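--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -1254,6 +1254,20 @@ _PUBLIC_ isc_result_t dlz_configure(dns_view_t *view, dns_dlzdb_t *dlzdb,
 return ISC_R_SUCCESS;
 }
 
+static bool b9_is_tombstoned(struct ldb_result *res) {
+struct ldb_message_element *el;
+struct ldb_val *val;
+struct ldb_val tombstoned_val = data_blob_string_const("TRUE");
+
+el = ldb_msg_find_element(res->msgs[0], "dNSTombstoned");
+if (el == NULL) {
+return false;
+}
+
+val = ldb_msg_find_val(el, &tombstoned_val);
+return val != NULL;
+}
+
 /*
 authorize a zone update
 */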
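Review bot: b9_is_tombstoned dereferences `res->msgs[0]` without checking `res->count`, so an ldb_result that carries zero messages would be read past the end of its array. The only caller on this page reaches it on the LDB_SUCCESS branch of a lookup whose search call is outside the hunk, where one message is presumably the normal outcome, but the helper itself does not enforce that and a guard keeps it safe for any future caller: `if (res == NULL || res->count == 0) { return false; }` placed before the ldb_msg_find_element call. The helper also lacks a header comment; something like `/* True when the first message in res carries dNSTombstoned = TRUE. */` would state the contract, including that only msgs[0] is inspected.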
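--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -1274,8 +1288,9 @@ _PUBLIC_ isc_boolean_t dlz_ssumatch(const char *signer, const char *name, const
 struct ldb_dn *dn;
 isc_result_t result;
 struct ldb_result *res;
-const char * attrs[] = { NULL };
+const char * attrs[] = { "dNSTombstoned", NULL };
 uint32_t access_mask;
+bool is_tombstoned = false;
 
 /* Remove cached credentials, if any */
 if (state->session_info) {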
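--- a/PATH-NOT-ON-PAGE
+++ b/PATH-NOT-ON-PAGE
@@ -1365,6 +1380,7 @@ _PUBLIC_ isc_boolean_t dlz_ssumatch(const char *signer, const char *name, const
 talloc_free(res);
 } else if (ldb_ret == LDB_SUCCESS) {
 access_mask = SEC_STD_REQUIRED | SEC_ADS_SELF_WRITE;
+is_tombstoned = b9_is_tombstoned(res);
 talloc_free(res);
 } else {
 talloc_free(tmp_ctx);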
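Review bot: The new `is_tombstoned = b9_is_tombstoned(res);` line carries no comment, yet it is the only place the flag is set and `res` is released on the very next line, so a reader has to find the later delete-and-recreate path to understand why it is captured here. A comment such as `/* Capture the tombstone state now: res is freed below, and the flag later allows a tombstoned node to be deleted when the write check fails. */` would make that explicit, and it is worth stating that the flag intentionally stays false on the other branches. Since the later path (new lines 1400-1413, outside this hunk) performs the `ldb_delete` before the CREATE_CHILD check on the parent runs, a signer that subsequently fails that check has already removed the tombstoned record; if that ordering is intended it deserves a sentence in the comment, otherwise checking the parent first would be the safer order. The enclosing dlz_ssumatch body starts and ends outside this hunk.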
Lines 1375-1380
_PUBLIC_ isc_boolean_t dlz_ssumatch(const char *signer, const char *name, const
1375 |
ldb_ret = dsdb_check_access_on_dn(state->samdb, tmp_ctx, dn, |
1391 |
ldb_ret = dsdb_check_access_on_dn(state->samdb, tmp_ctx, dn, |
1376 |
session_info->security_token, |
1392 |
session_info->security_token, |
1377 |
access_mask, NULL); |
1393 |
access_mask, NULL); |
|
|
1394 |
/* If a machine changes it's IP address and creates a new reverse-zone |
1395 |
* PTR, the old one gets marked as a `dNSTombstoned = TRUE`. This |
1396 |
* prevents other machines with different GUIDS from changing the old |
1397 |
* reverse-zone PTR. This deletes the old object in that case, so that |
1398 |
* a new zone-object may be created. |
1399 |
*/ |
1400 |
if (ldb_ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS && is_tombstoned) { |
1401 |
ldb_ret = ldb_delete(state->samdb, dn); |
1402 |
if (ldb_ret != LDB_SUCCESS) { |
1403 |
state->log(ISC_LOG_ERROR, |
1404 |
"samba_dlz: to failed delete tombstoned object: error=%s", |
1405 |
ldb_strerror(ldb_ret)); |
1406 |
talloc_free(tmp_ctx); |
1407 |
return ISC_FALSE; |
1408 |
} |
1409 |
ldb_dn_remove_child_components(dn, 1); |
1410 |
access_mask = SEC_ADS_CREATE_CHILD; |
1411 |
ldb_ret = dsdb_check_access_on_dn(state->samdb, tmp_ctx, dn, |
1412 |
session_info->security_token, |
1413 |
access_mask, NULL); |
1414 |
} |
1378 |
if (ldb_ret != LDB_SUCCESS) { |
1415 |
if (ldb_ret != LDB_SUCCESS) { |
1379 |
state->log(ISC_LOG_INFO, |
1416 |
state->log(ISC_LOG_INFO, |
1380 |
"samba_dlz: disallowing update of signer=%s name=%s type=%s error=%s", |
1417 |
"samba_dlz: disallowing update of signer=%s name=%s type=%s error=%s", |
1381 |
- |
|
|