search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
samba-tool group: Add --special parameter to add predefined special group
[Samba.git] / source3 / winbindd / winbindd_cache.c
blob631b3277164edf1db9fef69b5171f006853cef6d
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind cache backend functions
5
6 Copyright (C) Andrew Tridgell 2001
7 Copyright (C) Gerald Carter 2003-2007
8 Copyright (C) Volker Lendecke 2005
9 Copyright (C) Guenther Deschner 2005
10 Copyright (C) Michael Adam 2007
11
12 This program is free software; you can redistribute it and/or modify
13 it under the terms of the GNU General Public License as published by
14 the Free Software Foundation; either version 3 of the License, or
15 (at your option) any later version.
16
17 This program is distributed in the hope that it will be useful,
18 but WITHOUT ANY WARRANTY; without even the implied warranty of
19 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 GNU General Public License for more details.
21
22 You should have received a copy of the GNU General Public License
23 along with this program. If not, see <http://www.gnu.org/licenses/>.
24 */
25
26 #include "includes.h"
27 #include "system/filesys.h"
28 #include "winbindd.h"
29 #include "tdb_validate.h"
30 #include "../libcli/auth/libcli_auth.h"
31 #include "../librpc/gen_ndr/ndr_winbind.h"
32 #include "ads.h"
33 #include "nss_info.h"
34 #include "../libcli/security/security.h"
35 #include "passdb/machine_sid.h"
36 #include "util_tdb.h"
37 #include "libsmb/samlogon_cache.h"
38 #include "lib/namemap_cache.h"
39 #include "lib/util/string_wrappers.h"
40
41 #include "lib/crypto/gnutls_helpers.h"
42 #include <gnutls/crypto.h>
43
44 #undef DBGC_CLASS
45 #define DBGC_CLASS DBGC_WINBIND
46
47 #define WINBINDD_CACHE_VER1 1 /* initial db version */
48 #define WINBINDD_CACHE_VER2 2 /* second version with timeouts for NDR entries */
49
50 #define WINBINDD_CACHE_VERSION WINBINDD_CACHE_VER2
51 #define WINBINDD_CACHE_VERSION_KEYSTR "WINBINDD_CACHE_VERSION"
52
53 extern struct winbindd_methods reconnect_methods;
54 #ifdef HAVE_ADS
55 extern struct winbindd_methods reconnect_ads_methods;
56 #endif
57 extern struct winbindd_methods builtin_passdb_methods;
58 extern struct winbindd_methods sam_passdb_methods;
59
60 static void wcache_flush_cache(void);
61
62 /*
63 * JRA. KEEP THIS LIST UP TO DATE IF YOU ADD CACHE ENTRIES.
64 * Here are the list of entry types that are *not* stored
65 * as form struct cache_entry in the cache.
66 */
67
68 static const char *non_centry_keys[] = {
69 "SEQNUM/",
70 "WINBINDD_OFFLINE",
71 WINBINDD_CACHE_VERSION_KEYSTR,
72 NULL
73 };
74
75 /************************************************************************
76 Is this key a non-centry type ?
77 ************************************************************************/
78
79 static bool is_non_centry_key(TDB_DATA kbuf)
80 {
81 int i;
82
83 if (kbuf.dptr == NULL || kbuf.dsize == 0) {
84 return false;
85 }
86 for (i = 0; non_centry_keys[i] != NULL; i++) {
87 size_t namelen = strlen(non_centry_keys[i]);
88 if (kbuf.dsize < namelen) {
89 continue;
90 }
91 if (strncmp(non_centry_keys[i], (const char *)kbuf.dptr, namelen) == 0) {
92 return true;
93 }
94 }
95 return false;
96 }
97
98 struct winbind_cache {
99 TDB_CONTEXT *tdb;
100 };
101
102 struct cache_entry {
103 NTSTATUS status;
104 uint32_t sequence_number;
105 uint64_t timeout;
106 uint8_t *data;
107 uint32_t len, ofs;
108 };
109
110 void (*smb_panic_fn)(const char *const why) = smb_panic;
111
112 static struct winbind_cache *wcache;
113
114 static char *wcache_path(void)
115 {
116 /*
117 * Data needs to be kept persistent in state directory for
118 * running with "winbindd offline logon".
119 */
120 return state_path(talloc_tos(), "winbindd_cache.tdb");
121 }
122
123 static void winbindd_domain_init_backend(struct winbindd_domain *domain)
124 {
125 if (domain->backend != NULL) {
126 return;
127 }
128
129 if (domain->internal) {
130 domain->backend = &builtin_passdb_methods;
131 }
132
133 if (dom_sid_equal(&domain->sid, &global_sid_Builtin)) {
134 domain->initialized = true;
135 }
136
137 if (strequal(domain->name, get_global_sam_name()) &&
138 sid_check_is_our_sam(&domain->sid))
139 {
140 domain->backend = &sam_passdb_methods;
141 }
142
143 if (!domain->initialized) {
144 /* We do not need a connection to an RW DC for cache operation */
145 init_dc_connection(domain, false);
146 }
147
148 #ifdef HAVE_ADS
149 if (domain->backend == NULL) {
150 struct winbindd_domain *our_domain = domain;
151
152 /* find our domain first so we can figure out if we
153 are joined to a kerberized domain */
154
155 if (!domain->primary) {
156 our_domain = find_our_domain();
157 }
158
159 if ((our_domain->active_directory || IS_DC)
160 && domain->active_directory
161 && !lp_winbind_rpc_only())
162 {
163 DBG_INFO("Setting ADS methods for domain %s\n",
164 domain->name);
165 domain->backend = &reconnect_ads_methods;
166 }
167 }
168 #endif /* HAVE_ADS */
169
170 if (domain->backend == NULL) {
171 DBG_INFO("Setting MS-RPC methods for domain %s\n", domain->name);
172 domain->backend = &reconnect_methods;
173 }
174 }
175
176 /* get the winbind_cache structure */
177 static struct winbind_cache *get_cache(struct winbindd_domain *domain)
178 {
179 struct winbind_cache *ret = wcache;
180
181 winbindd_domain_init_backend(domain);
182
183 if (ret != NULL) {
184 return ret;
185 }
186
187 ret = SMB_XMALLOC_P(struct winbind_cache);
188 ZERO_STRUCTP(ret);
189
190 wcache = ret;
191 wcache_flush_cache();
192
193 return ret;
194 }
195
196 /*
197 free a centry structure
198 */
199 static void centry_free(struct cache_entry *centry)
200 {
201 if (!centry)
202 return;
203 SAFE_FREE(centry->data);
204 free(centry);
205 }
206
207 static bool centry_check_bytes(struct cache_entry *centry, size_t nbytes)
208 {
209 if (centry->len - centry->ofs < nbytes) {
210 DEBUG(0,("centry corruption? needed %u bytes, have %d\n",
211 (unsigned int)nbytes,
212 centry->len - centry->ofs));
213 return false;
214 }
215 return true;
216 }
217
218 /*
219 pull a uint64_t from a cache entry
220 */
221 static uint64_t centry_uint64_t(struct cache_entry *centry)
222 {
223 uint64_t ret;
224
225 if (!centry_check_bytes(centry, 8)) {
226 smb_panic_fn("centry_uint64_t");
227 }
228 ret = BVAL(centry->data, centry->ofs);
229 centry->ofs += 8;
230 return ret;
231 }
232
233 /*
234 pull a uint32_t from a cache entry
235 */
236 static uint32_t centry_uint32(struct cache_entry *centry)
237 {
238 uint32_t ret;
239
240 if (!centry_check_bytes(centry, 4)) {
241 smb_panic_fn("centry_uint32");
242 }
243 ret = IVAL(centry->data, centry->ofs);
244 centry->ofs += 4;
245 return ret;
246 }
247
248 /*
249 pull a uint16_t from a cache entry
250 */
251 static uint16_t centry_uint16(struct cache_entry *centry)
252 {
253 uint16_t ret;
254 if (!centry_check_bytes(centry, 2)) {
255 smb_panic_fn("centry_uint16");
256 }
257 ret = SVAL(centry->data, centry->ofs);
258 centry->ofs += 2;
259 return ret;
260 }
261
262 /*
263 pull a uint8_t from a cache entry
264 */
265 static uint8_t centry_uint8(struct cache_entry *centry)
266 {
267 uint8_t ret;
268 if (!centry_check_bytes(centry, 1)) {
269 smb_panic_fn("centry_uint8");
270 }
271 ret = CVAL(centry->data, centry->ofs);
272 centry->ofs += 1;
273 return ret;
274 }
275
276 /*
277 pull a NTTIME from a cache entry
278 */
279 static NTTIME centry_nttime(struct cache_entry *centry)
280 {
281 NTTIME ret;
282 if (!centry_check_bytes(centry, 8)) {
283 smb_panic_fn("centry_nttime");
284 }
285 ret = IVAL(centry->data, centry->ofs);
286 centry->ofs += 4;
287 ret += (uint64_t)IVAL(centry->data, centry->ofs) << 32;
288 centry->ofs += 4;
289 return ret;
290 }
291
292 /*
293 pull a time_t from a cache entry. time_t stored portably as a 64-bit time.
294 */
295 static time_t centry_time(struct cache_entry *centry)
296 {
297 return (time_t)centry_nttime(centry);
298 }
299
300 /* pull a string from a cache entry, using the supplied
301 talloc context
302 */
303 static char *centry_string(struct cache_entry *centry, TALLOC_CTX *mem_ctx)
304 {
305 uint32_t len;
306 char *ret;
307
308 len = centry_uint8(centry);
309
310 if (len == 0xFF) {
311 /* a deliberate NULL string */
312 return NULL;
313 }
314
315 if (!centry_check_bytes(centry, (size_t)len)) {
316 smb_panic_fn("centry_string");
317 }
318
319 ret = talloc_array(mem_ctx, char, len+1);
320 if (!ret) {
321 smb_panic_fn("centry_string out of memory\n");
322 }
323 memcpy(ret,centry->data + centry->ofs, len);
324 ret[len] = 0;
325 centry->ofs += len;
326 return ret;
327 }
328
329 /* pull a hash16 from a cache entry, using the supplied
330 talloc context
331 */
332 static char *centry_hash16(struct cache_entry *centry, TALLOC_CTX *mem_ctx)
333 {
334 uint32_t len;
335 char *ret;
336
337 len = centry_uint8(centry);
338
339 if (len != 16) {
340 DEBUG(0,("centry corruption? hash len (%u) != 16\n",
341 len ));
342 return NULL;
343 }
344
345 if (!centry_check_bytes(centry, 16)) {
346 return NULL;
347 }
348
349 ret = talloc_array(mem_ctx, char, 16);
350 if (!ret) {
351 smb_panic_fn("centry_hash out of memory\n");
352 }
353 memcpy(ret,centry->data + centry->ofs, 16);
354 centry->ofs += 16;
355 return ret;
356 }
357
358 /* pull a sid from a cache entry, using the supplied
359 talloc context
360 */
361 static bool centry_sid(struct cache_entry *centry, struct dom_sid *sid)
362 {
363 char *sid_string;
364 bool ret;
365
366 sid_string = centry_string(centry, talloc_tos());
367 if (sid_string == NULL) {
368 return false;
369 }
370 ret = string_to_sid(sid, sid_string);
371 TALLOC_FREE(sid_string);
372 return ret;
373 }
374
375
376 /*
377 pull a NTSTATUS from a cache entry
378 */
379 static NTSTATUS centry_ntstatus(struct cache_entry *centry)
380 {
381 NTSTATUS status;
382
383 status = NT_STATUS(centry_uint32(centry));
384 return status;
385 }
386
387
388 /* the server is considered down if it can't give us a sequence number */
389 static bool wcache_server_down(struct winbindd_domain *domain)
390 {
391 bool ret;
392
393 if (!wcache->tdb)
394 return false;
395
396 ret = (domain->sequence_number == DOM_SEQUENCE_NONE);
397
398 if (ret)
399 DEBUG(10,("wcache_server_down: server for Domain %s down\n",
400 domain->name ));
401 return ret;
402 }
403
404 struct wcache_seqnum_state {
405 uint32_t *seqnum;
406 uint32_t *last_seq_check;
407 };
408
409 static int wcache_seqnum_parser(TDB_DATA key, TDB_DATA data,
410 void *private_data)
411 {
412 struct wcache_seqnum_state *state = private_data;
413
414 if (data.dsize != 8) {
415 DEBUG(10, ("wcache_fetch_seqnum: invalid data size %d\n",
416 (int)data.dsize));
417 return -1;
418 }
419
420 *state->seqnum = IVAL(data.dptr, 0);
421 *state->last_seq_check = IVAL(data.dptr, 4);
422 return 0;
423 }
424
425 static bool wcache_fetch_seqnum(const char *domain_name, uint32_t *seqnum,
426 uint32_t *last_seq_check)
427 {
428 struct wcache_seqnum_state state = {
429 .seqnum = seqnum, .last_seq_check = last_seq_check
430 };
431 size_t len = strlen(domain_name);
432 char keystr[len+8];
433 TDB_DATA key = { .dptr = (uint8_t *)keystr, .dsize = sizeof(keystr) };
434 int ret;
435
436 if (wcache->tdb == NULL) {
437 DEBUG(10,("wcache_fetch_seqnum: tdb == NULL\n"));
438 return false;
439 }
440
441 snprintf(keystr, sizeof(keystr), "SEQNUM/%s", domain_name);
442
443 ret = tdb_parse_record(wcache->tdb, key, wcache_seqnum_parser,
444 &state);
445 return (ret == 0);
446 }
447
448 static NTSTATUS fetch_cache_seqnum( struct winbindd_domain *domain, time_t now )
449 {
450 uint32_t last_check, time_diff;
451
452 if (!wcache_fetch_seqnum(domain->name, &domain->sequence_number,
453 &last_check)) {
454 return NT_STATUS_UNSUCCESSFUL;
455 }
456 domain->last_seq_check = last_check;
457
458 /* have we expired? */
459
460 time_diff = now - domain->last_seq_check;
461 if ((int)time_diff > lp_winbind_cache_time()) {
462 DEBUG(10,("fetch_cache_seqnum: timeout [%s][%u @ %u]\n",
463 domain->name, domain->sequence_number,
464 (uint32_t)domain->last_seq_check));
465 return NT_STATUS_UNSUCCESSFUL;
466 }
467
468 DEBUG(10,("fetch_cache_seqnum: success [%s][%u @ %u]\n",
469 domain->name, domain->sequence_number,
470 (uint32_t)domain->last_seq_check));
471
472 return NT_STATUS_OK;
473 }
474
475 bool wcache_store_seqnum(const char *domain_name, uint32_t seqnum,
476 time_t last_seq_check)
477 {
478 size_t len = strlen(domain_name);
479 char keystr[len+8];
480 TDB_DATA key = { .dptr = (uint8_t *)keystr, .dsize = sizeof(keystr) };
481 uint8_t buf[8];
482 int ret;
483
484 if (wcache->tdb == NULL) {
485 DEBUG(10, ("wcache_store_seqnum: wcache->tdb == NULL\n"));
486 return false;
487 }
488
489 snprintf(keystr, sizeof(keystr), "SEQNUM/%s", domain_name);
490
491 SIVAL(buf, 0, seqnum);
492 SIVAL(buf, 4, last_seq_check);
493
494 ret = tdb_store(wcache->tdb, key, make_tdb_data(buf, sizeof(buf)),
495 TDB_REPLACE);
496 if (ret != 0) {
497 DEBUG(10, ("tdb_store_bystring failed: %s\n",
498 tdb_errorstr(wcache->tdb)));
499 return false;
500 }
501
502 DEBUG(10, ("wcache_store_seqnum: success [%s][%u @ %u]\n",
503 domain_name, seqnum, (unsigned)last_seq_check));
504
505 return true;
506 }
507
508 static bool store_cache_seqnum( struct winbindd_domain *domain )
509 {
510 return wcache_store_seqnum(domain->name, domain->sequence_number,
511 domain->last_seq_check);
512 }
513
514 /*
515 refresh the domain sequence number on timeout.
516 */
517
518 static void refresh_sequence_number(struct winbindd_domain *domain)
519 {
520 NTSTATUS status;
521 unsigned time_diff;
522 time_t t = time(NULL);
523 unsigned cache_time = lp_winbind_cache_time();
524
525 if (is_domain_offline(domain)) {
526 return;
527 }
528
529 get_cache( domain );
530
531 time_diff = t - domain->last_seq_check;
532
533 /* see if we have to refetch the domain sequence number */
534 if ((time_diff < cache_time) &&
535 (domain->sequence_number != DOM_SEQUENCE_NONE) &&
536 NT_STATUS_IS_OK(domain->last_status)) {
537 DEBUG(10, ("refresh_sequence_number: %s time ok\n", domain->name));
538 goto done;
539 }
540
541 /* try to get the sequence number from the tdb cache first */
542 /* this will update the timestamp as well */
543
544 status = fetch_cache_seqnum( domain, t );
545 if (NT_STATUS_IS_OK(status) &&
546 (domain->sequence_number != DOM_SEQUENCE_NONE) &&
547 NT_STATUS_IS_OK(domain->last_status)) {
548 goto done;
549 }
550
551 /* just use the current time */
552 domain->last_status = NT_STATUS_OK;
553 domain->sequence_number = time(NULL);
554 domain->last_seq_check = time(NULL);
555
556 /* save the new sequence number in the cache */
557 store_cache_seqnum( domain );
558
559 done:
560 DEBUG(10, ("refresh_sequence_number: %s seq number is now %d\n",
561 domain->name, domain->sequence_number));
562
563 return;
564 }
565
566 /*
567 decide if a cache entry has expired
568 */
569 static bool centry_expired(struct winbindd_domain *domain, const char *keystr, struct cache_entry *centry)
570 {
571 /* If we've been told to be offline - stay in that state... */
572 if (lp_winbind_offline_logon() && get_global_winbindd_state_offline()) {
573 DEBUG(10,("centry_expired: Key %s for domain %s valid as winbindd is globally offline.\n",
574 keystr, domain->name ));
575 return false;
576 }
577
578 /* when the domain is offline return the cached entry.
579 * This deals with transient offline states... */
580
581 if (!domain->online) {
582 DEBUG(10,("centry_expired: Key %s for domain %s valid as domain is offline.\n",
583 keystr, domain->name ));
584 return false;
585 }
586
587 /* if the server is OK and our cache entry came from when it was down then
588 the entry is invalid */
589 if ((domain->sequence_number != DOM_SEQUENCE_NONE) &&
590 (centry->sequence_number == DOM_SEQUENCE_NONE)) {
591 DEBUG(10,("centry_expired: Key %s for domain %s invalid sequence.\n",
592 keystr, domain->name ));
593 return true;
594 }
595
596 /* if the server is down or the cache entry is not older than the
597 current sequence number or it did not timeout then it is OK */
598 if (wcache_server_down(domain)
599 || ((centry->sequence_number == domain->sequence_number)
600 && ((time_t)centry->timeout > time(NULL)))) {
601 DEBUG(10,("centry_expired: Key %s for domain %s is good.\n",
602 keystr, domain->name ));
603 return false;
604 }
605
606 DEBUG(10,("centry_expired: Key %s for domain %s expired\n",
607 keystr, domain->name ));
608
609 /* it's expired */
610 return true;
611 }
612
613 static struct cache_entry *wcache_fetch_raw(char *kstr)
614 {
615 TDB_DATA data;
616 struct cache_entry *centry;
617 TDB_DATA key;
618
619 key = string_tdb_data(kstr);
620 data = tdb_fetch(wcache->tdb, key);
621 if (!data.dptr) {
622 /* a cache miss */
623 return NULL;
624 }
625
626 centry = SMB_XMALLOC_P(struct cache_entry);
627 centry->data = (unsigned char *)data.dptr;
628 centry->len = data.dsize;
629 centry->ofs = 0;
630
631 if (centry->len < 16) {
632 /* huh? corrupt cache? */
633 DEBUG(10,("wcache_fetch_raw: Corrupt cache for key %s "
634 "(len < 16)?\n", kstr));
635 centry_free(centry);
636 return NULL;
637 }
638
639 centry->status = centry_ntstatus(centry);
640 centry->sequence_number = centry_uint32(centry);
641 centry->timeout = centry_uint64_t(centry);
642
643 return centry;
644 }
645
646 static bool is_my_own_sam_domain(struct winbindd_domain *domain)
647 {
648 if (strequal(domain->name, get_global_sam_name()) &&
649 sid_check_is_our_sam(&domain->sid)) {
650 return true;
651 }
652
653 return false;
654 }
655
656 static bool is_builtin_domain(struct winbindd_domain *domain)
657 {
658 if (strequal(domain->name, "BUILTIN") &&
659 sid_check_is_builtin(&domain->sid)) {
660 return true;
661 }
662
663 return false;
664 }
665
666 /*
667 fetch an entry from the cache, with a varargs key. auto-fetch the sequence
668 number and return status
669 */
670 static struct cache_entry *wcache_fetch(struct winbind_cache *cache,
671 struct winbindd_domain *domain,
672 const char *format, ...) PRINTF_ATTRIBUTE(3,4);
673 static struct cache_entry *wcache_fetch(struct winbind_cache *cache,
674 struct winbindd_domain *domain,
675 const char *format, ...)
676 {
677 va_list ap;
678 char *kstr;
679 struct cache_entry *centry;
680 int ret;
681
682 if (!winbindd_use_cache() ||
683 is_my_own_sam_domain(domain) ||
684 is_builtin_domain(domain)) {
685 return NULL;
686 }
687
688 refresh_sequence_number(domain);
689
690 va_start(ap, format);
691 ret = vasprintf(&kstr, format, ap);
692 va_end(ap);
693
694 if (ret == -1) {
695 return NULL;
696 }
697
698 centry = wcache_fetch_raw(kstr);
699 if (centry == NULL) {
700 free(kstr);
701 return NULL;
702 }
703
704 if (centry_expired(domain, kstr, centry)) {
705
706 DEBUG(10,("wcache_fetch: entry %s expired for domain %s\n",
707 kstr, domain->name ));
708
709 centry_free(centry);
710 free(kstr);
711 return NULL;
712 }
713
714 DEBUG(10,("wcache_fetch: returning entry %s for domain %s\n",
715 kstr, domain->name ));
716
717 free(kstr);
718 return centry;
719 }
720
721 static void wcache_delete(const char *format, ...) PRINTF_ATTRIBUTE(1,2);
722 static void wcache_delete(const char *format, ...)
723 {
724 va_list ap;
725 char *kstr;
726 TDB_DATA key;
727 int ret;
728
729 va_start(ap, format);
730 ret = vasprintf(&kstr, format, ap);
731 va_end(ap);
732
733 if (ret == -1) {
734 return;
735 }
736
737 key = string_tdb_data(kstr);
738
739 tdb_delete(wcache->tdb, key);
740 free(kstr);
741 }
742
743 /*
744 make sure we have at least len bytes available in a centry
745 */
746 static void centry_expand(struct cache_entry *centry, uint32_t len)
747 {
748 if (centry->len - centry->ofs >= len)
749 return;
750 centry->len *= 2;
751 centry->data = SMB_REALLOC_ARRAY(centry->data, unsigned char,
752 centry->len);
753 if (!centry->data) {
754 DEBUG(0,("out of memory: needed %d bytes in centry_expand\n", centry->len));
755 smb_panic_fn("out of memory in centry_expand");
756 }
757 }
758
759 /*
760 push a uint64_t into a centry
761 */
762 static void centry_put_uint64_t(struct cache_entry *centry, uint64_t v)
763 {
764 centry_expand(centry, 8);
765 SBVAL(centry->data, centry->ofs, v);
766 centry->ofs += 8;
767 }
768
769 /*
770 push a uint32_t into a centry
771 */
772 static void centry_put_uint32(struct cache_entry *centry, uint32_t v)
773 {
774 centry_expand(centry, 4);
775 SIVAL(centry->data, centry->ofs, v);
776 centry->ofs += 4;
777 }
778
779 /*
780 push a uint16_t into a centry
781 */
782 static void centry_put_uint16(struct cache_entry *centry, uint16_t v)
783 {
784 centry_expand(centry, 2);
785 SSVAL(centry->data, centry->ofs, v);
786 centry->ofs += 2;
787 }
788
789 /*
790 push a uint8_t into a centry
791 */
792 static void centry_put_uint8(struct cache_entry *centry, uint8_t v)
793 {
794 centry_expand(centry, 1);
795 SCVAL(centry->data, centry->ofs, v);
796 centry->ofs += 1;
797 }
798
799 /*
800 push a string into a centry
801 */
802 static void centry_put_string(struct cache_entry *centry, const char *s)
803 {
804 int len;
805
806 if (!s) {
807 /* null strings are marked as len 0xFFFF */
808 centry_put_uint8(centry, 0xFF);
809 return;
810 }
811
812 len = strlen(s);
813 /* can't handle more than 254 char strings. Truncating is probably best */
814 if (len > 254) {
815 DEBUG(10,("centry_put_string: truncating len (%d) to: 254\n", len));
816 len = 254;
817 }
818 centry_put_uint8(centry, len);
819 centry_expand(centry, len);
820 memcpy(centry->data + centry->ofs, s, len);
821 centry->ofs += len;
822 }
823
824 /*
825 push a 16 byte hash into a centry - treat as 16 byte string.
826 */
827 static void centry_put_hash16(struct cache_entry *centry, const uint8_t val[16])
828 {
829 centry_put_uint8(centry, 16);
830 centry_expand(centry, 16);
831 memcpy(centry->data + centry->ofs, val, 16);
832 centry->ofs += 16;
833 }
834
835 static void centry_put_sid(struct cache_entry *centry, const struct dom_sid *sid)
836 {
837 struct dom_sid_buf sid_string;
838 centry_put_string(centry, dom_sid_str_buf(sid, &sid_string));
839 }
840
841
842 /*
843 put NTSTATUS into a centry
844 */
845 static void centry_put_ntstatus(struct cache_entry *centry, NTSTATUS status)
846 {
847 uint32_t status_value = NT_STATUS_V(status);
848 centry_put_uint32(centry, status_value);
849 }
850
851
852 /*
853 push a NTTIME into a centry
854 */
855 static void centry_put_nttime(struct cache_entry *centry, NTTIME nt)
856 {
857 centry_expand(centry, 8);
858 SIVAL(centry->data, centry->ofs, nt & 0xFFFFFFFF);
859 centry->ofs += 4;
860 SIVAL(centry->data, centry->ofs, nt >> 32);
861 centry->ofs += 4;
862 }
863
864 /*
865 push a time_t into a centry - use a 64 bit size.
866 NTTIME here is being used as a convenient 64-bit size.
867 */
868 static void centry_put_time(struct cache_entry *centry, time_t t)
869 {
870 NTTIME nt = (NTTIME)t;
871 centry_put_nttime(centry, nt);
872 }
873
874 /*
875 start a centry for output. When finished, call centry_end()
876 */
877 static struct cache_entry *centry_start(struct winbindd_domain *domain,
878 NTSTATUS status)
879 {
880 struct cache_entry *centry;
881
882 if (!wcache->tdb)
883 return NULL;
884
885 centry = SMB_XMALLOC_P(struct cache_entry);
886
887 centry->len = 8192; /* reasonable default */
888 centry->data = SMB_XMALLOC_ARRAY(uint8_t, centry->len);
889 centry->ofs = 0;
890 centry->sequence_number = domain->sequence_number;
891 centry->timeout = lp_winbind_cache_time() + time(NULL);
892 centry_put_ntstatus(centry, status);
893 centry_put_uint32(centry, centry->sequence_number);
894 centry_put_uint64_t(centry, centry->timeout);
895 return centry;
896 }
897
898 /*
899 finish a centry and write it to the tdb
900 */
901 static void centry_end(struct cache_entry *centry, const char *format, ...) PRINTF_ATTRIBUTE(2,3);
902 static void centry_end(struct cache_entry *centry, const char *format, ...)
903 {
904 va_list ap;
905 char *kstr;
906 TDB_DATA key, data;
907 int ret;
908
909 if (!winbindd_use_cache()) {
910 return;
911 }
912
913 va_start(ap, format);
914 ret = vasprintf(&kstr, format, ap);
915 va_end(ap);
916
917 if (ret == -1) {
918 return;
919 }
920
921 key = string_tdb_data(kstr);
922 data.dptr = centry->data;
923 data.dsize = centry->ofs;
924
925 tdb_store(wcache->tdb, key, data, TDB_REPLACE);
926 free(kstr);
927 }
928
929 static void wcache_save_name_to_sid(struct winbindd_domain *domain,
930 NTSTATUS status, const char *domain_name,
931 const char *name, const struct dom_sid *sid,
932 enum lsa_SidType type)
933 {
934 bool ok;
935
936 ok = namemap_cache_set_name2sid(domain_name, name, sid, type,
937 time(NULL) + lp_winbind_cache_time());
938 if (!ok) {
939 DBG_DEBUG("namemap_cache_set_name2sid failed\n");
940 }
941
942 /*
943 * Don't store the reverse mapping. The name came from user
944 * input, and we might not have the correct capitalization,
945 * which is important for nsswitch.
946 */
947 }
948
949 static void wcache_save_sid_to_name(struct winbindd_domain *domain, NTSTATUS status,
950 const struct dom_sid *sid, const char *domain_name, const char *name, enum lsa_SidType type)
951 {
952 bool ok;
953
954 ok = namemap_cache_set_sid2name(sid, domain_name, name, type,
955 time(NULL) + lp_winbind_cache_time());
956 if (!ok) {
957 DBG_DEBUG("namemap_cache_set_sid2name failed\n");
958 }
959
960 if (type != SID_NAME_UNKNOWN) {
961 ok = namemap_cache_set_name2sid(
962 domain_name, name, sid, type,
963 time(NULL) + lp_winbind_cache_time());
964 if (!ok) {
965 DBG_DEBUG("namemap_cache_set_name2sid failed\n");
966 }
967 }
968 }
969
970 static void wcache_save_lockout_policy(struct winbindd_domain *domain,
971 NTSTATUS status,
972 struct samr_DomInfo12 *lockout_policy)
973 {
974 struct cache_entry *centry;
975
976 centry = centry_start(domain, status);
977 if (!centry)
978 return;
979
980 centry_put_nttime(centry, lockout_policy->lockout_duration);
981 centry_put_nttime(centry, lockout_policy->lockout_window);
982 centry_put_uint16(centry, lockout_policy->lockout_threshold);
983
984 centry_end(centry, "LOC_POL/%s", domain->name);
985
986 DEBUG(10,("wcache_save_lockout_policy: %s\n", domain->name));
987
988 centry_free(centry);
989 }
990
991
992
993 static void wcache_save_password_policy(struct winbindd_domain *domain,
994 NTSTATUS status,
995 struct samr_DomInfo1 *policy)
996 {
997 struct cache_entry *centry;
998
999 centry = centry_start(domain, status);
1000 if (!centry)
1001 return;
1002
1003 centry_put_uint16(centry, policy->min_password_length);
1004 centry_put_uint16(centry, policy->password_history_length);
1005 centry_put_uint32(centry, policy->password_properties);
1006 centry_put_nttime(centry, policy->max_password_age);
1007 centry_put_nttime(centry, policy->min_password_age);
1008
1009 centry_end(centry, "PWD_POL/%s", domain->name);
1010
1011 DEBUG(10,("wcache_save_password_policy: %s\n", domain->name));
1012
1013 centry_free(centry);
1014 }
1015
1016 /***************************************************************************
1017 ***************************************************************************/
1018
1019 static void wcache_save_username_alias(struct winbindd_domain *domain,
1020 NTSTATUS status,
1021 const char *name, const char *alias)
1022 {
1023 struct cache_entry *centry;
1024 fstring uname;
1025
1026 if ( (centry = centry_start(domain, status)) == NULL )
1027 return;
1028
1029 centry_put_string( centry, alias );
1030
1031 fstrcpy(uname, name);
1032 (void)strupper_m(uname);
1033 centry_end(centry, "NSS/NA/%s", uname);
1034
1035 DEBUG(10,("wcache_save_username_alias: %s -> %s\n", name, alias ));
1036
1037 centry_free(centry);
1038 }
1039
1040 static void wcache_save_alias_username(struct winbindd_domain *domain,
1041 NTSTATUS status,
1042 const char *alias, const char *name)
1043 {
1044 struct cache_entry *centry;
1045 fstring uname;
1046
1047 if ( (centry = centry_start(domain, status)) == NULL )
1048 return;
1049
1050 centry_put_string( centry, name );
1051
1052 fstrcpy(uname, alias);
1053 (void)strupper_m(uname);
1054 centry_end(centry, "NSS/AN/%s", uname);
1055
1056 DEBUG(10,("wcache_save_alias_username: %s -> %s\n", alias, name ));
1057
1058 centry_free(centry);
1059 }
1060
1061 /***************************************************************************
1062 ***************************************************************************/
1063
1064 NTSTATUS resolve_username_to_alias( TALLOC_CTX *mem_ctx,
1065 struct winbindd_domain *domain,
1066 const char *name, char **alias )
1067 {
1068 struct winbind_cache *cache = get_cache(domain);
1069 struct cache_entry *centry = NULL;
1070 NTSTATUS status;
1071 char *upper_name;
1072
1073 if ( domain->internal )
1074 return NT_STATUS_NOT_SUPPORTED;
1075
1076 if (!cache->tdb)
1077 goto do_query;
1078
1079 upper_name = talloc_strdup_upper(mem_ctx, name);
1080 if (upper_name == NULL) {
1081 return NT_STATUS_NO_MEMORY;
1082 }
1083
1084 centry = wcache_fetch(cache, domain, "NSS/NA/%s", upper_name);
1085
1086 talloc_free(upper_name);
1087
1088 if (!centry)
1089 goto do_query;
1090
1091 status = centry->status;
1092
1093 if (!NT_STATUS_IS_OK(status)) {
1094 centry_free(centry);
1095 return status;
1096 }
1097
1098 *alias = centry_string( centry, mem_ctx );
1099
1100 centry_free(centry);
1101
1102 DEBUG(10,("resolve_username_to_alias: [Cached] - mapped %s to %s\n",
1103 name, *alias ? *alias : "(none)"));
1104
1105 return (*alias) ? NT_STATUS_OK : NT_STATUS_OBJECT_NAME_NOT_FOUND;
1106
1107 do_query:
1108
1109 /* If its not in cache and we are offline, then fail */
1110
1111 if (is_domain_offline(domain)) {
1112 DEBUG(8,("resolve_username_to_alias: rejecting query "
1113 "in offline mode\n"));
1114 return NT_STATUS_NOT_FOUND;
1115 }
1116
1117 status = nss_map_to_alias( mem_ctx, domain->name, name, alias );
1118
1119 if ( NT_STATUS_IS_OK( status ) ) {
1120 wcache_save_username_alias(domain, status, name, *alias);
1121 }
1122
1123 if ( NT_STATUS_EQUAL( status, NT_STATUS_NONE_MAPPED ) ) {
1124 wcache_save_username_alias(domain, status, name, "(NULL)");
1125 }
1126
1127 DEBUG(5,("resolve_username_to_alias: backend query returned %s\n",
1128 nt_errstr(status)));
1129
1130 if ( NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ) {
1131 set_domain_offline( domain );
1132 }
1133
1134 return status;
1135 }
1136
1137 /***************************************************************************
1138 ***************************************************************************/
1139
1140 NTSTATUS resolve_alias_to_username( TALLOC_CTX *mem_ctx,
1141 struct winbindd_domain *domain,
1142 const char *alias, char **name )
1143 {
1144 struct winbind_cache *cache = get_cache(domain);
1145 struct cache_entry *centry = NULL;
1146 NTSTATUS status;
1147 char *upper_name;
1148
1149 if ( domain->internal )
1150 return NT_STATUS_NOT_SUPPORTED;
1151
1152 if (!cache->tdb)
1153 goto do_query;
1154
1155 upper_name = talloc_strdup(mem_ctx, alias);
1156 if (upper_name == NULL) {
1157 return NT_STATUS_NO_MEMORY;
1158 }
1159 if (!strupper_m(upper_name)) {
1160 talloc_free(upper_name);
1161 return NT_STATUS_INVALID_PARAMETER;
1162 }
1163
1164 centry = wcache_fetch(cache, domain, "NSS/AN/%s", upper_name);
1165
1166 talloc_free(upper_name);
1167
1168 if (!centry)
1169 goto do_query;
1170
1171 status = centry->status;
1172
1173 if (!NT_STATUS_IS_OK(status)) {
1174 centry_free(centry);
1175 return status;
1176 }
1177
1178 *name = centry_string( centry, mem_ctx );
1179
1180 centry_free(centry);
1181
1182 DEBUG(10,("resolve_alias_to_username: [Cached] - mapped %s to %s\n",
1183 alias, *name ? *name : "(none)"));
1184
1185 return (*name) ? NT_STATUS_OK : NT_STATUS_OBJECT_NAME_NOT_FOUND;
1186
1187 do_query:
1188
1189 /* If its not in cache and we are offline, then fail */
1190
1191 if (is_domain_offline(domain)) {
1192 DEBUG(8,("resolve_alias_to_username: rejecting query "
1193 "in offline mode\n"));
1194 return NT_STATUS_NOT_FOUND;
1195 }
1196
1197 /* an alias cannot contain a domain prefix or '@' */
1198
1199 if (strchr(alias, '\\') || strchr(alias, '@')) {
1200 DEBUG(10,("resolve_alias_to_username: skipping fully "
1201 "qualified name %s\n", alias));
1202 return NT_STATUS_OBJECT_NAME_INVALID;
1203 }
1204
1205 status = nss_map_from_alias( mem_ctx, domain->name, alias, name );
1206
1207 if ( NT_STATUS_IS_OK( status ) ) {
1208 wcache_save_alias_username( domain, status, alias, *name );
1209 }
1210
1211 if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
1212 wcache_save_alias_username(domain, status, alias, "(NULL)");
1213 }
1214
1215 DEBUG(5,("resolve_alias_to_username: backend query returned %s\n",
1216 nt_errstr(status)));
1217
1218 if ( NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND) ) {
1219 set_domain_offline( domain );
1220 }
1221
1222 return status;
1223 }
1224
1225 NTSTATUS wcache_cached_creds_exist(struct winbindd_domain *domain, const struct dom_sid *sid)
1226 {
1227 struct winbind_cache *cache = get_cache(domain);
1228 int ret;
1229 struct dom_sid_buf tmp;
1230 fstring key_str;
1231 uint32_t rid;
1232
1233 if (!cache->tdb) {
1234 return NT_STATUS_INTERNAL_DB_ERROR;
1235 }
1236
1237 if (is_null_sid(sid)) {
1238 return NT_STATUS_INVALID_SID;
1239 }
1240
1241 if (!(sid_peek_rid(sid, &rid)) || (rid == 0)) {
1242 return NT_STATUS_INVALID_SID;
1243 }
1244
1245 fstr_sprintf(key_str, "CRED/%s", dom_sid_str_buf(sid, &tmp));
1246
1247 ret = tdb_exists(cache->tdb, string_tdb_data(key_str));
1248 if (ret != 1) {
1249 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1250 }
1251
1252 return NT_STATUS_OK;
1253 }
1254
1255 /* Lookup creds for a SID - copes with old (unsalted) creds as well
1256 as new salted ones. */
1257
1258 NTSTATUS wcache_get_creds(struct winbindd_domain *domain,
1259 TALLOC_CTX *mem_ctx,
1260 const struct dom_sid *sid,
1261 const uint8_t **cached_nt_pass,
1262 const uint8_t **cached_salt)
1263 {
1264 struct winbind_cache *cache = get_cache(domain);
1265 struct cache_entry *centry = NULL;
1266 NTSTATUS status;
1267 uint32_t rid;
1268 struct dom_sid_buf sidstr;
1269
1270 if (!cache->tdb) {
1271 return NT_STATUS_INTERNAL_DB_ERROR;
1272 }
1273
1274 if (is_null_sid(sid)) {
1275 return NT_STATUS_INVALID_SID;
1276 }
1277
1278 if (!(sid_peek_rid(sid, &rid)) || (rid == 0)) {
1279 return NT_STATUS_INVALID_SID;
1280 }
1281
1282 /* Try and get a salted cred first. If we can't
1283 fall back to an unsalted cred. */
1284
1285 centry = wcache_fetch(cache, domain, "CRED/%s",
1286 dom_sid_str_buf(sid, &sidstr));
1287 if (!centry) {
1288 DEBUG(10,("wcache_get_creds: entry for [CRED/%s] not found\n",
1289 dom_sid_str_buf(sid, &sidstr)));
1290 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1291 }
1292
1293 /*
1294 * We don't use the time element at this moment,
1295 * but we have to consume it, so that we don't
1296 * neet to change the disk format of the cache.
1297 */
1298 (void)centry_time(centry);
1299
1300 /* In the salted case this isn't actually the nt_hash itself,
1301 but the MD5 of the salt + nt_hash. Let the caller
1302 sort this out. It can tell as we only return the cached_salt
1303 if we are returning a salted cred. */
1304
1305 *cached_nt_pass = (const uint8_t *)centry_hash16(centry, mem_ctx);
1306 if (*cached_nt_pass == NULL) {
1307
1308 dom_sid_str_buf(sid, &sidstr);
1309
1310 /* Bad (old) cred cache. Delete and pretend we
1311 don't have it. */
1312 DEBUG(0,("wcache_get_creds: bad entry for [CRED/%s] - deleting\n",
1313 sidstr.buf));
1314 wcache_delete("CRED/%s", sidstr.buf);
1315 centry_free(centry);
1316 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1317 }
1318
1319 /* We only have 17 bytes more data in the salted cred case. */
1320 if (centry->len - centry->ofs == 17) {
1321 *cached_salt = (const uint8_t *)centry_hash16(centry, mem_ctx);
1322 } else {
1323 *cached_salt = NULL;
1324 }
1325
1326 dump_data_pw("cached_nt_pass", *cached_nt_pass, NT_HASH_LEN);
1327 if (*cached_salt) {
1328 dump_data_pw("cached_salt", *cached_salt, NT_HASH_LEN);
1329 }
1330
1331 status = centry->status;
1332
1333 DEBUG(10,("wcache_get_creds: [Cached] - cached creds for user %s status: %s\n",
1334 dom_sid_str_buf(sid, &sidstr),
1335 nt_errstr(status) ));
1336
1337 centry_free(centry);
1338 return status;
1339 }
1340
1341 /* Store creds for a SID - only writes out new salted ones. */
1342
1343 NTSTATUS wcache_save_creds(struct winbindd_domain *domain,
1344 const struct dom_sid *sid,
1345 const uint8_t nt_pass[NT_HASH_LEN])
1346 {
1347 struct cache_entry *centry;
1348 struct dom_sid_buf sid_str;
1349 uint32_t rid;
1350 uint8_t cred_salt[NT_HASH_LEN];
1351 uint8_t salted_hash[NT_HASH_LEN];
1352 gnutls_hash_hd_t hash_hnd = NULL;
1353 int rc;
1354
1355 if (is_null_sid(sid)) {
1356 return NT_STATUS_INVALID_SID;
1357 }
1358
1359 if (!(sid_peek_rid(sid, &rid)) || (rid == 0)) {
1360 return NT_STATUS_INVALID_SID;
1361 }
1362
1363 centry = centry_start(domain, NT_STATUS_OK);
1364 if (!centry) {
1365 return NT_STATUS_INTERNAL_DB_ERROR;
1366 }
1367
1368 dump_data_pw("nt_pass", nt_pass, NT_HASH_LEN);
1369
1370 centry_put_time(centry, time(NULL));
1371
1372 /* Create a salt and then salt the hash. */
1373 generate_random_buffer(cred_salt, NT_HASH_LEN);
1374
1375 rc = gnutls_hash_init(&hash_hnd, GNUTLS_DIG_MD5);
1376 if (rc < 0) {
1377 centry_free(centry);
1378 return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
1379 }
1380
1381 rc = gnutls_hash(hash_hnd, cred_salt, 16);
1382 if (rc < 0) {
1383 gnutls_hash_deinit(hash_hnd, NULL);
1384 centry_free(centry);
1385 return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
1386 }
1387 rc = gnutls_hash(hash_hnd, nt_pass, 16);
1388 if (rc < 0) {
1389 gnutls_hash_deinit(hash_hnd, NULL);
1390 centry_free(centry);
1391 return gnutls_error_to_ntstatus(rc, NT_STATUS_HASH_NOT_SUPPORTED);
1392 }
1393 gnutls_hash_deinit(hash_hnd, salted_hash);
1394
1395 centry_put_hash16(centry, salted_hash);
1396 centry_put_hash16(centry, cred_salt);
1397 centry_end(centry, "CRED/%s", dom_sid_str_buf(sid, &sid_str));
1398
1399 DEBUG(10,("wcache_save_creds: %s\n", sid_str.buf));
1400
1401 centry_free(centry);
1402
1403 return NT_STATUS_OK;
1404 }
1405
1406
1407 /* Query display info. This is the basic user list fn */
1408 NTSTATUS wb_cache_query_user_list(struct winbindd_domain *domain,
1409 TALLOC_CTX *mem_ctx,
1410 uint32_t **prids)
1411 {
1412 struct winbind_cache *cache = get_cache(domain);
1413 struct cache_entry *centry = NULL;
1414 uint32_t num_rids = 0;
1415 uint32_t *rids = NULL;
1416 NTSTATUS status;
1417 unsigned int i, retry;
1418 bool old_status = domain->online;
1419
1420 *prids = NULL;
1421
1422 if (!cache->tdb)
1423 goto do_query;
1424
1425 centry = wcache_fetch(cache, domain, "UL/%s", domain->name);
1426 if (!centry)
1427 goto do_query;
1428
1429 do_fetch_cache:
1430 num_rids = centry_uint32(centry);
1431
1432 if (num_rids == 0) {
1433 goto do_cached;
1434 }
1435
1436 rids = talloc_array(mem_ctx, uint32_t, num_rids);
1437 if (rids == NULL) {
1438 centry_free(centry);
1439 return NT_STATUS_NO_MEMORY;
1440 }
1441
1442 for (i=0; i<num_rids; i++) {
1443 rids[i] = centry_uint32(centry);
1444 }
1445
1446 do_cached:
1447 status = centry->status;
1448
1449 DEBUG(10,("query_user_list: [Cached] - cached list for domain %s status: %s\n",
1450 domain->name, nt_errstr(status) ));
1451
1452 centry_free(centry);
1453 return status;
1454
1455 do_query:
1456
1457 /* Put the query_user_list() in a retry loop. There appears to be
1458 * some bug either with Windows 2000 or Samba's handling of large
1459 * rpc replies. This manifests itself as sudden disconnection
1460 * at a random point in the enumeration of a large (60k) user list.
1461 * The retry loop simply tries the operation again. )-: It's not
1462 * pretty but an acceptable workaround until we work out what the
1463 * real problem is. */
1464
1465 retry = 0;
1466 do {
1467
1468 DEBUG(10,("query_user_list: [Cached] - doing backend query for list for domain %s\n",
1469 domain->name ));
1470
1471 rids = NULL;
1472 status = domain->backend->query_user_list(domain, mem_ctx,
1473 &rids);
1474 num_rids = talloc_array_length(rids);
1475
1476 if (!NT_STATUS_IS_OK(status)) {
1477 DEBUG(3, ("query_user_list: returned 0x%08x, "
1478 "retrying\n", NT_STATUS_V(status)));
1479 }
1480 if (NT_STATUS_EQUAL(status, NT_STATUS_UNSUCCESSFUL)) {
1481 DEBUG(3, ("query_user_list: flushing "
1482 "connection cache\n"));
1483 invalidate_cm_connection(domain);
1484 }
1485 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
1486 NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1487 if (!domain->internal && old_status) {
1488 set_domain_offline(domain);
1489 }
1490 /* store partial response. */
1491 if (num_rids > 0) {
1492 /*
1493 * humm, what about the status used for cache?
1494 * Should it be NT_STATUS_OK?
1495 */
1496 break;
1497 }
1498 /*
1499 * domain is offline now, and there is no user entries,
1500 * try to fetch from cache again.
1501 */
1502 if (cache->tdb && !domain->online && !domain->internal && old_status) {
1503 centry = wcache_fetch(cache, domain, "UL/%s", domain->name);
1504 /* partial response... */
1505 if (!centry) {
1506 goto skip_save;
1507 } else {
1508 goto do_fetch_cache;
1509 }
1510 } else {
1511 goto skip_save;
1512 }
1513 }
1514
1515 } while (NT_STATUS_V(status) == NT_STATUS_V(NT_STATUS_UNSUCCESSFUL) &&
1516 (retry++ < 5));
1517
1518 /* and save it */
1519 refresh_sequence_number(domain);
1520 if (!NT_STATUS_IS_OK(status)) {
1521 return status;
1522 }
1523 centry = centry_start(domain, status);
1524 if (!centry)
1525 goto skip_save;
1526 centry_put_uint32(centry, num_rids);
1527 for (i=0; i<num_rids; i++) {
1528 centry_put_uint32(centry, rids[i]);
1529 }
1530 centry_end(centry, "UL/%s", domain->name);
1531 centry_free(centry);
1532
1533 *prids = rids;
1534
1535 skip_save:
1536 return status;
1537 }
1538
1539 /* list all domain groups */
1540 NTSTATUS wb_cache_enum_dom_groups(struct winbindd_domain *domain,
1541 TALLOC_CTX *mem_ctx,
1542 uint32_t *num_entries,
1543 struct wb_acct_info **info)
1544 {
1545 struct winbind_cache *cache = get_cache(domain);
1546 struct cache_entry *centry = NULL;
1547 NTSTATUS status;
1548 unsigned int i;
1549 bool old_status;
1550
1551 old_status = domain->online;
1552 if (!cache->tdb)
1553 goto do_query;
1554
1555 centry = wcache_fetch(cache, domain, "GL/%s/domain", domain->name);
1556 if (!centry)
1557 goto do_query;
1558
1559 do_fetch_cache:
1560 *num_entries = centry_uint32(centry);
1561
1562 if (*num_entries == 0)
1563 goto do_cached;
1564
1565 (*info) = talloc_array(mem_ctx, struct wb_acct_info, *num_entries);
1566 if (! (*info)) {
1567 smb_panic_fn("enum_dom_groups out of memory");
1568 }
1569 for (i=0; i<(*num_entries); i++) {
1570 (*info)[i].acct_name = centry_string(centry, (*info));
1571 (*info)[i].acct_desc = centry_string(centry, (*info));
1572 (*info)[i].rid = centry_uint32(centry);
1573 }
1574
1575 do_cached:
1576 status = centry->status;
1577
1578 DEBUG(10,("enum_dom_groups: [Cached] - cached list for domain %s status: %s\n",
1579 domain->name, nt_errstr(status) ));
1580
1581 centry_free(centry);
1582 return status;
1583
1584 do_query:
1585 *num_entries = 0;
1586 *info = NULL;
1587
1588 DEBUG(10,("enum_dom_groups: [Cached] - doing backend query for list for domain %s\n",
1589 domain->name ));
1590
1591 status = domain->backend->enum_dom_groups(domain, mem_ctx, num_entries, info);
1592
1593 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
1594 NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1595 if (!domain->internal && old_status) {
1596 set_domain_offline(domain);
1597 }
1598 if (cache->tdb &&
1599 !domain->online &&
1600 !domain->internal &&
1601 old_status) {
1602 centry = wcache_fetch(cache, domain, "GL/%s/domain", domain->name);
1603 if (centry) {
1604 goto do_fetch_cache;
1605 }
1606 }
1607 }
1608 /* and save it */
1609 refresh_sequence_number(domain);
1610 if (!NT_STATUS_IS_OK(status)) {
1611 return status;
1612 }
1613 centry = centry_start(domain, status);
1614 if (!centry)
1615 goto skip_save;
1616 centry_put_uint32(centry, *num_entries);
1617 for (i=0; i<(*num_entries); i++) {
1618 centry_put_string(centry, (*info)[i].acct_name);
1619 centry_put_string(centry, (*info)[i].acct_desc);
1620 centry_put_uint32(centry, (*info)[i].rid);
1621 }
1622 centry_end(centry, "GL/%s/domain", domain->name);
1623 centry_free(centry);
1624
1625 skip_save:
1626 return status;
1627 }
1628
1629 /* list all domain groups */
1630 NTSTATUS wb_cache_enum_local_groups(struct winbindd_domain *domain,
1631 TALLOC_CTX *mem_ctx,
1632 uint32_t *num_entries,
1633 struct wb_acct_info **info)
1634 {
1635 struct winbind_cache *cache = get_cache(domain);
1636 struct cache_entry *centry = NULL;
1637 NTSTATUS status;
1638 unsigned int i;
1639 bool old_status;
1640
1641 old_status = domain->online;
1642 if (!cache->tdb)
1643 goto do_query;
1644
1645 centry = wcache_fetch(cache, domain, "GL/%s/local", domain->name);
1646 if (!centry)
1647 goto do_query;
1648
1649 do_fetch_cache:
1650 *num_entries = centry_uint32(centry);
1651
1652 if (*num_entries == 0)
1653 goto do_cached;
1654
1655 (*info) = talloc_array(mem_ctx, struct wb_acct_info, *num_entries);
1656 if (! (*info)) {
1657 smb_panic_fn("enum_dom_groups out of memory");
1658 }
1659 for (i=0; i<(*num_entries); i++) {
1660 (*info)[i].acct_name = centry_string(centry, (*info));
1661 (*info)[i].acct_desc = centry_string(centry, (*info));
1662 (*info)[i].rid = centry_uint32(centry);
1663 }
1664
1665 do_cached:
1666
1667 /* If we are returning cached data and the domain controller
1668 is down then we don't know whether the data is up to date
1669 or not. Return NT_STATUS_MORE_PROCESSING_REQUIRED to
1670 indicate this. */
1671
1672 if (wcache_server_down(domain)) {
1673 DEBUG(10, ("enum_local_groups: returning cached user list and server was down\n"));
1674 status = NT_STATUS_MORE_PROCESSING_REQUIRED;
1675 } else
1676 status = centry->status;
1677
1678 DEBUG(10,("enum_local_groups: [Cached] - cached list for domain %s status: %s\n",
1679 domain->name, nt_errstr(status) ));
1680
1681 centry_free(centry);
1682 return status;
1683
1684 do_query:
1685 *num_entries = 0;
1686 *info = NULL;
1687
1688 DEBUG(10,("enum_local_groups: [Cached] - doing backend query for list for domain %s\n",
1689 domain->name ));
1690
1691 status = domain->backend->enum_local_groups(domain, mem_ctx, num_entries, info);
1692
1693 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
1694 NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1695 if (!domain->internal && old_status) {
1696 set_domain_offline(domain);
1697 }
1698 if (cache->tdb &&
1699 !domain->internal &&
1700 !domain->online &&
1701 old_status) {
1702 centry = wcache_fetch(cache, domain, "GL/%s/local", domain->name);
1703 if (centry) {
1704 goto do_fetch_cache;
1705 }
1706 }
1707 }
1708 /* and save it */
1709 refresh_sequence_number(domain);
1710 if (!NT_STATUS_IS_OK(status)) {
1711 return status;
1712 }
1713 centry = centry_start(domain, status);
1714 if (!centry)
1715 goto skip_save;
1716 centry_put_uint32(centry, *num_entries);
1717 for (i=0; i<(*num_entries); i++) {
1718 centry_put_string(centry, (*info)[i].acct_name);
1719 centry_put_string(centry, (*info)[i].acct_desc);
1720 centry_put_uint32(centry, (*info)[i].rid);
1721 }
1722 centry_end(centry, "GL/%s/local", domain->name);
1723 centry_free(centry);
1724
1725 skip_save:
1726 return status;
1727 }
1728
1729 struct wcache_name_to_sid_state {
1730 struct dom_sid *sid;
1731 enum lsa_SidType *type;
1732 bool offline;
1733 bool found;
1734 };
1735
1736 static void wcache_name_to_sid_fn(const struct dom_sid *sid,
1737 enum lsa_SidType type,
1738 bool expired,
1739 void *private_data)
1740 {
1741 struct wcache_name_to_sid_state *state = private_data;
1742
1743 *state->sid = *sid;
1744 *state->type = type;
1745 state->found = (!expired || state->offline);
1746 }
1747
1748 static NTSTATUS wcache_name_to_sid(struct winbindd_domain *domain,
1749 const char *domain_name,
1750 const char *name,
1751 struct dom_sid *sid,
1752 enum lsa_SidType *type)
1753 {
1754 struct wcache_name_to_sid_state state = {
1755 .sid = sid, .type = type, .found = false,
1756 .offline = is_domain_offline(domain),
1757 };
1758 bool ok;
1759
1760 ok = namemap_cache_find_name(domain_name, name, wcache_name_to_sid_fn,
1761 &state);
1762 if (!ok) {
1763 DBG_DEBUG("namemap_cache_find_name failed\n");
1764 return NT_STATUS_NOT_FOUND;
1765 }
1766 if (!state.found) {
1767 DBG_DEBUG("cache entry not found\n");
1768 return NT_STATUS_NOT_FOUND;
1769 }
1770 if (*type == SID_NAME_UNKNOWN) {
1771 return NT_STATUS_NONE_MAPPED;
1772 }
1773
1774 return NT_STATUS_OK;
1775 }
1776
1777 /* convert a single name to a sid in a domain */
1778 NTSTATUS wb_cache_name_to_sid(struct winbindd_domain *domain,
1779 TALLOC_CTX *mem_ctx,
1780 const char *domain_name,
1781 const char *name,
1782 uint32_t flags,
1783 struct dom_sid *sid,
1784 enum lsa_SidType *type)
1785 {
1786 NTSTATUS status;
1787 bool old_status;
1788 const char *dom_name;
1789
1790 old_status = domain->online;
1791
1792 status = wcache_name_to_sid(domain, domain_name, name, sid, type);
1793 if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
1794 return status;
1795 }
1796
1797 ZERO_STRUCTP(sid);
1798
1799 DEBUG(10,("name_to_sid: [Cached] - doing backend query for name for domain %s\n",
1800 domain->name ));
1801
1802 winbindd_domain_init_backend(domain);
1803 status = domain->backend->name_to_sid(domain, mem_ctx, domain_name,
1804 name, flags, &dom_name, sid, type);
1805
1806 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
1807 NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1808 if (!domain->internal && old_status) {
1809 set_domain_offline(domain);
1810 }
1811 if (!domain->internal &&
1812 !domain->online &&
1813 old_status) {
1814 NTSTATUS cache_status;
1815 cache_status = wcache_name_to_sid(domain, domain_name, name, sid, type);
1816 return cache_status;
1817 }
1818 }
1819 /* and save it */
1820
1821 if (domain->online &&
1822 (NT_STATUS_IS_OK(status) || NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED))) {
1823 enum lsa_SidType save_type = *type;
1824
1825 if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
1826 save_type = SID_NAME_UNKNOWN;
1827 }
1828
1829 wcache_save_name_to_sid(domain, status, domain_name, name, sid,
1830 save_type);
1831
1832 /* Only save the reverse mapping if this was not a UPN */
1833 if (!strchr(name, '@')) {
1834 if (!strupper_m(discard_const_p(char, domain_name))) {
1835 return NT_STATUS_INVALID_PARAMETER;
1836 }
1837 (void)strlower_m(discard_const_p(char, name));
1838 wcache_save_sid_to_name(domain, status, sid,
1839 dom_name, name, save_type);
1840 }
1841 }
1842
1843 return status;
1844 }
1845
1846 struct wcache_sid_to_name_state {
1847 TALLOC_CTX *mem_ctx;
1848 char **domain_name;
1849 char **name;
1850 enum lsa_SidType *type;
1851 bool offline;
1852 bool found;
1853 };
1854
1855 static void wcache_sid_to_name_fn(const char *domain,
1856 const char *name,
1857 enum lsa_SidType type,
1858 bool expired,
1859 void *private_data)
1860 {
1861 struct wcache_sid_to_name_state *state = private_data;
1862
1863 *state->domain_name = talloc_strdup(state->mem_ctx, domain);
1864 if (*state->domain_name == NULL) {
1865 return;
1866 }
1867 *state->name = talloc_strdup(state->mem_ctx, name);
1868 if (*state->name == NULL) {
1869 return;
1870 }
1871 *state->type = type;
1872 state->found = (!expired || state->offline);
1873 }
1874
1875 static NTSTATUS wcache_sid_to_name(struct winbindd_domain *domain,
1876 const struct dom_sid *sid,
1877 TALLOC_CTX *mem_ctx,
1878 char **domain_name,
1879 char **name,
1880 enum lsa_SidType *type)
1881 {
1882 struct wcache_sid_to_name_state state = {
1883 .mem_ctx = mem_ctx, .found = false,
1884 .domain_name = domain_name, .name = name, .type = type,
1885 .offline = is_domain_offline(domain)
1886 };
1887 bool ok;
1888
1889 ok = namemap_cache_find_sid(sid, wcache_sid_to_name_fn, &state);
1890 if (!ok) {
1891 DBG_DEBUG("namemap_cache_find_name failed\n");
1892 return NT_STATUS_NOT_FOUND;
1893 }
1894 if (!state.found) {
1895 DBG_DEBUG("cache entry not found\n");
1896 return NT_STATUS_NOT_FOUND;
1897 }
1898 if (*type == SID_NAME_UNKNOWN) {
1899 return NT_STATUS_NONE_MAPPED;
1900 }
1901
1902 return NT_STATUS_OK;
1903 }
1904
1905 /* convert a sid to a user or group name. The sid is guaranteed to be in the domain
1906 given */
1907 NTSTATUS wb_cache_sid_to_name(struct winbindd_domain *domain,
1908 TALLOC_CTX *mem_ctx,
1909 const struct dom_sid *sid,
1910 char **domain_name,
1911 char **name,
1912 enum lsa_SidType *type)
1913 {
1914 NTSTATUS status;
1915 bool old_status;
1916
1917 old_status = domain->online;
1918 status = wcache_sid_to_name(domain, sid, mem_ctx, domain_name, name,
1919 type);
1920 if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
1921 return status;
1922 }
1923
1924 *name = NULL;
1925 *domain_name = NULL;
1926
1927 DEBUG(10,("sid_to_name: [Cached] - doing backend query for name for domain %s\n",
1928 domain->name ));
1929
1930 winbindd_domain_init_backend(domain);
1931
1932 status = domain->backend->sid_to_name(domain, mem_ctx, sid, domain_name, name, type);
1933
1934 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
1935 NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
1936 if (!domain->internal && old_status) {
1937 set_domain_offline(domain);
1938 }
1939 if (!domain->internal &&
1940 !domain->online &&
1941 old_status) {
1942 NTSTATUS cache_status;
1943 cache_status = wcache_sid_to_name(domain, sid, mem_ctx,
1944 domain_name, name, type);
1945 return cache_status;
1946 }
1947 }
1948 /* and save it */
1949 if (!NT_STATUS_IS_OK(status)) {
1950 return status;
1951 }
1952 wcache_save_sid_to_name(domain, status, sid, *domain_name, *name, *type);
1953
1954 /* We can't save the name to sid mapping here, as with sid history a
1955 * later name2sid would give the wrong sid. */
1956
1957 return status;
1958 }
1959
1960 NTSTATUS wb_cache_rids_to_names(struct winbindd_domain *domain,
1961 TALLOC_CTX *mem_ctx,
1962 const struct dom_sid *domain_sid,
1963 uint32_t *rids,
1964 size_t num_rids,
1965 char **domain_name,
1966 char ***names,
1967 enum lsa_SidType **types)
1968 {
1969 struct winbind_cache *cache = get_cache(domain);
1970 size_t i;
1971 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
1972 bool have_mapped;
1973 bool have_unmapped;
1974 bool old_status;
1975
1976 old_status = domain->online;
1977 *domain_name = NULL;
1978 *names = NULL;
1979 *types = NULL;
1980
1981 if (!cache->tdb) {
1982 goto do_query;
1983 }
1984
1985 if (num_rids == 0) {
1986 return NT_STATUS_OK;
1987 }
1988
1989 *names = talloc_array(mem_ctx, char *, num_rids);
1990 *types = talloc_array(mem_ctx, enum lsa_SidType, num_rids);
1991
1992 if ((*names == NULL) || (*types == NULL)) {
1993 result = NT_STATUS_NO_MEMORY;
1994 goto error;
1995 }
1996
1997 have_mapped = have_unmapped = false;
1998
1999 for (i=0; i<num_rids; i++) {
2000 struct dom_sid sid;
2001 NTSTATUS status;
2002 enum lsa_SidType type;
2003 char *dom, *name;
2004
2005 if (!sid_compose(&sid, domain_sid, rids[i])) {
2006 result = NT_STATUS_INTERNAL_ERROR;
2007 goto error;
2008 }
2009
2010 status = wcache_sid_to_name(domain, &sid, *names, &dom,
2011 &name, &type);
2012
2013 (*types)[i] = SID_NAME_UNKNOWN;
2014 (*names)[i] = talloc_strdup(*names, "");
2015
2016 if (NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
2017 /* not cached */
2018 goto do_query;
2019 }
2020
2021 if (NT_STATUS_IS_OK(status)) {
2022 have_mapped = true;
2023 (*types)[i] = type;
2024
2025 if (*domain_name == NULL) {
2026 *domain_name = dom;
2027 } else {
2028 TALLOC_FREE(dom);
2029 }
2030
2031 (*names)[i] = name;
2032
2033 } else if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
2034 have_unmapped = true;
2035 } else {
2036 /* something's definitely wrong */
2037 result = status;
2038 goto error;
2039 }
2040 }
2041
2042 if (!have_mapped) {
2043 return NT_STATUS_NONE_MAPPED;
2044 }
2045 if (!have_unmapped) {
2046 return NT_STATUS_OK;
2047 }
2048 return STATUS_SOME_UNMAPPED;
2049
2050 do_query:
2051
2052 TALLOC_FREE(*names);
2053 TALLOC_FREE(*types);
2054
2055 result = domain->backend->rids_to_names(domain, mem_ctx, domain_sid,
2056 rids, num_rids, domain_name,
2057 names, types);
2058
2059 if (NT_STATUS_EQUAL(result, NT_STATUS_IO_TIMEOUT) ||
2060 NT_STATUS_EQUAL(result, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
2061 if (!domain->internal && old_status) {
2062 set_domain_offline(domain);
2063 }
2064 if (cache->tdb &&
2065 !domain->internal &&
2066 !domain->online &&
2067 old_status) {
2068 have_mapped = have_unmapped = false;
2069
2070 *names = talloc_array(mem_ctx, char *, num_rids);
2071 if (*names == NULL) {
2072 result = NT_STATUS_NO_MEMORY;
2073 goto error;
2074 }
2075
2076 *types = talloc_array(mem_ctx, enum lsa_SidType,
2077 num_rids);
2078 if (*types == NULL) {
2079 result = NT_STATUS_NO_MEMORY;
2080 goto error;
2081 }
2082
2083 for (i=0; i<num_rids; i++) {
2084 struct dom_sid sid;
2085 NTSTATUS status;
2086 enum lsa_SidType type;
2087 char *dom, *name;
2088
2089 if (!sid_compose(&sid, domain_sid, rids[i])) {
2090 result = NT_STATUS_INTERNAL_ERROR;
2091 goto error;
2092 }
2093
2094 status = wcache_sid_to_name(domain, &sid,
2095 *names, &dom,
2096 &name, &type);
2097
2098 (*types)[i] = SID_NAME_UNKNOWN;
2099 (*names)[i] = talloc_strdup(*names, "");
2100
2101 if (NT_STATUS_IS_OK(status)) {
2102 have_mapped = true;
2103 (*types)[i] = type;
2104
2105 if (*domain_name == NULL) {
2106 *domain_name = dom;
2107 } else {
2108 TALLOC_FREE(dom);
2109 }
2110
2111 (*names)[i] = name;
2112
2113 } else if (NT_STATUS_EQUAL(
2114 status,
2115 NT_STATUS_NONE_MAPPED)) {
2116 have_unmapped = true;
2117 } else {
2118 /* something's definitely wrong */
2119 result = status;
2120 goto error;
2121 }
2122 }
2123
2124 if (!have_mapped) {
2125 return NT_STATUS_NONE_MAPPED;
2126 }
2127 if (!have_unmapped) {
2128 return NT_STATUS_OK;
2129 }
2130 return STATUS_SOME_UNMAPPED;
2131 }
2132 }
2133 /*
2134 None of the queried rids has been found so save all negative entries
2135 */
2136 if (NT_STATUS_EQUAL(result, NT_STATUS_NONE_MAPPED)) {
2137 for (i = 0; i < num_rids; i++) {
2138 struct dom_sid sid;
2139 const char *name = "";
2140 const enum lsa_SidType type = SID_NAME_UNKNOWN;
2141 NTSTATUS status = NT_STATUS_NONE_MAPPED;
2142
2143 if (!sid_compose(&sid, domain_sid, rids[i])) {
2144 return NT_STATUS_INTERNAL_ERROR;
2145 }
2146
2147 wcache_save_sid_to_name(domain, status, &sid, *domain_name,
2148 name, type);
2149 }
2150
2151 return result;
2152 }
2153
2154 /*
2155 Some or all of the queried rids have been found.
2156 */
2157 if (!NT_STATUS_IS_OK(result) &&
2158 !NT_STATUS_EQUAL(result, STATUS_SOME_UNMAPPED)) {
2159 return result;
2160 }
2161
2162 refresh_sequence_number(domain);
2163
2164 for (i=0; i<num_rids; i++) {
2165 struct dom_sid sid;
2166 NTSTATUS status;
2167
2168 if (!sid_compose(&sid, domain_sid, rids[i])) {
2169 result = NT_STATUS_INTERNAL_ERROR;
2170 goto error;
2171 }
2172
2173 status = (*types)[i] == SID_NAME_UNKNOWN ?
2174 NT_STATUS_NONE_MAPPED : NT_STATUS_OK;
2175
2176 wcache_save_sid_to_name(domain, status, &sid, *domain_name,
2177 (*names)[i], (*types)[i]);
2178 }
2179
2180 return result;
2181
2182 error:
2183 TALLOC_FREE(*names);
2184 TALLOC_FREE(*types);
2185 return result;
2186 }
2187
2188 static NTSTATUS wcache_query_user(struct winbindd_domain *domain,
2189 TALLOC_CTX *mem_ctx,
2190 const struct dom_sid *user_sid,
2191 struct wbint_userinfo *info)
2192 {
2193 struct winbind_cache *cache = get_cache(domain);
2194 struct cache_entry *centry = NULL;
2195 NTSTATUS status;
2196 struct dom_sid_buf sid_string;
2197
2198 if (cache->tdb == NULL) {
2199 return NT_STATUS_NOT_FOUND;
2200 }
2201
2202 centry = wcache_fetch(
2203 cache, domain, "U/%s", dom_sid_str_buf(user_sid, &sid_string));
2204 if (centry == NULL) {
2205 return NT_STATUS_NOT_FOUND;
2206 }
2207
2208 /* if status is not ok then this is a negative hit
2209 and the rest of the data doesn't matter */
2210 status = centry->status;
2211 if (NT_STATUS_IS_OK(status)) {
2212 info->domain_name = centry_string(centry, mem_ctx);
2213 info->acct_name = centry_string(centry, mem_ctx);
2214 info->full_name = centry_string(centry, mem_ctx);
2215 info->homedir = centry_string(centry, mem_ctx);
2216 info->shell = centry_string(centry, mem_ctx);
2217 info->uid = centry_uint32(centry);
2218 info->primary_gid = centry_uint32(centry);
2219 info->primary_group_name = centry_string(centry, mem_ctx);
2220 centry_sid(centry, &info->user_sid);
2221 centry_sid(centry, &info->group_sid);
2222 }
2223
2224 DEBUG(10,("query_user: [Cached] - cached info for domain %s status: "
2225 "%s\n", domain->name, nt_errstr(status) ));
2226
2227 centry_free(centry);
2228 return status;
2229 }
2230
2231
2232 /**
2233 * @brief Query a fullname from the username cache (for further gecos processing)
2234 *
2235 * @param domain A pointer to the winbindd_domain struct.
2236 * @param mem_ctx The talloc context.
2237 * @param user_sid The user sid.
2238 * @param full_name A pointer to the full_name string.
2239 *
2240 * @return NTSTATUS code
2241 */
2242 NTSTATUS wcache_query_user_fullname(struct winbindd_domain *domain,
2243 TALLOC_CTX *mem_ctx,
2244 const struct dom_sid *user_sid,
2245 const char **full_name)
2246 {
2247 NTSTATUS status;
2248 struct wbint_userinfo info;
2249
2250 status = wcache_query_user(domain, mem_ctx, user_sid, &info);
2251 if (!NT_STATUS_IS_OK(status)) {
2252 return status;
2253 }
2254
2255 if (info.full_name != NULL) {
2256 *full_name = talloc_strdup(mem_ctx, info.full_name);
2257 if (*full_name == NULL) {
2258 return NT_STATUS_NO_MEMORY;
2259 }
2260 }
2261
2262 return NT_STATUS_OK;
2263 }
2264
2265 static NTSTATUS wcache_lookup_usergroups(struct winbindd_domain *domain,
2266 TALLOC_CTX *mem_ctx,
2267 const struct dom_sid *user_sid,
2268 uint32_t *pnum_sids,
2269 struct dom_sid **psids)
2270 {
2271 struct winbind_cache *cache = get_cache(domain);
2272 struct cache_entry *centry = NULL;
2273 NTSTATUS status;
2274 uint32_t i, num_sids;
2275 struct dom_sid *sids;
2276 struct dom_sid_buf sid_string;
2277
2278 if (cache->tdb == NULL) {
2279 return NT_STATUS_NOT_FOUND;
2280 }
2281
2282 centry = wcache_fetch(
2283 cache,
2284 domain,
2285 "UG/%s",
2286 dom_sid_str_buf(user_sid, &sid_string));
2287 if (centry == NULL) {
2288 return NT_STATUS_NOT_FOUND;
2289 }
2290
2291 num_sids = centry_uint32(centry);
2292 sids = talloc_array(mem_ctx, struct dom_sid, num_sids);
2293 if (sids == NULL) {
2294 centry_free(centry);
2295 return NT_STATUS_NO_MEMORY;
2296 }
2297
2298 for (i=0; i<num_sids; i++) {
2299 centry_sid(centry, &sids[i]);
2300 }
2301
2302 status = centry->status;
2303
2304 DEBUG(10,("lookup_usergroups: [Cached] - cached info for domain %s "
2305 "status: %s\n", domain->name, nt_errstr(status)));
2306
2307 centry_free(centry);
2308
2309 *pnum_sids = num_sids;
2310 *psids = sids;
2311 return status;
2312 }
2313
2314 /* Lookup groups a user is a member of. */
2315 NTSTATUS wb_cache_lookup_usergroups(struct winbindd_domain *domain,
2316 TALLOC_CTX *mem_ctx,
2317 const struct dom_sid *user_sid,
2318 uint32_t *num_groups,
2319 struct dom_sid **user_gids)
2320 {
2321 struct cache_entry *centry = NULL;
2322 NTSTATUS status;
2323 unsigned int i;
2324 struct dom_sid_buf sid_string;
2325 bool old_status;
2326
2327 old_status = domain->online;
2328 status = wcache_lookup_usergroups(domain, mem_ctx, user_sid,
2329 num_groups, user_gids);
2330 if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
2331 return status;
2332 }
2333
2334 (*num_groups) = 0;
2335 (*user_gids) = NULL;
2336
2337 DEBUG(10,("lookup_usergroups: [Cached] - doing backend query for info for domain %s\n",
2338 domain->name ));
2339
2340 status = domain->backend->lookup_usergroups(domain, mem_ctx, user_sid, num_groups, user_gids);
2341
2342 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
2343 NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
2344 if (!domain->internal && old_status) {
2345 set_domain_offline(domain);
2346 }
2347 if (!domain->internal &&
2348 !domain->online &&
2349 old_status) {
2350 NTSTATUS cache_status;
2351 cache_status = wcache_lookup_usergroups(domain, mem_ctx, user_sid,
2352 num_groups, user_gids);
2353 return cache_status;
2354 }
2355 }
2356 if ( NT_STATUS_EQUAL(status, NT_STATUS_SYNCHRONIZATION_REQUIRED) )
2357 goto skip_save;
2358
2359 /* and save it */
2360 refresh_sequence_number(domain);
2361 if (!NT_STATUS_IS_OK(status)) {
2362 return status;
2363 }
2364 centry = centry_start(domain, status);
2365 if (!centry)
2366 goto skip_save;
2367
2368 centry_put_uint32(centry, *num_groups);
2369 for (i=0; i<(*num_groups); i++) {
2370 centry_put_sid(centry, &(*user_gids)[i]);
2371 }
2372
2373 centry_end(centry, "UG/%s", dom_sid_str_buf(user_sid, &sid_string));
2374 centry_free(centry);
2375
2376 skip_save:
2377 return status;
2378 }
2379
2380 static char *wcache_make_sidlist(TALLOC_CTX *mem_ctx, uint32_t num_sids,
2381 const struct dom_sid *sids)
2382 {
2383 uint32_t i;
2384 char *sidlist;
2385
2386 sidlist = talloc_strdup(mem_ctx, "");
2387 if (sidlist == NULL) {
2388 return NULL;
2389 }
2390 for (i=0; i<num_sids; i++) {
2391 struct dom_sid_buf tmp;
2392 sidlist = talloc_asprintf_append_buffer(
2393 sidlist,
2394 "/%s",
2395 dom_sid_str_buf(&sids[i], &tmp));
2396 if (sidlist == NULL) {
2397 return NULL;
2398 }
2399 }
2400 return sidlist;
2401 }
2402
2403 static NTSTATUS wcache_lookup_useraliases(struct winbindd_domain *domain,
2404 TALLOC_CTX *mem_ctx,
2405 uint32_t num_sids,
2406 const struct dom_sid *sids,
2407 uint32_t *pnum_aliases,
2408 uint32_t **paliases)
2409 {
2410 struct winbind_cache *cache = get_cache(domain);
2411 struct cache_entry *centry = NULL;
2412 uint32_t i, num_aliases;
2413 uint32_t *aliases;
2414 NTSTATUS status;
2415 char *sidlist;
2416
2417 if (cache->tdb == NULL) {
2418 return NT_STATUS_NOT_FOUND;
2419 }
2420
2421 if (num_sids == 0) {
2422 *pnum_aliases = 0;
2423 *paliases = NULL;
2424 return NT_STATUS_OK;
2425 }
2426
2427 /* We need to cache indexed by the whole list of SIDs, the aliases
2428 * resulting might come from any of the SIDs. */
2429
2430 sidlist = wcache_make_sidlist(talloc_tos(), num_sids, sids);
2431 if (sidlist == NULL) {
2432 return NT_STATUS_NO_MEMORY;
2433 }
2434
2435 centry = wcache_fetch(cache, domain, "UA%s", sidlist);
2436 TALLOC_FREE(sidlist);
2437 if (centry == NULL) {
2438 return NT_STATUS_NOT_FOUND;
2439 }
2440
2441 num_aliases = centry_uint32(centry);
2442 aliases = talloc_array(mem_ctx, uint32_t, num_aliases);
2443 if (aliases == NULL) {
2444 centry_free(centry);
2445 return NT_STATUS_NO_MEMORY;
2446 }
2447
2448 for (i=0; i<num_aliases; i++) {
2449 aliases[i] = centry_uint32(centry);
2450 }
2451
2452 status = centry->status;
2453
2454 DEBUG(10,("lookup_useraliases: [Cached] - cached info for domain: %s "
2455 "status %s\n", domain->name, nt_errstr(status)));
2456
2457 centry_free(centry);
2458
2459 *pnum_aliases = num_aliases;
2460 *paliases = aliases;
2461
2462 return status;
2463 }
2464
2465 NTSTATUS wb_cache_lookup_useraliases(struct winbindd_domain *domain,
2466 TALLOC_CTX *mem_ctx,
2467 uint32_t num_sids,
2468 const struct dom_sid *sids,
2469 uint32_t *num_aliases,
2470 uint32_t **alias_rids)
2471 {
2472 struct cache_entry *centry = NULL;
2473 NTSTATUS status;
2474 char *sidlist;
2475 uint32_t i;
2476 bool old_status;
2477
2478 old_status = domain->online;
2479 status = wcache_lookup_useraliases(domain, mem_ctx, num_sids, sids,
2480 num_aliases, alias_rids);
2481 if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
2482 return status;
2483 }
2484
2485 (*num_aliases) = 0;
2486 (*alias_rids) = NULL;
2487
2488 DEBUG(10,("lookup_usergroups: [Cached] - doing backend query for info "
2489 "for domain %s\n", domain->name ));
2490
2491 sidlist = wcache_make_sidlist(talloc_tos(), num_sids, sids);
2492 if (sidlist == NULL) {
2493 return NT_STATUS_NO_MEMORY;
2494 }
2495
2496 status = domain->backend->lookup_useraliases(domain, mem_ctx,
2497 num_sids, sids,
2498 num_aliases, alias_rids);
2499
2500 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
2501 NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
2502 if (!domain->internal && old_status) {
2503 set_domain_offline(domain);
2504 }
2505 if (!domain->internal &&
2506 !domain->online &&
2507 old_status) {
2508 NTSTATUS cache_status;
2509 cache_status = wcache_lookup_useraliases(domain, mem_ctx, num_sids,
2510 sids, num_aliases, alias_rids);
2511 return cache_status;
2512 }
2513 }
2514 /* and save it */
2515 refresh_sequence_number(domain);
2516 if (!NT_STATUS_IS_OK(status)) {
2517 return status;
2518 }
2519 centry = centry_start(domain, status);
2520 if (!centry)
2521 goto skip_save;
2522 centry_put_uint32(centry, *num_aliases);
2523 for (i=0; i<(*num_aliases); i++)
2524 centry_put_uint32(centry, (*alias_rids)[i]);
2525 centry_end(centry, "UA%s", sidlist);
2526 centry_free(centry);
2527
2528 skip_save:
2529 return status;
2530 }
2531
2532 static NTSTATUS wcache_lookup_groupmem(struct winbindd_domain *domain,
2533 TALLOC_CTX *mem_ctx,
2534 const struct dom_sid *group_sid,
2535 uint32_t *num_names,
2536 struct dom_sid **sid_mem, char ***names,
2537 uint32_t **name_types)
2538 {
2539 struct winbind_cache *cache = get_cache(domain);
2540 struct cache_entry *centry = NULL;
2541 NTSTATUS status;
2542 unsigned int i;
2543 struct dom_sid_buf sid_string;
2544
2545 if (cache->tdb == NULL) {
2546 return NT_STATUS_NOT_FOUND;
2547 }
2548
2549 centry = wcache_fetch(
2550 cache,
2551 domain,
2552 "GM/%s",
2553 dom_sid_str_buf(group_sid, &sid_string));
2554 if (centry == NULL) {
2555 return NT_STATUS_NOT_FOUND;
2556 }
2557
2558 *sid_mem = NULL;
2559 *names = NULL;
2560 *name_types = NULL;
2561
2562 *num_names = centry_uint32(centry);
2563 if (*num_names == 0) {
2564 centry_free(centry);
2565 return NT_STATUS_OK;
2566 }
2567
2568 *sid_mem = talloc_array(mem_ctx, struct dom_sid, *num_names);
2569 *names = talloc_array(mem_ctx, char *, *num_names);
2570 *name_types = talloc_array(mem_ctx, uint32_t, *num_names);
2571
2572 if ((*sid_mem == NULL) || (*names == NULL) || (*name_types == NULL)) {
2573 TALLOC_FREE(*sid_mem);
2574 TALLOC_FREE(*names);
2575 TALLOC_FREE(*name_types);
2576 centry_free(centry);
2577 return NT_STATUS_NO_MEMORY;
2578 }
2579
2580 for (i=0; i<(*num_names); i++) {
2581 centry_sid(centry, &(*sid_mem)[i]);
2582 (*names)[i] = centry_string(centry, mem_ctx);
2583 (*name_types)[i] = centry_uint32(centry);
2584 }
2585
2586 status = centry->status;
2587
2588 DEBUG(10,("lookup_groupmem: [Cached] - cached info for domain %s "
2589 "status: %s\n", domain->name, nt_errstr(status)));
2590
2591 centry_free(centry);
2592 return status;
2593 }
2594
2595 NTSTATUS wb_cache_lookup_groupmem(struct winbindd_domain *domain,
2596 TALLOC_CTX *mem_ctx,
2597 const struct dom_sid *group_sid,
2598 enum lsa_SidType type,
2599 uint32_t *num_names,
2600 struct dom_sid **sid_mem,
2601 char ***names,
2602 uint32_t **name_types)
2603 {
2604 struct cache_entry *centry = NULL;
2605 NTSTATUS status;
2606 unsigned int i;
2607 struct dom_sid_buf sid_string;
2608 bool old_status;
2609
2610 old_status = domain->online;
2611 status = wcache_lookup_groupmem(domain, mem_ctx, group_sid, num_names,
2612 sid_mem, names, name_types);
2613 if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
2614 return status;
2615 }
2616
2617 (*num_names) = 0;
2618 (*sid_mem) = NULL;
2619 (*names) = NULL;
2620 (*name_types) = NULL;
2621
2622 DEBUG(10,("lookup_groupmem: [Cached] - doing backend query for info for domain %s\n",
2623 domain->name ));
2624
2625 status = domain->backend->lookup_groupmem(domain, mem_ctx, group_sid,
2626 type, num_names,
2627 sid_mem, names, name_types);
2628
2629 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
2630 NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
2631 if (!domain->internal && old_status) {
2632 set_domain_offline(domain);
2633 }
2634 if (!domain->internal &&
2635 !domain->online &&
2636 old_status) {
2637 NTSTATUS cache_status;
2638 cache_status = wcache_lookup_groupmem(domain, mem_ctx, group_sid,
2639 num_names, sid_mem, names,
2640 name_types);
2641 return cache_status;
2642 }
2643 }
2644 /* and save it */
2645 refresh_sequence_number(domain);
2646 if (!NT_STATUS_IS_OK(status)) {
2647 return status;
2648 }
2649 centry = centry_start(domain, status);
2650 if (!centry)
2651 goto skip_save;
2652 centry_put_uint32(centry, *num_names);
2653 for (i=0; i<(*num_names); i++) {
2654 centry_put_sid(centry, &(*sid_mem)[i]);
2655 centry_put_string(centry, (*names)[i]);
2656 centry_put_uint32(centry, (*name_types)[i]);
2657 }
2658 centry_end(centry,
2659 "GM/%s",
2660 dom_sid_str_buf(group_sid, &sid_string));
2661 centry_free(centry);
2662
2663 skip_save:
2664 return status;
2665 }
2666
2667 /* find the sequence number for a domain */
2668 NTSTATUS wb_cache_sequence_number(struct winbindd_domain *domain,
2669 uint32_t *seq)
2670 {
2671 refresh_sequence_number(domain);
2672
2673 *seq = domain->sequence_number;
2674
2675 return NT_STATUS_OK;
2676 }
2677
2678 /* enumerate trusted domains
2679 * (we need to have the list of trustdoms in the cache when we go offline) -
2680 * Guenther */
2681 NTSTATUS wb_cache_trusted_domains(struct winbindd_domain *domain,
2682 TALLOC_CTX *mem_ctx,
2683 struct netr_DomainTrustList *trusts)
2684 {
2685 NTSTATUS status;
2686 struct winbind_cache *cache;
2687 struct winbindd_tdc_domain *dom_list = NULL;
2688 size_t num_domains = 0;
2689 bool retval = false;
2690 size_t i;
2691 bool old_status;
2692
2693 old_status = domain->online;
2694 trusts->count = 0;
2695 trusts->array = NULL;
2696
2697 cache = get_cache(domain);
2698 if (!cache || !cache->tdb) {
2699 goto do_query;
2700 }
2701
2702 if (domain->online) {
2703 goto do_query;
2704 }
2705
2706 retval = wcache_tdc_fetch_list(&dom_list, &num_domains);
2707 if (!retval || !num_domains || !dom_list) {
2708 TALLOC_FREE(dom_list);
2709 goto do_query;
2710 }
2711
2712 do_fetch_cache:
2713 trusts->array = talloc_zero_array(mem_ctx, struct netr_DomainTrust, num_domains);
2714 if (!trusts->array) {
2715 TALLOC_FREE(dom_list);
2716 return NT_STATUS_NO_MEMORY;
2717 }
2718
2719 for (i = 0; i < num_domains; i++) {
2720 struct netr_DomainTrust *trust;
2721 struct dom_sid *sid;
2722 struct winbindd_domain *dom;
2723
2724 dom = find_domain_from_name_noinit(dom_list[i].domain_name);
2725 if (dom && dom->internal) {
2726 continue;
2727 }
2728
2729 trust = &trusts->array[trusts->count];
2730 trust->netbios_name = talloc_strdup(trusts->array, dom_list[i].domain_name);
2731 trust->dns_name = talloc_strdup(trusts->array, dom_list[i].dns_name);
2732 sid = talloc(trusts->array, struct dom_sid);
2733 if (!trust->netbios_name || !trust->dns_name ||
2734 !sid) {
2735 TALLOC_FREE(dom_list);
2736 TALLOC_FREE(trusts->array);
2737 return NT_STATUS_NO_MEMORY;
2738 }
2739
2740 trust->trust_flags = dom_list[i].trust_flags;
2741 trust->trust_attributes = dom_list[i].trust_attribs;
2742 trust->trust_type = dom_list[i].trust_type;
2743 sid_copy(sid, &dom_list[i].sid);
2744 trust->sid = sid;
2745 trusts->count++;
2746 }
2747
2748 TALLOC_FREE(dom_list);
2749 return NT_STATUS_OK;
2750
2751 do_query:
2752 DEBUG(10,("trusted_domains: [Cached] - doing backend query for info for domain %s\n",
2753 domain->name ));
2754
2755 status = domain->backend->trusted_domains(domain, mem_ctx, trusts);
2756
2757 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
2758 NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
2759 if (!domain->internal && old_status) {
2760 set_domain_offline(domain);
2761 }
2762 if (!domain->internal &&
2763 !domain->online &&
2764 old_status) {
2765 retval = wcache_tdc_fetch_list(&dom_list, &num_domains);
2766 if (retval && num_domains && dom_list) {
2767 TALLOC_FREE(trusts->array);
2768 trusts->count = 0;
2769 goto do_fetch_cache;
2770 }
2771 }
2772 }
2773 /* no trusts gives NT_STATUS_NO_MORE_ENTRIES resetting to NT_STATUS_OK
2774 * so that the generic centry handling still applies correctly -
2775 * Guenther*/
2776
2777 if (!NT_STATUS_IS_ERR(status)) {
2778 status = NT_STATUS_OK;
2779 }
2780 return status;
2781 }
2782
2783 /* get lockout policy */
2784 NTSTATUS wb_cache_lockout_policy(struct winbindd_domain *domain,
2785 TALLOC_CTX *mem_ctx,
2786 struct samr_DomInfo12 *policy)
2787 {
2788 struct winbind_cache *cache = get_cache(domain);
2789 struct cache_entry *centry = NULL;
2790 NTSTATUS status;
2791 bool old_status;
2792
2793 old_status = domain->online;
2794 if (!cache->tdb)
2795 goto do_query;
2796
2797 centry = wcache_fetch(cache, domain, "LOC_POL/%s", domain->name);
2798
2799 if (!centry)
2800 goto do_query;
2801
2802 do_fetch_cache:
2803 policy->lockout_duration = centry_nttime(centry);
2804 policy->lockout_window = centry_nttime(centry);
2805 policy->lockout_threshold = centry_uint16(centry);
2806
2807 status = centry->status;
2808
2809 DEBUG(10,("lockout_policy: [Cached] - cached info for domain %s status: %s\n",
2810 domain->name, nt_errstr(status) ));
2811
2812 centry_free(centry);
2813 return status;
2814
2815 do_query:
2816 ZERO_STRUCTP(policy);
2817
2818 DEBUG(10,("lockout_policy: [Cached] - doing backend query for info for domain %s\n",
2819 domain->name ));
2820
2821 status = domain->backend->lockout_policy(domain, mem_ctx, policy);
2822
2823 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
2824 NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
2825 if (!domain->internal && old_status) {
2826 set_domain_offline(domain);
2827 }
2828 if (cache->tdb &&
2829 !domain->internal &&
2830 !domain->online &&
2831 old_status) {
2832 centry = wcache_fetch(cache, domain, "LOC_POL/%s", domain->name);
2833 if (centry) {
2834 goto do_fetch_cache;
2835 }
2836 }
2837 }
2838 /* and save it */
2839 refresh_sequence_number(domain);
2840 if (!NT_STATUS_IS_OK(status)) {
2841 return status;
2842 }
2843 wcache_save_lockout_policy(domain, status, policy);
2844
2845 return status;
2846 }
2847
2848 /* get password policy */
2849 NTSTATUS wb_cache_password_policy(struct winbindd_domain *domain,
2850 TALLOC_CTX *mem_ctx,
2851 struct samr_DomInfo1 *policy)
2852 {
2853 struct winbind_cache *cache = get_cache(domain);
2854 struct cache_entry *centry = NULL;
2855 NTSTATUS status;
2856 bool old_status;
2857
2858 old_status = domain->online;
2859 if (!cache->tdb)
2860 goto do_query;
2861
2862 centry = wcache_fetch(cache, domain, "PWD_POL/%s", domain->name);
2863
2864 if (!centry)
2865 goto do_query;
2866
2867 do_fetch_cache:
2868 policy->min_password_length = centry_uint16(centry);
2869 policy->password_history_length = centry_uint16(centry);
2870 policy->password_properties = centry_uint32(centry);
2871 policy->max_password_age = centry_nttime(centry);
2872 policy->min_password_age = centry_nttime(centry);
2873
2874 status = centry->status;
2875
2876 DEBUG(10,("lockout_policy: [Cached] - cached info for domain %s status: %s\n",
2877 domain->name, nt_errstr(status) ));
2878
2879 centry_free(centry);
2880 return status;
2881
2882 do_query:
2883 ZERO_STRUCTP(policy);
2884
2885 DEBUG(10,("password_policy: [Cached] - doing backend query for info for domain %s\n",
2886 domain->name ));
2887
2888 status = domain->backend->password_policy(domain, mem_ctx, policy);
2889
2890 if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT) ||
2891 NT_STATUS_EQUAL(status, NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)) {
2892 if (!domain->internal && old_status) {
2893 set_domain_offline(domain);
2894 }
2895 if (cache->tdb &&
2896 !domain->internal &&
2897 !domain->online &&
2898 old_status) {
2899 centry = wcache_fetch(cache, domain, "PWD_POL/%s", domain->name);
2900 if (centry) {
2901 goto do_fetch_cache;
2902 }
2903 }
2904 }
2905 /* and save it */
2906 refresh_sequence_number(domain);
2907 if (!NT_STATUS_IS_OK(status)) {
2908 return status;
2909 }
2910 wcache_save_password_policy(domain, status, policy);
2911
2912 return status;
2913 }
2914
2915
2916 /* Invalidate cached user and group lists coherently */
2917
2918 static int traverse_fn(TDB_CONTEXT *the_tdb, TDB_DATA kbuf, TDB_DATA dbuf,
2919 void *state)
2920 {
2921 if (strncmp((const char *)kbuf.dptr, "UL/", 3) == 0 ||
2922 strncmp((const char *)kbuf.dptr, "GL/", 3) == 0)
2923 tdb_delete(the_tdb, kbuf);
2924
2925 return 0;
2926 }
2927
2928 /* Invalidate the getpwnam and getgroups entries for a winbindd domain */
2929
2930 void wcache_invalidate_samlogon(struct winbindd_domain *domain,
2931 const struct dom_sid *sid)
2932 {
2933 fstring key_str;
2934 struct dom_sid_buf sid_string;
2935 struct winbind_cache *cache;
2936
2937 /* don't clear cached U/SID and UG/SID entries when we want to logon
2938 * offline - gd */
2939
2940 if (lp_winbind_offline_logon()) {
2941 return;
2942 }
2943
2944 if (!domain)
2945 return;
2946
2947 cache = get_cache(domain);
2948
2949 if (!cache->tdb) {
2950 return;
2951 }
2952
2953 /* Clear U/SID cache entry */
2954 fstr_sprintf(key_str, "U/%s", dom_sid_str_buf(sid, &sid_string));
2955 DEBUG(10, ("wcache_invalidate_samlogon: clearing %s\n", key_str));
2956 tdb_delete(cache->tdb, string_tdb_data(key_str));
2957
2958 /* Clear UG/SID cache entry */
2959 fstr_sprintf(key_str, "UG/%s", dom_sid_str_buf(sid, &sid_string));
2960 DEBUG(10, ("wcache_invalidate_samlogon: clearing %s\n", key_str));
2961 tdb_delete(cache->tdb, string_tdb_data(key_str));
2962
2963 /* Samba/winbindd never needs this. */
2964 netsamlogon_clear_cached_user(sid);
2965 }
2966
2967 bool wcache_invalidate_cache(void)
2968 {
2969 struct winbindd_domain *domain;
2970
2971 for (domain = domain_list(); domain; domain = domain->next) {
2972 struct winbind_cache *cache = get_cache(domain);
2973
2974 DEBUG(10, ("wcache_invalidate_cache: invalidating cache "
2975 "entries for %s\n", domain->name));
2976 if (cache) {
2977 if (cache->tdb) {
2978 tdb_traverse(cache->tdb, traverse_fn, NULL);
2979 } else {
2980 return false;
2981 }
2982 }
2983 }
2984 return true;
2985 }
2986
2987 bool wcache_invalidate_cache_noinit(void)
2988 {
2989 struct winbindd_domain *domain;
2990
2991 for (domain = domain_list(); domain; domain = domain->next) {
2992 struct winbind_cache *cache;
2993
2994 /* Skip uninitialized domains. */
2995 if (!domain->initialized && !domain->internal) {
2996 continue;
2997 }
2998
2999 cache = get_cache(domain);
3000
3001 DEBUG(10, ("wcache_invalidate_cache: invalidating cache "
3002 "entries for %s\n", domain->name));
3003 if (cache) {
3004 if (cache->tdb) {
3005 tdb_traverse(cache->tdb, traverse_fn, NULL);
3006 /*
3007 * Flushing cache has nothing to with domains.
3008 * return here if we successfully flushed once.
3009 * To avoid unnecessary traversing the cache.
3010 */
3011 return true;
3012 } else {
3013 return false;
3014 }
3015 }
3016 }
3017 return true;
3018 }
3019
3020 static bool init_wcache(void)
3021 {
3022 char *db_path;
3023
3024 if (wcache == NULL) {
3025 wcache = SMB_XMALLOC_P(struct winbind_cache);
3026 ZERO_STRUCTP(wcache);
3027 }
3028
3029 if (wcache->tdb != NULL)
3030 return true;
3031
3032 db_path = wcache_path();
3033 if (db_path == NULL) {
3034 return false;
3035 }
3036
3037 /* when working offline we must not clear the cache on restart */
3038 wcache->tdb = tdb_open_log(db_path,
3039 WINBINDD_CACHE_TDB_DEFAULT_HASH_SIZE,
3040 TDB_INCOMPATIBLE_HASH |
3041 (lp_winbind_offline_logon() ? TDB_DEFAULT : (TDB_DEFAULT | TDB_CLEAR_IF_FIRST)),
3042 O_RDWR|O_CREAT, 0600);
3043 TALLOC_FREE(db_path);
3044 if (wcache->tdb == NULL) {
3045 DEBUG(0,("Failed to open winbindd_cache.tdb!\n"));
3046 return false;
3047 }
3048
3049 return true;
3050 }
3051
3052 /************************************************************************
3053 This is called by the parent to initialize the cache file.
3054 We don't need sophisticated locking here as we know we're the
3055 only opener.
3056 ************************************************************************/
3057
3058 bool initialize_winbindd_cache(void)
3059 {
3060 bool cache_bad = false;
3061 uint32_t vers = 0;
3062 bool ok;
3063
3064 if (!init_wcache()) {
3065 DEBUG(0,("initialize_winbindd_cache: init_wcache failed.\n"));
3066 return false;
3067 }
3068
3069 /* Check version number. */
3070 ok = tdb_fetch_uint32(wcache->tdb, WINBINDD_CACHE_VERSION_KEYSTR, &vers);
3071 if (!ok) {
3072 DBG_DEBUG("Failed to get cache version\n");
3073 cache_bad = true;
3074 }
3075 if (vers != WINBINDD_CACHE_VERSION) {
3076 DBG_DEBUG("Invalid cache version %u != %u\n",
3077 vers,
3078 WINBINDD_CACHE_VERSION);
3079 cache_bad = true;
3080 }
3081
3082 if (cache_bad) {
3083 char *db_path;
3084
3085 DEBUG(0,("initialize_winbindd_cache: clearing cache "
3086 "and re-creating with version number %d\n",
3087 WINBINDD_CACHE_VERSION ));
3088
3089 tdb_close(wcache->tdb);
3090 wcache->tdb = NULL;
3091
3092 db_path = wcache_path();
3093 if (db_path == NULL) {
3094 return false;
3095 }
3096
3097 if (unlink(db_path) == -1) {
3098 DEBUG(0,("initialize_winbindd_cache: unlink %s failed %s ",
3099 db_path,
3100 strerror(errno) ));
3101 TALLOC_FREE(db_path);
3102 return false;
3103 }
3104 TALLOC_FREE(db_path);
3105 if (!init_wcache()) {
3106 DEBUG(0,("initialize_winbindd_cache: re-initialization "
3107 "init_wcache failed.\n"));
3108 return false;
3109 }
3110
3111 /* Write the version. */
3112 if (!tdb_store_uint32(wcache->tdb, WINBINDD_CACHE_VERSION_KEYSTR, WINBINDD_CACHE_VERSION)) {
3113 DEBUG(0,("initialize_winbindd_cache: version number store failed %s\n",
3114 tdb_errorstr(wcache->tdb) ));
3115 return false;
3116 }
3117 }
3118
3119 tdb_close(wcache->tdb);
3120 wcache->tdb = NULL;
3121 return true;
3122 }
3123
3124 void close_winbindd_cache(void)
3125 {
3126 if (!wcache) {
3127 return;
3128 }
3129 if (wcache->tdb) {
3130 tdb_close(wcache->tdb);
3131 wcache->tdb = NULL;
3132 }
3133 }
3134
3135 bool lookup_cached_sid(TALLOC_CTX *mem_ctx, const struct dom_sid *sid,
3136 char **domain_name, char **name,
3137 enum lsa_SidType *type)
3138 {
3139 struct winbindd_domain *domain;
3140 NTSTATUS status;
3141
3142 domain = find_lookup_domain_from_sid(sid);
3143 if (domain == NULL) {
3144 return false;
3145 }
3146 status = wcache_sid_to_name(domain, sid, mem_ctx, domain_name, name,
3147 type);
3148 return NT_STATUS_IS_OK(status);
3149 }
3150
3151 bool lookup_cached_name(const char *namespace,
3152 const char *domain_name,
3153 const char *name,
3154 struct dom_sid *sid,
3155 enum lsa_SidType *type)
3156 {
3157 struct winbindd_domain *domain;
3158 NTSTATUS status;
3159 bool original_online_state;
3160
3161 domain = find_lookup_domain_from_name(namespace);
3162 if (domain == NULL) {
3163 return false;
3164 }
3165
3166 /* If we are doing a cached logon, temporarily set the domain
3167 offline so the cache won't expire the entry */
3168
3169 original_online_state = domain->online;
3170 domain->online = false;
3171 status = wcache_name_to_sid(domain, domain_name, name, sid, type);
3172 domain->online = original_online_state;
3173
3174 return NT_STATUS_IS_OK(status);
3175 }
3176
3177 /*
3178 * Cache a name to sid without checking the sequence number.
3179 * Used when caching from a trusted PAC.
3180 */
3181
3182 void cache_name2sid_trusted(struct winbindd_domain *domain,
3183 const char *domain_name,
3184 const char *name,
3185 enum lsa_SidType type,
3186 const struct dom_sid *sid)
3187 {
3188 /*
3189 * Ensure we store the mapping with the
3190 * existing sequence number from the cache.
3191 */
3192 get_cache(domain);
3193 (void)fetch_cache_seqnum(domain, time(NULL));
3194 wcache_save_name_to_sid(domain,
3195 NT_STATUS_OK,
3196 domain_name,
3197 name,
3198 sid,
3199 type);
3200 }
3201
3202 void cache_name2sid(struct winbindd_domain *domain,
3203 const char *domain_name, const char *name,
3204 enum lsa_SidType type, const struct dom_sid *sid)
3205 {
3206 refresh_sequence_number(domain);
3207 wcache_save_name_to_sid(domain, NT_STATUS_OK, domain_name, name,
3208 sid, type);
3209 }
3210
3211 /*
3212 * The original idea that this cache only contains centries has
3213 * been blurred - now other stuff gets put in here. Ensure we
3214 * ignore these things on cleanup.
3215 */
3216
3217 static int traverse_fn_cleanup(TDB_CONTEXT *the_tdb, TDB_DATA kbuf,
3218 TDB_DATA dbuf, void *state)
3219 {
3220 struct cache_entry *centry;
3221
3222 if (is_non_centry_key(kbuf)) {
3223 return 0;
3224 }
3225
3226 centry = wcache_fetch_raw((char *)kbuf.dptr);
3227 if (!centry) {
3228 return 0;
3229 }
3230
3231 if (!NT_STATUS_IS_OK(centry->status)) {
3232 DEBUG(10,("deleting centry %s\n", (const char *)kbuf.dptr));
3233 tdb_delete(the_tdb, kbuf);
3234 }
3235
3236 centry_free(centry);
3237 return 0;
3238 }
3239
3240 /* flush the cache */
3241 static void wcache_flush_cache(void)
3242 {
3243 char *db_path;
3244
3245 if (!wcache)
3246 return;
3247 if (wcache->tdb) {
3248 tdb_close(wcache->tdb);
3249 wcache->tdb = NULL;
3250 }
3251 if (!winbindd_use_cache()) {
3252 return;
3253 }
3254
3255 db_path = wcache_path();
3256 if (db_path == NULL) {
3257 return;
3258 }
3259
3260 /* when working offline we must not clear the cache on restart */
3261 wcache->tdb = tdb_open_log(db_path,
3262 WINBINDD_CACHE_TDB_DEFAULT_HASH_SIZE,
3263 TDB_INCOMPATIBLE_HASH |
3264 (lp_winbind_offline_logon() ? TDB_DEFAULT : (TDB_DEFAULT | TDB_CLEAR_IF_FIRST)),
3265 O_RDWR|O_CREAT, 0600);
3266 TALLOC_FREE(db_path);
3267 if (!wcache->tdb) {
3268 DEBUG(0,("Failed to open winbindd_cache.tdb!\n"));
3269 return;
3270 }
3271
3272 tdb_traverse(wcache->tdb, traverse_fn_cleanup, NULL);
3273
3274 DEBUG(10,("wcache_flush_cache success\n"));
3275 }
3276
3277 /* Count cached creds */
3278
3279 static int traverse_fn_cached_creds(TDB_CONTEXT *the_tdb, TDB_DATA kbuf, TDB_DATA dbuf,
3280 void *state)
3281 {
3282 int *cred_count = (int*)state;
3283
3284 if (strncmp((const char *)kbuf.dptr, "CRED/", 5) == 0) {
3285 (*cred_count)++;
3286 }
3287 return 0;
3288 }
3289
3290 NTSTATUS wcache_count_cached_creds(struct winbindd_domain *domain, int *count)
3291 {
3292 struct winbind_cache *cache = get_cache(domain);
3293
3294 *count = 0;
3295
3296 if (!cache->tdb) {
3297 return NT_STATUS_INTERNAL_DB_ERROR;
3298 }
3299
3300 tdb_traverse(cache->tdb, traverse_fn_cached_creds, (void *)count);
3301
3302 return NT_STATUS_OK;
3303 }
3304
3305 struct cred_list {
3306 struct cred_list *prev, *next;
3307 TDB_DATA key;
3308 fstring name;
3309 time_t created;
3310 };
3311 static struct cred_list *wcache_cred_list;
3312
3313 static int traverse_fn_get_credlist(TDB_CONTEXT *the_tdb, TDB_DATA kbuf, TDB_DATA dbuf,
3314 void *state)
3315 {
3316 struct cred_list *cred;
3317
3318 if (strncmp((const char *)kbuf.dptr, "CRED/", 5) == 0) {
3319
3320 cred = SMB_MALLOC_P(struct cred_list);
3321 if (cred == NULL) {
3322 DEBUG(0,("traverse_fn_remove_first_creds: failed to malloc new entry for list\n"));
3323 return -1;
3324 }
3325
3326 ZERO_STRUCTP(cred);
3327
3328 /* save a copy of the key */
3329
3330 fstrcpy(cred->name, (const char *)kbuf.dptr);
3331 DLIST_ADD(wcache_cred_list, cred);
3332 }
3333
3334 return 0;
3335 }
3336
3337 NTSTATUS wcache_remove_oldest_cached_creds(struct winbindd_domain *domain, const struct dom_sid *sid)
3338 {
3339 struct winbind_cache *cache = get_cache(domain);
3340 NTSTATUS status;
3341 int ret;
3342 struct cred_list *cred, *next, *oldest = NULL;
3343
3344 if (!cache->tdb) {
3345 return NT_STATUS_INTERNAL_DB_ERROR;
3346 }
3347
3348 /* we possibly already have an entry */
3349 if (sid && NT_STATUS_IS_OK(wcache_cached_creds_exist(domain, sid))) {
3350
3351 fstring key_str;
3352 struct dom_sid_buf tmp;
3353
3354 DEBUG(11,("we already have an entry, deleting that\n"));
3355
3356 fstr_sprintf(key_str, "CRED/%s", dom_sid_str_buf(sid, &tmp));
3357
3358 tdb_delete(cache->tdb, string_tdb_data(key_str));
3359
3360 return NT_STATUS_OK;
3361 }
3362
3363 ret = tdb_traverse(cache->tdb, traverse_fn_get_credlist, NULL);
3364 if (ret == 0) {
3365 return NT_STATUS_OK;
3366 } else if ((ret < 0) || (wcache_cred_list == NULL)) {
3367 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
3368 }
3369
3370 ZERO_STRUCTP(oldest);
3371
3372 for (cred = wcache_cred_list; cred; cred = cred->next) {
3373
3374 TDB_DATA data;
3375 time_t t;
3376
3377 data = tdb_fetch(cache->tdb, string_tdb_data(cred->name));
3378 if (!data.dptr) {
3379 DEBUG(10,("wcache_remove_oldest_cached_creds: entry for [%s] not found\n",
3380 cred->name));
3381 status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
3382 goto done;
3383 }
3384
3385 t = IVAL(data.dptr, 0);
3386 SAFE_FREE(data.dptr);
3387
3388 if (!oldest) {
3389 oldest = SMB_MALLOC_P(struct cred_list);
3390 if (oldest == NULL) {
3391 status = NT_STATUS_NO_MEMORY;
3392 goto done;
3393 }
3394
3395 fstrcpy(oldest->name, cred->name);
3396 oldest->created = t;
3397 continue;
3398 }
3399
3400 if (t < oldest->created) {
3401 fstrcpy(oldest->name, cred->name);
3402 oldest->created = t;
3403 }
3404 }
3405
3406 if (tdb_delete(cache->tdb, string_tdb_data(oldest->name)) == 0) {
3407 status = NT_STATUS_OK;
3408 } else {
3409 status = NT_STATUS_UNSUCCESSFUL;
3410 }
3411 done:
3412 for (cred = wcache_cred_list; cred; cred = next) {
3413 next = cred->next;
3414 DLIST_REMOVE(wcache_cred_list, cred);
3415 SAFE_FREE(cred);
3416 }
3417 SAFE_FREE(oldest);
3418
3419 return status;
3420 }
3421
3422 /* Change the global online/offline state. */
3423 bool set_global_winbindd_state_offline(void)
3424 {
3425 bool ok;
3426 uint8_t buf[4] = {0};
3427 TDB_DATA data = {
3428 .dptr = buf,
3429 .dsize = sizeof(buf)
3430 };
3431 int rc;
3432
3433 DBG_ERR("Offline requested\n");
3434
3435 if (wcache == NULL || wcache->tdb == NULL) {
3436 DBG_ERR("Winbind cache doesn't exist yet\n");
3437 return false;
3438 }
3439
3440 if (!lp_winbind_offline_logon()) {
3441 DBG_DEBUG("Rejecting request to set winbind offline, "
3442 "offline logons are disabled in smb.conf\n");
3443 return false;
3444 }
3445
3446 ok = get_global_winbindd_state_offline();
3447 if (ok) {
3448 return true;
3449 }
3450
3451 PUSH_LE_U32(buf, 0, time(NULL));
3452
3453 rc = tdb_store_bystring(wcache->tdb,
3454 "WINBINDD_OFFLINE",
3455 data,
3456 TDB_INSERT);
3457 if (rc != 0) {
3458 return false;
3459 }
3460
3461 return true;
3462
3463 }
3464
3465 void set_global_winbindd_state_online(void)
3466 {
3467 DEBUG(10,("set_global_winbindd_state_online: online requested.\n"));
3468
3469 if (!lp_winbind_offline_logon()) {
3470 DBG_DEBUG("Rejecting request to set winbind online, "
3471 "offline logons are disabled in smb.conf.\n");
3472 return;
3473 }
3474
3475 if (!wcache->tdb) {
3476 return;
3477 }
3478
3479 /* Ensure there is no key "WINBINDD_OFFLINE" in the cache tdb. */
3480 tdb_delete_bystring(wcache->tdb, "WINBINDD_OFFLINE");
3481 }
3482
3483 bool get_global_winbindd_state_offline(void)
3484 {
3485 TDB_DATA data;
3486
3487 data = tdb_fetch_bystring(wcache->tdb, "WINBINDD_OFFLINE");
3488 if (data.dptr == NULL || data.dsize != 4) {
3489 DBG_DEBUG("Offline state not set.\n");
3490 SAFE_FREE(data.dptr);
3491 return false;
3492 }
3493
3494 return true;
3495 }
3496
3497 /***********************************************************************
3498 Validate functions for all possible cache tdb keys.
3499 ***********************************************************************/
3500
3501 static struct cache_entry *create_centry_validate(const char *kstr, TDB_DATA data,
3502 struct tdb_validation_status *state)
3503 {
3504 struct cache_entry *centry;
3505
3506 centry = SMB_XMALLOC_P(struct cache_entry);
3507 centry->data = (unsigned char *)smb_memdup(data.dptr, data.dsize);
3508 if (!centry->data) {
3509 SAFE_FREE(centry);
3510 return NULL;
3511 }
3512 centry->len = data.dsize;
3513 centry->ofs = 0;
3514
3515 if (centry->len < 16) {
3516 /* huh? corrupt cache? */
3517 DEBUG(0,("create_centry_validate: Corrupt cache for key %s "
3518 "(len < 16) ?\n", kstr));
3519 centry_free(centry);
3520 state->bad_entry = true;
3521 state->success = false;
3522 return NULL;
3523 }
3524
3525 centry->status = NT_STATUS(centry_uint32(centry));
3526 centry->sequence_number = centry_uint32(centry);
3527 centry->timeout = centry_uint64_t(centry);
3528 return centry;
3529 }
3530
3531 static int validate_seqnum(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
3532 struct tdb_validation_status *state)
3533 {
3534 if (dbuf.dsize != 8) {
3535 DEBUG(0,("validate_seqnum: Corrupt cache for key %s (len %u != 8) ?\n",
3536 keystr, (unsigned int)dbuf.dsize ));
3537 state->bad_entry = true;
3538 return 1;
3539 }
3540 return 0;
3541 }
3542
3543 static int validate_u(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
3544 struct tdb_validation_status *state)
3545 {
3546 struct cache_entry *centry = create_centry_validate(keystr, dbuf, state);
3547 struct dom_sid sid;
3548
3549 if (!centry) {
3550 return 1;
3551 }
3552
3553 (void)centry_string(centry, mem_ctx);
3554 (void)centry_string(centry, mem_ctx);
3555 (void)centry_string(centry, mem_ctx);
3556 (void)centry_string(centry, mem_ctx);
3557 (void)centry_string(centry, mem_ctx);
3558 (void)centry_uint32(centry);
3559 (void)centry_uint32(centry);
3560 (void)centry_string(centry, mem_ctx);
3561 (void)centry_sid(centry, &sid);
3562 (void)centry_sid(centry, &sid);
3563
3564 centry_free(centry);
3565
3566 if (!(state->success)) {
3567 return 1;
3568 }
3569 DEBUG(10,("validate_u: %s ok\n", keystr));
3570 return 0;
3571 }
3572
3573 static int validate_loc_pol(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
3574 struct tdb_validation_status *state)
3575 {
3576 struct cache_entry *centry = create_centry_validate(keystr, dbuf, state);
3577
3578 if (!centry) {
3579 return 1;
3580 }
3581
3582 (void)centry_nttime(centry);
3583 (void)centry_nttime(centry);
3584 (void)centry_uint16(centry);
3585
3586 centry_free(centry);
3587
3588 if (!(state->success)) {
3589 return 1;
3590 }
3591 DEBUG(10,("validate_loc_pol: %s ok\n", keystr));
3592 return 0;
3593 }
3594
3595 static int validate_pwd_pol(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
3596 struct tdb_validation_status *state)
3597 {
3598 struct cache_entry *centry = create_centry_validate(keystr, dbuf, state);
3599
3600 if (!centry) {
3601 return 1;
3602 }
3603
3604 (void)centry_uint16(centry);
3605 (void)centry_uint16(centry);
3606 (void)centry_uint32(centry);
3607 (void)centry_nttime(centry);
3608 (void)centry_nttime(centry);
3609
3610 centry_free(centry);
3611
3612 if (!(state->success)) {
3613 return 1;
3614 }
3615 DEBUG(10,("validate_pwd_pol: %s ok\n", keystr));
3616 return 0;
3617 }
3618
3619 static int validate_cred(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
3620 struct tdb_validation_status *state)
3621 {
3622 struct cache_entry *centry = create_centry_validate(keystr, dbuf, state);
3623
3624 if (!centry) {
3625 return 1;
3626 }
3627
3628 (void)centry_time(centry);
3629 (void)centry_hash16(centry, mem_ctx);
3630
3631 /* We only have 17 bytes more data in the salted cred case. */
3632 if (centry->len - centry->ofs == 17) {
3633 (void)centry_hash16(centry, mem_ctx);
3634 }
3635
3636 centry_free(centry);
3637
3638 if (!(state->success)) {
3639 return 1;
3640 }
3641 DEBUG(10,("validate_cred: %s ok\n", keystr));
3642 return 0;
3643 }
3644
3645 static int validate_ul(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
3646 struct tdb_validation_status *state)
3647 {
3648 struct cache_entry *centry = create_centry_validate(keystr, dbuf, state);
3649 int32_t num_entries, i;
3650
3651 if (!centry) {
3652 return 1;
3653 }
3654
3655 num_entries = (int32_t)centry_uint32(centry);
3656
3657 for (i=0; i< num_entries; i++) {
3658 (void)centry_uint32(centry);
3659 }
3660
3661 centry_free(centry);
3662
3663 if (!(state->success)) {
3664 return 1;
3665 }
3666 DEBUG(10,("validate_ul: %s ok\n", keystr));
3667 return 0;
3668 }
3669
3670 static int validate_gl(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
3671 struct tdb_validation_status *state)
3672 {
3673 struct cache_entry *centry = create_centry_validate(keystr, dbuf, state);
3674 int32_t num_entries, i;
3675
3676 if (!centry) {
3677 return 1;
3678 }
3679
3680 num_entries = centry_uint32(centry);
3681
3682 for (i=0; i< num_entries; i++) {
3683 (void)centry_string(centry, mem_ctx);
3684 (void)centry_string(centry, mem_ctx);
3685 (void)centry_uint32(centry);
3686 }
3687
3688 centry_free(centry);
3689
3690 if (!(state->success)) {
3691 return 1;
3692 }
3693 DEBUG(10,("validate_gl: %s ok\n", keystr));
3694 return 0;
3695 }
3696
3697 static int validate_ug(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
3698 struct tdb_validation_status *state)
3699 {
3700 struct cache_entry *centry = create_centry_validate(keystr, dbuf, state);
3701 int32_t num_groups, i;
3702
3703 if (!centry) {
3704 return 1;
3705 }
3706
3707 num_groups = centry_uint32(centry);
3708
3709 for (i=0; i< num_groups; i++) {
3710 struct dom_sid sid;
3711 centry_sid(centry, &sid);
3712 }
3713
3714 centry_free(centry);
3715
3716 if (!(state->success)) {
3717 return 1;
3718 }
3719 DEBUG(10,("validate_ug: %s ok\n", keystr));
3720 return 0;
3721 }
3722
3723 static int validate_ua(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
3724 struct tdb_validation_status *state)
3725 {
3726 struct cache_entry *centry = create_centry_validate(keystr, dbuf, state);
3727 int32_t num_aliases, i;
3728
3729 if (!centry) {
3730 return 1;
3731 }
3732
3733 num_aliases = centry_uint32(centry);
3734
3735 for (i=0; i < num_aliases; i++) {
3736 (void)centry_uint32(centry);
3737 }
3738
3739 centry_free(centry);
3740
3741 if (!(state->success)) {
3742 return 1;
3743 }
3744 DEBUG(10,("validate_ua: %s ok\n", keystr));
3745 return 0;
3746 }
3747
3748 static int validate_gm(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
3749 struct tdb_validation_status *state)
3750 {
3751 struct cache_entry *centry = create_centry_validate(keystr, dbuf, state);
3752 int32_t num_names, i;
3753
3754 if (!centry) {
3755 return 1;
3756 }
3757
3758 num_names = centry_uint32(centry);
3759
3760 for (i=0; i< num_names; i++) {
3761 struct dom_sid sid;
3762 centry_sid(centry, &sid);
3763 (void)centry_string(centry, mem_ctx);
3764 (void)centry_uint32(centry);
3765 }
3766
3767 centry_free(centry);
3768
3769 if (!(state->success)) {
3770 return 1;
3771 }
3772 DEBUG(10,("validate_gm: %s ok\n", keystr));
3773 return 0;
3774 }
3775
3776 static int validate_dr(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
3777 struct tdb_validation_status *state)
3778 {
3779 /* Can't say anything about this other than must be nonzero. */
3780 if (dbuf.dsize == 0) {
3781 DEBUG(0,("validate_dr: Corrupt cache for key %s (len == 0) ?\n",
3782 keystr));
3783 state->bad_entry = true;
3784 state->success = false;
3785 return 1;
3786 }
3787
3788 DEBUG(10,("validate_dr: %s ok\n", keystr));
3789 return 0;
3790 }
3791
3792 static int validate_de(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
3793 struct tdb_validation_status *state)
3794 {
3795 /* Can't say anything about this other than must be nonzero. */
3796 if (dbuf.dsize == 0) {
3797 DEBUG(0,("validate_de: Corrupt cache for key %s (len == 0) ?\n",
3798 keystr));
3799 state->bad_entry = true;
3800 state->success = false;
3801 return 1;
3802 }
3803
3804 DEBUG(10,("validate_de: %s ok\n", keystr));
3805 return 0;
3806 }
3807
3808 static int validate_nss_an(TALLOC_CTX *mem_ctx, const char *keystr,
3809 TDB_DATA dbuf,
3810 struct tdb_validation_status *state)
3811 {
3812 struct cache_entry *centry = create_centry_validate(keystr, dbuf, state);
3813
3814 if (!centry) {
3815 return 1;
3816 }
3817
3818 (void)centry_string( centry, mem_ctx );
3819
3820 centry_free(centry);
3821
3822 if (!(state->success)) {
3823 return 1;
3824 }
3825 DEBUG(10,("validate_pwinfo: %s ok\n", keystr));
3826 return 0;
3827 }
3828
3829 static int validate_nss_na(TALLOC_CTX *mem_ctx, const char *keystr,
3830 TDB_DATA dbuf,
3831 struct tdb_validation_status *state)
3832 {
3833 struct cache_entry *centry = create_centry_validate(keystr, dbuf, state);
3834
3835 if (!centry) {
3836 return 1;
3837 }
3838
3839 (void)centry_string( centry, mem_ctx );
3840
3841 centry_free(centry);
3842
3843 if (!(state->success)) {
3844 return 1;
3845 }
3846 DBG_DEBUG("%s ok\n", keystr);
3847 return 0;
3848 }
3849
3850 static int validate_trustdomcache(TALLOC_CTX *mem_ctx, const char *keystr,
3851 TDB_DATA dbuf,
3852 struct tdb_validation_status *state)
3853 {
3854 if (dbuf.dsize == 0) {
3855 DEBUG(0, ("validate_trustdomcache: Corrupt cache for "
3856 "key %s (len ==0) ?\n", keystr));
3857 state->bad_entry = true;
3858 state->success = false;
3859 return 1;
3860 }
3861
3862 DEBUG(10, ("validate_trustdomcache: %s ok\n", keystr));
3863 DEBUGADD(10, (" Don't trust me, I am a DUMMY!\n"));
3864 return 0;
3865 }
3866
3867 static int validate_offline(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
3868 struct tdb_validation_status *state)
3869 {
3870 if (dbuf.dsize != 4) {
3871 DEBUG(0,("validate_offline: Corrupt cache for key %s (len %u != 4) ?\n",
3872 keystr, (unsigned int)dbuf.dsize ));
3873 state->bad_entry = true;
3874 state->success = false;
3875 return 1;
3876 }
3877 DEBUG(10,("validate_offline: %s ok\n", keystr));
3878 return 0;
3879 }
3880
3881 static int validate_ndr(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
3882 struct tdb_validation_status *state)
3883 {
3884 /*
3885 * Ignore validation for now. The proper way to do this is with a
3886 * checksum. Just pure parsing does not really catch much.
3887 */
3888 return 0;
3889 }
3890
3891 static int validate_cache_version(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf,
3892 struct tdb_validation_status *state)
3893 {
3894 if (dbuf.dsize != 4) {
3895 DEBUG(0, ("validate_cache_version: Corrupt cache for "
3896 "key %s (len %u != 4) ?\n",
3897 keystr, (unsigned int)dbuf.dsize));
3898 state->bad_entry = true;
3899 state->success = false;
3900 return 1;
3901 }
3902
3903 DEBUG(10, ("validate_cache_version: %s ok\n", keystr));
3904 return 0;
3905 }
3906
3907 /***********************************************************************
3908 A list of all possible cache tdb keys with associated validation
3909 functions.
3910 ***********************************************************************/
3911
3912 struct key_val_struct {
3913 const char *keyname;
3914 int (*validate_data_fn)(TALLOC_CTX *mem_ctx, const char *keystr, TDB_DATA dbuf, struct tdb_validation_status* state);
3915 } key_val[] = {
3916 {"SEQNUM/", validate_seqnum},
3917 {"U/", validate_u},
3918 {"LOC_POL/", validate_loc_pol},
3919 {"PWD_POL/", validate_pwd_pol},
3920 {"CRED/", validate_cred},
3921 {"UL/", validate_ul},
3922 {"GL/", validate_gl},
3923 {"UG/", validate_ug},
3924 {"UA", validate_ua},
3925 {"GM/", validate_gm},
3926 {"DR/", validate_dr},
3927 {"DE/", validate_de},
3928 {"TRUSTDOMCACHE/", validate_trustdomcache},
3929 {"NSS/NA/", validate_nss_na},
3930 {"NSS/AN/", validate_nss_an},
3931 {"WINBINDD_OFFLINE", validate_offline},
3932 {"NDR/", validate_ndr},
3933 {WINBINDD_CACHE_VERSION_KEYSTR, validate_cache_version},
3934 {NULL, NULL}
3935 };
3936
3937 /***********************************************************************
3938 Function to look at every entry in the tdb and validate it as far as
3939 possible.
3940 ***********************************************************************/
3941
3942 static int cache_traverse_validate_fn(TDB_CONTEXT *the_tdb, TDB_DATA kbuf, TDB_DATA dbuf, void *state)
3943 {
3944 int i;
3945 unsigned int max_key_len = 1024;
3946 struct tdb_validation_status *v_state = (struct tdb_validation_status *)state;
3947
3948 /* Paranoia check. */
3949 if (strncmp("UA/", (const char *)kbuf.dptr, 3) == 0 ||
3950 strncmp("NDR/", (const char *)kbuf.dptr, 4) == 0) {
3951 max_key_len = 1024 * 1024;
3952 }
3953 if (kbuf.dsize > max_key_len) {
3954 DEBUG(0, ("cache_traverse_validate_fn: key length too large: "
3955 "(%u) > (%u)\n\n",
3956 (unsigned int)kbuf.dsize, (unsigned int)max_key_len));
3957 return 1;
3958 }
3959
3960 for (i = 0; key_val[i].keyname; i++) {
3961 size_t namelen = strlen(key_val[i].keyname);
3962 if (kbuf.dsize >= namelen && (
3963 strncmp(key_val[i].keyname, (const char *)kbuf.dptr, namelen)) == 0) {
3964 TALLOC_CTX *mem_ctx;
3965 char *keystr;
3966 int ret;
3967
3968 keystr = SMB_MALLOC_ARRAY(char, kbuf.dsize+1);
3969 if (!keystr) {
3970 return 1;
3971 }
3972 memcpy(keystr, kbuf.dptr, kbuf.dsize);
3973 keystr[kbuf.dsize] = '\0';
3974
3975 mem_ctx = talloc_init("validate_ctx");
3976 if (!mem_ctx) {
3977 SAFE_FREE(keystr);
3978 return 1;
3979 }
3980
3981 ret = key_val[i].validate_data_fn(mem_ctx, keystr, dbuf,
3982 v_state);
3983
3984 SAFE_FREE(keystr);
3985 talloc_destroy(mem_ctx);
3986 return ret;
3987 }
3988 }
3989
3990 DEBUG(0,("cache_traverse_validate_fn: unknown cache entry\nkey :\n"));
3991 dump_data(0, (uint8_t *)kbuf.dptr, kbuf.dsize);
3992 DEBUG(0,("data :\n"));
3993 dump_data(0, (uint8_t *)dbuf.dptr, dbuf.dsize);
3994 v_state->unknown_key = true;
3995 v_state->success = false;
3996 return 1; /* terminate. */
3997 }
3998
3999 static void validate_panic(const char *const why)
4000 {
4001 DEBUG(0,("validating cache: would panic %s\n", why ));
4002 DEBUGADD(0, ("exiting instead (cache validation mode)\n"));
4003 exit(47);
4004 }
4005
4006 static int wbcache_update_centry_fn(TDB_CONTEXT *tdb,
4007 TDB_DATA key,
4008 TDB_DATA data,
4009 void *state)
4010 {
4011 uint64_t ctimeout;
4012 TDB_DATA blob;
4013
4014 if (is_non_centry_key(key)) {
4015 return 0;
4016 }
4017
4018 if (data.dptr == NULL || data.dsize == 0) {
4019 if (tdb_delete(tdb, key) < 0) {
4020 DEBUG(0, ("tdb_delete for [%s] failed!\n",
4021 key.dptr));
4022 return 1;
4023 }
4024 }
4025
4026 /* add timeout to blob (uint64_t) */
4027 blob.dsize = data.dsize + 8;
4028
4029 blob.dptr = SMB_XMALLOC_ARRAY(uint8_t, blob.dsize);
4030 if (blob.dptr == NULL) {
4031 return 1;
4032 }
4033 memset(blob.dptr, 0, blob.dsize);
4034
4035 /* copy status and seqnum */
4036 memcpy(blob.dptr, data.dptr, 8);
4037
4038 /* add timeout */
4039 ctimeout = lp_winbind_cache_time() + time(NULL);
4040 SBVAL(blob.dptr, 8, ctimeout);
4041
4042 /* copy the rest */
4043 memcpy(blob.dptr + 16, data.dptr + 8, data.dsize - 8);
4044
4045 if (tdb_store(tdb, key, blob, TDB_REPLACE) < 0) {
4046 DEBUG(0, ("tdb_store to update [%s] failed!\n",
4047 key.dptr));
4048 SAFE_FREE(blob.dptr);
4049 return 1;
4050 }
4051
4052 SAFE_FREE(blob.dptr);
4053 return 0;
4054 }
4055
4056 static bool wbcache_upgrade_v1_to_v2(TDB_CONTEXT *tdb)
4057 {
4058 int rc;
4059
4060 DEBUG(1, ("Upgrade to version 2 of the winbindd_cache.tdb\n"));
4061
4062 rc = tdb_traverse(tdb, wbcache_update_centry_fn, NULL);
4063 if (rc < 0) {
4064 return false;
4065 }
4066
4067 return true;
4068 }
4069
4070 /***********************************************************************
4071 Try and validate every entry in the winbindd cache. If we fail here,
4072 delete the cache tdb and return non-zero.
4073 ***********************************************************************/
4074
4075 int winbindd_validate_cache(void)
4076 {
4077 int ret = -1;
4078 char *tdb_path = NULL;
4079 TDB_CONTEXT *tdb = NULL;
4080 uint32_t vers_id;
4081 bool ok;
4082
4083 DEBUG(10, ("winbindd_validate_cache: replacing panic function\n"));
4084 smb_panic_fn = validate_panic;
4085
4086 tdb_path = wcache_path();
4087 if (tdb_path == NULL) {
4088 goto done;
4089 }
4090
4091 tdb = tdb_open_log(tdb_path,
4092 WINBINDD_CACHE_TDB_DEFAULT_HASH_SIZE,
4093 TDB_INCOMPATIBLE_HASH |
4094 ( lp_winbind_offline_logon()
4095 ? TDB_DEFAULT
4096 : TDB_DEFAULT | TDB_CLEAR_IF_FIRST ),
4097 O_RDWR|O_CREAT,
4098 0600);
4099 if (!tdb) {
4100 DEBUG(0, ("winbindd_validate_cache: "
4101 "error opening/initializing tdb\n"));
4102 goto done;
4103 }
4104
4105 /* Version check and upgrade code. */
4106 if (!tdb_fetch_uint32(tdb, WINBINDD_CACHE_VERSION_KEYSTR, &vers_id)) {
4107 DEBUG(10, ("Fresh database\n"));
4108 tdb_store_uint32(tdb, WINBINDD_CACHE_VERSION_KEYSTR, WINBINDD_CACHE_VERSION);
4109 vers_id = WINBINDD_CACHE_VERSION;
4110 }
4111
4112 if (vers_id != WINBINDD_CACHE_VERSION) {
4113 if (vers_id == WINBINDD_CACHE_VER1) {
4114 ok = wbcache_upgrade_v1_to_v2(tdb);
4115 if (!ok) {
4116 DEBUG(10, ("winbindd_validate_cache: upgrade to version 2 failed.\n"));
4117 unlink(tdb_path);
4118 goto done;
4119 }
4120
4121 tdb_store_uint32(tdb,
4122 WINBINDD_CACHE_VERSION_KEYSTR,
4123 WINBINDD_CACHE_VERSION);
4124 vers_id = WINBINDD_CACHE_VER2;
4125 }
4126 }
4127
4128 tdb_close(tdb);
4129
4130 ret = tdb_validate_and_backup(tdb_path, cache_traverse_validate_fn);
4131
4132 if (ret != 0) {
4133 DEBUG(10, ("winbindd_validate_cache: validation not successful.\n"));
4134 DEBUGADD(10, ("removing tdb %s.\n", tdb_path));
4135 unlink(tdb_path);
4136 }
4137
4138 done:
4139 TALLOC_FREE(tdb_path);
4140 DEBUG(10, ("winbindd_validate_cache: restoring panic function\n"));
4141 smb_panic_fn = smb_panic;
4142 return ret;
4143 }
4144
4145 /***********************************************************************
4146 Try and validate every entry in the winbindd cache.
4147 ***********************************************************************/
4148
4149 int winbindd_validate_cache_nobackup(void)
4150 {
4151 int ret = -1;
4152 char *tdb_path;
4153
4154 DEBUG(10, ("winbindd_validate_cache: replacing panic function\n"));
4155 smb_panic_fn = validate_panic;
4156
4157 tdb_path = wcache_path();
4158 if (tdb_path == NULL) {
4159 goto err_panic_restore;
4160 }
4161
4162 if (wcache == NULL || wcache->tdb == NULL) {
4163 ret = tdb_validate_open(tdb_path, cache_traverse_validate_fn);
4164 } else {
4165 ret = tdb_validate(wcache->tdb, cache_traverse_validate_fn);
4166 }
4167
4168 if (ret != 0) {
4169 DEBUG(10, ("winbindd_validate_cache_nobackup: validation not "
4170 "successful.\n"));
4171 }
4172
4173 TALLOC_FREE(tdb_path);
4174 err_panic_restore:
4175 DEBUG(10, ("winbindd_validate_cache_nobackup: restoring panic "
4176 "function\n"));
4177 smb_panic_fn = smb_panic;
4178 return ret;
4179 }
4180
4181 bool winbindd_cache_validate_and_initialize(void)
4182 {
4183 close_winbindd_cache();
4184
4185 if (lp_winbind_offline_logon()) {
4186 if (winbindd_validate_cache() < 0) {
4187 DEBUG(0, ("winbindd cache tdb corrupt and no backup "
4188 "could be restored.\n"));
4189 }
4190 }
4191
4192 return initialize_winbindd_cache();
4193 }
4194
4195 /*********************************************************************
4196 ********************************************************************/
4197
4198 static bool add_wbdomain_to_tdc_array( struct winbindd_domain *new_dom,
4199 struct winbindd_tdc_domain **domains,
4200 size_t *num_domains )
4201 {
4202 struct winbindd_tdc_domain *list = NULL;
4203 size_t i, idx;
4204 bool set_only = false;
4205
4206 /* don't allow duplicates */
4207
4208 idx = *num_domains;
4209 list = *domains;
4210
4211 for ( i=0; i< (*num_domains); i++ ) {
4212 if ( strequal( new_dom->name, list[i].domain_name ) ) {
4213 DEBUG(10,("add_wbdomain_to_tdc_array: Found existing record for %s\n",
4214 new_dom->name));
4215 idx = i;
4216 set_only = true;
4217
4218 break;
4219 }
4220 }
4221
4222 if ( !set_only ) {
4223 if ( !*domains ) {
4224 list = talloc_array( NULL, struct winbindd_tdc_domain, 1 );
4225 idx = 0;
4226 } else {
4227 list = talloc_realloc( *domains, *domains,
4228 struct winbindd_tdc_domain,
4229 (*num_domains)+1);
4230 idx = *num_domains;
4231 }
4232
4233 ZERO_STRUCT( list[idx] );
4234 }
4235
4236 if ( !list )
4237 return false;
4238
4239 list[idx].domain_name = talloc_strdup(list, new_dom->name);
4240 if (list[idx].domain_name == NULL) {
4241 return false;
4242 }
4243 if (new_dom->alt_name != NULL) {
4244 list[idx].dns_name = talloc_strdup(list, new_dom->alt_name);
4245 if (list[idx].dns_name == NULL) {
4246 return false;
4247 }
4248 }
4249
4250 if ( !is_null_sid( &new_dom->sid ) ) {
4251 sid_copy( &list[idx].sid, &new_dom->sid );
4252 } else {
4253 sid_copy(&list[idx].sid, &global_sid_NULL);
4254 }
4255
4256 if ( new_dom->domain_flags != 0x0 )
4257 list[idx].trust_flags = new_dom->domain_flags;
4258
4259 if ( new_dom->domain_type != 0x0 )
4260 list[idx].trust_type = new_dom->domain_type;
4261
4262 if ( new_dom->domain_trust_attribs != 0x0 )
4263 list[idx].trust_attribs = new_dom->domain_trust_attribs;
4264
4265 if ( !set_only ) {
4266 *domains = list;
4267 *num_domains = idx + 1;
4268 }
4269
4270 return true;
4271 }
4272
4273 /*********************************************************************
4274 ********************************************************************/
4275
4276 static TDB_DATA make_tdc_key( const char *domain_name )
4277 {
4278 char *keystr = NULL;
4279 TDB_DATA key = { NULL, 0 };
4280
4281 if ( !domain_name ) {
4282 DEBUG(5,("make_tdc_key: Keyname workgroup is NULL!\n"));
4283 return key;
4284 }
4285
4286 if (asprintf( &keystr, "TRUSTDOMCACHE/%s", domain_name ) == -1) {
4287 return key;
4288 }
4289 key = string_term_tdb_data(keystr);
4290
4291 return key;
4292 }
4293
4294 /*********************************************************************
4295 ********************************************************************/
4296
4297 static int pack_tdc_domains( struct winbindd_tdc_domain *domains,
4298 size_t num_domains,
4299 unsigned char **buf )
4300 {
4301 unsigned char *buffer = NULL;
4302 int len = 0;
4303 int buflen = 0;
4304 size_t i = 0;
4305
4306 DEBUG(10,("pack_tdc_domains: Packing %d trusted domains\n",
4307 (int)num_domains));
4308
4309 buflen = 0;
4310
4311 again:
4312 len = 0;
4313
4314 /* Store the number of array items first */
4315 len += tdb_pack( buffer ? buffer+len : NULL,
4316 buffer ? buflen-len : 0, "d",
4317 num_domains );
4318
4319 /* now pack each domain trust record */
4320 for ( i=0; i<num_domains; i++ ) {
4321
4322 struct dom_sid_buf tmp;
4323
4324 if ( buflen > 0 ) {
4325 DEBUG(10,("pack_tdc_domains: Packing domain %s (%s)\n",
4326 domains[i].domain_name,
4327 domains[i].dns_name ? domains[i].dns_name : "UNKNOWN" ));
4328 }
4329
4330 len += tdb_pack( buffer ? buffer+len : NULL,
4331 buffer ? buflen-len : 0, "fffddd",
4332 domains[i].domain_name,
4333 domains[i].dns_name ? domains[i].dns_name : "",
4334 dom_sid_str_buf(&domains[i].sid, &tmp),
4335 domains[i].trust_flags,
4336 domains[i].trust_attribs,
4337 domains[i].trust_type );
4338 }
4339
4340 if ( buflen < len ) {
4341 SAFE_FREE(buffer);
4342 if ( (buffer = SMB_MALLOC_ARRAY(unsigned char, len)) == NULL ) {
4343 DEBUG(0,("pack_tdc_domains: failed to alloc buffer!\n"));
4344 buflen = -1;
4345 goto done;
4346 }
4347 buflen = len;
4348 goto again;
4349 }
4350
4351 *buf = buffer;
4352
4353 done:
4354 return buflen;
4355 }
4356
4357 /*********************************************************************
4358 ********************************************************************/
4359
4360 static size_t unpack_tdc_domains( unsigned char *buf, int buflen,
4361 struct winbindd_tdc_domain **domains )
4362 {
4363 fstring domain_name, dns_name, sid_string;
4364 uint32_t type, attribs, flags;
4365 int num_domains;
4366 int len = 0;
4367 int i;
4368 struct winbindd_tdc_domain *list = NULL;
4369
4370 /* get the number of domains */
4371 len += tdb_unpack( buf+len, buflen-len, "d", &num_domains);
4372 if ( len == -1 ) {
4373 DEBUG(5,("unpack_tdc_domains: Failed to unpack domain array\n"));
4374 return 0;
4375 }
4376
4377 list = talloc_array( NULL, struct winbindd_tdc_domain, num_domains );
4378 if ( !list ) {
4379 DEBUG(0,("unpack_tdc_domains: Failed to talloc() domain list!\n"));
4380 return 0;
4381 }
4382
4383 for ( i=0; i<num_domains; i++ ) {
4384 int this_len;
4385
4386 this_len = tdb_unpack( buf+len, buflen-len, "fffddd",
4387 domain_name,
4388 dns_name,
4389 sid_string,
4390 &flags,
4391 &attribs,
4392 &type );
4393
4394 if ( this_len == -1 ) {
4395 DEBUG(5,("unpack_tdc_domains: Failed to unpack domain array\n"));
4396 TALLOC_FREE( list );
4397 return 0;
4398 }
4399 len += this_len;
4400
4401 DEBUG(11,("unpack_tdc_domains: Unpacking domain %s (%s) "
4402 "SID %s, flags = 0x%x, attribs = 0x%x, type = 0x%x\n",
4403 domain_name, dns_name, sid_string,
4404 flags, attribs, type));
4405
4406 list[i].domain_name = talloc_strdup( list, domain_name );
4407 list[i].dns_name = NULL;
4408 if (dns_name[0] != '\0') {
4409 list[i].dns_name = talloc_strdup(list, dns_name);
4410 }
4411 if ( !string_to_sid( &(list[i].sid), sid_string ) ) {
4412 DEBUG(10,("unpack_tdc_domains: no SID for domain %s\n",
4413 domain_name));
4414 }
4415 list[i].trust_flags = flags;
4416 list[i].trust_attribs = attribs;
4417 list[i].trust_type = type;
4418 }
4419
4420 *domains = list;
4421
4422 return num_domains;
4423 }
4424
4425 /*********************************************************************
4426 ********************************************************************/
4427
4428 static bool wcache_tdc_store_list( struct winbindd_tdc_domain *domains, size_t num_domains )
4429 {
4430 TDB_DATA key = make_tdc_key( lp_workgroup() );
4431 TDB_DATA data = { NULL, 0 };
4432 int ret;
4433
4434 if ( !key.dptr )
4435 return false;
4436
4437 /* See if we were asked to delete the cache entry */
4438
4439 if ( !domains ) {
4440 ret = tdb_delete( wcache->tdb, key );
4441 goto done;
4442 }
4443
4444 data.dsize = pack_tdc_domains( domains, num_domains, &data.dptr );
4445
4446 if ( !data.dptr ) {
4447 ret = -1;
4448 goto done;
4449 }
4450
4451 ret = tdb_store( wcache->tdb, key, data, 0 );
4452
4453 done:
4454 SAFE_FREE( data.dptr );
4455 SAFE_FREE( key.dptr );
4456
4457 return ( ret == 0 );
4458 }
4459
4460 /*********************************************************************
4461 ********************************************************************/
4462
4463 bool wcache_tdc_fetch_list( struct winbindd_tdc_domain **domains, size_t *num_domains )
4464 {
4465 TDB_DATA key = make_tdc_key( lp_workgroup() );
4466 TDB_DATA data = { NULL, 0 };
4467
4468 *domains = NULL;
4469 *num_domains = 0;
4470
4471 if ( !key.dptr )
4472 return false;
4473
4474 data = tdb_fetch( wcache->tdb, key );
4475
4476 SAFE_FREE( key.dptr );
4477
4478 if ( !data.dptr )
4479 return false;
4480
4481 *num_domains = unpack_tdc_domains( data.dptr, data.dsize, domains );
4482
4483 SAFE_FREE( data.dptr );
4484
4485 if ( !*domains )
4486 return false;
4487
4488 return true;
4489 }
4490
4491 /*********************************************************************
4492 ********************************************************************/
4493
4494 bool wcache_tdc_add_domain( struct winbindd_domain *domain )
4495 {
4496 struct winbindd_tdc_domain *dom_list = NULL;
4497 size_t num_domains = 0;
4498 bool ret = false;
4499 struct dom_sid_buf buf;
4500
4501 DEBUG(10,("wcache_tdc_add_domain: Adding domain %s (%s), SID %s, "
4502 "flags = 0x%x, attributes = 0x%x, type = 0x%x\n",
4503 domain->name, domain->alt_name,
4504 dom_sid_str_buf(&domain->sid, &buf),
4505 domain->domain_flags,
4506 domain->domain_trust_attribs,
4507 domain->domain_type));
4508
4509 if ( !init_wcache() ) {
4510 return false;
4511 }
4512
4513 /* fetch the list */
4514
4515 wcache_tdc_fetch_list( &dom_list, &num_domains );
4516
4517 /* add the new domain */
4518
4519 if ( !add_wbdomain_to_tdc_array( domain, &dom_list, &num_domains ) ) {
4520 goto done;
4521 }
4522
4523 /* pack the domain */
4524
4525 if ( !wcache_tdc_store_list( dom_list, num_domains ) ) {
4526 goto done;
4527 }
4528
4529 /* Success */
4530
4531 ret = true;
4532 done:
4533 TALLOC_FREE( dom_list );
4534
4535 return ret;
4536 }
4537
4538 static struct winbindd_tdc_domain *wcache_tdc_dup_domain(
4539 TALLOC_CTX *mem_ctx, const struct winbindd_tdc_domain *src)
4540 {
4541 struct winbindd_tdc_domain *dst;
4542
4543 dst = talloc(mem_ctx, struct winbindd_tdc_domain);
4544 if (dst == NULL) {
4545 goto fail;
4546 }
4547 dst->domain_name = talloc_strdup(dst, src->domain_name);
4548 if (dst->domain_name == NULL) {
4549 goto fail;
4550 }
4551
4552 dst->dns_name = NULL;
4553 if (src->dns_name != NULL) {
4554 dst->dns_name = talloc_strdup(dst, src->dns_name);
4555 if (dst->dns_name == NULL) {
4556 goto fail;
4557 }
4558 }
4559
4560 sid_copy(&dst->sid, &src->sid);
4561 dst->trust_flags = src->trust_flags;
4562 dst->trust_type = src->trust_type;
4563 dst->trust_attribs = src->trust_attribs;
4564 return dst;
4565 fail:
4566 TALLOC_FREE(dst);
4567 return NULL;
4568 }
4569
4570 /*********************************************************************
4571 ********************************************************************/
4572
4573 struct winbindd_tdc_domain * wcache_tdc_fetch_domain( TALLOC_CTX *ctx, const char *name )
4574 {
4575 struct winbindd_tdc_domain *dom_list = NULL;
4576 size_t num_domains = 0;
4577 size_t i;
4578 struct winbindd_tdc_domain *d = NULL;
4579
4580 DEBUG(10,("wcache_tdc_fetch_domain: Searching for domain %s\n", name));
4581
4582 if ( !init_wcache() ) {
4583 return NULL;
4584 }
4585
4586 /* fetch the list */
4587
4588 wcache_tdc_fetch_list( &dom_list, &num_domains );
4589
4590 for ( i=0; i<num_domains; i++ ) {
4591 if ( strequal(name, dom_list[i].domain_name) ||
4592 strequal(name, dom_list[i].dns_name) )
4593 {
4594 DEBUG(10,("wcache_tdc_fetch_domain: Found domain %s\n",
4595 name));
4596
4597 d = wcache_tdc_dup_domain(ctx, &dom_list[i]);
4598 break;
4599 }
4600 }
4601
4602 TALLOC_FREE( dom_list );
4603
4604 return d;
4605 }
4606
4607 /*********************************************************************
4608 ********************************************************************/
4609
4610 void wcache_tdc_clear( void )
4611 {
4612 if ( !init_wcache() )
4613 return;
4614
4615 wcache_tdc_store_list( NULL, 0 );
4616
4617 return;
4618 }
4619
4620 static bool wcache_ndr_key(TALLOC_CTX *mem_ctx, const char *domain_name,
4621 uint32_t opnum, const DATA_BLOB *req,
4622 TDB_DATA *pkey)
4623 {
4624 char *key;
4625 size_t keylen;
4626
4627 key = talloc_asprintf(mem_ctx, "NDR/%s/%d/", domain_name, (int)opnum);
4628 if (key == NULL) {
4629 return false;
4630 }
4631 keylen = talloc_get_size(key) - 1;
4632
4633 key = talloc_realloc(mem_ctx, key, char, keylen + req->length);
4634 if (key == NULL) {
4635 return false;
4636 }
4637 memcpy(key + keylen, req->data, req->length);
4638
4639 pkey->dptr = (uint8_t *)key;
4640 pkey->dsize = talloc_get_size(key);
4641 return true;
4642 }
4643
4644 static bool wcache_opnum_cacheable(uint32_t opnum)
4645 {
4646 switch (opnum) {
4647 case NDR_WBINT_PING:
4648 case NDR_WBINT_QUERYSEQUENCENUMBER:
4649 case NDR_WBINT_ALLOCATEUID:
4650 case NDR_WBINT_ALLOCATEGID:
4651 case NDR_WBINT_CHECKMACHINEACCOUNT:
4652 case NDR_WBINT_CHANGEMACHINEACCOUNT:
4653 case NDR_WBINT_PINGDC:
4654 return false;
4655 }
4656 return true;
4657 }
4658
4659 bool wcache_fetch_ndr(TALLOC_CTX *mem_ctx, struct winbindd_domain *domain,
4660 uint32_t opnum, const DATA_BLOB *req, DATA_BLOB *resp)
4661 {
4662 TDB_DATA key, data;
4663 bool ret = false;
4664
4665 if (!wcache_opnum_cacheable(opnum) ||
4666 is_my_own_sam_domain(domain) ||
4667 is_builtin_domain(domain)) {
4668 return false;
4669 }
4670
4671 if (wcache->tdb == NULL) {
4672 return false;
4673 }
4674
4675 if (!wcache_ndr_key(talloc_tos(), domain->name, opnum, req, &key)) {
4676 return false;
4677 }
4678 data = tdb_fetch(wcache->tdb, key);
4679 TALLOC_FREE(key.dptr);
4680
4681 if (data.dptr == NULL) {
4682 return false;
4683 }
4684 if (data.dsize < 12) {
4685 goto fail;
4686 }
4687
4688 if (is_domain_online(domain)) {
4689 uint32_t entry_seqnum, dom_seqnum, last_check;
4690 uint64_t entry_timeout;
4691
4692 if (!wcache_fetch_seqnum(domain->name, &dom_seqnum,
4693 &last_check)) {
4694 goto fail;
4695 }
4696 entry_seqnum = IVAL(data.dptr, 0);
4697 if (entry_seqnum != dom_seqnum) {
4698 DEBUG(10, ("Entry has wrong sequence number: %d\n",
4699 (int)entry_seqnum));
4700 goto fail;
4701 }
4702 entry_timeout = BVAL(data.dptr, 4);
4703 if (time(NULL) > (time_t)entry_timeout) {
4704 DEBUG(10, ("Entry has timed out\n"));
4705 goto fail;
4706 }
4707 }
4708
4709 resp->data = (uint8_t *)talloc_memdup(mem_ctx, data.dptr + 12,
4710 data.dsize - 12);
4711 if (resp->data == NULL) {
4712 DEBUG(10, ("talloc failed\n"));
4713 goto fail;
4714 }
4715 resp->length = data.dsize - 12;
4716
4717 ret = true;
4718 fail:
4719 SAFE_FREE(data.dptr);
4720 return ret;
4721 }
4722
4723 void wcache_store_ndr(struct winbindd_domain *domain, uint32_t opnum,
4724 const DATA_BLOB *req, const DATA_BLOB *resp)
4725 {
4726 TDB_DATA key, data;
4727 uint32_t dom_seqnum, last_check;
4728 uint64_t timeout;
4729
4730 if (!wcache_opnum_cacheable(opnum) ||
4731 is_my_own_sam_domain(domain) ||
4732 is_builtin_domain(domain)) {
4733 return;
4734 }
4735
4736 if (wcache->tdb == NULL) {
4737 return;
4738 }
4739
4740 if (!wcache_fetch_seqnum(domain->name, &dom_seqnum, &last_check)) {
4741 DEBUG(10, ("could not fetch seqnum for domain %s\n",
4742 domain->name));
4743 return;
4744 }
4745
4746 if (!wcache_ndr_key(talloc_tos(), domain->name, opnum, req, &key)) {
4747 return;
4748 }
4749
4750 timeout = time(NULL) + lp_winbind_cache_time();
4751
4752 data.dsize = resp->length + 12;
4753 data.dptr = talloc_array(key.dptr, uint8_t, data.dsize);
4754 if (data.dptr == NULL) {
4755 goto done;
4756 }
4757
4758 SIVAL(data.dptr, 0, dom_seqnum);
4759 SBVAL(data.dptr, 4, timeout);
4760 memcpy(data.dptr + 12, resp->data, resp->length);
4761
4762 tdb_store(wcache->tdb, key, data, 0);
4763
4764 done:
4765 TALLOC_FREE(key.dptr);
4766 return;
4767 }
Samba GIT mirror