2 Unix SMB/CIFS implementation.
4 Winbind cache backend functions
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Gerald Carter 2003
8 Copyright (C) Volker Lendecke 2005
9 Copyright (C) Guenther Deschner 2005
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 2 of the License, or
14 (at your option) any later version.
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
21 You should have received a copy of the GNU General Public License
22 along with this program; if not, write to the Free Software
23 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
30 #define DBGC_CLASS DBGC_WINBIND
32 /* Global online/offline state - False when online. winbindd starts up online
33 and sets this to true if the first query fails and there's an entry in
34 the cache tdb telling us to stay offline. */
36 static BOOL global_winbindd_offline_state;
38 struct winbind_cache {
44 uint32 sequence_number;
49 #define WINBINDD_MAX_CACHE_SIZE (50*1024*1024)
51 static struct winbind_cache *wcache;
53 void winbindd_check_cache_size(time_t t)
55 static time_t last_check_time;
58 if (last_check_time == (time_t)0)
61 if (t - last_check_time < 60 && t - last_check_time > 0)
64 if (wcache == NULL || wcache->tdb == NULL) {
65 DEBUG(0, ("Unable to check size of tdb cache - cache not open !\n"));
69 if (fstat(tdb_fd(wcache->tdb), &st) == -1) {
70 DEBUG(0, ("Unable to check size of tdb cache %s!\n", strerror(errno) ));
74 if (st.st_size > WINBINDD_MAX_CACHE_SIZE) {
75 DEBUG(10,("flushing cache due to size (%lu) > (%lu)\n",
76 (unsigned long)st.st_size,
77 (unsigned long)WINBINDD_MAX_CACHE_SIZE));
82 /* get the winbind_cache structure */
83 static struct winbind_cache *get_cache(struct winbindd_domain *domain)
85 struct winbind_cache *ret = wcache;
87 struct winbindd_domain *our_domain = domain;
90 /* we have to know what type of domain we are dealing with first */
92 if ( !domain->initialized )
93 init_dc_connection( domain );
96 OK. listen up becasue I'm only going to say this once.
97 We have the following scenarios to consider
98 (a) trusted AD domains on a Samba DC,
99 (b) trusted AD domains and we are joined to a non-kerberos domain
100 (c) trusted AD domains and we are joined to a kerberos (AD) domain
102 For (a) we can always contact the trusted domain using krb5
103 since we have the domain trust account password
105 For (b) we can only use RPC since we have no way of
106 getting a krb5 ticket in our own domain
108 For (c) we can always use krb5 since we have a kerberos trust
113 if (!domain->backend) {
114 extern struct winbindd_methods reconnect_methods;
116 extern struct winbindd_methods ads_methods;
118 /* find our domain first so we can figure out if we
119 are joined to a kerberized domain */
121 if ( !domain->primary )
122 our_domain = find_our_domain();
124 if ( (our_domain->active_directory || IS_DC) && domain->active_directory ) {
125 DEBUG(5,("get_cache: Setting ADS methods for domain %s\n", domain->name));
126 domain->backend = &ads_methods;
128 #endif /* HAVE_ADS */
129 DEBUG(5,("get_cache: Setting MS-RPC methods for domain %s\n", domain->name));
130 domain->backend = &reconnect_methods;
133 #endif /* HAVE_ADS */
139 ret = SMB_XMALLOC_P(struct winbind_cache);
143 wcache_flush_cache();
149 free a centry structure
151 static void centry_free(struct cache_entry *centry)
155 SAFE_FREE(centry->data);
160 pull a uint32 from a cache entry
162 static uint32 centry_uint32(struct cache_entry *centry)
165 if (centry->len - centry->ofs < 4) {
166 DEBUG(0,("centry corruption? needed 4 bytes, have %d\n",
167 centry->len - centry->ofs));
168 smb_panic("centry_uint32");
170 ret = IVAL(centry->data, centry->ofs);
176 pull a uint16 from a cache entry
178 static uint16 centry_uint16(struct cache_entry *centry)
181 if (centry->len - centry->ofs < 2) {
182 DEBUG(0,("centry corruption? needed 2 bytes, have %d\n",
183 centry->len - centry->ofs));
184 smb_panic("centry_uint16");
186 ret = CVAL(centry->data, centry->ofs);
192 pull a uint8 from a cache entry
194 static uint8 centry_uint8(struct cache_entry *centry)
197 if (centry->len - centry->ofs < 1) {
198 DEBUG(0,("centry corruption? needed 1 bytes, have %d\n",
199 centry->len - centry->ofs));
200 smb_panic("centry_uint32");
202 ret = CVAL(centry->data, centry->ofs);
208 pull a NTTIME from a cache entry
210 static NTTIME centry_nttime(struct cache_entry *centry)
213 if (centry->len - centry->ofs < 8) {
214 DEBUG(0,("centry corruption? needed 8 bytes, have %d\n",
215 centry->len - centry->ofs));
216 smb_panic("centry_nttime");
218 ret = IVAL(centry->data, centry->ofs);
220 ret += (uint64_t)IVAL(centry->data, centry->ofs) << 32;
226 pull a time_t from a cache entry
228 static time_t centry_time(struct cache_entry *centry)
231 if (centry->len - centry->ofs < sizeof(time_t)) {
232 DEBUG(0,("centry corruption? needed %u bytes, have %u\n",
233 (unsigned int)sizeof(time_t), (unsigned int)(centry->len - centry->ofs)));
234 smb_panic("centry_time");
236 ret = IVAL(centry->data, centry->ofs); /* FIXME: correct ? */
237 centry->ofs += sizeof(time_t);
241 /* pull a string from a cache entry, using the supplied
244 static char *centry_string(struct cache_entry *centry, TALLOC_CTX *mem_ctx)
249 len = centry_uint8(centry);
252 /* a deliberate NULL string */
256 if (centry->len - centry->ofs < len) {
257 DEBUG(0,("centry corruption? needed %d bytes, have %d\n",
258 len, centry->len - centry->ofs));
259 smb_panic("centry_string");
262 ret = TALLOC_ARRAY(mem_ctx, char, len+1);
264 smb_panic("centry_string out of memory\n");
266 memcpy(ret,centry->data + centry->ofs, len);
272 /* pull a hash16 from a cache entry, using the supplied
275 static char *centry_hash16(struct cache_entry *centry, TALLOC_CTX *mem_ctx)
280 len = centry_uint8(centry);
283 DEBUG(0,("centry corruption? hash len (%u) != 16\n",
288 if (centry->len - centry->ofs < 16) {
289 DEBUG(0,("centry corruption? needed 16 bytes, have %d\n",
290 centry->len - centry->ofs));
294 ret = TALLOC_ARRAY(mem_ctx, char, 16);
296 smb_panic("centry_hash out of memory\n");
298 memcpy(ret,centry->data + centry->ofs, 16);
303 /* pull a sid from a cache entry, using the supplied
306 static BOOL centry_sid(struct cache_entry *centry, TALLOC_CTX *mem_ctx, DOM_SID *sid)
309 sid_string = centry_string(centry, mem_ctx);
310 if ((sid_string == NULL) || (!string_to_sid(sid, sid_string))) {
316 /* the server is considered down if it can't give us a sequence number */
317 static BOOL wcache_server_down(struct winbindd_domain *domain)
324 ret = (domain->sequence_number == DOM_SEQUENCE_NONE);
327 DEBUG(10,("wcache_server_down: server for Domain %s down\n",
332 static NTSTATUS fetch_cache_seqnum( struct winbindd_domain *domain, time_t now )
339 DEBUG(10,("fetch_cache_seqnum: tdb == NULL\n"));
340 return NT_STATUS_UNSUCCESSFUL;
343 fstr_sprintf( key, "SEQNUM/%s", domain->name );
345 data = tdb_fetch_bystring( wcache->tdb, key );
346 if ( !data.dptr || data.dsize!=8 ) {
347 DEBUG(10,("fetch_cache_seqnum: invalid data size key [%s]\n", key ));
348 return NT_STATUS_UNSUCCESSFUL;
351 domain->sequence_number = IVAL(data.dptr, 0);
352 domain->last_seq_check = IVAL(data.dptr, 4);
354 SAFE_FREE(data.dptr);
356 /* have we expired? */
358 time_diff = now - domain->last_seq_check;
359 if ( time_diff > lp_winbind_cache_time() ) {
360 DEBUG(10,("fetch_cache_seqnum: timeout [%s][%u @ %u]\n",
361 domain->name, domain->sequence_number,
362 (uint32)domain->last_seq_check));
363 return NT_STATUS_UNSUCCESSFUL;
366 DEBUG(10,("fetch_cache_seqnum: success [%s][%u @ %u]\n",
367 domain->name, domain->sequence_number,
368 (uint32)domain->last_seq_check));
373 static NTSTATUS store_cache_seqnum( struct winbindd_domain *domain )
380 DEBUG(10,("store_cache_seqnum: tdb == NULL\n"));
381 return NT_STATUS_UNSUCCESSFUL;
384 fstr_sprintf( key_str, "SEQNUM/%s", domain->name );
386 key.dsize = strlen(key_str)+1;
388 SIVAL(buf, 0, domain->sequence_number);
389 SIVAL(buf, 4, domain->last_seq_check);
393 if ( tdb_store( wcache->tdb, key, data, TDB_REPLACE) == -1 ) {
394 DEBUG(10,("store_cache_seqnum: tdb_store fail key [%s]\n", key_str ));
395 return NT_STATUS_UNSUCCESSFUL;
398 DEBUG(10,("store_cache_seqnum: success [%s][%u @ %u]\n",
399 domain->name, domain->sequence_number,
400 (uint32)domain->last_seq_check));
406 refresh the domain sequence number. If force is True
407 then always refresh it, no matter how recently we fetched it
410 static void refresh_sequence_number(struct winbindd_domain *domain, BOOL force)
414 time_t t = time(NULL);
415 unsigned cache_time = lp_winbind_cache_time();
419 #if 0 /* JERRY -- disable as the default cache time is now 5 minutes */
420 /* trying to reconnect is expensive, don't do it too often */
421 if (domain->sequence_number == DOM_SEQUENCE_NONE) {
426 time_diff = t - domain->last_seq_check;
428 /* see if we have to refetch the domain sequence number */
429 if (!force && (time_diff < cache_time)) {
430 DEBUG(10, ("refresh_sequence_number: %s time ok\n", domain->name));
434 /* try to get the sequence number from the tdb cache first */
435 /* this will update the timestamp as well */
437 status = fetch_cache_seqnum( domain, t );
438 if ( NT_STATUS_IS_OK(status) )
441 /* important! make sure that we know if this is a native
442 mode domain or not */
444 status = domain->backend->sequence_number(domain, &domain->sequence_number);
446 /* the above call could have set our domain->backend to NULL when
447 * coming from offline to online mode, make sure to reinitialize the
448 * backend - Guenther */
451 if (!NT_STATUS_IS_OK(status)) {
452 DEBUG(10,("refresh_sequence_number: failed with %s\n", nt_errstr(status)));
453 domain->sequence_number = DOM_SEQUENCE_NONE;
456 domain->last_status = status;
457 domain->last_seq_check = time(NULL);
459 /* save the new sequence number ni the cache */
460 store_cache_seqnum( domain );
463 DEBUG(10, ("refresh_sequence_number: %s seq number is now %d\n",
464 domain->name, domain->sequence_number));
470 decide if a cache entry has expired
472 static BOOL centry_expired(struct winbindd_domain *domain, const char *keystr, struct cache_entry *centry)
474 /* If we've been told to be offline - stay in that state... */
475 if (lp_winbind_offline_logon() && global_winbindd_offline_state) {
476 DEBUG(10,("centry_expired: Key %s for domain %s valid as winbindd is globally offline.\n",
477 keystr, domain->name ));
481 /* when the domain is offline return the cached entry.
482 * This deals with transient offline states... */
484 if (!domain->online) {
485 DEBUG(10,("centry_expired: Key %s for domain %s valid as domain is offline.\n",
486 keystr, domain->name ));
490 /* if the server is OK and our cache entry came from when it was down then
491 the entry is invalid */
492 if ((domain->sequence_number != DOM_SEQUENCE_NONE) &&
493 (centry->sequence_number == DOM_SEQUENCE_NONE)) {
494 DEBUG(10,("centry_expired: Key %s for domain %s invalid sequence.\n",
495 keystr, domain->name ));
499 /* if the server is down or the cache entry is not older than the
500 current sequence number then it is OK */
501 if (wcache_server_down(domain) ||
502 centry->sequence_number == domain->sequence_number) {
503 DEBUG(10,("centry_expired: Key %s for domain %s is good.\n",
504 keystr, domain->name ));
508 DEBUG(10,("centry_expired: Key %s for domain %s expired\n",
509 keystr, domain->name ));
515 static struct cache_entry *wcache_fetch_raw(char *kstr)
518 struct cache_entry *centry;
522 key.dsize = strlen(kstr);
523 data = tdb_fetch(wcache->tdb, key);
529 centry = SMB_XMALLOC_P(struct cache_entry);
530 centry->data = (unsigned char *)data.dptr;
531 centry->len = data.dsize;
534 if (centry->len < 8) {
535 /* huh? corrupt cache? */
536 DEBUG(10,("wcache_fetch_raw: Corrupt cache for key %s (len < 8) ?\n", kstr));
541 centry->status = NT_STATUS(centry_uint32(centry));
542 centry->sequence_number = centry_uint32(centry);
548 fetch an entry from the cache, with a varargs key. auto-fetch the sequence
549 number and return status
551 static struct cache_entry *wcache_fetch(struct winbind_cache *cache,
552 struct winbindd_domain *domain,
553 const char *format, ...) PRINTF_ATTRIBUTE(3,4);
554 static struct cache_entry *wcache_fetch(struct winbind_cache *cache,
555 struct winbindd_domain *domain,
556 const char *format, ...)
560 struct cache_entry *centry;
562 extern BOOL opt_nocache;
568 refresh_sequence_number(domain, False);
570 va_start(ap, format);
571 smb_xvasprintf(&kstr, format, ap);
574 centry = wcache_fetch_raw(kstr);
575 if (centry == NULL) {
580 if (centry_expired(domain, kstr, centry)) {
582 DEBUG(10,("wcache_fetch: entry %s expired for domain %s\n",
583 kstr, domain->name ));
590 DEBUG(10,("wcache_fetch: returning entry %s for domain %s\n",
591 kstr, domain->name ));
597 static void wcache_delete(const char *format, ...) PRINTF_ATTRIBUTE(1,2);
598 static void wcache_delete(const char *format, ...)
604 va_start(ap, format);
605 smb_xvasprintf(&kstr, format, ap);
609 key.dsize = strlen(kstr);
611 tdb_delete(wcache->tdb, key);
616 make sure we have at least len bytes available in a centry
618 static void centry_expand(struct cache_entry *centry, uint32 len)
620 if (centry->len - centry->ofs >= len)
623 centry->data = SMB_REALLOC_ARRAY(centry->data, unsigned char,
626 DEBUG(0,("out of memory: needed %d bytes in centry_expand\n", centry->len));
627 smb_panic("out of memory in centry_expand");
632 push a uint32 into a centry
634 static void centry_put_uint32(struct cache_entry *centry, uint32 v)
636 centry_expand(centry, 4);
637 SIVAL(centry->data, centry->ofs, v);
642 push a uint16 into a centry
644 static void centry_put_uint16(struct cache_entry *centry, uint16 v)
646 centry_expand(centry, 2);
647 SIVAL(centry->data, centry->ofs, v);
652 push a uint8 into a centry
654 static void centry_put_uint8(struct cache_entry *centry, uint8 v)
656 centry_expand(centry, 1);
657 SCVAL(centry->data, centry->ofs, v);
662 push a string into a centry
664 static void centry_put_string(struct cache_entry *centry, const char *s)
669 /* null strings are marked as len 0xFFFF */
670 centry_put_uint8(centry, 0xFF);
675 /* can't handle more than 254 char strings. Truncating is probably best */
677 DEBUG(10,("centry_put_string: truncating len (%d) to: 254\n", len));
680 centry_put_uint8(centry, len);
681 centry_expand(centry, len);
682 memcpy(centry->data + centry->ofs, s, len);
687 push a 16 byte hash into a centry - treat as 16 byte string.
689 static void centry_put_hash16(struct cache_entry *centry, const uint8 val[16])
691 centry_put_uint8(centry, 16);
692 centry_expand(centry, 16);
693 memcpy(centry->data + centry->ofs, val, 16);
697 static void centry_put_sid(struct cache_entry *centry, const DOM_SID *sid)
700 centry_put_string(centry, sid_to_string(sid_string, sid));
704 push a NTTIME into a centry
706 static void centry_put_nttime(struct cache_entry *centry, NTTIME nt)
708 centry_expand(centry, 8);
709 SIVAL(centry->data, centry->ofs, nt & 0xFFFFFFFF);
711 SIVAL(centry->data, centry->ofs, nt >> 32);
716 push a time_t into a centry
718 static void centry_put_time(struct cache_entry *centry, time_t t)
720 centry_expand(centry, sizeof(time_t));
721 SIVAL(centry->data, centry->ofs, t); /* FIXME: is this correct ?? */
722 centry->ofs += sizeof(time_t);
726 start a centry for output. When finished, call centry_end()
728 struct cache_entry *centry_start(struct winbindd_domain *domain, NTSTATUS status)
730 struct cache_entry *centry;
735 centry = SMB_XMALLOC_P(struct cache_entry);
737 centry->len = 8192; /* reasonable default */
738 centry->data = SMB_XMALLOC_ARRAY(uint8, centry->len);
740 centry->sequence_number = domain->sequence_number;
741 centry_put_uint32(centry, NT_STATUS_V(status));
742 centry_put_uint32(centry, centry->sequence_number);
747 finish a centry and write it to the tdb
749 static void centry_end(struct cache_entry *centry, const char *format, ...) PRINTF_ATTRIBUTE(2,3);
750 static void centry_end(struct cache_entry *centry, const char *format, ...)
756 va_start(ap, format);
757 smb_xvasprintf(&kstr, format, ap);
761 key.dsize = strlen(kstr);
762 data.dptr = (char *)centry->data;
763 data.dsize = centry->ofs;
765 tdb_store(wcache->tdb, key, data, TDB_REPLACE);
769 static void wcache_save_name_to_sid(struct winbindd_domain *domain,
770 NTSTATUS status, const char *domain_name,
771 const char *name, const DOM_SID *sid,
772 enum lsa_SidType type)
774 struct cache_entry *centry;
777 centry = centry_start(domain, status);
780 centry_put_uint32(centry, type);
781 centry_put_sid(centry, sid);
782 fstrcpy(uname, name);
784 centry_end(centry, "NS/%s/%s", domain_name, uname);
785 DEBUG(10,("wcache_save_name_to_sid: %s\\%s -> %s\n", domain_name, uname,
786 sid_string_static(sid)));
790 static void wcache_save_sid_to_name(struct winbindd_domain *domain, NTSTATUS status,
791 const DOM_SID *sid, const char *domain_name, const char *name, enum lsa_SidType type)
793 struct cache_entry *centry;
796 if (is_null_sid(sid)) {
800 centry = centry_start(domain, status);
803 if (NT_STATUS_IS_OK(status)) {
804 centry_put_uint32(centry, type);
805 centry_put_string(centry, domain_name);
806 centry_put_string(centry, name);
808 centry_end(centry, "SN/%s", sid_to_string(sid_string, sid));
809 DEBUG(10,("wcache_save_sid_to_name: %s -> %s\n", sid_string, name));
814 static void wcache_save_user(struct winbindd_domain *domain, NTSTATUS status, WINBIND_USERINFO *info)
816 struct cache_entry *centry;
819 if (is_null_sid(&info->user_sid)) {
823 centry = centry_start(domain, status);
826 centry_put_string(centry, info->acct_name);
827 centry_put_string(centry, info->full_name);
828 centry_put_string(centry, info->homedir);
829 centry_put_string(centry, info->shell);
830 centry_put_sid(centry, &info->user_sid);
831 centry_put_sid(centry, &info->group_sid);
832 centry_end(centry, "U/%s", sid_to_string(sid_string, &info->user_sid));
833 DEBUG(10,("wcache_save_user: %s (acct_name %s)\n", sid_string, info->acct_name));
837 static void wcache_save_lockout_policy(struct winbindd_domain *domain, NTSTATUS status, SAM_UNK_INFO_12 *lockout_policy)
839 struct cache_entry *centry;
841 centry = centry_start(domain, status);
845 centry_put_nttime(centry, lockout_policy->duration);
846 centry_put_nttime(centry, lockout_policy->reset_count);
847 centry_put_uint16(centry, lockout_policy->bad_attempt_lockout);
849 centry_end(centry, "LOC_POL/%s", domain->name);
851 DEBUG(10,("wcache_save_lockout_policy: %s\n", domain->name));
856 static void wcache_save_password_policy(struct winbindd_domain *domain, NTSTATUS status, SAM_UNK_INFO_1 *policy)
858 struct cache_entry *centry;
860 centry = centry_start(domain, status);
864 centry_put_uint16(centry, policy->min_length_password);
865 centry_put_uint16(centry, policy->password_history);
866 centry_put_uint32(centry, policy->password_properties);
867 centry_put_nttime(centry, policy->expire);
868 centry_put_nttime(centry, policy->min_passwordage);
870 centry_end(centry, "PWD_POL/%s", domain->name);
872 DEBUG(10,("wcache_save_password_policy: %s\n", domain->name));
877 NTSTATUS wcache_cached_creds_exist(struct winbindd_domain *domain, const DOM_SID *sid)
879 struct winbind_cache *cache = get_cache(domain);
885 return NT_STATUS_INTERNAL_DB_ERROR;
888 if (is_null_sid(sid)) {
889 return NT_STATUS_INVALID_SID;
892 if (!(sid_peek_rid(sid, &rid)) || (rid == 0)) {
893 return NT_STATUS_INVALID_SID;
896 fstr_sprintf(key_str, "CRED/%s", sid_string_static(sid));
898 data = tdb_fetch(cache->tdb, make_tdb_data(key_str, strlen(key_str)));
900 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
903 SAFE_FREE(data.dptr);
907 /* Lookup creds for a SID - copes with old (unsalted) creds as well
908 as new salted ones. */
910 NTSTATUS wcache_get_creds(struct winbindd_domain *domain,
913 const uint8 **cached_nt_pass,
914 const uint8 **cached_salt)
916 struct winbind_cache *cache = get_cache(domain);
917 struct cache_entry *centry = NULL;
923 return NT_STATUS_INTERNAL_DB_ERROR;
926 if (is_null_sid(sid)) {
927 return NT_STATUS_INVALID_SID;
930 if (!(sid_peek_rid(sid, &rid)) || (rid == 0)) {
931 return NT_STATUS_INVALID_SID;
934 /* Try and get a salted cred first. If we can't
935 fall back to an unsalted cred. */
937 centry = wcache_fetch(cache, domain, "CRED/%s", sid_string_static(sid));
939 DEBUG(10,("wcache_get_creds: entry for [CRED/%s] not found\n",
940 sid_string_static(sid)));
941 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
944 t = centry_time(centry);
946 /* In the salted case this isn't actually the nt_hash itself,
947 but the MD5 of the salt + nt_hash. Let the caller
948 sort this out. It can tell as we only return the cached_salt
949 if we are returning a salted cred. */
951 *cached_nt_pass = (const uint8 *)centry_hash16(centry, mem_ctx);
952 if (*cached_nt_pass == NULL) {
953 const char *sidstr = sid_string_static(sid);
955 /* Bad (old) cred cache. Delete and pretend we
957 DEBUG(0,("wcache_get_creds: bad entry for [CRED/%s] - deleting\n",
959 wcache_delete("CRED/%s", sidstr);
961 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
964 /* We only have 17 bytes more data in the salted cred case. */
965 if (centry->len - centry->ofs == 17) {
966 *cached_salt = (const uint8 *)centry_hash16(centry, mem_ctx);
972 dump_data(100, (const char *)*cached_nt_pass, NT_HASH_LEN);
974 dump_data(100, (const char *)*cached_salt, NT_HASH_LEN);
977 status = centry->status;
979 DEBUG(10,("wcache_get_creds: [Cached] - cached creds for user %s status: %s\n",
980 sid_string_static(sid), nt_errstr(status) ));
986 /* Store creds for a SID - only writes out new salted ones. */
988 NTSTATUS wcache_save_creds(struct winbindd_domain *domain,
991 const uint8 nt_pass[NT_HASH_LEN])
993 struct cache_entry *centry;
996 uint8 cred_salt[NT_HASH_LEN];
997 uint8 salted_hash[NT_HASH_LEN];
999 if (is_null_sid(sid)) {
1000 return NT_STATUS_INVALID_SID;
1003 if (!(sid_peek_rid(sid, &rid)) || (rid == 0)) {
1004 return NT_STATUS_INVALID_SID;
1007 centry = centry_start(domain, NT_STATUS_OK);
1009 return NT_STATUS_INTERNAL_DB_ERROR;
1013 dump_data(100, (const char *)nt_pass, NT_HASH_LEN);
1016 centry_put_time(centry, time(NULL));
1018 /* Create a salt and then salt the hash. */
1019 generate_random_buffer(cred_salt, NT_HASH_LEN);
1020 E_md5hash(cred_salt, nt_pass, salted_hash);
1022 centry_put_hash16(centry, salted_hash);
1023 centry_put_hash16(centry, cred_salt);
1024 centry_end(centry, "CRED/%s", sid_to_string(sid_string, sid));
1026 DEBUG(10,("wcache_save_creds: %s\n", sid_string));
1028 centry_free(centry);
1030 return NT_STATUS_OK;
1034 /* Query display info. This is the basic user list fn */
1035 static NTSTATUS query_user_list(struct winbindd_domain *domain,
1036 TALLOC_CTX *mem_ctx,
1037 uint32 *num_entries,
1038 WINBIND_USERINFO **info)
1040 struct winbind_cache *cache = get_cache(domain);
1041 struct cache_entry *centry = NULL;
1043 unsigned int i, retry;
1048 centry = wcache_fetch(cache, domain, "UL/%s", domain->name);
1052 *num_entries = centry_uint32(centry);
1054 if (*num_entries == 0)
1057 (*info) = TALLOC_ARRAY(mem_ctx, WINBIND_USERINFO, *num_entries);
1059 smb_panic("query_user_list out of memory");
1060 for (i=0; i<(*num_entries); i++) {
1061 (*info)[i].acct_name = centry_string(centry, mem_ctx);
1062 (*info)[i].full_name = centry_string(centry, mem_ctx);
1063 (*info)[i].homedir = centry_string(centry, mem_ctx);
1064 (*info)[i].shell = centry_string(centry, mem_ctx);
1065 centry_sid(centry, mem_ctx, &(*info)[i].user_sid);
1066 centry_sid(centry, mem_ctx, &(*info)[i].group_sid);
1070 status = centry->status;
1072 DEBUG(10,("query_user_list: [Cached] - cached list for domain %s status: %s\n",
1073 domain->name, nt_errstr(status) ));
1075 centry_free(centry);
1082 /* Return status value returned by seq number check */
1084 if (!NT_STATUS_IS_OK(domain->last_status))
1085 return domain->last_status;
1087 /* Put the query_user_list() in a retry loop. There appears to be
1088 * some bug either with Windows 2000 or Samba's handling of large
1089 * rpc replies. This manifests itself as sudden disconnection
1090 * at a random point in the enumeration of a large (60k) user list.
1091 * The retry loop simply tries the operation again. )-: It's not
1092 * pretty but an acceptable workaround until we work out what the
1093 * real problem is. */
1098 DEBUG(10,("query_user_list: [Cached] - doing backend query for list for domain %s\n",
1101 status = domain->backend->query_user_list(domain, mem_ctx, num_entries, info);
1102 if (!NT_STATUS_IS_OK(status))
1103 DEBUG(3, ("query_user_list: returned 0x%08x, "
1104 "retrying\n", NT_STATUS_V(status)));
1105 if (NT_STATUS_EQUAL(status, NT_STATUS_UNSUCCESSFUL)) {
1106 DEBUG(3, ("query_user_list: flushing "
1107 "connection cache\n"));
1108 invalidate_cm_connection(&domain->conn);
1111 } while (NT_STATUS_V(status) == NT_STATUS_V(NT_STATUS_UNSUCCESSFUL) &&
1115 refresh_sequence_number(domain, False);
1116 centry = centry_start(domain, status);
1119 centry_put_uint32(centry, *num_entries);
1120 for (i=0; i<(*num_entries); i++) {
1121 centry_put_string(centry, (*info)[i].acct_name);
1122 centry_put_string(centry, (*info)[i].full_name);
1123 centry_put_string(centry, (*info)[i].homedir);
1124 centry_put_string(centry, (*info)[i].shell);
1125 centry_put_sid(centry, &(*info)[i].user_sid);
1126 centry_put_sid(centry, &(*info)[i].group_sid);
1127 if (domain->backend->consistent) {
1128 /* when the backend is consistent we can pre-prime some mappings */
1129 wcache_save_name_to_sid(domain, NT_STATUS_OK,
1131 (*info)[i].acct_name,
1132 &(*info)[i].user_sid,
1134 wcache_save_sid_to_name(domain, NT_STATUS_OK,
1135 &(*info)[i].user_sid,
1137 (*info)[i].acct_name,
1139 wcache_save_user(domain, NT_STATUS_OK, &(*info)[i]);
1142 centry_end(centry, "UL/%s", domain->name);
1143 centry_free(centry);
1149 /* list all domain groups */
1150 static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
1151 TALLOC_CTX *mem_ctx,
1152 uint32 *num_entries,
1153 struct acct_info **info)
1155 struct winbind_cache *cache = get_cache(domain);
1156 struct cache_entry *centry = NULL;
1163 centry = wcache_fetch(cache, domain, "GL/%s/domain", domain->name);
1167 *num_entries = centry_uint32(centry);
1169 if (*num_entries == 0)
1172 (*info) = TALLOC_ARRAY(mem_ctx, struct acct_info, *num_entries);
1174 smb_panic("enum_dom_groups out of memory");
1175 for (i=0; i<(*num_entries); i++) {
1176 fstrcpy((*info)[i].acct_name, centry_string(centry, mem_ctx));
1177 fstrcpy((*info)[i].acct_desc, centry_string(centry, mem_ctx));
1178 (*info)[i].rid = centry_uint32(centry);
1182 status = centry->status;
1184 DEBUG(10,("enum_dom_groups: [Cached] - cached list for domain %s status: %s\n",
1185 domain->name, nt_errstr(status) ));
1187 centry_free(centry);
1194 /* Return status value returned by seq number check */
1196 if (!NT_STATUS_IS_OK(domain->last_status))
1197 return domain->last_status;
1199 DEBUG(10,("enum_dom_groups: [Cached] - doing backend query for list for domain %s\n",
1202 status = domain->backend->enum_dom_groups(domain, mem_ctx, num_entries, info);
1205 refresh_sequence_number(domain, False);
1206 centry = centry_start(domain, status);
1209 centry_put_uint32(centry, *num_entries);
1210 for (i=0; i<(*num_entries); i++) {
1211 centry_put_string(centry, (*info)[i].acct_name);
1212 centry_put_string(centry, (*info)[i].acct_desc);
1213 centry_put_uint32(centry, (*info)[i].rid);
1215 centry_end(centry, "GL/%s/domain", domain->name);
1216 centry_free(centry);
1222 /* list all domain groups */
1223 static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
1224 TALLOC_CTX *mem_ctx,
1225 uint32 *num_entries,
1226 struct acct_info **info)
1228 struct winbind_cache *cache = get_cache(domain);
1229 struct cache_entry *centry = NULL;
1236 centry = wcache_fetch(cache, domain, "GL/%s/local", domain->name);
1240 *num_entries = centry_uint32(centry);
1242 if (*num_entries == 0)
1245 (*info) = TALLOC_ARRAY(mem_ctx, struct acct_info, *num_entries);
1247 smb_panic("enum_dom_groups out of memory");
1248 for (i=0; i<(*num_entries); i++) {
1249 fstrcpy((*info)[i].acct_name, centry_string(centry, mem_ctx));
1250 fstrcpy((*info)[i].acct_desc, centry_string(centry, mem_ctx));
1251 (*info)[i].rid = centry_uint32(centry);
1256 /* If we are returning cached data and the domain controller
1257 is down then we don't know whether the data is up to date
1258 or not. Return NT_STATUS_MORE_PROCESSING_REQUIRED to
1261 if (wcache_server_down(domain)) {
1262 DEBUG(10, ("enum_local_groups: returning cached user list and server was down\n"));
1263 status = NT_STATUS_MORE_PROCESSING_REQUIRED;
1265 status = centry->status;
1267 DEBUG(10,("enum_local_groups: [Cached] - cached list for domain %s status: %s\n",
1268 domain->name, nt_errstr(status) ));
1270 centry_free(centry);
1277 /* Return status value returned by seq number check */
1279 if (!NT_STATUS_IS_OK(domain->last_status))
1280 return domain->last_status;
1282 DEBUG(10,("enum_local_groups: [Cached] - doing backend query for list for domain %s\n",
1285 status = domain->backend->enum_local_groups(domain, mem_ctx, num_entries, info);
1288 refresh_sequence_number(domain, False);
1289 centry = centry_start(domain, status);
1292 centry_put_uint32(centry, *num_entries);
1293 for (i=0; i<(*num_entries); i++) {
1294 centry_put_string(centry, (*info)[i].acct_name);
1295 centry_put_string(centry, (*info)[i].acct_desc);
1296 centry_put_uint32(centry, (*info)[i].rid);
1298 centry_end(centry, "GL/%s/local", domain->name);
1299 centry_free(centry);
1305 /* convert a single name to a sid in a domain */
1306 static NTSTATUS name_to_sid(struct winbindd_domain *domain,
1307 TALLOC_CTX *mem_ctx,
1308 const char *domain_name,
1311 enum lsa_SidType *type)
1313 struct winbind_cache *cache = get_cache(domain);
1314 struct cache_entry *centry = NULL;
1321 fstrcpy(uname, name);
1323 centry = wcache_fetch(cache, domain, "NS/%s/%s", domain_name, uname);
1326 *type = (enum lsa_SidType)centry_uint32(centry);
1327 status = centry->status;
1328 if (NT_STATUS_IS_OK(status)) {
1329 centry_sid(centry, mem_ctx, sid);
1332 DEBUG(10,("name_to_sid: [Cached] - cached name for domain %s status: %s\n",
1333 domain->name, nt_errstr(status) ));
1335 centry_free(centry);
1341 /* If the seq number check indicated that there is a problem
1342 * with this DC, then return that status... except for
1343 * access_denied. This is special because the dc may be in
1344 * "restrict anonymous = 1" mode, in which case it will deny
1345 * most unauthenticated operations, but *will* allow the LSA
1346 * name-to-sid that we try as a fallback. */
1348 if (!(NT_STATUS_IS_OK(domain->last_status)
1349 || NT_STATUS_EQUAL(domain->last_status, NT_STATUS_ACCESS_DENIED)))
1350 return domain->last_status;
1352 DEBUG(10,("name_to_sid: [Cached] - doing backend query for name for domain %s\n",
1355 status = domain->backend->name_to_sid(domain, mem_ctx, domain_name, name, sid, type);
1358 refresh_sequence_number(domain, False);
1360 if (domain->online && !is_null_sid(sid)) {
1361 wcache_save_name_to_sid(domain, status, domain_name, name, sid, *type);
1364 if (NT_STATUS_IS_OK(status)) {
1365 strupper_m(CONST_DISCARD(char *,domain_name));
1366 strlower_m(CONST_DISCARD(char *,name));
1367 wcache_save_sid_to_name(domain, status, sid, domain_name, name, *type);
1373 /* convert a sid to a user or group name. The sid is guaranteed to be in the domain
1375 static NTSTATUS sid_to_name(struct winbindd_domain *domain,
1376 TALLOC_CTX *mem_ctx,
1380 enum lsa_SidType *type)
1382 struct winbind_cache *cache = get_cache(domain);
1383 struct cache_entry *centry = NULL;
1390 centry = wcache_fetch(cache, domain, "SN/%s", sid_to_string(sid_string, sid));
1393 if (NT_STATUS_IS_OK(centry->status)) {
1394 *type = (enum lsa_SidType)centry_uint32(centry);
1395 *domain_name = centry_string(centry, mem_ctx);
1396 *name = centry_string(centry, mem_ctx);
1398 status = centry->status;
1400 DEBUG(10,("sid_to_name: [Cached] - cached name for domain %s status: %s\n",
1401 domain->name, nt_errstr(status) ));
1403 centry_free(centry);
1408 *domain_name = NULL;
1410 /* If the seq number check indicated that there is a problem
1411 * with this DC, then return that status... except for
1412 * access_denied. This is special because the dc may be in
1413 * "restrict anonymous = 1" mode, in which case it will deny
1414 * most unauthenticated operations, but *will* allow the LSA
1415 * sid-to-name that we try as a fallback. */
1417 if (!(NT_STATUS_IS_OK(domain->last_status)
1418 || NT_STATUS_EQUAL(domain->last_status, NT_STATUS_ACCESS_DENIED)))
1419 return domain->last_status;
1421 DEBUG(10,("sid_to_name: [Cached] - doing backend query for name for domain %s\n",
1424 status = domain->backend->sid_to_name(domain, mem_ctx, sid, domain_name, name, type);
1427 refresh_sequence_number(domain, False);
1428 wcache_save_sid_to_name(domain, status, sid, *domain_name, *name, *type);
1430 /* We can't save the name to sid mapping here, as with sid history a
1431 * later name2sid would give the wrong sid. */
1436 static NTSTATUS rids_to_names(struct winbindd_domain *domain,
1437 TALLOC_CTX *mem_ctx,
1438 const DOM_SID *domain_sid,
1443 enum lsa_SidType **types)
1445 struct winbind_cache *cache = get_cache(domain);
1447 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1451 *domain_name = NULL;
1459 if (num_rids == 0) {
1460 return NT_STATUS_OK;
1463 *names = TALLOC_ARRAY(mem_ctx, char *, num_rids);
1464 *types = TALLOC_ARRAY(mem_ctx, enum lsa_SidType, num_rids);
1466 if ((*names == NULL) || (*types == NULL)) {
1467 result = NT_STATUS_NO_MEMORY;
1471 have_mapped = have_unmapped = False;
1473 for (i=0; i<num_rids; i++) {
1475 struct cache_entry *centry;
1477 if (!sid_compose(&sid, domain_sid, rids[i])) {
1478 result = NT_STATUS_INTERNAL_ERROR;
1482 centry = wcache_fetch(cache, domain, "SN/%s",
1483 sid_string_static(&sid));
1488 (*types)[i] = SID_NAME_UNKNOWN;
1489 (*names)[i] = talloc_strdup(*names, "");
1491 if (NT_STATUS_IS_OK(centry->status)) {
1494 (*types)[i] = (enum lsa_SidType)centry_uint32(centry);
1495 dom = centry_string(centry, mem_ctx);
1496 if (*domain_name == NULL) {
1501 (*names)[i] = centry_string(centry, *names);
1503 have_unmapped = True;
1506 centry_free(centry);
1510 return NT_STATUS_NONE_MAPPED;
1512 if (!have_unmapped) {
1513 return NT_STATUS_OK;
1515 return STATUS_SOME_UNMAPPED;
1519 TALLOC_FREE(*names);
1520 TALLOC_FREE(*types);
1522 result = domain->backend->rids_to_names(domain, mem_ctx, domain_sid,
1523 rids, num_rids, domain_name,
1526 if (!NT_STATUS_IS_OK(result) &&
1527 !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED)) {
1531 refresh_sequence_number(domain, False);
1533 for (i=0; i<num_rids; i++) {
1537 if (!sid_compose(&sid, domain_sid, rids[i])) {
1538 result = NT_STATUS_INTERNAL_ERROR;
1542 status = (*types)[i] == SID_NAME_UNKNOWN ?
1543 NT_STATUS_NONE_MAPPED : NT_STATUS_OK;
1545 wcache_save_sid_to_name(domain, status, &sid, *domain_name,
1546 (*names)[i], (*types)[i]);
1553 TALLOC_FREE(*names);
1554 TALLOC_FREE(*types);
1558 /* Lookup user information from a rid */
1559 static NTSTATUS query_user(struct winbindd_domain *domain,
1560 TALLOC_CTX *mem_ctx,
1561 const DOM_SID *user_sid,
1562 WINBIND_USERINFO *info)
1564 struct winbind_cache *cache = get_cache(domain);
1565 struct cache_entry *centry = NULL;
1571 centry = wcache_fetch(cache, domain, "U/%s", sid_string_static(user_sid));
1573 /* If we have an access denied cache entry and a cached info3 in the
1574 samlogon cache then do a query. This will force the rpc back end
1575 to return the info3 data. */
1577 if (NT_STATUS_V(domain->last_status) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED) &&
1578 netsamlogon_cache_have(user_sid)) {
1579 DEBUG(10, ("query_user: cached access denied and have cached info3\n"));
1580 domain->last_status = NT_STATUS_OK;
1581 centry_free(centry);
1588 info->acct_name = centry_string(centry, mem_ctx);
1589 info->full_name = centry_string(centry, mem_ctx);
1590 info->homedir = centry_string(centry, mem_ctx);
1591 info->shell = centry_string(centry, mem_ctx);
1592 centry_sid(centry, mem_ctx, &info->user_sid);
1593 centry_sid(centry, mem_ctx, &info->group_sid);
1594 status = centry->status;
1596 DEBUG(10,("query_user: [Cached] - cached info for domain %s status: %s\n",
1597 domain->name, nt_errstr(status) ));
1599 centry_free(centry);
1605 /* Return status value returned by seq number check */
1607 if (!NT_STATUS_IS_OK(domain->last_status))
1608 return domain->last_status;
1610 DEBUG(10,("sid_to_name: [Cached] - doing backend query for info for domain %s\n",
1613 status = domain->backend->query_user(domain, mem_ctx, user_sid, info);
1616 refresh_sequence_number(domain, False);
1617 wcache_save_user(domain, status, info);
1623 /* Lookup groups a user is a member of. */
1624 static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
1625 TALLOC_CTX *mem_ctx,
1626 const DOM_SID *user_sid,
1627 uint32 *num_groups, DOM_SID **user_gids)
1629 struct winbind_cache *cache = get_cache(domain);
1630 struct cache_entry *centry = NULL;
1638 centry = wcache_fetch(cache, domain, "UG/%s", sid_to_string(sid_string, user_sid));
1640 /* If we have an access denied cache entry and a cached info3 in the
1641 samlogon cache then do a query. This will force the rpc back end
1642 to return the info3 data. */
1644 if (NT_STATUS_V(domain->last_status) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED) &&
1645 netsamlogon_cache_have(user_sid)) {
1646 DEBUG(10, ("lookup_usergroups: cached access denied and have cached info3\n"));
1647 domain->last_status = NT_STATUS_OK;
1648 centry_free(centry);
1655 *num_groups = centry_uint32(centry);
1657 if (*num_groups == 0)
1660 (*user_gids) = TALLOC_ARRAY(mem_ctx, DOM_SID, *num_groups);
1662 smb_panic("lookup_usergroups out of memory");
1663 for (i=0; i<(*num_groups); i++) {
1664 centry_sid(centry, mem_ctx, &(*user_gids)[i]);
1668 status = centry->status;
1670 DEBUG(10,("lookup_usergroups: [Cached] - cached info for domain %s status: %s\n",
1671 domain->name, nt_errstr(status) ));
1673 centry_free(centry);
1678 (*user_gids) = NULL;
1680 /* Return status value returned by seq number check */
1682 if (!NT_STATUS_IS_OK(domain->last_status))
1683 return domain->last_status;
1685 DEBUG(10,("lookup_usergroups: [Cached] - doing backend query for info for domain %s\n",
1688 status = domain->backend->lookup_usergroups(domain, mem_ctx, user_sid, num_groups, user_gids);
1691 refresh_sequence_number(domain, False);
1692 centry = centry_start(domain, status);
1695 centry_put_uint32(centry, *num_groups);
1696 for (i=0; i<(*num_groups); i++) {
1697 centry_put_sid(centry, &(*user_gids)[i]);
1699 centry_end(centry, "UG/%s", sid_to_string(sid_string, user_sid));
1700 centry_free(centry);
1706 static NTSTATUS lookup_useraliases(struct winbindd_domain *domain,
1707 TALLOC_CTX *mem_ctx,
1708 uint32 num_sids, const DOM_SID *sids,
1709 uint32 *num_aliases, uint32 **alias_rids)
1711 struct winbind_cache *cache = get_cache(domain);
1712 struct cache_entry *centry = NULL;
1714 char *sidlist = talloc_strdup(mem_ctx, "");
1720 if (num_sids == 0) {
1723 return NT_STATUS_OK;
1726 /* We need to cache indexed by the whole list of SIDs, the aliases
1727 * resulting might come from any of the SIDs. */
1729 for (i=0; i<num_sids; i++) {
1730 sidlist = talloc_asprintf(mem_ctx, "%s/%s", sidlist,
1731 sid_string_static(&sids[i]));
1732 if (sidlist == NULL)
1733 return NT_STATUS_NO_MEMORY;
1736 centry = wcache_fetch(cache, domain, "UA%s", sidlist);
1741 *num_aliases = centry_uint32(centry);
1744 (*alias_rids) = TALLOC_ARRAY(mem_ctx, uint32, *num_aliases);
1746 if ((*num_aliases != 0) && ((*alias_rids) == NULL)) {
1747 centry_free(centry);
1748 return NT_STATUS_NO_MEMORY;
1751 for (i=0; i<(*num_aliases); i++)
1752 (*alias_rids)[i] = centry_uint32(centry);
1754 status = centry->status;
1756 DEBUG(10,("lookup_useraliases: [Cached] - cached info for domain: %s "
1757 "status %s\n", domain->name, nt_errstr(status)));
1759 centry_free(centry);
1764 (*alias_rids) = NULL;
1766 if (!NT_STATUS_IS_OK(domain->last_status))
1767 return domain->last_status;
1769 DEBUG(10,("lookup_usergroups: [Cached] - doing backend query for info "
1770 "for domain %s\n", domain->name ));
1772 status = domain->backend->lookup_useraliases(domain, mem_ctx,
1774 num_aliases, alias_rids);
1777 refresh_sequence_number(domain, False);
1778 centry = centry_start(domain, status);
1781 centry_put_uint32(centry, *num_aliases);
1782 for (i=0; i<(*num_aliases); i++)
1783 centry_put_uint32(centry, (*alias_rids)[i]);
1784 centry_end(centry, "UA%s", sidlist);
1785 centry_free(centry);
1792 static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
1793 TALLOC_CTX *mem_ctx,
1794 const DOM_SID *group_sid, uint32 *num_names,
1795 DOM_SID **sid_mem, char ***names,
1796 uint32 **name_types)
1798 struct winbind_cache *cache = get_cache(domain);
1799 struct cache_entry *centry = NULL;
1807 centry = wcache_fetch(cache, domain, "GM/%s", sid_to_string(sid_string, group_sid));
1811 *num_names = centry_uint32(centry);
1813 if (*num_names == 0)
1816 (*sid_mem) = TALLOC_ARRAY(mem_ctx, DOM_SID, *num_names);
1817 (*names) = TALLOC_ARRAY(mem_ctx, char *, *num_names);
1818 (*name_types) = TALLOC_ARRAY(mem_ctx, uint32, *num_names);
1820 if (! (*sid_mem) || ! (*names) || ! (*name_types)) {
1821 smb_panic("lookup_groupmem out of memory");
1824 for (i=0; i<(*num_names); i++) {
1825 centry_sid(centry, mem_ctx, &(*sid_mem)[i]);
1826 (*names)[i] = centry_string(centry, mem_ctx);
1827 (*name_types)[i] = centry_uint32(centry);
1831 status = centry->status;
1833 DEBUG(10,("lookup_groupmem: [Cached] - cached info for domain %s status: %s\n",
1834 domain->name, nt_errstr(status)));
1836 centry_free(centry);
1843 (*name_types) = NULL;
1845 /* Return status value returned by seq number check */
1847 if (!NT_STATUS_IS_OK(domain->last_status))
1848 return domain->last_status;
1850 DEBUG(10,("lookup_groupmem: [Cached] - doing backend query for info for domain %s\n",
1853 status = domain->backend->lookup_groupmem(domain, mem_ctx, group_sid, num_names,
1854 sid_mem, names, name_types);
1857 refresh_sequence_number(domain, False);
1858 centry = centry_start(domain, status);
1861 centry_put_uint32(centry, *num_names);
1862 for (i=0; i<(*num_names); i++) {
1863 centry_put_sid(centry, &(*sid_mem)[i]);
1864 centry_put_string(centry, (*names)[i]);
1865 centry_put_uint32(centry, (*name_types)[i]);
1867 centry_end(centry, "GM/%s", sid_to_string(sid_string, group_sid));
1868 centry_free(centry);
1874 /* find the sequence number for a domain */
1875 static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
1877 refresh_sequence_number(domain, False);
1879 *seq = domain->sequence_number;
1881 return NT_STATUS_OK;
1884 /* enumerate trusted domains
1885 * (we need to have the list of trustdoms in the cache when we go offline) -
1887 static NTSTATUS trusted_domains(struct winbindd_domain *domain,
1888 TALLOC_CTX *mem_ctx,
1889 uint32 *num_domains,
1894 struct winbind_cache *cache = get_cache(domain);
1895 struct cache_entry *centry = NULL;
1902 centry = wcache_fetch(cache, domain, "TRUSTDOMS/%s", domain->name);
1908 *num_domains = centry_uint32(centry);
1910 (*names) = TALLOC_ARRAY(mem_ctx, char *, *num_domains);
1911 (*alt_names) = TALLOC_ARRAY(mem_ctx, char *, *num_domains);
1912 (*dom_sids) = TALLOC_ARRAY(mem_ctx, DOM_SID, *num_domains);
1914 if (! (*dom_sids) || ! (*names) || ! (*alt_names)) {
1915 smb_panic("trusted_domains out of memory");
1918 for (i=0; i<(*num_domains); i++) {
1919 (*names)[i] = centry_string(centry, mem_ctx);
1920 (*alt_names)[i] = centry_string(centry, mem_ctx);
1921 centry_sid(centry, mem_ctx, &(*dom_sids)[i]);
1924 status = centry->status;
1926 DEBUG(10,("trusted_domains: [Cached] - cached info for domain %s (%d trusts) status: %s\n",
1927 domain->name, *num_domains, nt_errstr(status) ));
1929 centry_free(centry);
1936 (*alt_names) = NULL;
1938 /* Return status value returned by seq number check */
1940 if (!NT_STATUS_IS_OK(domain->last_status))
1941 return domain->last_status;
1943 DEBUG(10,("trusted_domains: [Cached] - doing backend query for info for domain %s\n",
1946 status = domain->backend->trusted_domains(domain, mem_ctx, num_domains,
1947 names, alt_names, dom_sids);
1949 /* no trusts gives NT_STATUS_NO_MORE_ENTRIES resetting to NT_STATUS_OK
1950 * so that the generic centry handling still applies correctly -
1953 if (!NT_STATUS_IS_ERR(status)) {
1954 status = NT_STATUS_OK;
1958 refresh_sequence_number(domain, False);
1960 centry = centry_start(domain, status);
1964 centry_put_uint32(centry, *num_domains);
1966 for (i=0; i<(*num_domains); i++) {
1967 centry_put_string(centry, (*names)[i]);
1968 centry_put_string(centry, (*alt_names)[i]);
1969 centry_put_sid(centry, &(*dom_sids)[i]);
1972 centry_end(centry, "TRUSTDOMS/%s", domain->name);
1974 centry_free(centry);
1980 /* get lockout policy */
1981 static NTSTATUS lockout_policy(struct winbindd_domain *domain,
1982 TALLOC_CTX *mem_ctx,
1983 SAM_UNK_INFO_12 *policy){
1984 struct winbind_cache *cache = get_cache(domain);
1985 struct cache_entry *centry = NULL;
1991 centry = wcache_fetch(cache, domain, "LOC_POL/%s", domain->name);
1996 policy->duration = centry_nttime(centry);
1997 policy->reset_count = centry_nttime(centry);
1998 policy->bad_attempt_lockout = centry_uint16(centry);
2000 status = centry->status;
2002 DEBUG(10,("lockout_policy: [Cached] - cached info for domain %s status: %s\n",
2003 domain->name, nt_errstr(status) ));
2005 centry_free(centry);
2009 ZERO_STRUCTP(policy);
2011 /* Return status value returned by seq number check */
2013 if (!NT_STATUS_IS_OK(domain->last_status))
2014 return domain->last_status;
2016 DEBUG(10,("lockout_policy: [Cached] - doing backend query for info for domain %s\n",
2019 status = domain->backend->lockout_policy(domain, mem_ctx, policy);
2022 refresh_sequence_number(domain, False);
2023 wcache_save_lockout_policy(domain, status, policy);
2028 /* get password policy */
2029 static NTSTATUS password_policy(struct winbindd_domain *domain,
2030 TALLOC_CTX *mem_ctx,
2031 SAM_UNK_INFO_1 *policy)
2033 struct winbind_cache *cache = get_cache(domain);
2034 struct cache_entry *centry = NULL;
2040 centry = wcache_fetch(cache, domain, "PWD_POL/%s", domain->name);
2045 policy->min_length_password = centry_uint16(centry);
2046 policy->password_history = centry_uint16(centry);
2047 policy->password_properties = centry_uint32(centry);
2048 policy->expire = centry_nttime(centry);
2049 policy->min_passwordage = centry_nttime(centry);
2051 status = centry->status;
2053 DEBUG(10,("lockout_policy: [Cached] - cached info for domain %s status: %s\n",
2054 domain->name, nt_errstr(status) ));
2056 centry_free(centry);
2060 ZERO_STRUCTP(policy);
2062 /* Return status value returned by seq number check */
2064 if (!NT_STATUS_IS_OK(domain->last_status))
2065 return domain->last_status;
2067 DEBUG(10,("password_policy: [Cached] - doing backend query for info for domain %s\n",
2070 status = domain->backend->password_policy(domain, mem_ctx, policy);
2073 refresh_sequence_number(domain, False);
2074 wcache_save_password_policy(domain, status, policy);
2080 /* Invalidate cached user and group lists coherently */
2082 static int traverse_fn(TDB_CONTEXT *the_tdb, TDB_DATA kbuf, TDB_DATA dbuf,
2085 if (strncmp(kbuf.dptr, "UL/", 3) == 0 ||
2086 strncmp(kbuf.dptr, "GL/", 3) == 0)
2087 tdb_delete(the_tdb, kbuf);
2092 /* Invalidate the getpwnam and getgroups entries for a winbindd domain */
2094 void wcache_invalidate_samlogon(struct winbindd_domain *domain,
2095 NET_USER_INFO_3 *info3)
2097 struct winbind_cache *cache;
2102 cache = get_cache(domain);
2103 netsamlogon_clear_cached_user(cache->tdb, info3);
2106 void wcache_invalidate_cache(void)
2108 struct winbindd_domain *domain;
2110 for (domain = domain_list(); domain; domain = domain->next) {
2111 struct winbind_cache *cache = get_cache(domain);
2113 DEBUG(10, ("wcache_invalidate_cache: invalidating cache "
2114 "entries for %s\n", domain->name));
2116 tdb_traverse(cache->tdb, traverse_fn, NULL);
2120 static BOOL init_wcache(void)
2122 if (wcache == NULL) {
2123 wcache = SMB_XMALLOC_P(struct winbind_cache);
2124 ZERO_STRUCTP(wcache);
2127 if (wcache->tdb != NULL)
2130 /* when working offline we must not clear the cache on restart */
2131 wcache->tdb = tdb_open_log(lock_path("winbindd_cache.tdb"),
2132 WINBINDD_CACHE_TDB_DEFAULT_HASH_SIZE,
2133 lp_winbind_offline_logon() ? TDB_DEFAULT : (TDB_DEFAULT | TDB_CLEAR_IF_FIRST),
2134 O_RDWR|O_CREAT, 0600);
2136 if (wcache->tdb == NULL) {
2137 DEBUG(0,("Failed to open winbindd_cache.tdb!\n"));
2144 void cache_store_response(pid_t pid, struct winbindd_response *response)
2151 DEBUG(10, ("Storing response for pid %d, len %d\n",
2152 pid, response->length));
2154 fstr_sprintf(key_str, "DR/%d", pid);
2155 if (tdb_store(wcache->tdb, string_tdb_data(key_str),
2156 make_tdb_data((const char *)response, sizeof(*response)),
2160 if (response->length == sizeof(*response))
2163 /* There's extra data */
2165 DEBUG(10, ("Storing extra data: len=%d\n",
2166 (int)(response->length - sizeof(*response))));
2168 fstr_sprintf(key_str, "DE/%d", pid);
2169 if (tdb_store(wcache->tdb, string_tdb_data(key_str),
2170 make_tdb_data((const char *)response->extra_data.data,
2171 response->length - sizeof(*response)),
2175 /* We could not store the extra data, make sure the tdb does not
2176 * contain a main record with wrong dangling extra data */
2178 fstr_sprintf(key_str, "DR/%d", pid);
2179 tdb_delete(wcache->tdb, string_tdb_data(key_str));
2184 BOOL cache_retrieve_response(pid_t pid, struct winbindd_response * response)
2192 DEBUG(10, ("Retrieving response for pid %d\n", pid));
2194 fstr_sprintf(key_str, "DR/%d", pid);
2195 data = tdb_fetch(wcache->tdb, string_tdb_data(key_str));
2197 if (data.dptr == NULL)
2200 if (data.dsize != sizeof(*response))
2203 memcpy(response, data.dptr, data.dsize);
2204 SAFE_FREE(data.dptr);
2206 if (response->length == sizeof(*response)) {
2207 response->extra_data.data = NULL;
2211 /* There's extra data */
2213 DEBUG(10, ("Retrieving extra data length=%d\n",
2214 (int)(response->length - sizeof(*response))));
2216 fstr_sprintf(key_str, "DE/%d", pid);
2217 data = tdb_fetch(wcache->tdb, string_tdb_data(key_str));
2219 if (data.dptr == NULL) {
2220 DEBUG(0, ("Did not find extra data\n"));
2224 if (data.dsize != (response->length - sizeof(*response))) {
2225 DEBUG(0, ("Invalid extra data length: %d\n", (int)data.dsize));
2226 SAFE_FREE(data.dptr);
2230 dump_data(11, data.dptr, data.dsize);
2232 response->extra_data.data = data.dptr;
2236 void cache_cleanup_response(pid_t pid)
2243 fstr_sprintf(key_str, "DR/%d", pid);
2244 tdb_delete(wcache->tdb, string_tdb_data(key_str));
2246 fstr_sprintf(key_str, "DE/%d", pid);
2247 tdb_delete(wcache->tdb, string_tdb_data(key_str));
2253 BOOL lookup_cached_sid(TALLOC_CTX *mem_ctx, const DOM_SID *sid,
2254 const char **domain_name, const char **name,
2255 enum lsa_SidType *type)
2257 struct winbindd_domain *domain;
2258 struct winbind_cache *cache;
2259 struct cache_entry *centry = NULL;
2262 domain = find_lookup_domain_from_sid(sid);
2263 if (domain == NULL) {
2267 cache = get_cache(domain);
2269 if (cache->tdb == NULL) {
2273 centry = wcache_fetch(cache, domain, "SN/%s", sid_string_static(sid));
2274 if (centry == NULL) {
2278 if (NT_STATUS_IS_OK(centry->status)) {
2279 *type = (enum lsa_SidType)centry_uint32(centry);
2280 *domain_name = centry_string(centry, mem_ctx);
2281 *name = centry_string(centry, mem_ctx);
2284 status = centry->status;
2285 centry_free(centry);
2286 return NT_STATUS_IS_OK(status);
2289 BOOL lookup_cached_name(TALLOC_CTX *mem_ctx,
2290 const char *domain_name,
2293 enum lsa_SidType *type)
2295 struct winbindd_domain *domain;
2296 struct winbind_cache *cache;
2297 struct cache_entry *centry = NULL;
2301 domain = find_lookup_domain_from_name(domain_name);
2302 if (domain == NULL) {
2306 cache = get_cache(domain);
2308 if (cache->tdb == NULL) {
2312 fstrcpy(uname, name);
2315 centry = wcache_fetch(cache, domain, "NS/%s/%s", domain_name, uname);
2316 if (centry == NULL) {
2320 if (NT_STATUS_IS_OK(centry->status)) {
2321 *type = (enum lsa_SidType)centry_uint32(centry);
2322 centry_sid(centry, mem_ctx, sid);
2325 status = centry->status;
2326 centry_free(centry);
2328 return NT_STATUS_IS_OK(status);
2331 void cache_name2sid(struct winbindd_domain *domain,
2332 const char *domain_name, const char *name,
2333 enum lsa_SidType type, const DOM_SID *sid)
2335 refresh_sequence_number(domain, False);
2336 wcache_save_name_to_sid(domain, NT_STATUS_OK, domain_name, name,
2340 /* delete all centries that don't have NT_STATUS_OK set */
2341 static int traverse_fn_cleanup(TDB_CONTEXT *the_tdb, TDB_DATA kbuf,
2342 TDB_DATA dbuf, void *state)
2344 struct cache_entry *centry;
2346 centry = wcache_fetch_raw(kbuf.dptr);
2351 if (!NT_STATUS_IS_OK(centry->status)) {
2352 DEBUG(10,("deleting centry %s\n", kbuf.dptr));
2353 tdb_delete(the_tdb, kbuf);
2356 centry_free(centry);
2360 /* flush the cache */
2361 void wcache_flush_cache(void)
2363 extern BOOL opt_nocache;
2368 tdb_close(wcache->tdb);
2374 /* when working offline we must not clear the cache on restart */
2375 wcache->tdb = tdb_open_log(lock_path("winbindd_cache.tdb"),
2376 WINBINDD_CACHE_TDB_DEFAULT_HASH_SIZE,
2377 lp_winbind_offline_logon() ? TDB_DEFAULT : (TDB_DEFAULT | TDB_CLEAR_IF_FIRST),
2378 O_RDWR|O_CREAT, 0600);
2381 DEBUG(0,("Failed to open winbindd_cache.tdb!\n"));
2385 tdb_traverse(wcache->tdb, traverse_fn_cleanup, NULL);
2387 DEBUG(10,("wcache_flush_cache success\n"));
2390 /* Count cached creds */
2392 static int traverse_fn_cached_creds(TDB_CONTEXT *the_tdb, TDB_DATA kbuf, TDB_DATA dbuf,
2395 int *cred_count = (int*)state;
2397 if (strncmp(kbuf.dptr, "CRED/", 5) == 0) {
2403 NTSTATUS wcache_count_cached_creds(struct winbindd_domain *domain, int *count)
2405 struct winbind_cache *cache = get_cache(domain);
2410 return NT_STATUS_INTERNAL_DB_ERROR;
2413 tdb_traverse(cache->tdb, traverse_fn_cached_creds, (void *)count);
2415 return NT_STATUS_OK;
2419 struct cred_list *prev, *next;
2424 static struct cred_list *wcache_cred_list;
2426 static int traverse_fn_get_credlist(TDB_CONTEXT *the_tdb, TDB_DATA kbuf, TDB_DATA dbuf,
2429 struct cred_list *cred;
2431 if (strncmp(kbuf.dptr, "CRED/", 5) == 0) {
2433 cred = SMB_MALLOC_P(struct cred_list);
2435 DEBUG(0,("traverse_fn_remove_first_creds: failed to malloc new entry for list\n"));
2441 /* save a copy of the key */
2443 fstrcpy(cred->name, kbuf.dptr);
2444 DLIST_ADD(wcache_cred_list, cred);
2450 NTSTATUS wcache_remove_oldest_cached_creds(struct winbindd_domain *domain, const DOM_SID *sid)
2452 struct winbind_cache *cache = get_cache(domain);
2455 struct cred_list *cred, *oldest = NULL;
2458 return NT_STATUS_INTERNAL_DB_ERROR;
2461 /* we possibly already have an entry */
2462 if (sid && NT_STATUS_IS_OK(wcache_cached_creds_exist(domain, sid))) {
2466 DEBUG(11,("we already have an entry, deleting that\n"));
2468 fstr_sprintf(key_str, "CRED/%s", sid_string_static(sid));
2470 tdb_delete(cache->tdb, string_tdb_data(key_str));
2472 return NT_STATUS_OK;
2475 ret = tdb_traverse(cache->tdb, traverse_fn_get_credlist, NULL);
2477 return NT_STATUS_OK;
2478 } else if ((ret == -1) || (wcache_cred_list == NULL)) {
2479 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2482 ZERO_STRUCTP(oldest);
2484 for (cred = wcache_cred_list; cred; cred = cred->next) {
2489 data = tdb_fetch(cache->tdb, make_tdb_data(cred->name, strlen(cred->name)));
2491 DEBUG(10,("wcache_remove_oldest_cached_creds: entry for [%s] not found\n",
2493 status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
2497 t = IVAL(data.dptr, 0);
2498 SAFE_FREE(data.dptr);
2501 oldest = SMB_MALLOC_P(struct cred_list);
2502 if (oldest == NULL) {
2503 status = NT_STATUS_NO_MEMORY;
2507 fstrcpy(oldest->name, cred->name);
2508 oldest->created = t;
2512 if (t < oldest->created) {
2513 fstrcpy(oldest->name, cred->name);
2514 oldest->created = t;
2518 if (tdb_delete(cache->tdb, string_tdb_data(oldest->name)) == 0) {
2519 status = NT_STATUS_OK;
2521 status = NT_STATUS_UNSUCCESSFUL;
2524 SAFE_FREE(wcache_cred_list);
2530 /* Change the global online/offline state. */
2531 BOOL set_global_winbindd_state_offline(void)
2535 DEBUG(10,("set_global_winbindd_state_offline: offline requested.\n"));
2537 /* Only go offline if someone has created
2538 the key "WINBINDD_OFFLINE" in the cache tdb. */
2540 if (wcache == NULL || wcache->tdb == NULL) {
2541 DEBUG(10,("set_global_winbindd_state_offline: wcache not open yet.\n"));
2545 if (!lp_winbind_offline_logon()) {
2546 DEBUG(10,("set_global_winbindd_state_offline: rejecting.\n"));
2550 if (global_winbindd_offline_state) {
2551 /* Already offline. */
2555 data = tdb_fetch_bystring( wcache->tdb, "WINBINDD_OFFLINE" );
2557 if (!data.dptr || data.dsize != 4) {
2558 DEBUG(10,("set_global_winbindd_state_offline: offline state not set.\n"));
2559 SAFE_FREE(data.dptr);
2562 DEBUG(10,("set_global_winbindd_state_offline: offline state set.\n"));
2563 global_winbindd_offline_state = True;
2564 SAFE_FREE(data.dptr);
2569 void set_global_winbindd_state_online(void)
2571 DEBUG(10,("set_global_winbindd_state_online: online requested.\n"));
2573 if (!lp_winbind_offline_logon()) {
2574 DEBUG(10,("set_global_winbindd_state_online: rejecting.\n"));
2578 if (!global_winbindd_offline_state) {
2579 /* Already online. */
2582 global_winbindd_offline_state = False;
2588 /* Ensure there is no key "WINBINDD_OFFLINE" in the cache tdb. */
2589 tdb_delete_bystring(wcache->tdb, "WINBINDD_OFFLINE");
2592 BOOL get_global_winbindd_state_offline(void)
2594 return global_winbindd_offline_state;
2597 /* the cache backend methods are exposed via this structure */
2598 struct winbindd_methods cache_methods = {
git.samba.org / sfrench / samba-autobuild / .git / blob