search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r16792: minor (but critical fixes) from Jeremy, Volker, & Guenther
[Samba.git] / source / nsswitch / winbindd_cred_cache.c
blobf5003ac8c6342df4fb7dcb25af4be13f38b31b15
1 /*
2 Unix SMB/CIFS implementation.
3
4 Winbind daemon - krb5 credential cache funcions
5
6 Copyright (C) Guenther Deschner 2005
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 2 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program; if not, write to the Free Software
20 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
21 */
22
23 #include "includes.h"
24 #include "winbindd.h"
25 #undef DBGC_CLASS
26 #define DBGC_CLASS DBGC_WINBIND
27
28 #define MAX_CCACHES 100
29
30 static struct WINBINDD_CCACHE_ENTRY *ccache_list;
31
32 static TALLOC_CTX *mem_ctx;
33
34 const char *get_ccache_name_by_username(const char *username)
35 {
36 struct WINBINDD_CCACHE_ENTRY *entry;
37
38 for (entry = ccache_list; entry; entry = entry->next) {
39 if (strequal(entry->username, username)) {
40 return entry->ccname;
41 }
42 }
43 return NULL;
44 }
45
46 struct WINBINDD_CCACHE_ENTRY *get_ccache_by_username(const char *username)
47 {
48 struct WINBINDD_CCACHE_ENTRY *entry;
49
50 for (entry = ccache_list; entry; entry = entry->next) {
51 if (strequal(entry->username, username)) {
52 return entry;
53 }
54 }
55 return NULL;
56 }
57
58 static int ccache_entry_count(void)
59 {
60 struct WINBINDD_CCACHE_ENTRY *entry;
61 int i = 0;
62
63 for (entry = ccache_list; entry; entry = entry->next) {
64 i++;
65 }
66 return i;
67 }
68
69 NTSTATUS remove_ccache_by_ccname(const char *ccname)
70 {
71 struct WINBINDD_CCACHE_ENTRY *entry;
72
73 for (entry = ccache_list; entry; entry = entry->next) {
74 if (strequal(entry->ccname, ccname)) {
75 DLIST_REMOVE(ccache_list, entry);
76 TALLOC_FREE(entry->event); /* unregisters events */
77 #ifdef HAVE_MUNLOCK
78 if (entry->pass) {
79 size_t len = strlen(entry->pass)+1;
80 #ifdef DEBUG_PASSWORD
81 DEBUG(10,("unlocking memory: %p\n", entry->pass));
82 #endif
83 memset(entry->pass, 0, len);
84 if ((munlock(entry->pass, len)) == -1) {
85 DEBUG(0,("failed to munlock memory: %s (%d)\n",
86 strerror(errno), errno));
87 return map_nt_error_from_unix(errno);
88 }
89 #ifdef DEBUG_PASSWORD
90 DEBUG(10,("munlocked memory: %p\n", entry->pass));
91 #endif
92 }
93 #endif /* HAVE_MUNLOCK */
94 TALLOC_FREE(entry);
95 DEBUG(10,("remove_ccache_by_ccname: removed ccache %s\n", ccname));
96 return NT_STATUS_OK;
97 }
98 }
99 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
100 }
101
102 static void krb5_ticket_refresh_handler(struct timed_event *te,
103 const struct timeval *now,
104 void *private_data)
105 {
106 struct WINBINDD_CCACHE_ENTRY *entry =
107 talloc_get_type_abort(private_data, struct WINBINDD_CCACHE_ENTRY);
108 int ret;
109 time_t new_start;
110 struct timeval t;
111
112
113 DEBUG(10,("krb5_ticket_refresh_handler called\n"));
114 DEBUGADD(10,("event called for: %s, %s\n", entry->ccname, entry->username));
115
116 TALLOC_FREE(entry->event);
117
118 #ifdef HAVE_KRB5
119
120 /* Kinit again if we have the user password and we can't renew the old
121 * tgt anymore */
122
123 if ((entry->renew_until < time(NULL)) && (entry->pass != NULL)) {
124
125 set_effective_uid(entry->uid);
126
127 ret = kerberos_kinit_password_ext(entry->principal_name,
128 entry->pass,
129 0, /* hm, can we do time correction here ? */
130 &entry->refresh_time,
131 &entry->renew_until,
132 entry->ccname,
133 False, /* no PAC required anymore */
134 True,
135 WINBINDD_PAM_AUTH_KRB5_RENEW_TIME);
136 gain_root_privilege();
137
138 if (ret) {
139 DEBUG(3,("could not re-kinit: %s\n", error_message(ret)));
140 TALLOC_FREE(entry->event);
141 return;
142 }
143
144 DEBUG(10,("successful re-kinit for: %s in ccache: %s\n",
145 entry->principal_name, entry->ccname));
146
147 new_start = entry->refresh_time;
148
149 goto done;
150 }
151
152 set_effective_uid(entry->uid);
153
154 ret = smb_krb5_renew_ticket(entry->ccname,
155 entry->principal_name,
156 entry->service,
157 &new_start);
158 gain_root_privilege();
159
160 if (ret) {
161 DEBUG(3,("could not renew tickets: %s\n", error_message(ret)));
162 /* maybe we are beyond the renewing window */
163 return;
164 }
165
166 done:
167
168 t = timeval_set(new_start, 0);
169
170 entry->event = add_timed_event(mem_ctx,
171 t,
172 "krb5_ticket_refresh_handler",
173 krb5_ticket_refresh_handler,
174 entry);
175
176 #endif
177 }
178
179 NTSTATUS add_ccache_to_list(const char *princ_name,
180 const char *ccname,
181 const char *service,
182 const char *username,
183 const char *sid_string,
184 const char *pass,
185 uid_t uid,
186 time_t create_time,
187 time_t ticket_end,
188 time_t renew_until,
189 BOOL schedule_refresh_event)
190 {
191 struct WINBINDD_CCACHE_ENTRY *new_entry = NULL;
192 struct WINBINDD_CCACHE_ENTRY *old_entry = NULL;
193 NTSTATUS status;
194
195 if ((username == NULL && sid_string == NULL && princ_name == NULL) ||
196 ccname == NULL) {
197 return NT_STATUS_INVALID_PARAMETER;
198 }
199
200 status = init_ccache_list();
201 if (!NT_STATUS_IS_OK(status)) {
202 return status;
203 }
204
205 if (mem_ctx == NULL) {
206 return NT_STATUS_NO_MEMORY;
207 }
208
209 if (ccache_entry_count() + 1 > MAX_CCACHES) {
210 DEBUG(10,("add_ccache_to_list: max number of ccaches reached\n"));
211 return NT_STATUS_NO_MORE_ENTRIES;
212 }
213
214 /* get rid of old entries */
215 old_entry = get_ccache_by_username(username);
216 if (old_entry) {
217 status = remove_ccache_by_ccname(old_entry->ccname);
218 if (!NT_STATUS_IS_OK(status)) {
219 DEBUG(10,("add_ccache_to_list: failed to delete old ccache entry\n"));
220 return status;
221 }
222 }
223
224 new_entry = TALLOC_P(mem_ctx, struct WINBINDD_CCACHE_ENTRY);
225 if (new_entry == NULL) {
226 return NT_STATUS_NO_MEMORY;
227 }
228
229 ZERO_STRUCTP(new_entry);
230
231 if (username) {
232 new_entry->username = talloc_strdup(mem_ctx, username);
233 NT_STATUS_HAVE_NO_MEMORY(new_entry->username);
234 }
235 if (sid_string) {
236 new_entry->sid_string = talloc_strdup(mem_ctx, sid_string);
237 NT_STATUS_HAVE_NO_MEMORY(new_entry->sid_string);
238 }
239 if (princ_name) {
240 new_entry->principal_name = talloc_strdup(mem_ctx, princ_name);
241 NT_STATUS_HAVE_NO_MEMORY(new_entry->principal_name);
242 }
243 if (service) {
244 new_entry->service = talloc_strdup(mem_ctx, service);
245 NT_STATUS_HAVE_NO_MEMORY(new_entry->service);
246 }
247
248 if (schedule_refresh_event && pass) {
249 #ifdef HAVE_MLOCK
250 size_t len = strlen(pass)+1;
251
252 new_entry->pass = TALLOC_ZERO(mem_ctx, len);
253 NT_STATUS_HAVE_NO_MEMORY(new_entry->pass);
254
255 #ifdef DEBUG_PASSWORD
256 DEBUG(10,("mlocking memory: %p\n", new_entry->pass));
257 #endif
258 if ((mlock(new_entry->pass, len)) == -1) {
259 DEBUG(0,("failed to mlock memory: %s (%d)\n",
260 strerror(errno), errno));
261 return map_nt_error_from_unix(errno);
262 }
263
264 #ifdef DEBUG_PASSWORD
265 DEBUG(10,("mlocked memory: %p\n", new_entry->pass));
266 #endif
267 memcpy(new_entry->pass, pass, len);
268 #else
269 new_entry->pass = talloc_strdup(mem_ctx, pass);
270 NT_STATUS_HAVE_NO_MEMORY(new_entry->pass);
271 #endif /* HAVE_MLOCK */
272 }
273
274 new_entry->create_time = create_time;
275 new_entry->renew_until = renew_until;
276 new_entry->ccname = talloc_strdup(mem_ctx, ccname);
277 if (new_entry->ccname == NULL) {
278 return NT_STATUS_NO_MEMORY;
279 }
280 new_entry->uid = uid;
281
282
283 if (schedule_refresh_event && renew_until > 0) {
284
285 struct timeval t = timeval_set((ticket_end -1 ), 0);
286
287 new_entry->event = add_timed_event(mem_ctx,
288 t,
289 "krb5_ticket_refresh_handler",
290 krb5_ticket_refresh_handler,
291 new_entry);
292 }
293
294 DLIST_ADD(ccache_list, new_entry);
295
296 DEBUG(10,("add_ccache_to_list: added ccache [%s] for user [%s] to the list\n", ccname, username));
297
298 return NT_STATUS_OK;
299 }
300
301 NTSTATUS destroy_ccache_list(void)
302 {
303 #ifdef HAVE_MUNLOCKALL
304 if ((munlockall()) == -1) {
305 DEBUG(0,("failed to unlock memory: %s (%d)\n",
306 strerror(errno), errno));
307 return map_nt_error_from_unix(errno);
308 }
309 #endif /* HAVE_MUNLOCKALL */
310 return talloc_destroy(mem_ctx) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL;
311 }
312
313 NTSTATUS init_ccache_list(void)
314 {
315 if (ccache_list) {
316 return NT_STATUS_OK;
317 }
318
319 mem_ctx = talloc_init("winbindd_ccache_krb5_handling");
320 if (mem_ctx == NULL) {
321 return NT_STATUS_NO_MEMORY;
322 }
323
324 ZERO_STRUCTP(ccache_list);
325
326 return NT_STATUS_OK;
327 }
Samba GIT mirror