_add */
1888 b9_reset_session_info(state);
1889 if (!W_ERROR_IS_OK(werr)) {
1890 state->log(ISC_LOG_ERROR, "samba_dlz: failed to modify %s - %s",
1891 ldb_dn_get_linearized(dn), win_errstr(werr));
1892 talloc_free(tmp_ctx);
1893 return ISC_R_FAILURE;
1896 state->log(ISC_LOG_INFO, "samba_dlz: deleted rdataset %s of type %s", name, type);
1898 talloc_free(tmp_ctx);
1899 return ISC_R_SUCCESS;