static bool printing_subsystem_queue_tasks(struct tevent_context *ev_ctx,
struct messaging_context *msg_ctx)
{
if (!(event_add_idle(ev_ctx, NULL,
timeval_set(SMBD_HOUSEKEEPING_INTERVAL, 0),
"print_queue_housekeeping",
print_queue_housekeeping,
msg_ctx))) {
DEBUG(0, ("Could not add print_queue_housekeeping event\n"));
return false;
}
return true;
}
/*
* Initialize the sm_lock struct before passing it to ifs_createfile.
*/
static void smlock_init(connection_struct *conn, struct sm_lock *sml,
bool isexe, uint32_t access_mask, uint32_t share_access,
uint32_t create_options)
{
sml->sm_type.doc = false;
sml->sm_type.isexe = isexe;
sml->sm_type.statonly = is_stat_open(access_mask);
sml->sm_type.access_mask = access_mask;
sml->sm_type.share_access = share_access;
/*
* private_options was previously used for DENY_DOS/DENY_FCB checks in
* the kernel, but are now properly handled by fcb_or_dos_open. In
* these cases, ifs_createfile will return a sharing violation, which
* gives fcb_or_dos_open the chance to open a duplicate file handle.
*/
sml->sm_type.private_options = 0;
/* 1 second delay is handled in onefs_open.c by deferring the open */
sml->sm_timeout = timeval_set(0, 0);
}
static int net_g_lock_do(struct net_context *c, int argc, const char **argv)
{
struct net_g_lock_do_state state;
const char *name, *cmd;
int timeout;
NTSTATUS status;
if (argc != 3) {
d_printf("Usage: net g_lock do <lockname> <timeout> "
"<command>\n");
return -1;
}
name = argv[0];
timeout = atoi(argv[1]);
cmd = argv[2];
state.cmd = cmd;
state.result = -1;
status = g_lock_do(name, G_LOCK_WRITE,
timeval_set(timeout / 1000, timeout % 1000),
net_g_lock_do_fn, &state);
if (!NT_STATUS_IS_OK(status)) {
d_fprintf(stderr, "ERROR: g_lock_do failed: %s\n",
nt_errstr(status));
goto done;
}
if (state.result == -1) {
d_fprintf(stderr, "ERROR: system() returned %s\n",
strerror(errno));
goto done;
}
d_fprintf(stderr, "command returned %d\n", state.result);
done:
return state.result;
}
static BOOL irix_oplock_msg_waiting(fd_set *fds)
{
int selrtn;
fd_set myfds;
struct timeval to;
if (oplock_pipe_read == -1)
return False;
if (fds) {
return FD_ISSET(oplock_pipe_read, fds);
}
/* Do a zero-time select. We just need to find out if there
* are any outstanding messages. We use sys_select_intr as
* we need to ignore any signals. */
FD_ZERO(&myfds);
FD_SET(oplock_pipe_read, &myfds);
to = timeval_set(0, 0);
selrtn = sys_select_intr(oplock_pipe_read+1,&myfds,NULL,NULL,&to);
return (selrtn == 1) ? True : False;
}
NTSTATUS add_ccache_to_list(const char *princ_name,
const char *ccname,
const char *service,
const char *username,
const char *pass,
const char *realm,
uid_t uid,
time_t create_time,
time_t ticket_end,
time_t renew_until,
bool postponed_request)
{
struct WINBINDD_CCACHE_ENTRY *entry = NULL;
struct timeval t;
NTSTATUS ntret;
#ifdef HAVE_KRB5
int ret;
#endif
if ((username == NULL && princ_name == NULL) ||
ccname == NULL || uid < 0) {
return NT_STATUS_INVALID_PARAMETER;
}
if (ccache_entry_count() + 1 > MAX_CCACHES) {
DEBUG(10,("add_ccache_to_list: "
"max number of ccaches reached\n"));
return NT_STATUS_NO_MORE_ENTRIES;
}
/* If it is cached login, destroy krb5 ticket
* to avoid surprise. */
#ifdef HAVE_KRB5
if (postponed_request) {
/* ignore KRB5_FCC_NOFILE error here */
ret = ads_kdestroy(ccname);
if (ret == KRB5_FCC_NOFILE) {
ret = 0;
}
if (ret) {
DEBUG(0, ("add_ccache_to_list: failed to destroy "
"user krb5 ccache %s with %s\n", ccname,
error_message(ret)));
return krb5_to_nt_status(ret);
}
DEBUG(10, ("add_ccache_to_list: successfully destroyed "
"krb5 ccache %s for user %s\n", ccname,
username));
}
#endif
/* Reference count old entries */
entry = get_ccache_by_username(username);
if (entry) {
/* Check cached entries are identical. */
if (!ccache_entry_identical(username, uid, ccname)) {
return NT_STATUS_INVALID_PARAMETER;
}
entry->ref_count++;
DEBUG(10,("add_ccache_to_list: "
"ref count on entry %s is now %d\n",
username, entry->ref_count));
/* FIXME: in this case we still might want to have a krb5 cred
* event handler created - gd
* Add ticket refresh handler here */
if (!lp_winbind_refresh_tickets() || renew_until <= 0) {
return NT_STATUS_OK;
}
if (!entry->event) {
if (postponed_request) {
t = timeval_current_ofs(MAX(30, lp_winbind_cache_time()), 0);
add_krb5_ticket_gain_handler_event(entry, t);
} else {
/* Renew at 1/2 the ticket expiration time */
#if defined(DEBUG_KRB5_TKT_RENEWAL)
t = timeval_set(time(NULL)+30, 0);
#else
t = timeval_set(krb5_event_refresh_time(ticket_end),
0);
#endif
if (!entry->refresh_time) {
entry->refresh_time = t.tv_sec;
}
entry->event = tevent_add_timer(winbind_event_context(),
entry,
t,
krb5_ticket_refresh_handler,
entry);
}
if (!entry->event) {
ntret = remove_ccache(username);
if (!NT_STATUS_IS_OK(ntret)) {
DEBUG(0, ("add_ccache_to_list: Failed to remove krb5 "
"ccache %s for user %s\n", entry->ccname,
entry->username));
DEBUG(0, ("add_ccache_to_list: error is %s\n",
nt_errstr(ntret)));
return ntret;
}
return NT_STATUS_NO_MEMORY;
}
DEBUG(10,("add_ccache_to_list: added krb5_ticket handler\n"));
}
/*
* If we're set up to renew our krb5 tickets, we must
* cache the credentials in memory for the ticket
* renew function (or increase the reference count
* if we're logging in more than once). Fix inspired
* by patch from Ian Gordon <*****@*****.**>
* for bugid #9098.
*/
ntret = winbindd_add_memory_creds(username, uid, pass);
DEBUG(10, ("winbindd_add_memory_creds returned: %s\n",
nt_errstr(ntret)));
return NT_STATUS_OK;
}
entry = talloc(NULL, struct WINBINDD_CCACHE_ENTRY);
if (!entry) {
return NT_STATUS_NO_MEMORY;
}
ZERO_STRUCTP(entry);
if (username) {
entry->username = talloc_strdup(entry, username);
if (!entry->username) {
goto no_mem;
}
}
if (princ_name) {
entry->principal_name = talloc_strdup(entry, princ_name);
if (!entry->principal_name) {
goto no_mem;
}
}
if (service) {
entry->service = talloc_strdup(entry, service);
if (!entry->service) {
goto no_mem;
}
}
entry->ccname = talloc_strdup(entry, ccname);
if (!entry->ccname) {
goto no_mem;
}
entry->realm = talloc_strdup(entry, realm);
if (!entry->realm) {
goto no_mem;
}
entry->create_time = create_time;
entry->renew_until = renew_until;
entry->uid = uid;
entry->ref_count = 1;
if (!lp_winbind_refresh_tickets() || renew_until <= 0) {
goto add_entry;
}
if (postponed_request) {
t = timeval_current_ofs(MAX(30, lp_winbind_cache_time()), 0);
add_krb5_ticket_gain_handler_event(entry, t);
} else {
/* Renew at 1/2 the ticket expiration time */
#if defined(DEBUG_KRB5_TKT_RENEWAL)
t = timeval_set(time(NULL)+30, 0);
#else
t = timeval_set(krb5_event_refresh_time(ticket_end), 0);
#endif
if (entry->refresh_time == 0) {
entry->refresh_time = t.tv_sec;
}
entry->event = tevent_add_timer(winbind_event_context(),
entry,
t,
krb5_ticket_refresh_handler,
entry);
}
if (!entry->event) {
goto no_mem;
}
DEBUG(10,("add_ccache_to_list: added krb5_ticket handler\n"));
add_entry:
DLIST_ADD(ccache_list, entry);
DEBUG(10,("add_ccache_to_list: "
"added ccache [%s] for user [%s] to the list\n",
ccname, username));
if (entry->event) {
/*
* If we're set up to renew our krb5 tickets, we must
* cache the credentials in memory for the ticket
* renew function. Fix inspired by patch from
* Ian Gordon <*****@*****.**> for
* bugid #9098.
*/
ntret = winbindd_add_memory_creds(username, uid, pass);
DEBUG(10, ("winbindd_add_memory_creds returned: %s\n",
nt_errstr(ntret)));
}
return NT_STATUS_OK;
no_mem:
TALLOC_FREE(entry);
return NT_STATUS_NO_MEMORY;
}
static void krb5_ticket_gain_handler(struct tevent_context *event_ctx,
struct tevent_timer *te,
struct timeval now,
void *private_data)
{
struct WINBINDD_CCACHE_ENTRY *entry =
talloc_get_type_abort(private_data, struct WINBINDD_CCACHE_ENTRY);
#ifdef HAVE_KRB5
int ret;
struct timeval t;
struct WINBINDD_MEMORY_CREDS *cred_ptr = entry->cred_ptr;
struct winbindd_domain *domain = NULL;
#endif
DEBUG(10,("krb5_ticket_gain_handler called\n"));
DEBUGADD(10,("event called for: %s, %s\n",
entry->ccname, entry->username));
TALLOC_FREE(entry->event);
#ifdef HAVE_KRB5
if (!cred_ptr || !cred_ptr->pass) {
DEBUG(10,("krb5_ticket_gain_handler: no memory creds\n"));
return;
}
if ((domain = find_domain_from_name(entry->realm)) == NULL) {
DEBUG(0,("krb5_ticket_gain_handler: unknown domain\n"));
return;
}
if (!domain->online) {
goto retry_later;
}
set_effective_uid(entry->uid);
ret = kerberos_kinit_password_ext(entry->principal_name,
cred_ptr->pass,
0, /* hm, can we do time correction here ? */
&entry->refresh_time,
&entry->renew_until,
entry->ccname,
False, /* no PAC required anymore */
True,
WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
NULL);
gain_root_privilege();
if (ret) {
DEBUG(3,("krb5_ticket_gain_handler: "
"could not kinit: %s\n",
error_message(ret)));
/* evil. If we cannot do it, destroy any the __maybe__
* __existing__ ticket */
ads_kdestroy(entry->ccname);
goto retry_later;
}
DEBUG(10,("krb5_ticket_gain_handler: "
"successful kinit for: %s in ccache: %s\n",
entry->principal_name, entry->ccname));
goto got_ticket;
retry_later:
#if defined(DEBUG_KRB5_TKT_RENEWAL)
t = timeval_set(time(NULL) + 30, 0);
#else
t = timeval_current_ofs(MAX(30, lp_winbind_cache_time()), 0);
#endif
add_krb5_ticket_gain_handler_event(entry, t);
return;
got_ticket:
#if defined(DEBUG_KRB5_TKT_RENEWAL)
t = timeval_set(time(NULL) + 30, 0);
#else
t = timeval_set(krb5_event_refresh_time(entry->refresh_time), 0);
#endif
if (entry->refresh_time == 0) {
entry->refresh_time = t.tv_sec;
}
entry->event = tevent_add_timer(winbind_event_context(),
entry,
t,
krb5_ticket_refresh_handler,
entry);
return;
#endif
}
static void krb5_ticket_refresh_handler(struct tevent_context *event_ctx,
struct tevent_timer *te,
struct timeval now,
void *private_data)
{
struct WINBINDD_CCACHE_ENTRY *entry =
talloc_get_type_abort(private_data, struct WINBINDD_CCACHE_ENTRY);
#ifdef HAVE_KRB5
int ret;
time_t new_start;
time_t expire_time = 0;
struct WINBINDD_MEMORY_CREDS *cred_ptr = entry->cred_ptr;
#endif
DEBUG(10,("krb5_ticket_refresh_handler called\n"));
DEBUGADD(10,("event called for: %s, %s\n",
entry->ccname, entry->username));
TALLOC_FREE(entry->event);
#ifdef HAVE_KRB5
/* Kinit again if we have the user password and we can't renew the old
* tgt anymore
* NB
* This happens when machine are put to sleep for a very long time. */
if (entry->renew_until < time(NULL)) {
rekinit:
if (cred_ptr && cred_ptr->pass) {
set_effective_uid(entry->uid);
ret = kerberos_kinit_password_ext(entry->principal_name,
cred_ptr->pass,
0, /* hm, can we do time correction here ? */
&entry->refresh_time,
&entry->renew_until,
entry->ccname,
False, /* no PAC required anymore */
True,
WINBINDD_PAM_AUTH_KRB5_RENEW_TIME,
NULL);
gain_root_privilege();
if (ret) {
DEBUG(3,("krb5_ticket_refresh_handler: "
"could not re-kinit: %s\n",
error_message(ret)));
/* destroy the ticket because we cannot rekinit
* it, ignore error here */
ads_kdestroy(entry->ccname);
/* Don't break the ticket refresh chain: retry
* refreshing ticket sometime later when KDC is
* unreachable -- BoYang. More error code handling
* here?
* */
if ((ret == KRB5_KDC_UNREACH)
|| (ret == KRB5_REALM_CANT_RESOLVE)) {
#if defined(DEBUG_KRB5_TKT_RENEWAL)
new_start = time(NULL) + 30;
#else
new_start = time(NULL) +
MAX(30, lp_winbind_cache_time());
#endif
add_krb5_ticket_gain_handler_event(entry,
timeval_set(new_start, 0));
return;
}
TALLOC_FREE(entry->event);
return;
}
DEBUG(10,("krb5_ticket_refresh_handler: successful re-kinit "
"for: %s in ccache: %s\n",
entry->principal_name, entry->ccname));
#if defined(DEBUG_KRB5_TKT_RENEWAL)
new_start = time(NULL) + 30;
#else
/* The tkt should be refreshed at one-half the period
from now to the expiration time */
expire_time = entry->refresh_time;
new_start = krb5_event_refresh_time(entry->refresh_time);
#endif
goto done;
} else {
/* can this happen?
* No cached credentials
* destroy ticket and refresh chain
* */
ads_kdestroy(entry->ccname);
TALLOC_FREE(entry->event);
return;
}
}
set_effective_uid(entry->uid);
ret = smb_krb5_renew_ticket(entry->ccname,
entry->principal_name,
entry->service,
&new_start);
#if defined(DEBUG_KRB5_TKT_RENEWAL)
new_start = time(NULL) + 30;
#else
expire_time = new_start;
new_start = krb5_event_refresh_time(new_start);
#endif
gain_root_privilege();
if (ret) {
DEBUG(3,("krb5_ticket_refresh_handler: "
"could not renew tickets: %s\n",
error_message(ret)));
/* maybe we are beyond the renewing window */
/* evil rises here, we refresh ticket failed,
* but the ticket might be expired. Therefore,
* When we refresh ticket failed, destory the
* ticket */
ads_kdestroy(entry->ccname);
/* avoid breaking the renewal chain: retry in
* lp_winbind_cache_time() seconds when the KDC was not
* available right now.
* the return code can be KRB5_REALM_CANT_RESOLVE.
* More error code handling here? */
if ((ret == KRB5_KDC_UNREACH)
|| (ret == KRB5_REALM_CANT_RESOLVE)) {
#if defined(DEBUG_KRB5_TKT_RENEWAL)
new_start = time(NULL) + 30;
#else
new_start = time(NULL) +
MAX(30, lp_winbind_cache_time());
#endif
/* ticket is destroyed here, we have to regain it
* if it is possible */
add_krb5_ticket_gain_handler_event(entry,
timeval_set(new_start, 0));
return;
}
/* This is evil, if the ticket was already expired.
* renew ticket function returns KRB5KRB_AP_ERR_TKT_EXPIRED.
* But there is still a chance that we can rekinit it.
*
* This happens when user login in online mode, and then network
* down or something cause winbind goes offline for a very long time,
* and then goes online again. ticket expired, renew failed.
* This happens when machine are put to sleep for a long time,
* but shorter than entry->renew_util.
* NB
* Looks like the KDC is reachable, we want to rekinit as soon as
* possible instead of waiting some time later. */
if ((ret == KRB5KRB_AP_ERR_TKT_EXPIRED)
|| (ret == KRB5_FCC_NOFILE)) goto rekinit;
return;
}
done:
/* in cases that ticket will be unrenewable soon, we don't try to renew ticket
* but try to regain ticket if it is possible */
if (entry->renew_until && expire_time
&& (entry->renew_until <= expire_time)) {
/* try to regain ticket 10 seconds before expiration */
expire_time -= 10;
add_krb5_ticket_gain_handler_event(entry,
timeval_set(expire_time, 0));
return;
}
if (entry->refresh_time == 0) {
entry->refresh_time = new_start;
}
entry->event = tevent_add_timer(winbind_event_context(), entry,
timeval_set(new_start, 0),
krb5_ticket_refresh_handler,
entry);
#endif
}
