From e627362622344f70cd12ded917fe9d82feb63f1a Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Sat, 26 Aug 2006 02:53:45 +0000 Subject: r17837: Split out the storing of memory cached credentials from the krb5 ticket renewal code. This allows cached credentials to be stored for single sign-on via ntlm_auth for machines in a domain still using NTLM. Also (hopefully) fixes the reference counting problem with pam_logon/logoff so multiple logons/logoffs won't lose cached credentials. This compiles, but I'm intending to test it over the weekend so don't complain too much :-). I also want it in the tree so Coverity can scan it for errors. Guenther, check this over please - I ran through the architecture with Jerry and he's ok with it, but this is modifying your code a lot. Jeremy. (This used to be commit 679eeeb91155dad3942efde6ae9f8d81faf18c5b) --- source3/nsswitch/winbindd_cred_cache.c | 491 +++++++++++++++++++++++---------- 1 file changed, 345 insertions(+), 146 deletions(-) (limited to 'source3/nsswitch/winbindd_cred_cache.c') diff --git a/source3/nsswitch/winbindd_cred_cache.c b/source3/nsswitch/winbindd_cred_cache.c index b56003a469..ceca389825 100644 --- a/source3/nsswitch/winbindd_cred_cache.c +++ b/source3/nsswitch/winbindd_cred_cache.c @@ -2,8 +2,10 @@ Unix SMB/CIFS implementation. Winbind daemon - krb5 credential cache funcions + and in-memory cache functions. Copyright (C) Guenther Deschner 2005 + Copyright (C) Jeremy Allison 2006 This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -25,23 +27,13 @@ #undef DBGC_CLASS #define DBGC_CLASS DBGC_WINBIND -#define MAX_CCACHES 10000 +#define MAX_CCACHES 100 static struct WINBINDD_CCACHE_ENTRY *ccache_list; -static TALLOC_CTX *mem_ctx; - -const char *get_ccache_name_by_username(const char *username) -{ - struct WINBINDD_CCACHE_ENTRY *entry; - - for (entry = ccache_list; entry; entry = entry->next) { - if (strequal(entry->username, username)) { - return entry->ccname; - } - } - return NULL; -} +/**************************************************************** + Find an entry by name. +****************************************************************/ struct WINBINDD_CCACHE_ENTRY *get_ccache_by_username(const char *username) { @@ -55,6 +47,10 @@ struct WINBINDD_CCACHE_ENTRY *get_ccache_by_username(const char *username) return NULL; } +/**************************************************************** + How many do we have ? +****************************************************************/ + static int ccache_entry_count(void) { struct WINBINDD_CCACHE_ENTRY *entry; @@ -66,43 +62,9 @@ static int ccache_entry_count(void) return i; } -NTSTATUS remove_ccache_by_ccname(const char *ccname) -{ - struct WINBINDD_CCACHE_ENTRY *entry; - - for (entry = ccache_list; entry; entry = entry->next) { - if (strequal(entry->ccname, ccname)) { - DLIST_REMOVE(ccache_list, entry); - TALLOC_FREE(entry->event); /* unregisters events */ -#ifdef HAVE_MUNLOCK - if (entry->nt_hash) { - size_t len = NT_HASH_LEN + LM_HASH_LEN; - - if (entry->pass) { - len += strlen(entry->pass)+1; - } - -#ifdef DEBUG_PASSWORD - DEBUG(10,("unlocking memory: %p\n", entry->nt_hash)); -#endif - memset(entry->nt_hash, 0, len); - if ((munlock(entry->nt_hash, len)) == -1) { - DEBUG(0,("failed to munlock memory: %s (%d)\n", - strerror(errno), errno)); - return map_nt_error_from_unix(errno); - } -#ifdef DEBUG_PASSWORD - DEBUG(10,("munlocked memory: %p\n", entry->nt_hash)); -#endif - } -#endif /* HAVE_MUNLOCK */ - TALLOC_FREE(entry); - DEBUG(10,("remove_ccache_by_ccname: removed ccache %s\n", ccname)); - return NT_STATUS_OK; - } - } - return NT_STATUS_OBJECT_NAME_NOT_FOUND; -} +/**************************************************************** + Do the work of refreshing the ticket. +****************************************************************/ static void krb5_ticket_refresh_handler(struct timed_event *te, const struct timeval *now, @@ -113,6 +75,7 @@ static void krb5_ticket_refresh_handler(struct timed_event *te, int ret; time_t new_start; struct timeval t; + struct WINBINDD_MEMORY_CREDS *cred_ptr = entry->cred_ptr; DEBUG(10,("krb5_ticket_refresh_handler called\n")); DEBUGADD(10,("event called for: %s, %s\n", entry->ccname, entry->username)); @@ -124,12 +87,12 @@ static void krb5_ticket_refresh_handler(struct timed_event *te, /* Kinit again if we have the user password and we can't renew the old * tgt anymore */ - if ((entry->renew_until < time(NULL)) && (entry->pass != NULL)) { + if ((entry->renew_until < time(NULL)) && cred_ptr && cred_ptr->pass) { set_effective_uid(entry->uid); ret = kerberos_kinit_password_ext(entry->principal_name, - entry->pass, + cred_ptr->pass, 0, /* hm, can we do time correction here ? */ &entry->refresh_time, &entry->renew_until, @@ -171,7 +134,7 @@ done: t = timeval_set(new_start, 0); - entry->event = add_timed_event(mem_ctx, + entry->event = add_timed_event(entry, t, "krb5_ticket_refresh_handler", krb5_ticket_refresh_handler, @@ -180,6 +143,31 @@ done: #endif } +/**************************************************************** + Ensure we're changing the correct entry. +****************************************************************/ + +BOOL ccache_entry_identical(const char *username, uid_t uid, const char *ccname) +{ + struct WINBINDD_CCACHE_ENTRY *entry = get_ccache_by_username(username); + + if (!entry) { + return False; + } + + if (entry->uid != uid) { + DEBUG(0,("cache_entry_identical: uid's differ: %u != %u\n", + (unsigned int)entry->uid, (unsigned int)uid )); + return False; + } + if (!strcsequal(entry->ccname, ccname)) { + DEBUG(0,("cache_entry_identical: ccnames differ: (cache) %s != (client) %s\n", + entry->ccname, ccname)); + return False; + } + return True; +} + NTSTATUS add_ccache_to_list(const char *princ_name, const char *ccname, const char *service, @@ -192,156 +180,367 @@ NTSTATUS add_ccache_to_list(const char *princ_name, time_t renew_until, BOOL schedule_refresh_event) { - struct WINBINDD_CCACHE_ENTRY *new_entry = NULL; - struct WINBINDD_CCACHE_ENTRY *old_entry = NULL; - NTSTATUS status; + struct WINBINDD_CCACHE_ENTRY *entry = NULL; if ((username == NULL && sid_string == NULL && princ_name == NULL) || - ccname == NULL) { + ccname == NULL || uid < 0) { return NT_STATUS_INVALID_PARAMETER; } - status = init_ccache_list(); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - - if (mem_ctx == NULL) { - return NT_STATUS_NO_MEMORY; - } - if (ccache_entry_count() + 1 > MAX_CCACHES) { DEBUG(10,("add_ccache_to_list: max number of ccaches reached\n")); return NT_STATUS_NO_MORE_ENTRIES; } - /* get rid of old entries */ - old_entry = get_ccache_by_username(username); - if (old_entry) { - status = remove_ccache_by_ccname(old_entry->ccname); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(10,("add_ccache_to_list: failed to delete old ccache entry\n")); - return status; + /* Reference count old entries */ + entry = get_ccache_by_username(username); + if (entry) { + /* Check cached entries are identical. */ + if (!ccache_entry_identical(username, uid, ccname)) { + return NT_STATUS_INVALID_PARAMETER; } + entry->ref_count++; + DEBUG(10,("add_ccache_to_list: ref count on entry %s is now %d\n", + username, entry->ref_count)); + return NT_STATUS_OK; } - new_entry = TALLOC_P(mem_ctx, struct WINBINDD_CCACHE_ENTRY); - if (new_entry == NULL) { + entry = TALLOC_P(NULL, struct WINBINDD_CCACHE_ENTRY); + if (!entry) { return NT_STATUS_NO_MEMORY; } - ZERO_STRUCTP(new_entry); + ZERO_STRUCTP(entry); if (username) { - new_entry->username = talloc_strdup(mem_ctx, username); - NT_STATUS_HAVE_NO_MEMORY(new_entry->username); + entry->username = talloc_strdup(entry, username); + if (!entry->username) { + goto no_mem; + } } if (sid_string) { - new_entry->sid_string = talloc_strdup(mem_ctx, sid_string); - NT_STATUS_HAVE_NO_MEMORY(new_entry->sid_string); + entry->sid_string = talloc_strdup(entry, sid_string); + if (!entry->sid_string) { + goto no_mem; + } } if (princ_name) { - new_entry->principal_name = talloc_strdup(mem_ctx, princ_name); - NT_STATUS_HAVE_NO_MEMORY(new_entry->principal_name); + entry->principal_name = talloc_strdup(entry, princ_name); + if (!entry->principal_name) { + goto no_mem; + } } if (service) { - new_entry->service = talloc_strdup(mem_ctx, service); - NT_STATUS_HAVE_NO_MEMORY(new_entry->service); + entry->service = talloc_strdup(entry, service); + if (!entry->service) { + goto no_mem; + } } - if (pass) { - size_t len = NT_HASH_LEN + LM_HASH_LEN; + entry->ccname = talloc_strdup(entry, ccname); + if (!entry->ccname) { + goto no_mem; + } - /* We only store the plaintext if we're going to - schedule a krb5 refresh. */ + entry->create_time = create_time; + entry->renew_until = renew_until; + entry->uid = uid; - if (schedule_refresh_event) { - len += strlen(pass)+1; - } - - /* new_entry->nt_hash is the base pointer for the block - of memory pointed into by new_entry->lm_hash and - new_entry->pass (if we're storing plaintext). */ + if (schedule_refresh_event && renew_until > 0) { - new_entry->nt_hash = (unsigned char *)TALLOC_ZERO(mem_ctx, len); - NT_STATUS_HAVE_NO_MEMORY(new_entry->nt_hash); + struct timeval t = timeval_set((ticket_end -1 ), 0); - new_entry->lm_hash = new_entry->nt_hash + NT_HASH_LEN; -#ifdef HAVE_MLOCK -#ifdef DEBUG_PASSWORD - DEBUG(10,("mlocking memory: %p\n", new_entry->nt_hash)); -#endif - if ((mlock(new_entry->nt_hash, len)) == -1) { - DEBUG(0,("failed to mlock memory: %s (%d)\n", - strerror(errno), errno)); - return map_nt_error_from_unix(errno); - } - -#ifdef DEBUG_PASSWORD - DEBUG(10,("mlocked memory: %p\n", new_entry->nt_hash)); -#endif -#endif /* HAVE_MLOCK */ + entry->event = add_timed_event(entry, + t, + "krb5_ticket_refresh_handler", + krb5_ticket_refresh_handler, + entry); + } + + DLIST_ADD(ccache_list, entry); + + DEBUG(10,("add_ccache_to_list: added ccache [%s] for user [%s] to the list\n", ccname, username)); - /* Create and store the password hashes. */ - E_md4hash(pass, new_entry->nt_hash); - E_deshash(pass, new_entry->lm_hash); + return NT_STATUS_OK; + + no_mem: + + TALLOC_FREE(entry); + return NT_STATUS_NO_MEMORY; +} + +NTSTATUS remove_ccache(const char *username) +{ + struct WINBINDD_CCACHE_ENTRY *entry = get_ccache_by_username(username); + + if (!entry) { + return NT_STATUS_OBJECT_NAME_NOT_FOUND; + } + + if (entry->ref_count <= 0) { + DEBUG(0,("remove_ccache: logic error. ref count for user %s = %d\n", + username, entry->ref_count)); + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + + entry->ref_count--; + if (entry->ref_count <= 0) { + DLIST_REMOVE(ccache_list, entry); + TALLOC_FREE(entry->event); /* unregisters events */ + TALLOC_FREE(entry); + DEBUG(10,("remove_ccache: removed ccache for user %s\n", username)); + } else { + DEBUG(10,("remove_ccache: entry %s ref count now %d\n", + username, entry->ref_count )); + } + + return NT_STATUS_OK; +} + +/******************************************************************* + In memory credentials cache code. +*******************************************************************/ + +static struct WINBINDD_MEMORY_CREDS *memory_creds_list; + +/*********************************************************** + Find an entry on the list by name. +***********************************************************/ + +static struct WINBINDD_MEMORY_CREDS *find_memory_creds_by_name(const char *username) +{ + struct WINBINDD_MEMORY_CREDS *p; - if (schedule_refresh_event) { - new_entry->pass = (char *)new_entry->lm_hash + LM_HASH_LEN; - memcpy(new_entry->pass, pass, len - NT_HASH_LEN - LM_HASH_LEN); + for (p = memory_creds_list; p; p = p->next) { + if (strequal(p->username, username)) { + return p; } } + return NULL; +} - new_entry->create_time = create_time; - new_entry->renew_until = renew_until; - new_entry->ccname = talloc_strdup(mem_ctx, ccname); - if (new_entry->ccname == NULL) { - return NT_STATUS_NO_MEMORY; +/*********************************************************** + Store the required creds and mlock them. +***********************************************************/ + +static NTSTATUS store_memory_creds(struct WINBINDD_MEMORY_CREDS *memcredp, const char *pass, BOOL store_pass) +{ +#if !defined(HAVE_MLOCK) + return NT_STATUS_OK; +#else + /* new_entry->nt_hash is the base pointer for the block + of memory pointed into by new_entry->lm_hash and + new_entry->pass (if we're storing plaintext). */ + + memcredp->len = NT_HASH_LEN + LM_HASH_LEN; + if (pass && store_pass) { + memcredp->len += strlen(pass)+1; } - new_entry->uid = uid; - if (schedule_refresh_event && renew_until > 0) { + memcredp->nt_hash = (unsigned char *)TALLOC_ZERO(memcredp, memcredp->len); + if (!memcredp->nt_hash) { + return NT_STATUS_NO_MEMORY; + } - struct timeval t = timeval_set((ticket_end -1 ), 0); + memcredp->lm_hash = memcredp->nt_hash + NT_HASH_LEN; +#ifdef DEBUG_PASSWORD + DEBUG(10,("mlocking memory: %p\n", memcredp->nt_hash)); +#endif - new_entry->event = add_timed_event(mem_ctx, - t, - "krb5_ticket_refresh_handler", - krb5_ticket_refresh_handler, - new_entry); + if ((mlock(memcredp->nt_hash, memcredp->len)) == -1) { + DEBUG(0,("failed to mlock memory: %s (%d)\n", + strerror(errno), errno)); + return map_nt_error_from_unix(errno); } - DLIST_ADD(ccache_list, new_entry); +#ifdef DEBUG_PASSWORD + DEBUG(10,("mlocked memory: %p\n", memcredp->nt_hash)); +#endif - DEBUG(10,("add_ccache_to_list: added ccache [%s] for user [%s] to the list\n", ccname, username)); + /* Create and store the password hashes. */ + E_md4hash(pass, memcredp->nt_hash); + E_deshash(pass, memcredp->lm_hash); + + if (pass && store_pass) { + memcredp->pass = (char *)memcredp->lm_hash + LM_HASH_LEN; + memcpy(memcredp->pass, pass, memcredp->len - NT_HASH_LEN - LM_HASH_LEN); + } return NT_STATUS_OK; +#endif } -NTSTATUS destroy_ccache_list(void) +/*********************************************************** + Destroy existing creds. +***********************************************************/ + +static NTSTATUS delete_memory_creds(struct WINBINDD_MEMORY_CREDS *memcredp) { -#ifdef HAVE_MUNLOCKALL - if ((munlockall()) == -1) { - DEBUG(0,("failed to unlock memory: %s (%d)\n", +#if !defined(HAVE_MUNLOCK) + return NT_STATUS_OK; +#else + if (munlock(memcredp->nt_hash, memcredp->len) == -1) { + DEBUG(0,("failed to munlock memory: %s (%d)\n", strerror(errno), errno)); return map_nt_error_from_unix(errno); } -#endif /* HAVE_MUNLOCKALL */ - return talloc_destroy(mem_ctx) ? NT_STATUS_OK : NT_STATUS_UNSUCCESSFUL; + memset(memcredp->nt_hash, '\0', memcredp->len); + TALLOC_FREE(memcredp->nt_hash); + memcredp->lm_hash = NULL; + memcredp->pass = NULL; + memcredp->len = 0; + return NT_STATUS_OK; +#endif } -NTSTATUS init_ccache_list(void) +/*********************************************************** + Replace the required creds with new ones (password change). +***********************************************************/ + +static NTSTATUS winbindd_replace_memory_creds_internal(struct WINBINDD_MEMORY_CREDS *memcredp, + const char *pass, BOOL store_pass) { - if (ccache_list) { - return NT_STATUS_OK; + NTSTATUS status = delete_memory_creds(memcredp); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + return store_memory_creds(memcredp, pass, store_pass); +} + +/************************************************************* + Store credentials in memory in a list. +*************************************************************/ + +static NTSTATUS winbindd_add_memory_creds_internal(const char *username, const char *pass, BOOL store_pass) +{ + /* Shortcut to ensure we don't store if no mlock. */ +#if !defined(HAVE_MLOCK) || !defined(HAVE_MUNLOCK) + return NT_STATUS_OK; +#else + NTSTATUS status; + struct WINBINDD_MEMORY_CREDS *memcredp = find_memory_creds_by_name(username); + + if (memcredp) { + /* Already exists. Increment the reference count and replace stored creds. */ + memcredp->ref_count++; + DEBUG(10,("winbindd_add_memory_creds_internal: ref count for user %s is now %d\n", + username, memcredp->ref_count )); + return winbindd_replace_memory_creds_internal(memcredp, pass, store_pass); } - mem_ctx = talloc_init("winbindd_ccache_handling"); - if (mem_ctx == NULL) { + memcredp = TALLOC_ZERO_P(NULL, struct WINBINDD_MEMORY_CREDS); + if (!memcredp) { + return NT_STATUS_NO_MEMORY; + } + memcredp->username = talloc_strdup(memcredp, username); + if (!memcredp->username) { + talloc_destroy(memcredp); return NT_STATUS_NO_MEMORY; } - ZERO_STRUCTP(ccache_list); + status = store_memory_creds(memcredp, pass, store_pass); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + memcredp->ref_count = 1; + DLIST_ADD(memory_creds_list, memcredp); + + DEBUG(10,("winbindd_add_memory_creds_internal: added entry for user %s\n", + username )); return NT_STATUS_OK; +#endif +} + +/************************************************************* + Store users credentials in memory. If we also have a + struct WINBINDD_CCACHE_ENTRY for this username with a + refresh timer, then store the plaintext of the password + and associate the new credentials with the struct WINBINDD_CCACHE_ENTRY. +*************************************************************/ + +NTSTATUS winbindd_add_memory_creds(const char *username, const char *pass) +{ + struct WINBINDD_CCACHE_ENTRY *entry = get_ccache_by_username(username); + BOOL store_pass = False; + NTSTATUS status; + + if (entry && entry->event) { + store_pass = True; + } + + status = winbindd_add_memory_creds_internal(username, pass, store_pass); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + if (entry && store_pass) { + struct WINBINDD_MEMORY_CREDS *memcredp = find_memory_creds_by_name(username); + if (memcredp) { + entry->cred_ptr = memcredp; + } + } + + return status; +} + +/************************************************************* + Decrement the in-memory ref count - delete if zero. +*************************************************************/ + +NTSTATUS winbindd_delete_memory_creds(const char *username) +{ + struct WINBINDD_MEMORY_CREDS *memcredp = find_memory_creds_by_name(username); + NTSTATUS status = NT_STATUS_OK; + + if (!memcredp) { + DEBUG(10,("winbindd_delete_memory_creds: unknown user %s\n", + username )); + return NT_STATUS_OBJECT_NAME_NOT_FOUND; + } + + if (memcredp->ref_count <= 0) { + DEBUG(0,("winbindd_delete_memory_creds: logic error. ref count for user %s = %d\n", + username, memcredp->ref_count)); + status = NT_STATUS_INTERNAL_DB_CORRUPTION; + } + + memcredp->ref_count--; + if (memcredp->ref_count <= 0) { + delete_memory_creds(memcredp); + DLIST_REMOVE(memory_creds_list, memcredp); + talloc_destroy(memcredp); + DEBUG(10,("winbindd_delete_memory_creds: deleted entry for user %s\n", + username)); + } else { + DEBUG(10,("winbindd_delete_memory_creds: entry for user %s ref_count now %d\n", + username, memcredp->ref_count)); + } + return status; +} + +/*********************************************************** + Replace the required creds with new ones (password change). +***********************************************************/ + +NTSTATUS winbindd_replace_memory_creds(const char *username, const char *pass) +{ + BOOL store_pass = False; + struct WINBINDD_MEMORY_CREDS *memcredp = find_memory_creds_by_name(username); + + if (!memcredp) { + DEBUG(10,("winbindd_replace_memory_creds: unknown user %s\n", + username )); + return NT_STATUS_OBJECT_NAME_NOT_FOUND; + } + + if (memcredp->len > NT_HASH_LEN + LM_HASH_LEN) { + store_pass = True; + } + + DEBUG(10,("winbindd_replace_memory_creds: replaced creds for user %s\n", + username )); + + return winbindd_replace_memory_creds_internal(memcredp, pass, store_pass); } -- cgit