The branch, master has been updated
via 7751d03 s3-net: Fix DEBUG() location.
via 0eded14 s3-net: give more control how to update/register DNS
entries.
via ec23d0a s3-net: pass down a flags field to DoDNSUpdate().
via 5d4247a s3-net: move out some prototypes to net_dns.h.
via a2fec69 s3-net: pass down struct net_context to the dns update
calls.
via 06f3b1f s3-kerberos: add aes enctypes to generated krb5.conf.
via eae33e9 s3-krb5: use and request AES keys in kerberos operations.
from 4a21d2e Fix release script to build full set of documentation
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 7751d03a1e18a94de1f54f6ba4143b52d8c53180
Author: Günther Deschner <g...@samba.org>
Date: Mon Oct 1 16:19:28 2012 +0200
s3-net: Fix DEBUG() location.
Guenther
Autobuild-User(master): Günther Deschner <g...@samba.org>
Autobuild-Date(master): Tue Oct 2 18:06:17 CEST 2012 on sn-devel-104
commit 0eded14f19806e87b2205677064d1413bcb86d38
Author: Günther Deschner <g...@samba.org>
Date: Tue Sep 25 11:09:45 2012 +0200
s3-net: give more control how to update/register DNS entries.
Guenther
commit ec23d0a3eeeeb2f3969d4d113d80bd82cb1dbbcd
Author: Günther Deschner <g...@samba.org>
Date: Tue Sep 25 11:08:48 2012 +0200
s3-net: pass down a flags field to DoDNSUpdate().
Guenther
commit 5d4247ae7434adae87b265a362a9fa19b4ca557c
Author: Günther Deschner <g...@samba.org>
Date: Wed Sep 19 15:35:15 2012 +0200
s3-net: move out some prototypes to net_dns.h.
Guenther
commit a2fec69b0958f75e31c702e25017eeae6a92be0d
Author: Günther Deschner <g...@samba.org>
Date: Wed Sep 19 15:31:57 2012 +0200
s3-net: pass down struct net_context to the dns update calls.
Guenther
commit 06f3b1f0b0dcf9355a8d634cdb62f1f0a8ea4dbe
Author: Günther Deschner <g...@samba.org>
Date: Mon Dec 19 10:52:58 2011 +0100
s3-kerberos: add aes enctypes to generated krb5.conf.
Guenther
commit eae33e96fcaa456830862325b91579faf2a96213
Author: Günther Deschner <g...@samba.org>
Date: Thu Dec 15 18:12:41 2011 +0100
s3-krb5: use and request AES keys in kerberos operations.
Guenther
-----------------------------------------------------------------------
Summary of changes:
lib/krb5_wrap/krb5_samba.c | 6 ++
source3/libads/kerberos.c | 28 +++++++++--
source3/libads/kerberos_keytab.c | 8 +++-
source3/utils/net_ads.c | 44 ++++++++++--------
source3/utils/net_dns.c | 96 +++++++++++++++++++++++---------------
source3/utils/net_dns.h | 43 +++++++++++++++++
6 files changed, 163 insertions(+), 62 deletions(-)
create mode 100644 source3/utils/net_dns.h
Changeset truncated at 500 lines:
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 1a5a710..8037337 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -688,6 +688,12 @@ int cli_krb5_get_ticket(TALLOC_CTX *mem_ctx,
ENCTYPE_ARCFOUR_HMAC,
ENCTYPE_DES_CBC_MD5,
ENCTYPE_DES_CBC_CRC,
+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+#endif
+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+#endif
ENCTYPE_NULL};
initialize_krb5_error_table();
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 1093d12..3183e26 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -831,6 +831,7 @@ bool create_local_private_krb5_conf_for_domain(const char
*realm,
int fd;
char *realm_upper = NULL;
bool result = false;
+ char *aes_enctypes = NULL;
if (!lp_create_krb5_conf()) {
return false;
@@ -870,14 +871,33 @@ bool create_local_private_krb5_conf_for_domain(const char
*realm,
goto done;
}
+ aes_enctypes = talloc_strdup(fname, "");
+ if (aes_enctypes == NULL) {
+ goto done;
+ }
+
+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
+ aes_enctypes = talloc_asprintf_append(aes_enctypes, "%s",
"aes256-cts-hmac-sha1-96 ");
+ if (aes_enctypes == NULL) {
+ goto done;
+ }
+#endif
+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+ aes_enctypes = talloc_asprintf_append(aes_enctypes, "%s",
"aes128-cts-hmac-sha1-96");
+ if (aes_enctypes == NULL) {
+ goto done;
+ }
+#endif
+
file_contents = talloc_asprintf(fname,
"[libdefaults]\n\tdefault_realm = %s\n"
- "\tdefault_tgs_enctypes = RC4-HMAC
DES-CBC-CRC DES-CBC-MD5\n"
- "\tdefault_tkt_enctypes = RC4-HMAC
DES-CBC-CRC DES-CBC-MD5\n"
- "\tpreferred_enctypes = RC4-HMAC
DES-CBC-CRC DES-CBC-MD5\n\n"
+ "\tdefault_tgs_enctypes = %s RC4-HMAC
DES-CBC-CRC DES-CBC-MD5\n"
+ "\tdefault_tkt_enctypes = %s RC4-HMAC
DES-CBC-CRC DES-CBC-MD5\n"
+ "\tpreferred_enctypes = %s RC4-HMAC
DES-CBC-CRC DES-CBC-MD5\n\n"
"[realms]\n\t%s = {\n"
"\t%s\t}\n",
- realm_upper, realm_upper,
kdc_ip_string);
+ realm_upper, aes_enctypes,
aes_enctypes, aes_enctypes,
+ realm_upper, kdc_ip_string);
if (!file_contents) {
goto done;
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index eb2603b..b7df50d 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -263,9 +263,15 @@ int ads_keytab_add_entry(ADS_STRUCT *ads, const char
*srvPrinc)
krb5_keytab keytab = NULL;
krb5_data password;
krb5_kvno kvno;
- krb5_enctype enctypes[4] = {
+ krb5_enctype enctypes[6] = {
ENCTYPE_DES_CBC_CRC,
ENCTYPE_DES_CBC_MD5,
+#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+ ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+#endif
+#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+#endif
ENCTYPE_ARCFOUR_HMAC,
0
};
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index b1d55f1..c122251 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -38,6 +38,7 @@
#include "../libcli/security/security.h"
#include "libsmb/libsmb.h"
#include "lib/param/loadparm.h"
+#include "utils/net_dns.h"
#ifdef HAVE_ADS
@@ -1126,12 +1127,9 @@ static WERROR check_ads_config( void )
#if defined(WITH_DNS_UPDATES)
#include "../lib/addns/dns.h"
-DNS_ERROR DoDNSUpdate(char *pszServerName,
- const char *pszDomainName, const char *pszHostName,
- const struct sockaddr_storage *sslist,
- size_t num_addrs );
-static NTSTATUS net_update_dns_internal(TALLOC_CTX *ctx, ADS_STRUCT *ads,
+static NTSTATUS net_update_dns_internal(struct net_context *c,
+ TALLOC_CTX *ctx, ADS_STRUCT *ads,
const char *machine_name,
const struct sockaddr_storage *addrs,
int num_addrs)
@@ -1197,7 +1195,7 @@ static NTSTATUS net_update_dns_internal(TALLOC_CTX *ctx,
ADS_STRUCT *ads,
&nameservers, &ns_count);
if ( !NT_STATUS_IS_OK(status) || (ns_count == 0)) {
- DEBUG(3,("net_ads_join: Failed to find name server for
the %s "
+ DEBUG(3,("net_update_dns_internal: Failed to find name
server for the %s "
"realm\n", ads->config.realm));
goto done;
}
@@ -1208,6 +1206,17 @@ static NTSTATUS net_update_dns_internal(TALLOC_CTX *ctx,
ADS_STRUCT *ads,
for (i=0; i < ns_count; i++) {
+ uint32_t flags = DNS_UPDATE_SIGNED |
+ DNS_UPDATE_UNSIGNED |
+ DNS_UPDATE_UNSIGNED_SUFFICIENT |
+ DNS_UPDATE_PROBE |
+ DNS_UPDATE_PROBE_SUFFICIENT;
+
+ if (c->opt_force) {
+ flags &= ~DNS_UPDATE_PROBE_SUFFICIENT;
+ flags &= ~DNS_UPDATE_UNSIGNED_SUFFICIENT;
+ }
+
status = NT_STATUS_UNSUCCESSFUL;
/* Now perform the dns update - we'll try non-secure and if we
fail,
@@ -1215,7 +1224,7 @@ static NTSTATUS net_update_dns_internal(TALLOC_CTX *ctx,
ADS_STRUCT *ads,
fstrcpy( dns_server, nameservers[i].hostname );
- dns_err = DoDNSUpdate(dns_server, dnsdomain, machine_name,
addrs, num_addrs);
+ dns_err = DoDNSUpdate(dns_server, dnsdomain, machine_name,
addrs, num_addrs, flags);
if (ERR_DNS_IS_OK(dns_err)) {
status = NT_STATUS_OK;
goto done;
@@ -1242,7 +1251,8 @@ done:
return status;
}
-static NTSTATUS net_update_dns_ext(TALLOC_CTX *mem_ctx, ADS_STRUCT *ads,
+static NTSTATUS net_update_dns_ext(struct net_context *c,
+ TALLOC_CTX *mem_ctx, ADS_STRUCT *ads,
const char *hostname,
struct sockaddr_storage *iplist,
int num_addrs)
@@ -1274,18 +1284,18 @@ static NTSTATUS net_update_dns_ext(TALLOC_CTX *mem_ctx,
ADS_STRUCT *ads,
iplist = iplist_alloc;
}
- status = net_update_dns_internal(mem_ctx, ads, machine_name,
+ status = net_update_dns_internal(c, mem_ctx, ads, machine_name,
iplist, num_addrs);
SAFE_FREE(iplist_alloc);
return status;
}
-static NTSTATUS net_update_dns(TALLOC_CTX *mem_ctx, ADS_STRUCT *ads, const
char *hostname)
+static NTSTATUS net_update_dns(struct net_context *c, TALLOC_CTX *mem_ctx,
ADS_STRUCT *ads, const char *hostname)
{
NTSTATUS status;
- status = net_update_dns_ext(mem_ctx, ads, hostname, NULL, 0);
+ status = net_update_dns_ext(c, mem_ctx, ads, hostname, NULL, 0);
return status;
}
#endif
@@ -1315,7 +1325,7 @@ static int net_ads_join_usage(struct net_context *c, int
argc, const char **argv
}
-static void _net_ads_join_dns_updates(TALLOC_CTX *ctx, struct libnet_JoinCtx
*r)
+static void _net_ads_join_dns_updates(struct net_context *c, TALLOC_CTX *ctx,
struct libnet_JoinCtx *r)
{
#if defined(WITH_DNS_UPDATES)
ADS_STRUCT *ads_dns = NULL;
@@ -1389,7 +1399,7 @@ static void _net_ads_join_dns_updates(TALLOC_CTX *ctx,
struct libnet_JoinCtx *r)
goto done;
}
- status = net_update_dns(ctx, ads_dns, NULL);
+ status = net_update_dns(c, ctx, ads_dns, NULL);
if (!NT_STATUS_IS_OK(status)) {
d_fprintf( stderr, _("DNS update failed: %s\n"),
nt_errstr(status));
@@ -1545,7 +1555,7 @@ int net_ads_join(struct net_context *c, int argc, const
char **argv)
* If the dns update fails, we still consider the join
* operation as succeeded if we came this far.
*/
- _net_ads_join_dns_updates(ctx, r);
+ _net_ads_join_dns_updates(c, ctx, r);
TALLOC_FREE(r);
TALLOC_FREE( ctx );
@@ -1641,7 +1651,7 @@ static int net_ads_dns_register(struct net_context *c,
int argc, const char **ar
return -1;
}
- ntstatus = net_update_dns_ext(ctx, ads, hostname, addrs, num_addrs);
+ ntstatus = net_update_dns_ext(c, ctx, ads, hostname, addrs, num_addrs);
if (!NT_STATUS_IS_OK(ntstatus)) {
d_fprintf( stderr, _("DNS update failed!\n") );
ads_destroy( &ads );
@@ -1662,10 +1672,6 @@ static int net_ads_dns_register(struct net_context *c,
int argc, const char **ar
#endif
}
-#if defined(WITH_DNS_UPDATES)
-DNS_ERROR do_gethostbyname(const char *server, const char *host);
-#endif
-
static int net_ads_dns_gethostbyname(struct net_context *c, int argc, const
char **argv)
{
#if defined(WITH_DNS_UPDATES)
diff --git a/source3/utils/net_dns.c b/source3/utils/net_dns.c
index 559c14d..9bbefdb 100644
--- a/source3/utils/net_dns.c
+++ b/source3/utils/net_dns.c
@@ -22,23 +22,17 @@
#include "includes.h"
#include "utils/net.h"
#include "../lib/addns/dns.h"
+#include "utils/net_dns.h"
#if defined(WITH_DNS_UPDATES)
-/*
- * Silly prototype to get rid of a warning
- */
-
-DNS_ERROR DoDNSUpdate(char *pszServerName,
- const char *pszDomainName, const char *pszHostName,
- const struct sockaddr_storage *sslist,
- size_t num_addrs );
/*********************************************************************
*********************************************************************/
DNS_ERROR DoDNSUpdate(char *pszServerName,
const char *pszDomainName, const char *pszHostName,
- const struct sockaddr_storage *sslist, size_t num_addrs )
+ const struct sockaddr_storage *sslist, size_t num_addrs,
+ uint32_t flags)
{
DNS_ERROR err;
struct dns_connection *conn;
@@ -46,6 +40,14 @@ DNS_ERROR DoDNSUpdate(char *pszServerName,
OM_uint32 minor;
struct dns_update_request *req, *resp;
+ DEBUG(10,("DoDNSUpdate called with flags: 0x%08x\n", flags));
+
+ if (!(flags & DNS_UPDATE_SIGNED) &&
+ !(flags & DNS_UPDATE_UNSIGNED) &&
+ !(flags & DNS_UPDATE_PROBE)) {
+ return ERROR_DNS_INVALID_PARAMETER;
+ }
+
if ( (num_addrs <= 0) || !sslist ) {
return ERROR_DNS_INVALID_PARAMETER;
}
@@ -59,45 +61,65 @@ DNS_ERROR DoDNSUpdate(char *pszServerName,
goto error;
}
- /*
- * Probe if everything's fine
- */
+ if (flags & DNS_UPDATE_PROBE) {
- err = dns_create_probe(mem_ctx, pszDomainName, pszHostName,
- num_addrs, sslist, &req);
- if (!ERR_DNS_IS_OK(err)) goto error;
+ /*
+ * Probe if everything's fine
+ */
- err = dns_update_transaction(mem_ctx, conn, req, &resp);
- if (!ERR_DNS_IS_OK(err)) goto error;
+ err = dns_create_probe(mem_ctx, pszDomainName, pszHostName,
+ num_addrs, sslist, &req);
+ if (!ERR_DNS_IS_OK(err)) goto error;
+
+ err = dns_update_transaction(mem_ctx, conn, req, &resp);
+ if (!ERR_DNS_IS_OK(err)) goto error;
- if (dns_response_code(resp->flags) == DNS_NO_ERROR) {
- TALLOC_FREE(mem_ctx);
- return ERROR_DNS_SUCCESS;
+ if (!ERR_DNS_IS_OK(err)) {
+ DEBUG(3,("DoDNSUpdate: failed to probe DNS\n"));
+ }
+
+ if ((dns_response_code(resp->flags) == DNS_NO_ERROR) &&
+ (flags & DNS_UPDATE_PROBE_SUFFICIENT)) {
+ TALLOC_FREE(mem_ctx);
+ return ERROR_DNS_SUCCESS;
+ }
}
- /*
- * First try without signing
- */
+ if (flags & DNS_UPDATE_UNSIGNED) {
- err = dns_create_update_request(mem_ctx, pszDomainName, pszHostName,
- sslist, num_addrs, &req);
- if (!ERR_DNS_IS_OK(err)) goto error;
+ /*
+ * First try without signing
+ */
- err = dns_update_transaction(mem_ctx, conn, req, &resp);
- if (!ERR_DNS_IS_OK(err)) goto error;
+ err = dns_create_update_request(mem_ctx, pszDomainName,
pszHostName,
+ sslist, num_addrs, &req);
+ if (!ERR_DNS_IS_OK(err)) goto error;
- if (dns_response_code(resp->flags) == DNS_NO_ERROR) {
- TALLOC_FREE(mem_ctx);
- return ERROR_DNS_SUCCESS;
+ err = dns_update_transaction(mem_ctx, conn, req, &resp);
+ if (!ERR_DNS_IS_OK(err)) goto error;
+
+ if (!ERR_DNS_IS_OK(err)) {
+ DEBUG(3,("DoDNSUpdate: unsigned update failed\n"));
+ }
+
+ if ((dns_response_code(resp->flags) == DNS_NO_ERROR) &&
+ (flags & DNS_UPDATE_UNSIGNED_SUFFICIENT)) {
+ TALLOC_FREE(mem_ctx);
+ return ERROR_DNS_SUCCESS;
+ }
}
/*
* Okay, we have to try with signing
*/
- {
+ if (flags & DNS_UPDATE_SIGNED) {
gss_ctx_id_t gss_context;
char *keyname;
+ err = dns_create_update_request(mem_ctx, pszDomainName,
pszHostName,
+ sslist, num_addrs, &req);
+ if (!ERR_DNS_IS_OK(err)) goto error;
+
if (!(keyname = dns_generate_keyname( mem_ctx ))) {
err = ERROR_DNS_NO_MEMORY;
goto error;
@@ -128,6 +150,10 @@ DNS_ERROR DoDNSUpdate(char *pszServerName,
err = (dns_response_code(resp->flags) == DNS_NO_ERROR) ?
ERROR_DNS_SUCCESS : ERROR_DNS_UPDATE_FAILED;
+
+ if (!ERR_DNS_IS_OK(err)) {
+ DEBUG(3,("DoDNSUpdate: signed update failed\n"));
+ }
}
@@ -182,12 +208,6 @@ int get_my_ip_address( struct sockaddr_storage **pp_ss )
return count;
}
-/*
- * Silly prototype to get rid of a warning
- */
-
-DNS_ERROR do_gethostbyname(const char *server, const char *host);
-
DNS_ERROR do_gethostbyname(const char *server, const char *host)
{
struct dns_connection *conn;
diff --git a/source3/utils/net_dns.h b/source3/utils/net_dns.h
new file mode 100644
index 0000000..31e541b
--- /dev/null
+++ b/source3/utils/net_dns.h
@@ -0,0 +1,43 @@
+/*
+ Samba Unix/Linux Dynamic DNS Update
+ net ads commands
+
+ Copyright (C) Krishna Ganugapati (krish...@centeris.com) 2006
+ Copyright (C) Gerald Carter 2006
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/* flags for DoDNSUpdate */
+
+#define DNS_UPDATE_SIGNED 0x01
+#define DNS_UPDATE_SIGNED_SUFFICIENT 0x02
+#define DNS_UPDATE_UNSIGNED 0x04
+#define DNS_UPDATE_UNSIGNED_SUFFICIENT 0x08
+#define DNS_UPDATE_PROBE 0x10
+#define DNS_UPDATE_PROBE_SUFFICIENT 0x20
+
+#if defined(WITH_DNS_UPDATES)
+
+#include "../lib/addns/dns.h"
+
+DNS_ERROR DoDNSUpdate(char *pszServerName,
+ const char *pszDomainName, const char *pszHostName,
+ const struct sockaddr_storage *sslist,
+ size_t num_addrs,
+ uint32_t flags);
+
+DNS_ERROR do_gethostbyname(const char *server, const char *host);
+
+#endif /* defined(WITH_DNS_UPDATES) */
--
Samba Shared Repository
