2 Unix SMB/CIFS implementation.
4 Winbind daemon - krb5 credential cache funcions
6 Copyright (C) Guenther Deschner 2005
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 #define DBGC_CLASS DBGC_WINBIND
28 #define MAX_CCACHES 100
30 static struct WINBINDD_CCACHE_ENTRY
*ccache_list
;
32 static TALLOC_CTX
*mem_ctx
;
34 const char *get_ccache_name_by_username(const char *username
)
36 struct WINBINDD_CCACHE_ENTRY
*entry
;
38 for (entry
= ccache_list
; entry
; entry
= entry
->next
) {
39 if (strequal(entry
->username
, username
)) {
46 struct WINBINDD_CCACHE_ENTRY
*get_ccache_by_username(const char *username
)
48 struct WINBINDD_CCACHE_ENTRY
*entry
;
50 for (entry
= ccache_list
; entry
; entry
= entry
->next
) {
51 if (strequal(entry
->username
, username
)) {
58 static int ccache_entry_count(void)
60 struct WINBINDD_CCACHE_ENTRY
*entry
;
63 for (entry
= ccache_list
; entry
; entry
= entry
->next
) {
69 NTSTATUS
remove_ccache_by_ccname(const char *ccname
)
71 struct WINBINDD_CCACHE_ENTRY
*entry
;
73 for (entry
= ccache_list
; entry
; entry
= entry
->next
) {
74 if (strequal(entry
->ccname
, ccname
)) {
75 DLIST_REMOVE(ccache_list
, entry
);
76 TALLOC_FREE(entry
->event
); /* unregisters events */
79 size_t len
= strlen(entry
->pass
)+1;
81 DEBUG(10,("unlocking memory: %p\n", entry
->pass
));
83 memset(entry
->pass
, 0, len
);
84 if ((munlock(entry
->pass
, len
)) == -1) {
85 DEBUG(0,("failed to munlock memory: %s (%d)\n",
86 strerror(errno
), errno
));
87 return map_nt_error_from_unix(errno
);
90 DEBUG(10,("munlocked memory: %p\n", entry
->pass
));
93 #endif /* HAVE_MUNLOCK */
95 DEBUG(10,("remove_ccache_by_ccname: removed ccache %s\n", ccname
));
99 return NT_STATUS_OBJECT_NAME_NOT_FOUND
;
102 static void krb5_ticket_refresh_handler(struct timed_event
*te
,
103 const struct timeval
*now
,
106 struct WINBINDD_CCACHE_ENTRY
*entry
=
107 talloc_get_type_abort(private_data
, struct WINBINDD_CCACHE_ENTRY
);
113 DEBUG(10,("krb5_ticket_refresh_handler called\n"));
114 DEBUGADD(10,("event called for: %s, %s\n", entry
->ccname
, entry
->username
));
116 TALLOC_FREE(entry
->event
);
120 /* Kinit again if we have the user password and we can't renew the old
123 if ((entry
->renew_until
< time(NULL
)) && (entry
->pass
!= NULL
)) {
125 set_effective_uid(entry
->uid
);
127 ret
= kerberos_kinit_password_ext(entry
->principal_name
,
129 0, /* hm, can we do time correction here ? */
130 &entry
->refresh_time
,
133 False
, /* no PAC required anymore */
135 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME
);
136 gain_root_privilege();
139 DEBUG(3,("could not re-kinit: %s\n", error_message(ret
)));
140 TALLOC_FREE(entry
->event
);
144 DEBUG(10,("successful re-kinit for: %s in ccache: %s\n",
145 entry
->principal_name
, entry
->ccname
));
147 new_start
= entry
->refresh_time
;
152 set_effective_uid(entry
->uid
);
154 ret
= smb_krb5_renew_ticket(entry
->ccname
,
155 entry
->principal_name
,
158 gain_root_privilege();
161 DEBUG(3,("could not renew tickets: %s\n", error_message(ret
)));
162 /* maybe we are beyond the renewing window */
168 t
= timeval_set(new_start
, 0);
170 entry
->event
= add_timed_event(mem_ctx
,
172 "krb5_ticket_refresh_handler",
173 krb5_ticket_refresh_handler
,
179 NTSTATUS
add_ccache_to_list(const char *princ_name
,
182 const char *username
,
183 const char *sid_string
,
189 BOOL schedule_refresh_event
)
191 struct WINBINDD_CCACHE_ENTRY
*new_entry
= NULL
;
192 struct WINBINDD_CCACHE_ENTRY
*old_entry
= NULL
;
195 if ((username
== NULL
&& sid_string
== NULL
&& princ_name
== NULL
) ||
197 return NT_STATUS_INVALID_PARAMETER
;
200 status
= init_ccache_list();
201 if (!NT_STATUS_IS_OK(status
)) {
205 if (mem_ctx
== NULL
) {
206 return NT_STATUS_NO_MEMORY
;
209 if (ccache_entry_count() + 1 > MAX_CCACHES
) {
210 DEBUG(10,("add_ccache_to_list: max number of ccaches reached\n"));
211 return NT_STATUS_NO_MORE_ENTRIES
;
214 /* get rid of old entries */
215 old_entry
= get_ccache_by_username(username
);
217 status
= remove_ccache_by_ccname(old_entry
->ccname
);
218 if (!NT_STATUS_IS_OK(status
)) {
219 DEBUG(10,("add_ccache_to_list: failed to delete old ccache entry\n"));
224 new_entry
= TALLOC_P(mem_ctx
, struct WINBINDD_CCACHE_ENTRY
);
225 if (new_entry
== NULL
) {
226 return NT_STATUS_NO_MEMORY
;
229 ZERO_STRUCTP(new_entry
);
232 new_entry
->username
= talloc_strdup(mem_ctx
, username
);
233 NT_STATUS_HAVE_NO_MEMORY(new_entry
->username
);
236 new_entry
->sid_string
= talloc_strdup(mem_ctx
, sid_string
);
237 NT_STATUS_HAVE_NO_MEMORY(new_entry
->sid_string
);
240 new_entry
->principal_name
= talloc_strdup(mem_ctx
, princ_name
);
241 NT_STATUS_HAVE_NO_MEMORY(new_entry
->principal_name
);
244 new_entry
->service
= talloc_strdup(mem_ctx
, service
);
245 NT_STATUS_HAVE_NO_MEMORY(new_entry
->service
);
248 if (schedule_refresh_event
&& pass
) {
250 size_t len
= strlen(pass
)+1;
252 new_entry
->pass
= TALLOC_ZERO(mem_ctx
, len
);
253 NT_STATUS_HAVE_NO_MEMORY(new_entry
->pass
);
255 #ifdef DEBUG_PASSWORD
256 DEBUG(10,("mlocking memory: %p\n", new_entry
->pass
));
258 if ((mlock(new_entry
->pass
, len
)) == -1) {
259 DEBUG(0,("failed to mlock memory: %s (%d)\n",
260 strerror(errno
), errno
));
261 return map_nt_error_from_unix(errno
);
264 #ifdef DEBUG_PASSWORD
265 DEBUG(10,("mlocked memory: %p\n", new_entry
->pass
));
267 memcpy(new_entry
->pass
, pass
, len
);
269 new_entry
->pass
= talloc_strdup(mem_ctx
, pass
);
270 NT_STATUS_HAVE_NO_MEMORY(new_entry
->pass
);
271 #endif /* HAVE_MLOCK */
274 new_entry
->create_time
= create_time
;
275 new_entry
->renew_until
= renew_until
;
276 new_entry
->ccname
= talloc_strdup(mem_ctx
, ccname
);
277 if (new_entry
->ccname
== NULL
) {
278 return NT_STATUS_NO_MEMORY
;
280 new_entry
->uid
= uid
;
283 if (schedule_refresh_event
&& renew_until
> 0) {
285 struct timeval t
= timeval_set((ticket_end
-1 ), 0);
287 new_entry
->event
= add_timed_event(mem_ctx
,
289 "krb5_ticket_refresh_handler",
290 krb5_ticket_refresh_handler
,
294 DLIST_ADD(ccache_list
, new_entry
);
296 DEBUG(10,("add_ccache_to_list: added ccache [%s] for user [%s] to the list\n", ccname
, username
));
301 NTSTATUS
destroy_ccache_list(void)
303 #ifdef HAVE_MUNLOCKALL
304 if ((munlockall()) == -1) {
305 DEBUG(0,("failed to unlock memory: %s (%d)\n",
306 strerror(errno
), errno
));
307 return map_nt_error_from_unix(errno
);
309 #endif /* HAVE_MUNLOCKALL */
310 return talloc_destroy(mem_ctx
) ? NT_STATUS_OK
: NT_STATUS_UNSUCCESSFUL
;
313 NTSTATUS
init_ccache_list(void)
319 mem_ctx
= talloc_init("winbindd_ccache_krb5_handling");
320 if (mem_ctx
== NULL
) {
321 return NT_STATUS_NO_MEMORY
;
324 ZERO_STRUCTP(ccache_list
);