]> git.ipfire.org Git - thirdparty/samba.git/commitdiff
net: Convert net_dns.c to NTSTATUS
authorVolker Lendecke <vl@samba.org>
Sat, 13 Jun 2026 09:57:27 +0000 (11:57 +0200)
committerVolker Lendecke <vl@samba.org>
Fri, 3 Jul 2026 08:08:36 +0000 (08:08 +0000)
In the gss code at many places we lost the underlying NTSTATUS code
and just replace it with DNS_GSS_ERROR. Don't loose that information.

This brings a slight change in behaviour for the interactive join
command: Instead of retrying with "the next" nameserver on very
specific errors we retry on all errors. I'm not sure the previous
behaviour did anything good, and as this is an interactive command all
that might happen is that the user has to wait a bit longer on
failure.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
source3/utils/net_ads_join_dns.c
source3/utils/net_dns.c
source3/utils/net_dns.h

index 86ec5a7a529d67be37634cb99a4bb6d3648cf69f..b28409c03df32693b0bcd1abcc5be98d52d926df 100644 (file)
@@ -49,7 +49,6 @@ static NTSTATUS net_update_dns_internal(struct net_context *c,
        struct dns_rr_ns _nameserver = {};
        size_t ns_count = 0, i;
        NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
-       DNS_ERROR dns_err;
        const char *dnsdomain = NULL;
        char *root_domain = NULL;
        uint32_t ttl = 3600;
@@ -190,33 +189,24 @@ do_update:
                /* Now perform the dns update - we'll try non-secure and if we fail,
                   we'll follow it up with a secure update */
 
-               dns_err = DoDNSUpdate(ssaddr_str_buf(&ns->ss_s[0], &addstrbuf),
-                                     ns->hostname,
-                                     dnsdomain,
-                                     machine_name,
-                                     creds,
-                                     addrs,
-                                     num_addrs,
-                                     flags,
-                                     ttl,
-                                     remove_host);
-               if (ERR_DNS_IS_OK(dns_err)) {
+               status = DoDNSUpdate(ssaddr_str_buf(&ns->ss_s[0], &addstrbuf),
+                                    ns->hostname,
+                                    dnsdomain,
+                                    machine_name,
+                                    creds,
+                                    addrs,
+                                    num_addrs,
+                                    flags,
+                                    ttl,
+                                    remove_host);
+               if (NT_STATUS_IS_OK(status)) {
                        status = NT_STATUS_OK;
                        goto done;
                }
 
-               if (ERR_DNS_EQUAL(dns_err, ERROR_DNS_INVALID_NAME_SERVER) ||
-                   ERR_DNS_EQUAL(dns_err, ERROR_DNS_CONNECTION_FAILED) ||
-                   ERR_DNS_EQUAL(dns_err, ERROR_DNS_SOCKET_ERROR)) {
-                       DEBUG(1,("retrying DNS update with next nameserver after receiving %s\n",
-                               dns_errstr(dns_err)));
-                       continue;
-               }
-
-               d_printf(_("DNS Update for %s failed: %s\n"),
-                       machine_name, dns_errstr(dns_err));
-               status = NT_STATUS_UNSUCCESSFUL;
-               goto done;
+               DBG_WARNING("retrying DNS update with next nameserver after "
+                           "receiving %s\n",
+                           nt_errstr(status));
        }
 
 done:
index 63cd4f6c8db437cbbe8c19b437d4eb6a8aefdc51..ad560bb1b296def3550f89802912560a40281fce 100644 (file)
 
 #if defined(HAVE_KRB5)
 
-static DNS_ERROR dns_negotiate_sec_ctx(const char *serveraddress,
-                                      const char *keyname,
-                                      struct gensec_security *gensec,
-                                      enum dns_ServerType srv_type)
+static NTSTATUS dns_negotiate_sec_ctx(const char *serveraddress,
+                                     const char *keyname,
+                                     struct gensec_security *gensec,
+                                     enum dns_ServerType srv_type)
 {
        TALLOC_CTX *frame = talloc_stackframe();
        struct dns_name_packet *reply = NULL;
        DATA_BLOB in = { .length = 0, };
        DATA_BLOB out = { .length = 0, };
        NTSTATUS status;
-       DNS_ERROR err;
 
        do {
                status = gensec_update(gensec, frame, in, &out);
                TALLOC_FREE(reply);
                if (GENSEC_UPDATE_IS_NTERROR(status)) {
-                       err = ERROR_DNS_GSS_ERROR;
                        goto error;
                }
 
@@ -94,7 +92,7 @@ static DNS_ERROR dns_negotiate_sec_ctx(const char *serveraddress,
                                              &rec,
                                              &reply);
                        if (ret != 0) {
-                               err = ERROR_DNS_SOCKET_ERROR;
+                               status = map_nt_error_from_unix(ret);
                                goto error;
                        }
                }
@@ -118,7 +116,7 @@ static DNS_ERROR dns_negotiate_sec_ctx(const char *serveraddress,
                        }
 
                        if (i == reply->ancount) {
-                               err = ERROR_DNS_INVALID_MESSAGE;
+                               status = NT_STATUS_INVALID_NETWORK_RESPONSE;
                                goto error;
                        }
 
@@ -131,55 +129,50 @@ static DNS_ERROR dns_negotiate_sec_ctx(const char *serveraddress,
 
        /* If we arrive here, we have a valid security context */
 
-       err = ERROR_DNS_SUCCESS;
+       status = NT_STATUS_OK;
 
       error:
 
        TALLOC_FREE(frame);
-       return err;
+       return status;
 }
 
 /*********************************************************************
 *********************************************************************/
 
-static DNS_ERROR DoDNSUpdateNegotiateGensec(const char *pszServerAddress,
-                                           const char *pszServerName,
-                                           const char *pszDomainName,
-                                           const char *keyname,
-                                           enum dns_ServerType srv_type,
-                                           struct cli_credentials *creds,
-                                           TALLOC_CTX *mem_ctx,
-                                           struct gensec_security **_gensec)
+static NTSTATUS DoDNSUpdateNegotiateGensec(const char *pszServerAddress,
+                                          const char *pszServerName,
+                                          const char *pszDomainName,
+                                          const char *keyname,
+                                          enum dns_ServerType srv_type,
+                                          struct cli_credentials *creds,
+                                          TALLOC_CTX *mem_ctx,
+                                          struct gensec_security **_gensec)
 {
        TALLOC_CTX *frame = talloc_stackframe();
        struct auth_generic_state *ans = NULL;
        NTSTATUS status;
-       DNS_ERROR err;
 
        status = auth_generic_client_prepare(mem_ctx, &ans);
        if (!NT_STATUS_IS_OK(status)) {
-               err = ERROR_DNS_GSS_ERROR;
                goto error;
        }
        talloc_steal(frame, ans);
 
        status = auth_generic_set_creds(ans, creds);
        if (!NT_STATUS_IS_OK(status)) {
-               err = ERROR_DNS_GSS_ERROR;
                goto error;
        }
 
        status = gensec_set_target_service(ans->gensec_security,
                                           "dns");
        if (!NT_STATUS_IS_OK(status)) {
-               err = ERROR_DNS_GSS_ERROR;
                goto error;
        }
 
        status = gensec_set_target_hostname(ans->gensec_security,
                                            pszServerName);
        if (!NT_STATUS_IS_OK(status)) {
-               err = ERROR_DNS_GSS_ERROR;
                goto error;
        }
 
@@ -187,15 +180,14 @@ static DNS_ERROR DoDNSUpdateNegotiateGensec(const char *pszServerAddress,
 
        status = auth_generic_client_start(ans, GENSEC_OID_KERBEROS5);
        if (!NT_STATUS_IS_OK(status)) {
-               err = ERROR_DNS_GSS_ERROR;
                goto error;
        }
 
-       err = dns_negotiate_sec_ctx(pszServerAddress,
-                                   keyname,
-                                   ans->gensec_security,
-                                   srv_type);
-       if (!ERR_DNS_IS_OK(err)) {
+       status = dns_negotiate_sec_ctx(pszServerAddress,
+                                      keyname,
+                                      ans->gensec_security,
+                                      srv_type);
+       if (!NT_STATUS_IS_OK(status)) {
                goto error;
        }
 
@@ -203,23 +195,23 @@ static DNS_ERROR DoDNSUpdateNegotiateGensec(const char *pszServerAddress,
  error:
        TALLOC_FREE(frame);
 
-       return err;
+       return status;
 }
 
-DNS_ERROR DoDNSUpdate(const char *pszServerAddress,
-                     const char *pszServerName,
-                     const char *pszDomainName,
-                     const char *pszHostName,
-                     struct cli_credentials *creds,
-                     const struct sockaddr_storage *_sslist,
-                     size_t num_addrs,
-                     uint32_t flags,
-                     uint32_t ttl,
-                     bool remove_host)
+NTSTATUS DoDNSUpdate(const char *pszServerAddress,
+                    const char *pszServerName,
+                    const char *pszDomainName,
+                    const char *pszHostName,
+                    struct cli_credentials *creds,
+                    const struct sockaddr_storage *_sslist,
+                    size_t num_addrs,
+                    uint32_t flags,
+                    uint32_t ttl,
+                    bool remove_host)
 {
-       DNS_ERROR err;
        TALLOC_CTX *mem_ctx;
        struct samba_sockaddr sslist[num_addrs];
+       NTSTATUS status = NT_STATUS_UNSUCCESSFUL;
        size_t i;
 
        DEBUG(10,("DoDNSUpdate called with flags: 0x%08x\n", flags));
@@ -227,15 +219,15 @@ DNS_ERROR DoDNSUpdate(const char *pszServerAddress,
        if (!(flags & DNS_UPDATE_SIGNED) &&
            !(flags & DNS_UPDATE_UNSIGNED) &&
            !(flags & DNS_UPDATE_PROBE)) {
-               return ERROR_DNS_INVALID_PARAMETER;
+               return NT_STATUS_INVALID_PARAMETER;
        }
 
        if (!remove_host && ((num_addrs <= 0) || !_sslist)) {
-               return ERROR_DNS_INVALID_PARAMETER;
+               return NT_STATUS_INVALID_PARAMETER;
        }
 
        if (!(mem_ctx = talloc_init("DoDNSUpdate"))) {
-               return ERROR_DNS_NO_MEMORY;
+               return NT_STATUS_NO_MEMORY;
        }
 
        for (i = 0; i < num_addrs; i++) {
@@ -254,7 +246,7 @@ DNS_ERROR DoDNSUpdate(const char *pszServerAddress,
                                             num_addrs);
                if (probe == NULL) {
                        TALLOC_FREE(mem_ctx);
-                       return ERROR_DNS_NO_MEMORY;
+                       return NT_STATUS_NO_MEMORY;
                }
 
                ret = dns_cli_request(mem_ctx,
@@ -263,14 +255,14 @@ DNS_ERROR DoDNSUpdate(const char *pszServerAddress,
                                      &reply);
                if (ret != 0) {
                        TALLOC_FREE(mem_ctx);
-                       return ERROR_DNS_SOCKET_ERROR;
+                       return map_nt_error_from_unix(ret);
                }
 
                if ((flags & DNS_UPDATE_PROBE_SUFFICIENT) &&
                    ((reply->operation & DNS_RCODE) == DNS_RCODE_OK))
                {
                        TALLOC_FREE(mem_ctx);
-                       return ERROR_DNS_SUCCESS;
+                       return NT_STATUS_OK;
                }
        }
 
@@ -287,7 +279,7 @@ DNS_ERROR DoDNSUpdate(const char *pszServerAddress,
                                               ttl);
                if (update == NULL) {
                        TALLOC_FREE(mem_ctx);
-                       return ERROR_DNS_NO_MEMORY;
+                       return NT_STATUS_NO_MEMORY;
                }
 
                ret = dns_cli_request(mem_ctx,
@@ -296,14 +288,14 @@ DNS_ERROR DoDNSUpdate(const char *pszServerAddress,
                                      &reply);
                if (ret != 0) {
                        TALLOC_FREE(mem_ctx);
-                       return ERROR_DNS_SOCKET_ERROR;
+                       return map_nt_error_from_unix(ret);
                }
 
                if ((flags & DNS_UPDATE_UNSIGNED_SUFFICIENT) &&
                    ((reply->operation & DNS_RCODE) == DNS_RCODE_OK))
                {
                        TALLOC_FREE(mem_ctx);
-                       return ERROR_DNS_SUCCESS;
+                       return NT_STATUS_OK;
                }
        }
 
@@ -326,32 +318,33 @@ DNS_ERROR DoDNSUpdate(const char *pszServerAddress,
                                               ttl);
                if (update == NULL) {
                        TALLOC_FREE(mem_ctx);
-                       return ERROR_DNS_NO_MEMORY;
+                       return NT_STATUS_NO_MEMORY;
                }
 
-               err = DoDNSUpdateNegotiateGensec(pszServerAddress,
-                                                pszServerName,
-                                                pszDomainName,
-                                                keyname,
-                                                DNS_SRV_ANY,
-                                                creds,
-                                                mem_ctx,
-                                                &gensec);
+               status = DoDNSUpdateNegotiateGensec(pszServerAddress,
+                                                   pszServerName,
+                                                   pszDomainName,
+                                                   keyname,
+                                                   DNS_SRV_ANY,
+                                                   creds,
+                                                   mem_ctx,
+                                                   &gensec);
 
                /* retry using the Windows 2000 DNS hack */
-               if (!ERR_DNS_IS_OK(err)) {
-                       err = DoDNSUpdateNegotiateGensec(pszServerAddress,
-                                                        pszServerName,
-                                                        pszDomainName,
-                                                        keyname,
-                                                        DNS_SRV_WIN2000,
-                                                        creds,
-                                                        mem_ctx,
-                                                        &gensec);
+               if (!NT_STATUS_IS_OK(status)) {
+                       status = DoDNSUpdateNegotiateGensec(pszServerAddress,
+                                                           pszServerName,
+                                                           pszDomainName,
+                                                           keyname,
+                                                           DNS_SRV_WIN2000,
+                                                           creds,
+                                                           mem_ctx,
+                                                           &gensec);
                }
 
-               if (!ERR_DNS_IS_OK(err))
+               if (!NT_STATUS_IS_OK(status)) {
                        goto error;
+               }
 
                ret = dns_cli_sign_packet(update,
                                          gensec,
@@ -359,7 +352,7 @@ DNS_ERROR DoDNSUpdate(const char *pszServerAddress,
                                          keyname,
                                          "gss.microsoft.com");
                if (ret != 0) {
-                       err = ERROR_DNS_GSS_ERROR;
+                       status = map_nt_error_from_unix(ret);
                        goto error;
                }
 
@@ -369,14 +362,14 @@ DNS_ERROR DoDNSUpdate(const char *pszServerAddress,
                                      &reply);
                if (ret != 0) {
                        TALLOC_FREE(mem_ctx);
-                       return ERROR_DNS_SOCKET_ERROR;
+                       return map_nt_error_from_unix(ret);
                }
 
-               err = ((reply->operation & DNS_RCODE) == DNS_RCODE_OK)
-                             ? ERROR_DNS_SUCCESS
-                             : ERROR_DNS_UPDATE_FAILED;
+               status = ((reply->operation & DNS_RCODE) == DNS_RCODE_OK)
+                                ? NT_STATUS_OK
+                                : NT_STATUS_UNSUCCESSFUL;
 
-               if (!ERR_DNS_IS_OK(err)) {
+               if (!NT_STATUS_IS_OK(status)) {
                        DEBUG(3,("DoDNSUpdate: signed update failed\n"));
                }
        }
@@ -384,7 +377,7 @@ DNS_ERROR DoDNSUpdate(const char *pszServerAddress,
 
 error:
        TALLOC_FREE(mem_ctx);
-       return err;
+       return status;
 }
 
 /*********************************************************************
index 3c1d8c9a1316582e6e4e6c6d2d3a71b7055e4665..5495afaf54aa733c6dc9b02de45267e2607a3991 100644 (file)
 
 struct cli_credentials;
 
-DNS_ERROR DoDNSUpdate(const char *pszServerAddress,
-                     const char *pszServerName,
-                     const char *pszDomainName,
-                     const char *pszHostName,
-                     struct cli_credentials *creds,
-                     const struct sockaddr_storage *sslist,
-                     size_t num_addrs,
-                     uint32_t flags,
-                     uint32_t ttl,
-                     bool remove_host);
+NTSTATUS DoDNSUpdate(const char *pszServerAddress,
+                    const char *pszServerName,
+                    const char *pszDomainName,
+                    const char *pszHostName,
+                    struct cli_credentials *creds,
+                    const struct sockaddr_storage *sslist,
+                    size_t num_addrs,
+                    uint32_t flags,
+                    uint32_t ttl,
+                    bool remove_host);
 
 #endif /* defined(HAVE_KRB5) */