s4-dsdb: create a static system_session context

This patch adds a system_session cache, preventing us from having to
recreate it on every ldb open, and allowing us to detect when the same
session is being used in ldb_wrap

source4/auth/auth.h

@@ -236,7 +236,7 @@ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 			    const char *name_for_logs,
 			    bool allow_domain_trust,
 			    bool password_change);
-struct auth_session_info *system_session(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx);
+struct auth_session_info *system_session(struct loadparm_context *lp_ctx);
 NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx,
 					   const char *netbios_name,
 					   const char *domain_name,

source4/auth/gensec/schannel_state.c

@@ -48,8 +48,8 @@ struct ldb_context *schannel_db_connect(TALLOC_CTX *mem_ctx, struct tevent_conte
 	existed = file_exist(path);
 	
 	ldb = ldb_wrap_connect(mem_ctx, ev_ctx, lp_ctx, path, 
-			       system_session(mem_ctx, lp_ctx), 
+			       system_session(lp_ctx), 
-			       NULL, LDB_FLG_NOSYNC, NULL);
+			       NULL, LDB_FLG_NOSYNC);
 	talloc_free(path);
 	if (!ldb) {
 		return NULL;

source4/auth/ntlm/auth_sam.c

@@ -202,7 +202,7 @@ static NTSTATUS authsam_check_password_internals(struct auth_method_context *ctx
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	sam_ctx = samdb_connect(tmp_ctx, ctx->auth_ctx->event_ctx, ctx->auth_ctx->lp_ctx, system_session(mem_ctx, ctx->auth_ctx->lp_ctx));
+	sam_ctx = samdb_connect(tmp_ctx, ctx->auth_ctx->event_ctx, ctx->auth_ctx->lp_ctx, system_session(ctx->auth_ctx->lp_ctx));
 	if (sam_ctx == NULL) {
 		talloc_free(tmp_ctx);
 		return NT_STATUS_INVALID_SYSTEM_SERVICE;
@@ -320,7 +320,7 @@ NTSTATUS authsam_get_server_info_principal(TALLOC_CTX *mem_ctx,
 	}
 
 	sam_ctx = samdb_connect(tmp_ctx, auth_context->event_ctx, auth_context->lp_ctx, 
-				system_session(tmp_ctx, auth_context->lp_ctx));
+				system_session(auth_context->lp_ctx));
 	if (sam_ctx == NULL) {
 		talloc_free(tmp_ctx);
 		return NT_STATUS_INVALID_SYSTEM_SERVICE;

source4/auth/pyauth.c

@@ -49,7 +49,7 @@ static PyObject *py_system_session(PyObject *module, PyObject *args)
 	if (lp_ctx == NULL)
 		return NULL;
 
-	session = system_session(NULL, lp_ctx);
+	session = system_session(lp_ctx);
 
 	return PyAuthSession_FromSession(session);
 }

source4/auth/session.h

@@ -35,7 +35,7 @@ struct tevent_context;
 /* Create a security token for a session SYSTEM (the most
  * trusted/prvilaged account), including the local machine account as
  * the off-host credentials */
-struct auth_session_info *system_session(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx) ;
+struct auth_session_info *system_session(struct loadparm_context *lp_ctx) ;
 
 /*
  * Create a system session, but with anonymous credentials (so we do

source4/auth/system_session.c

@@ -146,22 +146,37 @@ static NTSTATUS generate_session_info(TALLOC_CTX *mem_ctx,
 }
 
 
+/*
+  prevent the static system session being freed
+ */
+static int system_session_destructor(struct auth_session_info *info)
+{
+	return -1;
+}
 
 /* Create a security token for a session SYSTEM (the most
  * trusted/prvilaged account), including the local machine account as
  * the off-host credentials
  */ 
-_PUBLIC_ struct auth_session_info *system_session(TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx) 
+_PUBLIC_ struct auth_session_info *system_session(struct loadparm_context *lp_ctx) 
 {
+	static struct auth_session_info *static_session;
 	NTSTATUS nt_status;
-	struct auth_session_info *session_info = NULL;
+
-	nt_status = auth_system_session_info(mem_ctx,
+	if (static_session) {
+		return static_session;
+	}
+
+	nt_status = auth_system_session_info(talloc_autofree_context(),
 					     lp_ctx,
-					     &session_info);
+					     &static_session);
 	if (!NT_STATUS_IS_OK(nt_status)) {
+		talloc_free(static_session);
+		static_session = NULL;
 		return NULL;
 	}
-	return session_info;
+	talloc_set_destructor(static_session, system_session_destructor);
+	return static_session;
 }
 
 static NTSTATUS _auth_system_session_info(TALLOC_CTX *parent_ctx, 

source4/cldap_server/cldap_server.c

@@ -214,7 +214,7 @@ static void cldapd_task_init(struct task_server *task)
 	}
 
 	cldapd->task = task;
-	cldapd->samctx = samdb_connect(cldapd, task->event_ctx, task->lp_ctx, system_session(cldapd, task->lp_ctx));
+	cldapd->samctx = samdb_connect(cldapd, task->event_ctx, task->lp_ctx, system_session(task->lp_ctx));
 	if (cldapd->samctx == NULL) {
 		task_server_terminate(task, "cldapd failed to open samdb", true);
 		return;

source4/dsdb/samdb/cracknames.c

@@ -1251,7 +1251,7 @@ NTSTATUS crack_name_to_nt4_name(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_OK;
 	}
 
-	ldb = samdb_connect(mem_ctx, ev_ctx, lp_ctx, system_session(mem_ctx, lp_ctx));
+	ldb = samdb_connect(mem_ctx, ev_ctx, lp_ctx, system_session(lp_ctx));
 	if (ldb == NULL) {
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
 	}

source4/kdc/kpasswdd.c

@@ -181,7 +181,7 @@ static bool kpasswdd_change_password(struct kdc_server *kdc,
 	struct samr_DomInfo1 *dominfo;
 	struct ldb_context *samdb;
 
-	samdb = samdb_connect(mem_ctx, kdc->task->event_ctx, kdc->task->lp_ctx, system_session(mem_ctx, kdc->task->lp_ctx));
+	samdb = samdb_connect(mem_ctx, kdc->task->event_ctx, kdc->task->lp_ctx, system_session(kdc->task->lp_ctx));
 	if (!samdb) {
 		return kpasswdd_make_error_reply(kdc, mem_ctx, 
 						KRB5_KPASSWD_HARDERROR,

source4/ldap_server/ldap_server.c

@@ -527,7 +527,7 @@ static NTSTATUS add_socket(struct tevent_context *event_context,
 
 	/* Load LDAP database, but only to read our settings */
 	ldb = samdb_connect(ldap_service, ldap_service->task->event_ctx, 
-			    lp_ctx, system_session(ldap_service, lp_ctx));
+			    lp_ctx, system_session(lp_ctx));
 	if (!ldb) {
 		return NT_STATUS_INTERNAL_DB_CORRUPTION;
 	}

source4/lib/ldb/tools/cmdline.c

@@ -229,7 +229,7 @@ struct ldb_cmdline *ldb_cmdline_process(struct ldb_context *ldb,
 	/* Must be after we have processed command line options */
 	gensec_init(cmdline_lp_ctx); 
 	
-	if (ldb_set_opaque(ldb, "sessionInfo", system_session(ldb, cmdline_lp_ctx))) {
+	if (ldb_set_opaque(ldb, "sessionInfo", system_session(cmdline_lp_ctx))) {
 		goto failed;
 	}
 	if (ldb_set_opaque(ldb, "credentials", cmdline_credentials)) {

source4/nbt_server/nbt_server.c

@@ -66,7 +66,7 @@ static void nbtd_task_init(struct task_server *task)
 		return;
 	}
 
-	nbtsrv->sam_ctx = samdb_connect(nbtsrv, task->event_ctx, task->lp_ctx, system_session(nbtsrv, task->lp_ctx));
+	nbtsrv->sam_ctx = samdb_connect(nbtsrv, task->event_ctx, task->lp_ctx, system_session(task->lp_ctx));
 	if (nbtsrv->sam_ctx == NULL) {
 		task_server_terminate(task, "nbtd failed to open samdb", true);
 		return;

source4/ntp_signd/ntp_signd.c

@@ -371,7 +371,7 @@ static void ntp_signd_task_init(struct task_server *task)
 	ntp_signd->task = task;
 
 	/* Must be system to get at the password hashes */
-	ntp_signd->samdb = samdb_connect(ntp_signd, task->event_ctx, task->lp_ctx, system_session(ntp_signd, task->lp_ctx));
+	ntp_signd->samdb = samdb_connect(ntp_signd, task->event_ctx, task->lp_ctx, system_session(task->lp_ctx));
 	if (ntp_signd->samdb == NULL) {
 		task_server_terminate(task, "ntp_signd failed to open samdb", true);
 		return;

source4/ntptr/simple_ldb/ntptr_simple_ldb.c

@@ -44,8 +44,8 @@
  */
 static struct ldb_context *sptr_db_connect(TALLOC_CTX *mem_ctx, struct tevent_context *ev_ctx, struct loadparm_context *lp_ctx)
 {
-	return ldb_wrap_connect(mem_ctx, ev_ctx, lp_ctx, lp_spoolss_url(lp_ctx), system_session(mem_ctx, lp_ctx), 
+	return ldb_wrap_connect(mem_ctx, ev_ctx, lp_ctx, lp_spoolss_url(lp_ctx), system_session(lp_ctx), 
-				NULL, 0, NULL);
+				NULL, 0);
 }
 
 static int sptr_db_search(struct ldb_context *ldb,

source4/param/share_ldb.c

@@ -42,8 +42,8 @@ static NTSTATUS sldb_init(TALLOC_CTX *mem_ctx, const struct share_ops *ops,
 	
 	sdb = ldb_wrap_connect(*ctx, ev_ctx, lp_ctx, 
 			       private_path(*ctx, lp_ctx, "share.ldb"),
-			       system_session(*ctx, lp_ctx),
+			       system_session(lp_ctx),
-			       NULL, 0, NULL);
+			       NULL, 0);
 
 	if (!sdb) {
 		talloc_free(*ctx);

source4/rpc_server/drsuapi/dcesrv_drsuapi.c

@@ -61,7 +61,7 @@ static WERROR dcesrv_drsuapi_DsBind(struct dcesrv_call_state *dce_call, TALLOC_C
 	werr = drs_security_level_check(dce_call, NULL);
 	if (W_ERROR_IS_OK(werr)) {
 		DEBUG(2,(__location__ ": doing DsBind with system_session\n"));
-		auth_info = system_session(b_state, dce_call->conn->dce_ctx->lp_ctx);
+		auth_info = system_session(dce_call->conn->dce_ctx->lp_ctx);
 	} else {
 		auth_info = dce_call->conn->auth_state.session_info;
 	}

source4/rpc_server/lsa/dcesrv_lsa.c

@@ -2273,7 +2273,7 @@ static NTSTATUS dcesrv_lsa_CreateSecret(struct dcesrv_call_state *dce_call, TALL
 		name = &r->in.name.string[2];
 			/* We need to connect to the database as system, as this is one of the rare RPC calls that must read the secrets (and this is denied otherwise) */
 		secret_state->sam_ldb = talloc_reference(secret_state, 
-							 samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(secret_state, dce_call->conn->dce_ctx->lp_ctx))); 
+							 samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(dce_call->conn->dce_ctx->lp_ctx))); 
 		secret_state->global = true;
 
 		if (strlen(name) < 1) {
@@ -2410,7 +2410,7 @@ static NTSTATUS dcesrv_lsa_OpenSecret(struct dcesrv_call_state *dce_call, TALLOC
 		name = &r->in.name.string[2];
 		/* We need to connect to the database as system, as this is one of the rare RPC calls that must read the secrets (and this is denied otherwise) */
 		secret_state->sam_ldb = talloc_reference(secret_state, 
-							 samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(secret_state, dce_call->conn->dce_ctx->lp_ctx))); 
+							 samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(dce_call->conn->dce_ctx->lp_ctx))); 
 		secret_state->global = true;
 
 		if (strlen(name) < 1) {

source4/rpc_server/netlogon/dcerpc_netlogon.c

@@ -129,7 +129,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3(struct dcesrv_call_state *dce_ca
 	}
 
 	sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, 
-				system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx));
+				system_session(dce_call->conn->dce_ctx->lp_ctx));
 	if (sam_ctx == NULL) {
 		return NT_STATUS_INVALID_SYSTEM_SERVICE;
 	}
@@ -366,7 +366,7 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet(struct dcesrv_call_state *dce_call
 							&creds);
 	NT_STATUS_NOT_OK_RETURN(nt_status);
 
-	sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx));
+	sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(dce_call->conn->dce_ctx->lp_ctx));
 	if (sam_ctx == NULL) {
 		return NT_STATUS_INVALID_SYSTEM_SERVICE;
 	}
@@ -404,7 +404,7 @@ static NTSTATUS dcesrv_netr_ServerPasswordSet2(struct dcesrv_call_state *dce_cal
 							&creds);
 	NT_STATUS_NOT_OK_RETURN(nt_status);
 
-	sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx));
+	sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(dce_call->conn->dce_ctx->lp_ctx));
 	if (sam_ctx == NULL) {
 		return NT_STATUS_INVALID_SYSTEM_SERVICE;
 	}
@@ -1152,7 +1152,7 @@ static NTSTATUS dcesrv_netr_LogonGetDomainInfo(struct dcesrv_call_state *dce_cal
 
 	sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx,
 		dce_call->conn->dce_ctx->lp_ctx,
-		system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx));
+		system_session(dce_call->conn->dce_ctx->lp_ctx));
 	if (sam_ctx == NULL) {
 		return NT_STATUS_INVALID_SYSTEM_SERVICE;
 	}

source4/rpc_server/samr/samr_password.c

@@ -61,7 +61,7 @@ NTSTATUS dcesrv_samr_ChangePasswordUser(struct dcesrv_call_state *dce_call,
 	}
 
 	/* To change a password we need to open as system */
-	sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx));
+	sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(dce_call->conn->dce_ctx->lp_ctx));
 	if (sam_ctx == NULL) {
 		return NT_STATUS_INVALID_SYSTEM_SERVICE;
 	}
@@ -210,7 +210,7 @@ NTSTATUS dcesrv_samr_OemChangePasswordUser2(struct dcesrv_call_state *dce_call,
 	}
 
 	/* To change a password we need to open as system */
-	sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx));
+	sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(dce_call->conn->dce_ctx->lp_ctx));
 	if (sam_ctx == NULL) {
 		return NT_STATUS_INVALID_SYSTEM_SERVICE;
 	}
@@ -363,7 +363,7 @@ NTSTATUS dcesrv_samr_ChangePasswordUser3(struct dcesrv_call_state *dce_call,
 	}
 
 	/* To change a password we need to open as system */
-	sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(mem_ctx, dce_call->conn->dce_ctx->lp_ctx));
+	sam_ctx = samdb_connect(mem_ctx, dce_call->event_ctx, dce_call->conn->dce_ctx->lp_ctx, system_session(dce_call->conn->dce_ctx->lp_ctx));
 	if (sam_ctx == NULL) {
 		return NT_STATUS_INVALID_SYSTEM_SERVICE;
 	}

source4/torture/libnet/libnet_BecomeDC.c

@@ -317,8 +317,8 @@ static NTSTATUS test_apply_schema(struct test_become_dc_state *s,
 	sam_ldb_path = talloc_asprintf(s, "%s/%s", s->targetdir, "private/sam.ldb");
 	DEBUG(0,("Reopen the SAM LDB with system credentials and a already stored schema: %s\n", sam_ldb_path));
 	s->ldb = ldb_wrap_connect(s, s->tctx->ev, s->tctx->lp_ctx, sam_ldb_path,
-				  system_session(s, s->tctx->lp_ctx),
+				  system_session(s->tctx->lp_ctx),
-				  NULL, 0, NULL);
+				  NULL, 0);
 	if (!s->ldb) {
 		DEBUG(0,("Failed to open '%s'\n",
 			sam_ldb_path));
@@ -661,8 +661,8 @@ bool torture_net_become_dc(struct torture_context *torture)
 	sam_ldb_path = talloc_asprintf(s, "%s/%s", s->targetdir, "private/sam.ldb");
 	DEBUG(0,("Reopen the SAM LDB with system credentials and all replicated data: %s\n", sam_ldb_path));
 	s->ldb = ldb_wrap_connect(s, s->tctx->ev, s->lp_ctx, sam_ldb_path,
-				  system_session(s, s->lp_ctx),
+				  system_session(s->lp_ctx),
-				  NULL, 0, NULL);
+				  NULL, 0);
 	if (!s->ldb) {
 		DEBUG(0,("Failed to open '%s'\n",
 			sam_ldb_path));

source4/utils/net/net_vampire.c

@@ -154,7 +154,7 @@ int net_samsync_ldb(struct net_context *ctx, int argc, const char **argv)
 	r.in.binding_string = NULL;
 
 	/* Needed to override the ACLs on ldb */
-	r.in.session_info = system_session(libnetctx, ctx->lp_ctx);
+	r.in.session_info = system_session(ctx->lp_ctx);
 
 	status = libnet_samsync_ldb(libnetctx, libnetctx, &r);
 	if (!NT_STATUS_IS_OK(status)) {

source4/wrepl_server/wrepl_server.c

@@ -40,7 +40,7 @@ static struct ldb_context *wins_config_db_connect(TALLOC_CTX *mem_ctx,
 {
 	return ldb_wrap_connect(mem_ctx, ev_ctx, lp_ctx, private_path(mem_ctx, 
 			        lp_ctx, lp_wins_config_url(lp_ctx)),
-				system_session(mem_ctx, lp_ctx), NULL, 0, NULL);
+				system_session(lp_ctx), NULL, 0);
 }
 
 static uint64_t wins_config_db_get_seqnumber(struct ldb_context *ldb)