diff options
| author | Günther Deschner <gd@samba.org> | 2007-02-08 17:02:39 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:17:50 -0500 |
| commit | 69cee2a3ec4f39aab83a8cbf55307df182bf3065 (patch) | |
| tree | 9fa3b999223e30149041cbd17665f19f18abdb1c | |
| parent | e6ce37679f121672802ea69e21d16ea360364389 (diff) | |
| download | samba-69cee2a3ec4f39aab83a8cbf55307df182bf3065.tar.gz samba-69cee2a3ec4f39aab83a8cbf55307df182bf3065.tar.bz2 samba-69cee2a3ec4f39aab83a8cbf55307df182bf3065.zip | |
r21240: Fix longstanding Bug #4009.
For the winbind cached ADS LDAP connection handling
(ads_cached_connection()) we were (incorrectly) assuming that the
service ticket lifetime equaled the tgt lifetime. For setups where the
service ticket just lives 10 minutes, we were leaving hundreds of LDAP
connections in CLOSE_WAIT state, until we fail to service entirely with
"Too many open files".
Also sequence_number() in winbindd_ads.c needs to delete the cached LDAP
connection after the ads_do_search_retry() has failed to submit the
search request (although the bind succeeded (returning an expired
service ticket that we cannot delete from the memory cred cache - this
will get fixed later)).
Guenther
(This used to be commit 7e1a84b7226fb8dcd5d34c64a3478a6d886a9a91)
| -rw-r--r-- | source3/include/ads.h | 3 | ||||
| -rw-r--r-- | source3/include/includes.h | 2 | ||||
| -rw-r--r-- | source3/libads/kerberos.c | 6 | ||||
| -rw-r--r-- | source3/libads/ldap_utils.c | 4 | ||||
| -rw-r--r-- | source3/libads/sasl.c | 8 | ||||
| -rw-r--r-- | source3/libsmb/cliconnect.c | 2 | ||||
| -rw-r--r-- | source3/libsmb/clikrb5.c | 20 | ||||
| -rw-r--r-- | source3/libsmb/clispnego.c | 6 | ||||
| -rw-r--r-- | source3/nsswitch/idmap_ad.c | 13 | ||||
| -rw-r--r-- | source3/nsswitch/winbindd_ads.c | 32 | ||||
| -rw-r--r-- | source3/nsswitch/winbindd_pam.c | 3 | ||||
| -rw-r--r-- | source3/rpc_client/cli_pipe.c | 2 | ||||
| -rw-r--r-- | source3/utils/ntlm_auth.c | 4 |
13 files changed, 72 insertions, 33 deletions
diff --git a/source3/include/ads.h b/source3/include/ads.h index d97ae1531f..29df0d2f35 100644 --- a/source3/include/ads.h +++ b/source3/include/ads.h @@ -42,7 +42,8 @@ typedef struct { char *kdc_server; unsigned flags; int time_offset; - time_t expire; + time_t tgt_expire; + time_t tgs_expire; time_t renewable; } auth; diff --git a/source3/include/includes.h b/source3/include/includes.h index 8aaaba9799..3864faddb9 100644 --- a/source3/include/includes.h +++ b/source3/include/includes.h @@ -1165,7 +1165,7 @@ BOOL smb_krb5_principal_compare_any_realm(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2); int cli_krb5_get_ticket(const char *principal, time_t time_offset, - DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts, const char *ccname); + DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts, const char *ccname, time_t *tgs_expire); PAC_LOGON_INFO *get_logon_info_from_pac(PAC_DATA *pac_data); krb5_error_code smb_krb5_renew_ticket(const char *ccache_string, const char *client_string, const char *service_string, time_t *new_start_time); krb5_error_code kpasswd_err_to_krb5_err(krb5_error_code res_code); diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c index 92461bd9c1..8e8297b07e 100644 --- a/source3/libads/kerberos.c +++ b/source3/libads/kerberos.c @@ -110,6 +110,10 @@ int kerberos_kinit_password_ext(const char *principal, krb5_get_init_creds_opt_set_renew_life(opt, renewable_time); krb5_get_init_creds_opt_set_forwardable(opt, True); +#if 0 + /* insane testing */ + krb5_get_init_creds_opt_set_tkt_life(opt, 60); +#endif #ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST if (request_pac) { @@ -216,7 +220,7 @@ int ads_kinit_password(ADS_STRUCT *ads) } ret = kerberos_kinit_password_ext(s, ads->auth.password, ads->auth.time_offset, - &ads->auth.expire, NULL, NULL, False, False, ads->auth.renewable); + &ads->auth.tgt_expire, NULL, NULL, False, False, ads->auth.renewable); if (ret) { DEBUG(0,("kerberos_kinit_password %s failed: %s\n", diff --git a/source3/libads/ldap_utils.c b/source3/libads/ldap_utils.c index af9e9af2b8..1da51b3c5c 100644 --- a/source3/libads/ldap_utils.c +++ b/source3/libads/ldap_utils.c @@ -110,10 +110,10 @@ static ADS_STATUS ads_do_search_retry_internal(ADS_STRUCT *ads, const char *bind } SAFE_FREE(bp); - if (!ADS_ERR_OK(status)) + if (!ADS_ERR_OK(status)) { DEBUG(1,("ads reopen failed after error %s\n", ads_errstr(status))); - + } return status; } diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c index 7d1fd0d1a8..61fd54da1d 100644 --- a/source3/libads/sasl.c +++ b/source3/libads/sasl.c @@ -147,7 +147,8 @@ static ADS_STATUS ads_sasl_spnego_krb5_bind(ADS_STRUCT *ads, const char *princip DATA_BLOB session_key = data_blob(NULL, 0); int rc; - rc = spnego_gen_negTokenTarg(principal, ads->auth.time_offset, &blob, &session_key, 0); + rc = spnego_gen_negTokenTarg(principal, ads->auth.time_offset, &blob, &session_key, 0, + &ads->auth.tgs_expire); if (rc) { return ADS_ERROR_KRB5(rc); @@ -218,7 +219,7 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) #endif free(OIDs[i]); } - DEBUG(3,("ads_sasl_spnego_bind: got server principal name =%s\n", principal)); + DEBUG(3,("ads_sasl_spnego_bind: got server principal name = %s\n", principal)); #ifdef HAVE_KRB5 if (!(ads->auth.flags & ADS_AUTH_DISABLE_KERBEROS) && @@ -229,6 +230,9 @@ static ADS_STATUS ads_sasl_spnego_bind(ADS_STRUCT *ads) return status; } + DEBUG(10,("ads_sasl_spnego_krb5_bind failed with: %s, " + "calling kinit\n", ads_errstr(status))); + status = ADS_ERROR_KRB5(ads_kinit_password(ads)); if (ADS_ERR_OK(status)) { diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index f29449cfb2..2742d70194 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -554,7 +554,7 @@ static ADS_STATUS cli_session_setup_kerberos(struct cli_state *cli, const char * DEBUG(2,("Doing kerberos session setup\n")); /* generate the encapsulated kerberos5 ticket */ - rc = spnego_gen_negTokenTarg(principal, 0, &negTokenTarg, &session_key_krb5, 0); + rc = spnego_gen_negTokenTarg(principal, 0, &negTokenTarg, &session_key_krb5, 0, NULL); if (rc) { DEBUG(1, ("spnego_gen_negTokenTarg failed: %s\n", error_message(rc))); diff --git a/source3/libsmb/clikrb5.c b/source3/libsmb/clikrb5.c index 305139e1f4..f06a19b345 100644 --- a/source3/libsmb/clikrb5.c +++ b/source3/libsmb/clikrb5.c @@ -551,7 +551,8 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, const krb5_flags ap_req_options, const char *principal, krb5_ccache ccache, - krb5_data *outbuf) + krb5_data *outbuf, + time_t *expire_time) { krb5_error_code retval; krb5_principal server; @@ -584,6 +585,7 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, } while (!creds_ready && (i < maxtries)) { + if ((retval = krb5_get_credentials(context, 0, ccache, &creds, &credsp))) { DEBUG(1,("ads_krb5_mk_req: krb5_get_credentials failed for %s (%s)\n", @@ -599,8 +601,9 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, krb5_set_real_time(context, t + time_offset + 1, 0); } - if (!ads_cleanup_expired_creds(context, ccache, credsp)) + if (!ads_cleanup_expired_creds(context, ccache, credsp)) { creds_ready = True; + } i++; } @@ -610,6 +613,10 @@ static krb5_error_code ads_krb5_mk_req(krb5_context context, http_timestring((unsigned)credsp->times.endtime), (unsigned)credsp->times.endtime)); + if (expire_time) { + *expire_time = (time_t)credsp->times.endtime; + } + in_data.length = 0; retval = krb5_mk_req_extended(context, auth_context, ap_req_options, &in_data, credsp, outbuf); @@ -634,7 +641,9 @@ cleanup_princ: */ int cli_krb5_get_ticket(const char *principal, time_t time_offset, DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, - uint32 extra_ap_opts, const char *ccname) + uint32 extra_ap_opts, const char *ccname, + time_t *tgs_expire) + { krb5_error_code retval; krb5_data packet; @@ -678,7 +687,8 @@ int cli_krb5_get_ticket(const char *principal, time_t time_offset, &auth_context, AP_OPTS_USE_SUBKEY | (krb5_flags)extra_ap_opts, principal, - ccdef, &packet))) { + ccdef, &packet, + tgs_expire))) { goto failed; } @@ -1409,7 +1419,7 @@ done: /* this saves a few linking headaches */ int cli_krb5_get_ticket(const char *principal, time_t time_offset, DATA_BLOB *ticket, DATA_BLOB *session_key_krb5, uint32 extra_ap_opts, - const char *ccname) + const char *ccname, time_t *tgs_expire) { DEBUG(0,("NO KERBEROS SUPPORT\n")); return 1; diff --git a/source3/libsmb/clispnego.c b/source3/libsmb/clispnego.c index a01c009b6e..6aca217e25 100644 --- a/source3/libsmb/clispnego.c +++ b/source3/libsmb/clispnego.c @@ -343,7 +343,8 @@ BOOL spnego_parse_krb5_wrap(DATA_BLOB blob, DATA_BLOB *ticket, uint8 tok_id[2]) */ int spnego_gen_negTokenTarg(const char *principal, int time_offset, DATA_BLOB *targ, - DATA_BLOB *session_key_krb5, uint32 extra_ap_opts) + DATA_BLOB *session_key_krb5, uint32 extra_ap_opts, + time_t *expire_time) { int retval; DATA_BLOB tkt, tkt_wrapped; @@ -351,7 +352,8 @@ int spnego_gen_negTokenTarg(const char *principal, int time_offset, /* get a kerberos ticket for the service and extract the session key */ retval = cli_krb5_get_ticket(principal, time_offset, - &tkt, session_key_krb5, extra_ap_opts, NULL); + &tkt, session_key_krb5, extra_ap_opts, NULL, + expire_time); if (retval) return retval; diff --git a/source3/nsswitch/idmap_ad.c b/source3/nsswitch/idmap_ad.c index a0ed084765..fee53a0539 100644 --- a/source3/nsswitch/idmap_ad.c +++ b/source3/nsswitch/idmap_ad.c @@ -64,16 +64,23 @@ static ADS_STRUCT *ad_idmap_cached_connection_internal(void) struct in_addr dc_ip; if (ad_idmap_ads != NULL) { + + time_t expire; + time_t now = time(NULL); + ads = ad_idmap_ads; + expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire); + /* check for a valid structure */ + DEBUG(7, ("Current tickets expire in %d seconds (at %d, time is now %d)\n", + (uint32)expire-(uint32)now, (uint32) expire, (uint32) now)); - DEBUG(7, ("Current tickets expire at %d, time is now %d\n", - (uint32) ads->auth.expire, (uint32) time(NULL))); - if ( ads->config.realm && (ads->auth.expire > time(NULL))) { + if ( ads->config.realm && (expire > time(NULL))) { return ads; } else { /* we own this ADS_STRUCT so make sure it goes away */ + DEBUG(7,("Deleting expired krb5 credential cache\n")); ads->is_mine = True; ads_destroy( &ads ); ads_kdestroy(WINBIND_CCACHE_NAME); diff --git a/source3/nsswitch/winbindd_ads.c b/source3/nsswitch/winbindd_ads.c index f572dd08ff..9c8f23b1cf 100644 --- a/source3/nsswitch/winbindd_ads.c +++ b/source3/nsswitch/winbindd_ads.c @@ -44,17 +44,23 @@ static ADS_STRUCT *ads_cached_connection(struct winbindd_domain *domain) DEBUG(10,("ads_cached_connection\n")); if (domain->private_data) { - ads = (ADS_STRUCT *)domain->private_data; + + time_t expire; + time_t now = time(NULL); /* check for a valid structure */ + ads = (ADS_STRUCT *)domain->private_data; - DEBUG(7, ("Current tickets expire at %d, time is now %d\n", - (uint32) ads->auth.expire, (uint32) time(NULL))); - if ( ads->config.realm && (ads->auth.expire > time(NULL))) { + expire = MIN(ads->auth.tgt_expire, ads->auth.tgs_expire); + + DEBUG(7, ("Current tickets expire in %d seconds (at %d, time is now %d)\n", + (uint32)expire-(uint32)now, (uint32) expire, (uint32) now)); + + if ( ads->config.realm && (expire > now)) { return ads; - } - else { + } else { /* we own this ADS_STRUCT so make sure it goes away */ + DEBUG(7,("Deleting expired krb5 credential cache\n")); ads->is_mine = True; ads_destroy( &ads ); ads_kdestroy("MEMORY:winbind_ccache"); @@ -998,11 +1004,15 @@ static NTSTATUS sequence_number(struct winbindd_domain *domain, uint32 *seq) if (!ADS_ERR_OK(rc)) { - /* its a dead connection ; don't destroy it - through since ads_USN() has already done - that indirectly */ - - domain->private_data = NULL; + /* its a dead connection, destroy it */ + + if (domain->private_data) { + ads = (ADS_STRUCT *)domain->private_data; + ads->is_mine = True; + ads_destroy(&ads); + ads_kdestroy("MEMORY:winbind_ccache"); + domain->private_data = NULL; + } } return ads_ntstatus(rc); } diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index fcaad1fb1f..2a5ca40125 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -598,7 +598,8 @@ static NTSTATUS winbindd_raw_kerberos_login(struct winbindd_domain *domain, &tkt, &session_key_krb5, 0, - cc); + cc, + NULL); if (krb5_ret) { DEBUG(1,("winbindd_raw_kerberos_login: failed to get ticket for %s: %s\n", local_service, error_message(krb5_ret))); diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index 467e652ca9..547f300f3a 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c @@ -927,7 +927,7 @@ static NTSTATUS create_krb5_auth_bind_req( struct rpc_pipe_client *cli, /* Create the ticket for the service principal and return it in a gss-api wrapped blob. */ ret = cli_krb5_get_ticket(a->service_principal, 0, &tkt, - &a->session_key, (uint32)AP_OPTS_MUTUAL_REQUIRED, NULL); + &a->session_key, (uint32)AP_OPTS_MUTUAL_REQUIRED, NULL, NULL); if (ret) { DEBUG(1,("create_krb5_auth_bind_req: cli_krb5_get_ticket for principal %s " diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c index 28de39c4f4..1e7b361e86 100644 --- a/source3/utils/ntlm_auth.c +++ b/source3/utils/ntlm_auth.c @@ -1424,7 +1424,7 @@ static BOOL manage_client_krb5_init(SPNEGO_DATA spnego) spnego.negTokenInit.mechListMIC.length); principal[spnego.negTokenInit.mechListMIC.length] = '\0'; - retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5, 0, NULL); + retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5, 0, NULL, NULL); if (retval) { @@ -1446,7 +1446,7 @@ static BOOL manage_client_krb5_init(SPNEGO_DATA spnego) return False; } - retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5, 0, NULL); + retval = cli_krb5_get_ticket(principal, 0, &tkt, &session_key_krb5, 0, NULL, NULL); if (retval) { DEBUG(10, ("Kinit suceeded, but getting a ticket failed: %s\n", error_message(retval))); |