authorAndrew Bartlett <abartlet@samba.org>2012-07-02 07:24:21 +1000
committerAndrew Bartlett <abartlet@samba.org>2012-07-03 08:13:02 +1000
commitd0460d96d62d879545818c7f0966b1026b27a007 (patch)
tree959903572619cebde5414a321acad5338912bb6b
parent5de841f6f249ea742a8ed0ef5a795f77a364cc35 (diff)
s4-bind: Remove patches now incorporated into bind9
These patches are in bind9 now, and we do not recommend using them any more as the improved version in bind 9.8 is much less prone to failure. Andrew Bartlett
-rw-r--r--examples/bind9-patches/0001-leave-the-question-section-in-update-responses.patch29
-rw-r--r--examples/bind9-patches/0002-prevent-a-valgrind-uninitialised-memory-warning.patch34
-rw-r--r--examples/bind9-patches/0003-don-t-compress-TSIG-names.patch58
-rw-r--r--examples/bind9-patches/0004-If-tkey-gssapi-initialisation-fails-then-heck-for-th.patch94
-rw-r--r--examples/bind9-patches/0005-windows-doesn-t-return-valid-GSSAPI-sequence-numbers.patch30
-rw-r--r--examples/bind9-patches/README11
6 files changed, 0 insertions, 256 deletions
diff --git a/examples/bind9-patches/0001-leave-the-question-section-in-update-responses.patch b/examples/bind9-patches/0001-leave-the-question-section-in-update-responses.patch
deleted file mode 100644
index 3716dd4ab6..0000000000
--- a/examples/bind9-patches/0001-leave-the-question-section-in-update-responses.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 1d97835f07fd5142187629941422f87b33015414 Mon Sep 17 00:00:00 2001
-From: Andrew Tridgell <tridge@samba.org>
-Date: Wed, 17 Feb 2010 10:47:59 +1100
-Subject: [PATCH 1/5] leave the question section in update responses.
-
-This fixes TSIG-GSS updates from windows7 and w2k8r2, which require
-the question to be included in the initial refusal for the unsigned
-update.
----
- lib/dns/message.c | 3 ++-
- 1 files changed, 2 insertions(+), 1 deletions(-)
-
-diff --git a/lib/dns/message.c b/lib/dns/message.c
-index b541635..ae4965f 100644
---- a/lib/dns/message.c
-+++ b/lib/dns/message.c
-@@ -2474,7 +2474,8 @@ dns_message_reply(dns_message_t *msg, isc_boolean_t want_question_section) {
- if (!msg->header_ok)
- return (DNS_R_FORMERR);
- if (msg->opcode != dns_opcode_query &&
-- msg->opcode != dns_opcode_notify)
-+ msg->opcode != dns_opcode_notify &&
-+ msg->opcode != dns_opcode_update)
- want_question_section = ISC_FALSE;
- if (want_question_section) {
- if (!msg->question_ok)
---
-1.6.3.3
-
diff --git a/examples/bind9-patches/0002-prevent-a-valgrind-uninitialised-memory-warning.patch b/examples/bind9-patches/0002-prevent-a-valgrind-uninitialised-memory-warning.patch
deleted file mode 100644
index 22f0ce493f..0000000000
--- a/examples/bind9-patches/0002-prevent-a-valgrind-uninitialised-memory-warning.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 31059dee4a706bb4f25f3dccaae7616451eabd8b Mon Sep 17 00:00:00 2001
-From: Andrew Tridgell <tridge@samba.org>
-Date: Wed, 17 Feb 2010 10:59:42 +1100
-Subject: [PATCH 2/5] prevent a valgrind uninitialised memory warning
-
-epoll uses a union, so to prevent passing uninitialised data in a
-syscall we need to zero it before use.
----
- lib/isc/unix/socket.c | 2 ++
- 1 files changed, 2 insertions(+), 0 deletions(-)
-
-diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c
-index d09fe51..4796ee4 100644
---- a/lib/isc/unix/socket.c
-+++ b/lib/isc/unix/socket.c
-@@ -652,6 +652,7 @@ watch_fd(isc_socketmgr_t *manager, int fd, int msg) {
- event.events = EPOLLIN;
- else
- event.events = EPOLLOUT;
-+ memset(&event.data, 0, sizeof(event.data));
- event.data.fd = fd;
- if (epoll_ctl(manager->epoll_fd, EPOLL_CTL_ADD, fd, &event) == -1 &&
- errno != EEXIST) {
-@@ -719,6 +720,7 @@ unwatch_fd(isc_socketmgr_t *manager, int fd, int msg) {
- event.events = EPOLLIN;
- else
- event.events = EPOLLOUT;
-+ memset(&event.data, 0, sizeof(event.data));
- event.data.fd = fd;
- if (epoll_ctl(manager->epoll_fd, EPOLL_CTL_DEL, fd, &event) == -1 &&
- errno != ENOENT) {
---
-1.6.3.3
-
diff --git a/examples/bind9-patches/0003-don-t-compress-TSIG-names.patch b/examples/bind9-patches/0003-don-t-compress-TSIG-names.patch
deleted file mode 100644
index e92dce3937..0000000000
--- a/examples/bind9-patches/0003-don-t-compress-TSIG-names.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From ec22ed6c9797dbdcd820e352167bef8500ca00c6 Mon Sep 17 00:00:00 2001
-From: Andrew Tridgell <tridge@samba.org>
-Date: Wed, 17 Feb 2010 12:20:35 +1100
-Subject: [PATCH 3/5] don't compress TSIG names
-
-windows DNS servers will refuse TSIG-GSS requests with compressed
-names
----
- bin/nsupdate/nsupdate.c | 4 ++++
- lib/dns/message.c | 2 ++
- lib/dns/tsig.c | 3 +++
- 3 files changed, 9 insertions(+), 0 deletions(-)
-
-diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
-index 6cf4cf4..f7ce6db 100644
---- a/bin/nsupdate/nsupdate.c
-+++ b/bin/nsupdate/nsupdate.c
-@@ -1985,6 +1985,10 @@ send_update(dns_name_t *zonename, isc_sockaddr_t *master,
- fprintf(stderr, "Sending update to %s\n", addrbuf);
- }
-
-+ /* windows doesn't like the tsig name to be compressed */
-+ if (updatemsg->tsigname)
-+ updatemsg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
-+
- result = dns_request_createvia3(requestmgr, updatemsg, srcaddr,
- master, options, tsigkey, timeout,
- udp_timeout, udp_retries, global_task,
-diff --git a/lib/dns/message.c b/lib/dns/message.c
-index ae4965f..cb4528f 100644
---- a/lib/dns/message.c
-+++ b/lib/dns/message.c
-@@ -1531,6 +1531,8 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
- } else if (rdtype == dns_rdatatype_tsig && msg->tsig == NULL) {
- msg->tsig = rdataset;
- msg->tsigname = name;
-+ /* TSIG names should not be compressed */
-+ msg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
- rdataset = NULL;
- free_rdataset = ISC_FALSE;
- free_name = ISC_FALSE;
-diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
-index 74a7af3..3223942 100644
---- a/lib/dns/tsig.c
-+++ b/lib/dns/tsig.c
-@@ -889,6 +889,9 @@ dns_tsig_sign(dns_message_t *msg) {
- msg->tsig = dataset;
- msg->tsigname = owner;
-
-+ /* windows does not like the tsig name being compressed */
-+ msg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
-+
- return (ISC_R_SUCCESS);
-
- cleanup_rdatalist:
---
-1.6.3.3
-
diff --git a/examples/bind9-patches/0004-If-tkey-gssapi-initialisation-fails-then-heck-for-th.patch b/examples/bind9-patches/0004-If-tkey-gssapi-initialisation-fails-then-heck-for-th.patch
deleted file mode 100644
index 3130a05fd0..0000000000
--- a/examples/bind9-patches/0004-If-tkey-gssapi-initialisation-fails-then-heck-for-th.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From c73ceb48ffc518e171d1d40b82ae2b5f603fe038 Mon Sep 17 00:00:00 2001
-From: Andrew Tridgell <tridge@samba.org>
-Date: Wed, 17 Feb 2010 15:27:44 +1100
-Subject: [PATCH 4/5] If tkey-gssapi initialisation fails, then heck for the most common
- configuration errors so that the admin doesn't spend all day trying to
- work out why the config is broken.
-
----
- lib/dns/gssapictx.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
- 1 files changed, 48 insertions(+), 0 deletions(-)
-
-diff --git a/lib/dns/gssapictx.c b/lib/dns/gssapictx.c
-index 11eadb9..879393c 100644
---- a/lib/dns/gssapictx.c
-+++ b/lib/dns/gssapictx.c
-@@ -66,6 +66,7 @@
- * we include SPNEGO's OID.
- */
- #if defined(GSSAPI)
-+#include <krb5/krb5.h>
-
- static unsigned char krb5_mech_oid_bytes[] = {
- 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02
-@@ -191,6 +192,50 @@ log_cred(const gss_cred_id_t cred) {
- }
- #endif
-
-+#ifdef GSSAPI
-+/*
-+ * check for the most common configuration errors.
-+ *
-+ * The errors checked for are:
-+ * - tkey-gssapi-credential doesn't start with DNS/
-+ * - the default realm in /etc/krb5.conf and the
-+ * tkey-gssapi-credential bind config option don't match
-+ */
-+static void dst_gssapi_check_config(const char *gss_name)
-+{
-+ const char *p;
-+ krb5_context krb5_ctx;
-+ char *krb5_realm = NULL;
-+
-+ if (strncasecmp(gss_name, "DNS/", 4) != 0) {
-+ gss_log(ISC_LOG_ERROR, "tkey-gssapi-credential (%s) should start with 'DNS/'");
-+ return;
-+ }
-+
-+ if (krb5_init_context(&krb5_ctx) != 0) {
-+ gss_log(ISC_LOG_ERROR, "Unable to initialise krb5 context");
-+ return;
-+ }
-+ if (krb5_get_default_realm(krb5_ctx, &krb5_realm) != 0) {
-+ gss_log(ISC_LOG_ERROR, "Unable to get krb5 default realm");
-+ krb5_free_context(krb5_ctx);
-+ return;
-+ }
-+ if (!(p = strchr(gss_name, '/'))) {
-+ gss_log(ISC_LOG_ERROR, "badly formatted tkey-gssapi-credentials (%s)", gss_name);
-+ krb5_free_context(krb5_ctx);
-+ return;
-+ }
-+ if (strcasecmp(p+1, krb5_realm) != 0) {
-+ gss_log(ISC_LOG_ERROR,"default realm from krb5.conf (%s) does not match tkey-gssapi-credential (%s)",
-+ krb5_realm, gss_name);
-+ krb5_free_context(krb5_ctx);
-+ return;
-+ }
-+ krb5_free_context(krb5_ctx);
-+}
-+#endif
-+
- isc_result_t
- dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
- gss_cred_id_t *cred)
-@@ -223,6 +268,8 @@ dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
- gret = gss_import_name(&minor, &gnamebuf,
- GSS_C_NO_OID, &gname);
- if (gret != GSS_S_COMPLETE) {
-+ dst_gssapi_check_config((char *)array);
-+
- gss_log(3, "failed gss_import_name: %s",
- gss_error_tostring(gret, minor, buf,
- sizeof(buf)));
-@@ -254,6 +301,7 @@ dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
- initiate ? "initiate" : "accept",
- (char *)gnamebuf.value,
- gss_error_tostring(gret, minor, buf, sizeof(buf)));
-+ dst_gssapi_check_config((char *)array);
- return (ISC_R_FAILURE);
- }
-
---
-1.6.3.3
-
diff --git a/examples/bind9-patches/0005-windows-doesn-t-return-valid-GSSAPI-sequence-numbers.patch b/examples/bind9-patches/0005-windows-doesn-t-return-valid-GSSAPI-sequence-numbers.patch
deleted file mode 100644
index a44813dd62..0000000000
--- a/examples/bind9-patches/0005-windows-doesn-t-return-valid-GSSAPI-sequence-numbers.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 0f6a49d9fb4a3b9f917ee9caed3a94e44db045a5 Mon Sep 17 00:00:00 2001
-From: Andrew Tridgell <tridge@samba.org>
-Date: Wed, 17 Feb 2010 15:28:51 +1100
-Subject: [PATCH 5/5] windows doesn't return valid GSSAPI sequence numbers on its
- TSIG-GSS DNS update replies
-
----
- lib/dns/gssapictx.c | 5 ++++-
- 1 files changed, 4 insertions(+), 1 deletions(-)
-
-diff --git a/lib/dns/gssapictx.c b/lib/dns/gssapictx.c
-index 879393c..69b66c5 100644
---- a/lib/dns/gssapictx.c
-+++ b/lib/dns/gssapictx.c
-@@ -536,8 +536,11 @@ dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
- gintokenp = NULL;
- }
-
-+ /* note that we don't set GSS_C_SEQUENCE_FLAG as Windows DNS
-+ * servers don't like it
-+ */
- flags = GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG |
-- GSS_C_SEQUENCE_FLAG | GSS_C_INTEG_FLAG;
-+ GSS_C_INTEG_FLAG;
-
- gret = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, gssctx,
- gname, GSS_SPNEGO_MECHANISM, flags,
---
-1.6.3.3
-
diff --git a/examples/bind9-patches/README b/examples/bind9-patches/README
deleted file mode 100644
index 7bc965eec5..0000000000
--- a/examples/bind9-patches/README
+++ /dev/null
@@ -1,11 +0,0 @@
-NOTE! These patches are now incorporated in bind9 releases from
-9.7.2RC1 and onwards. You no longer need a patched version of bind9 to
-work with krb5 DNS updates and Samba4.
-
----------------------------------
-
-These patches fix the TSIG-GSS dynamic DNS updates in bind9 to allow
-dynamic updates to work with recent windows versions.
-
-The patches were developed against bind9 version 9.6.1, and were
-tested on Ubuntu Karmic.