2 Unix SMB/CIFS implementation.
4 Winbind cache backend functions
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Gerald Carter 2003-2007
8 Copyright (C) Volker Lendecke 2005
9 Copyright (C) Guenther Deschner 2005
10 Copyright (C) Michael Adam 2007
12 This program is free software; you can redistribute it and/or modify
13 it under the terms of the GNU General Public License as published by
14 the Free Software Foundation; either version 3 of the License, or
15 (at your option) any later version.
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 GNU General Public License for more details.
22 You should have received a copy of the GNU General Public License
23 along with this program. If not, see <http://www.gnu.org/licenses/>.
28 #include "tdb_validate.h"
29 #include "../libcli/auth/libcli_auth.h"
30 #include "../librpc/gen_ndr/ndr_wbint.h"
33 #include "../libcli/security/security.h"
36 #define DBGC_CLASS DBGC_WINBIND
38 #define WINBINDD_CACHE_VERSION 2
39 #define WINBINDD_CACHE_VERSION_KEYSTR "WINBINDD_CACHE_VERSION"
41 extern struct winbindd_methods reconnect_methods;
43 extern struct winbindd_methods ads_methods;
45 extern struct winbindd_methods builtin_passdb_methods;
46 extern struct winbindd_methods sam_passdb_methods;
49 * JRA. KEEP THIS LIST UP TO DATE IF YOU ADD CACHE ENTRIES.
50 * Here are the list of entry types that are *not* stored
51 * as form struct cache_entry in the cache.
54 static const char *non_centry_keys[] = {
59 WINBINDD_CACHE_VERSION_KEYSTR,
63 /************************************************************************
64 Is this key a non-centry type ?
65 ************************************************************************/
67 static bool is_non_centry_key(TDB_DATA kbuf)
71 if (kbuf.dptr == NULL || kbuf.dsize == 0) {
74 for (i = 0; non_centry_keys[i] != NULL; i++) {
75 size_t namelen = strlen(non_centry_keys[i]);
76 if (kbuf.dsize < namelen) {
79 if (strncmp(non_centry_keys[i], (const char *)kbuf.dptr, namelen) == 0) {
86 /* Global online/offline state - False when online. winbindd starts up online
87 and sets this to true if the first query fails and there's an entry in
88 the cache tdb telling us to stay offline. */
90 static bool global_winbindd_offline_state;
92 struct winbind_cache {
98 uint32 sequence_number;
104 void (*smb_panic_fn)(const char *const why) = smb_panic;
106 #define WINBINDD_MAX_CACHE_SIZE (50*1024*1024)
108 static struct winbind_cache *wcache;
110 /* get the winbind_cache structure */
111 static struct winbind_cache *get_cache(struct winbindd_domain *domain)
113 struct winbind_cache *ret = wcache;
115 /* We have to know what type of domain we are dealing with first. */
117 if (domain->internal) {
118 domain->backend = &builtin_passdb_methods;
119 domain->initialized = True;
122 if (strequal(domain->name, get_global_sam_name()) &&
123 sid_check_is_domain(&domain->sid)) {
124 domain->backend = &sam_passdb_methods;
125 domain->initialized = True;
128 if ( !domain->initialized ) {
129 init_dc_connection( domain );
133 OK. listen up becasue I'm only going to say this once.
134 We have the following scenarios to consider
135 (a) trusted AD domains on a Samba DC,
136 (b) trusted AD domains and we are joined to a non-kerberos domain
137 (c) trusted AD domains and we are joined to a kerberos (AD) domain
139 For (a) we can always contact the trusted domain using krb5
140 since we have the domain trust account password
142 For (b) we can only use RPC since we have no way of
143 getting a krb5 ticket in our own domain
145 For (c) we can always use krb5 since we have a kerberos trust
150 if (!domain->backend) {
152 struct winbindd_domain *our_domain = domain;
154 /* find our domain first so we can figure out if we
155 are joined to a kerberized domain */
157 if ( !domain->primary )
158 our_domain = find_our_domain();
160 if ((our_domain->active_directory || IS_DC)
161 && domain->active_directory
162 && !lp_winbind_rpc_only()) {
163 DEBUG(5,("get_cache: Setting ADS methods for domain %s\n", domain->name));
164 domain->backend = &ads_methods;
166 #endif /* HAVE_ADS */
167 DEBUG(5,("get_cache: Setting MS-RPC methods for domain %s\n", domain->name));
168 domain->backend = &reconnect_methods;
171 #endif /* HAVE_ADS */
177 ret = SMB_XMALLOC_P(struct winbind_cache);
181 wcache_flush_cache();
187 free a centry structure
189 static void centry_free(struct cache_entry *centry)
193 SAFE_FREE(centry->data);
197 static bool centry_check_bytes(struct cache_entry *centry, size_t nbytes)
199 if (centry->len - centry->ofs < nbytes) {
200 DEBUG(0,("centry corruption? needed %u bytes, have %d\n",
201 (unsigned int)nbytes,
202 centry->len - centry->ofs));
209 pull a uint64_t from a cache entry
211 static uint64_t centry_uint64_t(struct cache_entry *centry)
215 if (!centry_check_bytes(centry, 8)) {
216 smb_panic_fn("centry_uint64_t");
218 ret = BVAL(centry->data, centry->ofs);
224 pull a uint32 from a cache entry
226 static uint32 centry_uint32(struct cache_entry *centry)
230 if (!centry_check_bytes(centry, 4)) {
231 smb_panic_fn("centry_uint32");
233 ret = IVAL(centry->data, centry->ofs);
239 pull a uint16 from a cache entry
241 static uint16 centry_uint16(struct cache_entry *centry)
244 if (!centry_check_bytes(centry, 2)) {
245 smb_panic_fn("centry_uint16");
247 ret = CVAL(centry->data, centry->ofs);
253 pull a uint8 from a cache entry
255 static uint8 centry_uint8(struct cache_entry *centry)
258 if (!centry_check_bytes(centry, 1)) {
259 smb_panic_fn("centry_uint8");
261 ret = CVAL(centry->data, centry->ofs);
267 pull a NTTIME from a cache entry
269 static NTTIME centry_nttime(struct cache_entry *centry)
272 if (!centry_check_bytes(centry, 8)) {
273 smb_panic_fn("centry_nttime");
275 ret = IVAL(centry->data, centry->ofs);
277 ret += (uint64)IVAL(centry->data, centry->ofs) << 32;
283 pull a time_t from a cache entry. time_t stored portably as a 64-bit time.
285 static time_t centry_time(struct cache_entry *centry)
287 return (time_t)centry_nttime(centry);
290 /* pull a string from a cache entry, using the supplied
293 static char *centry_string(struct cache_entry *centry, TALLOC_CTX *mem_ctx)
298 len = centry_uint8(centry);
301 /* a deliberate NULL string */
305 if (!centry_check_bytes(centry, (size_t)len)) {
306 smb_panic_fn("centry_string");
309 ret = TALLOC_ARRAY(mem_ctx, char, len+1);
311 smb_panic_fn("centry_string out of memory\n");
313 memcpy(ret,centry->data + centry->ofs, len);
319 /* pull a hash16 from a cache entry, using the supplied
322 static char *centry_hash16(struct cache_entry *centry, TALLOC_CTX *mem_ctx)
327 len = centry_uint8(centry);
330 DEBUG(0,("centry corruption? hash len (%u) != 16\n",
335 if (!centry_check_bytes(centry, 16)) {
339 ret = TALLOC_ARRAY(mem_ctx, char, 16);
341 smb_panic_fn("centry_hash out of memory\n");
343 memcpy(ret,centry->data + centry->ofs, 16);
348 /* pull a sid from a cache entry, using the supplied
351 static bool centry_sid(struct cache_entry *centry, struct dom_sid *sid)
356 sid_string = centry_string(centry, talloc_tos());
357 if (sid_string == NULL) {
360 ret = string_to_sid(sid, sid_string);
361 TALLOC_FREE(sid_string);
367 pull a NTSTATUS from a cache entry
369 static NTSTATUS centry_ntstatus(struct cache_entry *centry)
373 status = NT_STATUS(centry_uint32(centry));
378 /* the server is considered down if it can't give us a sequence number */
379 static bool wcache_server_down(struct winbindd_domain *domain)
386 ret = (domain->sequence_number == DOM_SEQUENCE_NONE);
389 DEBUG(10,("wcache_server_down: server for Domain %s down\n",
394 static bool wcache_fetch_seqnum(const char *domain_name, uint32_t *seqnum,
395 uint32_t *last_seq_check)
400 if (wcache->tdb == NULL) {
401 DEBUG(10,("wcache_fetch_seqnum: tdb == NULL\n"));
405 key = talloc_asprintf(talloc_tos(), "SEQNUM/%s", domain_name);
407 DEBUG(10, ("talloc failed\n"));
411 data = tdb_fetch_bystring(wcache->tdb, key);
414 if (data.dptr == NULL) {
415 DEBUG(10, ("wcache_fetch_seqnum: %s not found\n",
419 if (data.dsize != 8) {
420 DEBUG(10, ("wcache_fetch_seqnum: invalid data size %d\n",
422 SAFE_FREE(data.dptr);
426 *seqnum = IVAL(data.dptr, 0);
427 *last_seq_check = IVAL(data.dptr, 4);
428 SAFE_FREE(data.dptr);
433 static NTSTATUS fetch_cache_seqnum( struct winbindd_domain *domain, time_t now )
435 uint32 last_check, time_diff;
437 if (!wcache_fetch_seqnum(domain->name, &domain->sequence_number,
439 return NT_STATUS_UNSUCCESSFUL;
441 domain->last_seq_check = last_check;
443 /* have we expired? */
445 time_diff = now - domain->last_seq_check;
446 if ( time_diff > lp_winbind_cache_time() ) {
447 DEBUG(10,("fetch_cache_seqnum: timeout [%s][%u @ %u]\n",
448 domain->name, domain->sequence_number,
449 (uint32)domain->last_seq_check));
450 return NT_STATUS_UNSUCCESSFUL;
453 DEBUG(10,("fetch_cache_seqnum: success [%s][%u @ %u]\n",
454 domain->name, domain->sequence_number,
455 (uint32)domain->last_seq_check));
460 bool wcache_store_seqnum(const char *domain_name, uint32_t seqnum,
461 time_t last_seq_check)
467 if (wcache->tdb == NULL) {
468 DEBUG(10, ("wcache_store_seqnum: wcache->tdb == NULL\n"));
472 key_str = talloc_asprintf(talloc_tos(), "SEQNUM/%s", domain_name);
473 if (key_str == NULL) {
474 DEBUG(10, ("talloc_asprintf failed\n"));
478 SIVAL(buf, 0, seqnum);
479 SIVAL(buf, 4, last_seq_check);
481 ret = tdb_store_bystring(wcache->tdb, key_str,
482 make_tdb_data(buf, sizeof(buf)), TDB_REPLACE);
483 TALLOC_FREE(key_str);
485 DEBUG(10, ("tdb_store_bystring failed: %s\n",
486 tdb_errorstr(wcache->tdb)));
487 TALLOC_FREE(key_str);
491 DEBUG(10, ("wcache_store_seqnum: success [%s][%u @ %u]\n",
492 domain_name, seqnum, (unsigned)last_seq_check));
497 static bool store_cache_seqnum( struct winbindd_domain *domain )
499 return wcache_store_seqnum(domain->name, domain->sequence_number,
500 domain->last_seq_check);
504 refresh the domain sequence number. If force is true
505 then always refresh it, no matter how recently we fetched it
508 static void refresh_sequence_number(struct winbindd_domain *domain, bool force)
512 time_t t = time(NULL);
513 unsigned cache_time = lp_winbind_cache_time();
515 if (is_domain_offline(domain)) {
521 #if 0 /* JERRY -- disable as the default cache time is now 5 minutes */
522 /* trying to reconnect is expensive, don't do it too often */
523 if (domain->sequence_number == DOM_SEQUENCE_NONE) {
528 time_diff = t - domain->last_seq_check;
530 /* see if we have to refetch the domain sequence number */
531 if (!force && (time_diff < cache_time) &&
532 (domain->sequence_number != DOM_SEQUENCE_NONE) &&
533 NT_STATUS_IS_OK(domain->last_status)) {
534 DEBUG(10, ("refresh_sequence_number: %s time ok\n", domain->name));
538 /* try to get the sequence number from the tdb cache first */
539 /* this will update the timestamp as well */
541 status = fetch_cache_seqnum( domain, t );
542 if (NT_STATUS_IS_OK(status) &&
543 (domain->sequence_number != DOM_SEQUENCE_NONE) &&
544 NT_STATUS_IS_OK(domain->last_status)) {
548 /* important! make sure that we know if this is a native
549 mode domain or not. And that we can contact it. */
551 if ( winbindd_can_contact_domain( domain ) ) {
552 status = domain->backend->sequence_number(domain,
553 &domain->sequence_number);
555 /* just use the current time */
556 status = NT_STATUS_OK;
557 domain->sequence_number = time(NULL);
561 /* the above call could have set our domain->backend to NULL when
562 * coming from offline to online mode, make sure to reinitialize the
563 * backend - Guenther */
566 if (!NT_STATUS_IS_OK(status)) {
567 DEBUG(10,("refresh_sequence_number: failed with %s\n", nt_errstr(status)));
568 domain->sequence_number = DOM_SEQUENCE_NONE;
571 domain->last_status = status;
572 domain->last_seq_check = time(NULL);
574 /* save the new sequence number in the cache */
575 store_cache_seqnum( domain );
578 DEBUG(10, ("refresh_sequence_number: %s seq number is now %d\n",
579 domain->name, domain->sequence_number));
585 decide if a cache entry has expired
587 static bool centry_expired(struct winbindd_domain *domain, const char *keystr, struct cache_entry *centry)
589 /* If we've been told to be offline - stay in that state... */
590 if (lp_winbind_offline_logon() && global_winbindd_offline_state) {
591 DEBUG(10,("centry_expired: Key %s for domain %s valid as winbindd is globally offline.\n",
592 keystr, domain->name ));
596 /* when the domain is offline return the cached entry.
597 * This deals with transient offline states... */
599 if (!domain->online) {
600 DEBUG(10,("centry_expired: Key %s for domain %s valid as domain is offline.\n",
601 keystr, domain->name ));
605 /* if the server is OK and our cache entry came from when it was down then
606 the entry is invalid */
607 if ((domain->sequence_number != DOM_SEQUENCE_NONE) &&
608 (centry->sequence_number == DOM_SEQUENCE_NONE)) {
609 DEBUG(10,("centry_expired: Key %s for domain %s invalid sequence.\n",
610 keystr, domain->name ));
614 /* if the server is down or the cache entry is not older than the
615 current sequence number or it did not timeout then it is OK */
616 if (wcache_server_down(domain)
617 || ((centry->sequence_number == domain->sequence_number)
618 && (centry->timeout > time(NULL)))) {
619 DEBUG(10,("centry_expired: Key %s for domain %s is good.\n",
620 keystr, domain->name ));
624 DEBUG(10,("centry_expired: Key %s for domain %s expired\n",
625 keystr, domain->name ));
631 static struct cache_entry *wcache_fetch_raw(char *kstr)
634 struct cache_entry *centry;
637 key = string_tdb_data(kstr);
638 data = tdb_fetch(wcache->tdb, key);
644 centry = SMB_XMALLOC_P(struct cache_entry);
645 centry->data = (unsigned char *)data.dptr;
646 centry->len = data.dsize;
649 if (centry->len < 16) {
650 /* huh? corrupt cache? */
651 DEBUG(10,("wcache_fetch_raw: Corrupt cache for key %s "
652 "(len < 16)?\n", kstr));
657 centry->status = centry_ntstatus(centry);
658 centry->sequence_number = centry_uint32(centry);
659 centry->timeout = centry_uint64_t(centry);
664 static bool is_my_own_sam_domain(struct winbindd_domain *domain)
666 if (strequal(domain->name, get_global_sam_name()) &&
667 sid_check_is_domain(&domain->sid)) {
674 static bool is_builtin_domain(struct winbindd_domain *domain)
676 if (strequal(domain->name, "BUILTIN") &&
677 sid_check_is_builtin(&domain->sid)) {
685 fetch an entry from the cache, with a varargs key. auto-fetch the sequence
686 number and return status
688 static struct cache_entry *wcache_fetch(struct winbind_cache *cache,
689 struct winbindd_domain *domain,
690 const char *format, ...) PRINTF_ATTRIBUTE(3,4);
691 static struct cache_entry *wcache_fetch(struct winbind_cache *cache,
692 struct winbindd_domain *domain,
693 const char *format, ...)
697 struct cache_entry *centry;
699 if (!winbindd_use_cache() ||
700 is_my_own_sam_domain(domain) ||
701 is_builtin_domain(domain)) {
705 refresh_sequence_number(domain, false);
707 va_start(ap, format);
708 smb_xvasprintf(&kstr, format, ap);
711 centry = wcache_fetch_raw(kstr);
712 if (centry == NULL) {
717 if (centry_expired(domain, kstr, centry)) {
719 DEBUG(10,("wcache_fetch: entry %s expired for domain %s\n",
720 kstr, domain->name ));
727 DEBUG(10,("wcache_fetch: returning entry %s for domain %s\n",
728 kstr, domain->name ));
734 static void wcache_delete(const char *format, ...) PRINTF_ATTRIBUTE(1,2);
735 static void wcache_delete(const char *format, ...)
741 va_start(ap, format);
742 smb_xvasprintf(&kstr, format, ap);
745 key = string_tdb_data(kstr);
747 tdb_delete(wcache->tdb, key);
752 make sure we have at least len bytes available in a centry
754 static void centry_expand(struct cache_entry *centry, uint32 len)
756 if (centry->len - centry->ofs >= len)
759 centry->data = SMB_REALLOC_ARRAY(centry->data, unsigned char,
762 DEBUG(0,("out of memory: needed %d bytes in centry_expand\n", centry->len));
763 smb_panic_fn("out of memory in centry_expand");
768 push a uint64_t into a centry
770 static void centry_put_uint64_t(struct cache_entry *centry, uint64_t v)
772 centry_expand(centry, 8);
773 SBVAL(centry->data, centry->ofs, v);
778 push a uint32 into a centry
780 static void centry_put_uint32(struct cache_entry *centry, uint32 v)
782 centry_expand(centry, 4);
783 SIVAL(centry->data, centry->ofs, v);
788 push a uint16 into a centry
790 static void centry_put_uint16(struct cache_entry *centry, uint16 v)
792 centry_expand(centry, 2);
793 SIVAL(centry->data, centry->ofs, v);
798 push a uint8 into a centry
800 static void centry_put_uint8(struct cache_entry *centry, uint8 v)
802 centry_expand(centry, 1);
803 SCVAL(centry->data, centry->ofs, v);
808 push a string into a centry
810 static void centry_put_string(struct cache_entry *centry, const char *s)
815 /* null strings are marked as len 0xFFFF */
816 centry_put_uint8(centry, 0xFF);
821 /* can't handle more than 254 char strings. Truncating is probably best */
823 DEBUG(10,("centry_put_string: truncating len (%d) to: 254\n", len));
826 centry_put_uint8(centry, len);
827 centry_expand(centry, len);
828 memcpy(centry->data + centry->ofs, s, len);
833 push a 16 byte hash into a centry - treat as 16 byte string.
835 static void centry_put_hash16(struct cache_entry *centry, const uint8 val[16])
837 centry_put_uint8(centry, 16);
838 centry_expand(centry, 16);
839 memcpy(centry->data + centry->ofs, val, 16);
843 static void centry_put_sid(struct cache_entry *centry, const struct dom_sid *sid)
846 centry_put_string(centry, sid_to_fstring(sid_string, sid));
851 put NTSTATUS into a centry
853 static void centry_put_ntstatus(struct cache_entry *centry, NTSTATUS status)
855 uint32 status_value = NT_STATUS_V(status);
856 centry_put_uint32(centry, status_value);
861 push a NTTIME into a centry
863 static void centry_put_nttime(struct cache_entry *centry, NTTIME nt)
865 centry_expand(centry, 8);
866 SIVAL(centry->data, centry->ofs, nt & 0xFFFFFFFF);
868 SIVAL(centry->data, centry->ofs, nt >> 32);
873 push a time_t into a centry - use a 64 bit size.
874 NTTIME here is being used as a convenient 64-bit size.
876 static void centry_put_time(struct cache_entry *centry, time_t t)
878 NTTIME nt = (NTTIME)t;
879 centry_put_nttime(centry, nt);
883 start a centry for output. When finished, call centry_end()
885 struct cache_entry *centry_start(struct winbindd_domain *domain, NTSTATUS status)
887 struct cache_entry *centry;
892 centry = SMB_XMALLOC_P(struct cache_entry);
894 centry->len = 8192; /* reasonable default */
895 centry->data = SMB_XMALLOC_ARRAY(uint8, centry->len);
897 centry->sequence_number = domain->sequence_number;
898 centry->timeout = lp_winbind_cache_time() + time(NULL);
899 centry_put_ntstatus(centry, status);
900 centry_put_uint32(centry, centry->sequence_number);
901 centry_put_uint64_t(centry, centry->timeout);
906 finish a centry and write it to the tdb
908 static void centry_end(struct cache_entry *centry, const char *format, ...) PRINTF_ATTRIBUTE(2,3);
909 static void centry_end(struct cache_entry *centry, const char *format, ...)
915 if (!winbindd_use_cache()) {
919 va_start(ap, format);
920 smb_xvasprintf(&kstr, format, ap);
923 key = string_tdb_data(kstr);
924 data.dptr = centry->data;
925 data.dsize = centry->ofs;
927 tdb_store(wcache->tdb, key, data, TDB_REPLACE);
931 static void wcache_save_name_to_sid(struct winbindd_domain *domain,
932 NTSTATUS status, const char *domain_name,
933 const char *name, const struct dom_sid *sid,
934 enum lsa_SidType type)
936 struct cache_entry *centry;
939 centry = centry_start(domain, status);
942 centry_put_uint32(centry, type);
943 centry_put_sid(centry, sid);
944 fstrcpy(uname, name);
946 centry_end(centry, "NS/%s/%s", domain_name, uname);
947 DEBUG(10,("wcache_save_name_to_sid: %s\\%s -> %s (%s)\n", domain_name,
948 uname, sid_string_dbg(sid), nt_errstr(status)));
952 static void wcache_save_sid_to_name(struct winbindd_domain *domain, NTSTATUS status,
953 const struct dom_sid *sid, const char *domain_name, const char *name, enum lsa_SidType type)
955 struct cache_entry *centry;
958 centry = centry_start(domain, status);
962 if (NT_STATUS_IS_OK(status)) {
963 centry_put_uint32(centry, type);
964 centry_put_string(centry, domain_name);
965 centry_put_string(centry, name);
968 centry_end(centry, "SN/%s", sid_to_fstring(sid_string, sid));
969 DEBUG(10,("wcache_save_sid_to_name: %s -> %s (%s)\n", sid_string,
970 name, nt_errstr(status)));
975 static void wcache_save_user(struct winbindd_domain *domain, NTSTATUS status,
976 struct wbint_userinfo *info)
978 struct cache_entry *centry;
981 if (is_null_sid(&info->user_sid)) {
985 centry = centry_start(domain, status);
988 centry_put_string(centry, info->acct_name);
989 centry_put_string(centry, info->full_name);
990 centry_put_string(centry, info->homedir);
991 centry_put_string(centry, info->shell);
992 centry_put_uint32(centry, info->primary_gid);
993 centry_put_sid(centry, &info->user_sid);
994 centry_put_sid(centry, &info->group_sid);
995 centry_end(centry, "U/%s", sid_to_fstring(sid_string,
997 DEBUG(10,("wcache_save_user: %s (acct_name %s)\n", sid_string, info->acct_name));
1001 static void wcache_save_lockout_policy(struct winbindd_domain *domain,
1003 struct samr_DomInfo12 *lockout_policy)
1005 struct cache_entry *centry;
1007 centry = centry_start(domain, status);
1011 centry_put_nttime(centry, lockout_policy->lockout_duration);
1012 centry_put_nttime(centry, lockout_policy->lockout_window);
1013 centry_put_uint16(centry, lockout_policy->lockout_threshold);
1015 centry_end(centry, "LOC_POL/%s", domain->name);
1017 DEBUG(10,("wcache_save_lockout_policy: %s\n", domain->name));
1019 centry_free(centry);
1024 static void wcache_save_password_policy(struct winbindd_domain *domain,
1026 struct samr_DomInfo1 *policy)
1028 struct cache_entry *centry;
1030 centry = centry_start(domain, status);
1034 centry_put_uint16(centry, policy->min_password_length);
1035 centry_put_uint16(centry, policy->password_history_length);
1036 centry_put_uint32(centry, policy->password_properties);
1037 centry_put_nttime(centry, policy->max_password_age);
1038 centry_put_nttime(centry, policy->min_password_age);
1040 centry_end(centry, "PWD_POL/%s", domain->name);
1042 DEBUG(10,("wcache_save_password_policy: %s\n", domain->name));
1044 centry_free(centry);
1047 /***************************************************************************
1048 ***************************************************************************/
1050 static void wcache_save_username_alias(struct winbindd_domain *domain,
1052 const char *name, const char *alias)
1054 struct cache_entry *centry;
1057 if ( (centry = centry_start(domain, status)) == NULL )
1060 centry_put_string( centry, alias );
1062 fstrcpy(uname, name);
1064 centry_end(centry, "NSS/NA/%s", uname);
1066 DEBUG(10,("wcache_save_username_alias: %s -> %s\n", name, alias ));
1068 centry_free(centry);
1071 static void wcache_save_alias_username(struct winbindd_domain *domain,
1073 const char *alias, const char *name)
1075 struct cache_entry *centry;
1078 if ( (centry = centry_start(domain, status)) == NULL )
1081 centry_put_string( centry, name );
1083 fstrcpy(uname, alias);
1085 centry_end(centry, "NSS/AN/%s", uname);
1087 DEBUG(10,("wcache_save_alias_username: %s -> %s\n", alias, name ));
1089 centry_free(centry);
1092 /***************************************************************************
1093 ***************************************************************************/
1095 NTSTATUS resolve_username_to_alias( TALLOC_CTX *mem_ctx,
1096 struct winbindd_domain *domain,
1097 const char *name, char **alias )
1099 struct winbind_cache *cache = get_cache(domain);
1100 struct cache_entry *centry = NULL;
1104 if ( domain->internal )
1105 return NT_STATUS_NOT_SUPPORTED;
1110 if ( (upper_name = SMB_STRDUP(name)) == NULL )
1111 return NT_STATUS_NO_MEMORY;
1112 strupper_m(upper_name);
1114 centry = wcache_fetch(cache, domain, "NSS/NA/%s", upper_name);
1116 SAFE_FREE( upper_name );
1121 status = centry->status;
1123 if (!NT_STATUS_IS_OK(status)) {
1124 centry_free(centry);
1128 *alias = centry_string( centry, mem_ctx );
1130 centry_free(centry);
1132 DEBUG(10,("resolve_username_to_alias: [Cached] - mapped %s to %s\n",
1133 name, *alias ? *alias : "(none)"));
1135 return (*alias) ? NT_STATUS_OK : NT_STATUS_OBJECT_NAME_NOT_FOUND;
1139 /* If its not in cache and we are offline, then fail */
1141 if ( get_global_winbindd_state_offline() || !domain->online ) {
1142 DEBUG(8,("resolve_username_to_alias: rejecting query "
1143 "in offline mode\n"));
1144 return NT_STATUS_NOT_FOUND;
1147 status = nss_map_to_alias( mem_ctx, domain->name, name, alias );
1149 if ( NT_STATUS_IS_OK( status ) ) {
1150 wcache_save_username_alias(domain, status, name, *alias);
1153 if ( NT_STATUS_EQUAL( status, NT_STATUS_NONE_MAPPED ) ) {
1154 wcache_save_username_alias(domain, status, name, "(NULL)");
1157 DEBUG(5,("resolve_username_to_alias: backend query returned %s\n",
1158 nt_errstr(status)));
1160 if ( NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ) {
1161 set_domain_offline( domain );
1167 /***************************************************************************
1168 ***************************************************************************/
1170 NTSTATUS resolve_alias_to_username( TALLOC_CTX *mem_ctx,
1171 struct winbindd_domain *domain,
1172 const char *alias, char **name )
1174 struct winbind_cache *cache = get_cache(domain);
1175 struct cache_entry *centry = NULL;
1179 if ( domain->internal )
1180 return NT_STATUS_NOT_SUPPORTED;
1185 if ( (upper_name = SMB_STRDUP(alias)) == NULL )
1186 return NT_STATUS_NO_MEMORY;
1187 strupper_m(upper_name);
1189 centry = wcache_fetch(cache, domain, "NSS/AN/%s", upper_name);
1191 SAFE_FREE( upper_name );
1196 status = centry->status;
1198 if (!NT_STATUS_IS_OK(status)) {
1199 centry_free(centry);
1203 *name = centry_string( centry, mem_ctx );
1205 centry_free(centry);
1207 DEBUG(10,("resolve_alias_to_username: [Cached] - mapped %s to %s\n",
1208 alias, *name ? *name : "(none)"));
1210 return (*name) ? NT_STATUS_OK : NT_STATUS_OBJECT_NAME_NOT_FOUND;
1214 /* If its not in cache and we are offline, then fail */
1216 if ( get_global_winbindd_state_offline() || !domain->online ) {
1217 DEBUG(8,("resolve_alias_to_username: rejecting query "
1218 "in offline mode\n"));
1219 return NT_STATUS_NOT_FOUND;
1222 /* an alias cannot contain a domain prefix or '@' */
1224 if (strchr(alias, '\\') || strchr(alias, '@')) {
1225 DEBUG(10,("resolve_alias_to_username: skipping fully "
1226 "qualified name %s\n", alias));
1227 return NT_STATUS_OBJECT_NAME_INVALID;
1230 status = nss_map_from_alias( mem_ctx, domain->name, alias, name );
1232 if ( NT_STATUS_IS_OK( status ) ) {
1233 wcache_save_alias_username( domain, status, alias, *name );
1236 if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
1237 wcache_save_alias_username(domain, status, alias, "(NULL)");
1240 DEBUG(5,("resolve_alias_to_username: backend query returned %s\n",
1241 nt_errstr(status)));
1243 if ( NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ) {
1244 set_domain_offline( domain );
1250 NTSTATUS wcache_cached_creds_exist(struct winbindd_domain *domain, const struct dom_sid *sid)
1252 struct winbind_cache *cache = get_cache(domain);
1254 fstring key_str, tmp;
1258 return NT_STATUS_INTERNAL_DB_ERROR;
1261 if (is_null_sid(sid)) {
1262 return NT_STATUS_INVALID_SID;
1265 if (!(sid_peek_rid(sid, &rid)) || (rid == 0)) {
1266 return NT_STATUS_INVALID_SID;
1269 fstr_sprintf(key_str, "CRED/%s", sid_to_fstring(tmp, sid));
1271 data = tdb_fetch(cache->tdb, string_tdb_data(key_str));
1273 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1276 SAFE_FREE(data.dptr);
1277 return NT_STATUS_OK;
1280 /* Lookup creds for a SID - copes with old (unsalted) creds as well
1281 as new salted ones. */
1283 NTSTATUS wcache_get_creds(struct winbindd_domain *domain,
1284 TALLOC_CTX *mem_ctx,
1285 const struct dom_sid *sid,
1286 const uint8 **cached_nt_pass,
1287 const uint8 **cached_salt)
1289 struct winbind_cache *cache = get_cache(domain);
1290 struct cache_entry *centry = NULL;
1297 return NT_STATUS_INTERNAL_DB_ERROR;
1300 if (is_null_sid(sid)) {
1301 return NT_STATUS_INVALID_SID;
1304 if (!(sid_peek_rid(sid, &rid)) || (rid == 0)) {
1305 return NT_STATUS_INVALID_SID;
1308 /* Try and get a salted cred first. If we can't
1309 fall back to an unsalted cred. */
1311 centry = wcache_fetch(cache, domain, "CRED/%s",
1312 sid_to_fstring(tmp, sid));
1314 DEBUG(10,("wcache_get_creds: entry for [CRED/%s] not found\n",
1315 sid_string_dbg(sid)));
1316 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1319 t = centry_time(centry);
1321 /* In the salted case this isn't actually the nt_hash itself,
1322 but the MD5 of the salt + nt_hash. Let the caller
1323 sort this out. It can tell as we only return the cached_salt
1324 if we are returning a salted cred. */
1326 *cached_nt_pass = (const uint8 *)centry_hash16(centry, mem_ctx);
1327 if (*cached_nt_pass == NULL) {
1330 sid_to_fstring(sidstr, sid);
1332 /* Bad (old) cred cache. Delete and pretend we
1334 DEBUG(0,("wcache_get_creds: bad entry for [CRED/%s] - deleting\n",
1336 wcache_delete("CRED/%s", sidstr);
1337 centry_free(centry);
1338 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1341 /* We only have 17 bytes more data in the salted cred case. */
1342 if (centry->len - centry->ofs == 17) {
1343 *cached_salt = (const uint8 *)centry_hash16(centry, mem_ctx);
1345 *cached_salt = NULL;
1348 dump_data_pw("cached_nt_pass", *cached_nt_pass, NT_HASH_LEN);
1350 dump_data_pw("cached_salt", *cached_salt, NT_HASH_LEN);
1353 status = centry->status;
1355 DEBUG(10,("wcache_get_creds: [Cached] - cached creds for user %s status: %s\n",
1356 sid_string_dbg(sid), nt_errstr(status) ));
1358 centry_free(centry);
1362 /* Store creds for a SID - only writes out new salted ones. */
1364 NTSTATUS wcache_save_creds(struct winbindd_domain *domain,
1365 const struct dom_sid *sid,
1366 const uint8 nt_pass[NT_HASH_LEN])
1368 struct cache_entry *centry;
1371 uint8 cred_salt[NT_HASH_LEN];
1372 uint8 salted_hash[NT_HASH_LEN];
1374 if (is_null_sid(sid)) {
1375 return NT_STATUS_INVALID_SID;
1378 if (!(sid_peek_rid(sid, &rid)) || (rid == 0)) {
1379 return NT_STATUS_INVALID_SID;
1382 centry = centry_start(domain, NT_STATUS_OK);
1384 return NT_STATUS_INTERNAL_DB_ERROR;
1387 dump_data_pw("nt_pass", nt_pass, NT_HASH_LEN);
1389 centry_put_time(centry, time(NULL));
1391 /* Create a salt and then salt the hash. */
1392 generate_random_buffer(cred_salt, NT_HASH_LEN);
1393 E_md5hash(cred_salt, nt_pass, salted_hash);
1395 centry_put_hash16(centry, salted_hash);
1396 centry_put_hash16(centry, cred_salt);
1397 centry_end(centry, "CRED/%s", sid_to_fstring(sid_string, sid));
1399 DEBUG(10,("wcache_save_creds: %s\n", sid_string));
1401 centry_free(centry);
1403 return NT_STATUS_OK;
1407 /* Query display info. This is the basic user list fn */
1408 static NTSTATUS query_user_list(struct winbindd_domain *domain,
1409 TALLOC_CTX *mem_ctx,
1410 uint32 *num_entries,
1411 struct wbint_userinfo **info)
1413 struct winbind_cache *cache = get_cache(domain);
1414 struct cache_entry *centry = NULL;
1416 unsigned int i, retry;
1417 bool old_status = domain->online;
1422 centry = wcache_fetch(cache, domain, "UL/%s", domain->name);
1427 *num_entries = centry_uint32(centry);
1429 if (*num_entries == 0)
1432 (*info) = TALLOC_ARRAY(mem_ctx, struct wbint_userinfo, *num_entries);
1434 smb_panic_fn("query_user_list out of memory");
1436 for (i=0; i<(*num_entries); i++) {
1437 (*info)[i].acct_name = centry_string(centry, mem_ctx);
1438 (*info)[i].full_name = centry_string(centry, mem_ctx);
1439 (*info)[i].homedir = centry_string(centry, mem_ctx);
1440 (*info)[i].shell = centry_string(centry, mem_ctx);
1441 centry_sid(centry, &(*info)[i].user_sid);
1442 centry_sid(centry, &(*info)[i].group_sid);
1446 status = centry->status;
1448 DEBUG(10,("query_user_list: [Cached] - cached list for domain %s status: %s\n",
1449 domain->name, nt_errstr(status) ));
1451 centry_free(centry);
1458 /* Return status value returned by seq number check */
1460 if (!NT_STATUS_IS_OK(domain->last_status))
1461 return domain->last_status;
1463 /* Put the query_user_list() in a retry loop. There appears to be
1464 * some bug either with Windows 2000 or Samba's handling of large
1465 * rpc replies. This manifests itself as sudden disconnection
1466 * at a random point in the enumeration of a large (60k) user list.
1467 * The retry loop simply tries the operation again. )-: It's not
1468 * pretty but an acceptable workaround until we work out what the
1469 * real problem is. */
1474 DEBUG(10,("query_user_list: [Cached] - doing backend query for list for domain %s\n",
1477 status = domain->backend->query_user_list(domain, mem_ctx, num_entries, info);
1478 if (!NT_STATUS_IS_OK(status)) {
1479 DEBUG(3, ("query_user_list: returned 0x%08x, "
1480 "retrying\n", NT_STATUS_V(status)));
1482 if (NT_STATUS_EQUAL(status, NT_STATUS_UNSUCCESSFUL)) {
1483 DEBUG(3, ("query_user_list: flushing "
1484 "connection cache\n"));
1485 invalidate_cm_connection(&domain->conn);
1487 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
1488 NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1489 if (!domain->internal && old_status) {
1490 set_domain_offline(domain);
1492 /* store partial response. */
1493 if (*num_entries > 0) {
1495 * humm, what about the status used for cache?
1496 * Should it be NT_STATUS_OK?
1501 * domain is offline now, and there is no user entries,
1502 * try to fetch from cache again.
1504 if (cache->tdb && !domain->online && !domain->internal && old_status) {
1505 centry = wcache_fetch(cache, domain, "UL/%s", domain->name);
1506 /* partial response... */
1510 goto do_fetch_cache;
1517 } while (NT_STATUS_V(status) == NT_STATUS_V(NT_STATUS_UNSUCCESSFUL) &&
1521 refresh_sequence_number(domain, false);
1522 if (!NT_STATUS_IS_OK(status)) {
1525 centry = centry_start(domain, status);
1528 centry_put_uint32(centry, *num_entries);
1529 for (i=0; i<(*num_entries); i++) {
1530 centry_put_string(centry, (*info)[i].acct_name);
1531 centry_put_string(centry, (*info)[i].full_name);
1532 centry_put_string(centry, (*info)[i].homedir);
1533 centry_put_string(centry, (*info)[i].shell);
1534 centry_put_sid(centry, &(*info)[i].user_sid);
1535 centry_put_sid(centry, &(*info)[i].group_sid);
1536 if (domain->backend && domain->backend->consistent) {
1537 /* when the backend is consistent we can pre-prime some mappings */
1538 wcache_save_name_to_sid(domain, NT_STATUS_OK,
1540 (*info)[i].acct_name,
1541 &(*info)[i].user_sid,
1543 wcache_save_sid_to_name(domain, NT_STATUS_OK,
1544 &(*info)[i].user_sid,
1546 (*info)[i].acct_name,
1548 wcache_save_user(domain, NT_STATUS_OK, &(*info)[i]);
1551 centry_end(centry, "UL/%s", domain->name);
1552 centry_free(centry);
1558 /* list all domain groups */
1559 static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
1560 TALLOC_CTX *mem_ctx,
1561 uint32 *num_entries,
1562 struct acct_info **info)
1564 struct winbind_cache *cache = get_cache(domain);
1565 struct cache_entry *centry = NULL;
1570 old_status = domain->online;
1574 centry = wcache_fetch(cache, domain, "GL/%s/domain", domain->name);
1579 *num_entries = centry_uint32(centry);
1581 if (*num_entries == 0)
1584 (*info) = TALLOC_ARRAY(mem_ctx, struct acct_info, *num_entries);
1586 smb_panic_fn("enum_dom_groups out of memory");
1588 for (i=0; i<(*num_entries); i++) {
1589 fstrcpy((*info)[i].acct_name, centry_string(centry, mem_ctx));
1590 fstrcpy((*info)[i].acct_desc, centry_string(centry, mem_ctx));
1591 (*info)[i].rid = centry_uint32(centry);
1595 status = centry->status;
1597 DEBUG(10,("enum_dom_groups: [Cached] - cached list for domain %s status: %s\n",
1598 domain->name, nt_errstr(status) ));
1600 centry_free(centry);
1607 /* Return status value returned by seq number check */
1609 if (!NT_STATUS_IS_OK(domain->last_status))
1610 return domain->last_status;
1612 DEBUG(10,("enum_dom_groups: [Cached] - doing backend query for list for domain %s\n",
1615 status = domain->backend->enum_dom_groups(domain, mem_ctx, num_entries, info);
1617 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
1618 NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1619 if (!domain->internal && old_status) {
1620 set_domain_offline(domain);
1624 !domain->internal &&
1626 centry = wcache_fetch(cache, domain, "GL/%s/domain", domain->name);
1628 goto do_fetch_cache;
1633 refresh_sequence_number(domain, false);
1634 if (!NT_STATUS_IS_OK(status)) {
1637 centry = centry_start(domain, status);
1640 centry_put_uint32(centry, *num_entries);
1641 for (i=0; i<(*num_entries); i++) {
1642 centry_put_string(centry, (*info)[i].acct_name);
1643 centry_put_string(centry, (*info)[i].acct_desc);
1644 centry_put_uint32(centry, (*info)[i].rid);
1646 centry_end(centry, "GL/%s/domain", domain->name);
1647 centry_free(centry);
1653 /* list all domain groups */
1654 static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
1655 TALLOC_CTX *mem_ctx,
1656 uint32 *num_entries,
1657 struct acct_info **info)
1659 struct winbind_cache *cache = get_cache(domain);
1660 struct cache_entry *centry = NULL;
1665 old_status = domain->online;
1669 centry = wcache_fetch(cache, domain, "GL/%s/local", domain->name);
1674 *num_entries = centry_uint32(centry);
1676 if (*num_entries == 0)
1679 (*info) = TALLOC_ARRAY(mem_ctx, struct acct_info, *num_entries);
1681 smb_panic_fn("enum_dom_groups out of memory");
1683 for (i=0; i<(*num_entries); i++) {
1684 fstrcpy((*info)[i].acct_name, centry_string(centry, mem_ctx));
1685 fstrcpy((*info)[i].acct_desc, centry_string(centry, mem_ctx));
1686 (*info)[i].rid = centry_uint32(centry);
1691 /* If we are returning cached data and the domain controller
1692 is down then we don't know whether the data is up to date
1693 or not. Return NT_STATUS_MORE_PROCESSING_REQUIRED to
1696 if (wcache_server_down(domain)) {
1697 DEBUG(10, ("enum_local_groups: returning cached user list and server was down\n"));
1698 status = NT_STATUS_MORE_PROCESSING_REQUIRED;
1700 status = centry->status;
1702 DEBUG(10,("enum_local_groups: [Cached] - cached list for domain %s status: %s\n",
1703 domain->name, nt_errstr(status) ));
1705 centry_free(centry);
1712 /* Return status value returned by seq number check */
1714 if (!NT_STATUS_IS_OK(domain->last_status))
1715 return domain->last_status;
1717 DEBUG(10,("enum_local_groups: [Cached] - doing backend query for list for domain %s\n",
1720 status = domain->backend->enum_local_groups(domain, mem_ctx, num_entries, info);
1722 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
1723 NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1724 if (!domain->internal && old_status) {
1725 set_domain_offline(domain);
1728 !domain->internal &&
1731 centry = wcache_fetch(cache, domain, "GL/%s/local", domain->name);
1733 goto do_fetch_cache;
1738 refresh_sequence_number(domain, false);
1739 if (!NT_STATUS_IS_OK(status)) {
1742 centry = centry_start(domain, status);
1745 centry_put_uint32(centry, *num_entries);
1746 for (i=0; i<(*num_entries); i++) {
1747 centry_put_string(centry, (*info)[i].acct_name);
1748 centry_put_string(centry, (*info)[i].acct_desc);
1749 centry_put_uint32(centry, (*info)[i].rid);
1751 centry_end(centry, "GL/%s/local", domain->name);
1752 centry_free(centry);
1758 NTSTATUS wcache_name_to_sid(struct winbindd_domain *domain,
1759 const char *domain_name,
1761 struct dom_sid *sid,
1762 enum lsa_SidType *type)
1764 struct winbind_cache *cache = get_cache(domain);
1765 struct cache_entry *centry;
1769 if (cache->tdb == NULL) {
1770 return NT_STATUS_NOT_FOUND;
1773 uname = talloc_strdup_upper(talloc_tos(), name);
1774 if (uname == NULL) {
1775 return NT_STATUS_NO_MEMORY;
1778 centry = wcache_fetch(cache, domain, "NS/%s/%s", domain_name, uname);
1780 if (centry == NULL) {
1781 return NT_STATUS_NOT_FOUND;
1784 status = centry->status;
1785 if (NT_STATUS_IS_OK(status)) {
1786 *type = (enum lsa_SidType)centry_uint32(centry);
1787 centry_sid(centry, sid);
1790 DEBUG(10,("name_to_sid: [Cached] - cached name for domain %s status: "
1791 "%s\n", domain->name, nt_errstr(status) ));
1793 centry_free(centry);
1797 /* convert a single name to a sid in a domain */
1798 static NTSTATUS name_to_sid(struct winbindd_domain *domain,
1799 TALLOC_CTX *mem_ctx,
1800 const char *domain_name,
1803 struct dom_sid *sid,
1804 enum lsa_SidType *type)
1809 old_status = domain->online;
1811 status = wcache_name_to_sid(domain, domain_name, name, sid, type);
1812 if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
1818 /* If the seq number check indicated that there is a problem
1819 * with this DC, then return that status... except for
1820 * access_denied. This is special because the dc may be in
1821 * "restrict anonymous = 1" mode, in which case it will deny
1822 * most unauthenticated operations, but *will* allow the LSA
1823 * name-to-sid that we try as a fallback. */
1825 if (!(NT_STATUS_IS_OK(domain->last_status)
1826 || NT_STATUS_EQUAL(domain->last_status, NT_STATUS_ACCESS_DENIED)))
1827 return domain->last_status;
1829 DEBUG(10,("name_to_sid: [Cached] - doing backend query for name for domain %s\n",
1832 status = domain->backend->name_to_sid(domain, mem_ctx, domain_name,
1833 name, flags, sid, type);
1835 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
1836 NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1837 if (!domain->internal && old_status) {
1838 set_domain_offline(domain);
1840 if (!domain->internal &&
1843 NTSTATUS cache_status;
1844 cache_status = wcache_name_to_sid(domain, domain_name, name, sid, type);
1845 return cache_status;
1849 refresh_sequence_number(domain, false);
1851 if (domain->online &&
1852 (NT_STATUS_IS_OK(status) || NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED))) {
1853 wcache_save_name_to_sid(domain, status, domain_name, name, sid, *type);
1855 /* Only save the reverse mapping if this was not a UPN */
1856 if (!strchr(name, '@')) {
1857 strupper_m(CONST_DISCARD(char *,domain_name));
1858 strlower_m(CONST_DISCARD(char *,name));
1859 wcache_save_sid_to_name(domain, status, sid, domain_name, name, *type);
1866 NTSTATUS wcache_sid_to_name(struct winbindd_domain *domain,
1867 const struct dom_sid *sid,
1868 TALLOC_CTX *mem_ctx,
1871 enum lsa_SidType *type)
1873 struct winbind_cache *cache = get_cache(domain);
1874 struct cache_entry *centry;
1878 if (cache->tdb == NULL) {
1879 return NT_STATUS_NOT_FOUND;
1882 sid_string = sid_string_tos(sid);
1883 if (sid_string == NULL) {
1884 return NT_STATUS_NO_MEMORY;
1887 centry = wcache_fetch(cache, domain, "SN/%s", sid_string);
1888 TALLOC_FREE(sid_string);
1889 if (centry == NULL) {
1890 return NT_STATUS_NOT_FOUND;
1893 if (NT_STATUS_IS_OK(centry->status)) {
1894 *type = (enum lsa_SidType)centry_uint32(centry);
1895 *domain_name = centry_string(centry, mem_ctx);
1896 *name = centry_string(centry, mem_ctx);
1899 status = centry->status;
1900 centry_free(centry);
1902 DEBUG(10,("sid_to_name: [Cached] - cached name for domain %s status: "
1903 "%s\n", domain->name, nt_errstr(status) ));
1908 /* convert a sid to a user or group name. The sid is guaranteed to be in the domain
1910 static NTSTATUS sid_to_name(struct winbindd_domain *domain,
1911 TALLOC_CTX *mem_ctx,
1912 const struct dom_sid *sid,
1915 enum lsa_SidType *type)
1920 old_status = domain->online;
1921 status = wcache_sid_to_name(domain, sid, mem_ctx, domain_name, name,
1923 if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
1928 *domain_name = NULL;
1930 /* If the seq number check indicated that there is a problem
1931 * with this DC, then return that status... except for
1932 * access_denied. This is special because the dc may be in
1933 * "restrict anonymous = 1" mode, in which case it will deny
1934 * most unauthenticated operations, but *will* allow the LSA
1935 * sid-to-name that we try as a fallback. */
1937 if (!(NT_STATUS_IS_OK(domain->last_status)
1938 || NT_STATUS_EQUAL(domain->last_status, NT_STATUS_ACCESS_DENIED)))
1939 return domain->last_status;
1941 DEBUG(10,("sid_to_name: [Cached] - doing backend query for name for domain %s\n",
1944 status = domain->backend->sid_to_name(domain, mem_ctx, sid, domain_name, name, type);
1946 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
1947 NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1948 if (!domain->internal && old_status) {
1949 set_domain_offline(domain);
1951 if (!domain->internal &&
1954 NTSTATUS cache_status;
1955 cache_status = wcache_sid_to_name(domain, sid, mem_ctx,
1956 domain_name, name, type);
1957 return cache_status;
1961 refresh_sequence_number(domain, false);
1962 if (!NT_STATUS_IS_OK(status)) {
1965 wcache_save_sid_to_name(domain, status, sid, *domain_name, *name, *type);
1967 /* We can't save the name to sid mapping here, as with sid history a
1968 * later name2sid would give the wrong sid. */
1973 static NTSTATUS rids_to_names(struct winbindd_domain *domain,
1974 TALLOC_CTX *mem_ctx,
1975 const struct dom_sid *domain_sid,
1980 enum lsa_SidType **types)
1982 struct winbind_cache *cache = get_cache(domain);
1984 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1989 old_status = domain->online;
1990 *domain_name = NULL;
1998 if (num_rids == 0) {
1999 return NT_STATUS_OK;
2002 *names = TALLOC_ARRAY(mem_ctx, char *, num_rids);
2003 *types = TALLOC_ARRAY(mem_ctx, enum lsa_SidType, num_rids);
2005 if ((*names == NULL) || (*types == NULL)) {
2006 result = NT_STATUS_NO_MEMORY;
2010 have_mapped = have_unmapped = false;
2012 for (i=0; i<num_rids; i++) {
2014 struct cache_entry *centry;
2017 if (!sid_compose(&sid, domain_sid, rids[i])) {
2018 result = NT_STATUS_INTERNAL_ERROR;
2022 centry = wcache_fetch(cache, domain, "SN/%s",
2023 sid_to_fstring(tmp, &sid));
2028 (*types)[i] = SID_NAME_UNKNOWN;
2029 (*names)[i] = talloc_strdup(*names, "");
2031 if (NT_STATUS_IS_OK(centry->status)) {
2034 (*types)[i] = (enum lsa_SidType)centry_uint32(centry);
2036 dom = centry_string(centry, mem_ctx);
2037 if (*domain_name == NULL) {
2043 (*names)[i] = centry_string(centry, *names);
2045 } else if (NT_STATUS_EQUAL(centry->status, NT_STATUS_NONE_MAPPED)) {
2046 have_unmapped = true;
2049 /* something's definitely wrong */
2050 result = centry->status;
2054 centry_free(centry);
2058 return NT_STATUS_NONE_MAPPED;
2060 if (!have_unmapped) {
2061 return NT_STATUS_OK;
2063 return STATUS_SOME_UNMAPPED;
2067 TALLOC_FREE(*names);
2068 TALLOC_FREE(*types);
2070 result = domain->backend->rids_to_names(domain, mem_ctx, domain_sid,
2071 rids, num_rids, domain_name,
2074 if (NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
2075 NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
2076 if (!domain->internal && old_status) {
2077 set_domain_offline(domain);
2080 !domain->internal &&
2083 have_mapped = have_unmapped = false;
2085 for (i=0; i<num_rids; i++) {
2087 struct cache_entry *centry;
2090 if (!sid_compose(&sid, domain_sid, rids[i])) {
2091 result = NT_STATUS_INTERNAL_ERROR;
2095 centry = wcache_fetch(cache, domain, "SN/%s",
2096 sid_to_fstring(tmp, &sid));
2098 (*types)[i] = SID_NAME_UNKNOWN;
2099 (*names)[i] = talloc_strdup(*names, "");
2103 (*types)[i] = SID_NAME_UNKNOWN;
2104 (*names)[i] = talloc_strdup(*names, "");
2106 if (NT_STATUS_IS_OK(centry->status)) {
2109 (*types)[i] = (enum lsa_SidType)centry_uint32(centry);
2111 dom = centry_string(centry, mem_ctx);
2112 if (*domain_name == NULL) {
2118 (*names)[i] = centry_string(centry, *names);
2120 } else if (NT_STATUS_EQUAL(centry->status, NT_STATUS_NONE_MAPPED)) {
2121 have_unmapped = true;
2124 /* something's definitely wrong */
2125 result = centry->status;
2129 centry_free(centry);
2133 return NT_STATUS_NONE_MAPPED;
2135 if (!have_unmapped) {
2136 return NT_STATUS_OK;
2138 return STATUS_SOME_UNMAPPED;
2142 None of the queried rids has been found so save all negative entries
2144 if (NT_STATUS_EQUAL(result, NT_STATUS_NONE_MAPPED)) {
2145 for (i = 0; i < num_rids; i++) {
2147 const char *name = "";
2148 const enum lsa_SidType type = SID_NAME_UNKNOWN;
2149 NTSTATUS status = NT_STATUS_NONE_MAPPED;
2151 if (!sid_compose(&sid, domain_sid, rids[i])) {
2152 return NT_STATUS_INTERNAL_ERROR;
2155 wcache_save_sid_to_name(domain, status, &sid, *domain_name,
2163 Some or all of the queried rids have been found.
2165 if (!NT_STATUS_IS_OK(result) &&
2166 !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED)) {
2170 refresh_sequence_number(domain, false);
2172 for (i=0; i<num_rids; i++) {
2176 if (!sid_compose(&sid, domain_sid, rids[i])) {
2177 result = NT_STATUS_INTERNAL_ERROR;
2181 status = (*types)[i] == SID_NAME_UNKNOWN ?
2182 NT_STATUS_NONE_MAPPED : NT_STATUS_OK;
2184 wcache_save_sid_to_name(domain, status, &sid, *domain_name,
2185 (*names)[i], (*types)[i]);
2191 TALLOC_FREE(*names);
2192 TALLOC_FREE(*types);
2196 NTSTATUS wcache_query_user(struct winbindd_domain *domain,
2197 TALLOC_CTX *mem_ctx,
2198 const struct dom_sid *user_sid,
2199 struct wbint_userinfo *info)
2201 struct winbind_cache *cache = get_cache(domain);
2202 struct cache_entry *centry = NULL;
2206 if (cache->tdb == NULL) {
2207 return NT_STATUS_NOT_FOUND;
2210 sid_string = sid_string_tos(user_sid);
2211 if (sid_string == NULL) {
2212 return NT_STATUS_NO_MEMORY;
2215 centry = wcache_fetch(cache, domain, "U/%s", sid_string);
2216 TALLOC_FREE(sid_string);
2217 if (centry == NULL) {
2218 return NT_STATUS_NOT_FOUND;
2222 * If we have an access denied cache entry and a cached info3
2223 * in the samlogon cache then do a query. This will force the
2224 * rpc back end to return the info3 data.
2227 if (NT_STATUS_EQUAL(domain->last_status, NT_STATUS_ACCESS_DENIED) &&
2228 netsamlogon_cache_have(user_sid)) {
2229 DEBUG(10, ("query_user: cached access denied and have cached "
2231 domain->last_status = NT_STATUS_OK;
2232 centry_free(centry);
2233 return NT_STATUS_NOT_FOUND;
2236 /* if status is not ok then this is a negative hit
2237 and the rest of the data doesn't matter */
2238 status = centry->status;
2239 if (NT_STATUS_IS_OK(status)) {
2240 info->acct_name = centry_string(centry, mem_ctx);
2241 info->full_name = centry_string(centry, mem_ctx);
2242 info->homedir = centry_string(centry, mem_ctx);
2243 info->shell = centry_string(centry, mem_ctx);
2244 info->primary_gid = centry_uint32(centry);
2245 centry_sid(centry, &info->user_sid);
2246 centry_sid(centry, &info->group_sid);
2249 DEBUG(10,("query_user: [Cached] - cached info for domain %s status: "
2250 "%s\n", domain->name, nt_errstr(status) ));
2252 centry_free(centry);
2256 /* Lookup user information from a rid */
2257 static NTSTATUS query_user(struct winbindd_domain *domain,
2258 TALLOC_CTX *mem_ctx,
2259 const struct dom_sid *user_sid,
2260 struct wbint_userinfo *info)
2265 old_status = domain->online;
2266 status = wcache_query_user(domain, mem_ctx, user_sid, info);
2267 if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
2273 /* Return status value returned by seq number check */
2275 if (!NT_STATUS_IS_OK(domain->last_status))
2276 return domain->last_status;
2278 DEBUG(10,("query_user: [Cached] - doing backend query for info for domain %s\n",
2281 status = domain->backend->query_user(domain, mem_ctx, user_sid, info);
2283 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
2284 NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
2285 if (!domain->internal && old_status) {
2286 set_domain_offline(domain);
2288 if (!domain->internal &&
2291 NTSTATUS cache_status;
2292 cache_status = wcache_query_user(domain, mem_ctx, user_sid, info);
2293 return cache_status;
2297 refresh_sequence_number(domain, false);
2298 if (!NT_STATUS_IS_OK(status)) {
2301 wcache_save_user(domain, status, info);
2306 NTSTATUS wcache_lookup_usergroups(struct winbindd_domain *domain,
2307 TALLOC_CTX *mem_ctx,
2308 const struct dom_sid *user_sid,
2309 uint32_t *pnum_sids,
2310 struct dom_sid **psids)
2312 struct winbind_cache *cache = get_cache(domain);
2313 struct cache_entry *centry = NULL;
2315 uint32_t i, num_sids;
2316 struct dom_sid *sids;
2319 if (cache->tdb == NULL) {
2320 return NT_STATUS_NOT_FOUND;
2323 centry = wcache_fetch(cache, domain, "UG/%s",
2324 sid_to_fstring(sid_string, user_sid));
2325 if (centry == NULL) {
2326 return NT_STATUS_NOT_FOUND;
2329 /* If we have an access denied cache entry and a cached info3 in the
2330 samlogon cache then do a query. This will force the rpc back end
2331 to return the info3 data. */
2333 if (NT_STATUS_EQUAL(domain->last_status, NT_STATUS_ACCESS_DENIED)
2334 && netsamlogon_cache_have(user_sid)) {
2335 DEBUG(10, ("lookup_usergroups: cached access denied and have "
2337 domain->last_status = NT_STATUS_OK;
2338 centry_free(centry);
2339 return NT_STATUS_NOT_FOUND;
2342 num_sids = centry_uint32(centry);
2343 sids = talloc_array(mem_ctx, struct dom_sid, num_sids);
2345 centry_free(centry);
2346 return NT_STATUS_NO_MEMORY;
2349 for (i=0; i<num_sids; i++) {
2350 centry_sid(centry, &sids[i]);
2353 status = centry->status;
2355 DEBUG(10,("lookup_usergroups: [Cached] - cached info for domain %s "
2356 "status: %s\n", domain->name, nt_errstr(status)));
2358 centry_free(centry);
2360 *pnum_sids = num_sids;
2365 /* Lookup groups a user is a member of. */
2366 static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
2367 TALLOC_CTX *mem_ctx,
2368 const struct dom_sid *user_sid,
2369 uint32 *num_groups, struct dom_sid **user_gids)
2371 struct cache_entry *centry = NULL;
2377 old_status = domain->online;
2378 status = wcache_lookup_usergroups(domain, mem_ctx, user_sid,
2379 num_groups, user_gids);
2380 if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
2385 (*user_gids) = NULL;
2387 /* Return status value returned by seq number check */
2389 if (!NT_STATUS_IS_OK(domain->last_status))
2390 return domain->last_status;
2392 DEBUG(10,("lookup_usergroups: [Cached] - doing backend query for info for domain %s\n",
2395 status = domain->backend->lookup_usergroups(domain, mem_ctx, user_sid, num_groups, user_gids);
2397 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
2398 NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
2399 if (!domain->internal && old_status) {
2400 set_domain_offline(domain);
2402 if (!domain->internal &&
2405 NTSTATUS cache_status;
2406 cache_status = wcache_lookup_usergroups(domain, mem_ctx, user_sid,
2407 num_groups, user_gids);
2408 return cache_status;
2411 if ( NT_STATUS_EQUAL(status, NT_STATUS_SYNCHRONIZATION_REQUIRED) )
2415 refresh_sequence_number(domain, false);
2416 if (!NT_STATUS_IS_OK(status)) {
2419 centry = centry_start(domain, status);
2423 centry_put_uint32(centry, *num_groups);
2424 for (i=0; i<(*num_groups); i++) {
2425 centry_put_sid(centry, &(*user_gids)[i]);
2428 centry_end(centry, "UG/%s", sid_to_fstring(sid_string, user_sid));
2429 centry_free(centry);
2435 static char *wcache_make_sidlist(TALLOC_CTX *mem_ctx, uint32_t num_sids,
2436 const struct dom_sid *sids)
2441 sidlist = talloc_strdup(mem_ctx, "");
2442 if (sidlist == NULL) {
2445 for (i=0; i<num_sids; i++) {
2447 sidlist = talloc_asprintf_append_buffer(
2448 sidlist, "/%s", sid_to_fstring(tmp, &sids[i]));
2449 if (sidlist == NULL) {
2456 NTSTATUS wcache_lookup_useraliases(struct winbindd_domain *domain,
2457 TALLOC_CTX *mem_ctx, uint32_t num_sids,
2458 const struct dom_sid *sids,
2459 uint32_t *pnum_aliases, uint32_t **paliases)
2461 struct winbind_cache *cache = get_cache(domain);
2462 struct cache_entry *centry = NULL;
2463 uint32_t num_aliases;
2469 if (cache->tdb == NULL) {
2470 return NT_STATUS_NOT_FOUND;
2473 if (num_sids == 0) {
2476 return NT_STATUS_OK;
2479 /* We need to cache indexed by the whole list of SIDs, the aliases
2480 * resulting might come from any of the SIDs. */
2482 sidlist = wcache_make_sidlist(talloc_tos(), num_sids, sids);
2483 if (sidlist == NULL) {
2484 return NT_STATUS_NO_MEMORY;
2487 centry = wcache_fetch(cache, domain, "UA%s", sidlist);
2488 TALLOC_FREE(sidlist);
2489 if (centry == NULL) {
2490 return NT_STATUS_NOT_FOUND;
2493 num_aliases = centry_uint32(centry);
2494 aliases = talloc_array(mem_ctx, uint32_t, num_aliases);
2495 if (aliases == NULL) {
2496 centry_free(centry);
2497 return NT_STATUS_NO_MEMORY;
2500 for (i=0; i<num_aliases; i++) {
2501 aliases[i] = centry_uint32(centry);
2504 status = centry->status;
2506 DEBUG(10,("lookup_useraliases: [Cached] - cached info for domain: %s "
2507 "status %s\n", domain->name, nt_errstr(status)));
2509 centry_free(centry);
2511 *pnum_aliases = num_aliases;
2512 *paliases = aliases;
2517 static NTSTATUS lookup_useraliases(struct winbindd_domain *domain,
2518 TALLOC_CTX *mem_ctx,
2519 uint32 num_sids, const struct dom_sid *sids,
2520 uint32 *num_aliases, uint32 **alias_rids)
2522 struct cache_entry *centry = NULL;
2528 old_status = domain->online;
2529 status = wcache_lookup_useraliases(domain, mem_ctx, num_sids, sids,
2530 num_aliases, alias_rids);
2531 if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
2536 (*alias_rids) = NULL;
2538 if (!NT_STATUS_IS_OK(domain->last_status))
2539 return domain->last_status;
2541 DEBUG(10,("lookup_usergroups: [Cached] - doing backend query for info "
2542 "for domain %s\n", domain->name ));
2544 sidlist = wcache_make_sidlist(talloc_tos(), num_sids, sids);
2545 if (sidlist == NULL) {
2546 return NT_STATUS_NO_MEMORY;
2549 status = domain->backend->lookup_useraliases(domain, mem_ctx,
2551 num_aliases, alias_rids);
2553 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
2554 NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
2555 if (!domain->internal && old_status) {
2556 set_domain_offline(domain);
2558 if (!domain->internal &&
2561 NTSTATUS cache_status;
2562 cache_status = wcache_lookup_useraliases(domain, mem_ctx, num_sids,
2563 sids, num_aliases, alias_rids);
2564 return cache_status;
2568 refresh_sequence_number(domain, false);
2569 if (!NT_STATUS_IS_OK(status)) {
2572 centry = centry_start(domain, status);
2575 centry_put_uint32(centry, *num_aliases);
2576 for (i=0; i<(*num_aliases); i++)
2577 centry_put_uint32(centry, (*alias_rids)[i]);
2578 centry_end(centry, "UA%s", sidlist);
2579 centry_free(centry);
2585 NTSTATUS wcache_lookup_groupmem(struct winbindd_domain *domain,
2586 TALLOC_CTX *mem_ctx,
2587 const struct dom_sid *group_sid,
2588 uint32_t *num_names,
2589 struct dom_sid **sid_mem, char ***names,
2590 uint32_t **name_types)
2592 struct winbind_cache *cache = get_cache(domain);
2593 struct cache_entry *centry = NULL;
2598 if (cache->tdb == NULL) {
2599 return NT_STATUS_NOT_FOUND;
2602 sid_string = sid_string_tos(group_sid);
2603 if (sid_string == NULL) {
2604 return NT_STATUS_NO_MEMORY;
2607 centry = wcache_fetch(cache, domain, "GM/%s", sid_string);
2608 TALLOC_FREE(sid_string);
2609 if (centry == NULL) {
2610 return NT_STATUS_NOT_FOUND;
2617 *num_names = centry_uint32(centry);
2618 if (*num_names == 0) {
2619 centry_free(centry);
2620 return NT_STATUS_OK;
2623 *sid_mem = talloc_array(mem_ctx, struct dom_sid, *num_names);
2624 *names = talloc_array(mem_ctx, char *, *num_names);
2625 *name_types = talloc_array(mem_ctx, uint32, *num_names);
2627 if ((*sid_mem == NULL) || (*names == NULL) || (*name_types == NULL)) {
2628 TALLOC_FREE(*sid_mem);
2629 TALLOC_FREE(*names);
2630 TALLOC_FREE(*name_types);
2631 centry_free(centry);
2632 return NT_STATUS_NO_MEMORY;
2635 for (i=0; i<(*num_names); i++) {
2636 centry_sid(centry, &(*sid_mem)[i]);
2637 (*names)[i] = centry_string(centry, mem_ctx);
2638 (*name_types)[i] = centry_uint32(centry);
2641 status = centry->status;
2643 DEBUG(10,("lookup_groupmem: [Cached] - cached info for domain %s "
2644 "status: %s\n", domain->name, nt_errstr(status)));
2646 centry_free(centry);
2650 static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
2651 TALLOC_CTX *mem_ctx,
2652 const struct dom_sid *group_sid,
2653 enum lsa_SidType type,
2655 struct dom_sid **sid_mem, char ***names,
2656 uint32 **name_types)
2658 struct cache_entry *centry = NULL;
2664 old_status = domain->online;
2665 status = wcache_lookup_groupmem(domain, mem_ctx, group_sid, num_names,
2666 sid_mem, names, name_types);
2667 if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
2674 (*name_types) = NULL;
2676 /* Return status value returned by seq number check */
2678 if (!NT_STATUS_IS_OK(domain->last_status))
2679 return domain->last_status;
2681 DEBUG(10,("lookup_groupmem: [Cached] - doing backend query for info for domain %s\n",
2684 status = domain->backend->lookup_groupmem(domain, mem_ctx, group_sid,
2686 sid_mem, names, name_types);
2688 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
2689 NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
2690 if (!domain->internal && old_status) {
2691 set_domain_offline(domain);
2693 if (!domain->internal &&
2696 NTSTATUS cache_status;
2697 cache_status = wcache_lookup_groupmem(domain, mem_ctx, group_sid,
2698 num_names, sid_mem, names,
2700 return cache_status;
2704 refresh_sequence_number(domain, false);
2705 if (!NT_STATUS_IS_OK(status)) {
2708 centry = centry_start(domain, status);
2711 centry_put_uint32(centry, *num_names);
2712 for (i=0; i<(*num_names); i++) {
2713 centry_put_sid(centry, &(*sid_mem)[i]);
2714 centry_put_string(centry, (*names)[i]);
2715 centry_put_uint32(centry, (*name_types)[i]);
2717 centry_end(centry, "GM/%s", sid_to_fstring(sid_string, group_sid));
2718 centry_free(centry);
2724 /* find the sequence number for a domain */
2725 static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
2727 refresh_sequence_number(domain, false);
2729 *seq = domain->sequence_number;
2731 return NT_STATUS_OK;
2734 /* enumerate trusted domains
2735 * (we need to have the list of trustdoms in the cache when we go offline) -
2737 static NTSTATUS trusted_domains(struct winbindd_domain *domain,
2738 TALLOC_CTX *mem_ctx,
2739 struct netr_DomainTrustList *trusts)
2742 struct winbind_cache *cache;
2743 struct winbindd_tdc_domain *dom_list = NULL;
2744 size_t num_domains = 0;
2745 bool retval = false;
2749 old_status = domain->online;
2751 trusts->array = NULL;
2753 cache = get_cache(domain);
2754 if (!cache || !cache->tdb) {
2758 if (domain->online) {
2762 retval = wcache_tdc_fetch_list(&dom_list, &num_domains);
2763 if (!retval || !num_domains || !dom_list) {
2764 TALLOC_FREE(dom_list);
2769 trusts->array = TALLOC_ZERO_ARRAY(mem_ctx, struct netr_DomainTrust, num_domains);
2770 if (!trusts->array) {
2771 TALLOC_FREE(dom_list);
2772 return NT_STATUS_NO_MEMORY;
2775 for (i = 0; i < num_domains; i++) {
2776 struct netr_DomainTrust *trust;
2777 struct dom_sid *sid;
2778 struct winbindd_domain *dom;
2780 dom = find_domain_from_name_noinit(dom_list[i].domain_name);
2781 if (dom && dom->internal) {
2785 trust = &trusts->array[trusts->count];
2786 trust->netbios_name = talloc_strdup(trusts->array, dom_list[i].domain_name);
2787 trust->dns_name = talloc_strdup(trusts->array, dom_list[i].dns_name);
2788 sid = talloc(trusts->array, struct dom_sid);
2789 if (!trust->netbios_name || !trust->dns_name ||
2791 TALLOC_FREE(dom_list);
2792 TALLOC_FREE(trusts->array);
2793 return NT_STATUS_NO_MEMORY;
2796 trust->trust_flags = dom_list[i].trust_flags;
2797 trust->trust_attributes = dom_list[i].trust_attribs;
2798 trust->trust_type = dom_list[i].trust_type;
2799 sid_copy(sid, &dom_list[i].sid);
2804 TALLOC_FREE(dom_list);
2805 return NT_STATUS_OK;
2808 /* Return status value returned by seq number check */
2810 if (!NT_STATUS_IS_OK(domain->last_status))
2811 return domain->last_status;
2813 DEBUG(10,("trusted_domains: [Cached] - doing backend query for info for domain %s\n",
2816 status = domain->backend->trusted_domains(domain, mem_ctx, trusts);
2818 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
2819 NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
2820 if (!domain->internal && old_status) {
2821 set_domain_offline(domain);
2823 if (!domain->internal &&
2826 retval = wcache_tdc_fetch_list(&dom_list, &num_domains);
2827 if (retval && num_domains && dom_list) {
2828 TALLOC_FREE(trusts->array);
2830 goto do_fetch_cache;
2834 /* no trusts gives NT_STATUS_NO_MORE_ENTRIES resetting to NT_STATUS_OK
2835 * so that the generic centry handling still applies correctly -
2838 if (!NT_STATUS_IS_ERR(status)) {
2839 status = NT_STATUS_OK;
2844 /* get lockout policy */
2845 static NTSTATUS lockout_policy(struct winbindd_domain *domain,
2846 TALLOC_CTX *mem_ctx,
2847 struct samr_DomInfo12 *policy)
2849 struct winbind_cache *cache = get_cache(domain);
2850 struct cache_entry *centry = NULL;
2854 old_status = domain->online;
2858 centry = wcache_fetch(cache, domain, "LOC_POL/%s", domain->name);
2864 policy->lockout_duration = centry_nttime(centry);
2865 policy->lockout_window = centry_nttime(centry);
2866 policy->lockout_threshold = centry_uint16(centry);
2868 status = centry->status;
2870 DEBUG(10,("lockout_policy: [Cached] - cached info for domain %s status: %s\n",
2871 domain->name, nt_errstr(status) ));
2873 centry_free(centry);
2877 ZERO_STRUCTP(policy);
2879 /* Return status value returned by seq number check */
2881 if (!NT_STATUS_IS_OK(domain->last_status))
2882 return domain->last_status;
2884 DEBUG(10,("lockout_policy: [Cached] - doing backend query for info for domain %s\n",
2887 status = domain->backend->lockout_policy(domain, mem_ctx, policy);
2889 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
2890 NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
2891 if (!domain->internal && old_status) {
2892 set_domain_offline(domain);
2895 !domain->internal &&
2898 centry = wcache_fetch(cache, domain, "LOC_POL/%s", domain->name);
2900 goto do_fetch_cache;
2905 refresh_sequence_number(domain, false);
2906 if (!NT_STATUS_IS_OK(status)) {
2909 wcache_save_lockout_policy(domain, status, policy);
2914 /* get password policy */
2915 static NTSTATUS password_policy(struct winbindd_domain *domain,
2916 TALLOC_CTX *mem_ctx,
2917 struct samr_DomInfo1 *policy)
2919 struct winbind_cache *cache = get_cache(domain);
2920 struct cache_entry *centry = NULL;
2924 old_status = domain->online;
2928 centry = wcache_fetch(cache, domain, "PWD_POL/%s", domain->name);
2934 policy->min_password_length = centry_uint16(centry);
2935 policy->password_history_length = centry_uint16(centry);
2936 policy->password_properties = centry_uint32(centry);
2937 policy->max_password_age = centry_nttime(centry);
2938 policy->min_password_age = centry_nttime(centry);
2940 status = centry->status;
2942 DEBUG(10,("lockout_policy: [Cached] - cached info for domain %s status: %s\n",
2943 domain->name, nt_errstr(status) ));
2945 centry_free(centry);
2949 ZERO_STRUCTP(policy);
2951 /* Return status value returned by seq number check */
2953 if (!NT_STATUS_IS_OK(domain->last_status))
2954 return domain->last_status;
2956 DEBUG(10,("password_policy: [Cached] - doing backend query for info for domain %s\n",
2959 status = domain->backend->password_policy(domain, mem_ctx, policy);
2961 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
2962 NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
2963 if (!domain->internal && old_status) {
2964 set_domain_offline(domain);
2967 !domain->internal &&
2970 centry = wcache_fetch(cache, domain, "PWD_POL/%s", domain->name);
2972 goto do_fetch_cache;
2977 refresh_sequence_number(domain, false);
2978 if (!NT_STATUS_IS_OK(status)) {
2981 wcache_save_password_policy(domain, status, policy);
2987 /* Invalidate cached user and group lists coherently */
2989 static int traverse_fn(TDB_CONTEXT *the_tdb, TDB_DATA kbuf, TDB_DATA dbuf,
2992 if (strncmp((const char *)kbuf.dptr, "UL/", 3) == 0 ||
2993 strncmp((const char *)kbuf.dptr, "GL/", 3) == 0)
2994 tdb_delete(the_tdb, kbuf);
2999 /* Invalidate the getpwnam and getgroups entries for a winbindd domain */
3001 void wcache_invalidate_samlogon(struct winbindd_domain *domain,
3002 const struct dom_sid *sid)
3004 fstring key_str, sid_string;
3005 struct winbind_cache *cache;
3007 /* dont clear cached U/SID and UG/SID entries when we want to logon
3010 if (lp_winbind_offline_logon()) {
3017 cache = get_cache(domain);
3023 /* Clear U/SID cache entry */
3024 fstr_sprintf(key_str, "U/%s", sid_to_fstring(sid_string, sid));
3025 DEBUG(10, ("wcache_invalidate_samlogon: clearing %s\n", key_str));
3026 tdb_delete(cache->tdb, string_tdb_data(key_str));
3028 /* Clear UG/SID cache entry */
3029 fstr_sprintf(key_str, "UG/%s", sid_to_fstring(sid_string, sid));
3030 DEBUG(10, ("wcache_invalidate_samlogon: clearing %s\n", key_str));
3031 tdb_delete(cache->tdb, string_tdb_data(key_str));
3033 /* Samba/winbindd never needs this. */
3034 netsamlogon_clear_cached_user(sid);
3037 bool wcache_invalidate_cache(void)
3039 struct winbindd_domain *domain;
3041 for (domain = domain_list(); domain; domain = domain->next) {
3042 struct winbind_cache *cache = get_cache(domain);
3044 DEBUG(10, ("wcache_invalidate_cache: invalidating cache "
3045 "entries for %s\n", domain->name));
3048 tdb_traverse(cache->tdb, traverse_fn, NULL);
3057 bool wcache_invalidate_cache_noinit(void)
3059 struct winbindd_domain *domain;
3061 for (domain = domain_list(); domain; domain = domain->next) {
3062 struct winbind_cache *cache;
3064 /* Skip uninitialized domains. */
3065 if (!domain->initialized && !domain->internal) {
3069 cache = get_cache(domain);
3071 DEBUG(10, ("wcache_invalidate_cache: invalidating cache "
3072 "entries for %s\n", domain->name));
3075 tdb_traverse(cache->tdb, traverse_fn, NULL);
3077 * Flushing cache has nothing to with domains.
3078 * return here if we successfully flushed once.
3079 * To avoid unnecessary traversing the cache.
3090 bool init_wcache(void)
3092 if (wcache == NULL) {
3093 wcache = SMB_XMALLOC_P(struct winbind_cache);
3094 ZERO_STRUCTP(wcache);
3097 if (wcache->tdb != NULL)
3100 /* when working offline we must not clear the cache on restart */
3101 wcache->tdb = tdb_open_log(cache_path("winbindd_cache.tdb"),
3102 WINBINDD_CACHE_TDB_DEFAULT_HASH_SIZE,
3103 TDB_INCOMPATIBLE_HASH |
3104 (lp_winbind_offline_logon() ? TDB_DEFAULT : (TDB_DEFAULT | TDB_CLEAR_IF_FIRST)),
3105 O_RDWR|O_CREAT, 0600);
3107 if (wcache->tdb == NULL) {
3108 DEBUG(0,("Failed to open winbindd_cache.tdb!\n"));
3115 /************************************************************************
3116 This is called by the parent to initialize the cache file.
3117 We don't need sophisticated locking here as we know we're the
3119 ************************************************************************/
3121 bool initialize_winbindd_cache(void)
3123 bool cache_bad = true;
3126 if (!init_wcache()) {
3127 DEBUG(0,("initialize_winbindd_cache: init_wcache failed.\n"));
3131 /* Check version number. */
3132 if (tdb_fetch_uint32(wcache->tdb, WINBINDD_CACHE_VERSION_KEYSTR, &vers) &&
3133 vers == WINBINDD_CACHE_VERSION) {
3138 DEBUG(0,("initialize_winbindd_cache: clearing cache "
3139 "and re-creating with version number %d\n",
3140 WINBINDD_CACHE_VERSION ));
3142 tdb_close(wcache->tdb);
3145 if (unlink(cache_path("winbindd_cache.tdb")) == -1) {
3146 DEBUG(0,("initialize_winbindd_cache: unlink %s failed %s ",
3147 cache_path("winbindd_cache.tdb"),
3151 if (!init_wcache()) {
3152 DEBUG(0,("initialize_winbindd_cache: re-initialization "
3153 "init_wcache failed.\n"));
3157 /* Write the version. */
3158 if (!tdb_store_uint32(wcache->tdb, WINBINDD_CACHE_VERSION_KEYSTR, WINBINDD_CACHE_VERSION)) {
3159 DEBUG(0,("initialize_winbindd_cache: version number store failed %s\n",
3160 tdb_errorstr(wcache->tdb) ));
3165 tdb_close(wcache->tdb);
3170 void close_winbindd_cache(void)
3176 tdb_close(wcache->tdb);
3181 bool lookup_cached_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
3182 char **domain_name, char **name,
3183 enum lsa_SidType *type)
3185 struct winbindd_domain *domain;
3188 domain = find_lookup_domain_from_sid(sid);
3189 if (domain == NULL) {
3192 status = wcache_sid_to_name(domain, sid, mem_ctx, domain_name, name,
3194 return NT_STATUS_IS_OK(status);
3197 bool lookup_cached_name(const char *domain_name,
3199 struct dom_sid *sid,
3200 enum lsa_SidType *type)
3202 struct winbindd_domain *domain;
3204 bool original_online_state;
3206 domain = find_lookup_domain_from_name(domain_name);
3207 if (domain == NULL) {
3211 /* If we are doing a cached logon, temporarily set the domain
3212 offline so the cache won't expire the entry */
3214 original_online_state = domain->online;
3215 domain->online = false;
3216 status = wcache_name_to_sid(domain, domain_name, name, sid, type);
3217 domain->online = original_online_state;
3219 return NT_STATUS_IS_OK(status);
3222 void cache_name2sid(struct winbindd_domain *domain,
3223 const char *domain_name, const char *name,
3224 enum lsa_SidType type, const struct dom_sid *sid)
3226 refresh_sequence_number(domain, false);
3227 wcache_save_name_to_sid(domain, NT_STATUS_OK, domain_name, name,
3232 * The original idea that this cache only contains centries has
3233 * been blurred - now other stuff gets put in here. Ensure we
3234 * ignore these things on cleanup.
3237 static int traverse_fn_cleanup(TDB_CONTEXT *the_tdb, TDB_DATA kbuf,
3238 TDB_DATA dbuf, void *state)
3240 struct cache_entry *centry;
3242 if (is_non_centry_key(kbuf)) {
3246 centry = wcache_fetch_raw((char *)kbuf.dptr);
3251 if (!NT_STATUS_IS_OK(centry->status)) {
3252 DEBUG(10,("deleting centry %s\n", (const char *)kbuf.dptr));
3253 tdb_delete(the_tdb, kbuf);
3256 centry_free(centry);
3260 /* flush the cache */
3261 void wcache_flush_cache(void)
3266 tdb_close(wcache->tdb);
3269 if (!winbindd_use_cache()) {
3273 /* when working offline we must not clear the cache on restart */
3274 wcache->tdb = tdb_open_log(cache_path("winbindd_cache.tdb"),
3275 WINBINDD_CACHE_TDB_DEFAULT_HASH_SIZE,
3276 TDB_INCOMPATIBLE_HASH |
3277 (lp_winbind_offline_logon() ? TDB_DEFAULT : (TDB_DEFAULT | TDB_CLEAR_IF_FIRST)),
3278 O_RDWR|O_CREAT, 0600);
3281 DEBUG(0,("Failed to open winbindd_cache.tdb!\n"));
3285 tdb_traverse(wcache->tdb, traverse_fn_cleanup, NULL);
3287 DEBUG(10,("wcache_flush_cache success\n"));
3290 /* Count cached creds */
3292 static int traverse_fn_cached_creds(TDB_CONTEXT *the_tdb, TDB_DATA kbuf, TDB_DATA dbuf,
3295 int *cred_count = (int*)state;
3297 if (strncmp((const char *)kbuf.dptr, "CRED/", 5) == 0) {
3303 NTSTATUS wcache_count_cached_creds(struct winbindd_domain *domain, int *count)
3305 struct winbind_cache *cache = get_cache(domain);
3310 return NT_STATUS_INTERNAL_DB_ERROR;
3313 tdb_traverse(cache->tdb, traverse_fn_cached_creds, (void *)count);
3315 return NT_STATUS_OK;
3319 struct cred_list *prev, *next;
3324 static struct cred_list *wcache_cred_list;
3326 static int traverse_fn_get_credlist(TDB_CONTEXT *the_tdb, TDB_DATA kbuf, TDB_DATA dbuf,
3329 struct cred_list *cred;
3331 if (strncmp((const char *)kbuf.dptr, "CRED/", 5) == 0) {
3333 cred = SMB_MALLOC_P(struct cred_list);
3335 DEBUG(0,("traverse_fn_remove_first_creds: failed to malloc new entry for list\n"));
3341 /* save a copy of the key */
3343 fstrcpy(cred->name, (const char *)kbuf.dptr);
3344 DLIST_ADD(wcache_cred_list, cred);
3350 NTSTATUS wcache_remove_oldest_cached_creds(struct winbindd_domain *domain, const struct dom_sid *sid)
3352 struct winbind_cache *cache = get_cache(domain);
3355 struct cred_list *cred, *oldest = NULL;
3358 return NT_STATUS_INTERNAL_DB_ERROR;
3361 /* we possibly already have an entry */
3362 if (sid && NT_STATUS_IS_OK(wcache_cached_creds_exist(domain, sid))) {
3364 fstring key_str, tmp;
3366 DEBUG(11,("we already have an entry, deleting that\n"));
3368 fstr_sprintf(key_str, "CRED/%s", sid_to_fstring(tmp, sid));
3370 tdb_delete(cache->tdb, string_tdb_data(key_str));
3372 return NT_STATUS_OK;
3375 ret = tdb_traverse(cache->tdb, traverse_fn_get_credlist, NULL);
3377 return NT_STATUS_OK;
3378 } else if ((ret == -1) || (wcache_cred_list == NULL)) {
3379 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3382 ZERO_STRUCTP(oldest);
3384 for (cred = wcache_cred_list; cred; cred = cred->next) {
3389 data = tdb_fetch(cache->tdb, string_tdb_data(cred->name));
3391 DEBUG(10,("wcache_remove_oldest_cached_creds: entry for [%s] not found\n",
3393 status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
3397 t = IVAL(data.dptr, 0);
3398 SAFE_FREE(data.dptr);
3401 oldest = SMB_MALLOC_P(struct cred_list);
3402 if (oldest == NULL) {
3403 status = NT_STATUS_NO_MEMORY;
3407 fstrcpy(oldest->name, cred->name);
3408 oldest->created = t;
3412 if (t < oldest->created) {
3413 fstrcpy(oldest->name, cred->name);
3414 oldest->created = t;
3418 if (tdb_delete(cache->tdb, string_tdb_data(oldest->name)) == 0) {
3419 status = NT_STATUS_OK;
3421 status = NT_STATUS_UNSUCCESSFUL;
3424 SAFE_FREE(wcache_cred_list);
3430 /* Change the global online/offline state. */
3431 bool set_global_winbindd_state_offline(void)
3435 DEBUG(10,("set_global_winbindd_state_offline: offline requested.\n"));
3437 /* Only go offline if someone has created
3438 the key "WINBINDD_OFFLINE" in the cache tdb. */
3440 if (wcache == NULL || wcache->tdb == NULL) {
3441 DEBUG(10,("set_global_winbindd_state_offline: wcache not open yet.\n"));
3445 if (!lp_winbind_offline_logon()) {
3446 DEBUG(10,("set_global_winbindd_state_offline: rejecting.\n"));
3450 if (global_winbindd_offline_state) {
3451 /* Already offline. */
3455 data = tdb_fetch_bystring( wcache->tdb, "WINBINDD_OFFLINE" );
3457 if (!data.dptr || data.dsize != 4) {
3458 DEBUG(10,("set_global_winbindd_state_offline: offline state not set.\n"));
3459 SAFE_FREE(data.dptr);
3462 DEBUG(10,("set_global_winbindd_state_offline: offline state set.\n"));
3463 global_winbindd_offline_state = true;
3464 SAFE_FREE(data.dptr);
3469 void set_global_winbindd_state_online(void)
3471 DEBUG(10,("set_global_winbindd_state_online: online requested.\n"));
3473 if (!lp_winbind_offline_logon()) {
3474 DEBUG(10,("set_global_winbindd_state_online: rejecting.\n"));
3478 if (!global_winbindd_offline_state) {
3479 /* Already online. */
3482 global_winbindd_offline_state = false;
3488 /* Ensure there is no key "WINBINDD_OFFLINE" in the cache tdb. */
3489 tdb_delete_bystring(wcache->tdb, "WINBINDD_OFFLINE");
3492 bool get_global_winbindd_state_offline(void)
3494 return global_winbindd_offline_state;
3497 /***********************************************************************
3498 Validate functions for all possible cache tdb keys.
3499 ***********************************************************************/
3501 static struct cache_entry *create_centry_validate(const char *kstr, TDB_DATA data,
3502 struct tdb_validation_status *state)
3504 struct cache_entry *centry;
3506 centry = SMB_XMALLOC_P(struct cache_entry);
3507 centry->data = (unsigned char *)memdup(data.dptr, data.dsize);
3508 if (!centry->data) {
3512 centry->len = data.dsize;
3515 if (centry->len < 16) {
3516 /* huh? corrupt cache? */
3517 DEBUG(0,("create_centry_validate: Corrupt cache for key %s "
3518 "(len < 16) ?\n", kstr));
3519 centry_free(centry);
3520 state->bad_entry = true;
3521 state->success = false;
3525 centry->status = NT_STATUS(centry_uint32(centry));
3526 centry->sequence_number = centry_uint32(centry);
3527 centry->timeout = centry_uint64_t(centry);
3531 static int validate_seqnum(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
3532 struct tdb_validation_status *state)
3534 if (dbuf.dsize != 8) {
3535 DEBUG(0,("validate_seqnum: Corrupt cache for key %s (len %u != 8) ?\n",
3536 keystr, (unsigned int)dbuf.dsize ));
3537 state->bad_entry = true;
3543 static int validate_ns(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
3544 struct tdb_validation_status *state)
3546 struct cache_entry *centry = create_centry_validate(keystr, dbuf, state);
3551 (void)centry_uint32(centry);
3552 if (NT_STATUS_IS_OK(centry->status)) {
3554 (void)centry_sid(centry, &sid);
3557 centry_free(centry);
3559 if (!(state->success)) {
3562 DEBUG(10,("validate_ns: %s ok\n", keystr));
3566 static int validate_sn(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
3567 struct tdb_validation_status *state)
3569 struct cache_entry *centry = create_centry_validate(keystr, dbuf, state);
3574 if (NT_STATUS_IS_OK(centry->status)) {
3575 (void)centry_uint32(centry);
3576 (void)centry_string(centry, mem_ctx);
3577 (void)centry_string(centry, mem_ctx);
3580 centry_free(centry);
3582 if (!(state->success)) {
3585 DEBUG(10,("validate_sn: %s ok\n", keystr));
3589 static int validate_u(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
3590 struct tdb_validation_status *state)
3592 struct cache_entry *centry = create_centry_validate(keystr, dbuf, state);
3599 (void)centry_string(centry, mem_ctx);
3600 (void)centry_string(centry, mem_ctx);
3601 (void)centry_string(centry, mem_ctx);
3602 (void)centry_string(centry, mem_ctx);
3603 (void)centry_uint32(centry);
3604 (void)centry_sid(centry, &sid);
3605 (void)centry_sid(centry, &sid);
3607 centry_free(centry);
3609 if (!(state->success)) {
3612 DEBUG(10,("validate_u: %s ok\n", keystr));
3616 static int validate_loc_pol(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
3617 struct tdb_validation_status *state)
3619 struct cache_entry *centry = create_centry_validate(keystr, dbuf, state);
3625 (void)centry_nttime(centry);
3626 (void)centry_nttime(centry);
3627 (void)centry_uint16(centry);
3629 centry_free(centry);
3631 if (!(state->success)) {
3634 DEBUG(10,("validate_loc_pol: %s ok\n", keystr));
3638 static int validate_pwd_pol(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
3639 struct tdb_validation_status *state)
3641 struct cache_entry *centry = create_centry_validate(keystr, dbuf, state);
3647 (void)centry_uint16(centry);
3648 (void)centry_uint16(centry);
3649 (void)centry_uint32(centry);
3650 (void)centry_nttime(centry);
3651 (void)centry_nttime(centry);
3653 centry_free(centry);
3655 if (!(state->success)) {
3658 DEBUG(10,("validate_pwd_pol: %s ok\n", keystr));
3662 static int validate_cred(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
3663 struct tdb_validation_status *state)
3665 struct cache_entry *centry = create_centry_validate(keystr, dbuf, state);
3671 (void)centry_time(centry);
3672 (void)centry_hash16(centry, mem_ctx);
3674 /* We only have 17 bytes more data in the salted cred case. */
3675 if (centry->len - centry->ofs == 17) {
3676 (void)centry_hash16(centry, mem_ctx);
3679 centry_free(centry);
3681 if (!(state->success)) {
3684 DEBUG(10,("validate_cred: %s ok\n", keystr));
3688 static int validate_ul(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
3689 struct tdb_validation_status *state)
3691 struct cache_entry *centry = create_centry_validate(keystr, dbuf, state);
3692 int32 num_entries, i;
3698 num_entries = (int32)centry_uint32(centry);
3700 for (i=0; i< num_entries; i++) {
3702 (void)centry_string(centry, mem_ctx);
3703 (void)centry_string(centry, mem_ctx);
3704 (void)centry_string(centry, mem_ctx);
3705 (void)centry_string(centry, mem_ctx);
3706 (void)centry_sid(centry, &sid);
3707 (void)centry_sid(centry, &sid);
3710 centry_free(centry);
3712 if (!(state->success)) {
3715 DEBUG(10,("validate_ul: %s ok\n", keystr));
3719 static int validate_gl(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
3720 struct tdb_validation_status *state)
3722 struct cache_entry *centry = create_centry_validate(keystr, dbuf, state);
3723 int32 num_entries, i;
3729 num_entries = centry_uint32(centry);
3731 for (i=0; i< num_entries; i++) {
3732 (void)centry_string(centry, mem_ctx);
3733 (void)centry_string(centry, mem_ctx);
3734 (void)centry_uint32(centry);
3737 centry_free(centry);
3739 if (!(state->success)) {
3742 DEBUG(10,("validate_gl: %s ok\n", keystr));
3746 static int validate_ug(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
3747 struct tdb_validation_status *state)
3749 struct cache_entry *centry = create_centry_validate(keystr, dbuf, state);
3750 int32 num_groups, i;
3756 num_groups = centry_uint32(centry);
3758 for (i=0; i< num_groups; i++) {
3760 centry_sid(centry, &sid);
3763 centry_free(centry);
3765 if (!(state->success)) {
3768 DEBUG(10,("validate_ug: %s ok\n", keystr));
3772 static int validate_ua(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
3773 struct tdb_validation_status *state)
3775 struct cache_entry *centry = create_centry_validate(keystr, dbuf, state);
3776 int32 num_aliases, i;
3782 num_aliases = centry_uint32(centry);
3784 for (i=0; i < num_aliases; i++) {
3785 (void)centry_uint32(centry);
3788 centry_free(centry);
3790 if (!(state->success)) {
3793 DEBUG(10,("validate_ua: %s ok\n", keystr));
3797 static int validate_gm(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
3798 struct tdb_validation_status *state)
3800 struct cache_entry *centry = create_centry_validate(keystr, dbuf, state);
3807 num_names = centry_uint32(centry);
3809 for (i=0; i< num_names; i++) {
3811 centry_sid(centry, &sid);
3812 (void)centry_string(centry, mem_ctx);
3813 (void)centry_uint32(centry);
3816 centry_free(centry);
3818 if (!(state->success)) {
3821 DEBUG(10,("validate_gm: %s ok\n", keystr));
3825 static int validate_dr(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
3826 struct tdb_validation_status *state)
3828 /* Can't say anything about this other than must be nonzero. */
3829 if (dbuf.dsize == 0) {
3830 DEBUG(0,("validate_dr: Corrupt cache for key %s (len == 0) ?\n",
3832 state->bad_entry = true;
3833 state->success = false;
3837 DEBUG(10,("validate_dr: %s ok\n", keystr));
3841 static int validate_de(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
3842 struct tdb_validation_status *state)
3844 /* Can't say anything about this other than must be nonzero. */
3845 if (dbuf.dsize == 0) {
3846 DEBUG(0,("validate_de: Corrupt cache for key %s (len == 0) ?\n",
3848 state->bad_entry = true;
3849 state->success = false;
3853 DEBUG(10,("validate_de: %s ok\n", keystr));
3857 static int validate_pwinfo(TALLOC_CTX *mem_ctx, const char *keystr,
3858 TDB_DATA dbuf, struct tdb_validation_status *state)
3860 struct cache_entry *centry = create_centry_validate(keystr, dbuf, state);
3866 (void)centry_string(centry, mem_ctx);
3867 (void)centry_string(centry, mem_ctx);
3868 (void)centry_string(centry, mem_ctx);
3869 (void)centry_uint32(centry);
3871 centry_free(centry);
3873 if (!(state->success)) {
3876 DEBUG(10,("validate_pwinfo: %s ok\n", keystr));
3880 static int validate_nss_an(TALLOC_CTX *mem_ctx, const char *keystr,
3882 struct tdb_validation_status *state)
3884 struct cache_entry *centry = create_centry_validate(keystr, dbuf, state);
3890 (void)centry_string( centry, mem_ctx );
3892 centry_free(centry);
3894 if (!(state->success)) {
3897 DEBUG(10,("validate_pwinfo: %s ok\n", keystr));
3901 static int validate_nss_na(TALLOC_CTX *mem_ctx, const char *keystr,
3903 struct tdb_validation_status *state)
3905 struct cache_entry *centry = create_centry_validate(keystr, dbuf, state);
3911 (void)centry_string( centry, mem_ctx );
3913 centry_free(centry);
3915 if (!(state->success)) {
3918 DEBUG(10,("validate_pwinfo: %s ok\n", keystr));
3922 static int validate_trustdomcache(TALLOC_CTX *mem_ctx, const char *keystr,
3924 struct tdb_validation_status *state)
3926 if (dbuf.dsize == 0) {
3927 DEBUG(0, ("validate_trustdomcache: Corrupt cache for "
3928 "key %s (len ==0) ?\n", keystr));
3929 state->bad_entry = true;
3930 state->success = false;
3934 DEBUG(10, ("validate_trustdomcache: %s ok\n", keystr));
3935 DEBUGADD(10, (" Don't trust me, I am a DUMMY!\n"));
3939 static int validate_offline(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
3940 struct tdb_validation_status *state)
3942 if (dbuf.dsize != 4) {
3943 DEBUG(0,("validate_offline: Corrupt cache for key %s (len %u != 4) ?\n",
3944 keystr, (unsigned int)dbuf.dsize ));
3945 state->bad_entry = true;
3946 state->success = false;
3949 DEBUG(10,("validate_offline: %s ok\n", keystr));
3953 static int validate_ndr(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
3954 struct tdb_validation_status *state)
3957 * Ignore validation for now. The proper way to do this is with a
3958 * checksum. Just pure parsing does not really catch much.
3963 static int validate_cache_version(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
3964 struct tdb_validation_status *state)
3966 if (dbuf.dsize != 4) {
3967 DEBUG(0, ("validate_cache_version: Corrupt cache for "
3968 "key %s (len %u != 4) ?\n",
3969 keystr, (unsigned int)dbuf.dsize));
3970 state->bad_entry = true;
3971 state->success = false;
3975 DEBUG(10, ("validate_cache_version: %s ok\n", keystr));
3979 /***********************************************************************
3980 A list of all possible cache tdb keys with associated validation
3982 ***********************************************************************/
3984 struct key_val_struct {
3985 const char *keyname;
3986 int (*validate_data_fn)(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf, struct tdb_validation_status* state);
3988 {"SEQNUM/", validate_seqnum},
3989 {"NS/", validate_ns},
3990 {"SN/", validate_sn},
3992 {"LOC_POL/", validate_loc_pol},
3993 {"PWD_POL/", validate_pwd_pol},
3994 {"CRED/", validate_cred},
3995 {"UL/", validate_ul},
3996 {"GL/", validate_gl},
3997 {"UG/", validate_ug},
3998 {"UA", validate_ua},
3999 {"GM/", validate_gm},
4000 {"DR/", validate_dr},
4001 {"DE/", validate_de},
4002 {"NSS/PWINFO/", validate_pwinfo},
4003 {"TRUSTDOMCACHE/", validate_trustdomcache},
4004 {"NSS/NA/", validate_nss_na},
4005 {"NSS/AN/", validate_nss_an},
4006 {"WINBINDD_OFFLINE", validate_offline},
4007 {"NDR/", validate_ndr},
4008 {WINBINDD_CACHE_VERSION_KEYSTR, validate_cache_version},
4012 /***********************************************************************
4013 Function to look at every entry in the tdb and validate it as far as
4015 ***********************************************************************/
4017 static int cache_traverse_validate_fn(TDB_CONTEXT *the_tdb, TDB_DATA kbuf, TDB_DATA dbuf, void *state)
4020 unsigned int max_key_len = 1024;
4021 struct tdb_validation_status *v_state = (struct tdb_validation_status *)state;
4023 /* Paranoia check. */
4024 if (strncmp("UA/", (const char *)kbuf.dptr, 3) == 0) {
4025 max_key_len = 1024 * 1024;
4027 if (kbuf.dsize > max_key_len) {
4028 DEBUG(0, ("cache_traverse_validate_fn: key length too large: "
4030 (unsigned int)kbuf.dsize, (unsigned int)max_key_len));
4034 for (i = 0; key_val[i].keyname; i++) {
4035 size_t namelen = strlen(key_val[i].keyname);
4036 if (kbuf.dsize >= namelen && (
4037 strncmp(key_val[i].keyname, (const char *)kbuf.dptr, namelen)) == 0) {
4038 TALLOC_CTX *mem_ctx;
4042 keystr = SMB_MALLOC_ARRAY(char, kbuf.dsize+1);
4046 memcpy(keystr, kbuf.dptr, kbuf.dsize);
4047 keystr[kbuf.dsize] = '\0';
4049 mem_ctx = talloc_init("validate_ctx");
4055 ret = key_val[i].validate_data_fn(mem_ctx, keystr, dbuf,
4059 talloc_destroy(mem_ctx);
4064 DEBUG(0,("cache_traverse_validate_fn: unknown cache entry\nkey :\n"));
4065 dump_data(0, (uint8 *)kbuf.dptr, kbuf.dsize);
4066 DEBUG(0,("data :\n"));
4067 dump_data(0, (uint8 *)dbuf.dptr, dbuf.dsize);
4068 v_state->unknown_key = true;
4069 v_state->success = false;
4070 return 1; /* terminate. */
4073 static void validate_panic(const char *const why)
4075 DEBUG(0,("validating cache: would panic %s\n", why ));
4076 DEBUGADD(0, ("exiting instead (cache validation mode)\n"));
4080 /***********************************************************************
4081 Try and validate every entry in the winbindd cache. If we fail here,
4082 delete the cache tdb and return non-zero.
4083 ***********************************************************************/
4085 int winbindd_validate_cache(void)
4088 const char *tdb_path = cache_path("winbindd_cache.tdb");
4089 TDB_CONTEXT *tdb = NULL;
4091 DEBUG(10, ("winbindd_validate_cache: replacing panic function\n"));
4092 smb_panic_fn = validate_panic;
4095 tdb = tdb_open_log(tdb_path,
4096 WINBINDD_CACHE_TDB_DEFAULT_HASH_SIZE,
4097 TDB_INCOMPATIBLE_HASH |
4098 ( lp_winbind_offline_logon()
4100 : TDB_DEFAULT | TDB_CLEAR_IF_FIRST ),
4104 DEBUG(0, ("winbindd_validate_cache: "
4105 "error opening/initializing tdb\n"));
4110 ret = tdb_validate_and_backup(tdb_path, cache_traverse_validate_fn);
4113 DEBUG(10, ("winbindd_validate_cache: validation not successful.\n"));
4114 DEBUGADD(10, ("removing tdb %s.\n", tdb_path));
4119 DEBUG(10, ("winbindd_validate_cache: restoring panic function\n"));
4120 smb_panic_fn = smb_panic;
4124 /***********************************************************************
4125 Try and validate every entry in the winbindd cache.
4126 ***********************************************************************/
4128 int winbindd_validate_cache_nobackup(void)
4131 const char *tdb_path = cache_path("winbindd_cache.tdb");
4133 DEBUG(10, ("winbindd_validate_cache: replacing panic function\n"));
4134 smb_panic_fn = validate_panic;
4137 if (wcache == NULL || wcache->tdb == NULL) {
4138 ret = tdb_validate_open(tdb_path, cache_traverse_validate_fn);
4140 ret = tdb_validate(wcache->tdb, cache_traverse_validate_fn);
4144 DEBUG(10, ("winbindd_validate_cache_nobackup: validation not "
4148 DEBUG(10, ("winbindd_validate_cache_nobackup: restoring panic "
4150 smb_panic_fn = smb_panic;
4154 bool winbindd_cache_validate_and_initialize(void)
4156 close_winbindd_cache();
4158 if (lp_winbind_offline_logon()) {
4159 if (winbindd_validate_cache() < 0) {
4160 DEBUG(0, ("winbindd cache tdb corrupt and no backup "
4161 "could be restored.\n"));
4165 return initialize_winbindd_cache();
4168 /*********************************************************************
4169 ********************************************************************/
4171 static bool add_wbdomain_to_tdc_array( struct winbindd_domain *new_dom,
4172 struct winbindd_tdc_domain **domains,
4173 size_t *num_domains )
4175 struct winbindd_tdc_domain *list = NULL;
4178 bool set_only = false;
4180 /* don't allow duplicates */
4185 for ( i=0; i< (*num_domains); i++ ) {
4186 if ( strequal( new_dom->name, list[i].domain_name ) ) {
4187 DEBUG(10,("add_wbdomain_to_tdc_array: Found existing record for %s\n",
4198 list = TALLOC_ARRAY( NULL, struct winbindd_tdc_domain, 1 );
4201 list = TALLOC_REALLOC_ARRAY( *domains, *domains,
4202 struct winbindd_tdc_domain,
4207 ZERO_STRUCT( list[idx] );
4213 list[idx].domain_name = talloc_strdup( list, new_dom->name );
4214 list[idx].dns_name = talloc_strdup( list, new_dom->alt_name );
4216 if ( !is_null_sid( &new_dom->sid ) ) {
4217 sid_copy( &list[idx].sid, &new_dom->sid );
4219 sid_copy(&list[idx].sid, &global_sid_NULL);
4222 if ( new_dom->domain_flags != 0x0 )
4223 list[idx].trust_flags = new_dom->domain_flags;
4225 if ( new_dom->domain_type != 0x0 )
4226 list[idx].trust_type = new_dom->domain_type;
4228 if ( new_dom->domain_trust_attribs != 0x0 )
4229 list[idx].trust_attribs = new_dom->domain_trust_attribs;
4233 *num_domains = idx + 1;
4239 /*********************************************************************
4240 ********************************************************************/
4242 static TDB_DATA make_tdc_key( const char *domain_name )
4244 char *keystr = NULL;
4245 TDB_DATA key = { NULL, 0 };
4247 if ( !domain_name ) {
4248 DEBUG(5,("make_tdc_key: Keyname workgroup is NULL!\n"));
4252 if (asprintf( &keystr, "TRUSTDOMCACHE/%s", domain_name ) == -1) {
4255 key = string_term_tdb_data(keystr);
4260 /*********************************************************************
4261 ********************************************************************/
4263 static int pack_tdc_domains( struct winbindd_tdc_domain *domains,
4265 unsigned char **buf )
4267 unsigned char *buffer = NULL;
4272 DEBUG(10,("pack_tdc_domains: Packing %d trusted domains\n",
4280 /* Store the number of array items first */
4281 len += tdb_pack( buffer+len, buflen-len, "d",
4284 /* now pack each domain trust record */
4285 for ( i=0; i<num_domains; i++ ) {
4290 DEBUG(10,("pack_tdc_domains: Packing domain %s (%s)\n",
4291 domains[i].domain_name,
4292 domains[i].dns_name ? domains[i].dns_name : "UNKNOWN" ));
4295 len += tdb_pack( buffer+len, buflen-len, "fffddd",
4296 domains[i].domain_name,
4297 domains[i].dns_name,
4298 sid_to_fstring(tmp, &domains[i].sid),
4299 domains[i].trust_flags,
4300 domains[i].trust_attribs,
4301 domains[i].trust_type );
4304 if ( buflen < len ) {
4306 if ( (buffer = SMB_MALLOC_ARRAY(unsigned char, len)) == NULL ) {
4307 DEBUG(0,("pack_tdc_domains: failed to alloc buffer!\n"));
4321 /*********************************************************************
4322 ********************************************************************/
4324 static size_t unpack_tdc_domains( unsigned char *buf, int buflen,
4325 struct winbindd_tdc_domain **domains )
4327 fstring domain_name, dns_name, sid_string;
4328 uint32 type, attribs, flags;
4332 struct winbindd_tdc_domain *list = NULL;
4334 /* get the number of domains */
4335 len += tdb_unpack( buf+len, buflen-len, "d", &num_domains);
4337 DEBUG(5,("unpack_tdc_domains: Failed to unpack domain array\n"));
4341 list = TALLOC_ARRAY( NULL, struct winbindd_tdc_domain, num_domains );
4343 DEBUG(0,("unpack_tdc_domains: Failed to talloc() domain list!\n"));
4347 for ( i=0; i<num_domains; i++ ) {
4348 len += tdb_unpack( buf+len, buflen-len, "fffddd",
4357 DEBUG(5,("unpack_tdc_domains: Failed to unpack domain array\n"));
4358 TALLOC_FREE( list );
4362 DEBUG(11,("unpack_tdc_domains: Unpacking domain %s (%s) "
4363 "SID %s, flags = 0x%x, attribs = 0x%x, type = 0x%x\n",
4364 domain_name, dns_name, sid_string,
4365 flags, attribs, type));
4367 list[i].domain_name = talloc_strdup( list, domain_name );
4368 list[i].dns_name = talloc_strdup( list, dns_name );
4369 if ( !string_to_sid( &(list[i].sid), sid_string ) ) {
4370 DEBUG(10,("unpack_tdc_domains: no SID for domain %s\n",
4373 list[i].trust_flags = flags;
4374 list[i].trust_attribs = attribs;
4375 list[i].trust_type = type;
4383 /*********************************************************************
4384 ********************************************************************/
4386 static bool wcache_tdc_store_list( struct winbindd_tdc_domain *domains, size_t num_domains )
4388 TDB_DATA key = make_tdc_key( lp_workgroup() );
4389 TDB_DATA data = { NULL, 0 };
4395 /* See if we were asked to delete the cache entry */
4398 ret = tdb_delete( wcache->tdb, key );
4402 data.dsize = pack_tdc_domains( domains, num_domains, &data.dptr );
4409 ret = tdb_store( wcache->tdb, key, data, 0 );
4412 SAFE_FREE( data.dptr );
4413 SAFE_FREE( key.dptr );
4415 return ( ret != -1 );
4418 /*********************************************************************
4419 ********************************************************************/
4421 bool wcache_tdc_fetch_list( struct winbindd_tdc_domain **domains, size_t *num_domains )
4423 TDB_DATA key = make_tdc_key( lp_workgroup() );
4424 TDB_DATA data = { NULL, 0 };
4432 data = tdb_fetch( wcache->tdb, key );
4434 SAFE_FREE( key.dptr );
4439 *num_domains = unpack_tdc_domains( data.dptr, data.dsize, domains );
4441 SAFE_FREE( data.dptr );
4449 /*********************************************************************
4450 ********************************************************************/
4452 bool wcache_tdc_add_domain( struct winbindd_domain *domain )
4454 struct winbindd_tdc_domain *dom_list = NULL;
4455 size_t num_domains = 0;
4458 DEBUG(10,("wcache_tdc_add_domain: Adding domain %s (%s), SID %s, "
4459 "flags = 0x%x, attributes = 0x%x, type = 0x%x\n",
4460 domain->name, domain->alt_name,
4461 sid_string_dbg(&domain->sid),
4462 domain->domain_flags,
4463 domain->domain_trust_attribs,
4464 domain->domain_type));
4466 if ( !init_wcache() ) {
4470 /* fetch the list */
4472 wcache_tdc_fetch_list( &dom_list, &num_domains );
4474 /* add the new domain */
4476 if ( !add_wbdomain_to_tdc_array( domain, &dom_list, &num_domains ) ) {
4480 /* pack the domain */
4482 if ( !wcache_tdc_store_list( dom_list, num_domains ) ) {
4490 TALLOC_FREE( dom_list );
4495 /*********************************************************************
4496 ********************************************************************/
4498 struct winbindd_tdc_domain * wcache_tdc_fetch_domain( TALLOC_CTX *ctx, const char *name )
4500 struct winbindd_tdc_domain *dom_list = NULL;
4501 size_t num_domains = 0;
4503 struct winbindd_tdc_domain *d = NULL;
4505 DEBUG(10,("wcache_tdc_fetch_domain: Searching for domain %s\n", name));
4507 if ( !init_wcache() ) {
4511 /* fetch the list */
4513 wcache_tdc_fetch_list( &dom_list, &num_domains );
4515 for ( i=0; i<num_domains; i++ ) {
4516 if ( strequal(name, dom_list[i].domain_name) ||
4517 strequal(name, dom_list[i].dns_name) )
4519 DEBUG(10,("wcache_tdc_fetch_domain: Found domain %s\n",
4522 d = TALLOC_P( ctx, struct winbindd_tdc_domain );
4526 d->domain_name = talloc_strdup( d, dom_list[i].domain_name );
4527 d->dns_name = talloc_strdup( d, dom_list[i].dns_name );
4528 sid_copy( &d->sid, &dom_list[i].sid );
4529 d->trust_flags = dom_list[i].trust_flags;
4530 d->trust_type = dom_list[i].trust_type;
4531 d->trust_attribs = dom_list[i].trust_attribs;
4537 TALLOC_FREE( dom_list );
4542 /*********************************************************************
4543 ********************************************************************/
4545 struct winbindd_tdc_domain*
4546 wcache_tdc_fetch_domainbysid(TALLOC_CTX *ctx,
4547 const struct dom_sid *sid)
4549 struct winbindd_tdc_domain *dom_list = NULL;
4550 size_t num_domains = 0;
4552 struct winbindd_tdc_domain *d = NULL;
4554 DEBUG(10,("wcache_tdc_fetch_domainbysid: Searching for domain %s\n",
4555 sid_string_dbg(sid)));
4557 if (!init_wcache()) {
4561 /* fetch the list */
4563 wcache_tdc_fetch_list(&dom_list, &num_domains);
4565 for (i = 0; i<num_domains; i++) {
4566 if (sid_equal(sid, &(dom_list[i].sid))) {
4567 DEBUG(10, ("wcache_tdc_fetch_domainbysid: "
4568 "Found domain %s for SID %s\n",
4569 dom_list[i].domain_name,
4570 sid_string_dbg(sid)));
4572 d = TALLOC_P(ctx, struct winbindd_tdc_domain);
4576 d->domain_name = talloc_strdup(d,
4577 dom_list[i].domain_name);
4579 d->dns_name = talloc_strdup(d, dom_list[i].dns_name);
4580 sid_copy(&d->sid, &dom_list[i].sid);
4581 d->trust_flags = dom_list[i].trust_flags;
4582 d->trust_type = dom_list[i].trust_type;
4583 d->trust_attribs = dom_list[i].trust_attribs;
4589 TALLOC_FREE(dom_list);
4595 /*********************************************************************
4596 ********************************************************************/
4598 void wcache_tdc_clear( void )
4600 if ( !init_wcache() )
4603 wcache_tdc_store_list( NULL, 0 );
4609 /*********************************************************************
4610 ********************************************************************/
4612 static void wcache_save_user_pwinfo(struct winbindd_domain *domain,
4614 const struct dom_sid *user_sid,
4615 const char *homedir,
4620 struct cache_entry *centry;
4623 if ( (centry = centry_start(domain, status)) == NULL )
4626 centry_put_string( centry, homedir );
4627 centry_put_string( centry, shell );
4628 centry_put_string( centry, gecos );
4629 centry_put_uint32( centry, gid );
4631 centry_end(centry, "NSS/PWINFO/%s", sid_to_fstring(tmp, user_sid) );
4633 DEBUG(10,("wcache_save_user_pwinfo: %s\n", sid_string_dbg(user_sid) ));
4635 centry_free(centry);
4640 NTSTATUS nss_get_info_cached( struct winbindd_domain *domain,
4641 const struct dom_sid *user_sid,
4643 ADS_STRUCT *ads, LDAPMessage *msg,
4644 const char **homedir, const char **shell,
4645 const char **gecos, gid_t *p_gid)
4647 struct winbind_cache *cache = get_cache(domain);
4648 struct cache_entry *centry = NULL;
4655 centry = wcache_fetch(cache, domain, "NSS/PWINFO/%s",
4656 sid_to_fstring(tmp, user_sid));
4661 *homedir = centry_string( centry, ctx );
4662 *shell = centry_string( centry, ctx );
4663 *gecos = centry_string( centry, ctx );
4664 *p_gid = centry_uint32( centry );
4666 centry_free(centry);
4668 DEBUG(10,("nss_get_info_cached: [Cached] - user_sid %s\n",
4669 sid_string_dbg(user_sid)));
4671 return NT_STATUS_OK;
4675 nt_status = nss_get_info( domain->name, user_sid, ctx, ads, msg,
4676 homedir, shell, gecos, p_gid );
4678 DEBUG(10, ("nss_get_info returned %s\n", nt_errstr(nt_status)));
4680 if ( NT_STATUS_IS_OK(nt_status) ) {
4681 DEBUG(10, ("result:\n\thomedir = '%s'\n", *homedir));
4682 DEBUGADD(10, ("\tshell = '%s'\n", *shell));
4683 DEBUGADD(10, ("\tgecos = '%s'\n", *gecos));
4684 DEBUGADD(10, ("\tgid = '%u'\n", (unsigned int)*p_gid));
4686 wcache_save_user_pwinfo( domain, nt_status, user_sid,
4687 *homedir, *shell, *gecos, *p_gid );
4690 if ( NT_STATUS_EQUAL( nt_status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND ) ) {
4691 DEBUG(5,("nss_get_info_cached: Setting domain %s offline\n",
4693 set_domain_offline( domain );
4701 /* the cache backend methods are exposed via this structure */
4702 struct winbindd_methods cache_methods = {
4720 static bool wcache_ndr_key(TALLOC_CTX *mem_ctx, char *domain_name,
4721 uint32_t opnum, const DATA_BLOB *req,
4727 key = talloc_asprintf(mem_ctx, "NDR/%s/%d/", domain_name, (int)opnum);
4731 keylen = talloc_get_size(key) - 1;
4733 key = talloc_realloc(mem_ctx, key, char, keylen + req->length);
4737 memcpy(key + keylen, req->data, req->length);
4739 pkey->dptr = (uint8_t *)key;
4740 pkey->dsize = talloc_get_size(key);
4744 static bool wcache_opnum_cacheable(uint32_t opnum)
4747 case NDR_WBINT_PING:
4748 case NDR_WBINT_QUERYSEQUENCENUMBER:
4749 case NDR_WBINT_ALLOCATEUID:
4750 case NDR_WBINT_ALLOCATEGID:
4751 case NDR_WBINT_CHECKMACHINEACCOUNT:
4752 case NDR_WBINT_CHANGEMACHINEACCOUNT:
4753 case NDR_WBINT_PINGDC:
4759 bool wcache_fetch_ndr(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
4760 uint32_t opnum, const DATA_BLOB *req, DATA_BLOB *resp)
4765 if (!wcache_opnum_cacheable(opnum) ||
4766 is_my_own_sam_domain(domain) ||
4767 is_builtin_domain(domain)) {
4771 if (wcache->tdb == NULL) {
4775 if (!wcache_ndr_key(talloc_tos(), domain->name, opnum, req, &key)) {
4778 data = tdb_fetch(wcache->tdb, key);
4779 TALLOC_FREE(key.dptr);
4781 if (data.dptr == NULL) {
4784 if (data.dsize < 12) {
4788 if (!is_domain_offline(domain)) {
4789 uint32_t entry_seqnum, dom_seqnum, last_check;
4790 uint64_t entry_timeout;
4792 if (!wcache_fetch_seqnum(domain->name, &dom_seqnum,
4796 entry_seqnum = IVAL(data.dptr, 0);
4797 if (entry_seqnum != dom_seqnum) {
4798 DEBUG(10, ("Entry has wrong sequence number: %d\n",
4799 (int)entry_seqnum));
4802 entry_timeout = BVAL(data.dptr, 4);
4803 if (entry_timeout > time(NULL)) {
4804 DEBUG(10, ("Entry has timed out\n"));
4809 resp->data = (uint8_t *)talloc_memdup(mem_ctx, data.dptr + 12,
4811 if (resp->data == NULL) {
4812 DEBUG(10, ("talloc failed\n"));
4815 resp->length = data.dsize - 12;
4819 SAFE_FREE(data.dptr);
4823 void wcache_store_ndr(struct winbindd_domain *domain, uint32_t opnum,
4824 const DATA_BLOB *req, const DATA_BLOB *resp)
4827 uint32_t dom_seqnum, last_check;
4830 if (!wcache_opnum_cacheable(opnum) ||
4831 is_my_own_sam_domain(domain) ||
4832 is_builtin_domain(domain)) {
4836 if (wcache->tdb == NULL) {
4840 if (!wcache_fetch_seqnum(domain->name, &dom_seqnum, &last_check)) {
4841 DEBUG(10, ("could not fetch seqnum for domain %s\n",
4846 if (!wcache_ndr_key(talloc_tos(), domain->name, opnum, req, &key)) {
4850 timeout = time(NULL) + lp_winbind_cache_time();
4852 data.dsize = resp->length + 12;
4853 data.dptr = talloc_array(key.dptr, uint8_t, data.dsize);
4854 if (data.dptr == NULL) {
4858 SIVAL(data.dptr, 0, dom_seqnum);
4859 SBVAL(data.dptr, 4, timeout);
4860 memcpy(data.dptr + 12, resp->data, resp->length);
4862 tdb_store(wcache->tdb, key, data, 0);
4865 TALLOC_FREE(key.dptr);
git.samba.org / kai / samba.git / blob