source: branches/samba-3.0/source/nsswitch/winbindd_cache.c@ 403

Last change on this file since 403 was 165, checked in by Paul Smedley, 17 years ago

Add 'missing' 3.0.34 diffs
File size: 66.9 KB
Line 
1/*
2 Unix SMB/CIFS implementation.
3
4 Winbind cache backend functions
5
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Gerald Carter 2003
8 Copyright (C) Volker Lendecke 2005
9 Copyright (C) Guenther Deschner 2005
10
11 This program is free software; you can redistribute it and/or modify
12 it under the terms of the GNU General Public License as published by
13 the Free Software Foundation; either version 2 of the License, or
14 (at your option) any later version.
15
16 This program is distributed in the hope that it will be useful,
17 but WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 GNU General Public License for more details.
20
21 You should have received a copy of the GNU General Public License
22 along with this program; if not, write to the Free Software
23 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24*/
25
26#include "includes.h"
27#include "winbindd.h"
28
29#undef DBGC_CLASS
30#define DBGC_CLASS DBGC_WINBIND
31
32#define WINBINDD_CACHE_VERSION 1
33#define WINBINDD_CACHE_VERSION_KEYSTR "WINBINDD_CACHE_VERSION"
34
35extern struct winbindd_methods reconnect_methods;
36extern BOOL opt_nocache;
37#ifdef HAVE_ADS
38extern struct winbindd_methods ads_methods;
39#endif
40extern struct winbindd_methods builtin_passdb_methods;
41
42/*
43 * JRA. KEEP THIS LIST UP TO DATE IF YOU ADD CACHE ENTRIES.
44 * Here are the list of entry types that are *not* stored
45 * as form struct cache_entry in the cache.
46 */
47
48static const char *non_centry_keys[] = {
49 "SEQNUM/",
50 "DR/",
51 "DE/",
52 "WINBINDD_OFFLINE",
53 WINBINDD_CACHE_VERSION_KEYSTR,
54 NULL
55};
56
57/************************************************************************
58 Is this key a non-centry type ?
59************************************************************************/
60
61static BOOL is_non_centry_key(TDB_DATA kbuf)
62{
63 int i;
64
65 if (kbuf.dptr == NULL || kbuf.dsize == 0) {
66 return False;
67 }
68 for (i = 0; non_centry_keys[i] != NULL; i++) {
69 size_t namelen = strlen(non_centry_keys[i]);
70 if (kbuf.dsize < namelen) {
71 continue;
72 }
73 if (strncmp(non_centry_keys[i], (const char *)kbuf.dptr, namelen) == 0) {
74 return True;
75 }
76 }
77 return False;
78}
79
80/* Global online/offline state - False when online. winbindd starts up online
81 and sets this to true if the first query fails and there's an entry in
82 the cache tdb telling us to stay offline. */
83
84static BOOL global_winbindd_offline_state;
85
86struct winbind_cache {
87 TDB_CONTEXT *tdb;
88};
89
90struct cache_entry {
91 NTSTATUS status;
92 uint32 sequence_number;
93 uint8 *data;
94 uint32 len, ofs;
95};
96
97#define WINBINDD_MAX_CACHE_SIZE (50*1024*1024)
98
99static struct winbind_cache *wcache;
100
101void winbindd_check_cache_size(time_t t)
102{
103 static time_t last_check_time;
104 struct stat st;
105
106 if (last_check_time == (time_t)0)
107 last_check_time = t;
108
109 if (t - last_check_time < 60 && t - last_check_time > 0)
110 return;
111
112 if (wcache == NULL || wcache->tdb == NULL) {
113 DEBUG(0, ("Unable to check size of tdb cache - cache not open !\n"));
114 return;
115 }
116
117 if (fstat(tdb_fd(wcache->tdb), &st) == -1) {
118 DEBUG(0, ("Unable to check size of tdb cache %s!\n", strerror(errno) ));
119 return;
120 }
121
122 if (st.st_size > WINBINDD_MAX_CACHE_SIZE) {
123 DEBUG(10,("flushing cache due to size (%lu) > (%lu)\n",
124 (unsigned long)st.st_size,
125 (unsigned long)WINBINDD_MAX_CACHE_SIZE));
126 wcache_flush_cache();
127 }
128}
129
130/* get the winbind_cache structure */
131static struct winbind_cache *get_cache(struct winbindd_domain *domain)
132{
133 struct winbind_cache *ret = wcache;
134#ifdef HAVE_ADS
135 struct winbindd_domain *our_domain = domain;
136#endif
137
138 /* We have to know what type of domain we are dealing with first. */
139
140 if (domain->internal) {
141 domain->backend = &builtin_passdb_methods;
142 domain->initialized = True;
143 }
144 if ( !domain->initialized ) {
145 init_dc_connection( domain );
146 }
147
148 /*
149 OK. listen up becasue I'm only going to say this once.
150 We have the following scenarios to consider
151 (a) trusted AD domains on a Samba DC,
152 (b) trusted AD domains and we are joined to a non-kerberos domain
153 (c) trusted AD domains and we are joined to a kerberos (AD) domain
154
155 For (a) we can always contact the trusted domain using krb5
156 since we have the domain trust account password
157
158 For (b) we can only use RPC since we have no way of
159 getting a krb5 ticket in our own domain
160
161 For (c) we can always use krb5 since we have a kerberos trust
162
163 --jerry
164 */
165
166 if (!domain->backend) {
167#ifdef HAVE_ADS
168 /* find our domain first so we can figure out if we
169 are joined to a kerberized domain */
170
171 if ( !domain->primary )
172 our_domain = find_our_domain();
173
174 if ( (our_domain->active_directory || IS_DC) && domain->active_directory ) {
175 DEBUG(5,("get_cache: Setting ADS methods for domain %s\n", domain->name));
176 domain->backend = &ads_methods;
177 } else {
178#endif /* HAVE_ADS */
179 DEBUG(5,("get_cache: Setting MS-RPC methods for domain %s\n", domain->name));
180 domain->backend = &reconnect_methods;
181#ifdef HAVE_ADS
182 }
183#endif /* HAVE_ADS */
184 }
185
186 if (ret)
187 return ret;
188
189 ret = SMB_XMALLOC_P(struct winbind_cache);
190 ZERO_STRUCTP(ret);
191
192 wcache = ret;
193 wcache_flush_cache();
194
195 return ret;
196}
197
198/*
199 free a centry structure
200*/
201static void centry_free(struct cache_entry *centry)
202{
203 if (!centry)
204 return;
205 SAFE_FREE(centry->data);
206 free(centry);
207}
208
209/*
210 pull a uint32 from a cache entry
211*/
212static uint32 centry_uint32(struct cache_entry *centry)
213{
214 uint32 ret;
215 if (centry->len - centry->ofs < 4) {
216 DEBUG(0,("centry corruption? needed 4 bytes, have %d\n",
217 centry->len - centry->ofs));
218 smb_panic("centry_uint32");
219 }
220 ret = IVAL(centry->data, centry->ofs);
221 centry->ofs += 4;
222 return ret;
223}
224
225/*
226 pull a uint16 from a cache entry
227*/
228static uint16 centry_uint16(struct cache_entry *centry)
229{
230 uint16 ret;
231 if (centry->len - centry->ofs < 2) {
232 DEBUG(0,("centry corruption? needed 2 bytes, have %d\n",
233 centry->len - centry->ofs));
234 smb_panic("centry_uint16");
235 }
236 ret = CVAL(centry->data, centry->ofs);
237 centry->ofs += 2;
238 return ret;
239}
240
241/*
242 pull a uint8 from a cache entry
243*/
244static uint8 centry_uint8(struct cache_entry *centry)
245{
246 uint8 ret;
247 if (centry->len - centry->ofs < 1) {
248 DEBUG(0,("centry corruption? needed 1 bytes, have %d\n",
249 centry->len - centry->ofs));
250 smb_panic("centry_uint32");
251 }
252 ret = CVAL(centry->data, centry->ofs);
253 centry->ofs += 1;
254 return ret;
255}
256
257/*
258 pull a NTTIME from a cache entry
259*/
260static NTTIME centry_nttime(struct cache_entry *centry)
261{
262 NTTIME ret;
263 if (centry->len - centry->ofs < 8) {
264 DEBUG(0,("centry corruption? needed 8 bytes, have %d\n",
265 centry->len - centry->ofs));
266 smb_panic("centry_nttime");
267 }
268 ret = IVAL(centry->data, centry->ofs);
269 centry->ofs += 4;
270 ret += (uint64_t)IVAL(centry->data, centry->ofs) << 32;
271 centry->ofs += 4;
272 return ret;
273}
274
275/*
276 pull a time_t from a cache entry. time_t stored portably as a 64-bit time.
277*/
278static time_t centry_time(struct cache_entry *centry)
279{
280 return (time_t)centry_nttime(centry);
281}
282
283/* pull a string from a cache entry, using the supplied
284 talloc context
285*/
286static char *centry_string(struct cache_entry *centry, TALLOC_CTX *mem_ctx)
287{
288 uint32 len;
289 char *ret;
290
291 len = centry_uint8(centry);
292
293 if (len == 0xFF) {
294 /* a deliberate NULL string */
295 return NULL;
296 }
297
298 if (centry->len - centry->ofs < len) {
299 DEBUG(0,("centry corruption? needed %d bytes, have %d\n",
300 len, centry->len - centry->ofs));
301 smb_panic("centry_string");
302 }
303
304 ret = TALLOC_ARRAY(mem_ctx, char, len+1);
305 if (!ret) {
306 smb_panic("centry_string out of memory\n");
307 }
308 memcpy(ret,centry->data + centry->ofs, len);
309 ret[len] = 0;
310 centry->ofs += len;
311 return ret;
312}
313
314/* pull a hash16 from a cache entry, using the supplied
315 talloc context
316*/
317static char *centry_hash16(struct cache_entry *centry, TALLOC_CTX *mem_ctx)
318{
319 uint32 len;
320 char *ret;
321
322 len = centry_uint8(centry);
323
324 if (len != 16) {
325 DEBUG(0,("centry corruption? hash len (%u) != 16\n",
326 len ));
327 return NULL;
328 }
329
330 if (centry->len - centry->ofs < 16) {
331 DEBUG(0,("centry corruption? needed 16 bytes, have %d\n",
332 centry->len - centry->ofs));
333 return NULL;
334 }
335
336 ret = TALLOC_ARRAY(mem_ctx, char, 16);
337 if (!ret) {
338 smb_panic("centry_hash out of memory\n");
339 }
340 memcpy(ret,centry->data + centry->ofs, 16);
341 centry->ofs += 16;
342 return ret;
343}
344
345/* pull a sid from a cache entry, using the supplied
346 talloc context
347*/
348static BOOL centry_sid(struct cache_entry *centry, TALLOC_CTX *mem_ctx, DOM_SID *sid)
349{
350 char *sid_string;
351 sid_string = centry_string(centry, mem_ctx);
352 if ((sid_string == NULL) || (!string_to_sid(sid, sid_string))) {
353 return False;
354 }
355 return True;
356}
357
358/* the server is considered down if it can't give us a sequence number */
359static BOOL wcache_server_down(struct winbindd_domain *domain)
360{
361 BOOL ret;
362
363 if (!wcache->tdb)
364 return False;
365
366 ret = (domain->sequence_number == DOM_SEQUENCE_NONE);
367
368 if (ret)
369 DEBUG(10,("wcache_server_down: server for Domain %s down\n",
370 domain->name ));
371 return ret;
372}
373
374static NTSTATUS fetch_cache_seqnum( struct winbindd_domain *domain, time_t now )
375{
376 TDB_DATA data;
377 fstring key;
378 uint32 time_diff;
379
380 if (!wcache->tdb) {
381 DEBUG(10,("fetch_cache_seqnum: tdb == NULL\n"));
382 return NT_STATUS_UNSUCCESSFUL;
383 }
384
385 fstr_sprintf( key, "SEQNUM/%s", domain->name );
386
387 data = tdb_fetch_bystring( wcache->tdb, key );
388 if ( !data.dptr || data.dsize!=8 ) {
389 DEBUG(10,("fetch_cache_seqnum: invalid data size key [%s]\n", key ));
390 return NT_STATUS_UNSUCCESSFUL;
391 }
392
393 domain->sequence_number = IVAL(data.dptr, 0);
394 domain->last_seq_check = IVAL(data.dptr, 4);
395
396 SAFE_FREE(data.dptr);
397
398 /* have we expired? */
399
400 time_diff = now - domain->last_seq_check;
401 if ( time_diff > lp_winbind_cache_time() ) {
402 DEBUG(10,("fetch_cache_seqnum: timeout [%s][%u @ %u]\n",
403 domain->name, domain->sequence_number,
404 (uint32)domain->last_seq_check));
405 return NT_STATUS_UNSUCCESSFUL;
406 }
407
408 DEBUG(10,("fetch_cache_seqnum: success [%s][%u @ %u]\n",
409 domain->name, domain->sequence_number,
410 (uint32)domain->last_seq_check));
411
412 return NT_STATUS_OK;
413}
414
415static NTSTATUS store_cache_seqnum( struct winbindd_domain *domain )
416{
417 TDB_DATA data;
418 fstring key_str;
419 char buf[8];
420
421 if (!wcache->tdb) {
422 DEBUG(10,("store_cache_seqnum: tdb == NULL\n"));
423 return NT_STATUS_UNSUCCESSFUL;
424 }
425
426 fstr_sprintf( key_str, "SEQNUM/%s", domain->name );
427
428 SIVAL(buf, 0, domain->sequence_number);
429 SIVAL(buf, 4, domain->last_seq_check);
430 data.dptr = buf;
431 data.dsize = 8;
432
433 if ( tdb_store_bystring( wcache->tdb, key_str, data, TDB_REPLACE) == -1 ) {
434 DEBUG(10,("store_cache_seqnum: tdb_store fail key [%s]\n", key_str ));
435 return NT_STATUS_UNSUCCESSFUL;
436 }
437
438 DEBUG(10,("store_cache_seqnum: success [%s][%u @ %u]\n",
439 domain->name, domain->sequence_number,
440 (uint32)domain->last_seq_check));
441
442 return NT_STATUS_OK;
443}
444
445/*
446 refresh the domain sequence number. If force is True
447 then always refresh it, no matter how recently we fetched it
448*/
449
450static void refresh_sequence_number(struct winbindd_domain *domain, BOOL force)
451{
452 NTSTATUS status;
453 unsigned time_diff;
454 time_t t = time(NULL);
455 unsigned cache_time = lp_winbind_cache_time();
456
457 get_cache( domain );
458
459#if 0 /* JERRY -- disable as the default cache time is now 5 minutes */
460 /* trying to reconnect is expensive, don't do it too often */
461 if (domain->sequence_number == DOM_SEQUENCE_NONE) {
462 cache_time *= 8;
463 }
464#endif
465
466 time_diff = t - domain->last_seq_check;
467
468 /* see if we have to refetch the domain sequence number */
469 if (!force && (time_diff < cache_time)) {
470 DEBUG(10, ("refresh_sequence_number: %s time ok\n", domain->name));
471 goto done;
472 }
473
474 /* try to get the sequence number from the tdb cache first */
475 /* this will update the timestamp as well */
476
477 status = fetch_cache_seqnum( domain, t );
478 if ( NT_STATUS_IS_OK(status) )
479 goto done;
480
481 /* important! make sure that we know if this is a native
482 mode domain or not */
483
484 status = domain->backend->sequence_number(domain, &domain->sequence_number);
485
486 /* the above call could have set our domain->backend to NULL when
487 * coming from offline to online mode, make sure to reinitialize the
488 * backend - Guenther */
489 get_cache( domain );
490
491 if (!NT_STATUS_IS_OK(status)) {
492 DEBUG(10,("refresh_sequence_number: failed with %s\n", nt_errstr(status)));
493 domain->sequence_number = DOM_SEQUENCE_NONE;
494 }
495
496 domain->last_status = status;
497 domain->last_seq_check = time(NULL);
498
499 /* save the new sequence number ni the cache */
500 store_cache_seqnum( domain );
501
502done:
503 DEBUG(10, ("refresh_sequence_number: %s seq number is now %d\n",
504 domain->name, domain->sequence_number));
505
506 return;
507}
508
509/*
510 decide if a cache entry has expired
511*/
512static BOOL centry_expired(struct winbindd_domain *domain, const char *keystr, struct cache_entry *centry)
513{
514 /* If we've been told to be offline - stay in that state... */
515 if (lp_winbind_offline_logon() && global_winbindd_offline_state) {
516 DEBUG(10,("centry_expired: Key %s for domain %s valid as winbindd is globally offline.\n",
517 keystr, domain->name ));
518 return False;
519 }
520
521 /* when the domain is offline return the cached entry.
522 * This deals with transient offline states... */
523
524 if (!domain->online) {
525 DEBUG(10,("centry_expired: Key %s for domain %s valid as domain is offline.\n",
526 keystr, domain->name ));
527 return False;
528 }
529
530 /* if the server is OK and our cache entry came from when it was down then
531 the entry is invalid */
532 if ((domain->sequence_number != DOM_SEQUENCE_NONE) &&
533 (centry->sequence_number == DOM_SEQUENCE_NONE)) {
534 DEBUG(10,("centry_expired: Key %s for domain %s invalid sequence.\n",
535 keystr, domain->name ));
536 return True;
537 }
538
539 /* if the server is down or the cache entry is not older than the
540 current sequence number then it is OK */
541 if (wcache_server_down(domain) ||
542 centry->sequence_number == domain->sequence_number) {
543 DEBUG(10,("centry_expired: Key %s for domain %s is good.\n",
544 keystr, domain->name ));
545 return False;
546 }
547
548 DEBUG(10,("centry_expired: Key %s for domain %s expired\n",
549 keystr, domain->name ));
550
551 /* it's expired */
552 return True;
553}
554
555static struct cache_entry *wcache_fetch_raw(char *kstr)
556{
557 TDB_DATA data;
558 struct cache_entry *centry;
559 TDB_DATA key;
560
561 key.dptr = kstr;
562 key.dsize = strlen(kstr);
563 data = tdb_fetch(wcache->tdb, key);
564 if (!data.dptr) {
565 /* a cache miss */
566 return NULL;
567 }
568
569 centry = SMB_XMALLOC_P(struct cache_entry);
570 centry->data = (unsigned char *)data.dptr;
571 centry->len = data.dsize;
572 centry->ofs = 0;
573
574 if (centry->len < 8) {
575 /* huh? corrupt cache? */
576 DEBUG(10,("wcache_fetch_raw: Corrupt cache for key %s (len < 8) ?\n", kstr));
577 centry_free(centry);
578 return NULL;
579 }
580
581 centry->status = NT_STATUS(centry_uint32(centry));
582 centry->sequence_number = centry_uint32(centry);
583
584 return centry;
585}
586
587/*
588 fetch an entry from the cache, with a varargs key. auto-fetch the sequence
589 number and return status
590*/
591static struct cache_entry *wcache_fetch(struct winbind_cache *cache,
592 struct winbindd_domain *domain,
593 const char *format, ...) PRINTF_ATTRIBUTE(3,4);
594static struct cache_entry *wcache_fetch(struct winbind_cache *cache,
595 struct winbindd_domain *domain,
596 const char *format, ...)
597{
598 va_list ap;
599 char *kstr;
600 struct cache_entry *centry;
601
602 if (opt_nocache) {
603 return NULL;
604 }
605
606 refresh_sequence_number(domain, False);
607
608 va_start(ap, format);
609 smb_xvasprintf(&kstr, format, ap);
610 va_end(ap);
611
612 centry = wcache_fetch_raw(kstr);
613 if (centry == NULL) {
614 free(kstr);
615 return NULL;
616 }
617
618 if (centry_expired(domain, kstr, centry)) {
619
620 DEBUG(10,("wcache_fetch: entry %s expired for domain %s\n",
621 kstr, domain->name ));
622
623 centry_free(centry);
624 free(kstr);
625 return NULL;
626 }
627
628 DEBUG(10,("wcache_fetch: returning entry %s for domain %s\n",
629 kstr, domain->name ));
630
631 free(kstr);
632 return centry;
633}
634
635static void wcache_delete(const char *format, ...) PRINTF_ATTRIBUTE(1,2);
636static void wcache_delete(const char *format, ...)
637{
638 va_list ap;
639 char *kstr;
640 TDB_DATA key;
641
642 va_start(ap, format);
643 smb_xvasprintf(&kstr, format, ap);
644 va_end(ap);
645
646 key.dptr = kstr;
647 key.dsize = strlen(kstr);
648
649 tdb_delete(wcache->tdb, key);
650 free(kstr);
651}
652
653/*
654 make sure we have at least len bytes available in a centry
655*/
656static void centry_expand(struct cache_entry *centry, uint32 len)
657{
658 if (centry->len - centry->ofs >= len)
659 return;
660 centry->len *= 2;
661 centry->data = SMB_REALLOC_ARRAY(centry->data, unsigned char,
662 centry->len);
663 if (!centry->data) {
664 DEBUG(0,("out of memory: needed %d bytes in centry_expand\n", centry->len));
665 smb_panic("out of memory in centry_expand");
666 }
667}
668
669/*
670 push a uint32 into a centry
671*/
672static void centry_put_uint32(struct cache_entry *centry, uint32 v)
673{
674 centry_expand(centry, 4);
675 SIVAL(centry->data, centry->ofs, v);
676 centry->ofs += 4;
677}
678
679/*
680 push a uint16 into a centry
681*/
682static void centry_put_uint16(struct cache_entry *centry, uint16 v)
683{
684 centry_expand(centry, 2);
685 SIVAL(centry->data, centry->ofs, v);
686 centry->ofs += 2;
687}
688
689/*
690 push a uint8 into a centry
691*/
692static void centry_put_uint8(struct cache_entry *centry, uint8 v)
693{
694 centry_expand(centry, 1);
695 SCVAL(centry->data, centry->ofs, v);
696 centry->ofs += 1;
697}
698
699/*
700 push a string into a centry
701 */
702static void centry_put_string(struct cache_entry *centry, const char *s)
703{
704 int len;
705
706 if (!s) {
707 /* null strings are marked as len 0xFFFF */
708 centry_put_uint8(centry, 0xFF);
709 return;
710 }
711
712 len = strlen(s);
713 /* can't handle more than 254 char strings. Truncating is probably best */
714 if (len > 254) {
715 DEBUG(10,("centry_put_string: truncating len (%d) to: 254\n", len));
716 len = 254;
717 }
718 centry_put_uint8(centry, len);
719 centry_expand(centry, len);
720 memcpy(centry->data + centry->ofs, s, len);
721 centry->ofs += len;
722}
723
724/*
725 push a 16 byte hash into a centry - treat as 16 byte string.
726 */
727static void centry_put_hash16(struct cache_entry *centry, const uint8 val[16])
728{
729 centry_put_uint8(centry, 16);
730 centry_expand(centry, 16);
731 memcpy(centry->data + centry->ofs, val, 16);
732 centry->ofs += 16;
733}
734
735static void centry_put_sid(struct cache_entry *centry, const DOM_SID *sid)
736{
737 fstring sid_string;
738 centry_put_string(centry, sid_to_string(sid_string, sid));
739}
740
741/*
742 push a NTTIME into a centry
743*/
744static void centry_put_nttime(struct cache_entry *centry, NTTIME nt)
745{
746 centry_expand(centry, 8);
747 SIVAL(centry->data, centry->ofs, nt & 0xFFFFFFFF);
748 centry->ofs += 4;
749 SIVAL(centry->data, centry->ofs, nt >> 32);
750 centry->ofs += 4;
751}
752
753/*
754 push a time_t into a centry - use a 64 bit size.
755 NTTIME here is being used as a convenient 64-bit size.
756*/
757static void centry_put_time(struct cache_entry *centry, time_t t)
758{
759 NTTIME nt = (NTTIME)t;
760 centry_put_nttime(centry, nt);
761}
762
763/*
764 start a centry for output. When finished, call centry_end()
765*/
766struct cache_entry *centry_start(struct winbindd_domain *domain, NTSTATUS status)
767{
768 struct cache_entry *centry;
769
770 if (!wcache->tdb)
771 return NULL;
772
773 centry = SMB_XMALLOC_P(struct cache_entry);
774
775 centry->len = 8192; /* reasonable default */
776 centry->data = SMB_XMALLOC_ARRAY(uint8, centry->len);
777 centry->ofs = 0;
778 centry->sequence_number = domain->sequence_number;
779 centry_put_uint32(centry, NT_STATUS_V(status));
780 centry_put_uint32(centry, centry->sequence_number);
781 return centry;
782}
783
784/*
785 finish a centry and write it to the tdb
786*/
787static void centry_end(struct cache_entry *centry, const char *format, ...) PRINTF_ATTRIBUTE(2,3);
788static void centry_end(struct cache_entry *centry, const char *format, ...)
789{
790 va_list ap;
791 char *kstr;
792 TDB_DATA key, data;
793
794 va_start(ap, format);
795 smb_xvasprintf(&kstr, format, ap);
796 va_end(ap);
797
798 key.dptr = kstr;
799 key.dsize = strlen(kstr);
800 data.dptr = (char *)centry->data;
801 data.dsize = centry->ofs;
802
803 tdb_store(wcache->tdb, key, data, TDB_REPLACE);
804 free(kstr);
805}
806
807static void wcache_save_name_to_sid(struct winbindd_domain *domain,
808 NTSTATUS status, const char *domain_name,
809 const char *name, const DOM_SID *sid,
810 enum lsa_SidType type)
811{
812 struct cache_entry *centry;
813 fstring uname;
814
815 centry = centry_start(domain, status);
816 if (!centry)
817 return;
818 centry_put_uint32(centry, type);
819 centry_put_sid(centry, sid);
820 fstrcpy(uname, name);
821 strupper_m(uname);
822 centry_end(centry, "NS/%s/%s", domain_name, uname);
823 DEBUG(10,("wcache_save_name_to_sid: %s\\%s -> %s\n", domain_name, uname,
824 sid_string_static(sid)));
825 centry_free(centry);
826}
827
828static void wcache_save_sid_to_name(struct winbindd_domain *domain, NTSTATUS status,
829 const DOM_SID *sid, const char *domain_name, const char *name, enum lsa_SidType type)
830{
831 struct cache_entry *centry;
832 fstring sid_string;
833
834 if (is_null_sid(sid)) {
835 return;
836 }
837
838 centry = centry_start(domain, status);
839 if (!centry)
840 return;
841 if (NT_STATUS_IS_OK(status)) {
842 centry_put_uint32(centry, type);
843 centry_put_string(centry, domain_name);
844 centry_put_string(centry, name);
845 }
846 centry_end(centry, "SN/%s", sid_to_string(sid_string, sid));
847 DEBUG(10,("wcache_save_sid_to_name: %s -> %s\n", sid_string, name));
848 centry_free(centry);
849}
850
851
852static void wcache_save_user(struct winbindd_domain *domain, NTSTATUS status, WINBIND_USERINFO *info)
853{
854 struct cache_entry *centry;
855 fstring sid_string;
856
857 if (is_null_sid(&info->user_sid)) {
858 return;
859 }
860
861 centry = centry_start(domain, status);
862 if (!centry)
863 return;
864 centry_put_string(centry, info->acct_name);
865 centry_put_string(centry, info->full_name);
866 centry_put_string(centry, info->homedir);
867 centry_put_string(centry, info->shell);
868 centry_put_uint32(centry, info->primary_gid);
869 centry_put_sid(centry, &info->user_sid);
870 centry_put_sid(centry, &info->group_sid);
871 centry_end(centry, "U/%s", sid_to_string(sid_string, &info->user_sid));
872 DEBUG(10,("wcache_save_user: %s (acct_name %s)\n", sid_string, info->acct_name));
873 centry_free(centry);
874}
875
876static void wcache_save_lockout_policy(struct winbindd_domain *domain, NTSTATUS status, SAM_UNK_INFO_12 *lockout_policy)
877{
878 struct cache_entry *centry;
879
880 centry = centry_start(domain, status);
881 if (!centry)
882 return;
883
884 centry_put_nttime(centry, lockout_policy->duration);
885 centry_put_nttime(centry, lockout_policy->reset_count);
886 centry_put_uint16(centry, lockout_policy->bad_attempt_lockout);
887
888 centry_end(centry, "LOC_POL/%s", domain->name);
889
890 DEBUG(10,("wcache_save_lockout_policy: %s\n", domain->name));
891
892 centry_free(centry);
893}
894
895static void wcache_save_password_policy(struct winbindd_domain *domain, NTSTATUS status, SAM_UNK_INFO_1 *policy)
896{
897 struct cache_entry *centry;
898
899 centry = centry_start(domain, status);
900 if (!centry)
901 return;
902
903 centry_put_uint16(centry, policy->min_length_password);
904 centry_put_uint16(centry, policy->password_history);
905 centry_put_uint32(centry, policy->password_properties);
906 centry_put_nttime(centry, policy->expire);
907 centry_put_nttime(centry, policy->min_passwordage);
908
909 centry_end(centry, "PWD_POL/%s", domain->name);
910
911 DEBUG(10,("wcache_save_password_policy: %s\n", domain->name));
912
913 centry_free(centry);
914}
915
916NTSTATUS wcache_cached_creds_exist(struct winbindd_domain *domain, const DOM_SID *sid)
917{
918 struct winbind_cache *cache = get_cache(domain);
919 TDB_DATA data;
920 fstring key_str;
921 uint32 rid;
922
923 if (!cache->tdb) {
924 return NT_STATUS_INTERNAL_DB_ERROR;
925 }
926
927 if (is_null_sid(sid)) {
928 return NT_STATUS_INVALID_SID;
929 }
930
931 if (!(sid_peek_rid(sid, &rid)) || (rid == 0)) {
932 return NT_STATUS_INVALID_SID;
933 }
934
935 fstr_sprintf(key_str, "CRED/%s", sid_string_static(sid));
936
937 data = tdb_fetch(cache->tdb, make_tdb_data(key_str, strlen(key_str)));
938 if (!data.dptr) {
939 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
940 }
941
942 SAFE_FREE(data.dptr);
943 return NT_STATUS_OK;
944}
945
946/* Lookup creds for a SID - copes with old (unsalted) creds as well
947 as new salted ones. */
948
949NTSTATUS wcache_get_creds(struct winbindd_domain *domain,
950 TALLOC_CTX *mem_ctx,
951 const DOM_SID *sid,
952 const uint8 **cached_nt_pass,
953 const uint8 **cached_salt)
954{
955 struct winbind_cache *cache = get_cache(domain);
956 struct cache_entry *centry = NULL;
957 NTSTATUS status;
958 time_t t;
959 uint32 rid;
960
961 if (!cache->tdb) {
962 return NT_STATUS_INTERNAL_DB_ERROR;
963 }
964
965 if (is_null_sid(sid)) {
966 return NT_STATUS_INVALID_SID;
967 }
968
969 if (!(sid_peek_rid(sid, &rid)) || (rid == 0)) {
970 return NT_STATUS_INVALID_SID;
971 }
972
973 /* Try and get a salted cred first. If we can't
974 fall back to an unsalted cred. */
975
976 centry = wcache_fetch(cache, domain, "CRED/%s", sid_string_static(sid));
977 if (!centry) {
978 DEBUG(10,("wcache_get_creds: entry for [CRED/%s] not found\n",
979 sid_string_static(sid)));
980 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
981 }
982
983 t = centry_time(centry);
984
985 /* In the salted case this isn't actually the nt_hash itself,
986 but the MD5 of the salt + nt_hash. Let the caller
987 sort this out. It can tell as we only return the cached_salt
988 if we are returning a salted cred. */
989
990 *cached_nt_pass = (const uint8 *)centry_hash16(centry, mem_ctx);
991 if (*cached_nt_pass == NULL) {
992 const char *sidstr = sid_string_static(sid);
993
994 /* Bad (old) cred cache. Delete and pretend we
995 don't have it. */
996 DEBUG(0,("wcache_get_creds: bad entry for [CRED/%s] - deleting\n",
997 sidstr));
998 wcache_delete("CRED/%s", sidstr);
999 centry_free(centry);
1000 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1001 }
1002
1003 /* We only have 17 bytes more data in the salted cred case. */
1004 if (centry->len - centry->ofs == 17) {
1005 *cached_salt = (const uint8 *)centry_hash16(centry, mem_ctx);
1006 } else {
1007 *cached_salt = NULL;
1008 }
1009
1010#if DEBUG_PASSWORD
1011 dump_data(100, (const char *)*cached_nt_pass, NT_HASH_LEN);
1012 if (*cached_salt) {
1013 dump_data(100, (const char *)*cached_salt, NT_HASH_LEN);
1014 }
1015#endif
1016 status = centry->status;
1017
1018 DEBUG(10,("wcache_get_creds: [Cached] - cached creds for user %s status: %s\n",
1019 sid_string_static(sid), nt_errstr(status) ));
1020
1021 centry_free(centry);
1022 return status;
1023}
1024
1025/* Store creds for a SID - only writes out new salted ones. */
1026
1027NTSTATUS wcache_save_creds(struct winbindd_domain *domain,
1028 TALLOC_CTX *mem_ctx,
1029 const DOM_SID *sid,
1030 const uint8 nt_pass[NT_HASH_LEN])
1031{
1032 struct cache_entry *centry;
1033 fstring sid_string;
1034 uint32 rid;
1035 uint8 cred_salt[NT_HASH_LEN];
1036 uint8 salted_hash[NT_HASH_LEN];
1037
1038 if (is_null_sid(sid)) {
1039 return NT_STATUS_INVALID_SID;
1040 }
1041
1042 if (!(sid_peek_rid(sid, &rid)) || (rid == 0)) {
1043 return NT_STATUS_INVALID_SID;
1044 }
1045
1046 centry = centry_start(domain, NT_STATUS_OK);
1047 if (!centry) {
1048 return NT_STATUS_INTERNAL_DB_ERROR;
1049 }
1050
1051#if DEBUG_PASSWORD
1052 dump_data(100, (const char *)nt_pass, NT_HASH_LEN);
1053#endif
1054
1055 centry_put_time(centry, time(NULL));
1056
1057 /* Create a salt and then salt the hash. */
1058 generate_random_buffer(cred_salt, NT_HASH_LEN);
1059 E_md5hash(cred_salt, nt_pass, salted_hash);
1060
1061 centry_put_hash16(centry, salted_hash);
1062 centry_put_hash16(centry, cred_salt);
1063 centry_end(centry, "CRED/%s", sid_to_string(sid_string, sid));
1064
1065 DEBUG(10,("wcache_save_creds: %s\n", sid_string));
1066
1067 centry_free(centry);
1068
1069 return NT_STATUS_OK;
1070}
1071
1072
1073/* Query display info. This is the basic user list fn */
1074static NTSTATUS query_user_list(struct winbindd_domain *domain,
1075 TALLOC_CTX *mem_ctx,
1076 uint32 *num_entries,
1077 WINBIND_USERINFO **info)
1078{
1079 struct winbind_cache *cache = get_cache(domain);
1080 struct cache_entry *centry = NULL;
1081 NTSTATUS status;
1082 unsigned int i, retry;
1083
1084 if (!cache->tdb)
1085 goto do_query;
1086
1087 centry = wcache_fetch(cache, domain, "UL/%s", domain->name);
1088 if (!centry)
1089 goto do_query;
1090
1091 *num_entries = centry_uint32(centry);
1092
1093 if (*num_entries == 0)
1094 goto do_cached;
1095
1096 (*info) = TALLOC_ARRAY(mem_ctx, WINBIND_USERINFO, *num_entries);
1097 if (! (*info))
1098 smb_panic("query_user_list out of memory");
1099 for (i=0; i<(*num_entries); i++) {
1100 (*info)[i].acct_name = centry_string(centry, mem_ctx);
1101 (*info)[i].full_name = centry_string(centry, mem_ctx);
1102 (*info)[i].homedir = centry_string(centry, mem_ctx);
1103 (*info)[i].shell = centry_string(centry, mem_ctx);
1104 centry_sid(centry, mem_ctx, &(*info)[i].user_sid);
1105 centry_sid(centry, mem_ctx, &(*info)[i].group_sid);
1106 }
1107
1108do_cached:
1109 status = centry->status;
1110
1111 DEBUG(10,("query_user_list: [Cached] - cached list for domain %s status: %s\n",
1112 domain->name, nt_errstr(status) ));
1113
1114 centry_free(centry);
1115 return status;
1116
1117do_query:
1118 *num_entries = 0;
1119 *info = NULL;
1120
1121 /* Return status value returned by seq number check */
1122
1123 if (!NT_STATUS_IS_OK(domain->last_status))
1124 return domain->last_status;
1125
1126 /* Put the query_user_list() in a retry loop. There appears to be
1127 * some bug either with Windows 2000 or Samba's handling of large
1128 * rpc replies. This manifests itself as sudden disconnection
1129 * at a random point in the enumeration of a large (60k) user list.
1130 * The retry loop simply tries the operation again. )-: It's not
1131 * pretty but an acceptable workaround until we work out what the
1132 * real problem is. */
1133
1134 retry = 0;
1135 do {
1136
1137 DEBUG(10,("query_user_list: [Cached] - doing backend query for list for domain %s\n",
1138 domain->name ));
1139
1140 status = domain->backend->query_user_list(domain, mem_ctx, num_entries, info);
1141 if (!NT_STATUS_IS_OK(status)) {
1142 DEBUG(3, ("query_user_list: returned 0x%08x, "
1143 "retrying\n", NT_STATUS_V(status)));
1144 }
1145 if (NT_STATUS_EQUAL(status, NT_STATUS_UNSUCCESSFUL)) {
1146 DEBUG(3, ("query_user_list: flushing "
1147 "connection cache\n"));
1148 invalidate_cm_connection(&domain->conn);
1149 }
1150
1151 } while (NT_STATUS_V(status) == NT_STATUS_V(NT_STATUS_UNSUCCESSFUL) &&
1152 (retry++ < 5));
1153
1154 /* and save it */
1155 refresh_sequence_number(domain, False);
1156 centry = centry_start(domain, status);
1157 if (!centry)
1158 goto skip_save;
1159 centry_put_uint32(centry, *num_entries);
1160 for (i=0; i<(*num_entries); i++) {
1161 centry_put_string(centry, (*info)[i].acct_name);
1162 centry_put_string(centry, (*info)[i].full_name);
1163 centry_put_string(centry, (*info)[i].homedir);
1164 centry_put_string(centry, (*info)[i].shell);
1165 centry_put_sid(centry, &(*info)[i].user_sid);
1166 centry_put_sid(centry, &(*info)[i].group_sid);
1167 if (domain->backend && domain->backend->consistent) {
1168 /* when the backend is consistent we can pre-prime some mappings */
1169 wcache_save_name_to_sid(domain, NT_STATUS_OK,
1170 domain->name,
1171 (*info)[i].acct_name,
1172 &(*info)[i].user_sid,
1173 SID_NAME_USER);
1174 wcache_save_sid_to_name(domain, NT_STATUS_OK,
1175 &(*info)[i].user_sid,
1176 domain->name,
1177 (*info)[i].acct_name,
1178 SID_NAME_USER);
1179 wcache_save_user(domain, NT_STATUS_OK, &(*info)[i]);
1180 }
1181 }
1182 centry_end(centry, "UL/%s", domain->name);
1183 centry_free(centry);
1184
1185skip_save:
1186 return status;
1187}
1188
1189/* list all domain groups */
1190static NTSTATUS enum_dom_groups(struct winbindd_domain *domain,
1191 TALLOC_CTX *mem_ctx,
1192 uint32 *num_entries,
1193 struct acct_info **info)
1194{
1195 struct winbind_cache *cache = get_cache(domain);
1196 struct cache_entry *centry = NULL;
1197 NTSTATUS status;
1198 unsigned int i;
1199
1200 if (!cache->tdb)
1201 goto do_query;
1202
1203 centry = wcache_fetch(cache, domain, "GL/%s/domain", domain->name);
1204 if (!centry)
1205 goto do_query;
1206
1207 *num_entries = centry_uint32(centry);
1208
1209 if (*num_entries == 0)
1210 goto do_cached;
1211
1212 (*info) = TALLOC_ARRAY(mem_ctx, struct acct_info, *num_entries);
1213 if (! (*info))
1214 smb_panic("enum_dom_groups out of memory");
1215 for (i=0; i<(*num_entries); i++) {
1216 fstrcpy((*info)[i].acct_name, centry_string(centry, mem_ctx));
1217 fstrcpy((*info)[i].acct_desc, centry_string(centry, mem_ctx));
1218 (*info)[i].rid = centry_uint32(centry);
1219 }
1220
1221do_cached:
1222 status = centry->status;
1223
1224 DEBUG(10,("enum_dom_groups: [Cached] - cached list for domain %s status: %s\n",
1225 domain->name, nt_errstr(status) ));
1226
1227 centry_free(centry);
1228 return status;
1229
1230do_query:
1231 *num_entries = 0;
1232 *info = NULL;
1233
1234 /* Return status value returned by seq number check */
1235
1236 if (!NT_STATUS_IS_OK(domain->last_status))
1237 return domain->last_status;
1238
1239 DEBUG(10,("enum_dom_groups: [Cached] - doing backend query for list for domain %s\n",
1240 domain->name ));
1241
1242 status = domain->backend->enum_dom_groups(domain, mem_ctx, num_entries, info);
1243
1244 /* and save it */
1245 refresh_sequence_number(domain, False);
1246 centry = centry_start(domain, status);
1247 if (!centry)
1248 goto skip_save;
1249 centry_put_uint32(centry, *num_entries);
1250 for (i=0; i<(*num_entries); i++) {
1251 centry_put_string(centry, (*info)[i].acct_name);
1252 centry_put_string(centry, (*info)[i].acct_desc);
1253 centry_put_uint32(centry, (*info)[i].rid);
1254 }
1255 centry_end(centry, "GL/%s/domain", domain->name);
1256 centry_free(centry);
1257
1258skip_save:
1259 return status;
1260}
1261
1262/* list all domain groups */
1263static NTSTATUS enum_local_groups(struct winbindd_domain *domain,
1264 TALLOC_CTX *mem_ctx,
1265 uint32 *num_entries,
1266 struct acct_info **info)
1267{
1268 struct winbind_cache *cache = get_cache(domain);
1269 struct cache_entry *centry = NULL;
1270 NTSTATUS status;
1271 unsigned int i;
1272
1273 if (!cache->tdb)
1274 goto do_query;
1275
1276 centry = wcache_fetch(cache, domain, "GL/%s/local", domain->name);
1277 if (!centry)
1278 goto do_query;
1279
1280 *num_entries = centry_uint32(centry);
1281
1282 if (*num_entries == 0)
1283 goto do_cached;
1284
1285 (*info) = TALLOC_ARRAY(mem_ctx, struct acct_info, *num_entries);
1286 if (! (*info))
1287 smb_panic("enum_dom_groups out of memory");
1288 for (i=0; i<(*num_entries); i++) {
1289 fstrcpy((*info)[i].acct_name, centry_string(centry, mem_ctx));
1290 fstrcpy((*info)[i].acct_desc, centry_string(centry, mem_ctx));
1291 (*info)[i].rid = centry_uint32(centry);
1292 }
1293
1294do_cached:
1295
1296 /* If we are returning cached data and the domain controller
1297 is down then we don't know whether the data is up to date
1298 or not. Return NT_STATUS_MORE_PROCESSING_REQUIRED to
1299 indicate this. */
1300
1301 if (wcache_server_down(domain)) {
1302 DEBUG(10, ("enum_local_groups: returning cached user list and server was down\n"));
1303 status = NT_STATUS_MORE_PROCESSING_REQUIRED;
1304 } else
1305 status = centry->status;
1306
1307 DEBUG(10,("enum_local_groups: [Cached] - cached list for domain %s status: %s\n",
1308 domain->name, nt_errstr(status) ));
1309
1310 centry_free(centry);
1311 return status;
1312
1313do_query:
1314 *num_entries = 0;
1315 *info = NULL;
1316
1317 /* Return status value returned by seq number check */
1318
1319 if (!NT_STATUS_IS_OK(domain->last_status))
1320 return domain->last_status;
1321
1322 DEBUG(10,("enum_local_groups: [Cached] - doing backend query for list for domain %s\n",
1323 domain->name ));
1324
1325 status = domain->backend->enum_local_groups(domain, mem_ctx, num_entries, info);
1326
1327 /* and save it */
1328 refresh_sequence_number(domain, False);
1329 centry = centry_start(domain, status);
1330 if (!centry)
1331 goto skip_save;
1332 centry_put_uint32(centry, *num_entries);
1333 for (i=0; i<(*num_entries); i++) {
1334 centry_put_string(centry, (*info)[i].acct_name);
1335 centry_put_string(centry, (*info)[i].acct_desc);
1336 centry_put_uint32(centry, (*info)[i].rid);
1337 }
1338 centry_end(centry, "GL/%s/local", domain->name);
1339 centry_free(centry);
1340
1341skip_save:
1342 return status;
1343}
1344
1345/* convert a single name to a sid in a domain */
1346static NTSTATUS name_to_sid(struct winbindd_domain *domain,
1347 TALLOC_CTX *mem_ctx,
1348 const char *domain_name,
1349 const char *name,
1350 DOM_SID *sid,
1351 enum lsa_SidType *type)
1352{
1353 struct winbind_cache *cache = get_cache(domain);
1354 struct cache_entry *centry = NULL;
1355 NTSTATUS status;
1356 fstring uname;
1357
1358 if (!cache->tdb)
1359 goto do_query;
1360
1361 fstrcpy(uname, name);
1362 strupper_m(uname);
1363 centry = wcache_fetch(cache, domain, "NS/%s/%s", domain_name, uname);
1364 if (!centry)
1365 goto do_query;
1366 *type = (enum lsa_SidType)centry_uint32(centry);
1367 status = centry->status;
1368 if (NT_STATUS_IS_OK(status)) {
1369 centry_sid(centry, mem_ctx, sid);
1370 }
1371
1372 DEBUG(10,("name_to_sid: [Cached] - cached name for domain %s status: %s\n",
1373 domain->name, nt_errstr(status) ));
1374
1375 centry_free(centry);
1376 return status;
1377
1378do_query:
1379 ZERO_STRUCTP(sid);
1380
1381 /* If the seq number check indicated that there is a problem
1382 * with this DC, then return that status... except for
1383 * access_denied. This is special because the dc may be in
1384 * "restrict anonymous = 1" mode, in which case it will deny
1385 * most unauthenticated operations, but *will* allow the LSA
1386 * name-to-sid that we try as a fallback. */
1387
1388 if (!(NT_STATUS_IS_OK(domain->last_status)
1389 || NT_STATUS_EQUAL(domain->last_status, NT_STATUS_ACCESS_DENIED)))
1390 return domain->last_status;
1391
1392 DEBUG(10,("name_to_sid: [Cached] - doing backend query for name for domain %s\n",
1393 domain->name ));
1394
1395 status = domain->backend->name_to_sid(domain, mem_ctx, domain_name, name, sid, type);
1396
1397 /* and save it */
1398 refresh_sequence_number(domain, False);
1399
1400 if (domain->online && !is_null_sid(sid)) {
1401 wcache_save_name_to_sid(domain, status, domain_name, name, sid, *type);
1402 }
1403
1404 if (NT_STATUS_IS_OK(status)) {
1405 strupper_m(CONST_DISCARD(char *,domain_name));
1406 strlower_m(CONST_DISCARD(char *,name));
1407 wcache_save_sid_to_name(domain, status, sid, domain_name, name, *type);
1408 }
1409
1410 return status;
1411}
1412
1413/* convert a sid to a user or group name. The sid is guaranteed to be in the domain
1414 given */
1415static NTSTATUS sid_to_name(struct winbindd_domain *domain,
1416 TALLOC_CTX *mem_ctx,
1417 const DOM_SID *sid,
1418 char **domain_name,
1419 char **name,
1420 enum lsa_SidType *type)
1421{
1422 struct winbind_cache *cache = get_cache(domain);
1423 struct cache_entry *centry = NULL;
1424 NTSTATUS status;
1425 fstring sid_string;
1426
1427 if (!cache->tdb)
1428 goto do_query;
1429
1430 centry = wcache_fetch(cache, domain, "SN/%s", sid_to_string(sid_string, sid));
1431 if (!centry)
1432 goto do_query;
1433 if (NT_STATUS_IS_OK(centry->status)) {
1434 *type = (enum lsa_SidType)centry_uint32(centry);
1435 *domain_name = centry_string(centry, mem_ctx);
1436 *name = centry_string(centry, mem_ctx);
1437 }
1438 status = centry->status;
1439
1440 DEBUG(10,("sid_to_name: [Cached] - cached name for domain %s status: %s\n",
1441 domain->name, nt_errstr(status) ));
1442
1443 centry_free(centry);
1444 return status;
1445
1446do_query:
1447 *name = NULL;
1448 *domain_name = NULL;
1449
1450 /* If the seq number check indicated that there is a problem
1451 * with this DC, then return that status... except for
1452 * access_denied. This is special because the dc may be in
1453 * "restrict anonymous = 1" mode, in which case it will deny
1454 * most unauthenticated operations, but *will* allow the LSA
1455 * sid-to-name that we try as a fallback. */
1456
1457 if (!(NT_STATUS_IS_OK(domain->last_status)
1458 || NT_STATUS_EQUAL(domain->last_status, NT_STATUS_ACCESS_DENIED)))
1459 return domain->last_status;
1460
1461 DEBUG(10,("sid_to_name: [Cached] - doing backend query for name for domain %s\n",
1462 domain->name ));
1463
1464 status = domain->backend->sid_to_name(domain, mem_ctx, sid, domain_name, name, type);
1465
1466 /* and save it */
1467 refresh_sequence_number(domain, False);
1468 wcache_save_sid_to_name(domain, status, sid, *domain_name, *name, *type);
1469
1470 /* We can't save the name to sid mapping here, as with sid history a
1471 * later name2sid would give the wrong sid. */
1472
1473 return status;
1474}
1475
1476static NTSTATUS rids_to_names(struct winbindd_domain *domain,
1477 TALLOC_CTX *mem_ctx,
1478 const DOM_SID *domain_sid,
1479 uint32 *rids,
1480 size_t num_rids,
1481 char **domain_name,
1482 char ***names,
1483 enum lsa_SidType **types)
1484{
1485 struct winbind_cache *cache = get_cache(domain);
1486 size_t i;
1487 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1488 BOOL have_mapped;
1489 BOOL have_unmapped;
1490
1491 *domain_name = NULL;
1492 *names = NULL;
1493 *types = NULL;
1494
1495 if (!cache->tdb) {
1496 goto do_query;
1497 }
1498
1499 if (num_rids == 0) {
1500 return NT_STATUS_OK;
1501 }
1502
1503 *names = TALLOC_ARRAY(mem_ctx, char *, num_rids);
1504 *types = TALLOC_ARRAY(mem_ctx, enum lsa_SidType, num_rids);
1505
1506 if ((*names == NULL) || (*types == NULL)) {
1507 result = NT_STATUS_NO_MEMORY;
1508 goto error;
1509 }
1510
1511 have_mapped = have_unmapped = False;
1512
1513 for (i=0; i<num_rids; i++) {
1514 DOM_SID sid;
1515 struct cache_entry *centry;
1516
1517 if (!sid_compose(&sid, domain_sid, rids[i])) {
1518 result = NT_STATUS_INTERNAL_ERROR;
1519 goto error;
1520 }
1521
1522 centry = wcache_fetch(cache, domain, "SN/%s",
1523 sid_string_static(&sid));
1524 if (!centry) {
1525 goto do_query;
1526 }
1527
1528 (*types)[i] = SID_NAME_UNKNOWN;
1529 (*names)[i] = talloc_strdup(*names, "");
1530
1531 if (NT_STATUS_IS_OK(centry->status)) {
1532 char *dom;
1533 have_mapped = True;
1534 (*types)[i] = (enum lsa_SidType)centry_uint32(centry);
1535 dom = centry_string(centry, mem_ctx);
1536 if (*domain_name == NULL) {
1537 *domain_name = dom;
1538 } else {
1539 talloc_free(dom);
1540 }
1541 (*names)[i] = centry_string(centry, *names);
1542 } else {
1543 have_unmapped = True;
1544 }
1545
1546 centry_free(centry);
1547 }
1548
1549 if (!have_mapped) {
1550 return NT_STATUS_NONE_MAPPED;
1551 }
1552 if (!have_unmapped) {
1553 return NT_STATUS_OK;
1554 }
1555 return STATUS_SOME_UNMAPPED;
1556
1557 do_query:
1558
1559 TALLOC_FREE(*names);
1560 TALLOC_FREE(*types);
1561
1562 result = domain->backend->rids_to_names(domain, mem_ctx, domain_sid,
1563 rids, num_rids, domain_name,
1564 names, types);
1565
1566 if (!NT_STATUS_IS_OK(result) &&
1567 !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED)) {
1568 return result;
1569 }
1570
1571 refresh_sequence_number(domain, False);
1572
1573 for (i=0; i<num_rids; i++) {
1574 DOM_SID sid;
1575 NTSTATUS status;
1576
1577 if (!sid_compose(&sid, domain_sid, rids[i])) {
1578 result = NT_STATUS_INTERNAL_ERROR;
1579 goto error;
1580 }
1581
1582 status = (*types)[i] == SID_NAME_UNKNOWN ?
1583 NT_STATUS_NONE_MAPPED : NT_STATUS_OK;
1584
1585 wcache_save_sid_to_name(domain, status, &sid, *domain_name,
1586 (*names)[i], (*types)[i]);
1587 }
1588
1589 return result;
1590
1591 error:
1592
1593 TALLOC_FREE(*names);
1594 TALLOC_FREE(*types);
1595 return result;
1596}
1597
1598/* Lookup user information from a rid */
1599static NTSTATUS query_user(struct winbindd_domain *domain,
1600 TALLOC_CTX *mem_ctx,
1601 const DOM_SID *user_sid,
1602 WINBIND_USERINFO *info)
1603{
1604 struct winbind_cache *cache = get_cache(domain);
1605 struct cache_entry *centry = NULL;
1606 NTSTATUS status;
1607
1608 if (!cache->tdb)
1609 goto do_query;
1610
1611 centry = wcache_fetch(cache, domain, "U/%s", sid_string_static(user_sid));
1612
1613 /* If we have an access denied cache entry and a cached info3 in the
1614 samlogon cache then do a query. This will force the rpc back end
1615 to return the info3 data. */
1616
1617 if (NT_STATUS_V(domain->last_status) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED) &&
1618 netsamlogon_cache_have(user_sid)) {
1619 DEBUG(10, ("query_user: cached access denied and have cached info3\n"));
1620 domain->last_status = NT_STATUS_OK;
1621 centry_free(centry);
1622 goto do_query;
1623 }
1624
1625 if (!centry)
1626 goto do_query;
1627
1628 info->acct_name = centry_string(centry, mem_ctx);
1629 info->full_name = centry_string(centry, mem_ctx);
1630 info->homedir = centry_string(centry, mem_ctx);
1631 info->shell = centry_string(centry, mem_ctx);
1632 info->primary_gid = centry_uint32(centry);
1633 centry_sid(centry, mem_ctx, &info->user_sid);
1634 centry_sid(centry, mem_ctx, &info->group_sid);
1635 status = centry->status;
1636
1637 DEBUG(10,("query_user: [Cached] - cached info for domain %s status: %s\n",
1638 domain->name, nt_errstr(status) ));
1639
1640 centry_free(centry);
1641 return status;
1642
1643do_query:
1644 ZERO_STRUCTP(info);
1645
1646 /* Return status value returned by seq number check */
1647
1648 if (!NT_STATUS_IS_OK(domain->last_status))
1649 return domain->last_status;
1650
1651 DEBUG(10,("query_user: [Cached] - doing backend query for info for domain %s\n",
1652 domain->name ));
1653
1654 status = domain->backend->query_user(domain, mem_ctx, user_sid, info);
1655
1656 /* and save it */
1657 refresh_sequence_number(domain, False);
1658 wcache_save_user(domain, status, info);
1659
1660 return status;
1661}
1662
1663
1664/* Lookup groups a user is a member of. */
1665static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
1666 TALLOC_CTX *mem_ctx,
1667 const DOM_SID *user_sid,
1668 uint32 *num_groups, DOM_SID **user_gids)
1669{
1670 struct winbind_cache *cache = get_cache(domain);
1671 struct cache_entry *centry = NULL;
1672 NTSTATUS status;
1673 unsigned int i;
1674 fstring sid_string;
1675
1676 if (!cache->tdb)
1677 goto do_query;
1678
1679 centry = wcache_fetch(cache, domain, "UG/%s", sid_to_string(sid_string, user_sid));
1680
1681 /* If we have an access denied cache entry and a cached info3 in the
1682 samlogon cache then do a query. This will force the rpc back end
1683 to return the info3 data. */
1684
1685 if (NT_STATUS_V(domain->last_status) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED) &&
1686 netsamlogon_cache_have(user_sid)) {
1687 DEBUG(10, ("lookup_usergroups: cached access denied and have cached info3\n"));
1688 domain->last_status = NT_STATUS_OK;
1689 centry_free(centry);
1690 goto do_query;
1691 }
1692
1693 if (!centry)
1694 goto do_query;
1695
1696 *num_groups = centry_uint32(centry);
1697
1698 if (*num_groups == 0)
1699 goto do_cached;
1700
1701 (*user_gids) = TALLOC_ARRAY(mem_ctx, DOM_SID, *num_groups);
1702 if (! (*user_gids))
1703 smb_panic("lookup_usergroups out of memory");
1704 for (i=0; i<(*num_groups); i++) {
1705 centry_sid(centry, mem_ctx, &(*user_gids)[i]);
1706 }
1707
1708do_cached:
1709 status = centry->status;
1710
1711 DEBUG(10,("lookup_usergroups: [Cached] - cached info for domain %s status: %s\n",
1712 domain->name, nt_errstr(status) ));
1713
1714 centry_free(centry);
1715 return status;
1716
1717do_query:
1718 (*num_groups) = 0;
1719 (*user_gids) = NULL;
1720
1721 /* Return status value returned by seq number check */
1722
1723 if (!NT_STATUS_IS_OK(domain->last_status))
1724 return domain->last_status;
1725
1726 DEBUG(10,("lookup_usergroups: [Cached] - doing backend query for info for domain %s\n",
1727 domain->name ));
1728
1729 status = domain->backend->lookup_usergroups(domain, mem_ctx, user_sid, num_groups, user_gids);
1730
1731 /* and save it */
1732 refresh_sequence_number(domain, False);
1733 centry = centry_start(domain, status);
1734 if (!centry)
1735 goto skip_save;
1736 centry_put_uint32(centry, *num_groups);
1737 for (i=0; i<(*num_groups); i++) {
1738 centry_put_sid(centry, &(*user_gids)[i]);
1739 }
1740 centry_end(centry, "UG/%s", sid_to_string(sid_string, user_sid));
1741 centry_free(centry);
1742
1743skip_save:
1744 return status;
1745}
1746
1747static NTSTATUS lookup_useraliases(struct winbindd_domain *domain,
1748 TALLOC_CTX *mem_ctx,
1749 uint32 num_sids, const DOM_SID *sids,
1750 uint32 *num_aliases, uint32 **alias_rids)
1751{
1752 struct winbind_cache *cache = get_cache(domain);
1753 struct cache_entry *centry = NULL;
1754 NTSTATUS status;
1755 char *sidlist = talloc_strdup(mem_ctx, "");
1756 int i;
1757
1758 if (!cache->tdb)
1759 goto do_query;
1760
1761 if (num_sids == 0) {
1762 *num_aliases = 0;
1763 *alias_rids = NULL;
1764 return NT_STATUS_OK;
1765 }
1766
1767 /* We need to cache indexed by the whole list of SIDs, the aliases
1768 * resulting might come from any of the SIDs. */
1769
1770 for (i=0; i<num_sids; i++) {
1771 sidlist = talloc_asprintf(mem_ctx, "%s/%s", sidlist,
1772 sid_string_static(&sids[i]));
1773 if (sidlist == NULL)
1774 return NT_STATUS_NO_MEMORY;
1775 }
1776
1777 centry = wcache_fetch(cache, domain, "UA%s", sidlist);
1778
1779 if (!centry)
1780 goto do_query;
1781
1782 *num_aliases = centry_uint32(centry);
1783 *alias_rids = NULL;
1784
1785 if (*num_aliases) {
1786 (*alias_rids) = TALLOC_ARRAY(mem_ctx, uint32, *num_aliases);
1787
1788 if ((*alias_rids) == NULL) {
1789 centry_free(centry);
1790 return NT_STATUS_NO_MEMORY;
1791 }
1792 } else {
1793 (*alias_rids) = NULL;
1794 }
1795
1796 for (i=0; i<(*num_aliases); i++)
1797 (*alias_rids)[i] = centry_uint32(centry);
1798
1799 status = centry->status;
1800
1801 DEBUG(10,("lookup_useraliases: [Cached] - cached info for domain: %s "
1802 "status %s\n", domain->name, nt_errstr(status)));
1803
1804 centry_free(centry);
1805 return status;
1806
1807 do_query:
1808 (*num_aliases) = 0;
1809 (*alias_rids) = NULL;
1810
1811 if (!NT_STATUS_IS_OK(domain->last_status))
1812 return domain->last_status;
1813
1814 DEBUG(10,("lookup_usergroups: [Cached] - doing backend query for info "
1815 "for domain %s\n", domain->name ));
1816
1817 status = domain->backend->lookup_useraliases(domain, mem_ctx,
1818 num_sids, sids,
1819 num_aliases, alias_rids);
1820
1821 /* and save it */
1822 refresh_sequence_number(domain, False);
1823 centry = centry_start(domain, status);
1824 if (!centry)
1825 goto skip_save;
1826 centry_put_uint32(centry, *num_aliases);
1827 for (i=0; i<(*num_aliases); i++)
1828 centry_put_uint32(centry, (*alias_rids)[i]);
1829 centry_end(centry, "UA%s", sidlist);
1830 centry_free(centry);
1831
1832 skip_save:
1833 return status;
1834}
1835
1836
1837static NTSTATUS lookup_groupmem(struct winbindd_domain *domain,
1838 TALLOC_CTX *mem_ctx,
1839 const DOM_SID *group_sid, uint32 *num_names,
1840 DOM_SID **sid_mem, char ***names,
1841 uint32 **name_types)
1842{
1843 struct winbind_cache *cache = get_cache(domain);
1844 struct cache_entry *centry = NULL;
1845 NTSTATUS status;
1846 unsigned int i;
1847 fstring sid_string;
1848
1849 if (!cache->tdb)
1850 goto do_query;
1851
1852 centry = wcache_fetch(cache, domain, "GM/%s", sid_to_string(sid_string, group_sid));
1853 if (!centry)
1854 goto do_query;
1855
1856 *num_names = centry_uint32(centry);
1857
1858 if (*num_names == 0)
1859 goto do_cached;
1860
1861 (*sid_mem) = TALLOC_ARRAY(mem_ctx, DOM_SID, *num_names);
1862 (*names) = TALLOC_ARRAY(mem_ctx, char *, *num_names);
1863 (*name_types) = TALLOC_ARRAY(mem_ctx, uint32, *num_names);
1864
1865 if (! (*sid_mem) || ! (*names) || ! (*name_types)) {
1866 smb_panic("lookup_groupmem out of memory");
1867 }
1868
1869 for (i=0; i<(*num_names); i++) {
1870 centry_sid(centry, mem_ctx, &(*sid_mem)[i]);
1871 (*names)[i] = centry_string(centry, mem_ctx);
1872 (*name_types)[i] = centry_uint32(centry);
1873 }
1874
1875do_cached:
1876 status = centry->status;
1877
1878 DEBUG(10,("lookup_groupmem: [Cached] - cached info for domain %s status: %s\n",
1879 domain->name, nt_errstr(status)));
1880
1881 centry_free(centry);
1882 return status;
1883
1884do_query:
1885 (*num_names) = 0;
1886 (*sid_mem) = NULL;
1887 (*names) = NULL;
1888 (*name_types) = NULL;
1889
1890 /* Return status value returned by seq number check */
1891
1892 if (!NT_STATUS_IS_OK(domain->last_status))
1893 return domain->last_status;
1894
1895 DEBUG(10,("lookup_groupmem: [Cached] - doing backend query for info for domain %s\n",
1896 domain->name ));
1897
1898 status = domain->backend->lookup_groupmem(domain, mem_ctx, group_sid, num_names,
1899 sid_mem, names, name_types);
1900
1901 /* and save it */
1902 refresh_sequence_number(domain, False);
1903 centry = centry_start(domain, status);
1904 if (!centry)
1905 goto skip_save;
1906 centry_put_uint32(centry, *num_names);
1907 for (i=0; i<(*num_names); i++) {
1908 centry_put_sid(centry, &(*sid_mem)[i]);
1909 centry_put_string(centry, (*names)[i]);
1910 centry_put_uint32(centry, (*name_types)[i]);
1911 }
1912 centry_end(centry, "GM/%s", sid_to_string(sid_string, group_sid));
1913 centry_free(centry);
1914
1915skip_save:
1916 return status;
1917}
1918
1919/* find the sequence number for a domain */
1920static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq)
1921{
1922 refresh_sequence_number(domain, False);
1923
1924 *seq = domain->sequence_number;
1925
1926 return NT_STATUS_OK;
1927}
1928
1929/* enumerate trusted domains
1930 * (we need to have the list of trustdoms in the cache when we go offline) -
1931 * Guenther */
1932static NTSTATUS trusted_domains(struct winbindd_domain *domain,
1933 TALLOC_CTX *mem_ctx,
1934 uint32 *num_domains,
1935 char ***names,
1936 char ***alt_names,
1937 DOM_SID **dom_sids)
1938{
1939 struct winbind_cache *cache = get_cache(domain);
1940 struct cache_entry *centry = NULL;
1941 NTSTATUS status;
1942 int i;
1943
1944 if (!cache->tdb)
1945 goto do_query;
1946
1947 centry = wcache_fetch(cache, domain, "TRUSTDOMS/%s", domain->name);
1948
1949 if (!centry) {
1950 goto do_query;
1951 }
1952
1953 *num_domains = centry_uint32(centry);
1954
1955 if (*num_domains) {
1956 (*names) = TALLOC_ARRAY(mem_ctx, char *, *num_domains);
1957 (*alt_names) = TALLOC_ARRAY(mem_ctx, char *, *num_domains);
1958 (*dom_sids) = TALLOC_ARRAY(mem_ctx, DOM_SID, *num_domains);
1959
1960 if (! (*dom_sids) || ! (*names) || ! (*alt_names)) {
1961 smb_panic("trusted_domains out of memory");
1962 }
1963 } else {
1964 (*names) = NULL;
1965 (*alt_names) = NULL;
1966 (*dom_sids) = NULL;
1967 }
1968
1969 for (i=0; i<(*num_domains); i++) {
1970 (*names)[i] = centry_string(centry, mem_ctx);
1971 (*alt_names)[i] = centry_string(centry, mem_ctx);
1972 centry_sid(centry, mem_ctx, &(*dom_sids)[i]);
1973 }
1974
1975 status = centry->status;
1976
1977 DEBUG(10,("trusted_domains: [Cached] - cached info for domain %s (%d trusts) status: %s\n",
1978 domain->name, *num_domains, nt_errstr(status) ));
1979
1980 centry_free(centry);
1981 return status;
1982
1983do_query:
1984 (*num_domains) = 0;
1985 (*dom_sids) = NULL;
1986 (*names) = NULL;
1987 (*alt_names) = NULL;
1988
1989 /* Return status value returned by seq number check */
1990
1991 if (!NT_STATUS_IS_OK(domain->last_status))
1992 return domain->last_status;
1993
1994 DEBUG(10,("trusted_domains: [Cached] - doing backend query for info for domain %s\n",
1995 domain->name ));
1996
1997 status = domain->backend->trusted_domains(domain, mem_ctx, num_domains,
1998 names, alt_names, dom_sids);
1999
2000 /* no trusts gives NT_STATUS_NO_MORE_ENTRIES resetting to NT_STATUS_OK
2001 * so that the generic centry handling still applies correctly -
2002 * Guenther*/
2003
2004 if (!NT_STATUS_IS_ERR(status)) {
2005 status = NT_STATUS_OK;
2006 }
2007
2008 /* and save it */
2009 refresh_sequence_number(domain, False);
2010
2011 centry = centry_start(domain, status);
2012 if (!centry)
2013 goto skip_save;
2014
2015 centry_put_uint32(centry, *num_domains);
2016
2017 for (i=0; i<(*num_domains); i++) {
2018 centry_put_string(centry, (*names)[i]);
2019 centry_put_string(centry, (*alt_names)[i]);
2020 centry_put_sid(centry, &(*dom_sids)[i]);
2021 }
2022
2023 centry_end(centry, "TRUSTDOMS/%s", domain->name);
2024
2025 centry_free(centry);
2026
2027skip_save:
2028 return status;
2029}
2030
2031/* get lockout policy */
2032static NTSTATUS lockout_policy(struct winbindd_domain *domain,
2033 TALLOC_CTX *mem_ctx,
2034 SAM_UNK_INFO_12 *policy){
2035 struct winbind_cache *cache = get_cache(domain);
2036 struct cache_entry *centry = NULL;
2037 NTSTATUS status;
2038
2039 if (!cache->tdb)
2040 goto do_query;
2041
2042 centry = wcache_fetch(cache, domain, "LOC_POL/%s", domain->name);
2043
2044 if (!centry)
2045 goto do_query;
2046
2047 policy->duration = centry_nttime(centry);
2048 policy->reset_count = centry_nttime(centry);
2049 policy->bad_attempt_lockout = centry_uint16(centry);
2050
2051 status = centry->status;
2052
2053 DEBUG(10,("lockout_policy: [Cached] - cached info for domain %s status: %s\n",
2054 domain->name, nt_errstr(status) ));
2055
2056 centry_free(centry);
2057 return status;
2058
2059do_query:
2060 ZERO_STRUCTP(policy);
2061
2062 /* Return status value returned by seq number check */
2063
2064 if (!NT_STATUS_IS_OK(domain->last_status))
2065 return domain->last_status;
2066
2067 DEBUG(10,("lockout_policy: [Cached] - doing backend query for info for domain %s\n",
2068 domain->name ));
2069
2070 status = domain->backend->lockout_policy(domain, mem_ctx, policy);
2071
2072 /* and save it */
2073 refresh_sequence_number(domain, False);
2074 wcache_save_lockout_policy(domain, status, policy);
2075
2076 return status;
2077}
2078
2079/* get password policy */
2080static NTSTATUS password_policy(struct winbindd_domain *domain,
2081 TALLOC_CTX *mem_ctx,
2082 SAM_UNK_INFO_1 *policy)
2083{
2084 struct winbind_cache *cache = get_cache(domain);
2085 struct cache_entry *centry = NULL;
2086 NTSTATUS status;
2087
2088 if (!cache->tdb)
2089 goto do_query;
2090
2091 centry = wcache_fetch(cache, domain, "PWD_POL/%s", domain->name);
2092
2093 if (!centry)
2094 goto do_query;
2095
2096 policy->min_length_password = centry_uint16(centry);
2097 policy->password_history = centry_uint16(centry);
2098 policy->password_properties = centry_uint32(centry);
2099 policy->expire = centry_nttime(centry);
2100 policy->min_passwordage = centry_nttime(centry);
2101
2102 status = centry->status;
2103
2104 DEBUG(10,("lockout_policy: [Cached] - cached info for domain %s status: %s\n",
2105 domain->name, nt_errstr(status) ));
2106
2107 centry_free(centry);
2108 return status;
2109
2110do_query:
2111 ZERO_STRUCTP(policy);
2112
2113 /* Return status value returned by seq number check */
2114
2115 if (!NT_STATUS_IS_OK(domain->last_status))
2116 return domain->last_status;
2117
2118 DEBUG(10,("password_policy: [Cached] - doing backend query for info for domain %s\n",
2119 domain->name ));
2120
2121 status = domain->backend->password_policy(domain, mem_ctx, policy);
2122
2123 /* and save it */
2124 refresh_sequence_number(domain, False);
2125 if (NT_STATUS_IS_OK(status)) {
2126 wcache_save_password_policy(domain, status, policy);
2127 }
2128
2129 return status;
2130}
2131
2132
2133/* Invalidate cached user and group lists coherently */
2134
2135static int traverse_fn(TDB_CONTEXT *the_tdb, TDB_DATA kbuf, TDB_DATA dbuf,
2136 void *state)
2137{
2138 if (strncmp(kbuf.dptr, "UL/", 3) == 0 ||
2139 strncmp(kbuf.dptr, "GL/", 3) == 0)
2140 tdb_delete(the_tdb, kbuf);
2141
2142 return 0;
2143}
2144
2145/* Invalidate the getpwnam and getgroups entries for a winbindd domain */
2146
2147void wcache_invalidate_samlogon(struct winbindd_domain *domain,
2148 NET_USER_INFO_3 *info3)
2149{
2150 struct winbind_cache *cache;
2151
2152 /* dont clear cached U/SID and UG/SID entries when we want to logon
2153 * offline - gd */
2154
2155 if (lp_winbind_offline_logon()) {
2156 return;
2157 }
2158
2159 if (!domain)
2160 return;
2161
2162 cache = get_cache(domain);
2163 netsamlogon_clear_cached_user(cache->tdb, info3);
2164}
2165
2166void wcache_invalidate_cache(void)
2167{
2168 struct winbindd_domain *domain;
2169
2170 for (domain = domain_list(); domain; domain = domain->next) {
2171 struct winbind_cache *cache = get_cache(domain);
2172
2173 DEBUG(10, ("wcache_invalidate_cache: invalidating cache "
2174 "entries for %s\n", domain->name));
2175 if (cache)
2176 tdb_traverse(cache->tdb, traverse_fn, NULL);
2177 }
2178}
2179
2180static BOOL init_wcache(void)
2181{
2182 if (wcache == NULL) {
2183 wcache = SMB_XMALLOC_P(struct winbind_cache);
2184 ZERO_STRUCTP(wcache);
2185 }
2186
2187 if (wcache->tdb != NULL)
2188 return True;
2189
2190 /* when working offline we must not clear the cache on restart */
2191 wcache->tdb = tdb_open_log(lock_path("winbindd_cache.tdb"),
2192 WINBINDD_CACHE_TDB_DEFAULT_HASH_SIZE,
2193 lp_winbind_offline_logon() ? TDB_DEFAULT : (TDB_DEFAULT | TDB_CLEAR_IF_FIRST),
2194 O_RDWR|O_CREAT, 0600);
2195
2196 if (wcache->tdb == NULL) {
2197 DEBUG(0,("Failed to open winbindd_cache.tdb!\n"));
2198 return False;
2199 }
2200
2201 return True;
2202}
2203
2204/************************************************************************
2205 This is called by the parent to initialize the cache file.
2206 We don't need sophisticated locking here as we know we're the
2207 only opener.
2208************************************************************************/
2209
2210BOOL initialize_winbindd_cache(void)
2211{
2212 BOOL cache_bad = True;
2213 uint32 vers;
2214
2215 if (!init_wcache()) {
2216 DEBUG(0,("initialize_winbindd_cache: init_wcache failed.\n"));
2217 return False;
2218 }
2219
2220 /* Check version number. */
2221 if (tdb_fetch_uint32(wcache->tdb, WINBINDD_CACHE_VERSION_KEYSTR, &vers) &&
2222 vers == WINBINDD_CACHE_VERSION) {
2223 cache_bad = False;
2224 }
2225
2226 if (cache_bad) {
2227 DEBUG(0,("initialize_winbindd_cache: clearing cache "
2228 "and re-creating with version number %d\n",
2229 WINBINDD_CACHE_VERSION ));
2230
2231 tdb_close(wcache->tdb);
2232 wcache->tdb = NULL;
2233
2234 if (unlink(lock_path("winbindd_cache.tdb")) == -1) {
2235 DEBUG(0,("initialize_winbindd_cache: unlink %s failed %s ",
2236 lock_path("winbindd_cache.tdb"),
2237 strerror(errno) ));
2238 return False;
2239 }
2240 if (!init_wcache()) {
2241 DEBUG(0,("initialize_winbindd_cache: re-initialization "
2242 "init_wcache failed.\n"));
2243 return False;
2244 }
2245
2246 /* Write the version. */
2247 if (!tdb_store_uint32(wcache->tdb, WINBINDD_CACHE_VERSION_KEYSTR, WINBINDD_CACHE_VERSION)) {
2248 DEBUG(0,("initialize_winbindd_cache: version number store failed %s\n",
2249 tdb_errorstr(wcache->tdb) ));
2250 return False;
2251 }
2252 }
2253
2254 tdb_close(wcache->tdb);
2255 wcache->tdb = NULL;
2256 return True;
2257}
2258
2259void cache_store_response(pid_t pid, struct winbindd_response *response)
2260{
2261 fstring key_str;
2262
2263 if (!init_wcache())
2264 return;
2265
2266 DEBUG(10, ("Storing response for pid %d, len %d\n",
2267 pid, response->length));
2268
2269 fstr_sprintf(key_str, "DR/%d", pid);
2270 if (tdb_store(wcache->tdb, string_tdb_data(key_str),
2271 make_tdb_data((const char *)response, sizeof(*response)),
2272 TDB_REPLACE) == -1)
2273 return;
2274
2275 if (response->length == sizeof(*response))
2276 return;
2277
2278 /* There's extra data */
2279
2280 DEBUG(10, ("Storing extra data: len=%d\n",
2281 (int)(response->length - sizeof(*response))));
2282
2283 fstr_sprintf(key_str, "DE/%d", pid);
2284 if (tdb_store(wcache->tdb, string_tdb_data(key_str),
2285 make_tdb_data((const char *)response->extra_data.data,
2286 response->length - sizeof(*response)),
2287 TDB_REPLACE) == 0)
2288 return;
2289
2290 /* We could not store the extra data, make sure the tdb does not
2291 * contain a main record with wrong dangling extra data */
2292
2293 fstr_sprintf(key_str, "DR/%d", pid);
2294 tdb_delete(wcache->tdb, string_tdb_data(key_str));
2295
2296 return;
2297}
2298
2299BOOL cache_retrieve_response(pid_t pid, struct winbindd_response * response)
2300{
2301 TDB_DATA data;
2302 fstring key_str;
2303
2304 if (!init_wcache())
2305 return False;
2306
2307 DEBUG(10, ("Retrieving response for pid %d\n", pid));
2308
2309 fstr_sprintf(key_str, "DR/%d", pid);
2310 data = tdb_fetch(wcache->tdb, string_tdb_data(key_str));
2311
2312 if (data.dptr == NULL)
2313 return False;
2314
2315 if (data.dsize != sizeof(*response))
2316 return False;
2317
2318 memcpy(response, data.dptr, data.dsize);
2319 SAFE_FREE(data.dptr);
2320
2321 if (response->length == sizeof(*response)) {
2322 response->extra_data.data = NULL;
2323 return True;
2324 }
2325
2326 /* There's extra data */
2327
2328 DEBUG(10, ("Retrieving extra data length=%d\n",
2329 (int)(response->length - sizeof(*response))));
2330
2331 fstr_sprintf(key_str, "DE/%d", pid);
2332 data = tdb_fetch(wcache->tdb, string_tdb_data(key_str));
2333
2334 if (data.dptr == NULL) {
2335 DEBUG(0, ("Did not find extra data\n"));
2336 return False;
2337 }
2338
2339 if (data.dsize != (response->length - sizeof(*response))) {
2340 DEBUG(0, ("Invalid extra data length: %d\n", (int)data.dsize));
2341 SAFE_FREE(data.dptr);
2342 return False;
2343 }
2344
2345 dump_data(11, data.dptr, data.dsize);
2346
2347 response->extra_data.data = data.dptr;
2348 return True;
2349}
2350
2351void cache_cleanup_response(pid_t pid)
2352{
2353 fstring key_str;
2354
2355 if (!init_wcache())
2356 return;
2357
2358 fstr_sprintf(key_str, "DR/%d", pid);
2359 tdb_delete(wcache->tdb, string_tdb_data(key_str));
2360
2361 fstr_sprintf(key_str, "DE/%d", pid);
2362 tdb_delete(wcache->tdb, string_tdb_data(key_str));
2363
2364 return;
2365}
2366
2367
2368BOOL lookup_cached_sid(TALLOC_CTX *mem_ctx, const DOM_SID *sid,
2369 const char **domain_name, const char **name,
2370 enum lsa_SidType *type)
2371{
2372 struct winbindd_domain *domain;
2373 struct winbind_cache *cache;
2374 struct cache_entry *centry = NULL;
2375 NTSTATUS status;
2376
2377 domain = find_lookup_domain_from_sid(sid);
2378 if (domain == NULL) {
2379 return False;
2380 }
2381
2382 cache = get_cache(domain);
2383
2384 if (cache->tdb == NULL) {
2385 return False;
2386 }
2387
2388 centry = wcache_fetch(cache, domain, "SN/%s", sid_string_static(sid));
2389 if (centry == NULL) {
2390 return False;
2391 }
2392
2393 if (NT_STATUS_IS_OK(centry->status)) {
2394 *type = (enum lsa_SidType)centry_uint32(centry);
2395 *domain_name = centry_string(centry, mem_ctx);
2396 *name = centry_string(centry, mem_ctx);
2397 }
2398
2399 status = centry->status;
2400 centry_free(centry);
2401 return NT_STATUS_IS_OK(status);
2402}
2403
2404BOOL lookup_cached_name(TALLOC_CTX *mem_ctx,
2405 const char *domain_name,
2406 const char *name,
2407 DOM_SID *sid,
2408 enum lsa_SidType *type)
2409{
2410 struct winbindd_domain *domain;
2411 struct winbind_cache *cache;
2412 struct cache_entry *centry = NULL;
2413 NTSTATUS status;
2414 fstring uname;
2415
2416 domain = find_lookup_domain_from_name(domain_name);
2417 if (domain == NULL) {
2418 return False;
2419 }
2420
2421 cache = get_cache(domain);
2422
2423 if (cache->tdb == NULL) {
2424 return False;
2425 }
2426
2427 fstrcpy(uname, name);
2428 strupper_m(uname);
2429
2430 centry = wcache_fetch(cache, domain, "NS/%s/%s", domain_name, uname);
2431 if (centry == NULL) {
2432 return False;
2433 }
2434
2435 if (NT_STATUS_IS_OK(centry->status)) {
2436 *type = (enum lsa_SidType)centry_uint32(centry);
2437 centry_sid(centry, mem_ctx, sid);
2438 }
2439
2440 status = centry->status;
2441 centry_free(centry);
2442
2443 return NT_STATUS_IS_OK(status);
2444}
2445
2446void cache_name2sid(struct winbindd_domain *domain,
2447 const char *domain_name, const char *name,
2448 enum lsa_SidType type, const DOM_SID *sid)
2449{
2450 refresh_sequence_number(domain, False);
2451 wcache_save_name_to_sid(domain, NT_STATUS_OK, domain_name, name,
2452 sid, type);
2453}
2454
2455/* delete all centries that don't have NT_STATUS_OK set */
2456/*
2457 * The original idea that this cache only contains centries has
2458 * been blurred - now other stuff gets put in here. Ensure we
2459 * ignore these things on cleanup.
2460 */
2461
2462static int traverse_fn_cleanup(TDB_CONTEXT *the_tdb, TDB_DATA kbuf,
2463 TDB_DATA dbuf, void *state)
2464{
2465 struct cache_entry *centry;
2466
2467 if (is_non_centry_key(kbuf)) {
2468 return 0;
2469 }
2470
2471 centry = wcache_fetch_raw(kbuf.dptr);
2472 if (!centry) {
2473 return 0;
2474 }
2475
2476 if (!NT_STATUS_IS_OK(centry->status)) {
2477 DEBUG(10,("deleting centry %s\n", kbuf.dptr));
2478 tdb_delete(the_tdb, kbuf);
2479 }
2480
2481 centry_free(centry);
2482 return 0;
2483}
2484
2485/* flush the cache */
2486void wcache_flush_cache(void)
2487{
2488 if (!wcache)
2489 return;
2490 if (wcache->tdb) {
2491 tdb_close(wcache->tdb);
2492 wcache->tdb = NULL;
2493 }
2494 if (opt_nocache)
2495 return;
2496
2497 /* when working offline we must not clear the cache on restart */
2498 wcache->tdb = tdb_open_log(lock_path("winbindd_cache.tdb"),
2499 WINBINDD_CACHE_TDB_DEFAULT_HASH_SIZE,
2500 lp_winbind_offline_logon() ? TDB_DEFAULT : (TDB_DEFAULT | TDB_CLEAR_IF_FIRST),
2501 O_RDWR|O_CREAT, 0600);
2502
2503 if (!wcache->tdb) {
2504 DEBUG(0,("Failed to open winbindd_cache.tdb!\n"));
2505 return;
2506 }
2507
2508 tdb_traverse(wcache->tdb, traverse_fn_cleanup, NULL);
2509
2510 DEBUG(10,("wcache_flush_cache success\n"));
2511}
2512
2513/* Count cached creds */
2514
2515static int traverse_fn_cached_creds(TDB_CONTEXT *the_tdb, TDB_DATA kbuf, TDB_DATA dbuf,
2516 void *state)
2517{
2518 int *cred_count = (int*)state;
2519
2520 if (strncmp(kbuf.dptr, "CRED/", 5) == 0) {
2521 (*cred_count)++;
2522 }
2523 return 0;
2524}
2525
2526NTSTATUS wcache_count_cached_creds(struct winbindd_domain *domain, int *count)
2527{
2528 struct winbind_cache *cache = get_cache(domain);
2529
2530 *count = 0;
2531
2532 if (!cache->tdb) {
2533 return NT_STATUS_INTERNAL_DB_ERROR;
2534 }
2535
2536 tdb_traverse(cache->tdb, traverse_fn_cached_creds, (void *)count);
2537
2538 return NT_STATUS_OK;
2539}
2540
2541struct cred_list {
2542 struct cred_list *prev, *next;
2543 TDB_DATA key;
2544 fstring name;
2545 time_t created;
2546};
2547static struct cred_list *wcache_cred_list;
2548
2549static int traverse_fn_get_credlist(TDB_CONTEXT *the_tdb, TDB_DATA kbuf, TDB_DATA dbuf,
2550 void *state)
2551{
2552 struct cred_list *cred;
2553
2554 if (strncmp(kbuf.dptr, "CRED/", 5) == 0) {
2555
2556 cred = SMB_MALLOC_P(struct cred_list);
2557 if (cred == NULL) {
2558 DEBUG(0,("traverse_fn_remove_first_creds: failed to malloc new entry for list\n"));
2559 return -1;
2560 }
2561
2562 ZERO_STRUCTP(cred);
2563
2564 /* save a copy of the key */
2565
2566 fstrcpy(cred->name, kbuf.dptr);
2567 DLIST_ADD(wcache_cred_list, cred);
2568 }
2569
2570 return 0;
2571}
2572
2573NTSTATUS wcache_remove_oldest_cached_creds(struct winbindd_domain *domain, const DOM_SID *sid)
2574{
2575 struct winbind_cache *cache = get_cache(domain);
2576 NTSTATUS status;
2577 int ret;
2578 struct cred_list *cred, *oldest = NULL;
2579
2580 if (!cache->tdb) {
2581 return NT_STATUS_INTERNAL_DB_ERROR;
2582 }
2583
2584 /* we possibly already have an entry */
2585 if (sid && NT_STATUS_IS_OK(wcache_cached_creds_exist(domain, sid))) {
2586
2587 fstring key_str;
2588
2589 DEBUG(11,("we already have an entry, deleting that\n"));
2590
2591 fstr_sprintf(key_str, "CRED/%s", sid_string_static(sid));
2592
2593 tdb_delete(cache->tdb, string_tdb_data(key_str));
2594
2595 return NT_STATUS_OK;
2596 }
2597
2598 ret = tdb_traverse(cache->tdb, traverse_fn_get_credlist, NULL);
2599 if (ret == 0) {
2600 return NT_STATUS_OK;
2601 } else if ((ret == -1) || (wcache_cred_list == NULL)) {
2602 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
2603 }
2604
2605 ZERO_STRUCTP(oldest);
2606
2607 for (cred = wcache_cred_list; cred; cred = cred->next) {
2608
2609 TDB_DATA data;
2610 time_t t;
2611
2612 data = tdb_fetch(cache->tdb, make_tdb_data(cred->name, strlen(cred->name)));
2613 if (!data.dptr) {
2614 DEBUG(10,("wcache_remove_oldest_cached_creds: entry for [%s] not found\n",
2615 cred->name));
2616 status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
2617 goto done;
2618 }
2619
2620 t = IVAL(data.dptr, 0);
2621 SAFE_FREE(data.dptr);
2622
2623 if (!oldest) {
2624 oldest = SMB_MALLOC_P(struct cred_list);
2625 if (oldest == NULL) {
2626 status = NT_STATUS_NO_MEMORY;
2627 goto done;
2628 }
2629
2630 fstrcpy(oldest->name, cred->name);
2631 oldest->created = t;
2632 continue;
2633 }
2634
2635 if (t < oldest->created) {
2636 fstrcpy(oldest->name, cred->name);
2637 oldest->created = t;
2638 }
2639 }
2640
2641 if (tdb_delete(cache->tdb, string_tdb_data(oldest->name)) == 0) {
2642 status = NT_STATUS_OK;
2643 } else {
2644 status = NT_STATUS_UNSUCCESSFUL;
2645 }
2646done:
2647 SAFE_FREE(wcache_cred_list);
2648 SAFE_FREE(oldest);
2649
2650 return status;
2651}
2652
2653/* Change the global online/offline state. */
2654BOOL set_global_winbindd_state_offline(void)
2655{
2656 TDB_DATA data;
2657
2658 DEBUG(10,("set_global_winbindd_state_offline: offline requested.\n"));
2659
2660 /* Only go offline if someone has created
2661 the key "WINBINDD_OFFLINE" in the cache tdb. */
2662
2663 if (wcache == NULL || wcache->tdb == NULL) {
2664 DEBUG(10,("set_global_winbindd_state_offline: wcache not open yet.\n"));
2665 return False;
2666 }
2667
2668 if (!lp_winbind_offline_logon()) {
2669 DEBUG(10,("set_global_winbindd_state_offline: rejecting.\n"));
2670 return False;
2671 }
2672
2673 if (global_winbindd_offline_state) {
2674 /* Already offline. */
2675 return True;
2676 }
2677
2678 data = tdb_fetch_bystring( wcache->tdb, "WINBINDD_OFFLINE" );
2679
2680 if (!data.dptr || data.dsize != 4) {
2681 DEBUG(10,("set_global_winbindd_state_offline: offline state not set.\n"));
2682 SAFE_FREE(data.dptr);
2683 return False;
2684 } else {
2685 DEBUG(10,("set_global_winbindd_state_offline: offline state set.\n"));
2686 global_winbindd_offline_state = True;
2687 SAFE_FREE(data.dptr);
2688 return True;
2689 }
2690}
2691
2692void set_global_winbindd_state_online(void)
2693{
2694 DEBUG(10,("set_global_winbindd_state_online: online requested.\n"));
2695
2696 if (!lp_winbind_offline_logon()) {
2697 DEBUG(10,("set_global_winbindd_state_online: rejecting.\n"));
2698 return;
2699 }
2700
2701 if (!global_winbindd_offline_state) {
2702 /* Already online. */
2703 return;
2704 }
2705 global_winbindd_offline_state = False;
2706
2707 if (!wcache->tdb) {
2708 return;
2709 }
2710
2711 /* Ensure there is no key "WINBINDD_OFFLINE" in the cache tdb. */
2712 tdb_delete_bystring(wcache->tdb, "WINBINDD_OFFLINE");
2713}
2714
2715BOOL get_global_winbindd_state_offline(void)
2716{
2717 return global_winbindd_offline_state;
2718}
2719
2720/* the cache backend methods are exposed via this structure */
2721struct winbindd_methods cache_methods = {
2722 True,
2723 query_user_list,
2724 enum_dom_groups,
2725 enum_local_groups,
2726 name_to_sid,
2727 sid_to_name,
2728 rids_to_names,
2729 query_user,
2730 lookup_usergroups,
2731 lookup_useraliases,
2732 lookup_groupmem,
2733 sequence_number,
2734 lockout_policy,
2735 password_policy,
2736 trusted_domains
2737};
Note: See TracBrowser for help on using the repository browser.