author | Andrew Bartlett <abartlet@samba.org> | 2012-07-02 07:24:21 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2012-07-03 08:13:02 +1000 |
commit | d0460d96d62d879545818c7f0966b1026b27a007 (patch) | |
tree | 959903572619cebde5414a321acad5338912bb6b /examples | |
parent | 5de841f6f249ea742a8ed0ef5a795f77a364cc35 (diff) | |
download | samba-d0460d96d62d879545818c7f0966b1026b27a007.tar.gz |
s4-bind: Remove patches now incorporated into bind9
These patches are in bind9 now, and we do not recommend using them any more
as the improved version in bind 9.8 is much less prone to failure.
Andrew Bartlett
Diffstat (limited to 'examples')
6 files changed, 0 insertions, 256 deletions
diff --git a/examples/bind9-patches/0001-leave-the-question-section-in-update-responses.patch b/examples/bind9-patches/0001-leave-the-question-section-in-update-responses.patch
deleted file mode 100644
index 3716dd4ab63..00000000000
--- a/examples/bind9-patches/0001-leave-the-question-section-in-update-responses.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From 1d97835f07fd5142187629941422f87b33015414 Mon Sep 17 00:00:00 2001
-From: Andrew Tridgell <tridge@samba.org>
-Date: Wed, 17 Feb 2010 10:47:59 +1100
-Subject: [PATCH 1/5] leave the question section in update responses.
-
-This fixes TSIG-GSS updates from windows7 and w2k8r2, which require
-the question to be included in the initial refusal for the unsigned
-update.
----
- lib/dns/message.c | 3 ++-
- 1 files changed, 2 insertions(+), 1 deletions(-)
-
-diff --git a/lib/dns/message.c b/lib/dns/message.c
-index b541635..ae4965f 100644
---- a/lib/dns/message.c
-+++ b/lib/dns/message.c
-@@ -2474,7 +2474,8 @@ dns_message_reply(dns_message_t *msg, isc_boolean_t want_question_section) {
- if (!msg->header_ok)
- return (DNS_R_FORMERR);
- if (msg->opcode != dns_opcode_query &&
-- msg->opcode != dns_opcode_notify)
-+ msg->opcode != dns_opcode_notify &&
-+ msg->opcode != dns_opcode_update)
- want_question_section = ISC_FALSE;
- if (want_question_section) {
- if (!msg->question_ok)
---
-1.6.3.3
-
diff --git a/examples/bind9-patches/0002-prevent-a-valgrind-uninitialised-memory-warning.patch b/examples/bind9-patches/0002-prevent-a-valgrind-uninitialised-memory-warning.patch
deleted file mode 100644
index 22f0ce493f2..00000000000
--- a/examples/bind9-patches/0002-prevent-a-valgrind-uninitialised-memory-warning.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 31059dee4a706bb4f25f3dccaae7616451eabd8b Mon Sep 17 00:00:00 2001
-From: Andrew Tridgell <tridge@samba.org>
-Date: Wed, 17 Feb 2010 10:59:42 +1100
-Subject: [PATCH 2/5] prevent a valgrind uninitialised memory warning
-
-epoll uses a union, so to prevent passing uninitialised data in a
-syscall we need to zero it before use.
----
- lib/isc/unix/socket.c | 2 ++
- 1 files changed, 2 insertions(+), 0 deletions(-)
-
-diff --git a/lib/isc/unix/socket.c b/lib/isc/unix/socket.c
-index d09fe51..4796ee4 100644
---- a/lib/isc/unix/socket.c
-+++ b/lib/isc/unix/socket.c
-@@ -652,6 +652,7 @@ watch_fd(isc_socketmgr_t *manager, int fd, int msg) {
- event.events = EPOLLIN;
- else
- event.events = EPOLLOUT;
-+ memset(&event.data, 0, sizeof(event.data));
- event.data.fd = fd;
- if (epoll_ctl(manager->epoll_fd, EPOLL_CTL_ADD, fd, &event) == -1 &&
- errno != EEXIST) {
-@@ -719,6 +720,7 @@ unwatch_fd(isc_socketmgr_t *manager, int fd, int msg) {
- event.events = EPOLLIN;
- else
- event.events = EPOLLOUT;
-+ memset(&event.data, 0, sizeof(event.data));
- event.data.fd = fd;
- if (epoll_ctl(manager->epoll_fd, EPOLL_CTL_DEL, fd, &event) == -1 &&
- errno != ENOENT) {
---
-1.6.3.3
-
diff --git a/examples/bind9-patches/0003-don-t-compress-TSIG-names.patch b/examples/bind9-patches/0003-don-t-compress-TSIG-names.patch
deleted file mode 100644
index e92dce39372..00000000000
--- a/examples/bind9-patches/0003-don-t-compress-TSIG-names.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From ec22ed6c9797dbdcd820e352167bef8500ca00c6 Mon Sep 17 00:00:00 2001
-From: Andrew Tridgell <tridge@samba.org>
-Date: Wed, 17 Feb 2010 12:20:35 +1100
-Subject: [PATCH 3/5] don't compress TSIG names
-
-windows DNS servers will refuse TSIG-GSS requests with compressed
-names
----
- bin/nsupdate/nsupdate.c | 4 ++++
- lib/dns/message.c | 2 ++
- lib/dns/tsig.c | 3 +++
- 3 files changed, 9 insertions(+), 0 deletions(-)
-
-diff --git a/bin/nsupdate/nsupdate.c b/bin/nsupdate/nsupdate.c
-index 6cf4cf4..f7ce6db 100644
---- a/bin/nsupdate/nsupdate.c
-+++ b/bin/nsupdate/nsupdate.c
-@@ -1985,6 +1985,10 @@ send_update(dns_name_t *zonename, isc_sockaddr_t *master,
- fprintf(stderr, "Sending update to %s\n", addrbuf);
- }
-
-+ /* windows doesn't like the tsig name to be compressed */
-+ if (updatemsg->tsigname)
-+ updatemsg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
-+
- result = dns_request_createvia3(requestmgr, updatemsg, srcaddr,
- master, options, tsigkey, timeout,
- udp_timeout, udp_retries, global_task,
-diff --git a/lib/dns/message.c b/lib/dns/message.c
-index ae4965f..cb4528f 100644
---- a/lib/dns/message.c
-+++ b/lib/dns/message.c
-@@ -1531,6 +1531,8 @@ getsection(isc_buffer_t *source, dns_message_t *msg, dns_decompress_t *dctx,
- } else if (rdtype == dns_rdatatype_tsig && msg->tsig == NULL) {
- msg->tsig = rdataset;
- msg->tsigname = name;
-+ /* TSIG names should not be compressed */
-+ msg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
- rdataset = NULL;
- free_rdataset = ISC_FALSE;
- free_name = ISC_FALSE;
-diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
-index 74a7af3..3223942 100644
---- a/lib/dns/tsig.c
-+++ b/lib/dns/tsig.c
-@@ -889,6 +889,9 @@ dns_tsig_sign(dns_message_t *msg) {
- msg->tsig = dataset;
- msg->tsigname = owner;
-
-+ /* windows does not like the tsig name being compressed */
-+ msg->tsigname->attributes |= DNS_NAMEATTR_NOCOMPRESS;
-+
- return (ISC_R_SUCCESS);
-
- cleanup_rdatalist:
---
-1.6.3.3
-
diff --git a/examples/bind9-patches/0004-If-tkey-gssapi-initialisation-fails-then-heck-for-th.patch b/examples/bind9-patches/0004-If-tkey-gssapi-initialisation-fails-then-heck-for-th.patch
deleted file mode 100644
index 3130a05fd07..00000000000
--- a/examples/bind9-patches/0004-If-tkey-gssapi-initialisation-fails-then-heck-for-th.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From c73ceb48ffc518e171d1d40b82ae2b5f603fe038 Mon Sep 17 00:00:00 2001
-From: Andrew Tridgell <tridge@samba.org>
-Date: Wed, 17 Feb 2010 15:27:44 +1100
-Subject: [PATCH 4/5] If tkey-gssapi initialisation fails, then heck for the most common
- configuration errors so that the admin doesn't spend all day trying to
- work out why the config is broken.
-
----
- lib/dns/gssapictx.c | 48 ++++++++++++++++++++++++++++++++++++++++++++++++
- 1 files changed, 48 insertions(+), 0 deletions(-)
-
-diff --git a/lib/dns/gssapictx.c b/lib/dns/gssapictx.c
-index 11eadb9..879393c 100644
---- a/lib/dns/gssapictx.c
-+++ b/lib/dns/gssapictx.c
-@@ -66,6 +66,7 @@
- * we include SPNEGO's OID.
- */
- #if defined(GSSAPI)
-+#include <krb5/krb5.h>
-
- static unsigned char krb5_mech_oid_bytes[] = {
- 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02
-@@ -191,6 +192,50 @@ log_cred(const gss_cred_id_t cred) {
- }
- #endif
-
-+#ifdef GSSAPI
-+/*
-+ * check for the most common configuration errors.
-+ *
-+ * The errors checked for are:
-+ * - tkey-gssapi-credential doesn't start with DNS/
-+ * - the default realm in /etc/krb5.conf and the
-+ * tkey-gssapi-credential bind config option don't match
-+ */
-+static void dst_gssapi_check_config(const char *gss_name)
-+{
-+ const char *p;
-+ krb5_context krb5_ctx;
-+ char *krb5_realm = NULL;
-+
-+ if (strncasecmp(gss_name, "DNS/", 4) != 0) {
-+ gss_log(ISC_LOG_ERROR, "tkey-gssapi-credential (%s) should start with 'DNS/'");
-+ return;
-+ }
-+
-+ if (krb5_init_context(&krb5_ctx) != 0) {
-+ gss_log(ISC_LOG_ERROR, "Unable to initialise krb5 context");
-+ return;
-+ }
-+ if (krb5_get_default_realm(krb5_ctx, &krb5_realm) != 0) {
-+ gss_log(ISC_LOG_ERROR, "Unable to get krb5 default realm");
-+ krb5_free_context(krb5_ctx);
-+ return;
-+ }
-+ if (!(p = strchr(gss_name, '/'))) {
-+ gss_log(ISC_LOG_ERROR, "badly formatted tkey-gssapi-credentials (%s)", gss_name);
-+ krb5_free_context(krb5_ctx);
-+ return;
-+ }
-+ if (strcasecmp(p+1, krb5_realm) != 0) {
-+ gss_log(ISC_LOG_ERROR,"default realm from krb5.conf (%s) does not match tkey-gssapi-credential (%s)",
-+ krb5_realm, gss_name);
-+ krb5_free_context(krb5_ctx);
-+ return;
-+ }
-+ krb5_free_context(krb5_ctx);
-+}
-+#endif
-+
- isc_result_t
- dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
- gss_cred_id_t *cred)
-@@ -223,6 +268,8 @@ dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
- gret = gss_import_name(&minor, &gnamebuf,
- GSS_C_NO_OID, &gname);
- if (gret != GSS_S_COMPLETE) {
-+ dst_gssapi_check_config((char *)array);
-+
- gss_log(3, "failed gss_import_name: %s",
- gss_error_tostring(gret, minor, buf,
- sizeof(buf)));
-@@ -254,6 +301,7 @@ dst_gssapi_acquirecred(dns_name_t *name, isc_boolean_t initiate,
- initiate ? "initiate" : "accept",
- (char *)gnamebuf.value,
- gss_error_tostring(gret, minor, buf, sizeof(buf)));
-+ dst_gssapi_check_config((char *)array);
- return (ISC_R_FAILURE);
- }
-
---
-1.6.3.3
-
diff --git a/examples/bind9-patches/0005-windows-doesn-t-return-valid-GSSAPI-sequence-numbers.patch b/examples/bind9-patches/0005-windows-doesn-t-return-valid-GSSAPI-sequence-numbers.patch
deleted file mode 100644
index a44813dd627..00000000000
--- a/examples/bind9-patches/0005-windows-doesn-t-return-valid-GSSAPI-sequence-numbers.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 0f6a49d9fb4a3b9f917ee9caed3a94e44db045a5 Mon Sep 17 00:00:00 2001
-From: Andrew Tridgell <tridge@samba.org>
-Date: Wed, 17 Feb 2010 15:28:51 +1100
-Subject: [PATCH 5/5] windows doesn't return valid GSSAPI sequence numbers on its
- TSIG-GSS DNS update replies
-
----
- lib/dns/gssapictx.c | 5 ++++-
- 1 files changed, 4 insertions(+), 1 deletions(-)
-
-diff --git a/lib/dns/gssapictx.c b/lib/dns/gssapictx.c
-index 879393c..69b66c5 100644
---- a/lib/dns/gssapictx.c
-+++ b/lib/dns/gssapictx.c
-@@ -536,8 +536,11 @@ dst_gssapi_initctx(dns_name_t *name, isc_buffer_t *intoken,
- gintokenp = NULL;
- }
-
-+ /* note that we don't set GSS_C_SEQUENCE_FLAG as Windows DNS
-+ * servers don't like it
-+ */
- flags = GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG |
-- GSS_C_SEQUENCE_FLAG | GSS_C_INTEG_FLAG;
-+ GSS_C_INTEG_FLAG;
-
- gret = gss_init_sec_context(&minor, GSS_C_NO_CREDENTIAL, gssctx,
- gname, GSS_SPNEGO_MECHANISM, flags,
---
-1.6.3.3
-
diff --git a/examples/bind9-patches/README b/examples/bind9-patches/README
deleted file mode 100644
index 7bc965eec5c..00000000000
--- a/examples/bind9-patches/README
+++ /dev/null
@@ -1,11 +0,0 @@
-NOTE! These patches are now incorporated in bind9 releases from
-9.7.2RC1 and onwards. You no longer need a patched version of bind9 to
-work with krb5 DNS updates and Samba4.
-
----------------------------------
-
-These patches fix the TSIG-GSS dynamic DNS updates in bind9 to allow
-dynamic updates to work with recent windows versions.
-
-The patches were developed against bind9 version 9.6.1, and were
-tested on Ubuntu Karmic. |