2017-01-24 21:17:38 +01:00
/*
2002-11-26 11:57:30 +00:00
Unix SMB / CIFS implementation .
Trusted domain names cache on top of gencache .
Copyright ( C ) Rafal Szczesniak 2002
2009-07-10 12:12:30 +02:00
2002-11-26 11:57:30 +00:00
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-09 19:25:36 +00:00
the Free Software Foundation ; either version 3 of the License , or
2002-11-26 11:57:30 +00:00
( at your option ) any later version .
2009-07-10 12:12:30 +02:00
2002-11-26 11:57:30 +00:00
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
2009-07-10 12:12:30 +02:00
2002-11-26 11:57:30 +00:00
You should have received a copy of the GNU General Public License
2007-07-10 00:52:41 +00:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2002-11-26 11:57:30 +00:00
*/
# include "includes.h"
2010-10-12 15:27:50 +11:00
# include "../libcli/security/security.h"
2011-11-02 12:50:34 +01:00
# include "../librpc/gen_ndr/ndr_lsa_c.h"
# include "libsmb/libsmb.h"
# include "rpc_client/cli_pipe.h"
# include "rpc_client/cli_lsarpc.h"
2002-11-26 11:57:30 +00:00
# undef DBGC_CLASS
# define DBGC_CLASS DBGC_ALL /* there's no proper class yet */
# define TDOMKEY_FMT "TDOM / %s"
2003-07-01 03:49:41 +00:00
# define TDOMTSKEY "TDOMCACHE / TIMESTAMP"
2017-01-24 21:35:16 +01:00
# define TRUSTDOM_UPDATE_INTERVAL 600
2002-11-26 11:57:30 +00:00
/**
* @ file trustdom_cache . c
*
* Implementation of trusted domain names cache useful when
* samba acts as domain member server . In such case , caching
* domain names currently trusted gives a performance gain
* because there ' s no need to query PDC each time we need
* list of trusted domains
* */
/**
* Form up trustdom name key . It is based only
* on domain name now .
*
* @ param name trusted domain name
* @ return cache key for use in gencache mechanism
* */
2017-01-24 21:40:42 +01:00
static char * trustdom_cache_key ( TALLOC_CTX * mem_ctx , const char * name )
2002-11-26 11:57:30 +00:00
{
2017-01-24 21:40:42 +01:00
return talloc_asprintf_strupper_m ( mem_ctx , TDOMKEY_FMT , name ) ;
2002-11-26 11:57:30 +00:00
}
/**
* Store trusted domain in gencache as the domain name ( key )
2007-03-20 21:21:04 +00:00
* and trusted domain ' s SID ( value )
2002-11-26 11:57:30 +00:00
*
* @ param name trusted domain name
* @ param alt_name alternative trusted domain name ( used in ADS domains )
* @ param sid trusted domain ' s SID
* @ param timeout cache entry expiration time
* @ return true upon successful value storing or
* false if store attempt failed
* */
2017-01-24 21:17:38 +01:00
2017-01-24 21:35:16 +01:00
bool trustdom_cache_store ( const char * name , const struct dom_sid * sid )
2002-11-26 11:57:30 +00:00
{
2017-01-24 21:35:16 +01:00
char * key ;
2002-11-26 11:57:30 +00:00
fstring sid_string ;
2007-10-18 17:40:25 -07:00
bool ret ;
2002-11-26 11:57:30 +00:00
DEBUG ( 5 , ( " trustdom_store: storing SID %s of domain %s \n " ,
2007-12-15 21:11:36 +01:00
sid_string_dbg ( sid ) , name ) ) ;
2002-11-26 11:57:30 +00:00
2017-01-24 21:40:42 +01:00
key = trustdom_cache_key ( talloc_tos ( ) , name ) ;
2002-11-26 11:57:30 +00:00
/* Generate string representation domain SID */
2007-12-15 22:47:30 +01:00
sid_to_fstring ( sid_string , sid ) ;
2002-11-26 11:57:30 +00:00
2017-01-24 21:35:16 +01:00
ret = gencache_set ( key , sid_string ,
time ( NULL ) + TRUSTDOM_UPDATE_INTERVAL ) ;
2017-01-24 21:40:42 +01:00
TALLOC_FREE ( key ) ;
2004-05-19 21:49:58 +00:00
return ret ;
2002-11-26 11:57:30 +00:00
}
/**
2007-03-20 21:21:04 +00:00
* Fetch trusted domain ' s SID from the gencache .
2002-11-26 11:57:30 +00:00
* This routine can also be used to check whether given
* domain is currently trusted one .
*
* @ param name trusted domain name
* @ param sid trusted domain ' s SID to be returned
* @ return true if entry is found or
* false if has expired / doesn ' t exist
* */
2009-07-10 12:12:30 +02:00
2010-05-21 11:25:01 +10:00
bool trustdom_cache_fetch ( const char * name , struct dom_sid * sid )
2002-11-26 11:57:30 +00:00
{
2004-05-19 21:49:58 +00:00
char * key = NULL , * value = NULL ;
2008-07-11 17:44:25 +02:00
time_t timeout ;
2017-01-24 21:42:51 +01:00
bool ok ;
2002-11-26 11:57:30 +00:00
/* exit now if null pointers were passed as they're required further */
2017-01-24 21:42:51 +01:00
if ( sid = = NULL ) {
return false ;
}
2002-11-26 11:57:30 +00:00
/* prepare a key and get the value */
2017-01-24 21:40:42 +01:00
key = trustdom_cache_key ( talloc_tos ( ) , name ) ;
2017-01-24 21:42:51 +01:00
if ( key = = NULL ) {
return false ;
}
2009-07-10 12:12:30 +02:00
2017-01-24 21:42:51 +01:00
ok = gencache_get ( key , talloc_tos ( ) , & value , & timeout ) ;
TALLOC_FREE ( key ) ;
if ( ! ok ) {
2002-11-26 11:57:30 +00:00
DEBUG ( 5 , ( " no entry for trusted domain %s found. \n " , name ) ) ;
2017-01-24 21:42:51 +01:00
return false ;
2002-11-26 11:57:30 +00:00
}
2017-01-24 21:42:51 +01:00
DEBUG ( 5 , ( " trusted domain %s found (%s) \n " , name , value ) ) ;
2009-07-10 12:12:30 +02:00
2017-01-24 21:42:51 +01:00
/* convert sid string representation into struct dom_sid structure */
ok = string_to_sid ( sid , value ) ;
2013-09-04 08:57:59 +02:00
TALLOC_FREE ( value ) ;
2017-01-24 21:42:51 +01:00
return ok ;
2002-11-26 11:57:30 +00:00
}
2003-07-01 03:49:41 +00:00
/*******************************************************************
2017-01-24 21:17:38 +01:00
fetch the timestamp from the last update
2003-07-01 03:49:41 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2017-01-24 21:30:40 +01:00
static uint32_t trustdom_cache_fetch_timestamp ( void )
2003-07-01 03:49:41 +00:00
{
2004-05-19 21:49:58 +00:00
char * value = NULL ;
2008-07-11 17:44:25 +02:00
time_t timeout ;
2015-04-24 19:22:21 -07:00
uint32_t timestamp ;
2003-07-01 03:49:41 +00:00
2013-09-04 08:57:59 +02:00
if ( ! gencache_get ( TDOMTSKEY , talloc_tos ( ) , & value , & timeout ) ) {
2003-07-01 03:49:41 +00:00
DEBUG ( 5 , ( " no timestamp for trusted domain cache located. \n " ) ) ;
2004-05-19 21:49:58 +00:00
SAFE_FREE ( value ) ;
2003-07-01 03:49:41 +00:00
return 0 ;
2017-01-24 21:17:38 +01:00
}
2003-07-01 03:49:41 +00:00
timestamp = atoi ( value ) ;
2009-07-10 12:12:30 +02:00
2013-09-04 08:57:59 +02:00
TALLOC_FREE ( value ) ;
2003-07-01 03:49:41 +00:00
return timestamp ;
}
/*******************************************************************
2017-01-24 21:17:38 +01:00
store the timestamp from the last update
2003-07-01 03:49:41 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2017-01-24 21:30:40 +01:00
static bool trustdom_cache_store_timestamp ( uint32_t t , time_t timeout )
2003-07-01 03:49:41 +00:00
{
fstring value ;
2003-07-23 12:33:59 +00:00
fstr_sprintf ( value , " %d " , t ) ;
2009-07-10 12:12:30 +02:00
2003-07-01 03:49:41 +00:00
if ( ! gencache_set ( TDOMTSKEY , value , timeout ) ) {
DEBUG ( 5 , ( " failed to set timestamp for trustdom_cache \n " ) ) ;
return False ;
2017-01-24 21:17:38 +01:00
}
2003-07-01 03:49:41 +00:00
return True ;
}
2002-11-26 11:57:30 +00:00
/**
* Delete single trustdom entry . Look at the
* gencache_iterate definition .
*
* */
static void flush_trustdom_name ( const char * key , const char * value , time_t timeout , void * dptr )
{
gencache_del ( key ) ;
DEBUG ( 5 , ( " Deleting entry %s \n " , key ) ) ;
}
/**
* Flush all the trusted domains entries from the cache .
* */
void trustdom_cache_flush ( void )
{
2017-01-24 21:40:42 +01:00
char * key = trustdom_cache_key ( talloc_tos ( ) , " * " ) ;
2017-01-24 21:17:38 +01:00
/*
2002-11-26 11:57:30 +00:00
* iterate through each TDOM cache ' s entry and flush it
* by flush_trustdom_name function
*/
2017-01-24 21:40:42 +01:00
gencache_iterate ( flush_trustdom_name , NULL , key ) ;
TALLOC_FREE ( key ) ;
2002-11-26 11:57:30 +00:00
DEBUG ( 5 , ( " Trusted domains cache flushed \n " ) ) ;
}
2011-11-02 12:50:34 +01:00
/*********************************************************************
Enumerate the list of trusted domains from a DC
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
static bool enumerate_domain_trusts ( TALLOC_CTX * mem_ctx , const char * domain ,
2015-04-24 19:22:21 -07:00
char * * * domain_names , uint32_t * num_domains ,
2011-11-02 12:50:34 +01:00
struct dom_sid * * sids )
{
struct policy_handle pol ;
NTSTATUS status , result ;
fstring dc_name ;
struct sockaddr_storage dc_ss ;
2015-04-24 19:22:21 -07:00
uint32_t enum_ctx = 0 ;
2011-11-02 12:50:34 +01:00
struct cli_state * cli = NULL ;
struct rpc_pipe_client * lsa_pipe = NULL ;
struct lsa_DomainList dom_list ;
int i ;
struct dcerpc_binding_handle * b = NULL ;
* domain_names = NULL ;
* num_domains = 0 ;
* sids = NULL ;
/* lookup a DC first */
if ( ! get_dc_name ( domain , NULL , dc_name , & dc_ss ) ) {
DEBUG ( 3 , ( " enumerate_domain_trusts: can't locate a DC for domain %s \n " ,
domain ) ) ;
return False ;
}
/* setup the anonymous connection */
status = cli_full_connection ( & cli , lp_netbios_name ( ) , dc_name , & dc_ss , 0 , " IPC$ " , " IPC " ,
" " , " " , " " , 0 , Undefined ) ;
if ( ! NT_STATUS_IS_OK ( status ) )
goto done ;
/* open the LSARPC_PIPE */
2013-05-24 13:29:28 +02:00
status = cli_rpc_pipe_open_noauth ( cli , & ndr_table_lsarpc ,
2011-11-02 12:50:34 +01:00
& lsa_pipe ) ;
if ( ! NT_STATUS_IS_OK ( status ) ) {
goto done ;
}
b = lsa_pipe - > binding_handle ;
/* get a handle */
status = rpccli_lsa_open_policy ( lsa_pipe , mem_ctx , True ,
LSA_POLICY_VIEW_LOCAL_INFORMATION , & pol ) ;
if ( ! NT_STATUS_IS_OK ( status ) )
goto done ;
/* Lookup list of trusted domains */
status = dcerpc_lsa_EnumTrustDom ( b , mem_ctx ,
& pol ,
& enum_ctx ,
& dom_list ,
( uint32_t ) - 1 ,
& result ) ;
if ( ! NT_STATUS_IS_OK ( status ) )
goto done ;
if ( ! NT_STATUS_IS_OK ( result ) ) {
status = result ;
goto done ;
}
* num_domains = dom_list . count ;
* domain_names = talloc_zero_array ( mem_ctx , char * , * num_domains ) ;
if ( ! * domain_names ) {
status = NT_STATUS_NO_MEMORY ;
goto done ;
}
* sids = talloc_zero_array ( mem_ctx , struct dom_sid , * num_domains ) ;
if ( ! * sids ) {
status = NT_STATUS_NO_MEMORY ;
goto done ;
}
for ( i = 0 ; i < * num_domains ; i + + ) {
( * domain_names ) [ i ] = discard_const_p ( char , dom_list . domains [ i ] . name . string ) ;
( * sids ) [ i ] = * dom_list . domains [ i ] . sid ;
}
done :
/* cleanup */
if ( cli ) {
DEBUG ( 10 , ( " enumerate_domain_trusts: shutting down connection... \n " ) ) ;
cli_shutdown ( cli ) ;
}
return NT_STATUS_IS_OK ( status ) ;
}
2003-07-01 03:49:41 +00:00
/********************************************************************
2017-01-24 21:17:38 +01:00
update the trustdom_cache if needed
2003-07-01 03:49:41 +00:00
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
void update_trustdom_cache ( void )
{
char * * domain_names ;
2010-05-21 11:25:01 +10:00
struct dom_sid * dom_sids ;
2015-04-24 19:22:21 -07:00
uint32_t num_domains ;
uint32_t last_check ;
2003-07-01 03:49:41 +00:00
int time_diff ;
TALLOC_CTX * mem_ctx = NULL ;
time_t now = time ( NULL ) ;
int i ;
2009-07-10 12:12:30 +02:00
2017-01-24 21:17:38 +01:00
/* get the timestamp. We have to initialise it if the last timestamp == 0 */
if ( ( last_check = trustdom_cache_fetch_timestamp ( ) ) = = 0 )
2003-07-01 03:49:41 +00:00
trustdom_cache_store_timestamp ( 0 , now + TRUSTDOM_UPDATE_INTERVAL ) ;
2005-04-19 19:23:49 +00:00
time_diff = ( int ) ( now - last_check ) ;
2009-07-10 12:12:30 +02:00
2003-07-01 03:49:41 +00:00
if ( ( time_diff > 0 ) & & ( time_diff < TRUSTDOM_UPDATE_INTERVAL ) ) {
DEBUG ( 10 , ( " update_trustdom_cache: not time to update trustdom_cache yet \n " ) ) ;
return ;
}
2007-01-11 23:10:16 +00:00
/* note that we don't lock the timestamp. This prevents this
smbd from blocking all other smbd daemons while we
enumerate the trusted domains */
trustdom_cache_store_timestamp ( now , now + TRUSTDOM_UPDATE_INTERVAL ) ;
2009-07-10 12:12:30 +02:00
2003-07-01 03:49:41 +00:00
if ( ! ( mem_ctx = talloc_init ( " update_trustdom_cache " ) ) ) {
DEBUG ( 0 , ( " update_trustdom_cache: talloc_init() failed! \n " ) ) ;
goto done ;
}
/* get the domains and store them */
2009-07-10 12:12:30 +02:00
2017-01-24 21:17:38 +01:00
if ( enumerate_domain_trusts ( mem_ctx , lp_workgroup ( ) , & domain_names ,
2007-01-11 23:10:16 +00:00
& num_domains , & dom_sids ) ) {
2003-07-01 03:49:41 +00:00
for ( i = 0 ; i < num_domains ; i + + ) {
2017-01-24 21:35:16 +01:00
trustdom_cache_store ( domain_names [ i ] , & dom_sids [ i ] ) ;
2017-01-24 21:17:38 +01:00
}
2007-01-11 23:10:16 +00:00
} else {
/* we failed to fetch the list of trusted domains - restore the old
timestamp */
2017-01-24 21:17:38 +01:00
trustdom_cache_store_timestamp ( last_check ,
2007-01-11 23:10:16 +00:00
last_check + TRUSTDOM_UPDATE_INTERVAL ) ;
2003-07-01 03:49:41 +00:00
}
2017-01-24 21:17:38 +01:00
done :
2003-07-01 03:49:41 +00:00
talloc_destroy ( mem_ctx ) ;
2009-07-10 12:12:30 +02:00
2003-07-01 03:49:41 +00:00
return ;
}