|
Lines 1254-1259
_PUBLIC_ isc_result_t dlz_configure(dns_view_t *view, dns_dlzdb_t *dlzdb,
|
Link Here
|
|---|
|
|---|
| 1254 |
return ISC_R_SUCCESS; |
1254 |
return ISC_R_SUCCESS; |
| 1255 |
} |
1255 |
} |
| 1256 |
|
1256 |
|
|
|
1257 |
static bool b9_is_tombstoned(struct ldb_result *res) { |
| 1258 |
struct ldb_message_element *el; |
| 1259 |
struct ldb_val *val; |
| 1260 |
struct ldb_val tombstoned_val = data_blob_string_const("TRUE"); |
| 1261 |
|
| 1262 |
el = ldb_msg_find_element(res->msgs[0], "dNSTombstoned"); |
| 1263 |
if (el == NULL) { |
| 1264 |
return false; |
| 1265 |
} |
| 1266 |
|
| 1267 |
val = ldb_msg_find_val(el, &tombstoned_val); |
| 1268 |
return val != NULL; |
| 1269 |
} |
| 1270 |
|
| 1257 |
/* |
1271 |
/* |
| 1258 |
authorize a zone update |
1272 |
authorize a zone update |
| 1259 |
*/ |
1273 |
*/ |
|
Lines 1274-1281
_PUBLIC_ isc_boolean_t dlz_ssumatch(const char *signer, const char *name, const
|
Link Here
|
|---|
|
|---|
| 1274 |
struct ldb_dn *dn; |
1288 |
struct ldb_dn *dn; |
| 1275 |
isc_result_t result; |
1289 |
isc_result_t result; |
| 1276 |
struct ldb_result *res; |
1290 |
struct ldb_result *res; |
| 1277 |
const char * attrs[] = { NULL }; |
1291 |
const char * attrs[] = { "dNSTombstoned", NULL }; |
| 1278 |
uint32_t access_mask; |
1292 |
uint32_t access_mask; |
|
|
1293 |
bool is_tombstoned = false; |
| 1279 |
|
1294 |
|
| 1280 |
/* Remove cached credentials, if any */ |
1295 |
/* Remove cached credentials, if any */ |
| 1281 |
if (state->session_info) { |
1296 |
if (state->session_info) { |
|
Lines 1365-1370
_PUBLIC_ isc_boolean_t dlz_ssumatch(const char *signer, const char *name, const
|
Link Here
|
|---|
|
|---|
| 1365 |
talloc_free(res); |
1380 |
talloc_free(res); |
| 1366 |
} else if (ldb_ret == LDB_SUCCESS) { |
1381 |
} else if (ldb_ret == LDB_SUCCESS) { |
| 1367 |
access_mask = SEC_STD_REQUIRED | SEC_ADS_SELF_WRITE; |
1382 |
access_mask = SEC_STD_REQUIRED | SEC_ADS_SELF_WRITE; |
|
|
1383 |
is_tombstoned = b9_is_tombstoned(res); |
| 1368 |
talloc_free(res); |
1384 |
talloc_free(res); |
| 1369 |
} else { |
1385 |
} else { |
| 1370 |
talloc_free(tmp_ctx); |
1386 |
talloc_free(tmp_ctx); |
|
Lines 1375-1380
_PUBLIC_ isc_boolean_t dlz_ssumatch(const char *signer, const char *name, const
|
Link Here
|
|---|
|
|---|
| 1375 |
ldb_ret = dsdb_check_access_on_dn(state->samdb, tmp_ctx, dn, |
1391 |
ldb_ret = dsdb_check_access_on_dn(state->samdb, tmp_ctx, dn, |
| 1376 |
session_info->security_token, |
1392 |
session_info->security_token, |
| 1377 |
access_mask, NULL); |
1393 |
access_mask, NULL); |
|
|
1394 |
/* If a machine changes it's IP address and creates a new reverse-zone |
| 1395 |
* PTR, the old one gets marked as a `dNSTombstoned = TRUE`. This |
| 1396 |
* prevents other machines with different GUIDS from changing the old |
| 1397 |
* reverse-zone PTR. This deletes the old object in that case, so that |
| 1398 |
* a new zone-object may be created. |
| 1399 |
*/ |
| 1400 |
if (ldb_ret == LDB_ERR_INSUFFICIENT_ACCESS_RIGHTS && is_tombstoned) { |
| 1401 |
ldb_ret = ldb_delete(state->samdb, dn); |
| 1402 |
if (ldb_ret != LDB_SUCCESS) { |
| 1403 |
state->log(ISC_LOG_ERROR, |
| 1404 |
"samba_dlz: to failed delete tombstoned object: error=%s", |
| 1405 |
ldb_strerror(ldb_ret)); |
| 1406 |
talloc_free(tmp_ctx); |
| 1407 |
return ISC_FALSE; |
| 1408 |
} |
| 1409 |
ldb_dn_remove_child_components(dn, 1); |
| 1410 |
access_mask = SEC_ADS_CREATE_CHILD; |
| 1411 |
ldb_ret = dsdb_check_access_on_dn(state->samdb, tmp_ctx, dn, |
| 1412 |
session_info->security_token, |
| 1413 |
access_mask, NULL); |
| 1414 |
} |
| 1378 |
if (ldb_ret != LDB_SUCCESS) { |
1415 |
if (ldb_ret != LDB_SUCCESS) { |
| 1379 |
state->log(ISC_LOG_INFO, |
1416 |
state->log(ISC_LOG_INFO, |
| 1380 |
"samba_dlz: disallowing update of signer=%s name=%s type=%s error=%s", |
1417 |
"samba_dlz: disallowing update of signer=%s name=%s type=%s error=%s", |
| 1381 |
- |
|
|