summaryrefslogtreecommitdiff
path: root/source3/winbindd/winbindd_sid.c
diff options
context:
space:
mode:
Diffstat (limited to 'source3/winbindd/winbindd_sid.c')
-rw-r--r--source3/winbindd/winbindd_sid.c97
1 files changed, 78 insertions, 19 deletions
diff --git a/source3/winbindd/winbindd_sid.c b/source3/winbindd/winbindd_sid.c
index 0e8e6ca00b..ce34dadf4c 100644
--- a/source3/winbindd/winbindd_sid.c
+++ b/source3/winbindd/winbindd_sid.c
@@ -159,14 +159,19 @@ static void sid2uid_recv(void *private_data, bool success, uid_t uid)
{
struct winbindd_cli_state *state =
talloc_get_type_abort(private_data, struct winbindd_cli_state);
+ struct dom_sid sid;
+
+ string_to_sid(&sid, state->request.data.sid);
if (!success) {
DEBUG(5, ("Could not convert sid %s\n",
state->request.data.sid));
+ idmap_cache_set_sid2uid(&sid, -1);
request_error(state);
return;
}
+ idmap_cache_set_sid2uid(&sid, uid);
state->response.data.uid = uid;
request_ok(state);
}
@@ -180,34 +185,40 @@ static void sid2uid_lookupsid_recv( void *private_data, bool success,
talloc_get_type_abort(private_data, struct winbindd_cli_state);
DOM_SID sid;
+ if (!string_to_sid(&sid, state->request.data.sid)) {
+ DEBUG(1, ("sid2uid_lookupsid_recv: Could not get convert sid "
+ "%s from string\n", state->request.data.sid));
+ request_error(state);
+ return;
+ }
+
if (!success) {
DEBUG(5, ("sid2uid_lookupsid_recv Could not convert get sid type for %s\n",
state->request.data.sid));
- request_error(state);
- return;
+ goto fail;
}
if ( (type!=SID_NAME_USER) && (type!=SID_NAME_COMPUTER) ) {
DEBUG(5,("sid2uid_lookupsid_recv: Sid %s is not a user or a computer.\n",
state->request.data.sid));
- request_error(state);
- return;
+ goto fail;
}
- if (!string_to_sid(&sid, state->request.data.sid)) {
- DEBUG(1, ("sid2uid_lookupsid_recv: Could not get convert sid %s from string\n",
- state->request.data.sid));
- request_error(state);
- return;
- }
-
/* always use the async interface (may block) */
winbindd_sid2uid_async(state->mem_ctx, &sid, sid2uid_recv, state);
+ return;
+
+ fail:
+ idmap_cache_set_sid2uid(&sid, -1);
+ request_error(state);
+ return;
}
void winbindd_sid_to_uid(struct winbindd_cli_state *state)
{
DOM_SID sid;
+ uid_t uid;
+ bool expired;
/* Ensure null termination */
state->request.data.sid[sizeof(state->request.data.sid)-1]='\0';
@@ -222,10 +233,29 @@ void winbindd_sid_to_uid(struct winbindd_cli_state *state)
return;
}
+ if (idmap_cache_find_sid2uid(&sid, &uid, &expired)) {
+ DEBUG(10, ("idmap_cache_find_sid2uid found %d%s\n",
+ (int)uid, expired ? " (expired)": ""));
+ if (expired && IS_DOMAIN_ONLINE(find_our_domain())) {
+ DEBUG(10, ("revalidating expired entry\n"));
+ goto backend;
+ }
+ if (uid == -1) {
+ DEBUG(10, ("Returning negative cache entry\n"));
+ request_error(state);
+ return;
+ }
+ DEBUG(10, ("Returning positive cache entry\n"));
+ state->response.data.uid = uid;
+ request_ok(state);
+ return;
+ }
+
/* Validate the SID as a user. Hopefully this will hit cache.
Needed to prevent DoS by exhausting the uid allocation
range from random SIDs. */
+ backend:
winbindd_lookupsid_async( state->mem_ctx, &sid, sid2uid_lookupsid_recv, state );
}
@@ -411,30 +441,59 @@ void winbindd_set_hwm(struct winbindd_cli_state *state)
/* Convert a uid to a sid */
-static void uid2sid_recv(void *private_data, bool success, const char *sid)
+static void uid2sid_recv(void *private_data, bool success, const char *sidstr)
{
struct winbindd_cli_state *state =
(struct winbindd_cli_state *)private_data;
+ struct dom_sid sid;
- if (success) {
- DEBUG(10,("uid2sid: uid %lu has sid %s\n",
- (unsigned long)(state->request.data.uid), sid));
- fstrcpy(state->response.data.sid.sid, sid);
- state->response.data.sid.type = SID_NAME_USER;
- request_ok(state);
+ if (!success || !string_to_sid(&sid, sidstr)) {
+ ZERO_STRUCT(sid);
+ idmap_cache_set_sid2uid(&sid, state->request.data.uid);
+ request_error(state);
return;
}
- request_error(state);
+ DEBUG(10,("uid2sid: uid %lu has sid %s\n",
+ (unsigned long)(state->request.data.uid), sidstr));
+
+ idmap_cache_set_sid2uid(&sid, state->request.data.uid);
+ fstrcpy(state->response.data.sid.sid, sidstr);
+ state->response.data.sid.type = SID_NAME_USER;
+ request_ok(state);
return;
}
void winbindd_uid_to_sid(struct winbindd_cli_state *state)
{
+ struct dom_sid sid;
+ bool expired;
+
DEBUG(3, ("[%5lu]: uid to sid %lu\n", (unsigned long)state->pid,
(unsigned long)state->request.data.uid));
+ if (idmap_cache_find_uid2sid(state->request.data.uid, &sid,
+ &expired)) {
+ DEBUG(10, ("idmap_cache_find_uid2sid found %d%s\n",
+ (int)state->request.data.uid,
+ expired ? " (expired)": ""));
+ if (expired && IS_DOMAIN_ONLINE(find_our_domain())) {
+ DEBUG(10, ("revalidating expired entry\n"));
+ goto backend;
+ }
+ if (is_null_sid(&sid)) {
+ DEBUG(10, ("Returning negative cache entry\n"));
+ request_error(state);
+ return;
+ }
+ DEBUG(10, ("Returning positive cache entry\n"));
+ sid_to_fstring(state->response.data.sid.sid, &sid);
+ request_ok(state);
+ return;
+ }
+
/* always go via the async interface (may block) */
+ backend:
winbindd_uid2sid_async(state->mem_ctx, state->request.data.uid, uid2sid_recv, state);
}