diff options
Diffstat (limited to 'source3/libsmb/samlogon_cache.c')
-rw-r--r-- | source3/libsmb/samlogon_cache.c | 405 |
1 files changed, 405 insertions, 0 deletions
diff --git a/source3/libsmb/samlogon_cache.c b/source3/libsmb/samlogon_cache.c new file mode 100644 index 0000000..ab81b43 --- /dev/null +++ b/source3/libsmb/samlogon_cache.c @@ -0,0 +1,405 @@ +/* + Unix SMB/CIFS implementation. + Net_sam_logon info3 helpers + Copyright (C) Alexander Bokovoy 2002. + Copyright (C) Andrew Bartlett 2002. + Copyright (C) Gerald Carter 2003. + Copyright (C) Tim Potter 2003. + Copyright (C) Guenther Deschner 2008. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "replace.h" +#include "samlogon_cache.h" +#include "system/filesys.h" +#include "system/time.h" +#include "lib/util/debug.h" +#include "lib/util/talloc_stack.h" +#include "lib/util/memory.h" /* for SAFE_FREE() */ +#include "source3/lib/util_path.h" +#include "librpc/gen_ndr/ndr_krb5pac.h" +#include "../libcli/security/security.h" +#include "util_tdb.h" + +#define NETSAMLOGON_TDB "netsamlogon_cache.tdb" + +static TDB_CONTEXT *netsamlogon_tdb = NULL; + +/*********************************************************************** + open the tdb + ***********************************************************************/ + +bool netsamlogon_cache_init(void) +{ + bool first_try = true; + char *path = NULL; + int ret; + struct tdb_context *tdb; + + if (netsamlogon_tdb) { + return true; + } + + path = cache_path(talloc_tos(), NETSAMLOGON_TDB); + if (path == NULL) { + return false; + } +again: + tdb = tdb_open_log(path, 0, TDB_DEFAULT|TDB_INCOMPATIBLE_HASH, + O_RDWR | O_CREAT, 0600); + if (tdb == NULL) { + DEBUG(0,("tdb_open_log('%s') - failed\n", path)); + goto clear; + } + + ret = tdb_check(tdb, NULL, NULL); + if (ret != 0) { + tdb_close(tdb); + DEBUG(0,("tdb_check('%s') - failed\n", path)); + goto clear; + } + + netsamlogon_tdb = tdb; + talloc_free(path); + return true; + +clear: + if (!first_try) { + talloc_free(path); + return false; + } + first_try = false; + + DEBUG(0,("retry after truncate for '%s'\n", path)); + ret = truncate(path, 0); + if (ret == -1) { + DBG_ERR("truncate failed: %s\n", strerror(errno)); + talloc_free(path); + return false; + } + + goto again; +} + +/*********************************************************************** + Clear cache getpwnam and getgroups entries from the winbindd cache +***********************************************************************/ + +void netsamlogon_clear_cached_user(const struct dom_sid *user_sid) +{ + struct dom_sid_buf keystr; + + if (!netsamlogon_cache_init()) { + DEBUG(0,("netsamlogon_clear_cached_user: cannot open " + "%s for write!\n", + NETSAMLOGON_TDB)); + return; + } + + /* Prepare key as DOMAIN-SID/USER-RID string */ + dom_sid_str_buf(user_sid, &keystr); + + DBG_DEBUG("SID [%s]\n", keystr.buf); + + tdb_delete_bystring(netsamlogon_tdb, keystr.buf); +} + +/*********************************************************************** + Store a netr_SamInfo3 structure in a tdb for later user + username should be in UTF-8 format +***********************************************************************/ + +bool netsamlogon_cache_store(const char *username, struct netr_SamInfo3 *info3) +{ + uint8_t dummy = 0; + TDB_DATA data = { .dptr = &dummy, .dsize = sizeof(dummy) }; + struct dom_sid_buf keystr; + bool result = false; + struct dom_sid user_sid; + TALLOC_CTX *tmp_ctx = talloc_stackframe(); + DATA_BLOB blob; + enum ndr_err_code ndr_err; + struct netsamlogoncache_entry r; + int ret; + + if (!info3) { + goto fail; + } + + if (!netsamlogon_cache_init()) { + D_WARNING("netsamlogon_cache_store: cannot open %s for write!\n", + NETSAMLOGON_TDB); + goto fail; + } + + /* + * First write a record with just the domain sid for + * netsamlogon_cache_domain_known. Use TDB_INSERT to avoid + * overwriting potentially other data. We're just interested + * in the existence of that record. + */ + dom_sid_str_buf(info3->base.domain_sid, &keystr); + + ret = tdb_store_bystring(netsamlogon_tdb, keystr.buf, data, TDB_INSERT); + + if ((ret == -1) && (tdb_error(netsamlogon_tdb) != TDB_ERR_EXISTS)) { + D_WARNING("Could not store domain marker for %s: %s\n", + keystr.buf, tdb_errorstr(netsamlogon_tdb)); + goto fail; + } + + sid_compose(&user_sid, info3->base.domain_sid, info3->base.rid); + + /* Prepare key as DOMAIN-SID/USER-RID string */ + dom_sid_str_buf(&user_sid, &keystr); + + DBG_DEBUG("SID [%s]\n", keystr.buf); + + /* Prepare data */ + + if (info3->base.full_name.string == NULL) { + struct netr_SamInfo3 *cached_info3; + const char *full_name = NULL; + + cached_info3 = netsamlogon_cache_get(tmp_ctx, &user_sid); + if (cached_info3 != NULL) { + full_name = cached_info3->base.full_name.string; + } + + if (full_name != NULL) { + info3->base.full_name.string = talloc_strdup(info3, full_name); + if (info3->base.full_name.string == NULL) { + goto fail; + } + } + } + + /* only Samba fills in the username, not sure why NT doesn't */ + /* so we fill it in since winbindd_getpwnam() makes use of it */ + + if (!info3->base.account_name.string) { + info3->base.account_name.string = talloc_strdup(info3, username); + if (info3->base.account_name.string == NULL) { + goto fail; + } + } + + r.timestamp = time(NULL); + r.info3 = *info3; + + /* avoid storing secret information */ + ZERO_STRUCT(r.info3.base.key); + ZERO_STRUCT(r.info3.base.LMSessKey); + + if (DEBUGLEVEL >= 10) { + NDR_PRINT_DEBUG(netsamlogoncache_entry, &r); + } + + ndr_err = ndr_push_struct_blob(&blob, tmp_ctx, &r, + (ndr_push_flags_fn_t)ndr_push_netsamlogoncache_entry); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + DBG_WARNING("failed to push entry to cache: %s\n", + ndr_errstr(ndr_err)); + goto fail; + } + + data.dsize = blob.length; + data.dptr = blob.data; + + if (tdb_store_bystring(netsamlogon_tdb, keystr.buf, data, TDB_REPLACE) == 0) { + result = true; + } + +fail: + TALLOC_FREE(tmp_ctx); + return result; +} + +/*********************************************************************** + Retrieves a netr_SamInfo3 structure from a tdb. Caller must + free the user_info struct (talloced memory) +***********************************************************************/ + +struct netr_SamInfo3 *netsamlogon_cache_get(TALLOC_CTX *mem_ctx, const struct dom_sid *user_sid) +{ + struct netr_SamInfo3 *info3 = NULL; + TDB_DATA data; + struct dom_sid_buf keystr; + enum ndr_err_code ndr_err; + DATA_BLOB blob; + struct netsamlogoncache_entry r; + + if (!netsamlogon_cache_init()) { + DEBUG(0,("netsamlogon_cache_get: cannot open %s for write!\n", + NETSAMLOGON_TDB)); + return NULL; + } + + /* Prepare key as DOMAIN-SID/USER-RID string */ + dom_sid_str_buf(user_sid, &keystr); + DBG_DEBUG("SID [%s]\n", keystr.buf); + data = tdb_fetch_bystring( netsamlogon_tdb, keystr.buf ); + + if (!data.dptr) { + D_DEBUG("tdb fetch for %s is empty\n", keystr.buf); + return NULL; + } + + info3 = talloc_zero(mem_ctx, struct netr_SamInfo3); + if (!info3) { + goto done; + } + + blob = data_blob_const(data.dptr, data.dsize); + + ndr_err = ndr_pull_struct_blob_all( + &blob, mem_ctx, &r, + (ndr_pull_flags_fn_t)ndr_pull_netsamlogoncache_entry); + + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + D_WARNING("netsamlogon_cache_get: failed to pull entry from cache\n"); + tdb_delete_bystring(netsamlogon_tdb, keystr.buf); + TALLOC_FREE(info3); + goto done; + } + + NDR_PRINT_DEBUG_LEVEL(DBGLVL_DEBUG, netsamlogoncache_entry, &r); + + info3 = (struct netr_SamInfo3 *)talloc_memdup(mem_ctx, &r.info3, + sizeof(r.info3)); + + done: + SAFE_FREE(data.dptr); + + return info3; +} + +bool netsamlogon_cache_have(const struct dom_sid *sid) +{ + struct dom_sid_buf keystr; + bool ok; + + if (!netsamlogon_cache_init()) { + DBG_WARNING("Cannot open %s\n", NETSAMLOGON_TDB); + return false; + } + + dom_sid_str_buf(sid, &keystr); + + ok = tdb_exists(netsamlogon_tdb, string_term_tdb_data(keystr.buf)); + return ok; +} + +struct netsamlog_cache_forall_state { + TALLOC_CTX *mem_ctx; + int (*cb)(const char *sid_str, + time_t when_cached, + struct netr_SamInfo3 *, + void *private_data); + void *private_data; +}; + +static int netsamlog_cache_traverse_cb(struct tdb_context *tdb, + TDB_DATA key, + TDB_DATA data, + void *private_data) +{ + struct netsamlog_cache_forall_state *state = + (struct netsamlog_cache_forall_state *)private_data; + TALLOC_CTX *mem_ctx = NULL; + DATA_BLOB blob; + const char *sid_str = NULL; + struct dom_sid sid; + struct netsamlogoncache_entry r; + enum ndr_err_code ndr_err; + int ret; + bool ok; + + if (key.dsize == 0) { + return 0; + } + if (key.dptr[key.dsize - 1] != '\0') { + return 0; + } + if (data.dptr == NULL) { + return 0; + } + sid_str = (char *)key.dptr; + + ok = string_to_sid(&sid, sid_str); + if (!ok) { + DBG_ERR("String to SID failed for %s\n", sid_str); + return -1; + } + + if (sid.num_auths != 5) { + return 0; + } + + mem_ctx = talloc_new(state->mem_ctx); + if (mem_ctx == NULL) { + return -1; + } + + blob = data_blob_const(data.dptr, data.dsize); + + ndr_err = ndr_pull_struct_blob( + &blob, state->mem_ctx, &r, + (ndr_pull_flags_fn_t)ndr_pull_netsamlogoncache_entry); + + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + DBG_ERR("failed to pull entry from cache\n"); + return -1; + } + + ret = state->cb(sid_str, r.timestamp, &r.info3, state->private_data); + + TALLOC_FREE(mem_ctx); + return ret; +} + +int netsamlog_cache_for_all(int (*cb)(const char *sid_str, + time_t when_cached, + struct netr_SamInfo3 *, + void *private_data), + void *private_data) +{ + int ret; + TALLOC_CTX *mem_ctx = NULL; + struct netsamlog_cache_forall_state state; + + if (!netsamlogon_cache_init()) { + DBG_ERR("Cannot open %s\n", NETSAMLOGON_TDB); + return -1; + } + + mem_ctx = talloc_init("netsamlog_cache_for_all"); + if (mem_ctx == NULL) { + return -1; + } + + state = (struct netsamlog_cache_forall_state) { + .mem_ctx = mem_ctx, + .cb = cb, + .private_data = private_data, + }; + + ret = tdb_traverse_read(netsamlogon_tdb, + netsamlog_cache_traverse_cb, + &state); + + TALLOC_FREE(state.mem_ctx); + return ret; +} |