From af086da4ec19de83717820de85d8e672850ed4b2 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Fri, 5 May 2006 19:24:48 +0000 Subject: r15462: replace the use of OpenLDAP's ldap_domain2hostlist() for locating AD DC's with out own DNS SRV queries. Testing on Linux and Solaris. (This used to be commit cf71f88a3cdcabf99c0798ef4cf8c978397a57eb) --- source3/Makefile.in | 4 +- source3/configure.in | 11 -- source3/include/ads_dns.h | 54 +++++++ source3/include/includes.h | 1 + source3/libads/dns.c | 353 +++++++++++++++++++++++++++++++++++++++++++++ source3/libsmb/namequery.c | 51 ++++--- source3/utils/net_ads.c | 6 +- source3/utils/net_lookup.c | 72 +++++---- 8 files changed, 487 insertions(+), 65 deletions(-) create mode 100644 source3/include/ads_dns.h create mode 100644 source3/libads/dns.c (limited to 'source3') diff --git a/source3/Makefile.in b/source3/Makefile.in index 773eb65016..694c4ab375 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -241,14 +241,14 @@ LIBADS_OBJ = libads/ldap.o libads/ldap_printer.o libads/sasl.o \ libads/krb5_setpw.o libads/ldap_user.o \ libads/ads_struct.o libads/kerberos_keytab.o \ libads/disp_sec.o libads/ads_utils.o libads/ldap_utils.o \ - libads/authdata.o + libads/authdata.o LIBADS_SERVER_OBJ = libads/util.o libads/kerberos_verify.o SECRETS_OBJ = passdb/secrets.o passdb/machine_sid.o LIBNMB_OBJ = libsmb/unexpected.o libsmb/namecache.o libsmb/nmblib.o \ - libsmb/namequery.o libsmb/conncache.o + libsmb/namequery.o libsmb/conncache.o libads/dns.o LIBSAMBA_OBJ = libsmb/nterr.o libsmb/dcerpc_err.o libsmb/smbdes.o \ libsmb/smbencrypt.o libsmb/ntlm_check.o \ diff --git a/source3/configure.in b/source3/configure.in index bf6841bdf4..40cf2d4a81 100644 --- a/source3/configure.in +++ b/source3/configure.in @@ -3227,17 +3227,6 @@ else fi fi - AC_CHECK_FUNC_EXT(ldap_domain2hostlist,$LDAP_LIBS) - - if test x"$ac_cv_func_ext_ldap_domain2hostlist" != x"yes"; then - if test x"$with_ads_support" = x"yes"; then - AC_MSG_ERROR(Active Directory support requires ldap_domain2hostlist) - elif test x"$with_ads_support" = x"auto"; then - AC_MSG_WARN(Disabling Active Directory support (requires ldap_domain2hostlist)) - with_ads_support=no - fi - fi - AC_CHECK_FUNC_EXT(ldap_add_result_entry,$LDAP_LIBS) if test x"$ac_cv_func_ext_ldap_add_result_entry" != x"yes"; then diff --git a/source3/include/ads_dns.h b/source3/include/ads_dns.h new file mode 100644 index 0000000000..9b65db0c8e --- /dev/null +++ b/source3/include/ads_dns.h @@ -0,0 +1,54 @@ +/* + * Unix SMB/CIFS implementation. + * Internal DNS query structures + * Copyright (C) Gerald Carter 2006. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + */ + +#ifndef _ADS_DNS_H +#define _ADS_DNS_H + +/* DNS query section in replies */ + +struct dns_query { + const char *hostname; + uint16 type; + uint16 in_class; +}; + +/* DNS RR record in reply */ + +struct dns_rr { + const char *hostname; + uint16 type; + uint16 in_class; + uint32 ttl; + uint16 rdatalen; + uint8 *rdata; +}; + +/* SRV records */ + +struct dns_rr_srv { + const char *hostname; + uint16 priority; + uint16 weight; + uint16 port; + struct in_addr ip; +}; + + +#endif /* _ADS_DNS_H */ diff --git a/source3/include/includes.h b/source3/include/includes.h index 3aec0f602a..998a0715e2 100644 --- a/source3/include/includes.h +++ b/source3/include/includes.h @@ -903,6 +903,7 @@ extern int errno; #include "nt_status.h" #include "ads.h" +#include "ads_dns.h" #include "interfaces.h" #include "trans2.h" #include "nterr.h" diff --git a/source3/libads/dns.c b/source3/libads/dns.c new file mode 100644 index 0000000000..0119ae9130 --- /dev/null +++ b/source3/libads/dns.c @@ -0,0 +1,353 @@ +/* + Unix SMB/CIFS implementation. + DNS utility library + Copyright (C) Gerald (Jerry) Carter 2006. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +/* AIX resolv.h uses 'class' in struct ns_rr */ + +#if defined(AIX) +# if defined(class) +# undef class +# endif +#endif /* AIX */ + +/* resolver headers */ + +#include +#include +#include +#include +#include + +#define MAX_DNS_PACKET_SIZE 0xffff + +/********************************************************************* +*********************************************************************/ + +static BOOL ads_dns_parse_query( TALLOC_CTX *ctx, uint8 *start, uint8 *end, + uint8 **ptr, struct dns_query *q ) +{ + uint8 *p = *ptr; + pstring hostname; + int namelen; + + ZERO_STRUCTP( q ); + + if ( !start || !end || !q || !*ptr) + return False; + + /* See RFC 1035 for details. If this fails, then return. */ + + namelen = dn_expand( start, end, p, hostname, sizeof(hostname) ); + if ( namelen < 0 ) { + return False; + } + p += namelen; + q->hostname = talloc_strdup( ctx, hostname ); + + /* check that we have space remaining */ + + if ( PTR_DIFF(p+4, end) > 0 ) + return False; + + q->type = RSVAL( p, 0 ); + q->in_class = RSVAL( p, 2 ); + p += 4; + + *ptr = p; + + return True; +} + +/********************************************************************* +*********************************************************************/ + +static BOOL ads_dns_parse_rr( TALLOC_CTX *ctx, uint8 *start, uint8 *end, + uint8 **ptr, struct dns_rr *rr ) +{ + uint8 *p = *ptr; + pstring hostname; + int namelen; + + if ( !start || !end || !rr || !*ptr) + return -1; + + ZERO_STRUCTP( rr ); + /* pull the name from the answer */ + + namelen = dn_expand( start, end, p, hostname, sizeof(hostname) ); + if ( namelen < 0 ) { + return -1; + } + p += namelen; + rr->hostname = talloc_strdup( ctx, hostname ); + + /* check that we have space remaining */ + + if ( PTR_DIFF(p+10, end) > 0 ) + return False; + + /* pull some values and then skip onto the string */ + + rr->type = RSVAL(p, 0); + rr->in_class = RSVAL(p, 2); + rr->ttl = RIVAL(p, 4); + rr->rdatalen = RSVAL(p, 8); + + p += 10; + + /* sanity check the available space */ + + if ( PTR_DIFF(p+rr->rdatalen, end ) > 0 ) { + return False; + + } + + /* save a point to the rdata for this section */ + + rr->rdata = p; + p += rr->rdatalen; + + *ptr = p; + + return True; +} + +/********************************************************************* +*********************************************************************/ + +static BOOL ads_dns_parse_rr_srv( TALLOC_CTX *ctx, uint8 *start, uint8 *end, + uint8 **ptr, struct dns_rr_srv *srv ) +{ + struct dns_rr rr; + uint8 *p; + pstring dcname; + int namelen; + + if ( !start || !end || !srv || !*ptr) + return -1; + + /* Parse the RR entry. Coming out of the this, ptr is at the beginning + of the next record */ + + if ( !ads_dns_parse_rr( ctx, start, end, ptr, &rr ) ) { + DEBUG(1,("ads_dns_parse_rr_srv: Failed to parse RR record\n")); + return False; + } + + if ( rr.type != ns_t_srv ) { + DEBUG(1,("ads_dns_parse_rr_srv: Bad answer type (%d)\n", rr.type)); + return False; + } + + p = rr.rdata; + + srv->priority = RSVAL(p, 0); + srv->weight = RSVAL(p, 2); + srv->port = RSVAL(p, 4); + + p += 6; + + namelen = dn_expand( start, end, p, dcname, sizeof(dcname) ); + if ( namelen < 0 ) { + DEBUG(1,("ads_dns_parse_rr_srv: Failed to uncompress name!\n")); + return False; + } + srv->hostname = talloc_strdup( ctx, dcname ); + + return True; +} + + +/********************************************************************* + Sort SRV record list based on weight and priority. See RFC 2782. +*********************************************************************/ + +static int dnssrvcmp( struct dns_rr_srv *a, struct dns_rr_srv *b ) +{ + BOOL init = False; + + if ( !init ) { + srand( (uint32)time(NULL) ); + } + + if ( a->priority == b->priority ) { + + /* randomize entries with an equal weight and priority */ + if ( a->weight == b->weight ) + return rand() % 2 ? -1 : 1; + + /* higher weights should be sorted lower */ + if ( a->weight > b->weight ) + return -1; + else + return 1; + } + + if ( a->priority < b->priority ) + return -1; + + return 1; +} + +/********************************************************************* + Simple wrapper for a DNS SRV query +*********************************************************************/ + +NTSTATUS ads_dns_lookup_srv( TALLOC_CTX *ctx, const char *name, struct dns_rr_srv **dclist, int *numdcs ) +{ + uint8 *buffer = NULL; + size_t buf_len; + int resp_len = NS_PACKETSZ; + struct dns_rr_srv *dcs = NULL; + int query_count, answer_count, auth_count, additional_count; + uint8 *p = buffer; + int rrnum; + int idx = 0; + + if ( !ctx || !name || !dclist ) { + return NT_STATUS_INVALID_PARAMETER; + } + + /* Send the request. May have to loop several times in case + of large replies */ + + do { + if ( buffer ) + TALLOC_FREE( buffer ); + + buf_len = resp_len * sizeof(uint8); + + if ( (buffer = TALLOC_ARRAY(ctx, uint8, buf_len)) == NULL ) { + DEBUG(0,("ads_dns_lookup_srv: talloc() failed!\n")); + return NT_STATUS_NO_MEMORY; + } + + if ( (resp_len = res_query(name, ns_c_in, ns_t_srv, buffer, buf_len)) < 0 ) { + DEBUG(1,("ads_dns_lookup_srv: Failed to resolve %s (%s)\n", name, strerror(errno))); + TALLOC_FREE( buffer ); + return NT_STATUS_UNSUCCESSFUL; + } + } while ( buf_len < resp_len && resp_len < MAX_DNS_PACKET_SIZE ); + + p = buffer; + + /* For some insane reason, the ns_initparse() et. al. routines are only + available in libresolv.a, and not the shared lib. Who knows why.... + So we have to parse the DNS reply ourselves */ + + /* Pull the answer RR's count from the header. Use the NMB ordering macros */ + + query_count = RSVAL( p, 4 ); + answer_count = RSVAL( p, 6 ); + auth_count = RSVAL( p, 8 ); + additional_count = RSVAL( p, 10 ); + + DEBUG(4,("ads_dns_lookup_srv: %d records returned in the answer section.\n", + answer_count)); + + if ( (dcs = TALLOC_ARRAY(ctx, struct dns_rr_srv, answer_count)) == NULL ) { + DEBUG(0,("ads_dns_lookup_srv: talloc() failure for %d char*'s\n", + answer_count)); + return NT_STATUS_NO_MEMORY; + } + + /* now skip the header */ + + p += NS_HFIXEDSZ; + + /* parse the query section */ + + for ( rrnum=0; rrnum if we are using ADS */ if ( lp_security() != SEC_ADS ) @@ -1039,25 +1039,31 @@ static BOOL resolve_ads(const char *name, int name_type, DEBUG(5,("resolve_hosts: Attempting to resolve DC's for %s using DNS\n", name)); - if (ldap_domain2hostlist(name, &list) != LDAP_SUCCESS) + if ( (ctx = talloc_init("resolve_ads")) == NULL ) { + DEBUG(0,("resolve_ads: talloc_init() failed!\n")); return False; - - count = count_chars(list, ' ') + 1; - if ( (*return_iplist = SMB_MALLOC_ARRAY(struct ip_service, count)) == NULL ) { - DEBUG(0,("resolve_hosts: malloc failed for %d entries\n", count )); + } + + status = ads_dns_query_dcs( ctx, name, &dcs, &numdcs ); + if ( !NT_STATUS_IS_OK( status ) ) { + return False; + } + + if ( (*return_iplist = SMB_MALLOC_ARRAY(struct ip_service, numdcs)) == NULL ) { + DEBUG(0,("resolve_ads: malloc failed for %d entries\n", count )); return False; } - ptr = list; - while (next_token(&ptr, tok, " ", sizeof(tok))) { - unsigned port = LDAP_PORT; - char *p = strchr(tok, ':'); - if (p) { - *p = 0; - port = atoi(p+1); - } - (*return_iplist)[i].ip = *interpret_addr2(tok); - (*return_iplist)[i].port = port; + i = 0; + while ( i < numdcs ) { + + /* use the IP address from the SRV structure if we have one */ + if ( is_zero_ip( dcs[i].ip ) ) + (*return_iplist)[i].ip = *interpret_addr2(dcs[i].hostname); + else + (*return_iplist)[i].ip = dcs[i].ip; + + (*return_iplist)[i].port = dcs[i].port; /* make sure it is a valid IP. I considered checking the negative connection cache, but this is the wrong place for it. Maybe only @@ -1067,11 +1073,12 @@ static BOOL resolve_ads(const char *name, int name_type, our DNS server doesn't know anything about the DC's -- jerry */ if ( is_zero_ip((*return_iplist)[i].ip) ) - continue; - + continue; + i++; } - SAFE_FREE(list); + + TALLOC_FREE( dcs ); *return_count = i; diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c index cca8dd63d0..8076860569 100644 --- a/source3/utils/net_ads.c +++ b/source3/utils/net_ads.c @@ -72,8 +72,12 @@ static int net_ads_lookup(int argc, const char **argv) { ADS_STRUCT *ads; ADS_STATUS status; + const char *realm = NULL; - ads = ads_init(NULL, opt_target_workgroup, opt_host); + if ( strequal(lp_workgroup(), opt_target_workgroup ) ) + realm = lp_realm(); + + ads = ads_init(realm, opt_target_workgroup, opt_host); if (ads) { ads->auth.flags |= ADS_AUTH_NO_BIND; } diff --git a/source3/utils/net_lookup.c b/source3/utils/net_lookup.c index dd2d666d5a..68097aa9f7 100644 --- a/source3/utils/net_lookup.c +++ b/source3/utils/net_lookup.c @@ -62,71 +62,85 @@ static int net_lookup_host(int argc, const char **argv) return 0; } -#ifdef HAVE_LDAP -static void print_ldap_srvlist(char *srvlist) +#ifdef HAVE_ADS +static void print_ldap_srvlist(struct dns_rr_srv *dclist, int numdcs ) { - char *cur, *next; struct in_addr ip; - BOOL printit; - - cur = srvlist; - do { - next = strchr(cur,':'); - if (next) *next++='\0'; - printit = resolve_name(cur, &ip, 0x20); - cur=next; - next=cur ? strchr(cur,' ') :NULL; - if (next) - *next++='\0'; - if (printit) - d_printf("%s:%s\n", inet_ntoa(ip), cur?cur:""); - cur = next; - } while (next); + int i; + + for ( i=0; i 0) domain = argv[0]; else domain = opt_target_workgroup; + if ( (ctx = talloc_init("net_lookup_ldap")) == NULL ) { + d_fprintf(stderr, "net_lookup_ldap: talloc_inti() failed!\n"); + return -1; + } + DEBUG(9, ("Lookup up ldap for domain %s\n", domain)); - rc = ldap_domain2hostlist(domain, &srvlist); - if ((rc == LDAP_SUCCESS) && srvlist) { - print_ldap_srvlist(srvlist); + + status = ads_dns_query_dcs( ctx, domain, &dcs, &numdcs ); + if ( NT_STATUS_IS_OK(status) && numdcs ) { + print_ldap_srvlist(dcs, numdcs); + TALLOC_FREE( ctx ); + return 0; } DEBUG(9, ("Looking up DC for domain %s\n", domain)); - if (!get_pdc_ip(domain, &addr)) + if (!get_pdc_ip(domain, &addr)) { + TALLOC_FREE( ctx ); return -1; + } hostent = gethostbyaddr((char *) &addr.s_addr, sizeof(addr.s_addr), AF_INET); - if (!hostent) + if (!hostent) { + TALLOC_FREE( ctx ); return -1; + } DEBUG(9, ("Found DC with DNS name %s\n", hostent->h_name)); domain = strchr(hostent->h_name, '.'); - if (!domain) + if (!domain) { + TALLOC_FREE( ctx ); return -1; + } domain++; DEBUG(9, ("Looking up ldap for domain %s\n", domain)); - rc = ldap_domain2hostlist(domain, &srvlist); - if ((rc == LDAP_SUCCESS) && srvlist) { - print_ldap_srvlist(srvlist); + + status = ads_dns_query_dcs( ctx, domain, &dcs, &numdcs ); + if ( NT_STATUS_IS_OK(status) && numdcs ) { + print_ldap_srvlist(dcs, numdcs); + TALLOC_FREE( ctx ); + return 0; } + + TALLOC_FREE( ctx ); + + return -1; #endif DEBUG(1,("No ADS support\n")); -- cgit