void scavenger_schedule_disconnected(struct files_struct *fsp)
{
NTSTATUS status;
struct server_id self = messaging_server_id(fsp->conn->sconn->msg_ctx);
struct timeval disconnect_time, until;
uint64_t timeout_usec;
struct scavenger_message msg;
DATA_BLOB msg_blob;
struct server_id_buf tmp;
if (fsp->op == NULL) {
return;
}
nttime_to_timeval(&disconnect_time, fsp->op->global->disconnect_time);
timeout_usec = 1000 * fsp->op->global->durable_timeout_msec;
until = timeval_add(&disconnect_time,
timeout_usec / 1000000,
timeout_usec % 1000000);
ZERO_STRUCT(msg);
msg.file_id = fsp->file_id;
msg.open_persistent_id = fsp->op->global->open_persistent_id;
msg.until = timeval_to_nttime(&until);
DEBUG(10, ("smbd: %s mark file %s as disconnected at %s with timeout "
"at %s in %fs\n",
server_id_str_buf(self, &tmp),
file_id_string_tos(&fsp->file_id),
timeval_string(talloc_tos(), &disconnect_time, true),
timeval_string(talloc_tos(), &until, true),
fsp->op->global->durable_timeout_msec/1000.0));
SMB_ASSERT(server_id_is_disconnected(&fsp->op->global->server_id));
SMB_ASSERT(!server_id_equal(&self, &smbd_scavenger_state->parent_id));
SMB_ASSERT(!smbd_scavenger_state->am_scavenger);
msg_blob = data_blob_const(&msg, sizeof(msg));
DEBUG(10, ("send message to scavenger\n"));
status = messaging_send(smbd_scavenger_state->msg,
smbd_scavenger_state->parent_id,
MSG_SMB_SCAVENGER,
&msg_blob);
if (!NT_STATUS_IS_OK(status)) {
struct server_id_buf tmp1, tmp2;
DEBUG(2, ("Failed to send message to parent smbd %s "
"from %s: %s\n",
server_id_str_buf(smbd_scavenger_state->parent_id,
&tmp1),
server_id_str_buf(self, &tmp2),
nt_errstr(status)));
}
}
/*
perform a LDAP/SASL/SPNEGO/{NTLMSSP,KRB5} bind (just how many layers can
we fit on one socket??)
*/
static ADS_STATUS ads_sasl_spnego_gensec_bind(ADS_STRUCT *ads,
const char *sasl,
enum credentials_use_kerberos krb5_state,
const char *target_service,
const char *target_hostname,
const DATA_BLOB server_blob)
{
DATA_BLOB blob_in = data_blob_null;
DATA_BLOB blob_out = data_blob_null;
int rc;
NTSTATUS nt_status;
ADS_STATUS status;
struct auth_generic_state *auth_generic_state;
bool use_spnego_principal = lp_client_use_spnego_principal();
const char *sasl_list[] = { sasl, NULL };
NTTIME end_nt_time;
struct ads_saslwrap *wrap = &ads->ldap_wrap_data;
nt_status = auth_generic_client_prepare(NULL, &auth_generic_state);
if (!NT_STATUS_IS_OK(nt_status)) {
return ADS_ERROR_NT(nt_status);
}
if (!NT_STATUS_IS_OK(nt_status = auth_generic_set_username(auth_generic_state, ads->auth.user_name))) {
return ADS_ERROR_NT(nt_status);
}
if (!NT_STATUS_IS_OK(nt_status = auth_generic_set_domain(auth_generic_state, ads->auth.realm))) {
return ADS_ERROR_NT(nt_status);
}
if (!NT_STATUS_IS_OK(nt_status = auth_generic_set_password(auth_generic_state, ads->auth.password))) {
return ADS_ERROR_NT(nt_status);
}
if (server_blob.length == 0) {
use_spnego_principal = false;
}
if (krb5_state == CRED_DONT_USE_KERBEROS) {
use_spnego_principal = false;
}
cli_credentials_set_kerberos_state(auth_generic_state->credentials,
krb5_state);
if (target_service != NULL) {
nt_status = gensec_set_target_service(
auth_generic_state->gensec_security,
target_service);
if (!NT_STATUS_IS_OK(nt_status)) {
return ADS_ERROR_NT(nt_status);
}
}
if (target_hostname != NULL) {
nt_status = gensec_set_target_hostname(
auth_generic_state->gensec_security,
target_hostname);
if (!NT_STATUS_IS_OK(nt_status)) {
return ADS_ERROR_NT(nt_status);
}
}
if (target_service != NULL && target_hostname != NULL) {
use_spnego_principal = false;
}
switch (wrap->wrap_type) {
case ADS_SASLWRAP_TYPE_SEAL:
gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SIGN);
gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SEAL);
break;
case ADS_SASLWRAP_TYPE_SIGN:
if (ads->auth.flags & ADS_AUTH_SASL_FORCE) {
gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SIGN);
} else {
/*
* windows servers are broken with sign only,
* so we let the NTLMSSP backend to seal here,
* via GENSEC_FEATURE_LDAP_STYLE.
*/
gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_SIGN);
gensec_want_feature(auth_generic_state->gensec_security, GENSEC_FEATURE_LDAP_STYLE);
}
break;
case ADS_SASLWRAP_TYPE_PLAIN:
break;
}
nt_status = auth_generic_client_start_by_sasl(auth_generic_state,
sasl_list);
if (!NT_STATUS_IS_OK(nt_status)) {
return ADS_ERROR_NT(nt_status);
}
rc = LDAP_SASL_BIND_IN_PROGRESS;
nt_status = NT_STATUS_MORE_PROCESSING_REQUIRED;
if (use_spnego_principal) {
blob_in = data_blob_dup_talloc(talloc_tos(), server_blob);
if (blob_in.length == 0) {
TALLOC_FREE(auth_generic_state);
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
}
} else {
blob_in = data_blob_null;
}
blob_out = data_blob_null;
while (true) {
struct berval cred, *scred = NULL;
nt_status = gensec_update(auth_generic_state->gensec_security,
talloc_tos(), blob_in, &blob_out);
data_blob_free(&blob_in);
if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)
&& !NT_STATUS_IS_OK(nt_status))
{
TALLOC_FREE(auth_generic_state);
data_blob_free(&blob_out);
return ADS_ERROR_NT(nt_status);
}
if (NT_STATUS_IS_OK(nt_status) && rc == 0 && blob_out.length == 0) {
break;
}
cred.bv_val = (char *)blob_out.data;
cred.bv_len = blob_out.length;
scred = NULL;
rc = ldap_sasl_bind_s(ads->ldap.ld, NULL, sasl, &cred, NULL, NULL, &scred);
data_blob_free(&blob_out);
if ((rc != LDAP_SASL_BIND_IN_PROGRESS) && (rc != 0)) {
if (scred) {
ber_bvfree(scred);
}
TALLOC_FREE(auth_generic_state);
return ADS_ERROR(rc);
}
if (scred) {
blob_in = data_blob_talloc(talloc_tos(),
scred->bv_val,
scred->bv_len);
if (blob_in.length != scred->bv_len) {
ber_bvfree(scred);
TALLOC_FREE(auth_generic_state);
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
}
ber_bvfree(scred);
} else {
blob_in = data_blob_null;
}
if (NT_STATUS_IS_OK(nt_status) && rc == 0 && blob_in.length == 0) {
break;
}
}
data_blob_free(&blob_in);
data_blob_free(&blob_out);
if (wrap->wrap_type >= ADS_SASLWRAP_TYPE_SEAL) {
bool ok;
ok = gensec_have_feature(auth_generic_state->gensec_security,
GENSEC_FEATURE_SEAL);
if (!ok) {
DEBUG(0,("The gensec feature sealing request, but unavailable\n"));
TALLOC_FREE(auth_generic_state);
return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
}
ok = gensec_have_feature(auth_generic_state->gensec_security,
GENSEC_FEATURE_SIGN);
if (!ok) {
DEBUG(0,("The gensec feature signing request, but unavailable\n"));
TALLOC_FREE(auth_generic_state);
return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
}
} else if (wrap->wrap_type >= ADS_SASLWRAP_TYPE_SIGN) {
bool ok;
ok = gensec_have_feature(auth_generic_state->gensec_security,
GENSEC_FEATURE_SIGN);
if (!ok) {
DEBUG(0,("The gensec feature signing request, but unavailable\n"));
TALLOC_FREE(auth_generic_state);
return ADS_ERROR_NT(NT_STATUS_INVALID_NETWORK_RESPONSE);
}
}
ads->auth.tgs_expire = LONG_MAX;
end_nt_time = gensec_expire_time(auth_generic_state->gensec_security);
if (end_nt_time != GENSEC_EXPIRE_TIME_INFINITY) {
struct timeval tv;
nttime_to_timeval(&tv, end_nt_time);
ads->auth.tgs_expire = tv.tv_sec;
}
if (wrap->wrap_type > ADS_SASLWRAP_TYPE_PLAIN) {
size_t max_wrapped =
gensec_max_wrapped_size(auth_generic_state->gensec_security);
wrap->out.max_unwrapped =
gensec_max_input_size(auth_generic_state->gensec_security);
wrap->out.sig_size = max_wrapped - wrap->out.max_unwrapped;
/*
* Note that we have to truncate this to 0x2C
* (taken from a capture with LDAP unbind), as the
* signature size is not constant for Kerberos with
* arcfour-hmac-md5.
*/
wrap->in.min_wrapped = MIN(wrap->out.sig_size, 0x2C);
wrap->in.max_wrapped = ADS_SASL_WRAPPING_IN_MAX_WRAPPED;
status = ads_setup_sasl_wrapping(wrap, ads->ldap.ld,
&ads_sasl_gensec_ops,
auth_generic_state->gensec_security);
if (!ADS_ERR_OK(status)) {
DEBUG(0, ("ads_setup_sasl_wrapping() failed: %s\n",
ads_errstr(status)));
TALLOC_FREE(auth_generic_state);
return status;
}
/* Only keep the gensec_security element around long-term */
talloc_steal(NULL, auth_generic_state->gensec_security);
}
TALLOC_FREE(auth_generic_state);
return ADS_ERROR(rc);
}
NTSTATUS smbXsrv_open_cleanup(uint64_t persistent_id)
{
NTSTATUS status = NT_STATUS_OK;
TALLOC_CTX *frame = talloc_stackframe();
struct smbXsrv_open_global0 *op = NULL;
TDB_DATA val;
struct db_record *rec;
bool delete_open = false;
uint32_t global_id = persistent_id & UINT32_MAX;
rec = smbXsrv_open_global_fetch_locked(smbXsrv_open_global_db_ctx,
global_id,
frame);
if (rec == NULL) {
status = NT_STATUS_NOT_FOUND;
goto done;
}
val = dbwrap_record_get_value(rec);
if (val.dsize == 0) {
DEBUG(10, ("smbXsrv_open_cleanup[global: 0x%08x] "
"empty record in %s, skipping...\n",
global_id, dbwrap_name(smbXsrv_open_global_db_ctx)));
goto done;
}
status = smbXsrv_open_global_parse_record(talloc_tos(), rec, &op);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("smbXsrv_open_cleanup[global: 0x%08x] "
"failed to read record: %s\n",
global_id, nt_errstr(status)));
goto done;
}
if (server_id_is_disconnected(&op->server_id)) {
struct timeval now, disconnect_time;
int64_t tdiff;
now = timeval_current();
nttime_to_timeval(&disconnect_time, op->disconnect_time);
tdiff = usec_time_diff(&now, &disconnect_time);
delete_open = (tdiff >= 1000*op->durable_timeout_msec);
DEBUG(10, ("smbXsrv_open_cleanup[global: 0x%08x] "
"disconnected at [%s] %us ago with "
"timeout of %us -%s reached\n",
global_id,
nt_time_string(frame, op->disconnect_time),
(unsigned)(tdiff/1000000),
op->durable_timeout_msec / 1000,
delete_open ? "" : " not"));
} else if (!serverid_exists(&op->server_id)) {
struct server_id_buf idbuf;
DEBUG(10, ("smbXsrv_open_cleanup[global: 0x%08x] "
"server[%s] does not exist\n",
global_id,
server_id_str_buf(op->server_id, &idbuf)));
delete_open = true;
}
if (!delete_open) {
goto done;
}
status = dbwrap_record_delete(rec);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("smbXsrv_open_cleanup[global: 0x%08x] "
"failed to delete record"
"from %s: %s\n", global_id,
dbwrap_name(smbXsrv_open_global_db_ctx),
nt_errstr(status)));
goto done;
}
DEBUG(10, ("smbXsrv_open_cleanup[global: 0x%08x] "
"delete record from %s\n",
global_id,
dbwrap_name(smbXsrv_open_global_db_ctx)));
done:
talloc_free(frame);
return status;
}
