Trusted domain names cache on top of gencache.
Copyright (C) Rafal Szczesniak 2002
-
+
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
+#include "../libcli/security/security.h"
+#include "../librpc/gen_ndr/ndr_lsa_c.h"
+#include "libsmb/libsmb.h"
+#include "rpc_client/cli_pipe.h"
+#include "rpc_client/cli_lsarpc.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_ALL /* there's no proper class yet */
* list of trusted domains
**/
-
/**
* Initialise trustdom name caching system. Call gencache
* initialisation routine to perform necessary activities.
* @return true upon successful cache initialisation or
* false if cache init failed
**/
-
-BOOL trustdom_cache_enable(void)
-{
- /* Init trustdom cache by calling gencache initialisation */
- if (!gencache_init()) {
- DEBUG(2, ("trustdomcache_enable: Couldn't initialise trustdom cache on top of gencache.\n"));
- return False;
- }
+bool trustdom_cache_enable(void)
+{
return True;
}
* @return true upon successful cache close or
* false if it failed
**/
-
-BOOL trustdom_cache_shutdown(void)
+
+bool trustdom_cache_shutdown(void)
{
- /* Close trustdom cache by calling gencache shutdown */
- if (!gencache_shutdown()) {
- DEBUG(2, ("trustdomcache_shutdown: Couldn't shutdown trustdom cache on top of gencache.\n"));
- return False;
- }
-
return True;
}
static char* trustdom_cache_key(const char* name)
{
char* keystr = NULL;
- asprintf(&keystr, TDOMKEY_FMT, strupper_static(name));
-
+ asprintf_strupper_m(&keystr, TDOMKEY_FMT, name);
+
return keystr;
}
/**
* Store trusted domain in gencache as the domain name (key)
- * and ip address of domain controller (value)
+ * and trusted domain's SID (value)
*
* @param name trusted domain name
* @param alt_name alternative trusted domain name (used in ADS domains)
* false if store attempt failed
**/
-BOOL trustdom_cache_store(char* name, char* alt_name, const DOM_SID *sid,
- time_t timeout)
+bool trustdom_cache_store(const char *name, const char *alt_name,
+ const struct dom_sid *sid, time_t timeout)
{
char *key, *alt_key;
fstring sid_string;
- BOOL ret;
-
- /*
- * we use gecache call to avoid annoying debug messages
- * about initialised trustdom
- */
- if (!gencache_init())
- return False;
+ bool ret;
DEBUG(5, ("trustdom_store: storing SID %s of domain %s\n",
- sid_string_static(sid), name));
+ sid_string_dbg(sid), name));
key = trustdom_cache_key(name);
alt_key = alt_name ? trustdom_cache_key(alt_name) : NULL;
/* Generate string representation domain SID */
- sid_to_string(sid_string, sid);
+ sid_to_fstring(sid_string, sid);
/*
* try to put the names in the cache
/**
- * Fetch trusted domain's dc from the gencache.
+ * Fetch trusted domain's SID from the gencache.
* This routine can also be used to check whether given
* domain is currently trusted one.
*
* @return true if entry is found or
* false if has expired/doesn't exist
**/
-
-BOOL trustdom_cache_fetch(const char* name, DOM_SID* sid)
+
+bool trustdom_cache_fetch(const char* name, struct dom_sid* sid)
{
char *key = NULL, *value = NULL;
time_t timeout;
- /* init the cache */
- if (!gencache_init())
- return False;
-
/* exit now if null pointers were passed as they're required further */
if (!sid)
return False;
key = trustdom_cache_key(name);
if (!key)
return False;
-
- if (!gencache_get(key, &value, &timeout)) {
+
+ if (!gencache_get(key, talloc_tos(), &value, &timeout)) {
DEBUG(5, ("no entry for trusted domain %s found.\n", name));
SAFE_FREE(key);
return False;
DEBUG(5, ("trusted domain %s found (%s)\n", name, value));
}
- /* convert ip string representation into in_addr structure */
+ /* convert sid string representation into struct dom_sid structure */
if(! string_to_sid(sid, value)) {
sid = NULL;
- SAFE_FREE(value);
+ TALLOC_FREE(value);
return False;
}
-
- SAFE_FREE(value);
+
+ TALLOC_FREE(value);
return True;
}
time_t timeout;
uint32 timestamp;
- /* init the cache */
- if (!gencache_init())
- return False;
-
- if (!gencache_get(TDOMTSKEY, &value, &timeout)) {
+ if (!gencache_get(TDOMTSKEY, talloc_tos(), &value, &timeout)) {
DEBUG(5, ("no timestamp for trusted domain cache located.\n"));
SAFE_FREE(value);
return 0;
}
timestamp = atoi(value);
-
- SAFE_FREE(value);
+
+ TALLOC_FREE(value);
return timestamp;
}
store the timestamp from the last update
*******************************************************************/
-BOOL trustdom_cache_store_timestamp( uint32 t, time_t timeout )
+bool trustdom_cache_store_timestamp( uint32 t, time_t timeout )
{
fstring value;
- /* init the cache */
- if (!gencache_init())
- return False;
-
fstr_sprintf(value, "%d", t );
-
+
if (!gencache_set(TDOMTSKEY, value, timeout)) {
DEBUG(5, ("failed to set timestamp for trustdom_cache\n"));
return False;
void trustdom_cache_flush(void)
{
- if (!gencache_init())
- return;
-
/*
* iterate through each TDOM cache's entry and flush it
* by flush_trustdom_name function
DEBUG(5, ("Trusted domains cache flushed\n"));
}
+/*********************************************************************
+ Enumerate the list of trusted domains from a DC
+*********************************************************************/
+
+static bool enumerate_domain_trusts( TALLOC_CTX *mem_ctx, const char *domain,
+ char ***domain_names, uint32 *num_domains,
+ struct dom_sid **sids )
+{
+ struct policy_handle pol;
+ NTSTATUS status, result;
+ fstring dc_name;
+ struct sockaddr_storage dc_ss;
+ uint32 enum_ctx = 0;
+ struct cli_state *cli = NULL;
+ struct rpc_pipe_client *lsa_pipe = NULL;
+ struct lsa_DomainList dom_list;
+ int i;
+ struct dcerpc_binding_handle *b = NULL;
+
+ *domain_names = NULL;
+ *num_domains = 0;
+ *sids = NULL;
+
+ /* lookup a DC first */
+
+ if ( !get_dc_name(domain, NULL, dc_name, &dc_ss) ) {
+ DEBUG(3,("enumerate_domain_trusts: can't locate a DC for domain %s\n",
+ domain));
+ return False;
+ }
+
+ /* setup the anonymous connection */
+
+ status = cli_full_connection( &cli, lp_netbios_name(), dc_name, &dc_ss, 0, "IPC$", "IPC",
+ "", "", "", 0, Undefined);
+ if ( !NT_STATUS_IS_OK(status) )
+ goto done;
+
+ /* open the LSARPC_PIPE */
+
+ status = cli_rpc_pipe_open_noauth(cli, &ndr_table_lsarpc,
+ &lsa_pipe);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto done;
+ }
+
+ b = lsa_pipe->binding_handle;
+
+ /* get a handle */
+
+ status = rpccli_lsa_open_policy(lsa_pipe, mem_ctx, True,
+ LSA_POLICY_VIEW_LOCAL_INFORMATION, &pol);
+ if ( !NT_STATUS_IS_OK(status) )
+ goto done;
+
+ /* Lookup list of trusted domains */
+
+ status = dcerpc_lsa_EnumTrustDom(b, mem_ctx,
+ &pol,
+ &enum_ctx,
+ &dom_list,
+ (uint32_t)-1,
+ &result);
+ if ( !NT_STATUS_IS_OK(status) )
+ goto done;
+ if (!NT_STATUS_IS_OK(result)) {
+ status = result;
+ goto done;
+ }
+
+ *num_domains = dom_list.count;
+
+ *domain_names = talloc_zero_array(mem_ctx, char *, *num_domains);
+ if (!*domain_names) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ *sids = talloc_zero_array(mem_ctx, struct dom_sid, *num_domains);
+ if (!*sids) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ for (i=0; i< *num_domains; i++) {
+ (*domain_names)[i] = discard_const_p(char, dom_list.domains[i].name.string);
+ (*sids)[i] = *dom_list.domains[i].sid;
+ }
+
+done:
+ /* cleanup */
+ if (cli) {
+ DEBUG(10,("enumerate_domain_trusts: shutting down connection...\n"));
+ cli_shutdown( cli );
+ }
+
+ return NT_STATUS_IS_OK(status);
+}
+
/********************************************************************
update the trustdom_cache if needed
********************************************************************/
void update_trustdom_cache( void )
{
char **domain_names;
- DOM_SID *dom_sids;
+ struct dom_sid *dom_sids;
uint32 num_domains;
uint32 last_check;
int time_diff;
TALLOC_CTX *mem_ctx = NULL;
time_t now = time(NULL);
int i;
-
+
/* get the timestamp. We have to initialise it if the last timestamp == 0 */
if ( (last_check = trustdom_cache_fetch_timestamp()) == 0 )
trustdom_cache_store_timestamp(0, now+TRUSTDOM_UPDATE_INTERVAL);
time_diff = (int) (now - last_check);
-
+
if ( (time_diff > 0) && (time_diff < TRUSTDOM_UPDATE_INTERVAL) ) {
DEBUG(10,("update_trustdom_cache: not time to update trustdom_cache yet\n"));
return;
smbd from blocking all other smbd daemons while we
enumerate the trusted domains */
trustdom_cache_store_timestamp(now, now+TRUSTDOM_UPDATE_INTERVAL);
-
+
if ( !(mem_ctx = talloc_init("update_trustdom_cache")) ) {
DEBUG(0,("update_trustdom_cache: talloc_init() failed!\n"));
goto done;
}
/* get the domains and store them */
-
+
if ( enumerate_domain_trusts(mem_ctx, lp_workgroup(), &domain_names,
&num_domains, &dom_sids)) {
for ( i=0; i<num_domains; i++ ) {
done:
talloc_destroy( mem_ctx );
-
+
return;
}