s3-kerberos: only use krb5 headers where required.
[samba.git] / source3 / winbindd / winbindd_cred_cache.c
1 /*
2    Unix SMB/CIFS implementation.
3
4    Winbind daemon - krb5 credential cache functions
5    and in-memory cache functions.
6
7    Copyright (C) Guenther Deschner 2005-2006
8    Copyright (C) Jeremy Allison 2006
9
10    This program is free software; you can redistribute it and/or modify
11    it under the terms of the GNU General Public License as published by
12    the Free Software Foundation; either version 3 of the License, or
13    (at your option) any later version.
14
15    This program is distributed in the hope that it will be useful,
16    but WITHOUT ANY WARRANTY; without even the implied warranty of
17    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
18    GNU General Public License for more details.
19
20    You should have received a copy of the GNU General Public License
21    along with this program.  If not, see <http://www.gnu.org/licenses/>.
22 */
23
24 #include "includes.h"
25 #include "winbindd.h"
26 #include "../libcli/auth/libcli_auth.h"
27 #include "smb_krb5.h"
28
29 #undef DBGC_CLASS
30 #define DBGC_CLASS DBGC_WINBIND
31
32 /* uncomment this to do fast debugging on the krb5 ticket renewal event */
33 #ifdef DEBUG_KRB5_TKT_RENEWAL
34 #undef DEBUG_KRB5_TKT_RENEWAL
35 #endif
36
37 #define MAX_CCACHES 100
38
39 static struct WINBINDD_CCACHE_ENTRY *ccache_list;
40 static void krb5_ticket_gain_handler(struct event_context *,
41                                      struct timed_event *,
42                                      struct timeval,
43                                      void *);
44 static void add_krb5_ticket_gain_handler_event(struct WINBINDD_CCACHE_ENTRY *,
45                                      struct timeval);
46
47 /* The Krb5 ticket refresh handler should be scheduled
48    at one-half of the period from now till the tkt
49    expiration */
50 #define KRB5_EVENT_REFRESH_TIME(x) ((x) - (((x) - time(NULL))/2))
51
52 /****************************************************************
53  Find an entry by name.
54 ****************************************************************/
55
56 static struct WINBINDD_CCACHE_ENTRY *get_ccache_by_username(const char *username)
57 {
58         struct WINBINDD_CCACHE_ENTRY *entry;
59
60         for (entry = ccache_list; entry; entry = entry->next) {
61                 if (strequal(entry->username, username)) {
62                         return entry;
63                 }
64         }
65         return NULL;
66 }
67
68 /****************************************************************
69  How many do we have ?
70 ****************************************************************/
71
72 static int ccache_entry_count(void)
73 {
74         struct WINBINDD_CCACHE_ENTRY *entry;
75         int i = 0;
76
77         for (entry = ccache_list; entry; entry = entry->next) {
78                 i++;
79         }
80         return i;
81 }
82
83 void ccache_remove_all_after_fork(void)
84 {
85         struct WINBINDD_CCACHE_ENTRY *cur, *next;
86
87         for (cur = ccache_list; cur; cur = next) {
88                 next = cur->next;
89                 DLIST_REMOVE(ccache_list, cur);
90                 TALLOC_FREE(cur->event);
91                 TALLOC_FREE(cur);
92         }
93
94         return;
95 }
96
97 /****************************************************************
98  Do the work of refreshing the ticket.
99 ****************************************************************/
100
101 static void krb5_ticket_refresh_handler(struct event_context *event_ctx,
102                                         struct timed_event *te,
103                                         struct timeval now,
104                                         void *private_data)
105 {
106         struct WINBINDD_CCACHE_ENTRY *entry =
107                 talloc_get_type_abort(private_data, struct WINBINDD_CCACHE_ENTRY);
108 #ifdef HAVE_KRB5
109         int ret;
110         time_t new_start;
111         time_t expire_time = 0;
112         struct WINBINDD_MEMORY_CREDS *cred_ptr = entry->cred_ptr;
113 #endif
114
115         DEBUG(10,("krb5_ticket_refresh_handler called\n"));
116         DEBUGADD(10,("event called for: %s, %s\n",
117                 entry->ccname, entry->username));
118
119         TALLOC_FREE(entry->event);
120
121 #ifdef HAVE_KRB5
122
123         /* Kinit again if we have the user password and we can't renew the old
124          * tgt anymore 
125          * NB
126          * This happens when machine are put to sleep for a very long time. */
127
128         if (entry->renew_until < time(NULL)) {
129 rekinit:
130                 if (cred_ptr && cred_ptr->pass) {
131
132                         set_effective_uid(entry->uid);
133
134                         ret = kerberos_kinit_password_ext(entry->principal_name,
135                                                           cred_ptr->pass,
136                                                           0, /* hm, can we do time correction here ? */
137                                                           &entry->refresh_time,
138                                                           &entry->renew_until,
139                                                           entry->ccname,
140                                                           False, /* no PAC required anymore */
141                                                           True,
142                                                           WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
143                                                           NULL);
144                         gain_root_privilege();
145
146                         if (ret) {
147                                 DEBUG(3,("krb5_ticket_refresh_handler: "
148                                         "could not re-kinit: %s\n",
149                                         error_message(ret)));
150                                 /* destroy the ticket because we cannot rekinit
151                                  * it, ignore error here */
152                                 ads_kdestroy(entry->ccname);
153
154                                 /* Don't break the ticket refresh chain: retry 
155                                  * refreshing ticket sometime later when KDC is 
156                                  * unreachable -- BoYang. More error code handling
157                                  * here? 
158                                  * */
159
160                                 if ((ret == KRB5_KDC_UNREACH)
161                                     || (ret == KRB5_REALM_CANT_RESOLVE)) {
162 #if defined(DEBUG_KRB5_TKT_RENEWAL)
163                                         new_start = time(NULL) + 30;
164 #else
165                                         new_start = time(NULL) +
166                                                     MAX(30, lp_winbind_cache_time());
167 #endif
168                                         add_krb5_ticket_gain_handler_event(entry,
169                                                         timeval_set(new_start, 0));
170                                         return;
171                                 }
172                                 TALLOC_FREE(entry->event);
173                                 return;
174                         }
175
176                         DEBUG(10,("krb5_ticket_refresh_handler: successful re-kinit "
177                                 "for: %s in ccache: %s\n",
178                                 entry->principal_name, entry->ccname));
179
180 #if defined(DEBUG_KRB5_TKT_RENEWAL)
181                         new_start = time(NULL) + 30;
182 #else
183                         /* The tkt should be refreshed at one-half the period
184                            from now to the expiration time */
185                         expire_time = entry->refresh_time;
186                         new_start = KRB5_EVENT_REFRESH_TIME(entry->refresh_time);
187 #endif
188                         goto done;
189                 } else {
190                                 /* can this happen? 
191                                  * No cached credentials
192                                  * destroy ticket and refresh chain 
193                                  * */
194                                 ads_kdestroy(entry->ccname);
195                                 TALLOC_FREE(entry->event);
196                                 return;
197                 }
198         }
199
200         set_effective_uid(entry->uid);
201
202         ret = smb_krb5_renew_ticket(entry->ccname,
203                                     entry->principal_name,
204                                     entry->service,
205                                     &new_start);
206 #if defined(DEBUG_KRB5_TKT_RENEWAL)
207         new_start = time(NULL) + 30;
208 #else
209         expire_time = new_start;
210         new_start = KRB5_EVENT_REFRESH_TIME(new_start);
211 #endif
212
213         gain_root_privilege();
214
215         if (ret) {
216                 DEBUG(3,("krb5_ticket_refresh_handler: "
217                         "could not renew tickets: %s\n",
218                         error_message(ret)));
219                 /* maybe we are beyond the renewing window */
220
221                 /* evil rises here, we refresh ticket failed,
222                  * but the ticket might be expired. Therefore,
223                  * When we refresh ticket failed, destory the 
224                  * ticket */
225
226                 ads_kdestroy(entry->ccname);
227
228                 /* avoid breaking the renewal chain: retry in
229                  * lp_winbind_cache_time() seconds when the KDC was not
230                  * available right now. 
231                  * the return code can be KRB5_REALM_CANT_RESOLVE. 
232                  * More error code handling here? */
233
234                 if ((ret == KRB5_KDC_UNREACH) 
235                     || (ret == KRB5_REALM_CANT_RESOLVE)) {
236 #if defined(DEBUG_KRB5_TKT_RENEWAL)
237                         new_start = time(NULL) + 30;
238 #else
239                         new_start = time(NULL) +
240                                     MAX(30, lp_winbind_cache_time());
241 #endif
242                         /* ticket is destroyed here, we have to regain it
243                          * if it is possible */
244                         add_krb5_ticket_gain_handler_event(entry,
245                                                 timeval_set(new_start, 0));
246                         return;
247                 }
248
249                 /* This is evil, if the ticket was already expired.
250                  * renew ticket function returns KRB5KRB_AP_ERR_TKT_EXPIRED.
251                  * But there is still a chance that we can rekinit it. 
252                  *
253                  * This happens when user login in online mode, and then network
254                  * down or something cause winbind goes offline for a very long time,
255                  * and then goes online again. ticket expired, renew failed.
256                  * This happens when machine are put to sleep for a long time,
257                  * but shorter than entry->renew_util.
258                  * NB
259                  * Looks like the KDC is reachable, we want to rekinit as soon as
260                  * possible instead of waiting some time later. */
261                 if ((ret == KRB5KRB_AP_ERR_TKT_EXPIRED)
262                     || (ret == KRB5_FCC_NOFILE)) goto rekinit;
263
264                 return;
265         }
266
267 done:
268         /* in cases that ticket will be unrenewable soon, we don't try to renew ticket 
269          * but try to regain ticket if it is possible */
270         if (entry->renew_until && expire_time
271              && (entry->renew_until <= expire_time)) {
272                 /* try to regain ticket 10 seconds beforre expiration */
273                 expire_time -= 10;
274                 add_krb5_ticket_gain_handler_event(entry,
275                                         timeval_set(expire_time, 0));
276                 return;
277         }
278
279         if (entry->refresh_time == 0) {
280                 entry->refresh_time = new_start;
281         }
282         entry->event = event_add_timed(winbind_event_context(), entry,
283                                        timeval_set(new_start, 0),
284                                        krb5_ticket_refresh_handler,
285                                        entry);
286
287 #endif
288 }
289
290 /****************************************************************
291  Do the work of regaining a ticket when coming from offline auth.
292 ****************************************************************/
293
294 static void krb5_ticket_gain_handler(struct event_context *event_ctx,
295                                      struct timed_event *te,
296                                      struct timeval now,
297                                      void *private_data)
298 {
299         struct WINBINDD_CCACHE_ENTRY *entry =
300                 talloc_get_type_abort(private_data, struct WINBINDD_CCACHE_ENTRY);
301 #ifdef HAVE_KRB5
302         int ret;
303         struct timeval t;
304         struct WINBINDD_MEMORY_CREDS *cred_ptr = entry->cred_ptr;
305         struct winbindd_domain *domain = NULL;
306 #endif
307
308         DEBUG(10,("krb5_ticket_gain_handler called\n"));
309         DEBUGADD(10,("event called for: %s, %s\n",
310                 entry->ccname, entry->username));
311
312         TALLOC_FREE(entry->event);
313
314 #ifdef HAVE_KRB5
315
316         if (!cred_ptr || !cred_ptr->pass) {
317                 DEBUG(10,("krb5_ticket_gain_handler: no memory creds\n"));
318                 return;
319         }
320
321         if ((domain = find_domain_from_name(entry->realm)) == NULL) {
322                 DEBUG(0,("krb5_ticket_gain_handler: unknown domain\n"));
323                 return;
324         }
325
326         if (!domain->online) {
327                 goto retry_later;
328         }
329
330         set_effective_uid(entry->uid);
331
332         ret = kerberos_kinit_password_ext(entry->principal_name,
333                                           cred_ptr->pass,
334                                           0, /* hm, can we do time correction here ? */
335                                           &entry->refresh_time,
336                                           &entry->renew_until,
337                                           entry->ccname,
338                                           False, /* no PAC required anymore */
339                                           True,
340                                           WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
341                                           NULL);
342         gain_root_privilege();
343
344         if (ret) {
345                 DEBUG(3,("krb5_ticket_gain_handler: "
346                         "could not kinit: %s\n",
347                         error_message(ret)));
348                 /* evil. If we cannot do it, destroy any the __maybe__ 
349                  * __existing__ ticket */
350                 ads_kdestroy(entry->ccname);
351                 goto retry_later;
352         }
353
354         DEBUG(10,("krb5_ticket_gain_handler: "
355                 "successful kinit for: %s in ccache: %s\n",
356                 entry->principal_name, entry->ccname));
357
358         goto got_ticket;
359
360   retry_later:
361  
362 #if defined(DEBUG_KRB5_TKT_REGAIN)
363         t = timeval_set(time(NULL) + 30, 0);
364 #else
365         t = timeval_current_ofs(MAX(30, lp_winbind_cache_time()), 0);
366 #endif
367
368         add_krb5_ticket_gain_handler_event(entry, t);
369         return;
370
371   got_ticket:
372
373 #if defined(DEBUG_KRB5_TKT_RENEWAL)
374         t = timeval_set(time(NULL) + 30, 0);
375 #else
376         t = timeval_set(KRB5_EVENT_REFRESH_TIME(entry->refresh_time), 0);
377 #endif
378
379         if (entry->refresh_time == 0) {
380                 entry->refresh_time = t.tv_sec;
381         }
382         entry->event = event_add_timed(winbind_event_context(),
383                                        entry,
384                                        t,
385                                        krb5_ticket_refresh_handler,
386                                        entry);
387
388         return;
389 #endif
390 }
391
392 /**************************************************************
393  The gain initial ticket case is recognised as entry->refresh_time
394  is always zero.
395 **************************************************************/
396
397 static void add_krb5_ticket_gain_handler_event(struct WINBINDD_CCACHE_ENTRY *entry,
398                                      struct timeval t)
399 {
400         entry->refresh_time = 0;
401         entry->event = event_add_timed(winbind_event_context(),
402                                        entry,
403                                        t,
404                                        krb5_ticket_gain_handler,
405                                        entry);
406 }
407
408 void ccache_regain_all_now(void)
409 {
410         struct WINBINDD_CCACHE_ENTRY *cur;
411         struct timeval t = timeval_current();
412
413         for (cur = ccache_list; cur; cur = cur->next) {
414                 struct timed_event *new_event;
415
416                 /*
417                  * if refresh_time is 0, we know that the
418                  * the event has the krb5_ticket_gain_handler
419                  */
420                 if (cur->refresh_time == 0) {
421                         new_event = event_add_timed(winbind_event_context(),
422                                                     cur,
423                                                     t,
424                                                     krb5_ticket_gain_handler,
425                                                     cur);
426                 } else {
427                         new_event = event_add_timed(winbind_event_context(),
428                                                     cur,
429                                                     t,
430                                                     krb5_ticket_refresh_handler,
431                                                     cur);
432                 }
433
434                 if (!new_event) {
435                         continue;
436                 }
437
438                 TALLOC_FREE(cur->event);
439                 cur->event = new_event;
440         }
441
442         return;
443 }
444
445 /****************************************************************
446  Check if an ccache entry exists.
447 ****************************************************************/
448
449 bool ccache_entry_exists(const char *username)
450 {
451         struct WINBINDD_CCACHE_ENTRY *entry = get_ccache_by_username(username);
452         return (entry != NULL);
453 }
454
455 /****************************************************************
456  Ensure we're changing the correct entry.
457 ****************************************************************/
458
459 bool ccache_entry_identical(const char *username,
460                             uid_t uid,
461                             const char *ccname)
462 {
463         struct WINBINDD_CCACHE_ENTRY *entry = get_ccache_by_username(username);
464
465         if (!entry) {
466                 return False;
467         }
468
469         if (entry->uid != uid) {
470                 DEBUG(0,("cache_entry_identical: uid's differ: %u != %u\n",
471                         (unsigned int)entry->uid, (unsigned int)uid));
472                 return False;
473         }
474         if (!strcsequal(entry->ccname, ccname)) {
475                 DEBUG(0,("cache_entry_identical: "
476                         "ccnames differ: (cache) %s != (client) %s\n",
477                         entry->ccname, ccname));
478                 return False;
479         }
480         return True;
481 }
482
483 NTSTATUS add_ccache_to_list(const char *princ_name,
484                             const char *ccname,
485                             const char *service,
486                             const char *username,
487                             const char *realm,
488                             uid_t uid,
489                             time_t create_time,
490                             time_t ticket_end,
491                             time_t renew_until,
492                             bool postponed_request)
493 {
494         struct WINBINDD_CCACHE_ENTRY *entry = NULL;
495         struct timeval t;
496         NTSTATUS ntret;
497 #ifdef HAVE_KRB5
498         int ret;
499 #endif
500
501         if ((username == NULL && princ_name == NULL) ||
502             ccname == NULL || uid < 0) {
503                 return NT_STATUS_INVALID_PARAMETER;
504         }
505
506         if (ccache_entry_count() + 1 > MAX_CCACHES) {
507                 DEBUG(10,("add_ccache_to_list: "
508                         "max number of ccaches reached\n"));
509                 return NT_STATUS_NO_MORE_ENTRIES;
510         }
511
512         /* If it is cached login, destroy krb5 ticket
513          * to avoid surprise. */
514 #ifdef HAVE_KRB5
515         if (postponed_request) {
516                 /* ignore KRB5_FCC_NOFILE error here */
517                 ret = ads_kdestroy(ccname);
518                 if (ret == KRB5_FCC_NOFILE) {
519                         ret = 0;
520                 }
521                 if (ret) {
522                         DEBUG(0, ("add_ccache_to_list: failed to destroy "
523                                    "user krb5 ccache %s with %s\n", ccname,
524                                    error_message(ret)));
525                         return krb5_to_nt_status(ret);
526                 } else {
527                         DEBUG(10, ("add_ccache_to_list: successfully destroyed "
528                                    "krb5 ccache %s for user %s\n", ccname,
529                                    username));
530                 }
531         }
532 #endif
533
534         /* Reference count old entries */
535         entry = get_ccache_by_username(username);
536         if (entry) {
537                 /* Check cached entries are identical. */
538                 if (!ccache_entry_identical(username, uid, ccname)) {
539                         return NT_STATUS_INVALID_PARAMETER;
540                 }
541                 entry->ref_count++;
542                 DEBUG(10,("add_ccache_to_list: "
543                         "ref count on entry %s is now %d\n",
544                         username, entry->ref_count));
545                 /* FIXME: in this case we still might want to have a krb5 cred
546                  * event handler created - gd
547                  * Add ticket refresh handler here */
548                 
549                 if (!lp_winbind_refresh_tickets() || renew_until <= 0) {
550                         return NT_STATUS_OK;
551                 }
552                 
553                 if (!entry->event) {
554                         if (postponed_request) {
555                                 t = timeval_current_ofs(MAX(30, lp_winbind_cache_time()), 0);
556                                 add_krb5_ticket_gain_handler_event(entry, t);
557                         } else {
558                                 /* Renew at 1/2 the ticket expiration time */
559 #if defined(DEBUG_KRB5_TKT_RENEWAL)
560                                 t = timeval_set(time(NULL)+30, 0);
561 #else
562                                 t = timeval_set(KRB5_EVENT_REFRESH_TIME(ticket_end), 0);
563 #endif
564                                 if (!entry->refresh_time) {
565                                         entry->refresh_time = t.tv_sec;
566                                 }
567                                 entry->event = event_add_timed(winbind_event_context(),
568                                                                entry,
569                                                                t,
570                                                                krb5_ticket_refresh_handler,
571                                                                entry);
572                         }
573
574                         if (!entry->event) {
575                                 ntret = remove_ccache(username);
576                                 if (!NT_STATUS_IS_OK(ntret)) {
577                                         DEBUG(0, ("add_ccache_to_list: Failed to remove krb5 "
578                                                   "ccache %s for user %s\n", entry->ccname,
579                                                   entry->username));
580                                         DEBUG(0, ("add_ccache_to_list: error is %s\n",
581                                                   nt_errstr(ntret)));
582                                         return ntret;
583                                 }
584                                 return NT_STATUS_NO_MEMORY;
585                         }
586
587                         DEBUG(10,("add_ccache_to_list: added krb5_ticket handler\n"));
588                 }
589                  
590                 return NT_STATUS_OK;
591         }
592
593         entry = TALLOC_P(NULL, struct WINBINDD_CCACHE_ENTRY);
594         if (!entry) {
595                 return NT_STATUS_NO_MEMORY;
596         }
597
598         ZERO_STRUCTP(entry);
599
600         if (username) {
601                 entry->username = talloc_strdup(entry, username);
602                 if (!entry->username) {
603                         goto no_mem;
604                 }
605         }
606         if (princ_name) {
607                 entry->principal_name = talloc_strdup(entry, princ_name);
608                 if (!entry->principal_name) {
609                         goto no_mem;
610                 }
611         }
612         if (service) {
613                 entry->service = talloc_strdup(entry, service);
614                 if (!entry->service) {
615                         goto no_mem;
616                 }
617         }
618
619         entry->ccname = talloc_strdup(entry, ccname);
620         if (!entry->ccname) {
621                 goto no_mem;
622         }
623
624         entry->realm = talloc_strdup(entry, realm);
625         if (!entry->realm) {
626                 goto no_mem;
627         }
628
629         entry->create_time = create_time;
630         entry->renew_until = renew_until;
631         entry->uid = uid;
632         entry->ref_count = 1;
633
634         if (!lp_winbind_refresh_tickets() || renew_until <= 0) {
635                 goto add_entry;
636         }
637
638         if (postponed_request) {
639                 t = timeval_current_ofs(MAX(30, lp_winbind_cache_time()), 0);
640                 add_krb5_ticket_gain_handler_event(entry, t);
641         } else {
642                 /* Renew at 1/2 the ticket expiration time */
643 #if defined(DEBUG_KRB5_TKT_RENEWAL)
644                 t = timeval_set(time(NULL)+30, 0);
645 #else
646                 t = timeval_set(KRB5_EVENT_REFRESH_TIME(ticket_end), 0);
647 #endif
648                 if (entry->refresh_time == 0) {
649                         entry->refresh_time = t.tv_sec;
650                 }
651                 entry->event = event_add_timed(winbind_event_context(),
652                                                entry,
653                                                t,
654                                                krb5_ticket_refresh_handler,
655                                                entry);
656         }
657
658         if (!entry->event) {
659                 goto no_mem;
660         }
661
662         DEBUG(10,("add_ccache_to_list: added krb5_ticket handler\n"));
663
664  add_entry:
665
666         DLIST_ADD(ccache_list, entry);
667
668         DEBUG(10,("add_ccache_to_list: "
669                 "added ccache [%s] for user [%s] to the list\n",
670                 ccname, username));
671
672         return NT_STATUS_OK;
673
674  no_mem:
675
676         TALLOC_FREE(entry);
677         return NT_STATUS_NO_MEMORY;
678 }
679
680 /*******************************************************************
681  Remove a WINBINDD_CCACHE_ENTRY entry and the krb5 ccache if no longer
682  referenced.
683  *******************************************************************/
684
685 NTSTATUS remove_ccache(const char *username)
686 {
687         struct WINBINDD_CCACHE_ENTRY *entry = get_ccache_by_username(username);
688         NTSTATUS status = NT_STATUS_OK;
689         #ifdef HAVE_KRB5
690         krb5_error_code ret;
691 #endif
692
693         if (!entry) {
694                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
695         }
696
697         if (entry->ref_count <= 0) {
698                 DEBUG(0,("remove_ccache: logic error. "
699                         "ref count for user %s = %d\n",
700                         username, entry->ref_count));
701                 return NT_STATUS_INTERNAL_DB_CORRUPTION;
702         }
703
704         entry->ref_count--;
705
706         if (entry->ref_count > 0) {
707                 DEBUG(10,("remove_ccache: entry %s ref count now %d\n",
708                         username, entry->ref_count));
709                 return NT_STATUS_OK;
710         }
711
712         /* no references any more */
713
714         DLIST_REMOVE(ccache_list, entry);
715         TALLOC_FREE(entry->event); /* unregisters events */
716
717 #ifdef HAVE_KRB5
718         ret = ads_kdestroy(entry->ccname);
719
720         /* we ignore the error when there has been no credential cache */
721         if (ret == KRB5_FCC_NOFILE) {
722                 ret = 0;
723         } else if (ret) {
724                 DEBUG(0,("remove_ccache: "
725                         "failed to destroy user krb5 ccache %s with: %s\n",
726                         entry->ccname, error_message(ret)));
727         } else {
728                 DEBUG(10,("remove_ccache: "
729                         "successfully destroyed krb5 ccache %s for user %s\n",
730                         entry->ccname, username));
731         }
732         status = krb5_to_nt_status(ret);
733 #endif
734
735         TALLOC_FREE(entry);
736         DEBUG(10,("remove_ccache: removed ccache for user %s\n", username));
737
738         return status;
739 }
740
741 /*******************************************************************
742  In memory credentials cache code.
743 *******************************************************************/
744
745 static struct WINBINDD_MEMORY_CREDS *memory_creds_list;
746
747 /***********************************************************
748  Find an entry on the list by name.
749 ***********************************************************/
750
751 struct WINBINDD_MEMORY_CREDS *find_memory_creds_by_name(const char *username)
752 {
753         struct WINBINDD_MEMORY_CREDS *p;
754
755         for (p = memory_creds_list; p; p = p->next) {
756                 if (strequal(p->username, username)) {
757                         return p;
758                 }
759         }
760         return NULL;
761 }
762
763 /***********************************************************
764  Store the required creds and mlock them.
765 ***********************************************************/
766
767 static NTSTATUS store_memory_creds(struct WINBINDD_MEMORY_CREDS *memcredp,
768                                    const char *pass)
769 {
770 #if !defined(HAVE_MLOCK)
771         return NT_STATUS_OK;
772 #else
773         /* new_entry->nt_hash is the base pointer for the block
774            of memory pointed into by new_entry->lm_hash and
775            new_entry->pass (if we're storing plaintext). */
776
777         memcredp->len = NT_HASH_LEN + LM_HASH_LEN;
778         if (pass) {
779                 memcredp->len += strlen(pass)+1;
780         }
781
782
783 #if defined(LINUX)
784         /* aligning the memory on on x86_64 and compiling
785            with gcc 4.1 using -O2 causes a segv in the
786            next memset()  --jerry */
787         memcredp->nt_hash = SMB_MALLOC_ARRAY(unsigned char, memcredp->len);
788 #else
789         /* On non-linux platforms, mlock()'d memory must be aligned */
790         memcredp->nt_hash = SMB_MEMALIGN_ARRAY(unsigned char,
791                                                getpagesize(), memcredp->len);
792 #endif
793         if (!memcredp->nt_hash) {
794                 return NT_STATUS_NO_MEMORY;
795         }
796         memset(memcredp->nt_hash, 0x0, memcredp->len);
797
798         memcredp->lm_hash = memcredp->nt_hash + NT_HASH_LEN;
799
800 #ifdef DEBUG_PASSWORD
801         DEBUG(10,("mlocking memory: %p\n", memcredp->nt_hash));
802 #endif
803         if ((mlock(memcredp->nt_hash, memcredp->len)) == -1) {
804                 DEBUG(0,("failed to mlock memory: %s (%d)\n",
805                         strerror(errno), errno));
806                 SAFE_FREE(memcredp->nt_hash);
807                 return map_nt_error_from_unix(errno);
808         }
809
810 #ifdef DEBUG_PASSWORD
811         DEBUG(10,("mlocked memory: %p\n", memcredp->nt_hash));
812 #endif
813
814         /* Create and store the password hashes. */
815         E_md4hash(pass, memcredp->nt_hash);
816         E_deshash(pass, memcredp->lm_hash);
817
818         if (pass) {
819                 memcredp->pass = (char *)memcredp->lm_hash + LM_HASH_LEN;
820                 memcpy(memcredp->pass, pass,
821                        memcredp->len - NT_HASH_LEN - LM_HASH_LEN);
822         }
823
824         return NT_STATUS_OK;
825 #endif
826 }
827
828 /***********************************************************
829  Destroy existing creds.
830 ***********************************************************/
831
832 static NTSTATUS delete_memory_creds(struct WINBINDD_MEMORY_CREDS *memcredp)
833 {
834 #if !defined(HAVE_MUNLOCK)
835         return NT_STATUS_OK;
836 #else
837         if (munlock(memcredp->nt_hash, memcredp->len) == -1) {
838                 DEBUG(0,("failed to munlock memory: %s (%d)\n",
839                         strerror(errno), errno));
840                 return map_nt_error_from_unix(errno);
841         }
842         memset(memcredp->nt_hash, '\0', memcredp->len);
843         SAFE_FREE(memcredp->nt_hash);
844         memcredp->nt_hash = NULL;
845         memcredp->lm_hash = NULL;
846         memcredp->pass = NULL;
847         memcredp->len = 0;
848         return NT_STATUS_OK;
849 #endif
850 }
851
852 /***********************************************************
853  Replace the required creds with new ones (password change).
854 ***********************************************************/
855
856 static NTSTATUS winbindd_replace_memory_creds_internal(struct WINBINDD_MEMORY_CREDS *memcredp,
857                                                        const char *pass)
858 {
859         NTSTATUS status = delete_memory_creds(memcredp);
860         if (!NT_STATUS_IS_OK(status)) {
861                 return status;
862         }
863         return store_memory_creds(memcredp, pass);
864 }
865
866 /*************************************************************
867  Store credentials in memory in a list.
868 *************************************************************/
869
870 static NTSTATUS winbindd_add_memory_creds_internal(const char *username,
871                                                    uid_t uid,
872                                                    const char *pass)
873 {
874         /* Shortcut to ensure we don't store if no mlock. */
875 #if !defined(HAVE_MLOCK) || !defined(HAVE_MUNLOCK)
876         return NT_STATUS_OK;
877 #else
878         NTSTATUS status;
879         struct WINBINDD_MEMORY_CREDS *memcredp = NULL;
880
881         memcredp = find_memory_creds_by_name(username);
882         if (uid == (uid_t)-1) {
883                 DEBUG(0,("winbindd_add_memory_creds_internal: "
884                         "invalid uid for user %s.\n", username));
885                 return NT_STATUS_INVALID_PARAMETER;
886         }
887
888         if (memcredp) {
889                 /* Already exists. Increment the reference count and replace stored creds. */
890                 if (uid != memcredp->uid) {
891                         DEBUG(0,("winbindd_add_memory_creds_internal: "
892                                 "uid %u for user %s doesn't "
893                                 "match stored uid %u. Replacing.\n",
894                                 (unsigned int)uid, username,
895                                 (unsigned int)memcredp->uid));
896                         memcredp->uid = uid;
897                 }
898                 memcredp->ref_count++;
899                 DEBUG(10,("winbindd_add_memory_creds_internal: "
900                         "ref count for user %s is now %d\n",
901                         username, memcredp->ref_count));
902                 return winbindd_replace_memory_creds_internal(memcredp, pass);
903         }
904
905         memcredp = TALLOC_ZERO_P(NULL, struct WINBINDD_MEMORY_CREDS);
906         if (!memcredp) {
907                 return NT_STATUS_NO_MEMORY;
908         }
909         memcredp->username = talloc_strdup(memcredp, username);
910         if (!memcredp->username) {
911                 talloc_destroy(memcredp);
912                 return NT_STATUS_NO_MEMORY;
913         }
914
915         status = store_memory_creds(memcredp, pass);
916         if (!NT_STATUS_IS_OK(status)) {
917                 talloc_destroy(memcredp);
918                 return status;
919         }
920
921         memcredp->uid = uid;
922         memcredp->ref_count = 1;
923         DLIST_ADD(memory_creds_list, memcredp);
924
925         DEBUG(10,("winbindd_add_memory_creds_internal: "
926                 "added entry for user %s\n", username));
927
928         return NT_STATUS_OK;
929 #endif
930 }
931
932 /*************************************************************
933  Store users credentials in memory. If we also have a
934  struct WINBINDD_CCACHE_ENTRY for this username with a
935  refresh timer, then store the plaintext of the password
936  and associate the new credentials with the struct WINBINDD_CCACHE_ENTRY.
937 *************************************************************/
938
939 NTSTATUS winbindd_add_memory_creds(const char *username,
940                                    uid_t uid,
941                                    const char *pass)
942 {
943         struct WINBINDD_CCACHE_ENTRY *entry = get_ccache_by_username(username);
944         NTSTATUS status;
945
946         status = winbindd_add_memory_creds_internal(username, uid, pass);
947         if (!NT_STATUS_IS_OK(status)) {
948                 return status;
949         }
950
951         if (entry) {
952                 struct WINBINDD_MEMORY_CREDS *memcredp = NULL;
953                 memcredp = find_memory_creds_by_name(username);
954                 if (memcredp) {
955                         entry->cred_ptr = memcredp;
956                 }
957         }
958
959         return status;
960 }
961
962 /*************************************************************
963  Decrement the in-memory ref count - delete if zero.
964 *************************************************************/
965
966 NTSTATUS winbindd_delete_memory_creds(const char *username)
967 {
968         struct WINBINDD_MEMORY_CREDS *memcredp = NULL;
969         struct WINBINDD_CCACHE_ENTRY *entry = NULL;
970         NTSTATUS status = NT_STATUS_OK;
971
972         memcredp = find_memory_creds_by_name(username);
973         entry = get_ccache_by_username(username);
974
975         if (!memcredp) {
976                 DEBUG(10,("winbindd_delete_memory_creds: unknown user %s\n",
977                         username));
978                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
979         }
980
981         if (memcredp->ref_count <= 0) {
982                 DEBUG(0,("winbindd_delete_memory_creds: logic error. "
983                         "ref count for user %s = %d\n",
984                         username, memcredp->ref_count));
985                 status = NT_STATUS_INTERNAL_DB_CORRUPTION;
986         }
987
988         memcredp->ref_count--;
989         if (memcredp->ref_count <= 0) {
990                 delete_memory_creds(memcredp);
991                 DLIST_REMOVE(memory_creds_list, memcredp);
992                 talloc_destroy(memcredp);
993                 DEBUG(10,("winbindd_delete_memory_creds: "
994                         "deleted entry for user %s\n",
995                         username));
996         } else {
997                 DEBUG(10,("winbindd_delete_memory_creds: "
998                         "entry for user %s ref_count now %d\n",
999                         username, memcredp->ref_count));
1000         }
1001
1002         if (entry) {
1003                 /* Ensure we have no dangling references to this. */
1004                 entry->cred_ptr = NULL;
1005         }
1006
1007         return status;
1008 }
1009
1010 /***********************************************************
1011  Replace the required creds with new ones (password change).
1012 ***********************************************************/
1013
1014 NTSTATUS winbindd_replace_memory_creds(const char *username,
1015                                        const char *pass)
1016 {
1017         struct WINBINDD_MEMORY_CREDS *memcredp = NULL;
1018
1019         memcredp = find_memory_creds_by_name(username);
1020         if (!memcredp) {
1021                 DEBUG(10,("winbindd_replace_memory_creds: unknown user %s\n",
1022                         username));
1023                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1024         }
1025
1026         DEBUG(10,("winbindd_replace_memory_creds: replaced creds for user %s\n",
1027                 username));
1028
1029         return winbindd_replace_memory_creds_internal(memcredp, pass);
1030 }