1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-25 23:21:54 +03:00
samba-mirror/source3/nsswitch/winbindd_cred_cache.c
2007-10-10 12:01:04 -05:00

669 lines
18 KiB
C

/*
Unix SMB/CIFS implementation.
Winbind daemon - krb5 credential cache functions
and in-memory cache functions.
Copyright (C) Guenther Deschner 2005-2006
Copyright (C) Jeremy Allison 2006
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "includes.h"
#include "winbindd.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_WINBIND
#define MAX_CCACHES 100
static struct WINBINDD_CCACHE_ENTRY *ccache_list;
/****************************************************************
Find an entry by name.
****************************************************************/
static struct WINBINDD_CCACHE_ENTRY *get_ccache_by_username(const char *username)
{
struct WINBINDD_CCACHE_ENTRY *entry;
for (entry = ccache_list; entry; entry = entry->next) {
if (strequal(entry->username, username)) {
return entry;
}
}
return NULL;
}
/****************************************************************
How many do we have ?
****************************************************************/
static int ccache_entry_count(void)
{
struct WINBINDD_CCACHE_ENTRY *entry;
int i = 0;
for (entry = ccache_list; entry; entry = entry->next) {
i++;
}
return i;
}
/****************************************************************
Do the work of refreshing the ticket.
****************************************************************/
static void krb5_ticket_refresh_handler(struct timed_event *te,
const struct timeval *now,
void *private_data)
{
struct WINBINDD_CCACHE_ENTRY *entry =
talloc_get_type_abort(private_data, struct WINBINDD_CCACHE_ENTRY);
#ifdef HAVE_KRB5
int ret;
time_t new_start;
struct WINBINDD_MEMORY_CREDS *cred_ptr = entry->cred_ptr;
#endif
DEBUG(10,("krb5_ticket_refresh_handler called\n"));
DEBUGADD(10,("event called for: %s, %s\n", entry->ccname, entry->username));
TALLOC_FREE(entry->event);
#ifdef HAVE_KRB5
/* Kinit again if we have the user password and we can't renew the old
* tgt anymore */
if ((entry->renew_until < time(NULL)) && cred_ptr && cred_ptr->pass) {
set_effective_uid(entry->uid);
ret = kerberos_kinit_password_ext(entry->principal_name,
cred_ptr->pass,
0, /* hm, can we do time correction here ? */
&entry->refresh_time,
&entry->renew_until,
entry->ccname,
False, /* no PAC required anymore */
True,
WINBINDD_PAM_AUTH_KRB5_RENEW_TIME);
gain_root_privilege();
if (ret) {
DEBUG(3,("krb5_ticket_refresh_handler: could not re-kinit: %s\n",
error_message(ret)));
TALLOC_FREE(entry->event);
return;
}
DEBUG(10,("krb5_ticket_refresh_handler: successful re-kinit "
"for: %s in ccache: %s\n",
entry->principal_name, entry->ccname));
new_start = entry->refresh_time;
goto done;
}
set_effective_uid(entry->uid);
ret = smb_krb5_renew_ticket(entry->ccname,
entry->principal_name,
entry->service,
&new_start);
gain_root_privilege();
if (ret) {
DEBUG(3,("krb5_ticket_refresh_handler: could not renew tickets: %s\n",
error_message(ret)));
/* maybe we are beyond the renewing window */
/* avoid breaking the renewal chain: retry in lp_winbind_cache_time()
* seconds when the KDC was not available right now. */
if (ret == KRB5_KDC_UNREACH) {
new_start = time(NULL) + MAX(30, lp_winbind_cache_time());
goto done;
}
return;
}
done:
entry->event = add_timed_event(entry,
timeval_set(new_start, 0),
"krb5_ticket_refresh_handler",
krb5_ticket_refresh_handler,
entry);
#endif
}
/****************************************************************
Do the work of regaining a ticket when coming from offline auth.
****************************************************************/
static void krb5_ticket_gain_handler(struct timed_event *te,
const struct timeval *now,
void *private_data)
{
struct WINBINDD_CCACHE_ENTRY *entry =
talloc_get_type_abort(private_data, struct WINBINDD_CCACHE_ENTRY);
#ifdef HAVE_KRB5
int ret;
time_t new_start;
struct timeval t;
struct WINBINDD_MEMORY_CREDS *cred_ptr = entry->cred_ptr;
struct winbindd_domain *domain = NULL;
#endif
DEBUG(10,("krb5_ticket_gain_handler called\n"));
DEBUGADD(10,("event called for: %s, %s\n", entry->ccname, entry->username));
TALLOC_FREE(entry->event);
#ifdef HAVE_KRB5
if (!cred_ptr || !cred_ptr->pass) {
DEBUG(10,("krb5_ticket_gain_handler: no memory creds\n"));
return;
}
if ((domain = find_domain_from_name(entry->realm)) == NULL) {
DEBUG(0,("krb5_ticket_gain_handler: unknown domain\n"));
return;
}
if (domain->online) {
set_effective_uid(entry->uid);
ret = kerberos_kinit_password_ext(entry->principal_name,
cred_ptr->pass,
0, /* hm, can we do time correction here ? */
&entry->refresh_time,
&entry->renew_until,
entry->ccname,
False, /* no PAC required anymore */
True,
WINBINDD_PAM_AUTH_KRB5_RENEW_TIME);
gain_root_privilege();
if (ret) {
DEBUG(3,("krb5_ticket_gain_handler: could not kinit: %s\n",
error_message(ret)));
goto retry_later;
}
DEBUG(10,("krb5_ticket_gain_handler: successful kinit for: %s in ccache: %s\n",
entry->principal_name, entry->ccname));
new_start = entry->refresh_time;
goto got_ticket;
}
retry_later:
entry->event = add_timed_event(entry,
timeval_current_ofs(MAX(30, lp_winbind_cache_time()), 0),
"krb5_ticket_gain_handler",
krb5_ticket_gain_handler,
entry);
return;
got_ticket:
#if 0 /* TESTING */
t = timeval_set(time(NULL) + 30, 0);
#else
t = timeval_set(new_start, 0);
#endif /* TESTING */
entry->event = add_timed_event(entry,
t,
"krb5_ticket_refresh_handler",
krb5_ticket_refresh_handler,
entry);
return;
#endif
}
/****************************************************************
Ensure we're changing the correct entry.
****************************************************************/
BOOL ccache_entry_identical(const char *username, uid_t uid, const char *ccname)
{
struct WINBINDD_CCACHE_ENTRY *entry = get_ccache_by_username(username);
if (!entry) {
return False;
}
if (entry->uid != uid) {
DEBUG(0,("cache_entry_identical: uid's differ: %u != %u\n",
(unsigned int)entry->uid, (unsigned int)uid ));
return False;
}
if (!strcsequal(entry->ccname, ccname)) {
DEBUG(0,("cache_entry_identical: ccnames differ: (cache) %s != (client) %s\n",
entry->ccname, ccname));
return False;
}
return True;
}
NTSTATUS add_ccache_to_list(const char *princ_name,
const char *ccname,
const char *service,
const char *username,
const char *realm,
uid_t uid,
time_t create_time,
time_t ticket_end,
time_t renew_until,
BOOL schedule_refresh_event,
BOOL postponed_request)
{
struct WINBINDD_CCACHE_ENTRY *entry = NULL;
if ((username == NULL && princ_name == NULL) || ccname == NULL || uid < 0) {
return NT_STATUS_INVALID_PARAMETER;
}
if (ccache_entry_count() + 1 > MAX_CCACHES) {
DEBUG(10,("add_ccache_to_list: max number of ccaches reached\n"));
return NT_STATUS_NO_MORE_ENTRIES;
}
/* Reference count old entries */
entry = get_ccache_by_username(username);
if (entry) {
/* Check cached entries are identical. */
if (!ccache_entry_identical(username, uid, ccname)) {
return NT_STATUS_INVALID_PARAMETER;
}
entry->ref_count++;
DEBUG(10,("add_ccache_to_list: ref count on entry %s is now %d\n",
username, entry->ref_count));
return NT_STATUS_OK;
}
entry = TALLOC_P(NULL, struct WINBINDD_CCACHE_ENTRY);
if (!entry) {
return NT_STATUS_NO_MEMORY;
}
ZERO_STRUCTP(entry);
if (username) {
entry->username = talloc_strdup(entry, username);
if (!entry->username) {
goto no_mem;
}
}
if (princ_name) {
entry->principal_name = talloc_strdup(entry, princ_name);
if (!entry->principal_name) {
goto no_mem;
}
}
if (service) {
entry->service = talloc_strdup(entry, service);
if (!entry->service) {
goto no_mem;
}
}
entry->ccname = talloc_strdup(entry, ccname);
if (!entry->ccname) {
goto no_mem;
}
entry->realm = talloc_strdup(entry, realm);
if (!entry->realm) {
goto no_mem;
}
entry->create_time = create_time;
entry->renew_until = renew_until;
entry->uid = uid;
entry->ref_count = 1;
if (schedule_refresh_event && renew_until > 0) {
if (postponed_request) {
entry->event = add_timed_event(entry,
timeval_current_ofs(MAX(30, lp_winbind_cache_time()), 0),
"krb5_ticket_gain_handler",
krb5_ticket_gain_handler,
entry);
} else {
entry->event = add_timed_event(entry,
timeval_set((ticket_end - 1), 0),
"krb5_ticket_refresh_handler",
krb5_ticket_refresh_handler,
entry);
}
if (!entry->event) {
goto no_mem;
}
DEBUG(10,("add_ccache_to_list: added krb5_ticket handler\n"));
}
DLIST_ADD(ccache_list, entry);
DEBUG(10,("add_ccache_to_list: added ccache [%s] for user [%s] to the list\n", ccname, username));
return NT_STATUS_OK;
no_mem:
TALLOC_FREE(entry);
return NT_STATUS_NO_MEMORY;
}
NTSTATUS remove_ccache(const char *username)
{
struct WINBINDD_CCACHE_ENTRY *entry = get_ccache_by_username(username);
if (!entry) {
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
}
if (entry->ref_count <= 0) {
DEBUG(0,("remove_ccache: logic error. ref count for user %s = %d\n",
username, entry->ref_count));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
entry->ref_count--;
if (entry->ref_count <= 0) {
DLIST_REMOVE(ccache_list, entry);
TALLOC_FREE(entry->event); /* unregisters events */
TALLOC_FREE(entry);
DEBUG(10,("remove_ccache: removed ccache for user %s\n", username));
} else {
DEBUG(10,("remove_ccache: entry %s ref count now %d\n",
username, entry->ref_count ));
}
return NT_STATUS_OK;
}
/*******************************************************************
In memory credentials cache code.
*******************************************************************/
static struct WINBINDD_MEMORY_CREDS *memory_creds_list;
/***********************************************************
Find an entry on the list by name.
***********************************************************/
struct WINBINDD_MEMORY_CREDS *find_memory_creds_by_name(const char *username)
{
struct WINBINDD_MEMORY_CREDS *p;
for (p = memory_creds_list; p; p = p->next) {
if (strequal(p->username, username)) {
return p;
}
}
return NULL;
}
/***********************************************************
Store the required creds and mlock them.
***********************************************************/
static NTSTATUS store_memory_creds(struct WINBINDD_MEMORY_CREDS *memcredp, const char *pass)
{
#if !defined(HAVE_MLOCK)
return NT_STATUS_OK;
#else
/* new_entry->nt_hash is the base pointer for the block
of memory pointed into by new_entry->lm_hash and
new_entry->pass (if we're storing plaintext). */
memcredp->len = NT_HASH_LEN + LM_HASH_LEN;
if (pass) {
memcredp->len += strlen(pass)+1;
}
memcredp->nt_hash = (unsigned char *)TALLOC_ZERO(memcredp, memcredp->len);
if (!memcredp->nt_hash) {
return NT_STATUS_NO_MEMORY;
}
memcredp->lm_hash = memcredp->nt_hash + NT_HASH_LEN;
#ifdef DEBUG_PASSWORD
DEBUG(10,("mlocking memory: %p\n", memcredp->nt_hash));
#endif
if ((mlock(memcredp->nt_hash, memcredp->len)) == -1) {
DEBUG(0,("failed to mlock memory: %s (%d)\n",
strerror(errno), errno));
return map_nt_error_from_unix(errno);
}
#ifdef DEBUG_PASSWORD
DEBUG(10,("mlocked memory: %p\n", memcredp->nt_hash));
#endif
/* Create and store the password hashes. */
E_md4hash(pass, memcredp->nt_hash);
E_deshash(pass, memcredp->lm_hash);
if (pass) {
memcredp->pass = (char *)memcredp->lm_hash + LM_HASH_LEN;
memcpy(memcredp->pass, pass, memcredp->len - NT_HASH_LEN - LM_HASH_LEN);
}
return NT_STATUS_OK;
#endif
}
/***********************************************************
Destroy existing creds.
***********************************************************/
static NTSTATUS delete_memory_creds(struct WINBINDD_MEMORY_CREDS *memcredp)
{
#if !defined(HAVE_MUNLOCK)
return NT_STATUS_OK;
#else
if (munlock(memcredp->nt_hash, memcredp->len) == -1) {
DEBUG(0,("failed to munlock memory: %s (%d)\n",
strerror(errno), errno));
return map_nt_error_from_unix(errno);
}
memset(memcredp->nt_hash, '\0', memcredp->len);
TALLOC_FREE(memcredp->nt_hash);
memcredp->lm_hash = NULL;
memcredp->pass = NULL;
memcredp->len = 0;
return NT_STATUS_OK;
#endif
}
/***********************************************************
Replace the required creds with new ones (password change).
***********************************************************/
static NTSTATUS winbindd_replace_memory_creds_internal(struct WINBINDD_MEMORY_CREDS *memcredp,
const char *pass)
{
NTSTATUS status = delete_memory_creds(memcredp);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
return store_memory_creds(memcredp, pass);
}
/*************************************************************
Store credentials in memory in a list.
*************************************************************/
static NTSTATUS winbindd_add_memory_creds_internal(const char *username, uid_t uid, const char *pass)
{
/* Shortcut to ensure we don't store if no mlock. */
#if !defined(HAVE_MLOCK) || !defined(HAVE_MUNLOCK)
return NT_STATUS_OK;
#else
NTSTATUS status;
struct WINBINDD_MEMORY_CREDS *memcredp = find_memory_creds_by_name(username);
if (uid == (uid_t)-1) {
DEBUG(0,("winbindd_add_memory_creds_internal: invalid uid for user %s.\n",
username ));
return NT_STATUS_INVALID_PARAMETER;
}
if (memcredp) {
/* Already exists. Increment the reference count and replace stored creds. */
if (uid != memcredp->uid) {
DEBUG(0,("winbindd_add_memory_creds_internal: uid %u for user %s doesn't "
"match stored uid %u. Replacing.\n",
(unsigned int)uid, username, (unsigned int)memcredp->uid ));
memcredp->uid = uid;
}
memcredp->ref_count++;
DEBUG(10,("winbindd_add_memory_creds_internal: ref count for user %s is now %d\n",
username, memcredp->ref_count ));
return winbindd_replace_memory_creds_internal(memcredp, pass);
}
memcredp = TALLOC_ZERO_P(NULL, struct WINBINDD_MEMORY_CREDS);
if (!memcredp) {
return NT_STATUS_NO_MEMORY;
}
memcredp->username = talloc_strdup(memcredp, username);
if (!memcredp->username) {
talloc_destroy(memcredp);
return NT_STATUS_NO_MEMORY;
}
status = store_memory_creds(memcredp, pass);
if (!NT_STATUS_IS_OK(status)) {
talloc_destroy(memcredp);
return status;
}
memcredp->uid = uid;
memcredp->ref_count = 1;
DLIST_ADD(memory_creds_list, memcredp);
DEBUG(10,("winbindd_add_memory_creds_internal: added entry for user %s\n",
username ));
return NT_STATUS_OK;
#endif
}
/*************************************************************
Store users credentials in memory. If we also have a
struct WINBINDD_CCACHE_ENTRY for this username with a
refresh timer, then store the plaintext of the password
and associate the new credentials with the struct WINBINDD_CCACHE_ENTRY.
*************************************************************/
NTSTATUS winbindd_add_memory_creds(const char *username, uid_t uid, const char *pass)
{
struct WINBINDD_CCACHE_ENTRY *entry = get_ccache_by_username(username);
NTSTATUS status;
status = winbindd_add_memory_creds_internal(username, uid, pass);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
if (entry) {
struct WINBINDD_MEMORY_CREDS *memcredp = find_memory_creds_by_name(username);
if (memcredp) {
entry->cred_ptr = memcredp;
}
}
return status;
}
/*************************************************************
Decrement the in-memory ref count - delete if zero.
*************************************************************/
NTSTATUS winbindd_delete_memory_creds(const char *username)
{
struct WINBINDD_MEMORY_CREDS *memcredp = find_memory_creds_by_name(username);
struct WINBINDD_CCACHE_ENTRY *entry = get_ccache_by_username(username);
NTSTATUS status = NT_STATUS_OK;
if (!memcredp) {
DEBUG(10,("winbindd_delete_memory_creds: unknown user %s\n",
username ));
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
}
if (memcredp->ref_count <= 0) {
DEBUG(0,("winbindd_delete_memory_creds: logic error. ref count for user %s = %d\n",
username, memcredp->ref_count));
status = NT_STATUS_INTERNAL_DB_CORRUPTION;
}
memcredp->ref_count--;
if (memcredp->ref_count <= 0) {
delete_memory_creds(memcredp);
DLIST_REMOVE(memory_creds_list, memcredp);
talloc_destroy(memcredp);
DEBUG(10,("winbindd_delete_memory_creds: deleted entry for user %s\n",
username));
} else {
DEBUG(10,("winbindd_delete_memory_creds: entry for user %s ref_count now %d\n",
username, memcredp->ref_count));
}
if (entry) {
entry->cred_ptr = NULL; /* Ensure we have no dangling references to this. */
}
return status;
}
/***********************************************************
Replace the required creds with new ones (password change).
***********************************************************/
NTSTATUS winbindd_replace_memory_creds(const char *username, const char *pass)
{
struct WINBINDD_MEMORY_CREDS *memcredp = find_memory_creds_by_name(username);
if (!memcredp) {
DEBUG(10,("winbindd_replace_memory_creds: unknown user %s\n",
username ));
return NT_STATUS_OBJECT_NAME_NOT_FOUND;
}
DEBUG(10,("winbindd_replace_memory_creds: replaced creds for user %s\n",
username ));
return winbindd_replace_memory_creds_internal(memcredp, pass);
}