search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ctdb-server: Clean up connection tracking functions
[samba4-gss.git] / source3 / utils / net_dns.c
blob486f1752b109c95bc75db9dbbfe24e204cf8920c
1 /*
2 Samba Unix/Linux Dynamic DNS Update
3 net ads commands
4
5 Copyright (C) Krishna Ganugapati (krishnag@centeris.com) 2006
6 Copyright (C) Gerald Carter 2006
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "utils/net.h"
24 #include "../lib/addns/dns.h"
25 #include "utils/net_dns.h"
26 #include "auth/gensec/gensec.h"
27 #include "auth_generic.h"
28
29 #if defined(HAVE_KRB5)
30
31 /*********************************************************************
32 *********************************************************************/
33
34 static DNS_ERROR DoDNSUpdateNegotiateGensec(const char *pszServerName,
35 const char *pszDomainName,
36 const char *keyname,
37 enum dns_ServerType srv_type,
38 struct cli_credentials *creds,
39 TALLOC_CTX *mem_ctx,
40 struct gensec_security **_gensec)
41 {
42 TALLOC_CTX *frame = talloc_stackframe();
43 struct auth_generic_state *ans = NULL;
44 NTSTATUS status;
45 DNS_ERROR err;
46
47 status = auth_generic_client_prepare(mem_ctx, &ans);
48 if (!NT_STATUS_IS_OK(status)) {
49 err = ERROR_DNS_GSS_ERROR;
50 goto error;
51 }
52 talloc_steal(frame, ans);
53
54 status = auth_generic_set_creds(ans, creds);
55 if (!NT_STATUS_IS_OK(status)) {
56 err = ERROR_DNS_GSS_ERROR;
57 goto error;
58 }
59
60 status = gensec_set_target_service(ans->gensec_security,
61 "dns");
62 if (!NT_STATUS_IS_OK(status)) {
63 err = ERROR_DNS_GSS_ERROR;
64 goto error;
65 }
66
67 status = gensec_set_target_hostname(ans->gensec_security,
68 pszServerName);
69 if (!NT_STATUS_IS_OK(status)) {
70 err = ERROR_DNS_GSS_ERROR;
71 goto error;
72 }
73
74 gensec_want_feature(ans->gensec_security, GENSEC_FEATURE_SIGN);
75
76 status = auth_generic_client_start(ans, GENSEC_OID_KERBEROS5);
77 if (!NT_STATUS_IS_OK(status)) {
78 err = ERROR_DNS_GSS_ERROR;
79 goto error;
80 }
81
82 err = dns_negotiate_sec_ctx(pszServerName,
83 keyname,
84 ans->gensec_security,
85 srv_type);
86 if (!ERR_DNS_IS_OK(err)) {
87 goto error;
88 }
89
90 *_gensec = talloc_move(mem_ctx, &ans->gensec_security);
91 error:
92 TALLOC_FREE(frame);
93
94 return err;
95 }
96
97 DNS_ERROR DoDNSUpdate(char *pszServerName,
98 const char *pszDomainName,
99 const char *pszHostName,
100 struct cli_credentials *creds,
101 const struct sockaddr_storage *sslist,
102 size_t num_addrs,
103 uint32_t flags,
104 uint32_t ttl,
105 bool remove_host)
106 {
107 DNS_ERROR err;
108 struct dns_connection *conn;
109 TALLOC_CTX *mem_ctx;
110 struct dns_update_request *req, *resp;
111
112 DEBUG(10,("DoDNSUpdate called with flags: 0x%08x\n", flags));
113
114 if (!(flags & DNS_UPDATE_SIGNED) &&
115 !(flags & DNS_UPDATE_UNSIGNED) &&
116 !(flags & DNS_UPDATE_PROBE)) {
117 return ERROR_DNS_INVALID_PARAMETER;
118 }
119
120 if ( !remove_host && ((num_addrs <= 0) || !sslist) ) {
121 return ERROR_DNS_INVALID_PARAMETER;
122 }
123
124 if (!(mem_ctx = talloc_init("DoDNSUpdate"))) {
125 return ERROR_DNS_NO_MEMORY;
126 }
127
128 err = dns_open_connection( pszServerName, DNS_TCP, mem_ctx, &conn );
129 if (!ERR_DNS_IS_OK(err)) {
130 goto error;
131 }
132
133 if (flags & DNS_UPDATE_PROBE) {
134
135 /*
136 * Probe if everything's fine
137 */
138
139 err = dns_create_probe(mem_ctx, pszDomainName, pszHostName,
140 num_addrs, sslist, &req);
141 if (!ERR_DNS_IS_OK(err)) goto error;
142
143 err = dns_update_transaction(mem_ctx, conn, req, &resp);
144
145 if (!ERR_DNS_IS_OK(err)) {
146 DEBUG(3,("DoDNSUpdate: failed to probe DNS\n"));
147 goto error;
148 }
149
150 if ((dns_response_code(resp->flags) == DNS_NO_ERROR) &&
151 (flags & DNS_UPDATE_PROBE_SUFFICIENT)) {
152 TALLOC_FREE(mem_ctx);
153 return ERROR_DNS_SUCCESS;
154 }
155 }
156
157 if (flags & DNS_UPDATE_UNSIGNED) {
158
159 /*
160 * First try without signing
161 */
162
163 err = dns_create_update_request(mem_ctx,
164 pszDomainName,
165 pszHostName,
166 sslist,
167 num_addrs,
168 ttl,
169 &req);
170 if (!ERR_DNS_IS_OK(err)) goto error;
171
172 err = dns_update_transaction(mem_ctx, conn, req, &resp);
173 if (!ERR_DNS_IS_OK(err)) {
174 DEBUG(3,("DoDNSUpdate: unsigned update failed\n"));
175 goto error;
176 }
177
178 if ((dns_response_code(resp->flags) == DNS_NO_ERROR) &&
179 (flags & DNS_UPDATE_UNSIGNED_SUFFICIENT)) {
180 TALLOC_FREE(mem_ctx);
181 return ERROR_DNS_SUCCESS;
182 }
183 }
184
185 /*
186 * Okay, we have to try with signing
187 */
188 if (flags & DNS_UPDATE_SIGNED) {
189 struct gensec_security *gensec = NULL;
190 char *keyname = NULL;
191
192 err = dns_create_update_request(mem_ctx,
193 pszDomainName,
194 pszHostName,
195 sslist,
196 num_addrs,
197 ttl,
198 &req);
199 if (!ERR_DNS_IS_OK(err)) goto error;
200
201 if (!(keyname = dns_generate_keyname( mem_ctx ))) {
202 err = ERROR_DNS_NO_MEMORY;
203 goto error;
204 }
205
206 err = DoDNSUpdateNegotiateGensec(pszServerName,
207 pszDomainName,
208 keyname,
209 DNS_SRV_ANY,
210 creds,
211 mem_ctx,
212 &gensec);
213
214 /* retry using the Windows 2000 DNS hack */
215 if (!ERR_DNS_IS_OK(err)) {
216 err = DoDNSUpdateNegotiateGensec(pszServerName,
217 pszDomainName,
218 keyname,
219 DNS_SRV_WIN2000,
220 creds,
221 mem_ctx,
222 &gensec);
223 }
224
225 if (!ERR_DNS_IS_OK(err))
226 goto error;
227
228 err = dns_sign_update(req, gensec, keyname,
229 "gss.microsoft.com", time(NULL), 3600);
230
231 if (!ERR_DNS_IS_OK(err)) goto error;
232
233 err = dns_update_transaction(mem_ctx, conn, req, &resp);
234 if (!ERR_DNS_IS_OK(err)) goto error;
235
236 err = (dns_response_code(resp->flags) == DNS_NO_ERROR) ?
237 ERROR_DNS_SUCCESS : ERROR_DNS_UPDATE_FAILED;
238
239 if (!ERR_DNS_IS_OK(err)) {
240 DEBUG(3,("DoDNSUpdate: signed update failed\n"));
241 }
242 }
243
244
245 error:
246 TALLOC_FREE(mem_ctx);
247 return err;
248 }
249
250 /*********************************************************************
251 *********************************************************************/
252
253 int get_my_ip_address( struct sockaddr_storage **pp_ss )
254
255 {
256 int i, n;
257 struct sockaddr_storage *list = NULL;
258 int count = 0;
259
260 /* Honor the configured list of interfaces to register */
261
262 load_interfaces();
263 n = iface_count();
264
265 if (n <= 0) {
266 return -1;
267 }
268
269 if ( (list = SMB_MALLOC_ARRAY( struct sockaddr_storage, n )) == NULL ) {
270 return -1;
271 }
272
273 for ( i=0; i<n; i++ ) {
274 const struct sockaddr_storage *nic_sa_storage = NULL;
275
276 if ((nic_sa_storage = iface_n_sockaddr_storage(i)) == NULL)
277 continue;
278
279 /* Don't register loopback addresses */
280 if (is_loopback_addr((const struct sockaddr *)nic_sa_storage)) {
281 continue;
282 }
283
284 /* Don't register link-local addresses */
285 if (is_linklocal_addr(nic_sa_storage)) {
286 continue;
287 }
288
289 memcpy(&list[count++], nic_sa_storage, sizeof(struct sockaddr_storage));
290 }
291 *pp_ss = list;
292
293 return count;
294 }
295
296 #endif /* defined(HAVE_KRB5) */
GSS-enabled samba4