along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
-#include "includes.h"
+#include "replace.h"
+#include "samlogon_cache.h"
+#include "system/filesys.h"
+#include "system/time.h"
+#include "lib/util/debug.h"
+#include "lib/util/talloc_stack.h"
+#include "source3/lib/util_path.h"
#include "librpc/gen_ndr/ndr_krb5pac.h"
#include "../libcli/security/security.h"
+#include "util_tdb.h"
#define NETSAMLOGON_TDB "netsamlogon_cache.tdb"
bool netsamlogon_cache_init(void)
{
bool first_try = true;
- const char *path = NULL;
+ char *path = NULL;
int ret;
struct tdb_context *tdb;
return true;
}
- path = cache_path(NETSAMLOGON_TDB);
+ path = cache_path(talloc_tos(), NETSAMLOGON_TDB);
+ if (path == NULL) {
+ return false;
+ }
again:
tdb = tdb_open_log(path, 0, TDB_DEFAULT|TDB_INCOMPATIBLE_HASH,
O_RDWR | O_CREAT, 0600);
}
netsamlogon_tdb = tdb;
+ talloc_free(path);
return true;
clear:
if (!first_try) {
+ talloc_free(path);
return false;
}
first_try = false;
- DEBUG(0,("retry after CLEAR_IF_FIRST for '%s'\n", path));
- tdb = tdb_open_log(path, 0, TDB_CLEAR_IF_FIRST|TDB_INCOMPATIBLE_HASH,
- O_RDWR | O_CREAT, 0600);
- if (tdb) {
- tdb_close(tdb);
- goto again;
- }
- DEBUG(0,("tdb_open_log(%s) with CLEAR_IF_FIRST - failed\n", path));
-
- return false;
-}
-
-
-/***********************************************************************
- Shutdown samlogon_cache database
-***********************************************************************/
-
-bool netsamlogon_cache_shutdown(void)
-{
- if (netsamlogon_tdb) {
- return (tdb_close(netsamlogon_tdb) == 0);
+ DEBUG(0,("retry after truncate for '%s'\n", path));
+ ret = truncate(path, 0);
+ if (ret == -1) {
+ DBG_ERR("truncate failed: %s\n", strerror(errno));
+ talloc_free(path);
+ return false;
}
- return true;
+ goto again;
}
/***********************************************************************
Clear cache getpwnam and getgroups entries from the winbindd cache
***********************************************************************/
-void netsamlogon_clear_cached_user(struct netr_SamInfo3 *info3)
+void netsamlogon_clear_cached_user(const struct dom_sid *user_sid)
{
- struct dom_sid user_sid;
- fstring keystr;
-
- if (!info3) {
- return;
- }
+ char keystr[DOM_SID_STR_BUFLEN];
if (!netsamlogon_cache_init()) {
DEBUG(0,("netsamlogon_clear_cached_user: cannot open "
NETSAMLOGON_TDB));
return;
}
- sid_compose(&user_sid, info3->base.domain_sid, info3->base.rid);
/* Prepare key as DOMAIN-SID/USER-RID string */
- sid_to_fstring(keystr, &user_sid);
+ dom_sid_string_buf(user_sid, keystr, sizeof(keystr));
DEBUG(10,("netsamlogon_clear_cached_user: SID [%s]\n", keystr));
bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3)
{
- TDB_DATA data;
- fstring keystr;
+ uint8_t dummy = 0;
+ TDB_DATA data = { .dptr = &dummy, .dsize = sizeof(dummy) };
+ char keystr[DOM_SID_STR_BUFLEN];
bool result = false;
struct dom_sid user_sid;
- time_t t = time(NULL);
- TALLOC_CTX *mem_ctx;
+ TALLOC_CTX *tmp_ctx = talloc_stackframe();
DATA_BLOB blob;
enum ndr_err_code ndr_err;
struct netsamlogoncache_entry r;
+ int ret;
if (!info3) {
- return false;
+ goto fail;
}
if (!netsamlogon_cache_init()) {
DEBUG(0,("netsamlogon_cache_store: cannot open %s for write!\n",
NETSAMLOGON_TDB));
- return false;
+ goto fail;
+ }
+
+ /*
+ * First write a record with just the domain sid for
+ * netsamlogon_cache_domain_known. Use TDB_INSERT to avoid
+ * overwriting potentially other data. We're just interested
+ * in the existence of that record.
+ */
+ dom_sid_string_buf(info3->base.domain_sid, keystr, sizeof(keystr));
+
+ ret = tdb_store_bystring(netsamlogon_tdb, keystr, data, TDB_INSERT);
+
+ if ((ret == -1) && (tdb_error(netsamlogon_tdb) != TDB_ERR_EXISTS)) {
+ DBG_WARNING("Could not store domain marker for %s: %s\n",
+ keystr, tdb_errorstr(netsamlogon_tdb));
+ goto fail;
}
sid_compose(&user_sid, info3->base.domain_sid, info3->base.rid);
/* Prepare key as DOMAIN-SID/USER-RID string */
- sid_to_fstring(keystr, &user_sid);
+ dom_sid_string_buf(&user_sid, keystr, sizeof(keystr));
DEBUG(10,("netsamlogon_cache_store: SID [%s]\n", keystr));
/* Prepare data */
- if (!(mem_ctx = TALLOC_P( NULL, int))) {
- DEBUG(0,("netsamlogon_cache_store: talloc() failed!\n"));
- return false;
+ if (info3->base.full_name.string == NULL) {
+ struct netr_SamInfo3 *cached_info3;
+ const char *full_name = NULL;
+
+ cached_info3 = netsamlogon_cache_get(tmp_ctx, &user_sid);
+ if (cached_info3 != NULL) {
+ full_name = cached_info3->base.full_name.string;
+ }
+
+ if (full_name != NULL) {
+ info3->base.full_name.string = talloc_strdup(info3, full_name);
+ if (info3->base.full_name.string == NULL) {
+ goto fail;
+ }
+ }
}
/* only Samba fills in the username, not sure why NT doesn't */
if (!info3->base.account_name.string) {
info3->base.account_name.string = talloc_strdup(info3, username);
+ if (info3->base.account_name.string == NULL) {
+ goto fail;
+ }
}
- r.timestamp = t;
+ r.timestamp = time(NULL);
r.info3 = *info3;
+ /* avoid storing secret information */
+ ZERO_STRUCT(r.info3.base.key);
+ ZERO_STRUCT(r.info3.base.LMSessKey);
+
if (DEBUGLEVEL >= 10) {
NDR_PRINT_DEBUG(netsamlogoncache_entry, &r);
}
- ndr_err = ndr_push_struct_blob(&blob, mem_ctx, &r,
+ ndr_err = ndr_push_struct_blob(&blob, tmp_ctx, &r,
(ndr_push_flags_fn_t)ndr_push_netsamlogoncache_entry);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- DEBUG(0,("netsamlogon_cache_store: failed to push entry to cache\n"));
- TALLOC_FREE(mem_ctx);
- return false;
+ DBG_WARNING("failed to push entry to cache: %s\n",
+ ndr_errstr(ndr_err));
+ goto fail;
}
data.dsize = blob.length;
data.dptr = blob.data;
- if (tdb_store_bystring(netsamlogon_tdb, keystr, data, TDB_REPLACE) != -1) {
+ if (tdb_store_bystring(netsamlogon_tdb, keystr, data, TDB_REPLACE) == 0) {
result = true;
}
- TALLOC_FREE(mem_ctx);
-
+fail:
+ TALLOC_FREE(tmp_ctx);
return result;
}
/***********************************************************************
Retrieves a netr_SamInfo3 structure from a tdb. Caller must
- free the user_info struct (malloc()'d memory)
+ free the user_info struct (talloced memory)
***********************************************************************/
struct netr_SamInfo3 *netsamlogon_cache_get(TALLOC_CTX *mem_ctx, const struct dom_sid *user_sid)
{
struct netr_SamInfo3 *info3 = NULL;
TDB_DATA data;
- fstring keystr, tmp;
+ char keystr[DOM_SID_STR_BUFLEN];
enum ndr_err_code ndr_err;
DATA_BLOB blob;
struct netsamlogoncache_entry r;
if (!netsamlogon_cache_init()) {
DEBUG(0,("netsamlogon_cache_get: cannot open %s for write!\n",
NETSAMLOGON_TDB));
- return false;
+ return NULL;
}
/* Prepare key as DOMAIN-SID/USER-RID string */
- slprintf(keystr, sizeof(keystr), "%s", sid_to_fstring(tmp, user_sid));
+ dom_sid_string_buf(user_sid, keystr, sizeof(keystr));
DEBUG(10,("netsamlogon_cache_get: SID [%s]\n", keystr));
data = tdb_fetch_bystring( netsamlogon_tdb, keystr );
return NULL;
}
- info3 = TALLOC_ZERO_P(mem_ctx, struct netr_SamInfo3);
+ info3 = talloc_zero(mem_ctx, struct netr_SamInfo3);
if (!info3) {
goto done;
}
blob = data_blob_const(data.dptr, data.dsize);
- ndr_err = ndr_pull_struct_blob(&blob, mem_ctx, &r,
- (ndr_pull_flags_fn_t)ndr_pull_netsamlogoncache_entry);
-
- if (DEBUGLEVEL >= 10) {
- NDR_PRINT_DEBUG(netsamlogoncache_entry, &r);
- }
+ ndr_err = ndr_pull_struct_blob_all(
+ &blob, mem_ctx, &r,
+ (ndr_pull_flags_fn_t)ndr_pull_netsamlogoncache_entry);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
DEBUG(0,("netsamlogon_cache_get: failed to pull entry from cache\n"));
- tdb_delete(netsamlogon_tdb, data);
+ tdb_delete_bystring(netsamlogon_tdb, keystr);
TALLOC_FREE(info3);
goto done;
}
+ if (DEBUGLEVEL >= 10) {
+ NDR_PRINT_DEBUG(netsamlogoncache_entry, &r);
+ }
+
info3 = (struct netr_SamInfo3 *)talloc_memdup(mem_ctx, &r.info3,
sizeof(r.info3));
SAFE_FREE(data.dptr);
return info3;
+}
-#if 0 /* The netsamlogon cache needs to hang around. Something about
- this feels wrong, but it is the only way we can get all of the
- groups. The old universal groups cache didn't expire either.
- --jerry */
- {
- time_t now = time(NULL);
- uint32 time_diff;
-
- /* is the entry expired? */
- time_diff = now - t;
-
- if ( (time_diff < 0 ) || (time_diff > lp_winbind_cache_time()) ) {
- DEBUG(10,("netsamlogon_cache_get: cache entry expired \n"));
- tdb_delete( netsamlogon_tdb, key );
- TALLOC_FREE( user );
- }
+bool netsamlogon_cache_have(const struct dom_sid *sid)
+{
+ char keystr[DOM_SID_STR_BUFLEN];
+ bool ok;
+
+ if (!netsamlogon_cache_init()) {
+ DBG_WARNING("Cannot open %s\n", NETSAMLOGON_TDB);
+ return false;
}
-#endif
+
+ dom_sid_string_buf(sid, keystr, sizeof(keystr));
+
+ ok = tdb_exists(netsamlogon_tdb, string_term_tdb_data(keystr));
+ return ok;
}
-bool netsamlogon_cache_have(const struct dom_sid *user_sid)
+struct netsamlog_cache_forall_state {
+ TALLOC_CTX *mem_ctx;
+ int (*cb)(const char *sid_str,
+ time_t when_cached,
+ struct netr_SamInfo3 *,
+ void *private_data);
+ void *private_data;
+};
+
+static int netsamlog_cache_traverse_cb(struct tdb_context *tdb,
+ TDB_DATA key,
+ TDB_DATA data,
+ void *private_data)
{
- TALLOC_CTX *mem_ctx = talloc_init("netsamlogon_cache_have");
- struct netr_SamInfo3 *info3 = NULL;
- bool result;
+ struct netsamlog_cache_forall_state *state =
+ (struct netsamlog_cache_forall_state *)private_data;
+ TALLOC_CTX *mem_ctx = NULL;
+ DATA_BLOB blob;
+ const char *sid_str = NULL;
+ struct dom_sid sid;
+ struct netsamlogoncache_entry r;
+ enum ndr_err_code ndr_err;
+ int ret;
+ bool ok;
+
+ if (key.dsize == 0) {
+ return 0;
+ }
+ if (key.dptr[key.dsize - 1] != '\0') {
+ return 0;
+ }
+ if (data.dptr == NULL) {
+ return 0;
+ }
+ sid_str = (char *)key.dptr;
- if (!mem_ctx)
- return False;
+ ok = string_to_sid(&sid, sid_str);
+ if (!ok) {
+ DBG_ERR("String to SID failed for %s\n", sid_str);
+ return -1;
+ }
+
+ if (sid.num_auths != 5) {
+ return 0;
+ }
- info3 = netsamlogon_cache_get(mem_ctx, user_sid);
+ mem_ctx = talloc_new(state->mem_ctx);
+ if (mem_ctx == NULL) {
+ return -1;
+ }
- result = (info3 != NULL);
+ blob = data_blob_const(data.dptr, data.dsize);
- talloc_destroy(mem_ctx);
+ ndr_err = ndr_pull_struct_blob(
+ &blob, state->mem_ctx, &r,
+ (ndr_pull_flags_fn_t)ndr_pull_netsamlogoncache_entry);
- return result;
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ DBG_ERR("failed to pull entry from cache\n");
+ return -1;
+ }
+
+ ret = state->cb(sid_str, r.timestamp, &r.info3, state->private_data);
+
+ TALLOC_FREE(mem_ctx);
+ return ret;
+}
+
+int netsamlog_cache_for_all(int (*cb)(const char *sid_str,
+ time_t when_cached,
+ struct netr_SamInfo3 *,
+ void *private_data),
+ void *private_data)
+{
+ int ret;
+ TALLOC_CTX *mem_ctx = NULL;
+ struct netsamlog_cache_forall_state state;
+
+ if (!netsamlogon_cache_init()) {
+ DBG_ERR("Cannot open %s\n", NETSAMLOGON_TDB);
+ return -1;
+ }
+
+ mem_ctx = talloc_init("netsamlog_cache_for_all");
+ if (mem_ctx == NULL) {
+ return -1;
+ }
+
+ state = (struct netsamlog_cache_forall_state) {
+ .mem_ctx = mem_ctx,
+ .cb = cb,
+ .private_data = private_data,
+ };
+
+ ret = tdb_traverse_read(netsamlogon_tdb,
+ netsamlog_cache_traverse_cb,
+ &state);
+
+ TALLOC_FREE(state.mem_ctx);
+ return ret;
}