[Samba] User's groups issue

Jeremy Allison jra at samba.org
Wed Aug 27 23:23:25 GMT 2008 

On Wed, Aug 27, 2008 at 03:55:04PM -0700, Jeremy Allison wrote:
> 
> Hmmmm. Ok, *looks* right but may not be :-).
> 
> Looking closely at winbindd/winbindd_pam.c I find :
> 
>                 netsamlogon_cache_store(name_user, info3);
>                 wcache_invalidate_samlogon(find_domain_from_name(name_domain), info3);
> 
> in two places (on successful logon). wcache_invalidate_samlogon()
> calls netsamlogon_clear_cached_user() which is meant to scrub the
> "UG/<sid>" and "U/<sid>" entries from the winbindd cache, not
> delete the netsamlogon cache entry.
> 
> If we change to your code the wcache_invalidate_samlogon()
> call would call netsamlogon_clear_cached_user() which would delete
> the entry just added by netsamlogon_cache_store(), making these
> two calls essentially a no-op.
> 
> Now I'm pretty sure wcache_invalidate_samlogon() should do
> the deletion of the "UG/<sid>" and "U/<sid>" entries from the winbindd
> cache itself, rather than leaving that code inside samlogon_cache.c
> (where it is now) - especially as the reason for it being
> there (might be called by smbd) is no longer valid.
> 
> But as I said, making the function look the way you have it
> appears to never store anything inside NETSAMLOGON_TDB
> (as we add then delete again).
> 
> How are you testing this ?

Ok, here is a modified version of your patch that
moved the invalidation of "UG/<sid>" and "U/<sid>" entries from the
winbindd cache into winbindd_cache.c, where they belong (IMHO),
and modifies the order to call wcache_invalidate_samlogon()
*before* netsamlogon_cache_store() in winbindd/winbindd_pam.c.

Note that as netsamlogon_cache_store() actually does a TDB_REPLACE
the actual call to netsamlogon_clear_cached_user() doesn't really
do anything (and could be commented out). netsamlogon_clear_cached_user
is only ever called from this one pleace (wcache_invalidate_samlogon())
in this modified patch, and as mentioned above is not really relevent.

Jerry + Ephi, please comment. (Patch applies to current 3-2-test git
tree but is just as relevent for 3.0.x and 3.3.x).

Jeremy.
-------------- next part --------------
diff --git a/source/libsmb/samlogon_cache.c b/source/libsmb/samlogon_cache.c
index 2d2588f..4abe5bb 100644
--- a/source/libsmb/samlogon_cache.c
+++ b/source/libsmb/samlogon_cache.c
@@ -59,48 +59,30 @@ bool netsamlogon_cache_shutdown(void)
  Clear cache getpwnam and getgroups entries from the winbindd cache
 ***********************************************************************/
 
-void netsamlogon_clear_cached_user(TDB_CONTEXT *tdb, struct netr_SamInfo3 *info3)
+void netsamlogon_clear_cached_user(struct netr_SamInfo3 *info3)
 {
-	bool got_tdb = false;
-	DOM_SID sid;
-	fstring key_str, sid_string;
-
-	/* We may need to call this function from smbd which will not have
-	   winbindd_cache.tdb open.  Open the tdb if a NULL is passed. */
-
-	if (!tdb) {
-		tdb = tdb_open_log(lock_path("winbindd_cache.tdb"),
-				   WINBINDD_CACHE_TDB_DEFAULT_HASH_SIZE,
-				   TDB_DEFAULT, O_RDWR, 0600);
-		if (!tdb) {
-			DEBUG(5, ("netsamlogon_clear_cached_user: failed to open cache\n"));
-			return;
-		}
-		got_tdb = true;
-	}
-
-	sid_copy(&sid, info3->base.domain_sid);
-	sid_append_rid(&sid, info3->base.rid);
-
-	/* Clear U/SID cache entry */
-
-	fstr_sprintf(key_str, "U/%s", sid_to_fstring(sid_string, &sid));
-
-	DEBUG(10, ("netsamlogon_clear_cached_user: clearing %s\n", key_str));
-
-	tdb_delete(tdb, string_tdb_data(key_str));
+	DOM_SID	user_sid;
+	fstring keystr, tmp;
 
-	/* Clear UG/SID cache entry */
+	if (!info3) {
+		return;
+	}
 
-	fstr_sprintf(key_str, "UG/%s", sid_to_fstring(sid_string, &sid));
+	if (!netsamlogon_cache_init()) {
+		DEBUG(0,("netsamlogon_clear_cached_user: cannot open "
+			"%s for write!\n",
+			NETSAMLOGON_TDB));
+		return;
+	}
+	sid_copy(&user_sid, info3->base.domain_sid);
+	sid_append_rid(&user_sid, info3->base.rid);
 
-	DEBUG(10, ("netsamlogon_clear_cached_user: clearing %s\n", key_str));
+	/* Prepare key as DOMAIN-SID/USER-RID string */
+	slprintf(keystr, sizeof(keystr), "%s", sid_to_fstring(tmp, &user_sid));
 
-	tdb_delete(tdb, string_tdb_data(key_str));
+	DEBUG(10,("netsamlogon_clear_cached_user: SID [%s]\n", keystr));
 
-	if (got_tdb) {
-		tdb_close(tdb);
-	}
+	tdb_delete_bystring(netsamlogon_tdb, keystr);
 }
 
 /***********************************************************************
diff --git a/source/winbindd/winbindd_cache.c b/source/winbindd/winbindd_cache.c
index 3b2b9aa..ac8fc10 100644
--- a/source/winbindd/winbindd_cache.c
+++ b/source/winbindd/winbindd_cache.c
@@ -2265,6 +2265,8 @@ static int traverse_fn(TDB_CONTEXT *the_tdb, TDB_DATA kbuf, TDB_DATA dbuf,
 void wcache_invalidate_samlogon(struct winbindd_domain *domain, 
 				struct netr_SamInfo3 *info3)
 {
+        DOM_SID sid;
+        fstring key_str, sid_string;
 	struct winbind_cache *cache;
 
 	/* dont clear cached U/SID and UG/SID entries when we want to logon
@@ -2278,7 +2280,21 @@ void wcache_invalidate_samlogon(struct winbindd_domain *domain,
 		return;
 
 	cache = get_cache(domain);
-	netsamlogon_clear_cached_user(cache->tdb, info3);
+
+	sid_copy(&sid, info3->base.domain_sid);
+	sid_append_rid(&sid, info3->base.rid);
+
+	/* Clear U/SID cache entry */
+	fstr_sprintf(key_str, "U/%s", sid_to_fstring(sid_string, &sid));
+	DEBUG(10, ("wcache_invalidate_samlogon: clearing %s\n", key_str));
+	tdb_delete(cache->tdb, string_tdb_data(key_str));
+
+	/* Clear UG/SID cache entry */
+	fstr_sprintf(key_str, "UG/%s", sid_to_fstring(sid_string, &sid));
+	DEBUG(10, ("wcache_invalidate_samlogon: clearing %s\n", key_str));
+	tdb_delete(cache->tdb, string_tdb_data(key_str));
+
+	netsamlogon_clear_cached_user(info3);
 }
 
 bool wcache_invalidate_cache(void)
diff --git a/source/winbindd/winbindd_pam.c b/source/winbindd/winbindd_pam.c
index ce6a256..90849b5 100644
--- a/source/winbindd/winbindd_pam.c
+++ b/source/winbindd/winbindd_pam.c
@@ -1599,8 +1599,8 @@ process_result:
 			goto done;
 		}
 
-		netsamlogon_cache_store(name_user, info3);
 		wcache_invalidate_samlogon(find_domain_from_name(name_domain), info3);
+		netsamlogon_cache_store(name_user, info3);
 
 		/* save name_to_sid info as early as possible (only if
 		   this is our primary domain so we don't invalidate
@@ -1941,8 +1941,8 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
 
 	if (NT_STATUS_IS_OK(result)) {
 
-		netsamlogon_cache_store(name_user, info3);
 		wcache_invalidate_samlogon(find_domain_from_name(name_domain), info3);
+		netsamlogon_cache_store(name_user, info3);
 
 		/* Check if the user is in the right group */

More information about the samba-technical mailing list