1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

s3: Move the in-memory ccache to the parent

None of this blocks, so there is no reason to keep this in
a winbind child process
This commit is contained in:
Volker Lendecke 2010-04-18 14:14:43 +02:00
parent c04ce964e9
commit 56b4aa3266
7 changed files with 90 additions and 95 deletions

View File

@ -168,6 +168,10 @@ void winbindd_ccache_ntlm_auth(struct winbindd_cli_state *state)
{
struct winbindd_domain *domain;
fstring name_domain, name_user;
NTSTATUS result = NT_STATUS_NOT_SUPPORTED;
struct WINBINDD_MEMORY_CREDS *entry;
DATA_BLOB initial, challenge, auth;
uint32 initial_blob_len, challenge_blob_len, extra_len;
/* Ensure null termination */
state->request->data.ccache_ntlm_auth.user[
@ -200,26 +204,6 @@ void winbindd_ccache_ntlm_auth(struct winbindd_cli_state *state)
return;
}
sendto_domain(state, domain);
}
enum winbindd_result winbindd_dual_ccache_ntlm_auth(struct winbindd_domain *domain,
struct winbindd_cli_state *state)
{
NTSTATUS result = NT_STATUS_NOT_SUPPORTED;
struct WINBINDD_MEMORY_CREDS *entry;
DATA_BLOB initial, challenge, auth;
fstring name_domain, name_user;
uint32 initial_blob_len, challenge_blob_len, extra_len;
/* Ensure null termination */
state->request->data.ccache_ntlm_auth.user[
sizeof(state->request->data.ccache_ntlm_auth.user)-1]='\0';
DEBUG(3, ("winbindd_dual_ccache_ntlm_auth: [%5lu]: perform NTLM auth on "
"behalf of user %s (dual)\n", (unsigned long)state->pid,
state->request->data.ccache_ntlm_auth.user));
/* validate blob lengths */
initial_blob_len = state->request->data.ccache_ntlm_auth.initial_blob_len;
challenge_blob_len = state->request->data.ccache_ntlm_auth.challenge_blob_len;
@ -294,13 +278,18 @@ enum winbindd_result winbindd_dual_ccache_ntlm_auth(struct winbindd_domain *doma
data_blob_free(&auth);
process_result:
return NT_STATUS_IS_OK(result) ? WINBINDD_OK : WINBINDD_ERROR;
if (!NT_STATUS_IS_OK(result)) {
request_error(state);
return;
}
request_ok(state);
}
void winbindd_ccache_save(struct winbindd_cli_state *state)
{
struct winbindd_domain *domain;
fstring name_domain, name_user;
NTSTATUS status;
/* Ensure null termination */
state->request->data.ccache_save.user[
@ -323,8 +312,16 @@ void winbindd_ccache_save(struct winbindd_cli_state *state)
return;
}
domain = find_auth_domain(state->request->flags, name_domain);
/*
* The domain is checked here only for compatibility
* reasons. We used to do the winbindd memory ccache for
* ntlm_auth in the domain child. With that code, we had to
* make sure that we do have a domain around to send this
* to. Now we do the memory cache in the parent winbindd,
* where it would not matter if we have a domain or not.
*/
domain = find_auth_domain(state->request->flags, name_domain);
if (domain == NULL) {
DEBUG(5, ("winbindd_ccache_save: can't get domain [%s]\n",
name_domain));
@ -337,24 +334,6 @@ void winbindd_ccache_save(struct winbindd_cli_state *state)
return;
}
sendto_domain(state, domain);
}
enum winbindd_result winbindd_dual_ccache_save(
struct winbindd_domain *domain, struct winbindd_cli_state *state)
{
NTSTATUS status = NT_STATUS_NOT_SUPPORTED;
/* Ensure null termination */
state->request->data.ccache_save.user[
sizeof(state->request->data.ccache_save.user)-1]='\0';
state->request->data.ccache_save.pass[
sizeof(state->request->data.ccache_save.pass)-1]='\0';
DEBUG(3, ("winbindd_dual_ccache_save: [%5lu]: save password of user "
"%s\n", (unsigned long)state->pid,
state->request->data.ccache_save.user));
status = winbindd_add_memory_creds(
state->request->data.ccache_save.user,
state->request->data.ccache_save.uid,
@ -363,8 +342,8 @@ enum winbindd_result winbindd_dual_ccache_save(
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("winbindd_add_memory_creds failed %s\n",
nt_errstr(status)));
return WINBINDD_ERROR;
request_error(state);
return;
}
return WINBINDD_OK;
request_ok(state);
}

View File

@ -62,14 +62,6 @@ static const struct winbindd_child_dispatch_table domain_dispatch_table[] = {
.name = "PAM_CHAUTHTOK",
.struct_cmd = WINBINDD_PAM_CHAUTHTOK,
.struct_fn = winbindd_dual_pam_chauthtok,
},{
.name = "CCACHE_NTLM_AUTH",
.struct_cmd = WINBINDD_CCACHE_NTLMAUTH,
.struct_fn = winbindd_dual_ccache_ntlm_auth,
},{
.name = "CCACHE_SAVE",
.struct_cmd = WINBINDD_CCACHE_SAVE,
.struct_fn = winbindd_dual_ccache_save,
},{
.name = "NDRCMD",
.struct_cmd = WINBINDD_DUAL_NDRCMD,

View File

@ -522,11 +522,11 @@ static void setup_return_cc_name(struct winbindd_cli_state *state, const char *c
#endif
static uid_t get_uid_from_state(struct winbindd_cli_state *state)
uid_t get_uid_from_request(struct winbindd_request *request)
{
uid_t uid;
uid = state->request->data.auth.uid;
uid = request->data.auth.uid;
if (uid < 0) {
DEBUG(1,("invalid uid: '%u'\n", (unsigned int)uid));
@ -535,6 +535,11 @@ static uid_t get_uid_from_state(struct winbindd_cli_state *state)
return uid;
}
static uid_t get_uid_from_state(struct winbindd_cli_state *state)
{
return get_uid_from_request(state->request);
}
/**********************************************************************
Authenticate a user with a clear text password using Kerberos and fill up
ccache if required
@ -1623,30 +1628,12 @@ process_result:
if ((state->request->flags & WBFLAG_PAM_CACHED_LOGIN)) {
/* Store in-memory creds for single-signon using ntlm_auth. */
result = winbindd_add_memory_creds(state->request->data.auth.user,
get_uid_from_state(state),
state->request->data.auth.pass);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("Failed to store memory creds: %s\n", nt_errstr(result)));
goto done;
}
if (lp_winbind_offline_logon()) {
result = winbindd_store_creds(domain,
state->mem_ctx,
state->request->data.auth.user,
state->request->data.auth.pass,
info3, NULL);
if (!NT_STATUS_IS_OK(result)) {
/* Release refcount. */
winbindd_delete_memory_creds(state->request->data.auth.user);
DEBUG(10,("Failed to store creds: %s\n", nt_errstr(result)));
goto done;
}
}
}
@ -2026,26 +2013,6 @@ enum winbindd_result winbindd_dual_pam_chauthtok(struct winbindd_domain *contact
done:
if (NT_STATUS_IS_OK(result) && (state->request->flags & WBFLAG_PAM_CACHED_LOGIN)) {
/* Update the single sign-on memory creds. */
result = winbindd_replace_memory_creds(state->request->data.chauthtok.user,
newpass);
/* When we login from gdm or xdm and password expires,
* we change password, but there are no memory crendentials
* So, winbindd_replace_memory_creds() returns
* NT_STATUS_OBJECT_NAME_NOT_FOUND. This is not a failure.
* --- BoYang
* */
if (NT_STATUS_EQUAL(result, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
result = NT_STATUS_OK;
}
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("Failed to replace memory creds: %s\n", nt_errstr(result)));
goto process_result;
}
if (lp_winbind_offline_logon()) {
result = winbindd_update_creds_by_name(contact_domain,
state->mem_ctx, user,
@ -2152,7 +2119,6 @@ enum winbindd_result winbindd_dual_pam_logoff(struct winbindd_domain *domain,
process_result:
winbindd_delete_memory_creds(state->request->data.logoff.user);
set_auth_errors(state->response, result);

View File

@ -21,6 +21,7 @@
#include "winbindd.h"
struct winbindd_pam_auth_state {
struct winbindd_request *request;
struct winbindd_response *response;
};
@ -43,6 +44,7 @@ struct tevent_req *winbindd_pam_auth_send(TALLOC_CTX *mem_ctx,
if (req == NULL) {
return NULL;
}
state->request = request;
/* Ensure null termination */
request->data.auth.user[sizeof(request->data.auth.user)-1] = '\0';
@ -121,5 +123,23 @@ NTSTATUS winbindd_pam_auth_recv(struct tevent_req *req,
*response = *state->response;
response->result = WINBINDD_PENDING;
state->response = talloc_move(response, &state->response);
return NT_STATUS(response->data.auth.nt_status);
status = NT_STATUS(response->data.auth.nt_status);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
if (state->request->flags & WBFLAG_PAM_CACHED_LOGIN) {
/* Store in-memory creds for single-signon using ntlm_auth. */
status = winbindd_add_memory_creds(
state->request->data.auth.user,
get_uid_from_request(state->request),
state->request->data.auth.pass);
DEBUG(10, ("winbindd_add_memory_creds returned: %s\n",
nt_errstr(status)));
}
return status;
}

View File

@ -21,6 +21,7 @@
#include "winbindd.h"
struct winbindd_pam_chauthtok_state {
struct winbindd_request *request;
struct winbindd_response *response;
};
@ -44,6 +45,7 @@ struct tevent_req *winbindd_pam_chauthtok_send(
if (req == NULL) {
return NULL;
}
state->request = request;
/* Ensure null termination */
request->data.chauthtok.user[
@ -117,5 +119,32 @@ NTSTATUS winbindd_pam_chauthtok_recv(struct tevent_req *req,
*response = *state->response;
response->result = WINBINDD_PENDING;
state->response = talloc_move(response, &state->response);
return NT_STATUS(response->data.auth.nt_status);
status = NT_STATUS(response->data.auth.nt_status);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
if (state->request->flags & WBFLAG_PAM_CACHED_LOGIN) {
/* Update the single sign-on memory creds. */
status = winbindd_replace_memory_creds(
state->request->data.chauthtok.user,
state->request->data.chauthtok.newpass);
DEBUG(10, ("winbindd_replace_memory_creds returned %s\n",
nt_errstr(status)));
/*
* When we login from gdm or xdm and password expires,
* we change password, but there are no memory
* crendentials So, winbindd_replace_memory_creds()
* returns NT_STATUS_OBJECT_NAME_NOT_FOUND. This is
* not a failure. --- BoYang
*/
if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
status = NT_STATUS_OK;
}
}
return status;
}

View File

@ -21,6 +21,7 @@
#include "winbindd.h"
struct winbindd_pam_logoff_state {
struct winbindd_request *request;
struct winbindd_response *response;
};
@ -43,6 +44,7 @@ struct tevent_req *winbindd_pam_logoff_send(TALLOC_CTX *mem_ctx,
if (req == NULL) {
return NULL;
}
state->request = request;
/* Ensure null termination */
/* Ensure null termination */
@ -135,5 +137,11 @@ NTSTATUS winbindd_pam_logoff_recv(struct tevent_req *req,
*response = *state->response;
response->result = WINBINDD_PENDING;
state->response = talloc_move(response, &state->response);
return NT_STATUS(response->data.auth.nt_status);
status = NT_STATUS(response->data.auth.nt_status);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
winbindd_delete_memory_creds(state->request->data.logoff.user);
return status;
}

View File

@ -380,6 +380,7 @@ void ndr_print_winbindd_domain(struct ndr_print *ndr,
/* The following definitions come from winbindd/winbindd_pam.c */
bool check_request_flags(uint32_t flags);
uid_t get_uid_from_request(struct winbindd_request *request);
struct winbindd_domain *find_auth_domain(uint8_t flags,
const char *domain_name);
enum winbindd_result winbindd_dual_pam_auth(struct winbindd_domain *domain,