[Samba] User's groups issue
Jeremy Allison
jra at samba.org
Wed Aug 27 23:23:25 GMT 2008
On Wed, Aug 27, 2008 at 03:55:04PM -0700, Jeremy Allison wrote:
>
> Hmmmm. Ok, *looks* right but may not be :-).
>
> Looking closely at winbindd/winbindd_pam.c I find :
>
> netsamlogon_cache_store(name_user, info3);
> wcache_invalidate_samlogon(find_domain_from_name(name_domain), info3);
>
> in two places (on successful logon). wcache_invalidate_samlogon()
> calls netsamlogon_clear_cached_user() which is meant to scrub the
> "UG/<sid>" and "U/<sid>" entries from the winbindd cache, not
> delete the netsamlogon cache entry.
>
> If we change to your code the wcache_invalidate_samlogon()
> call would call netsamlogon_clear_cached_user() which would delete
> the entry just added by netsamlogon_cache_store(), making these
> two calls essentially a no-op.
>
> Now I'm pretty sure wcache_invalidate_samlogon() should do
> the deletion of the "UG/<sid>" and "U/<sid>" entries from the winbindd
> cache itself, rather than leaving that code inside samlogon_cache.c
> (where it is now) - especially as the reason for it being
> there (might be called by smbd) is no longer valid.
>
> But as I said, making the function look the way you have it
> appears to never store anything inside NETSAMLOGON_TDB
> (as we add then delete again).
>
> How are you testing this ?
Ok, here is a modified version of your patch that
moved the invalidation of "UG/<sid>" and "U/<sid>" entries from the
winbindd cache into winbindd_cache.c, where they belong (IMHO),
and modifies the order to call wcache_invalidate_samlogon()
*before* netsamlogon_cache_store() in winbindd/winbindd_pam.c.
Note that as netsamlogon_cache_store() actually does a TDB_REPLACE
the actual call to netsamlogon_clear_cached_user() doesn't really
do anything (and could be commented out). netsamlogon_clear_cached_user
is only ever called from this one pleace (wcache_invalidate_samlogon())
in this modified patch, and as mentioned above is not really relevent.
Jerry + Ephi, please comment. (Patch applies to current 3-2-test git
tree but is just as relevent for 3.0.x and 3.3.x).
Jeremy.
-------------- next part --------------
diff --git a/source/libsmb/samlogon_cache.c b/source/libsmb/samlogon_cache.c
index 2d2588f..4abe5bb 100644
--- a/source/libsmb/samlogon_cache.c
+++ b/source/libsmb/samlogon_cache.c
@@ -59,48 +59,30 @@ bool netsamlogon_cache_shutdown(void)
Clear cache getpwnam and getgroups entries from the winbindd cache
***********************************************************************/
-void netsamlogon_clear_cached_user(TDB_CONTEXT *tdb, struct netr_SamInfo3 *info3)
+void netsamlogon_clear_cached_user(struct netr_SamInfo3 *info3)
{
- bool got_tdb = false;
- DOM_SID sid;
- fstring key_str, sid_string;
-
- /* We may need to call this function from smbd which will not have
- winbindd_cache.tdb open. Open the tdb if a NULL is passed. */
-
- if (!tdb) {
- tdb = tdb_open_log(lock_path("winbindd_cache.tdb"),
- WINBINDD_CACHE_TDB_DEFAULT_HASH_SIZE,
- TDB_DEFAULT, O_RDWR, 0600);
- if (!tdb) {
- DEBUG(5, ("netsamlogon_clear_cached_user: failed to open cache\n"));
- return;
- }
- got_tdb = true;
- }
-
- sid_copy(&sid, info3->base.domain_sid);
- sid_append_rid(&sid, info3->base.rid);
-
- /* Clear U/SID cache entry */
-
- fstr_sprintf(key_str, "U/%s", sid_to_fstring(sid_string, &sid));
-
- DEBUG(10, ("netsamlogon_clear_cached_user: clearing %s\n", key_str));
-
- tdb_delete(tdb, string_tdb_data(key_str));
+ DOM_SID user_sid;
+ fstring keystr, tmp;
- /* Clear UG/SID cache entry */
+ if (!info3) {
+ return;
+ }
- fstr_sprintf(key_str, "UG/%s", sid_to_fstring(sid_string, &sid));
+ if (!netsamlogon_cache_init()) {
+ DEBUG(0,("netsamlogon_clear_cached_user: cannot open "
+ "%s for write!\n",
+ NETSAMLOGON_TDB));
+ return;
+ }
+ sid_copy(&user_sid, info3->base.domain_sid);
+ sid_append_rid(&user_sid, info3->base.rid);
- DEBUG(10, ("netsamlogon_clear_cached_user: clearing %s\n", key_str));
+ /* Prepare key as DOMAIN-SID/USER-RID string */
+ slprintf(keystr, sizeof(keystr), "%s", sid_to_fstring(tmp, &user_sid));
- tdb_delete(tdb, string_tdb_data(key_str));
+ DEBUG(10,("netsamlogon_clear_cached_user: SID [%s]\n", keystr));
- if (got_tdb) {
- tdb_close(tdb);
- }
+ tdb_delete_bystring(netsamlogon_tdb, keystr);
}
/***********************************************************************
diff --git a/source/winbindd/winbindd_cache.c b/source/winbindd/winbindd_cache.c
index 3b2b9aa..ac8fc10 100644
--- a/source/winbindd/winbindd_cache.c
+++ b/source/winbindd/winbindd_cache.c
@@ -2265,6 +2265,8 @@ static int traverse_fn(TDB_CONTEXT *the_tdb, TDB_DATA kbuf, TDB_DATA dbuf,
void wcache_invalidate_samlogon(struct winbindd_domain *domain,
struct netr_SamInfo3 *info3)
{
+ DOM_SID sid;
+ fstring key_str, sid_string;
struct winbind_cache *cache;
/* dont clear cached U/SID and UG/SID entries when we want to logon
@@ -2278,7 +2280,21 @@ void wcache_invalidate_samlogon(struct winbindd_domain *domain,
return;
cache = get_cache(domain);
- netsamlogon_clear_cached_user(cache->tdb, info3);
+
+ sid_copy(&sid, info3->base.domain_sid);
+ sid_append_rid(&sid, info3->base.rid);
+
+ /* Clear U/SID cache entry */
+ fstr_sprintf(key_str, "U/%s", sid_to_fstring(sid_string, &sid));
+ DEBUG(10, ("wcache_invalidate_samlogon: clearing %s\n", key_str));
+ tdb_delete(cache->tdb, string_tdb_data(key_str));
+
+ /* Clear UG/SID cache entry */
+ fstr_sprintf(key_str, "UG/%s", sid_to_fstring(sid_string, &sid));
+ DEBUG(10, ("wcache_invalidate_samlogon: clearing %s\n", key_str));
+ tdb_delete(cache->tdb, string_tdb_data(key_str));
+
+ netsamlogon_clear_cached_user(info3);
}
bool wcache_invalidate_cache(void)
diff --git a/source/winbindd/winbindd_pam.c b/source/winbindd/winbindd_pam.c
index ce6a256..90849b5 100644
--- a/source/winbindd/winbindd_pam.c
+++ b/source/winbindd/winbindd_pam.c
@@ -1599,8 +1599,8 @@ process_result:
goto done;
}
- netsamlogon_cache_store(name_user, info3);
wcache_invalidate_samlogon(find_domain_from_name(name_domain), info3);
+ netsamlogon_cache_store(name_user, info3);
/* save name_to_sid info as early as possible (only if
this is our primary domain so we don't invalidate
@@ -1941,8 +1941,8 @@ enum winbindd_result winbindd_dual_pam_auth_crap(struct winbindd_domain *domain,
if (NT_STATUS_IS_OK(result)) {
- netsamlogon_cache_store(name_user, info3);
wcache_invalidate_samlogon(find_domain_from_name(name_domain), info3);
+ netsamlogon_cache_store(name_user, info3);
/* Check if the user is in the right group */
More information about the samba-technical
mailing list