s4:schannel merge code with s3
authorSimo Sorce <idra@samba.org>
Thu, 18 Feb 2010 20:11:25 +0000 (15:11 -0500)
committerSimo Sorce <idra@samba.org>
Tue, 23 Feb 2010 17:46:50 +0000 (12:46 -0500)
After looking at the s4 side of the (s)channel :) I found out that it makes
more sense to simply make it use the tdb based code than redo the same changes
done to s3 to simplify the interface.

Ldb is slow, to the point it needs haks to pre-open the db to speed it up, yet
that does not solve the lookup speed, with ldb it is always going to be slower.

Looking through the history it is evident that the schannel database doesn't
really need great expandability, and lookups are always done with a single
key. This seems a perfect fit for tdb, while ldb looks unnecessarily complicated.

The schannel database is not really a persistent one. It can be discared during
an upgrade without causing any real issue. all it contains is temproary session
data.

libcli/auth/config.mk
source4/auth/gensec/config.mk
source4/auth/gensec/schannel.c
source4/rpc_server/netlogon/dcerpc_netlogon.c
source4/smbd/server.c
source4/torture/rpc/samr.c

index bda9850db4b70a32e9b736dd426a23e20d627fe1..bc198f3f8e37f2cd2f6375006f5b26235f627dd0 100644 (file)
@@ -21,6 +21,6 @@ LIBCLI_AUTH_OBJ_FILES = $(addprefix $(libclicommonsrcdir)/auth/, \
 PUBLIC_HEADERS += ../libcli/auth/credentials.h
 
 [SUBSYSTEM::COMMON_SCHANNELDB]
 PUBLIC_HEADERS += ../libcli/auth/credentials.h
 
 [SUBSYSTEM::COMMON_SCHANNELDB]
-PRIVATE_DEPENDENCIES = LDB_WRAP
+PRIVATE_DEPENDENCIES = TDB_WRAP
 
 
-COMMON_SCHANNELDB_OBJ_FILES = $(addprefix $(libclicommonsrcdir)/auth/, schannel_state_ldb.o)
+COMMON_SCHANNELDB_OBJ_FILES = $(addprefix $(libclicommonsrcdir)/auth/, schannel_state_tdb.o)
index 947a91e8529a0c49fdf912344d40df23f9846013..6e86aab34f52709e77a0806b5147743211a41980 100644 (file)
@@ -67,7 +67,7 @@ $(eval $(call proto_header_template,$(gensecsrcdir)/spnego_proto.h,$(gensec_spne
 [MODULE::gensec_schannel]
 SUBSYSTEM = gensec
 INIT_FUNCTION = gensec_schannel_init
 [MODULE::gensec_schannel]
 SUBSYSTEM = gensec
 INIT_FUNCTION = gensec_schannel_init
-PRIVATE_DEPENDENCIES = SCHANNELDB NDR_SCHANNEL CREDENTIALS LIBNDR auth_session
+PRIVATE_DEPENDENCIES = COMMON_SCHANNELDB NDR_SCHANNEL CREDENTIALS LIBNDR auth_session
 OUTPUT_TYPE = MERGED_OBJ
 # End MODULE gensec_schannel
 ################################################
 OUTPUT_TYPE = MERGED_OBJ
 # End MODULE gensec_schannel
 ################################################
@@ -75,16 +75,6 @@ OUTPUT_TYPE = MERGED_OBJ
 gensec_schannel_OBJ_FILES = $(addprefix $(gensecsrcdir)/, schannel.o) ../libcli/auth/schannel_sign.o
 $(eval $(call proto_header_template,$(gensecsrcdir)/schannel_proto.h,$(gensec_schannel_OBJ_FILES:.o=.c)))
 
 gensec_schannel_OBJ_FILES = $(addprefix $(gensecsrcdir)/, schannel.o) ../libcli/auth/schannel_sign.o
 $(eval $(call proto_header_template,$(gensecsrcdir)/schannel_proto.h,$(gensec_schannel_OBJ_FILES:.o=.c)))
 
-################################################
-# Start SUBSYSTEM SCHANNELDB
-[SUBSYSTEM::SCHANNELDB]
-PRIVATE_DEPENDENCIES = LDB_WRAP COMMON_SCHANNELDB
-# End SUBSYSTEM SCHANNELDB
-################################################
-
-SCHANNELDB_OBJ_FILES = $(addprefix $(gensecsrcdir)/, schannel_state.o)
-$(eval $(call proto_header_template,$(gensecsrcdir)/schannel_state.h,$(SCHANNELDB_OBJ_FILES:.o=.c)))
-
 [PYTHON::pygensec]
 PRIVATE_DEPENDENCIES = gensec PYTALLOC pyparam_util
 LIBRARY_REALNAME = samba/gensec.$(SHLIBEXT)
 [PYTHON::pygensec]
 PRIVATE_DEPENDENCIES = gensec PYTALLOC pyparam_util
 LIBRARY_REALNAME = samba/gensec.$(SHLIBEXT)
index 7b8bdec27a7b15327b3178de12bc90b6499fd61b..939a383a04aca8b49e9184267168f4ee4ca0b921 100644 (file)
@@ -27,7 +27,6 @@
 #include "auth/gensec/gensec.h"
 #include "auth/gensec/gensec_proto.h"
 #include "../libcli/auth/schannel.h"
 #include "auth/gensec/gensec.h"
 #include "auth/gensec/gensec_proto.h"
 #include "../libcli/auth/schannel.h"
-#include "auth/gensec/schannel_state.h"
 #include "librpc/rpc/dcerpc.h"
 #include "param/param.h"
 
 #include "librpc/rpc/dcerpc.h"
 #include "param/param.h"
 
@@ -51,7 +50,6 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
        struct NL_AUTH_MESSAGE bind_schannel;
        struct NL_AUTH_MESSAGE bind_schannel_ack;
        struct netlogon_creds_CredentialState *creds;
        struct NL_AUTH_MESSAGE bind_schannel;
        struct NL_AUTH_MESSAGE bind_schannel_ack;
        struct netlogon_creds_CredentialState *creds;
-       struct ldb_context *schannel_ldb;
        const char *workstation;
        const char *domain;
        uint32_t required_flags;
        const char *workstation;
        const char *domain;
        uint32_t required_flags;
@@ -138,15 +136,10 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
                        return NT_STATUS_LOGON_FAILURE;
                }
 
                        return NT_STATUS_LOGON_FAILURE;
                }
 
-               schannel_ldb = schannel_db_connect(out_mem_ctx, gensec_security->event_ctx,
-                                                  gensec_security->settings->lp_ctx);
-               if (!schannel_ldb) {
-                       return NT_STATUS_ACCESS_DENIED;
-               }
-               /* pull the session key for this client */
-               status = schannel_fetch_session_key_ldb(schannel_ldb,
-                                                       out_mem_ctx, workstation, &creds);
-               talloc_unlink(out_mem_ctx, schannel_ldb);
+               status = schannel_get_creds_state(out_mem_ctx,
+                                                 gensec_security->settings->iconv_convenience,
+                                                 lp_private_dir(gensec_security->settings->lp_ctx),
+                                                 workstation, &creds);
                if (!NT_STATUS_IS_OK(status)) {
                        DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
                                  workstation, nt_errstr(status)));
                if (!NT_STATUS_IS_OK(status)) {
                        DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
                                  workstation, nt_errstr(status)));
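Review bot: The DEBUG(3) after the new schannel_get_creds_state() call still reports every failure as "Could not find session key", but the replacement collapses the former separate open-failure (NT_STATUS_ACCESS_DENIED) and lookup-failure paths into one status, so a missing or unreadable tdb under lp_private_dir() will now be logged as a per-workstation lookup miss. Keep the status but reword the message so it does not presume the cause, e.g. `DEBUG(3, ("schannel: could not fetch credential state for %s: %s\n", workstation, nt_errstr(status)));`. This is also a per-call open of a tdb that holds live session keys at the path from lp_private_dir(); it is worth confirming that schannel_state_tdb.c creates the file with a 0600 mode, which this diff does not show. schannel_update starts before and continues after this hunk.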
index 27186d8f0f0d14bd058809e7492a2ab5e758daf7..6f58e9c88cc5a307c13eebaeaab4681103c2d2dc 100644 (file)
@@ -28,7 +28,6 @@
 #include "dsdb/samdb/samdb.h"
 #include "../lib/util/util_ldb.h"
 #include "../libcli/auth/schannel.h"
 #include "dsdb/samdb/samdb.h"
 #include "../lib/util/util_ldb.h"
 #include "../libcli/auth/schannel.h"
-#include "auth/gensec/schannel_state.h"
 #include "libcli/security/security.h"
 #include "param/param.h"
 #include "lib/messaging/irpc.h"
 #include "libcli/security/security.h"
 #include "param/param.h"
 #include "lib/messaging/irpc.h"
@@ -75,7 +74,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
        struct netlogon_server_pipe_state *pipe_state =
                talloc_get_type(dce_call->context->private_data, struct netlogon_server_pipe_state);
        struct netlogon_creds_CredentialState *creds;
        struct netlogon_server_pipe_state *pipe_state =
                talloc_get_type(dce_call->context->private_data, struct netlogon_server_pipe_state);
        struct netlogon_creds_CredentialState *creds;
-       struct ldb_context *schannel_ldb;
        struct ldb_context *sam_ctx;
        struct samr_Password *mach_pwd;
        uint32_t user_account_control;
        struct ldb_context *sam_ctx;
        struct samr_Password *mach_pwd;
        uint32_t user_account_control;
@@ -248,13 +246,10 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
 
        creds->sid = samdb_result_dom_sid(creds, msgs[0], "objectSid");
 
 
        creds->sid = samdb_result_dom_sid(creds, msgs[0], "objectSid");
 
-       schannel_ldb = schannel_db_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx);
-       if (!schannel_ldb) {
-               return NT_STATUS_ACCESS_DENIED;
-       }
-
-       nt_status = schannel_store_session_key_ldb(schannel_ldb, mem_ctx, creds);
-       talloc_unlink(mem_ctx, schannel_ldb);
+       nt_status = schannel_save_creds_state(mem_ctx,
+                                             lp_iconv_convenience(dce_call->conn->dce_ctx->lp_ctx),
+                                             lp_private_dir(dce_call->conn->dce_ctx->lp_ctx),
+                                             creds);
 
        return nt_status;
 }
 
        return nt_status;
 }
@@ -352,7 +347,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
                                                    struct netlogon_creds_CredentialState **creds_out)
 {
        NTSTATUS nt_status;
                                                    struct netlogon_creds_CredentialState **creds_out)
 {
        NTSTATUS nt_status;
-       struct ldb_context *ldb;
        struct dcerpc_auth *auth_info = dce_call->conn->auth_state.auth_info;
        bool schannel_global_required = false; /* Should be lp_schannel_server() == true */
 
        struct dcerpc_auth *auth_info = dce_call->conn->auth_state.auth_info;
        bool schannel_global_required = false; /* Should be lp_schannel_server() == true */
 
@@ -365,15 +359,13 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
                }
        }
 
                }
        }
 
-       ldb = schannel_db_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx);
-       if (!ldb) {
-               return NT_STATUS_ACCESS_DENIED;
-       }
-       nt_status = schannel_creds_server_step_check_ldb(ldb, mem_ctx,
-                                                        computer_name,
-                                                        received_authenticator,
-                                                        return_authenticator, creds_out);
-       talloc_unlink(mem_ctx, ldb);
+       nt_status = schannel_check_creds_state(mem_ctx,
+                                              lp_iconv_convenience(dce_call->conn->dce_ctx->lp_ctx),
+                                              lp_private_dir(dce_call->conn->dce_ctx->lp_ctx),
+                                              computer_name,
+                                              received_authenticator,
+                                              return_authenticator,
+                                              creds_out);
        return nt_status;
 }
 
        return nt_status;
 }
 
@@ -697,12 +689,11 @@ static NTSTATUS dcesrv_netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call,
 {
        NTSTATUS nt_status;
        struct netlogon_creds_CredentialState *creds;
 {
        NTSTATUS nt_status;
        struct netlogon_creds_CredentialState *creds;
-       struct ldb_context *ldb = schannel_db_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx);
-       if (!ldb) {
-               return NT_STATUS_ACCESS_DENIED;
-       }
 
 
-       nt_status = schannel_fetch_session_key_ldb(ldb, mem_ctx, r->in.computer_name, &creds);
+       nt_status = schannel_get_creds_state(mem_ctx,
+                                            lp_iconv_convenience(dce_call->conn->dce_ctx->lp_ctx),
+                                            lp_private_dir(dce_call->conn->dce_ctx->lp_ctx),
+                                            r->in.computer_name, &creds);
        if (!NT_STATUS_IS_OK(nt_status)) {
                return nt_status;
        }
        if (!NT_STATUS_IS_OK(nt_status)) {
                return nt_status;
        }
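Review bot: In the dcesrv_netr_creds_server_step_check() hunk the authenticator verification and credential-chain step now happen inside one schannel_check_creds_state() call that opens the tdb itself, so the read–verify–step–write sequence is no longer visibly bracketed by a single database handle as it was with the ldb connection, and its atomicity now depends on that helper taking a record lock or tdb transaction, which this diff does not show. Two concurrent netlogon calls for the same computer_name must not both pass the check against the same stored credential, so please confirm that and record it at the call site, e.g. `/* schannel_check_creds_state() must verify and advance the chain under a tdb lock so a racing call for the same computer sees the stepped credential. */`. A similar note applies to dcesrv_netr_ServerAuthenticate3(), where schannel_save_creds_state() unconditionally replaces any existing record for the computer. All three functions touched in this section start or end outside their hunks.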
index ce278fdaf6a3035362ab723633e594ed6fb71323..83f6e7d8063c660f68297abfdba024c39101b002 100644 (file)
@@ -31,7 +31,6 @@
 #include "ntvfs/ntvfs.h"
 #include "ntptr/ntptr.h"
 #include "auth/gensec/gensec.h"
 #include "ntvfs/ntvfs.h"
 #include "ntptr/ntptr.h"
 #include "auth/gensec/gensec.h"
-#include "auth/gensec/schannel_state.h"
 #include "smbd/process_model.h"
 #include "param/secrets.h"
 #include "smbd/pidfile.h"
 #include "smbd/process_model.h"
 #include "param/secrets.h"
 #include "smbd/pidfile.h"
@@ -192,7 +191,6 @@ static void prime_ldb_databases(struct tevent_context *event_ctx)
 
        samdb_connect(db_context, event_ctx, cmdline_lp_ctx, system_session(cmdline_lp_ctx));
        privilege_connect(db_context, event_ctx, cmdline_lp_ctx);
 
        samdb_connect(db_context, event_ctx, cmdline_lp_ctx, system_session(cmdline_lp_ctx));
        privilege_connect(db_context, event_ctx, cmdline_lp_ctx);
-       schannel_db_connect(db_context, event_ctx, cmdline_lp_ctx);
 
        /* we deliberately leave these open, which allows them to be
         * re-used in ldb_wrap_connect() */
 
        /* we deliberately leave these open, which allows them to be
         * re-used in ldb_wrap_connect() */
index 62716da0cd929e9aca8965c60fb606ff893e26ab..41e12acc4038da58fd3c56d605ddd422e3adf10f 100644 (file)
@@ -36,7 +36,6 @@
 #include "auth/gensec/gensec.h"
 #include "auth/gensec/gensec_proto.h"
 #include "../libcli/auth/schannel.h"
 #include "auth/gensec/gensec.h"
 #include "auth/gensec/gensec_proto.h"
 #include "../libcli/auth/schannel.h"
-#include "auth/gensec/schannel_state.h"
 
 #include <unistd.h>
 
 
 #include <unistd.h>