From ce0a1fa159baab4c4bdaac601d0f56e29a406945 Mon Sep 17 00:00:00 2001 From: Gerald Carter Date: Thu, 10 Nov 2005 20:28:23 +0000 Subject: r11652: Reinstate the netsamlogon_cache in order to work around failed query_user calls. This fixes logons to a member of a Samba domain as a user from a trusted AD domain. As per comments on samba-technical, I still need to add (a) cache the PAC info as werll as NTLM net_user_info_3 (b) expire the cache when the SMB session goes away Both Jeremy and Guenther have signed off on the idea. (This used to be commit 0c2bb5ba7b92d9210e7fa9f7b70aa67dfe9faaf4) --- source3/Makefile.in | 6 +- source3/auth/auth_domain.c | 2 + source3/libsmb/samlogon_cache.c | 247 ++++++++++++++++++++++++++++++++++++++ source3/nsswitch/winbindd.c | 2 + source3/nsswitch/winbindd_cache.c | 38 ++++++ source3/nsswitch/winbindd_pam.c | 8 ++ source3/nsswitch/winbindd_rpc.c | 52 ++++++++ 7 files changed, 353 insertions(+), 2 deletions(-) create mode 100644 source3/libsmb/samlogon_cache.c (limited to 'source3') diff --git a/source3/Makefile.in b/source3/Makefile.in index 09472602c8..6a12b2e25e 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -368,6 +368,8 @@ VFS_CATIA_OBJ = modules/vfs_catia.o PLAINTEXT_AUTH_OBJ = auth/pampass.o auth/pass_check.o +SLCACHE_OBJ = libsmb/samlogon_cache.o + DCUTIL_OBJ = libsmb/namequery_dc.o libsmb/trustdom_cache.o libsmb/trusts_util.o AUTH_BUILTIN_OBJ = auth/auth_builtin.o @@ -381,7 +383,7 @@ AUTH_SCRIPT_OBJ = auth/auth_script.o AUTH_OBJ = auth/auth.o @AUTH_STATIC@ auth/auth_util.o auth/auth_compat.o \ auth/auth_ntlmssp.o \ - $(PLAINTEXT_AUTH_OBJ) $(DCUTIL_OBJ) + $(PLAINTEXT_AUTH_OBJ) $(SLCACHE_OBJ) $(DCUTIL_OBJ) MANGLE_OBJ = smbd/mangle.o smbd/mangle_hash.o smbd/mangle_map.o smbd/mangle_hash2.o @@ -706,7 +708,7 @@ WINBINDD_OBJ = \ $(WINBINDD_OBJ1) $(PASSDB_OBJ) $(GROUPDB_OBJ) \ $(PARAM_OBJ) $(LIB_NONSMBD_OBJ) \ $(LIBSMB_OBJ) $(LIBMSRPC_OBJ) $(RPC_PARSE_OBJ) \ - $(PROFILE_OBJ) $(SMBLDAP_OBJ) \ + $(PROFILE_OBJ) $(SLCACHE_OBJ) $(SMBLDAP_OBJ) \ $(SECRETS_OBJ) $(LIBADS_OBJ) $(KRBCLIENT_OBJ) $(POPT_LIB_OBJ) \ $(DCUTIL_OBJ) $(IDMAP_OBJ) \ $(AFS_OBJ) $(AFS_SETTOKEN_OBJ) diff --git a/source3/auth/auth_domain.c b/source3/auth/auth_domain.c index 94b138e55b..242105a664 100644 --- a/source3/auth/auth_domain.c +++ b/source3/auth/auth_domain.c @@ -252,6 +252,8 @@ static NTSTATUS domain_client_validate(TALLOC_CTX *mem_ctx, domain, server_info, &info3); + + netsamlogon_cache_store( mem_ctx, user_info->smb_name.str, &info3 ); } /* Note - once the cli stream is shutdown the mem_ctx used diff --git a/source3/libsmb/samlogon_cache.c b/source3/libsmb/samlogon_cache.c new file mode 100644 index 0000000000..ceb7b7c35a --- /dev/null +++ b/source3/libsmb/samlogon_cache.c @@ -0,0 +1,247 @@ +/* + Unix SMB/CIFS implementation. + Net_sam_logon info3 helpers + Copyright (C) Alexander Bokovoy 2002. + Copyright (C) Andrew Bartlett 2002. + Copyright (C) Gerald Carter 2003. + Copyright (C) Tim Potter 2003. + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +#define NETSAMLOGON_TDB "netsamlogon_cache.tdb" + +static TDB_CONTEXT *netsamlogon_tdb = NULL; + +/*********************************************************************** + open the tdb + ***********************************************************************/ + +BOOL netsamlogon_cache_init(void) +{ + if (!netsamlogon_tdb) { + netsamlogon_tdb = tdb_open_log(lock_path(NETSAMLOGON_TDB), 0, + TDB_DEFAULT, O_RDWR | O_CREAT, 0600); + } + + return (netsamlogon_tdb != NULL); +} + + +/*********************************************************************** + Shutdown samlogon_cache database +***********************************************************************/ + +BOOL netsamlogon_cache_shutdown(void) +{ + if(netsamlogon_tdb) + return (tdb_close(netsamlogon_tdb) == 0); + + return True; +} + +/*********************************************************************** + Clear cache getpwnam and getgroups entries from the winbindd cache +***********************************************************************/ +void netsamlogon_clear_cached_user(TDB_CONTEXT *tdb, NET_USER_INFO_3 *user) +{ + fstring domain; + TDB_DATA key; + BOOL got_tdb = False; + + /* We may need to call this function from smbd which will not have + winbindd_cache.tdb open. Open the tdb if a NULL is passed. */ + + if (!tdb) { + tdb = tdb_open_log(lock_path("winbindd_cache.tdb"), 5000, + TDB_DEFAULT, O_RDWR, 0600); + if (!tdb) { + DEBUG(5, ("netsamlogon_clear_cached_user: failed to open cache\n")); + return; + } + got_tdb = True; + } + + unistr2_to_ascii(domain, &user->uni_logon_dom, sizeof(domain) - 1); + + /* Clear U/DOMAIN/RID cache entry */ + + asprintf(&key.dptr, "U/%s/%d", domain, user->user_rid); + key.dsize = strlen(key.dptr) - 1; /* keys are not NULL terminated */ + + DEBUG(10, ("netsamlogon_clear_cached_user: clearing %s\n", key.dptr)); + + tdb_delete(tdb, key); + + SAFE_FREE(key.dptr); + + /* Clear UG/DOMAIN/RID cache entry */ + + asprintf(&key.dptr, "UG/%s/%d", domain, user->user_rid); + key.dsize = strlen(key.dptr) - 1; /* keys are not NULL terminated */ + + DEBUG(10, ("netsamlogon_clear_cached_user: clearing %s\n", key.dptr)); + + tdb_delete(tdb, key); + + SAFE_FREE(key.dptr); + + if (got_tdb) + tdb_close(tdb); +} + +/*********************************************************************** + Store a NET_USER_INFO_3 structure in a tdb for later user + username should be in UTF-8 format +***********************************************************************/ + +BOOL netsamlogon_cache_store(TALLOC_CTX *mem_ctx, const char * username, NET_USER_INFO_3 *user) +{ + TDB_DATA data; + fstring keystr; + prs_struct ps; + BOOL result = False; + DOM_SID user_sid; + time_t t = time(NULL); + + + if (!netsamlogon_cache_init()) { + DEBUG(0,("netsamlogon_cache_store: cannot open %s for write!\n", NETSAMLOGON_TDB)); + return False; + } + + sid_copy( &user_sid, &user->dom_sid.sid ); + sid_append_rid( &user_sid, user->user_rid ); + + /* Prepare key as DOMAIN-SID/USER-RID string */ + slprintf(keystr, sizeof(keystr), "%s", sid_string_static(&user_sid)); + + DEBUG(10,("netsamlogon_cache_store: SID [%s]\n", keystr)); + + /* only Samba fills in the username, not sure why NT doesn't */ + /* so we fill it in since winbindd_getpwnam() makes use of it */ + + if ( !user->uni_user_name.buffer ) { + init_unistr2( &user->uni_user_name, username, UNI_STR_TERMINATE ); + init_uni_hdr( &user->hdr_user_name, &user->uni_user_name ); + } + + /* Prepare data */ + + prs_init( &ps, RPC_MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL); + + if ( !prs_uint32( "timestamp", &ps, 0, (uint32*)&t ) ) + return False; + + if ( net_io_user_info3("", user, &ps, 0, 3, 0) ) + { + data.dsize = prs_offset( &ps ); + data.dptr = prs_data_p( &ps ); + + if (tdb_store_bystring(netsamlogon_tdb, keystr, data, TDB_REPLACE) != -1) + result = True; + + prs_mem_free( &ps ); + } + + return result; +} + +/*********************************************************************** + Retrieves a NET_USER_INFO_3 structure from a tdb. Caller must + free the user_info struct (malloc()'d memory) +***********************************************************************/ + +NET_USER_INFO_3* netsamlogon_cache_get( TALLOC_CTX *mem_ctx, const DOM_SID *user_sid) +{ + NET_USER_INFO_3 *user = NULL; + TDB_DATA data, key; + prs_struct ps; + fstring keystr; + uint32 t; + + if (!netsamlogon_cache_init()) { + DEBUG(0,("netsamlogon_cache_store: cannot open %s for write!\n", NETSAMLOGON_TDB)); + return False; + } + + /* Prepare key as DOMAIN-SID/USER-RID string */ + slprintf(keystr, sizeof(keystr), "%s", sid_string_static(user_sid)); + DEBUG(10,("netsamlogon_cache_get: SID [%s]\n", keystr)); + key.dptr = keystr; + key.dsize = strlen(keystr)+1; + data = tdb_fetch( netsamlogon_tdb, key ); + + if ( data.dptr ) { + + if ( (user = SMB_MALLOC_P(NET_USER_INFO_3)) == NULL ) + return NULL; + + prs_init( &ps, 0, mem_ctx, UNMARSHALL ); + prs_give_memory( &ps, data.dptr, data.dsize, True ); + + if ( !prs_uint32( "timestamp", &ps, 0, &t ) ) { + prs_mem_free( &ps ); + return False; + } + + if ( !net_io_user_info3("", user, &ps, 0, 3, 0) ) { + SAFE_FREE( user ); + } + + prs_mem_free( &ps ); + +#if 0 /* The netsamlogon cache needs to hang around. Something about + this feels wrong, but it is the only way we can get all of the + groups. The old universal groups cache didn't expire either. + --jerry */ + { + time_t now = time(NULL); + uint32 time_diff; + + /* is the entry expired? */ + time_diff = now - t; + + if ( (time_diff < 0 ) || (time_diff > lp_winbind_cache_time()) ) { + DEBUG(10,("netsamlogon_cache_get: cache entry expired \n")); + tdb_delete( netsamlogon_tdb, key ); + SAFE_FREE( user ); + } +#endif + } + + return user; +} + +BOOL netsamlogon_cache_have(const DOM_SID *user_sid) +{ + TALLOC_CTX *mem_ctx = talloc_init("netsamlogon_cache_have"); + NET_USER_INFO_3 *user = NULL; + BOOL result; + + if (!mem_ctx) + return False; + + user = netsamlogon_cache_get(mem_ctx, user_sid); + + result = (user != NULL); + + talloc_destroy(mem_ctx); + SAFE_FREE(user); + + return result; +} diff --git a/source3/nsswitch/winbindd.c b/source3/nsswitch/winbindd.c index 7f2f3d780e..60a4e2f6c0 100644 --- a/source3/nsswitch/winbindd.c +++ b/source3/nsswitch/winbindd.c @@ -1063,6 +1063,8 @@ int main(int argc, char **argv) poptFreeContext(pc); + netsamlogon_cache_init(); /* Non-critical */ + init_domain_list(); init_idmap_child(); diff --git a/source3/nsswitch/winbindd_cache.c b/source3/nsswitch/winbindd_cache.c index 993e6d96e8..83ded01d4e 100644 --- a/source3/nsswitch/winbindd_cache.c +++ b/source3/nsswitch/winbindd_cache.c @@ -1073,6 +1073,18 @@ static NTSTATUS query_user(struct winbindd_domain *domain, centry = wcache_fetch(cache, domain, "U/%s", sid_string_static(user_sid)); + /* If we have an access denied cache entry and a cached info3 in the + samlogon cache then do a query. This will force the rpc back end + to return the info3 data. */ + + if (NT_STATUS_V(domain->last_status) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED) && + netsamlogon_cache_have(user_sid)) { + DEBUG(10, ("query_user: cached access denied and have cached info3\n")); + domain->last_status = NT_STATUS_OK; + centry_free(centry); + goto do_query; + } + if (!centry) goto do_query; @@ -1128,6 +1140,18 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, centry = wcache_fetch(cache, domain, "UG/%s", sid_to_string(sid_string, user_sid)); + /* If we have an access denied cache entry and a cached info3 in the + samlogon cache then do a query. This will force the rpc back end + to return the info3 data. */ + + if (NT_STATUS_V(domain->last_status) == NT_STATUS_V(NT_STATUS_ACCESS_DENIED) && + netsamlogon_cache_have(user_sid)) { + DEBUG(10, ("query_user: cached access denied and have cached info3\n")); + domain->last_status = NT_STATUS_OK; + centry_free(centry); + goto do_query; + } + if (!centry) goto do_query; @@ -1401,6 +1425,20 @@ static int traverse_fn(TDB_CONTEXT *the_tdb, TDB_DATA kbuf, TDB_DATA dbuf, return 0; } +/* Invalidate the getpwnam and getgroups entries for a winbindd domain */ + +void wcache_invalidate_samlogon(struct winbindd_domain *domain, + NET_USER_INFO_3 *info3) +{ + struct winbind_cache *cache; + + if (!domain) + return; + + cache = get_cache(domain); + netsamlogon_clear_cached_user(cache->tdb, info3); +} + void wcache_invalidate_cache(void) { struct winbindd_domain *domain; diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index 3571142c58..d398e41468 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -382,6 +382,9 @@ enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain, } while ( (attempts < 2) && retry ); if (NT_STATUS_IS_OK(result)) { + netsamlogon_cache_store(state->mem_ctx, name_user, &info3); + wcache_invalidate_samlogon(find_domain_from_name(name_domain), &info3); + /* Check if the user is in the right group */ if (!NT_STATUS_IS_OK(result = check_info3_in_group(state->mem_ctx, &info3, @@ -664,6 +667,11 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain, } while ( (attempts < 2) && retry ); if (NT_STATUS_IS_OK(result)) { + netsamlogon_cache_store(state->mem_ctx, name_user, &info3); + wcache_invalidate_samlogon(find_domain_from_name(name_domain), &info3); + + /* Check if the user is in the right group */ + if (!NT_STATUS_IS_OK(result = check_info3_in_group(state->mem_ctx, &info3, state->request.data.auth_crap.require_membership_of_sid))) { DEBUG(3, ("User %s is not in the required group (%s), so plaintext authentication is rejected\n", diff --git a/source3/nsswitch/winbindd_rpc.c b/source3/nsswitch/winbindd_rpc.c index b3bed2e0be..63e2487700 100644 --- a/source3/nsswitch/winbindd_rpc.c +++ b/source3/nsswitch/winbindd_rpc.c @@ -329,6 +329,7 @@ static NTSTATUS query_user(struct winbindd_domain *domain, SAM_USERINFO_CTR *ctr; fstring sid_string; uint32 user_rid; + NET_USER_INFO_3 *user; struct rpc_pipe_client *cli; DEBUG(3,("rpc: query_user rid=%s\n", @@ -337,6 +338,33 @@ static NTSTATUS query_user(struct winbindd_domain *domain, if (!sid_peek_check_rid(&domain->sid, user_sid, &user_rid)) return NT_STATUS_UNSUCCESSFUL; + /* try netsamlogon cache first */ + + if ( (user = netsamlogon_cache_get( mem_ctx, user_sid )) != NULL ) + { + + DEBUG(5,("query_user: Cache lookup succeeded for %s\n", + sid_string_static(user_sid))); + + sid_compose(&user_info->user_sid, &domain->sid, user_rid); + sid_compose(&user_info->group_sid, &domain->sid, + user->group_rid); + + user_info->acct_name = unistr2_tdup(mem_ctx, + &user->uni_user_name); + user_info->full_name = unistr2_tdup(mem_ctx, + &user->uni_full_name); + + user_info->homedir = NULL; + user_info->shell = NULL; + + SAFE_FREE(user); + + return NT_STATUS_OK; + } + + /* no cache; hit the wire */ + result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol); if (!NT_STATUS_IS_OK(result)) return result; @@ -384,6 +412,7 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, unsigned int i; fstring sid_string; uint32 user_rid; + NET_USER_INFO_3 *user; struct rpc_pipe_client *cli; DEBUG(3,("rpc: lookup_usergroups sid=%s\n", @@ -394,6 +423,29 @@ static NTSTATUS lookup_usergroups(struct winbindd_domain *domain, *num_groups = 0; *user_grpsids = NULL; + + /* so lets see if we have a cached user_info_3 */ + + if ( (user = netsamlogon_cache_get( mem_ctx, user_sid )) != NULL ) + { + DEBUG(5,("query_user: Cache lookup succeeded for %s\n", + sid_string_static(user_sid))); + + *num_groups = user->num_groups; + + (*user_grpsids) = TALLOC_ARRAY(mem_ctx, DOM_SID, *num_groups); + for (i=0;i<(*num_groups);i++) { + sid_copy(&((*user_grpsids)[i]), &domain->sid); + sid_append_rid(&((*user_grpsids)[i]), + user->gids[i].g_rid); + } + + SAFE_FREE(user); + + return NT_STATUS_OK; + } + + /* no cache; hit the wire */ result = cm_connect_sam(domain, mem_ctx, &cli, &dom_pol); if (!NT_STATUS_IS_OK(result)) -- cgit