diff options
| author | Sumit Bose <sbose@redhat.com> | 2016-02-08 15:01:19 +0100 |
|---|---|---|
| committer | Jakub Hrozek <jhrozek@redhat.com> | 2016-04-13 10:43:19 +0200 |
| commit | d0d7de66c9494621c1bc12384e41e5e38a77fbeb (patch) | |
| tree | b34fe827e9f6ec3bba217e4eaeb0ec6c4716b152 | |
| parent | c371993cce13edb9185a5f0db76fbee03f0edc04 (diff) | |
| download | sssd-d0d7de66c9494621c1bc12384e41e5e38a77fbeb.tar.gz sssd-d0d7de66c9494621c1bc12384e41e5e38a77fbeb.tar.xz sssd-d0d7de66c9494621c1bc12384e41e5e38a77fbeb.zip | |
PAC: only save PAC blob into the cache
Resolves https://fedorahosted.org/sssd/ticket/2158
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
| -rw-r--r-- | Makefile.am | 2 | ||||
| -rw-r--r-- | src/confdb/confdb.h | 1 | ||||
| -rw-r--r-- | src/config/SSSDConfig/__init__.py.in | 1 | ||||
| -rw-r--r-- | src/config/etc/sssd.api.conf | 1 | ||||
| -rw-r--r-- | src/db/sysdb.h | 2 | ||||
| -rw-r--r-- | src/man/sssd.conf.5.xml | 13 | ||||
| -rw-r--r-- | src/responder/pac/pacsrv.c | 26 | ||||
| -rw-r--r-- | src/responder/pac/pacsrv.h | 47 | ||||
| -rw-r--r-- | src/responder/pac/pacsrv_cmd.c | 964 | ||||
| -rw-r--r-- | src/responder/pac/pacsrv_utils.c | 478 |
10 files changed, 106 insertions, 1429 deletions
diff --git a/Makefile.am b/Makefile.am index 4d7a74779..85c125668 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1182,7 +1182,7 @@ endif sssd_pac_SOURCES = \ src/responder/pac/pacsrv.c \ src/responder/pac/pacsrv_cmd.c \ - src/responder/pac/pacsrv_utils.c \ + src/providers/ad/ad_pac_common.c \ $(SSSD_RESPONDER_OBJ) sssd_pac_CFLAGS = \ $(AM_CFLAGS) \ diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index e6789c866..c478ef097 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -147,6 +147,7 @@ /* PAC */ #define CONFDB_PAC_CONF_ENTRY "config/pac" +#define CONFDB_PAC_LIFETIME "pac_lifetime" /* InfoPipe */ #define CONFDB_IFP_CONF_ENTRY "config/ifp" diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in index 65e5e655d..1a0893cbc 100644 --- a/src/config/SSSDConfig/__init__.py.in +++ b/src/config/SSSDConfig/__init__.py.in @@ -108,6 +108,7 @@ option_strings = { # [pac] 'allowed_uids': _('List of UIDs or user names allowed to access the PAC responder'), + 'pac_lifetime': _('How long the PAC data is considered valid'), # [ifp] 'allowed_uids': _('List of UIDs or user names allowed to access the InfoPipe responder'), diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf index baa15539c..a15f2bd05 100644 --- a/src/config/etc/sssd.api.conf +++ b/src/config/etc/sssd.api.conf @@ -83,6 +83,7 @@ ca_db = str, None, false # PAC responder allowed_uids = str, None, false user_attributes = str, None, false +pac_lifetime = int, None, false [ifp] # InfoPipe responder diff --git a/src/db/sysdb.h b/src/db/sysdb.h index 4b2feffd0..11b680f3f 100644 --- a/src/db/sysdb.h +++ b/src/db/sysdb.h @@ -117,6 +117,8 @@ #define SYSDB_PRIMARY_GROUP "ADPrimaryGroupID" #define SYSDB_PRIMARY_GROUP_GIDNUM "origPrimaryGroupGidNumber" #define SYSDB_SID_STR "objectSIDString" +#define SYSDB_PAC_BLOB "pacBlob" +#define SYSDB_PAC_BLOB_EXPIRE "pacBlobExpireTimestamp" #define SYSDB_UPN "userPrincipalName" #define SYSDB_CANONICAL_UPN "canonicalUserPrincipalName" #define SYSDB_CCACHE_FILE "ccacheFile" diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index 6bef9335f..09db9cd32 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -1199,6 +1199,19 @@ pam_account_locked_message = Account locked, please contact help desk. </para> </listitem> </varlistentry> + <varlistentry> + <term>pac_lifetime (integer)</term> + <listitem> + <para> + Lifetime of the PAC entry in seconds. As long as the + PAC is valid the PAC data can be used to determine + the group memberships of a user. + </para> + <para> + Default: 300 + </para> + </listitem> + </varlistentry> </variablelist> </refsect2> diff --git a/src/responder/pac/pacsrv.c b/src/responder/pac/pacsrv.c index 20a5702e1..683dca7b9 100644 --- a/src/responder/pac/pacsrv.c +++ b/src/responder/pac/pacsrv.c @@ -195,6 +195,32 @@ int pac_process_init(TALLOC_CTX *mem_ctx, } responder_set_fd_limit(fd_limit); + /* Set up the negative cache */ + ret = confdb_get_int(pac_ctx->rctx->cdb, CONFDB_NSS_CONF_ENTRY, + CONFDB_NSS_ENTRY_NEG_TIMEOUT, 15, + &pac_ctx->neg_timeout); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to setup negative cache timeout.\n"); + goto fail; + } + + ret = sss_ncache_init(pac_ctx, &pac_ctx->ncache); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to initializing negative cache\n"); + goto fail; + } + + ret = confdb_get_int(pac_ctx->rctx->cdb, CONFDB_PAC_CONF_ENTRY, + CONFDB_PAC_LIFETIME, 300, + &pac_ctx->pac_lifetime); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to setup negative cache timeout.\n"); + goto fail; + } + ret = schedule_get_domains_task(rctx, rctx->ev, rctx, NULL); if (ret != EOK) { DEBUG(SSSDBG_FATAL_FAILURE, "schedule_get_domains_tasks failed.\n"); diff --git a/src/responder/pac/pacsrv.h b/src/responder/pac/pacsrv.h index bda95eb0f..3d9f07dcb 100644 --- a/src/responder/pac/pacsrv.h +++ b/src/responder/pac/pacsrv.h @@ -24,63 +24,22 @@ #include "config.h" -#include <stdbool.h> -#include <util/data_blob.h> -#include <ndr.h> -#include <gen_ndr/krb5pac.h> -#include <gen_ndr/ndr_krb5pac.h> - -#include <stdint.h> -#include <sys/un.h> -#include <talloc.h> -#include <tevent.h> -#include <ldb.h> -#include <dbus/dbus.h> - -#include "sbus/sssd_dbus.h" #include "responder/common/responder_packet.h" #include "responder/common/responder.h" #include "responder/common/responder_sbus.h" #include "lib/idmap/sss_idmap.h" -#include "util/sss_nss.h" -#include "db/sysdb.h" - -#define PAC_PACKET_MAX_RECV_SIZE 1024 - -struct getent_ctx; -struct dom_sid; struct pac_ctx { struct resp_ctx *rctx; struct sss_idmap_ctx *idmap_ctx; struct dom_sid *my_dom_sid; struct local_mapping_ranges *range_map; -}; + int pac_lifetime; -struct grp_info { - char *orig_dn; - struct ldb_dn *dn; + int neg_timeout; + struct sss_nc_ctx *ncache; }; struct sss_cmd_table *get_pac_cmds(void); -errno_t get_sids_from_pac(TALLOC_CTX *mem_ctx, - struct pac_ctx *pac_ctx, - struct PAC_LOGON_INFO *logon_info, - char **_user_sid_str, - char **_primary_group_sid_str, - hash_table_t **_sid_table); - -errno_t get_data_from_pac(TALLOC_CTX *mem_ctx, - uint8_t *pac_blob, size_t pac_len, - struct PAC_LOGON_INFO **_logon_info); - -errno_t get_pwd_from_pac(TALLOC_CTX *mem_ctx, - struct sss_domain_info *dom, - char *user_sid_str, - char *primary_group_sid_str, - hash_table_t *sid_table, - struct PAC_LOGON_INFO *logon_info, - struct passwd **_pwd, - struct sysdb_attrs **_attrs); #endif /* __PACSRV_H__ */ diff --git a/src/responder/pac/pacsrv_cmd.c b/src/responder/pac/pacsrv_cmd.c index 64c02e81c..bebd6ba19 100644 --- a/src/responder/pac/pacsrv_cmd.c +++ b/src/responder/pac/pacsrv_cmd.c @@ -3,7 +3,7 @@ PAC Responder - Copyright (C) Sumit Bose <sbose@redhat.com> 2012 + Copyright (C) Sumit Bose <sbose@redhat.com> 2012, 2016 Jan Zeleny <jzeleny@redhat.com> 2012 This program is free software; you can redistribute it and/or modify @@ -22,8 +22,11 @@ #include "util/util.h" #include "responder/pac/pacsrv.h" +#include "responder/common/responder_cache_req.h" #include "confdb/confdb.h" +#include "providers/ad/ad_pac.h" + static errno_t pac_cmd_done(struct cli_ctx *cctx, int cmd_ret) { int ret; @@ -52,50 +55,20 @@ struct pac_req_ctx { struct cli_ctx *cctx; struct pac_ctx *pac_ctx; const char *domain_name; - const char *user_name; struct sss_domain_info *dom; - struct PAC_LOGON_INFO *logon_info; - struct dom_sid2 *domain_sid; - - size_t del_grp_count; - struct grp_info *del_grp_list; + uint8_t *blob; + size_t blen; - size_t add_sid_count; - char **add_sids; + struct PAC_LOGON_INFO *logon_info; - hash_table_t *sid_table; char *user_sid_str; char *user_dom_sid_str; - char *primary_group_sid_str; }; -static errno_t pac_resolve_sids_next(struct pac_req_ctx *pr_ctx); -static void pac_lookup_sids_done(struct tevent_req *req); -static struct tevent_req *pac_lookup_sids_send(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, - struct pac_req_ctx *pr_ctx, - struct pac_ctx *pac_ctx, - hash_table_t *sid_table); -static errno_t pac_lookup_sids_recv(struct tevent_req *req); -static void pac_add_user_next(struct pac_req_ctx *pr_ctx); +static errno_t pac_resolve_user_sid_next(struct pac_req_ctx *pr_ctx); +static void pac_resolve_user_sid_done(struct tevent_req *req); static void pac_get_domains_done(struct tevent_req *req); -static errno_t pac_user_get_grp_info(TALLOC_CTX *mem_ctx, - struct pac_req_ctx *pr_ctx, - size_t *_del_grp_count, - struct grp_info **_del_grp_list, - size_t *_add_sid_count, - char ***_add_sids); -static errno_t save_pac_user(struct pac_req_ctx *pr_ctx); -static void pac_get_group_done(struct tevent_req *subreq); -static errno_t pac_save_memberships_next(struct tevent_req *req); -static errno_t pac_store_membership(struct pac_req_ctx *pr_ctx, - struct ldb_dn *user_dn, - const char *grp_sid_str, - struct sss_domain_info *grp_dom); -struct tevent_req *pac_save_memberships_send(struct pac_req_ctx *pr_ctx); -static void pac_save_memberships_done(struct tevent_req *req); - static errno_t pac_add_pac_user(struct cli_ctx *cctx) { @@ -115,6 +88,8 @@ static errno_t pac_add_pac_user(struct cli_ctx *cctx) } pr_ctx->cctx = cctx; + pr_ctx->blob = body; + pr_ctx->blen = blen; pr_ctx->pac_ctx = talloc_get_type(cctx->rctx->pvt_ctx, struct pac_ctx); if (pr_ctx->pac_ctx == NULL) { @@ -122,10 +97,10 @@ static errno_t pac_add_pac_user(struct cli_ctx *cctx) return EINVAL; } - ret = get_data_from_pac(pr_ctx, body, blen, - &pr_ctx->logon_info); + ret = ad_get_data_from_pac(pr_ctx, body, blen, + &pr_ctx->logon_info); if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "get_data_from_pac failed.\n"); + DEBUG(SSSDBG_OP_FAILURE, "ad_get_data_from_pac failed.\n"); goto done; } @@ -136,22 +111,6 @@ static errno_t pac_add_pac_user(struct cli_ctx *cctx) goto done; } - if (pr_ctx->logon_info->info3.base.account_name.string == NULL) { - ret = EINVAL; - DEBUG(SSSDBG_FATAL_FAILURE, "Missing account name in PAC.\n"); - goto done; - } - - /* To be compatible with winbind based lookups we have to use lower case - * names only, effectively making the domain case-insenvitive. */ - pr_ctx->user_name = sss_tc_utf8_str_tolower(pr_ctx, - pr_ctx->logon_info->info3.base.account_name.string); - if (pr_ctx->user_name == NULL) { - ret = ENOMEM; - DEBUG(SSSDBG_FATAL_FAILURE, "sss_tc_utf8_str_tolower failed.\n"); - goto done; - } - err = sss_idmap_smb_sid_to_sid(pr_ctx->pac_ctx->idmap_ctx, pr_ctx->logon_info->info3.base.domain_sid, &pr_ctx->user_dom_sid_str); @@ -163,6 +122,15 @@ static errno_t pac_add_pac_user(struct cli_ctx *cctx) talloc_steal(pr_ctx, pr_ctx->user_dom_sid_str); + pr_ctx->user_sid_str = talloc_asprintf(pr_ctx, "%s-%"PRIu32, + pr_ctx->user_dom_sid_str, + pr_ctx->logon_info->info3.base.rid); + if (pr_ctx->user_sid_str == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n"); + ret = ENOMEM; + goto done; + } + ret = responder_get_domain_by_id(cctx->rctx, pr_ctx->user_dom_sid_str, &pr_ctx->dom); if (ret == EAGAIN || ret == ENOENT) { @@ -180,7 +148,7 @@ static errno_t pac_add_pac_user(struct cli_ctx *cctx) goto done; } - ret = pac_resolve_sids_next(pr_ctx); + ret = pac_resolve_user_sid_next(pr_ctx); done: if (ret != EAGAIN) { @@ -211,7 +179,7 @@ static void pac_get_domains_done(struct tevent_req *req) goto done; } - ret = pac_resolve_sids_next(pr_ctx); + ret = pac_resolve_user_sid_next(pr_ctx); done: if (ret != EAGAIN) { @@ -220,28 +188,26 @@ done: pac_cmd_done(cctx, ret); } -static errno_t pac_resolve_sids_next(struct pac_req_ctx *pr_ctx) +static errno_t pac_resolve_user_sid_next(struct pac_req_ctx *pr_ctx) { int ret; struct tevent_req *req; + const char *pw_attrs[] = SYSDB_PW_ATTRS; - ret = get_sids_from_pac(pr_ctx, pr_ctx->pac_ctx, pr_ctx->logon_info, - &pr_ctx->user_sid_str, - &pr_ctx->primary_group_sid_str, - &pr_ctx->sid_table); - if (ret != 0) { - DEBUG(SSSDBG_OP_FAILURE, "get_sids_from_pac failed.\n"); - return ret; - } - req = pac_lookup_sids_send(pr_ctx, pr_ctx->cctx->ev, pr_ctx, - pr_ctx->pac_ctx, pr_ctx->sid_table); + req = cache_req_object_by_sid_send(pr_ctx, pr_ctx->cctx->ev, + pr_ctx->cctx->rctx, + pr_ctx->pac_ctx->ncache, + pr_ctx->pac_ctx->neg_timeout, + 0, pr_ctx->dom->name, + pr_ctx->user_sid_str, + pw_attrs); if (req == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "pac_lookup_sids_send failed.\n"); + DEBUG(SSSDBG_OP_FAILURE, "cache_req_object_by_sid_send failed.\n"); return ENOMEM; } - tevent_req_set_callback(req, pac_lookup_sids_done, pr_ctx); + tevent_req_set_callback(req, pac_resolve_user_sid_done, pr_ctx); ret = EAGAIN; @@ -249,21 +215,17 @@ static errno_t pac_resolve_sids_next(struct pac_req_ctx *pr_ctx) return ret; } -static void pac_lookup_sids_done(struct tevent_req *req) +static void pac_resolve_user_sid_done(struct tevent_req *req) { - struct pac_req_ctx *pr_ctx = tevent_req_callback_data(req, struct pac_req_ctx); + struct pac_req_ctx *pr_ctx = tevent_req_callback_data(req, + struct pac_req_ctx); struct cli_ctx *cctx = pr_ctx->cctx; errno_t ret; - unsigned long count; - hash_entry_t *entries; - hash_key_t key; - hash_value_t value; - size_t c; struct sss_domain_info *dom; - uint64_t id; - struct ldb_result *msg; + struct ldb_result *res; + struct sysdb_attrs *user_attrs; - ret = pac_lookup_sids_recv(req); + ret = cache_req_object_by_sid_recv(pr_ctx, req, &res, &dom); talloc_zfree(req); if (ret != EOK) { @@ -272,858 +234,48 @@ static void pac_lookup_sids_done(struct tevent_req *req) return; } - key.type = HASH_KEY_STRING; - value.type = HASH_VALUE_ULONG; - - ret = hash_entries(pr_ctx->sid_table, &count, &entries); - if (ret != HASH_SUCCESS) { - DEBUG(SSSDBG_OP_FAILURE, "hash_entries failed [%d][%s].\n", - ret, hash_error_string(ret)); - talloc_free(pr_ctx); - pac_cmd_done(cctx, ret); - return; - } - - for (c = 0; c < count; c++) { - if (entries[c].value.ul == 0) { - ret =responder_get_domain_by_id(cctx->rctx, - entries[c].key.str, &dom); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "No domain found for SID [%s].\n", - entries[c].key.str); - continue; - } - - msg = NULL; - ret = sysdb_search_object_by_sid(pr_ctx, dom, entries[c].key.str, - NULL, &msg); - if (ret == ENOENT) { - DEBUG(SSSDBG_OP_FAILURE, "No entry found for SID [%s].\n", - entries[c].key.str); - continue; - } else if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - "sysdb_search_object_by_sid failed.\n"); - continue; - } - - if (msg->count > 1) { - DEBUG(SSSDBG_CRIT_FAILURE, "More then one result returned " \ - "for SID [%s].\n", - entries[c].key.str); - talloc_free(msg); - pac_cmd_done(cctx, EINVAL); - return; - } - - id = ldb_msg_find_attr_as_uint64(msg->msgs[0], - SYSDB_UIDNUM, 0); - if (id == 0) { - id = ldb_msg_find_attr_as_uint64(msg->msgs[0], - SYSDB_GIDNUM, 0); - } - - if (id == 0) { - DEBUG(SSSDBG_OP_FAILURE, "No ID found in entry.\n"); - talloc_free(msg); - continue; - } - - key.str = entries[c].key.str; - value.ul = id; - - ret = hash_enter(pr_ctx->sid_table, &key, &value); - if (ret != HASH_SUCCESS) { - DEBUG(SSSDBG_OP_FAILURE, "hash_enter failed [%d][%s].\n", - ret, hash_error_string(ret)); - continue; - } - talloc_free(msg); - } - } - - pac_add_user_next(pr_ctx); -} - -static void pac_add_user_next(struct pac_req_ctx *pr_ctx) -{ - int ret; - struct tevent_req *req; - struct cli_ctx *cctx = pr_ctx->cctx; - - ret = save_pac_user(pr_ctx); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "save_pac_user failed.\n"); - goto done; - } - - ret = pac_user_get_grp_info(pr_ctx, pr_ctx, &pr_ctx->del_grp_count, - &pr_ctx->del_grp_list, - &pr_ctx->add_sid_count, &pr_ctx->add_sids); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "pac_user_get_grp_info failed.\n"); - goto done; - } - - req = pac_save_memberships_send(pr_ctx); - if (req == NULL) { - ret = ENOMEM; - goto done; - } - - tevent_req_set_callback(req, pac_save_memberships_done, pr_ctx); - - ret = EAGAIN; - -done: - if (ret != EAGAIN) { - talloc_free(pr_ctx); - } - pac_cmd_done(cctx, ret); -} - -static errno_t pac_user_get_grp_info(TALLOC_CTX *mem_ctx, - struct pac_req_ctx *pr_ctx, - size_t *_del_grp_count, - struct grp_info **_del_grp_list, - size_t *_add_sid_count, - char ***_add_sids) -{ - struct sysdb_ctx *sysdb; - int ret; - TALLOC_CTX *tmp_ctx = NULL; - struct ldb_result *res = NULL; - size_t c; - const char *tmp_str; - - size_t add_sid_count = 0; - char **add_sids = NULL; - - size_t del_idx; - size_t del_grp_count = 0; - struct grp_info *del_grp_list = NULL; - - const char *cur_sid; - hash_key_t key; - hash_value_t value; - - struct hash_iter_context_t *iter = NULL; - hash_entry_t *entry; - - sysdb = pr_ctx->dom->sysdb; - if (sysdb == NULL) { - ret = EINVAL; - DEBUG(SSSDBG_FATAL_FAILURE, "Fatal: Sysdb CTX not found for this domain!\n"); - goto done; - } - - tmp_ctx = talloc_new(NULL); - if (tmp_ctx == NULL) { - ret = ENOMEM; - DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); - goto done; - } - - ret = sysdb_initgroups(tmp_ctx, pr_ctx->dom, pr_ctx->user_name, &res); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "sysdb_initgroups failed.\n"); - goto done; - } - - if (res->count == 0) { - DEBUG(SSSDBG_OP_FAILURE, "sysdb_initgroups did not found [%s].\n", - pr_ctx->user_name); - ret = ENOENT; - goto done; - } - - /* First result is the user entry then the groups follow */ - if (res->count > 1) { - del_grp_count = res->count - 1; - del_grp_list = talloc_zero_array(tmp_ctx, struct grp_info, - del_grp_count); - if (del_grp_list == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n"); - ret = ENOMEM; - goto done; - } - del_idx = 0; - - key.type = HASH_KEY_STRING; - - for (c = 0; c < (res->count - 1); c++) { - cur_sid = ldb_msg_find_attr_as_string(res->msgs[c + 1], - SYSDB_SID_STR, NULL); - if (cur_sid == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "Missing SID in group entry.\n"); - ret = EINVAL; - goto done; - } - - key.str = discard_const(cur_sid); - ret = hash_lookup(pr_ctx->sid_table, &key, &value); - if (ret == HASH_SUCCESS) { - DEBUG(SSSDBG_TRACE_ALL, "User [%s] already member of group " \ - "with SID [%s].\n", - pr_ctx->user_name, cur_sid); - - ret = hash_delete(pr_ctx->sid_table, &key); - if (ret != HASH_SUCCESS) { - DEBUG(SSSDBG_OP_FAILURE, "Failed to remove hash entry.\n"); - ret = EIO; - goto done; - } - } else if (ret == HASH_ERROR_KEY_NOT_FOUND) { - DEBUG(SSSDBG_TRACE_INTERNAL, "Group with SID [%s] is not in " \ - "the PAC anymore, membership " \ - "must be removed.\n", cur_sid); - - tmp_str = ldb_msg_find_attr_as_string(res->msgs[c + 1], - SYSDB_ORIG_DN, NULL); - if (tmp_str != NULL) { - del_grp_list[del_idx].orig_dn = talloc_strdup(del_grp_list, - tmp_str); - if (del_grp_list[del_idx].orig_dn == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); - ret = ENOMEM; - goto done; - } - } - - del_grp_list[del_idx].dn = ldb_dn_copy(del_grp_list, - res->msgs[c + 1]->dn); - if (del_grp_list[del_idx].dn == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "ldb_dn_copy failed.\n"); - ret = ENOMEM; - goto done; - } - - del_idx++; - } - } - del_grp_count = del_idx; - } - - add_sid_count = hash_count(pr_ctx->sid_table); - if (add_sid_count > 0) { - add_sids = talloc_array(tmp_ctx, char *, add_sid_count); - if (add_sids == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "talloc_array failed.\n"); - ret = ENOMEM; - goto done; - } - - iter = new_hash_iter_context(pr_ctx->sid_table); - c = 0; - while ((entry = iter->next(iter)) != NULL) { - if (strcmp(entry->key.str, pr_ctx->user_sid_str) != 0) { - add_sids[c] = talloc_strdup(add_sids, entry->key.str); - if (add_sids[c] == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); - ret = ENOMEM; - goto done; - } - DEBUG(SSSDBG_TRACE_ALL, "SID [%s] added to add_sids " \ - "list.\n", entry->key.str); - c++; - } - } - add_sid_count = c; - } - - - *_del_grp_count = del_grp_count; - *_del_grp_list = talloc_steal(mem_ctx, del_grp_list); - *_add_sid_count = add_sid_count; - *_add_sids = talloc_steal(mem_ctx, add_sids); - - ret = EOK; - -done: - talloc_free(iter); - talloc_free(tmp_ctx); - - return ret; -} - -static errno_t save_pac_user(struct pac_req_ctx *pr_ctx) -{ - struct sysdb_ctx *sysdb; - int ret; - const char *attrs[] = {SYSDB_NAME, SYSDB_NAME_ALIAS, SYSDB_UIDNUM, - SYSDB_GIDNUM, SYSDB_GECOS, SYSDB_HOMEDIR, - SYSDB_SHELL, SYSDB_ORIG_DN, SYSDB_CACHEDPWD, NULL}; - struct ldb_message *msg; - struct passwd *pwd = NULL; - TALLOC_CTX *tmp_ctx = NULL; - struct sysdb_attrs *user_attrs = NULL; - - sysdb = pr_ctx->dom->sysdb; - if (sysdb == NULL) { + if (res->count != 1) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Expected only 1 result for SID lookup, got [%ud].\n", + res->count); ret = EINVAL; - DEBUG(SSSDBG_FATAL_FAILURE, "Fatal: Sysdb CTX not found for this domain!\n"); goto done; } - tmp_ctx = talloc_new(NULL); - if (tmp_ctx == NULL) { + user_attrs = sysdb_new_attrs(pr_ctx); + if (user_attrs == NULL) { + DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs failed.\n"); ret = ENOMEM; - DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); goto done; } - ret = get_pwd_from_pac(tmp_ctx, pr_ctx->dom, pr_ctx->user_sid_str, - pr_ctx->primary_group_sid_str, pr_ctx->sid_table, - pr_ctx->logon_info, &pwd, &user_attrs); + ret = sysdb_attrs_add_mem(user_attrs, SYSDB_PAC_BLOB, pr_ctx->blob, + pr_ctx->blen); if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "get_pwd_from_pac failed.\n"); - goto done; - } - - ret = sysdb_search_user_by_uid(tmp_ctx, pr_ctx->dom, pwd->pw_uid, attrs, - &msg); - if (ret == ENOENT) { - if (pwd->pw_gid == 0 && !pr_ctx->dom->mpg) { - DEBUG(SSSDBG_CRIT_FAILURE, "Primary group RID from the PAC " - "cannot be translated into a GID for " - "user [%s]. Typically this happens " - "when UIDs and GIDs are read from AD " - "and the primary AD group does not " - "have a GID assigned. Make sure the " - "user is created by the ID provider " - "before GSSAPI based authentication " - "is used in this case.\n", - pwd->pw_name); - ret = EINVAL; - goto done; - } - - ret = sysdb_store_user(pr_ctx->dom, pwd->pw_name, NULL, - pwd->pw_uid, pwd->pw_gid, pwd->pw_gecos, - pwd->pw_dir, - pwd->pw_shell, NULL, user_attrs, NULL, - pr_ctx->dom->user_timeout, 0); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "sysdb_store_user failed [%d][%s].\n", - ret, strerror(ret)); - goto done; - } - } else if (ret != EOK && ret != ENOENT) { - DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_user_by_id failed.\n"); - goto done; - } - - ret = EOK; - -done: - talloc_free(tmp_ctx); - return ret; -} - -struct pac_save_memberships_state { - size_t sid_iter; - struct ldb_dn *user_dn; - - struct pac_req_ctx *pr_ctx; -}; - -static errno_t -pac_save_memberships_delete(struct pac_save_memberships_state *state); - -struct tevent_req *pac_save_memberships_send(struct pac_req_ctx *pr_ctx) -{ - struct pac_save_memberships_state *state; - struct sss_domain_info *dom = pr_ctx->dom; - struct tevent_req *req; - errno_t ret; - char *dom_name = NULL; - struct ldb_message *msg; - - req = tevent_req_create(pr_ctx, &state, struct pac_save_memberships_state); - if (req == NULL) { - return NULL; - } - - state->sid_iter = 0; - - dom_name = sss_get_domain_name(state, pr_ctx->user_name, dom); - if (dom_name == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "talloc_sprintf failed.\n"); - ret = ENOMEM; + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_mem failed"); goto done; } - ret = sysdb_search_user_by_name(state, dom, dom_name, NULL, &msg); + ret = sysdb_attrs_add_time_t(user_attrs, SYSDB_PAC_BLOB_EXPIRE, + (time(NULL) + pr_ctx->pac_ctx->pac_lifetime)); if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "sysdb_search_user_by_name failed " \ - "[%d][%s].\n", ret, strerror(ret)); + DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_time_t failed"); goto done; } - state->user_dn = msg->dn; - state->pr_ctx = pr_ctx; - - ret = pac_save_memberships_delete(state); + ret = sysdb_set_entry_attr(dom->sysdb, res->msgs[0]->dn, user_attrs, + SYSDB_MOD_REP); if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "pac_save_memberships_delete failed.\n"); + DEBUG(SSSDBG_OP_FAILURE, "sysdb_set_entry_attr failed.\n"); goto done; } - ret = pac_save_memberships_next(req); - if (ret == EOK) { - tevent_req_done(req); - tevent_req_post(req, pr_ctx->cctx->ev); - } - done: - talloc_free(dom_name); - if (ret != EOK && ret != EAGAIN) { - tevent_req_error(req, ret); - tevent_req_post(req, pr_ctx->cctx->ev); - } - - return req; -} - -static errno_t -pac_save_memberships_delete(struct pac_save_memberships_state *state) -{ - int ret; - int sret; - size_t c; - struct pac_req_ctx *pr_ctx; - bool in_transaction = false; - TALLOC_CTX *tmp_ctx; - struct sysdb_attrs *user_attrs = NULL; - - pr_ctx = state->pr_ctx; - - if (pr_ctx->del_grp_count == 0) { - return EOK; - } - - if (pr_ctx->del_grp_list == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "Missing group list.\n"); - return EINVAL; - } - - tmp_ctx = talloc_new(NULL); - if (tmp_ctx == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "talloc_new failed.\n"); - return ENOMEM; - } - - ret = sysdb_transaction_start(pr_ctx->dom->sysdb); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "sysdb_transaction_start failed.\n"); - goto done; - } - in_transaction = true; - - for (c = 0; c < pr_ctx->del_grp_count; c++) { - /* If there is a failure for one group we still try to remove the - * remaining groups. */ - ret = sysdb_mod_group_member(pr_ctx->dom, state->user_dn, - pr_ctx->del_grp_list[c].dn, - LDB_FLAG_MOD_DELETE); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "sysdb_mod_group_member failed for " \ - "user [%s] and group[%s].\n", - ldb_dn_get_linearized(state->user_dn), - ldb_dn_get_linearized( - pr_ctx->del_grp_list[c].dn)); - continue; - } - - if (pr_ctx->del_grp_list[c].orig_dn != NULL) { - user_attrs = sysdb_new_attrs(tmp_ctx); - if (user_attrs == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs failed.\n"); - continue; - } - - ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_MEMBEROF, - pr_ctx->del_grp_list[c].orig_dn); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string failed.\n"); - continue; - } - - ret = sysdb_set_entry_attr(pr_ctx->dom->sysdb, state->user_dn, user_attrs, - LDB_FLAG_MOD_DELETE); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "sysdb_set_entry_attr failed.\n"); - continue; - } - talloc_free(user_attrs); - } - } - - ret = sysdb_transaction_commit(pr_ctx->dom->sysdb); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "sysdb_transaction_commit failed.\n"); - goto done; - } - in_transaction = false; - - ret = EOK; -done: - if (in_transaction) { - sret = sysdb_transaction_cancel(pr_ctx->dom->sysdb); - if (sret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "sysdb_transaction_cancel failed.\n"); - } - } - - talloc_free(tmp_ctx); - - return ret; -} - -static errno_t pac_save_memberships_next(struct tevent_req *req) -{ - errno_t ret; - char *sid; - struct sss_domain_info *grp_dom; - struct tevent_req *subreq; - struct pac_save_memberships_state *state; - struct pac_req_ctx *pr_ctx; - - state = tevent_req_data(req, struct pac_save_memberships_state); - pr_ctx = state->pr_ctx; - - if (pr_ctx->add_sid_count == 0) { - return EOK; - } - - if (pr_ctx->add_sids == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "Missing list of SIDs.\n"); - return EINVAL; - } - - while (state->sid_iter < pr_ctx->add_sid_count) { - sid = pr_ctx->add_sids[state->sid_iter]; - ret = responder_get_domain_by_id(pr_ctx->pac_ctx->rctx, sid, &grp_dom); - if (ret != EOK) { - DEBUG(SSSDBG_MINOR_FAILURE, "responder_get_domain_by_id failed, " \ - "will try next group\n"); - state->sid_iter++; - continue; - } - - ret = pac_store_membership(state->pr_ctx, state->user_dn, sid, grp_dom); - if (ret == EOK) { - state->sid_iter++; - continue; - } else if (ret == ENOENT) { - subreq = sss_dp_get_account_send(state, pr_ctx->cctx->rctx, - grp_dom, true, - SSS_DP_SECID, sid, 0, NULL); - if (subreq == NULL) { - ret = ENOMEM; - goto done; - } - tevent_req_set_callback(subreq, pac_get_group_done, req); - - return EAGAIN; - } else { - DEBUG(SSSDBG_OP_FAILURE, "pac_store_membership failed, " - "trying next group.\n"); - state->sid_iter++; - continue; - } - } - - ret = EOK; -done: - return ret; -} - -static void pac_get_group_done(struct tevent_req *subreq) -{ - struct tevent_req *req; - struct pac_save_memberships_state *state; - - req = tevent_req_callback_data(subreq, struct tevent_req); - state = tevent_req_data(req, struct pac_save_memberships_state); - - errno_t ret; - dbus_uint16_t err_maj; - dbus_uint32_t err_min; - char *err_msg; - char *sid; - struct sss_domain_info *grp_dom; - struct pac_req_ctx *pr_ctx = state->pr_ctx; - - ret = sss_dp_get_account_recv(req, subreq, - &err_maj, &err_min, - &err_msg); - talloc_zfree(subreq); - talloc_zfree(err_msg); - if (ret != EOK) { - goto error; - } - - sid = pr_ctx->add_sids[state->sid_iter]; - ret = responder_get_domain_by_id(pr_ctx->pac_ctx->rctx,sid, &grp_dom); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "responder_get_domain_by_id failed.\n"); - goto error; - } - - ret = pac_store_membership(state->pr_ctx, state->user_dn, sid, grp_dom); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "pac_store_membership failed, " - "trying next group.\n"); - } - state->sid_iter++; - - ret = pac_save_memberships_next(req); - if (ret == EOK) { - tevent_req_done(req); - } else if (ret != EAGAIN) { - goto error; - } - - return; - -error: - tevent_req_error(req, ret); -} - -static errno_t -pac_store_membership(struct pac_req_ctx *pr_ctx, - struct ldb_dn *user_dn, - const char *grp_sid_str, - struct sss_domain_info *grp_dom) -{ - TALLOC_CTX *tmp_ctx; - struct sysdb_attrs *user_attrs; - struct ldb_result *group; - errno_t ret; - const char *orig_group_dn; - const char *group_attrs[] = { SYSDB_ORIG_DN, SYSDB_OBJECTCLASS, NULL }; - const char *oc; - - tmp_ctx = talloc_new(NULL); - if (tmp_ctx == NULL) { - return ENOMEM; - } - - ret = sysdb_search_object_by_sid(tmp_ctx, grp_dom, grp_sid_str, - group_attrs, &group); - if (ret == ENOENT) { - DEBUG(SSSDBG_OP_FAILURE, "Unexpected number of groups returned.\n"); - goto done; - } else if (ret != EOK) { - DEBUG(SSSDBG_TRACE_INTERNAL, - "sysdb_search_object_by_sid for SID [%s] failed [%d][%s].\n", - grp_sid_str, ret, strerror(ret)); - goto done; - } - - if (group->count != 1) { - DEBUG(SSSDBG_OP_FAILURE, "Unexpected number of groups returned.\n"); - ret = EINVAL; - goto done; - } - - oc = ldb_msg_find_attr_as_string(group->msgs[0], SYSDB_OBJECTCLASS, NULL); - if (oc == NULL || strcmp(oc, SYSDB_GROUP_CLASS) != 0) { - DEBUG(SSSDBG_OP_FAILURE, "Return object does not have group " \ - "objectclass.\n"); - ret = EINVAL; - goto done; - } - - DEBUG(SSSDBG_TRACE_ALL, "Adding user [%s] to group [%s][%s].\n", - ldb_dn_get_linearized(user_dn), grp_sid_str, - ldb_dn_get_linearized(group->msgs[0]->dn)); - ret = sysdb_mod_group_member(grp_dom, user_dn, group->msgs[0]->dn, - LDB_FLAG_MOD_ADD); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "sysdb_mod_group_member failed user [%s] " \ - "group [%s].\n", - ldb_dn_get_linearized(user_dn), - ldb_dn_get_linearized(group->msgs[0]->dn)); - goto done; - } - - orig_group_dn = ldb_msg_find_attr_as_string(group->msgs[0], SYSDB_ORIG_DN, - NULL); - if (orig_group_dn != NULL) { - DEBUG(SSSDBG_TRACE_ALL, "Adding original group DN [%s] to user [%s].\n", - orig_group_dn, - ldb_dn_get_linearized(user_dn)); - user_attrs = sysdb_new_attrs(tmp_ctx); - if (user_attrs == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs failed.\n"); - ret = ENOMEM; - goto done; - } - - ret = sysdb_attrs_add_string(user_attrs, SYSDB_ORIG_MEMBEROF, - orig_group_dn); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string failed.\n"); - goto done; - } - - ret = sysdb_set_entry_attr(pr_ctx->dom->sysdb, user_dn, user_attrs, - LDB_FLAG_MOD_ADD); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "sysdb_set_entry_attr failed.\n"); - goto done; - } - } else { - DEBUG(SSSDBG_MINOR_FAILURE, "Original DN not available for group " \ - "[%s][%s].\n", grp_sid_str, - ldb_dn_get_linearized(group->msgs[0]->dn)); - } - -done: - talloc_free(tmp_ctx); - return ret; -} - -static errno_t pac_save_memberships_recv(struct tevent_req *subreq) -{ - TEVENT_REQ_RETURN_ON_ERROR(subreq); - - return EOK; -} - -static void pac_save_memberships_done(struct tevent_req *req) -{ - struct pac_req_ctx *pr_ctx = tevent_req_callback_data(req, struct pac_req_ctx); - struct cli_ctx *cctx = pr_ctx->cctx; - errno_t ret; - - ret = pac_save_memberships_recv(req); - talloc_zfree(req); - talloc_free(pr_ctx); pac_cmd_done(cctx, ret); -} - -struct pac_lookup_sids_state { - struct pac_ctx *pac_ctx; - struct pac_req_ctx *pr_ctx; - hash_table_t *sid_table; - struct hash_iter_context_t *iter; -}; - -static errno_t pac_lookup_sids_next(struct tevent_req *req); -static void pac_lookup_sids_next_done(struct tevent_req *subreq); - -static struct tevent_req *pac_lookup_sids_send(TALLOC_CTX *mem_ctx, - struct tevent_context *ev, - struct pac_req_ctx *pr_ctx, - struct pac_ctx *pac_ctx, - hash_table_t *sid_table) -{ - struct tevent_req *req; - struct pac_lookup_sids_state *state; - int ret; - - req = tevent_req_create(mem_ctx, &state, struct pac_lookup_sids_state); - if (req == NULL) { - return NULL; - } - - state->pac_ctx = pac_ctx; - state->pr_ctx = pr_ctx; - state->sid_table = sid_table; - state->iter = talloc_steal(state, new_hash_iter_context(state->sid_table)); - - ret = pac_lookup_sids_next(req); - - if (ret != EAGAIN) { - if (ret == EOK) { - tevent_req_done(req); - } else { - tevent_req_error(req, ret); - } - tevent_req_post(req, ev); - } - - return req; -} - - -static errno_t pac_lookup_sids_next(struct tevent_req *req) -{ - struct pac_lookup_sids_state *state; - state = tevent_req_data(req, struct pac_lookup_sids_state); - hash_entry_t *entry; - struct tevent_req *subreq; - struct sss_domain_info *dom; - int ret; - - while ((entry = state->iter->next(state->iter)) != NULL) { - if (entry->value.ul == 0) { - ret = responder_get_domain_by_id(state->pac_ctx->rctx, - entry->key.str, &dom); - if (ret == EOK && dom != NULL) { - subreq = sss_dp_get_account_send(state, - state->pr_ctx->cctx->rctx, - dom, true, - SSS_DP_SECID, entry->key.str, - 0, NULL); - if (subreq == NULL) { - return ENOMEM; - } - tevent_req_set_callback(subreq, pac_lookup_sids_next_done, req); - return EAGAIN; - } - } - } - - return EOK; -} - -static void pac_lookup_sids_next_done(struct tevent_req *subreq) -{ - struct tevent_req *req; - - req = tevent_req_callback_data(subreq, struct tevent_req); - - errno_t ret; - dbus_uint16_t err_maj; - dbus_uint32_t err_min; - char *err_msg; - - ret = sss_dp_get_account_recv(req, subreq, - &err_maj, &err_min, - &err_msg); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - "Unable to get information from Data Provider\n" - "dp_error: [%u], errno: [%u], error_msg: [%s]\n", - (unsigned int)err_maj, (unsigned int)err_min, - err_msg ? err_msg : "none"); - } - - talloc_zfree(subreq); - talloc_zfree(err_msg); - /* Errors during individual lookups are ignored. */ - - ret = pac_lookup_sids_next(req); - if (ret == EOK) { - tevent_req_done(req); - } else if (ret != EAGAIN) { - tevent_req_error(req, ret); - } - return; } -static errno_t pac_lookup_sids_recv(struct tevent_req *req) -{ - TEVENT_REQ_RETURN_ON_ERROR(req); - - return EOK; -} struct cli_protocol_version *register_cli_protocol_version(void) { diff --git a/src/responder/pac/pacsrv_utils.c b/src/responder/pac/pacsrv_utils.c deleted file mode 100644 index 8d7da341c..000000000 --- a/src/responder/pac/pacsrv_utils.c +++ /dev/null @@ -1,478 +0,0 @@ -/* - SSSD - - PAC Responder - utility finctions - - Copyright (C) Sumit Bose <sbose@redhat.com> 2012 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ -#include <sys/types.h> -#include <stdbool.h> -#include <util/data_blob.h> -#include <gen_ndr/security.h> - -#include "util/util.h" -#include "responder/pac/pacsrv.h" - -errno_t get_sids_from_pac(TALLOC_CTX *mem_ctx, - struct pac_ctx *pac_ctx, - struct PAC_LOGON_INFO *logon_info, - char **_user_sid_str, - char **_primary_group_sid_str, - hash_table_t **_sid_table) -{ - int ret; - size_t s; - struct netr_SamInfo3 *info3; - struct sss_domain_info *user_dom; - struct sss_domain_info *group_dom; - char *sid_str = NULL; - char *msid_str = NULL; - char *user_dom_sid_str = NULL; - size_t user_dom_sid_str_len; - enum idmap_error_code err; - hash_table_t *sid_table = NULL; - hash_key_t key; - hash_value_t value; - char *rid_start; - struct ldb_result *msg = NULL; - char *user_sid_str = NULL; - char *primary_group_sid_str = NULL; - - if (pac_ctx == NULL || logon_info == NULL || _sid_table == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "Missing parameter.\n"); - return EINVAL; - } - - info3 = &logon_info->info3; - - ret = sss_hash_create(mem_ctx, - info3->sidcount + info3->base.groups.count + 2, - &sid_table); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "sss_hash_create failed.\n"); - goto done; - } - - key.type = HASH_KEY_STRING; - value.type = HASH_VALUE_ULONG; - - err = sss_idmap_smb_sid_to_sid(pac_ctx->idmap_ctx, info3->base.domain_sid, - &user_dom_sid_str); - if (err != IDMAP_SUCCESS) { - DEBUG(SSSDBG_OP_FAILURE, "sss_idmap_smb_sid_to_sid failed.\n"); - ret = EFAULT; - goto done; - } - - ret = responder_get_domain_by_id(pac_ctx->rctx, user_dom_sid_str, - &user_dom); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "responder_get_domain_by_id failed.\n"); - ret = EINVAL; - goto done; - } - - user_dom_sid_str_len = strlen(user_dom_sid_str); - sid_str = talloc_zero_size(mem_ctx, user_dom_sid_str_len + 12); - if (sid_str == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "talloc_zero_size failed.\n"); - ret = ENOMEM; - goto done; - } - rid_start = sid_str + user_dom_sid_str_len; - - memcpy(sid_str, user_dom_sid_str, user_dom_sid_str_len); - - memset(rid_start, '\0', 12); - ret = snprintf(rid_start, 12, "-%lu", - (unsigned long) info3->base.rid); - if (ret < 0 || ret > 12) { - DEBUG(SSSDBG_OP_FAILURE, "snprintf failed.\n"); - ret = EIO; - goto done; - } - - user_sid_str = talloc_strdup(mem_ctx, sid_str); - if (user_sid_str == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); - ret = ENOMEM; - goto done; - } - - key.str = sid_str; - value.ul = 0; - - ret = sysdb_search_object_by_sid(mem_ctx, user_dom, sid_str, NULL, &msg); - if (ret == EOK && msg->count == 1) { - value.ul = ldb_msg_find_attr_as_uint64(msg->msgs[0], SYSDB_UIDNUM, 0); - } - talloc_zfree(msg); - - ret = hash_enter(sid_table, &key, &value); - if (ret != HASH_SUCCESS) { - DEBUG(SSSDBG_OP_FAILURE, "hash_enter failed [%d][%s].\n", - ret, hash_error_string(ret)); - ret = EIO; - goto done; - } - - - memset(rid_start, '\0', 12); - ret = snprintf(rid_start, 12, "-%lu", - (unsigned long) info3->base.primary_gid); - if (ret < 0 || ret > 12) { - DEBUG(SSSDBG_OP_FAILURE, "snprintf failed.\n"); - ret = EIO; - goto done; - } - - primary_group_sid_str = talloc_strdup(mem_ctx, sid_str); - if (primary_group_sid_str == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); - ret = ENOMEM; - goto done; - } - - key.str = sid_str; - value.ul = 0; - - ret = sysdb_search_object_by_sid(mem_ctx, user_dom, sid_str, NULL, &msg); - if (ret == EOK && msg->count == 1) { - value.ul = ldb_msg_find_attr_as_uint64(msg->msgs[0], SYSDB_GIDNUM, 0); - } - talloc_zfree(msg); - - ret = hash_enter(sid_table, &key, &value); - if (ret != HASH_SUCCESS) { - DEBUG(SSSDBG_OP_FAILURE, "hash_enter failed [%d][%s].\n", - ret, hash_error_string(ret)); - ret = EIO; - goto done; - } - - - for (s = 0; s < info3->base.groups.count; s++) { - memset(rid_start, '\0', 12); - ret = snprintf(rid_start, 12, "-%lu", - (unsigned long) info3->base.groups.rids[s].rid); - if (ret < 0 || ret > 12) { - DEBUG(SSSDBG_OP_FAILURE, "snprintf failed.\n"); - ret = EIO; - goto done; - } - - key.str = sid_str; - value.ul = 0; - - ret = sysdb_search_object_by_sid(mem_ctx, user_dom, sid_str, - NULL, &msg); - if (ret == EOK && msg->count == 1) { - value.ul = ldb_msg_find_attr_as_uint64(msg->msgs[0], - SYSDB_GIDNUM, 0); - } - talloc_zfree(msg); - - ret = hash_enter(sid_table, &key, &value); - if (ret != HASH_SUCCESS) { - DEBUG(SSSDBG_OP_FAILURE, "hash_enter failed [%d][%s].\n", - ret, hash_error_string(ret)); - ret = EIO; - goto done; - } - - } - - for(s = 0; s < info3->sidcount; s++) { - err = sss_idmap_smb_sid_to_sid(pac_ctx->idmap_ctx, info3->sids[s].sid, - &msid_str); - if (err != IDMAP_SUCCESS) { - DEBUG(SSSDBG_OP_FAILURE, "sss_idmap_smb_sid_to_sid failed.\n"); - ret = EFAULT; - goto done; - } - - key.str = msid_str; - value.ul = 0; - - ret = responder_get_domain_by_id(pac_ctx->rctx, msid_str, &group_dom); - if (ret == EOK) { - ret = sysdb_search_object_by_sid(mem_ctx, group_dom, msid_str, - NULL, &msg); - if (ret == EOK && msg->count == 1 ) { - value.ul = ldb_msg_find_attr_as_uint64(msg->msgs[0], - SYSDB_GIDNUM, 0); - } - talloc_zfree(msg); - } - - ret = hash_enter(sid_table, &key, &value); - sss_idmap_free_sid(pac_ctx->idmap_ctx, msid_str); - if (ret != HASH_SUCCESS) { - DEBUG(SSSDBG_OP_FAILURE, "hash_enter failed [%d][%s].\n", - ret, hash_error_string(ret)); - ret = EIO; - goto done; - } - } - - ret = EOK; - -done: - talloc_free(sid_str); - sss_idmap_free_sid(pac_ctx->idmap_ctx, user_dom_sid_str); - - if (ret == EOK) { - *_sid_table = sid_table; - *_user_sid_str = user_sid_str; - *_primary_group_sid_str = primary_group_sid_str; - } else { - hash_destroy(sid_table); - talloc_free(user_sid_str); - talloc_free(primary_group_sid_str); - } - - return ret; -} - -/** - * Extract the PAC logon data from an NDR blob. - */ -errno_t get_data_from_pac(TALLOC_CTX *mem_ctx, - uint8_t *pac_blob, size_t pac_len, - struct PAC_LOGON_INFO **_logon_info) -{ - DATA_BLOB blob; - struct ndr_pull *ndr_pull; - struct PAC_DATA *pac_data; - enum ndr_err_code ndr_err; - size_t c; - int ret; - - blob.data = pac_blob; - blob.length = pac_len; - - ndr_pull = ndr_pull_init_blob(&blob, mem_ctx); - if (ndr_pull == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "ndr_pull_init_blob failed.\n"); - return ENOMEM; - } - ndr_pull->flags |= LIBNDR_FLAG_REF_ALLOC; /* FIXME: is this really needed ? */ - - pac_data = talloc_zero(mem_ctx, struct PAC_DATA); - if (pac_data == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "talloc_zero failed.\n"); - return ENOMEM; - } - - ndr_err = ndr_pull_PAC_DATA(ndr_pull, NDR_SCALARS|NDR_BUFFERS, pac_data); - if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { - DEBUG(SSSDBG_OP_FAILURE, "ndr_pull_PAC_DATA failed [%d]\n", ndr_err); - return EBADMSG; - } - - for(c = 0; c < pac_data->num_buffers; c++) { - if (pac_data->buffers[c].type == PAC_TYPE_LOGON_INFO) { - *_logon_info = pac_data->buffers[c].info->logon_info.info; - - return EOK; - } - } - - ret = EINVAL; - - talloc_free(pac_data); - return ret; -} - -/** - * Fill up the passwd struct with data from the PAC logon info - */ -errno_t get_pwd_from_pac(TALLOC_CTX *mem_ctx, - struct sss_domain_info *dom, - char *user_sid_str, - char *primary_group_sid_str, - hash_table_t *sid_table, - struct PAC_LOGON_INFO *logon_info, - struct passwd **_pwd, - struct sysdb_attrs **_attrs) -{ - struct passwd *pwd = NULL; - struct sysdb_attrs *attrs = NULL; - struct netr_SamBaseInfo *base_info; - int ret; - char *lname; - char *uc_realm; - char *upn; - hash_key_t key; - hash_value_t value; - struct sss_nss_homedir_ctx homedir_ctx; - - pwd = talloc_zero(mem_ctx, struct passwd); - if (pwd == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "talloc_zero failed.\n"); - return ENOMEM; - } - - base_info = &logon_info->info3.base; - - if (base_info->account_name.size == 0) { - DEBUG(SSSDBG_OP_FAILURE, "Missing account name in PAC.\n"); - ret = EINVAL; - goto done; - } - if (base_info->rid == 0) { - DEBUG(SSSDBG_OP_FAILURE, "Missing user RID in PAC.\n"); - ret = EINVAL; - goto done; - } - - /* To be compatible with winbind based lookups we have to use lower - * case names only, effectively making the domain case-insenvitive. */ - lname = sss_tc_utf8_str_tolower(pwd, base_info->account_name.string); - if (lname == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "sss_tc_utf8_str_tolower failed.\n"); - ret = ENOMEM; - goto done; - } - - /* Subdomain use fully qualified names */ - pwd->pw_name = sss_get_domain_name(pwd, lname, dom); - if (!pwd->pw_name) { - DEBUG(SSSDBG_OP_FAILURE, "talloc_sprintf failed.\n"); - ret = ENOMEM; - goto done; - } - - key.type = HASH_KEY_STRING; - key.str = user_sid_str; - ret = hash_lookup(sid_table, &key, &value); - if (ret != HASH_SUCCESS) { - DEBUG(SSSDBG_OP_FAILURE, "hash_lookup failed.\n"); - ret = EIO; - goto done; - } - if (value.type != HASH_VALUE_ULONG) { - DEBUG(SSSDBG_OP_FAILURE, "Wrong value type.\n"); - ret = EIO; - goto done; - } - pwd->pw_uid = value.ul; - - if (IS_SUBDOMAIN(dom) || dom->mpg) { - pwd->pw_gid = 0; /* We use MPGs for sub-domains */ - } else { - key.type = HASH_KEY_STRING; - key.str = primary_group_sid_str; - ret = hash_lookup(sid_table, &key, &value); - if (ret != HASH_SUCCESS) { - DEBUG(SSSDBG_OP_FAILURE, "hash_lookup failed.\n"); - ret = EIO; - goto done; - } - if (value.type != HASH_VALUE_ULONG) { - DEBUG(SSSDBG_OP_FAILURE, "Wrong value type.\n"); - ret = EIO; - goto done; - } - pwd->pw_gid = value.ul; - } - - if (base_info->full_name.size != 0) { - pwd->pw_gecos = talloc_strdup(pwd, base_info->full_name.string); - if (pwd->pw_gecos == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "talloc_strdup failed.\n"); - ret = ENOMEM; - goto done; - } - } else { - DEBUG(SSSDBG_OP_FAILURE, - "Missing full name in PAC, gecos field will by empty.\n"); - } - - /* Check if there is a special homedir template for sub-domains. If not a - * fallback will be added by the NSS responder. */ - if (IS_SUBDOMAIN(dom) && dom->subdomain_homedir) { - ZERO_STRUCT(homedir_ctx); - - homedir_ctx.username = lname; - homedir_ctx.uid = pwd->pw_uid; - homedir_ctx.domain = dom->name; - homedir_ctx.flatname = dom->flat_name; - homedir_ctx.config_homedir_substr = dom->homedir_substr; - - pwd->pw_dir = expand_homedir_template(pwd, dom->subdomain_homedir, - &homedir_ctx); - if (pwd->pw_dir == NULL) { - ret = ENOMEM; - goto done; - } - } - - pwd->pw_shell = NULL; /* Using default */ - - attrs = sysdb_new_attrs(mem_ctx); - if (attrs == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "sysdb_new_attrs failed.\n"); - ret = ENOMEM; - goto done; - } - - uc_realm = get_uppercase_realm(mem_ctx, dom->name); - if (uc_realm == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "get_uppercase_realm failed.\n"); - ret = ENOMEM; - goto done; - } - - upn = talloc_asprintf(mem_ctx, "%s@%s", lname, uc_realm); - talloc_free(uc_realm); - if (upn == NULL) { - DEBUG(SSSDBG_OP_FAILURE, "talloc_asprintf failed.\n"); - ret = ENOMEM; - goto done; - } - - ret = sysdb_attrs_add_string(attrs, SYSDB_UPN, upn); - talloc_free(upn); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string failed.\n"); - goto done; - } - - ret = sysdb_attrs_add_lc_name_alias(attrs, pwd->pw_name); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_lc_name_alias failed.\n"); - goto done; - } - - ret = sysdb_attrs_add_string(attrs, SYSDB_SID_STR, user_sid_str); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_add_string failed.\n"); - goto done; - } - - *_pwd = pwd; - *_attrs = attrs; - - ret = EOK; - -done: - if (ret != EOK) { - talloc_free(pwd); - } - - return ret; -} |