r11652: Reinstate the netsamlogon_cache in order to work

around failed query_user calls.  This fixes
logons to a member of a Samba domain as a user from a
trusted AD domain.

As per comments on samba-technical, I still need to add

(a) cache the PAC info as werll as NTLM net_user_info_3
(b) expire the cache when the SMB session goes away

Both Jeremy and Guenther have signed off on the idea.
(This used to be commit 0c2bb5ba7b92d9210e7fa9f7b70aa67dfe9faaf4)

7 files changed, 353 insertions, 2 deletions

diff --git a/source3/Makefile.in b/source3/Makefile.in
index 09472602c8..6a12b2e25e 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -368,6 +368,8 @@ VFS_CATIA_OBJ = modules/vfs_catia.o
 
 PLAINTEXT_AUTH_OBJ = auth/pampass.o auth/pass_check.o
 
+SLCACHE_OBJ = libsmb/samlogon_cache.o
+
 DCUTIL_OBJ  = libsmb/namequery_dc.o libsmb/trustdom_cache.o libsmb/trusts_util.o
 
 AUTH_BUILTIN_OBJ = auth/auth_builtin.o
@@ -381,7 +383,7 @@ AUTH_SCRIPT_OBJ = auth/auth_script.o
 
 AUTH_OBJ = auth/auth.o @AUTH_STATIC@ auth/auth_util.o auth/auth_compat.o \
 	   auth/auth_ntlmssp.o \
-	   $(PLAINTEXT_AUTH_OBJ) $(DCUTIL_OBJ)
+	   $(PLAINTEXT_AUTH_OBJ) $(SLCACHE_OBJ) $(DCUTIL_OBJ)
 
 MANGLE_OBJ = smbd/mangle.o smbd/mangle_hash.o smbd/mangle_map.o smbd/mangle_hash2.o
 
@@ -706,7 +708,7 @@ WINBINDD_OBJ = \
 		$(WINBINDD_OBJ1) $(PASSDB_OBJ) $(GROUPDB_OBJ) \
 		$(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \
 		$(LIBSMB_OBJ) $(LIBMSRPC_OBJ) $(RPC_PARSE_OBJ) \
-		$(PROFILE_OBJ) $(SMBLDAP_OBJ) \
+		$(PROFILE_OBJ) $(SLCACHE_OBJ) $(SMBLDAP_OBJ) \
 		$(SECRETS_OBJ) $(LIBADS_OBJ) $(KRBCLIENT_OBJ) $(POPT_LIB_OBJ) \
 		$(DCUTIL_OBJ) $(IDMAP_OBJ) \
 		$(AFS_OBJ) $(AFS_SETTOKEN_OBJ)
diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c
index 94b138e55b..242105a664 100644
--- a/source3/auth/auth_domain.c
+++ b/source3/auth/auth_domain.c
@@ -252,6 +252,8 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx,
 						domain,
 						server_info,
 						&info3);
+
+		netsamlogon_cache_store( mem_ctx, user_info->smb_name.str, &info3 );
 	}
 
 	/* Note - once the cli stream is shutdown the mem_ctx used
diff --git a/source3/libsmb/samlogon_cache.c b/source3/libsmb/samlogon_cache.c
new file mode 100644
index 0000000000..ceb7b7c35a
--- /dev/null
+++ b/source3/libsmb/samlogon_cache.c
@@ -0,0 +1,247 @@
+/* 
+   Unix SMB/CIFS implementation.
+   Net_sam_logon info3 helpers
+   Copyright (C) Alexander Bokovoy              2002.
+   Copyright (C) Andrew Bartlett                2002.
+   Copyright (C) Gerald Carter			2003.
+   Copyright (C) Tim Potter			2003.
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+#define NETSAMLOGON_TDB	"netsamlogon_cache.tdb"
+
+static TDB_CONTEXT *netsamlogon_tdb = NULL;
+
+/***********************************************************************
+ open the tdb
+ ***********************************************************************/
+ 
+BOOL netsamlogon_cache_init(void)
+{
+	if (!netsamlogon_tdb) {
+		netsamlogon_tdb = tdb_open_log(lock_path(NETSAMLOGON_TDB), 0,
+						   TDB_DEFAULT, O_RDWR | O_CREAT, 0600);
+	}
+
+	return (netsamlogon_tdb != NULL);
+}
+
+
+/***********************************************************************
+ Shutdown samlogon_cache database
+***********************************************************************/
+
+BOOL netsamlogon_cache_shutdown(void)
+{
+	if(netsamlogon_tdb)
+		return (tdb_close(netsamlogon_tdb) == 0);
+		
+	return True;
+}
+
+/***********************************************************************
+ Clear cache getpwnam and getgroups entries from the winbindd cache
+***********************************************************************/
+void netsamlogon_clear_cached_user(TDB_CONTEXT *tdb, NET_USER_INFO_3 *user)
+{
+	fstring domain;
+	TDB_DATA key;
+	BOOL got_tdb = False;
+
+	/* We may need to call this function from smbd which will not have
+           winbindd_cache.tdb open.  Open the tdb if a NULL is passed. */
+
+	if (!tdb) {
+		tdb = tdb_open_log(lock_path("winbindd_cache.tdb"), 5000,
+				   TDB_DEFAULT, O_RDWR, 0600);
+		if (!tdb) {
+			DEBUG(5, ("netsamlogon_clear_cached_user: failed to open cache\n"));
+			return;
+		}
+		got_tdb = True;
+	}
+
+	unistr2_to_ascii(domain, &user->uni_logon_dom, sizeof(domain) - 1);
+
+	/* Clear U/DOMAIN/RID cache entry */
+
+	asprintf(&key.dptr, "U/%s/%d", domain, user->user_rid);
+	key.dsize = strlen(key.dptr) - 1; /* keys are not NULL terminated */
+
+	DEBUG(10, ("netsamlogon_clear_cached_user: clearing %s\n", key.dptr));
+
+	tdb_delete(tdb, key);
+
+	SAFE_FREE(key.dptr);
+
+	/* Clear UG/DOMAIN/RID cache entry */
+
+	asprintf(&key.dptr, "UG/%s/%d", domain, user->user_rid);
+	key.dsize = strlen(key.dptr) - 1; /* keys are not NULL terminated */
+
+	DEBUG(10, ("netsamlogon_clear_cached_user: clearing %s\n", key.dptr));
+
+	tdb_delete(tdb, key);
+
+	SAFE_FREE(key.dptr);
+
+	if (got_tdb)
+		tdb_close(tdb);
+}
+
+/***********************************************************************
+ Store a NET_USER_INFO_3 structure in a tdb for later user 
+ username should be in UTF-8 format
+***********************************************************************/
+
+BOOL netsamlogon_cache_store(TALLOC_CTX *mem_ctx, const char * username, NET_USER_INFO_3 *user)
+{
+	TDB_DATA 	data;
+        fstring 	keystr;
+	prs_struct 	ps;
+	BOOL 		result = False;
+	DOM_SID		user_sid;
+	time_t		t = time(NULL);
+	
+
+	if (!netsamlogon_cache_init()) {
+		DEBUG(0,("netsamlogon_cache_store: cannot open %s for write!\n", NETSAMLOGON_TDB));
+		return False;
+	}
+
+	sid_copy( &user_sid, &user->dom_sid.sid );
+	sid_append_rid( &user_sid, user->user_rid );
+
+	/* Prepare key as DOMAIN-SID/USER-RID string */
+	slprintf(keystr, sizeof(keystr), "%s", sid_string_static(&user_sid));
+
+	DEBUG(10,("netsamlogon_cache_store: SID [%s]\n", keystr));
+	
+	/* only Samba fills in the username, not sure why NT doesn't */
+	/* so we fill it in since winbindd_getpwnam() makes use of it */
+	
+	if ( !user->uni_user_name.buffer ) {
+		init_unistr2( &user->uni_user_name, username, UNI_STR_TERMINATE );
+		init_uni_hdr( &user->hdr_user_name, &user->uni_user_name );
+	}
+		
+	/* Prepare data */
+	
+	prs_init( &ps, RPC_MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL);
+	
+	if ( !prs_uint32( "timestamp", &ps, 0, (uint32*)&t ) )
+		return False;
+	
+	if ( net_io_user_info3("", user, &ps, 0, 3, 0) ) 
+	{
+		data.dsize = prs_offset( &ps );
+		data.dptr = prs_data_p( &ps );
+
+		if (tdb_store_bystring(netsamlogon_tdb, keystr, data, TDB_REPLACE) != -1)
+			result = True;
+		
+		prs_mem_free( &ps );
+	}
+		
+	return result;
+}
+
+/***********************************************************************
+ Retrieves a NET_USER_INFO_3 structure from a tdb.  Caller must 
+ free the user_info struct (malloc()'d memory)
+***********************************************************************/
+
+NET_USER_INFO_3* netsamlogon_cache_get( TALLOC_CTX *mem_ctx, const DOM_SID *user_sid)
+{
+	NET_USER_INFO_3	*user = NULL;
+	TDB_DATA 	data, key;
+	prs_struct	ps;
+        fstring 	keystr;
+	uint32		t;
+	
+	if (!netsamlogon_cache_init()) {
+		DEBUG(0,("netsamlogon_cache_store: cannot open %s for write!\n", NETSAMLOGON_TDB));
+		return False;
+	}
+
+	/* Prepare key as DOMAIN-SID/USER-RID string */
+	slprintf(keystr, sizeof(keystr), "%s", sid_string_static(user_sid));
+	DEBUG(10,("netsamlogon_cache_get: SID [%s]\n", keystr));
+	key.dptr = keystr;
+	key.dsize = strlen(keystr)+1;
+	data = tdb_fetch( netsamlogon_tdb, key );
+	
+	if ( data.dptr ) {
+		
+		if ( (user = SMB_MALLOC_P(NET_USER_INFO_3)) == NULL )
+			return NULL;
+			
+		prs_init( &ps, 0, mem_ctx, UNMARSHALL );
+		prs_give_memory( &ps, data.dptr, data.dsize, True );
+		
+		if ( !prs_uint32( "timestamp", &ps, 0, &t ) ) {
+			prs_mem_free( &ps );
+			return False;
+		}
+		
+		if ( !net_io_user_info3("", user, &ps, 0, 3, 0) ) {
+			SAFE_FREE( user );
+		}
+			
+		prs_mem_free( &ps );
+
+#if 0	/* The netsamlogon cache needs to hang around.  Something about 
+	   this feels wrong, but it is the only way we can get all of the
+	   groups.  The old universal groups cache didn't expire either.
+	   --jerry */
+	{
+		time_t		now = time(NULL);
+		uint32		time_diff;
+	   
+		/* is the entry expired? */
+		time_diff = now - t;
+		
+		if ( (time_diff < 0 ) || (time_diff > lp_winbind_cache_time()) ) {
+			DEBUG(10,("netsamlogon_cache_get: cache entry expired \n"));
+			tdb_delete( netsamlogon_tdb, key );
+			SAFE_FREE( user );
+		}
+#endif
+	}
+	
+	return user;
+}
+
+BOOL netsamlogon_cache_have(const DOM_SID *user_sid)
+{
+	TALLOC_CTX *mem_ctx = talloc_init("netsamlogon_cache_have");
+	NET_USER_INFO_3 *user = NULL;
+	BOOL result;
+
+	if (!mem_ctx)
+		return False;
+
+	user = netsamlogon_cache_get(mem_ctx, user_sid);
+
+	result = (user != NULL);
+
+	talloc_destroy(mem_ctx);
+	SAFE_FREE(user);
+
+	return result;
+}
diff --git a/source3/nsswitch/winbindd.c b/source3/nsswitch/winbindd.c
index 7f2f3d780e..60a4e2f6c0 100644
--- a/source3/nsswitch/winbindd.c
+++ b/source3/nsswitch/winbindd.c
@@ -1063,6 +1063,8 @@ int main(int argc, char **argv)
 	
 	poptFreeContext(pc);
 
+	netsamlogon_cache_init(); /* Non-critical */
+	
 	init_domain_list();
 
 	init_idmap_child();
diff --git a/source3/nsswitch/winbindd_cache.c b/source3/nsswitch/winbindd_cache.c
index 993e6d96e8..83ded01d4e 100644
--- a/source3/nsswitch/winbindd_cache.c
+++ b/source3/nsswitch/winbindd_cache.c
@@ -1073,6 +1073,18 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
 
 	centry = wcache_fetch(cache, domain, "U/%s", sid_string_static(user_sid));
 	
+	/* If we have an access denied cache entry and a cached info3 in the
+           samlogon cache then do a query.  This will force the rpc back end
+           to return the info3 data. */
+
+	if (NT_STATUS_V(domain->last_status) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED) &&
+	    netsamlogon_cache_have(user_sid)) {
+		DEBUG(10, ("query_user: cached access denied and have cached info3\n"));
+		domain->last_status = NT_STATUS_OK;
+		centry_free(centry);
+		goto do_query;
+	}
+	
 	if (!centry)
 		goto do_query;
 
@@ -1128,6 +1140,18 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
 
 	centry = wcache_fetch(cache, domain, "UG/%s", sid_to_string(sid_string, user_sid));
 	
+	/* If we have an access denied cache entry and a cached info3 in the
+           samlogon cache then do a query.  This will force the rpc back end
+           to return the info3 data. */
+
+	if (NT_STATUS_V(domain->last_status) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED) &&
+	    netsamlogon_cache_have(user_sid)) {
+		DEBUG(10, ("query_user: cached access denied and have cached info3\n"));
+		domain->last_status = NT_STATUS_OK;
+		centry_free(centry);
+		goto do_query;
+	}
+	
 	if (!centry)
 		goto do_query;
 
@@ -1401,6 +1425,20 @@ static int traverse_fn(TDB_CONTEXT *the_tdb, TDB_DATA kbuf, TDB_DATA dbuf,
 	return 0;
 }
 
+/* Invalidate the getpwnam and getgroups entries for a winbindd domain */
+
+void wcache_invalidate_samlogon(struct winbindd_domain *domain, 
+				NET_USER_INFO_3 *info3)
+{
+	struct winbind_cache *cache;
+	
+	if (!domain)
+		return;
+
+	cache = get_cache(domain);
+	netsamlogon_clear_cached_user(cache->tdb, info3);
+}
+
 void wcache_invalidate_cache(void)
 {
 	struct winbindd_domain *domain;
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c
index 3571142c58..d398e41468 100644
--- a/source3/nsswitch/winbindd_pam.c
+++ b/source3/nsswitch/winbindd_pam.c
@@ -382,6 +382,9 @@ enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,
 	} while ( (attempts < 2) && retry );
 
 	if (NT_STATUS_IS_OK(result)) {
+		netsamlogon_cache_store(state->mem_ctx, name_user, &info3);
+		wcache_invalidate_samlogon(find_domain_from_name(name_domain), &info3);
+
 		/* Check if the user is in the right group */
 
 		if (!NT_STATUS_IS_OK(result = check_info3_in_group(state->mem_ctx, &info3,
@@ -664,6 +667,11 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
 	} while ( (attempts < 2) && retry );
 
 	if (NT_STATUS_IS_OK(result)) {
+		netsamlogon_cache_store(state->mem_ctx, name_user, &info3);
+		wcache_invalidate_samlogon(find_domain_from_name(name_domain), &info3);
+
+		/* Check if the user is in the right group */
+
 		if (!NT_STATUS_IS_OK(result = check_info3_in_group(state->mem_ctx, &info3,
 							state->request.data.auth_crap.require_membership_of_sid))) {
 			DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n",
diff --git a/source3/nsswitch/winbindd_rpc.c b/source3/nsswitch/winbindd_rpc.c
index b3bed2e0be..63e2487700 100644
--- a/source3/nsswitch/winbindd_rpc.c
+++ b/source3/nsswitch/winbindd_rpc.c
@@ -329,6 +329,7 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
 	SAM_USERINFO_CTR *ctr;
 	fstring sid_string;
 	uint32 user_rid;
+	NET_USER_INFO_3 *user;
 	struct rpc_pipe_client *cli;
 
 	DEBUG(3,("rpc: query_user rid=%s\n",
@@ -337,6 +338,33 @@ static NTSTATUS query_user(struct winbindd_domain *domain,
 	if (!sid_peek_check_rid(&domain->sid, user_sid, &user_rid))
 		return NT_STATUS_UNSUCCESSFUL;
 	
+	/* try netsamlogon cache first */
+			
+	if ( (user = netsamlogon_cache_get( mem_ctx, user_sid )) != NULL ) 
+	{
+				
+		DEBUG(5,("query_user: Cache lookup succeeded for %s\n", 
+			sid_string_static(user_sid)));
+
+		sid_compose(&user_info->user_sid, &domain->sid, user_rid);
+		sid_compose(&user_info->group_sid, &domain->sid,
+			    user->group_rid);
+				
+		user_info->acct_name = unistr2_tdup(mem_ctx,
+						    &user->uni_user_name);
+		user_info->full_name = unistr2_tdup(mem_ctx,
+						    &user->uni_full_name);
+		
+		user_info->homedir = NULL;
+		user_info->shell = NULL;
+						
+		SAFE_FREE(user);
+				
+		return NT_STATUS_OK;
+	}
+	
+	/* no cache; hit the wire */
+		
 	result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
 	if (!NT_STATUS_IS_OK(result))
 		return result;
@@ -384,6 +412,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
 	unsigned int i;
 	fstring sid_string;
 	uint32 user_rid;
+	NET_USER_INFO_3 *user;
 	struct rpc_pipe_client *cli;
 
 	DEBUG(3,("rpc: lookup_usergroups sid=%s\n",
@@ -394,6 +423,29 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain,
 
 	*num_groups = 0;
 	*user_grpsids = NULL;
+
+	/* so lets see if we have a cached user_info_3 */
+	
+	if ( (user = netsamlogon_cache_get( mem_ctx, user_sid )) != NULL )
+	{
+		DEBUG(5,("query_user: Cache lookup succeeded for %s\n", 
+			sid_string_static(user_sid)));
+			
+		*num_groups = user->num_groups;
+				
+		(*user_grpsids) = TALLOC_ARRAY(mem_ctx, DOM_SID, *num_groups);
+		for (i=0;i<(*num_groups);i++) {
+			sid_copy(&((*user_grpsids)[i]), &domain->sid);
+			sid_append_rid(&((*user_grpsids)[i]),
+				       user->gids[i].g_rid);
+		}
+				
+		SAFE_FREE(user);
+				
+		return NT_STATUS_OK;
+	}
+
+	/* no cache; hit the wire */
 	
 	result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol);
 	if (!NT_STATUS_IS_OK(result))