nsssrv_cmd.c revision e61587a5d620310c09f226f43c9bb3008481bbe3
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin/*
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin SSSD
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin NSS Responder
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin Copyright (C) Simo Sorce <ssorce@redhat.com> 2008
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin This program is free software; you can redistribute it and/or modify
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin it under the terms of the GNU General Public License as published by
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin the Free Software Foundation; either version 3 of the License, or
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin (at your option) any later version.
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin This program is distributed in the hope that it will be useful,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin but WITHOUT ANY WARRANTY; without even the implied warranty of
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin GNU General Public License for more details.
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin You should have received a copy of the GNU General Public License
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin along with this program. If not, see <http://www.gnu.org/licenses/>.
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin*/
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin#include "util/util.h"
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin#include "util/sss_nss.h"
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin#include "responder/nss/nsssrv.h"
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin#include "responder/nss/nsssrv_private.h"
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin#include "responder/nss/nsssrv_netgroup.h"
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin#include "responder/nss/nsssrv_services.h"
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin#include "responder/nss/nsssrv_mmap_cache.h"
a7818b8de55671a82b0863d27665713f265af7aeigalic#include "responder/common/negcache.h"
a7818b8de55671a82b0863d27665713f265af7aeigalic#include "confdb/confdb.h"
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin#include "db/sysdb.h"
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin#include <time.h>
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrinstatic int nss_cmd_send_error(struct nss_cmd_ctx *cmdctx, int err)
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin{
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin return sss_cmd_send_error(cmdctx->cctx, err);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin}
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrinstatic int nss_cmd_send_empty(struct nss_cmd_ctx *cmdctx)
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin{
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct cli_ctx *cctx = cmdctx->cctx;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin return sss_cmd_send_empty(cctx, cmdctx);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin}
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrinint nss_cmd_done(struct nss_cmd_ctx *cmdctx, int ret)
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin{
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin switch (ret) {
016241a6ee9c7b02ff94f30f90e705012ea08e41jsl case EOK:
016241a6ee9c7b02ff94f30f90e705012ea08e41jsl /* all fine, just return here */
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin break;
016241a6ee9c7b02ff94f30f90e705012ea08e41jsl
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin case ENOENT:
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin ret = nss_cmd_send_empty(cmdctx);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (ret) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin return EFAULT;
016241a6ee9c7b02ff94f30f90e705012ea08e41jsl }
016241a6ee9c7b02ff94f30f90e705012ea08e41jsl break;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin case EAGAIN:
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin /* async processing, just return here */
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin break;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin case EFAULT:
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin /* very bad error */
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin return EFAULT;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin default:
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin ret = nss_cmd_send_error(cmdctx, ret);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (ret) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin return EFAULT;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin sss_cmd_done(cmdctx->cctx, cmdctx);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin break;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin return EOK;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin}
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin/***************************
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin * Enumeration procedures *
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin ***************************/
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrinerrno_t nss_setent_add_ref(TALLOC_CTX *memctx,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct getent_ctx *getent_ctx,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct tevent_req *req)
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin{
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin return setent_add_ref(memctx, getent_ctx, &getent_ctx->reqs, req);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin}
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrinvoid nss_setent_notify_error(struct getent_ctx *getent_ctx, errno_t ret)
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin{
fa299b341c4a4ad05338ac60c23b0a0e5a3474e1chrisd return setent_notify(&getent_ctx->reqs, ret);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin}
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrinvoid nss_setent_notify_done(struct getent_ctx *getent_ctx)
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin{
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin return setent_notify_done(&getent_ctx->reqs);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin}
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrinstruct setent_ctx {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct cli_ctx *client;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct nss_ctx *nctx;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct nss_dom_ctx *dctx;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct getent_ctx *getent_ctx;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin};
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin/****************************************************************************
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin * PASSWD db related functions
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin ***************************************************************************/
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrinvoid nss_update_pw_memcache(struct nss_ctx *nctx)
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin{
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct sss_domain_info *dom;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct ldb_result *res;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin uint64_t exp;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct sized_string key;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin const char *id;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin time_t now;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin int ret;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin int i;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin now = time(NULL);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin for (dom = nctx->rctx->domains; dom != NULL; dom = dom->next) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin ret = sysdb_enumpwent(nctx, dom->sysdb, &res);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (ret != EOK) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin DEBUG(SSSDBG_CRIT_FAILURE,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin ("Failed to enumerate users for domain [%s]\n", dom->name));
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin continue;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin for (i = 0; i < res->count; i++) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin exp = ldb_msg_find_attr_as_uint64(res->msgs[i],
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin SYSDB_CACHE_EXPIRE, 0);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (exp >= now) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin continue;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin /* names require more manipulation (build up fqname conditionally),
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin * but uidNumber is unique and always resolvable too, so we use
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin * that to update the cache, as it points to the same entry */
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin id = ldb_msg_find_attr_as_string(res->msgs[i], SYSDB_UIDNUM, NULL);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (!id) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin DEBUG(SSSDBG_CRIT_FAILURE,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin ("Failed to find uidNumber in %s.\n",
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin ldb_dn_get_linearized(res->msgs[i]->dn)));
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin continue;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin to_sized_string(&key, id);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin ret = sss_mmap_cache_pw_invalidate(nctx->pwd_mc_ctx, &key);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (ret != EOK && ret != ENOENT) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin DEBUG(SSSDBG_CRIT_FAILURE,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin ("Internal failure in memory cache code: %d [%s]\n",
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin ret, strerror(ret)));
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
32d8ef43efe6077a8c34efb5c34bbaa5742ca2bfrbowen}
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrinstatic gid_t get_gid_override(struct ldb_message *msg,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct sss_domain_info *dom)
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin{
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin return dom->override_gid ?
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin dom->override_gid :
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin ldb_msg_find_attr_as_uint64(msg, SYSDB_GIDNUM, 0);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin}
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrinstatic const char *get_homedir_override(TALLOC_CTX *mem_ctx,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct ldb_message *msg,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct nss_ctx *nctx,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct sss_domain_info *dom,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin const char *name,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin uint32_t uid)
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin{
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin const char *homedir;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin /* Check whether we are unconditionally overriding the server
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin * for home directory locations.
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin */
016241a6ee9c7b02ff94f30f90e705012ea08e41jsl if (dom->override_homedir) {
016241a6ee9c7b02ff94f30f90e705012ea08e41jsl return expand_homedir_template(mem_ctx, dom->override_homedir,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin name, uid, dom->name);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin } else if (nctx->override_homedir) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin return expand_homedir_template(mem_ctx, nctx->override_homedir,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin name, uid, dom->name);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin homedir = ldb_msg_find_attr_as_string(msg, SYSDB_HOMEDIR, NULL);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (!homedir || *homedir == '\0') {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin /* In the case of a NULL or empty homedir, check to see if
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin * we have a fallback homedir to use.
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin */
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (dom->fallback_homedir) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin return expand_homedir_template(mem_ctx, dom->fallback_homedir,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin name, uid, dom->name);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin } else if (nctx->fallback_homedir) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin return expand_homedir_template(mem_ctx, nctx->fallback_homedir,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin name, uid, dom->name);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin /* Return the value we got from the provider */
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin return talloc_strdup(mem_ctx, homedir);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin}
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrinstatic const char *get_shell_override(TALLOC_CTX *mem_ctx,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct ldb_message *msg,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct nss_ctx *nctx,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct sss_domain_info *dom)
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin{
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin const char *user_shell;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin int i;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin /* Check whether we are unconditionally overriding the server
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin * for the login shell.
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin */
016241a6ee9c7b02ff94f30f90e705012ea08e41jsl if (dom->override_shell) {
016241a6ee9c7b02ff94f30f90e705012ea08e41jsl return dom->override_shell;
016241a6ee9c7b02ff94f30f90e705012ea08e41jsl } else if (nctx->override_shell) {
016241a6ee9c7b02ff94f30f90e705012ea08e41jsl return nctx->override_shell;
016241a6ee9c7b02ff94f30f90e705012ea08e41jsl }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin user_shell = ldb_msg_find_attr_as_string(msg, SYSDB_SHELL, NULL);
016241a6ee9c7b02ff94f30f90e705012ea08e41jsl if (!user_shell) {
016241a6ee9c7b02ff94f30f90e705012ea08e41jsl /* Check whether there is a default shell specified */
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (dom->default_shell) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin return talloc_strdup(mem_ctx, dom->default_shell);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin } else if (nctx->default_shell) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin return talloc_strdup(mem_ctx, nctx->default_shell);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin return NULL;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (!nctx->allowed_shells && !nctx->vetoed_shells) return talloc_strdup(mem_ctx, user_shell);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (nctx->vetoed_shells) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin for (i=0; nctx->vetoed_shells[i]; i++) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (strcmp(nctx->vetoed_shells[i], user_shell) == 0) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin DEBUG(5, ("The shell '%s' is vetoed. "
016241a6ee9c7b02ff94f30f90e705012ea08e41jsl "Using fallback\n", user_shell));
016241a6ee9c7b02ff94f30f90e705012ea08e41jsl return talloc_strdup(mem_ctx, nctx->shell_fallback);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (nctx->etc_shells) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin for (i=0; nctx->etc_shells[i]; i++) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (strcmp(user_shell, nctx->etc_shells[i]) == 0) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin DEBUG(9, ("Shell %s found in /etc/shells\n",
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin nctx->etc_shells[i]));
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin break;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (nctx->etc_shells[i]) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin DEBUG(9, ("Using original shell '%s'\n", user_shell));
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin return talloc_strdup(mem_ctx, user_shell);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (nctx->allowed_shells) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin for (i=0; nctx->allowed_shells[i]; i++) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (strcmp(nctx->allowed_shells[i], user_shell) == 0) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin DEBUG(5, ("The shell '%s' is allowed but does not exist. "
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin "Using fallback\n", user_shell));
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin return talloc_strdup(mem_ctx, nctx->shell_fallback);
08cf4a15275e4cb65a424b3a1db5410bfb51085cjim }
08cf4a15275e4cb65a424b3a1db5410bfb51085cjim }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin DEBUG(5, ("The shell '%s' is not allowed and does not exist.\n",
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin user_shell));
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin return talloc_strdup(mem_ctx, NOLOGIN_SHELL);
016241a6ee9c7b02ff94f30f90e705012ea08e41jsl}
32d8ef43efe6077a8c34efb5c34bbaa5742ca2bfrbowen
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrinstatic int fill_pwent(struct sss_packet *packet,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct sss_domain_info *dom,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct nss_ctx *nctx,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin bool filter_users, bool pw_mmap_cache,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct ldb_message **msgs,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin int *count)
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin{
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct ldb_message *msg;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin uint8_t *body;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin const char *tmpstr;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin const char *orig_name;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct sized_string name;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct sized_string gecos;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct sized_string homedir;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct sized_string shell;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct sized_string pwfield;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct sized_string fullname;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin uint32_t uid;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin uint32_t gid;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin size_t rsize, rp, blen;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin size_t dom_len = 0;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin int delim = 1;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin int i, ret, num, t;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin bool add_domain = dom->fqnames;
016241a6ee9c7b02ff94f30f90e705012ea08e41jsl const char *domain = dom->name;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin const char *namefmt;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin bool packet_initialized = false;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin int ncret;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin TALLOC_CTX *tmp_ctx = NULL;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin namefmt = dom->names->fq_fmt;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (add_domain) dom_len = strlen(domain);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin to_sized_string(&pwfield, nctx->pwfield);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin rp = 2*sizeof(uint32_t);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin num = 0;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin for (i = 0; i < *count; i++) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin talloc_zfree(tmp_ctx);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin tmp_ctx = talloc_new(NULL);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin msg = msgs[i];
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin orig_name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin uid = ldb_msg_find_attr_as_uint64(msg, SYSDB_UIDNUM, 0);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin gid = get_gid_override(msg, dom);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (!orig_name || !uid || !gid) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin DEBUG(SSSDBG_OP_FAILURE, ("Incomplete user object for %s[%llu]! Skipping\n",
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin orig_name?orig_name:"<NULL>", (unsigned long long int)uid));
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin continue;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (filter_users) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin ncret = sss_ncache_check_user(nctx->ncache,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin nctx->neg_timeout,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin dom, orig_name);
016241a6ee9c7b02ff94f30f90e705012ea08e41jsl if (ncret == EEXIST) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin DEBUG(4, ("User [%s@%s] filtered out! (negative cache)\n",
016241a6ee9c7b02ff94f30f90e705012ea08e41jsl orig_name, domain));
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin continue;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
016241a6ee9c7b02ff94f30f90e705012ea08e41jsl }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (!packet_initialized) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin /* first 2 fields (len and reserved), filled up later */
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin ret = sss_packet_grow(packet, 2*sizeof(uint32_t));
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (ret != EOK) return ret;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin packet_initialized = true;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin tmpstr = sss_get_cased_name(tmp_ctx, orig_name, dom->case_sensitive);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (tmpstr == NULL) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin DEBUG(SSSDBG_CRIT_FAILURE,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin ("sss_get_cased_name failed, skipping\n"));
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin continue;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin to_sized_string(&name, tmpstr);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin tmpstr = ldb_msg_find_attr_as_string(msg, SYSDB_GECOS, NULL);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (!tmpstr) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin to_sized_string(&gecos, "");
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin } else {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin to_sized_string(&gecos, tmpstr);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin tmpstr = get_homedir_override(tmp_ctx, msg, nctx, dom, name.str, uid);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (!tmpstr) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin to_sized_string(&homedir, "/");
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin } else {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin to_sized_string(&homedir, tmpstr);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin tmpstr = get_shell_override(tmp_ctx, msg, nctx, dom);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (!tmpstr) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin to_sized_string(&shell, "");
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin } else {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin to_sized_string(&shell, tmpstr);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin rsize = 2 * sizeof(uint32_t) + name.len + gecos.len +
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin homedir.len + shell.len + pwfield.len;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (add_domain) rsize += delim + dom_len;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin ret = sss_packet_grow(packet, rsize);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (ret != EOK) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin num = 0;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin goto done;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin sss_packet_get_body(packet, &body, &blen);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin SAFEALIGN_SET_UINT32(&body[rp], uid, &rp);
32d8ef43efe6077a8c34efb5c34bbaa5742ca2bfrbowen SAFEALIGN_SET_UINT32(&body[rp], gid, &rp);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (add_domain) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin ret = snprintf((char *)&body[rp],
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin name.len + delim + dom_len,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin namefmt, name.str, domain);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (ret >= (name.len + delim + dom_len)) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin /* need more space, got creative with the print format ? */
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin t = ret - (name.len + delim + dom_len) + 1;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin ret = sss_packet_grow(packet, t);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (ret != EOK) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin num = 0;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin goto done;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin delim += t;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin sss_packet_get_body(packet, &body, &blen);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin /* retry */
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin ret = snprintf((char *)&body[rp],
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin name.len + delim + dom_len,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin namefmt, name.str, domain);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
32d8ef43efe6077a8c34efb5c34bbaa5742ca2bfrbowen if (ret != name.len + delim + dom_len - 1) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin DEBUG(1, ("Failed to generate a fully qualified name for user "
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin "[%s] in [%s]! Skipping user.\n", name.str, domain));
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin continue;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin } else {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin memcpy(&body[rp], name.str, name.len);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin to_sized_string(&fullname, (const char *)&body[rp]);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin rp += fullname.len;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin memcpy(&body[rp], pwfield.str, pwfield.len);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin rp += pwfield.len;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin memcpy(&body[rp], gecos.str, gecos.len);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin rp += gecos.len;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin memcpy(&body[rp], homedir.str, homedir.len);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin rp += homedir.len;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin memcpy(&body[rp], shell.str, shell.len);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin rp += shell.len;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
32d8ef43efe6077a8c34efb5c34bbaa5742ca2bfrbowen num++;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (pw_mmap_cache && nctx->pwd_mc_ctx) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin ret = sss_mmap_cache_pw_store(nctx->pwd_mc_ctx,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin &fullname, &pwfield,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin uid, gid,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin &gecos, &homedir, &shell);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (ret != EOK && ret != ENOMEM) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin DEBUG(1, ("Failed to store user %s(%s) in mmap cache!",
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin name.str, domain));
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin talloc_zfree(tmp_ctx);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrindone:
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin *count = i;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin /* if there are no results just return ENOENT,
32d8ef43efe6077a8c34efb5c34bbaa5742ca2bfrbowen * let the caller decide if this is the last packet or not */
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (!packet_initialized) return ENOENT;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin sss_packet_get_body(packet, &body, &blen);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin ((uint32_t *)body)[0] = num; /* num results */
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin ((uint32_t *)body)[1] = 0; /* reserved */
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin return EOK;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin}
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrinstatic int nss_cmd_getpw_send_reply(struct nss_dom_ctx *dctx, bool filter)
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin{
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct nss_cmd_ctx *cmdctx = dctx->cmdctx;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct cli_ctx *cctx = cmdctx->cctx;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct nss_ctx *nctx;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin int ret;
32d8ef43efe6077a8c34efb5c34bbaa5742ca2bfrbowen int i;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin ret = sss_packet_new(cctx->creq, 0,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin sss_packet_get_cmd(cctx->creq->in),
ff4eeb709e3f992376253f506c5d23361bc369ffnilgun &cctx->creq->out);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (ret != EOK) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin return EFAULT;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin i = dctx->res->count;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin ret = fill_pwent(cctx->creq->out,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin dctx->domain,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin nctx, filter, true,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin dctx->res->msgs, &i);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (ret) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin return ret;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin sss_packet_set_error(cctx->creq->out, EOK);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin sss_cmd_done(cctx, cmdctx);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin return EOK;
32d8ef43efe6077a8c34efb5c34bbaa5742ca2bfrbowen}
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrinstatic void nsssrv_dp_send_acct_req_done(struct tevent_req *req);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin/* FIXME: do not check res->count, but get in a msgs and check in parent */
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin/* FIXME: do not sss_cmd_done, but return error and let parent do it */
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrinerrno_t check_cache(struct nss_dom_ctx *dctx,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct nss_ctx *nctx,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct ldb_result *res,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin int req_type,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin const char *opt_name,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin uint32_t opt_id,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin sss_dp_callback_t callback,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin void *pvt)
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin{
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin errno_t ret;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct nss_cmd_ctx *cmdctx = dctx->cmdctx;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct cli_ctx *cctx = cmdctx->cctx;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct tevent_req *req = NULL;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct dp_callback_ctx *cb_ctx = NULL;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin uint64_t cacheExpire = 0;
32d8ef43efe6077a8c34efb5c34bbaa5742ca2bfrbowen
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin /* when searching for a user or netgroup, more than one reply is a
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin * db error
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin */
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if ((req_type == SSS_DP_USER || req_type == SSS_DP_NETGR) &&
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin (res->count > 1)) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin DEBUG(1, ("getpwXXX call returned more than one result!"
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin " DB Corrupted?\n"));
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin ret = nss_cmd_send_error(cmdctx, ENOENT);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (ret != EOK) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin NSS_CMD_FATAL_ERROR_CODE(cctx, ENOENT);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin sss_cmd_done(cctx, cmdctx);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin return ENOENT;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin /* if we have any reply let's check cache validity */
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (res->count > 0) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (req_type == SSS_DP_INITGROUPS) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin cacheExpire = ldb_msg_find_attr_as_uint64(res->msgs[0],
016241a6ee9c7b02ff94f30f90e705012ea08e41jsl SYSDB_INITGR_EXPIRE, 1);
016241a6ee9c7b02ff94f30f90e705012ea08e41jsl }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (cacheExpire == 0) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin cacheExpire = ldb_msg_find_attr_as_uint64(res->msgs[0],
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin SYSDB_CACHE_EXPIRE, 0);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin /* if we have any reply let's check cache validity */
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin ret = sss_cmd_check_cache(res->msgs[0], nctx->cache_refresh_percent,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin cacheExpire);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (ret == EOK) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin DEBUG(SSSDBG_TRACE_FUNC, ("Cached entry is valid, returning..\n"));
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin return EOK;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin } else if (ret != EAGAIN && ret != ENOENT) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin DEBUG(SSSDBG_CRIT_FAILURE, ("Error checking cache: %d\n", ret));
32d8ef43efe6077a8c34efb5c34bbaa5742ca2bfrbowen goto error;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin } else {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin /* No replies */
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin ret = ENOENT;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin /* EAGAIN (off band) or ENOENT (cache miss) -> check cache */
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (ret == EAGAIN) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin /* No callback required
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin * This was an out-of-band update. We'll return EOK
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin * so the calling function can return the cached entry
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin * immediately.
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin */
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin DEBUG(SSSDBG_TRACE_FUNC,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin ("Performing midpoint cache update on [%s]\n", opt_name));
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin req = sss_dp_get_account_send(cctx, cctx->rctx, dctx->domain, true,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin req_type, opt_name, opt_id, NULL);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (!req) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin DEBUG(SSSDBG_CRIT_FAILURE,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin ("Out of memory sending out-of-band data provider "
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin "request\n"));
32d8ef43efe6077a8c34efb5c34bbaa5742ca2bfrbowen /* This is non-fatal, so we'll continue here */
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin } else {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin DEBUG(SSSDBG_TRACE_FUNC, ("Updating cache out-of-band\n"));
08cf4a15275e4cb65a424b3a1db5410bfb51085cjim }
08cf4a15275e4cb65a424b3a1db5410bfb51085cjim
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin /* We don't need to listen for a reply, so we will free the
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin * request here.
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin */
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin talloc_zfree(req);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin } else {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin /* This is a cache miss. Or the cache is expired.
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin * We need to get the updated user information before returning it.
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin */
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin /* dont loop forever :-) */
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin dctx->check_provider = false;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin /* keep around current data in case backend is offline */
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (res->count) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin dctx->res = talloc_steal(dctx, res);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
32d8ef43efe6077a8c34efb5c34bbaa5742ca2bfrbowen req = sss_dp_get_account_send(cctx, cctx->rctx, dctx->domain, true,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin req_type, opt_name, opt_id, NULL);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (!req) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin DEBUG(SSSDBG_CRIT_FAILURE,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin ("Out of memory sending data provider request\n"));
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin ret = ENOMEM;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin goto error;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin cb_ctx = talloc_zero(dctx, struct dp_callback_ctx);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if(!cb_ctx) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin talloc_zfree(req);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin ret = ENOMEM;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin goto error;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin cb_ctx->callback = callback;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin cb_ctx->ptr = pvt;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin cb_ctx->cctx = dctx->cmdctx->cctx;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin cb_ctx->mem_ctx = dctx;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin tevent_req_set_callback(req, nsssrv_dp_send_acct_req_done, cb_ctx);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin return EAGAIN;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin return EOK;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrinerror:
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin ret = nss_cmd_send_error(cmdctx, ret);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (ret != EOK) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin NSS_CMD_FATAL_ERROR_CODE(cctx, ret);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin sss_cmd_done(cctx, cmdctx);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin return EOK;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin}
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrinstatic void nsssrv_dp_send_acct_req_done(struct tevent_req *req)
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin{
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct dp_callback_ctx *cb_ctx =
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin tevent_req_callback_data(req, struct dp_callback_ctx);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin errno_t ret;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin dbus_uint16_t err_maj;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin dbus_uint32_t err_min;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin char *err_msg;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin ret = sss_dp_get_account_recv(cb_ctx->mem_ctx, req,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin &err_maj, &err_min,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin &err_msg);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin talloc_zfree(req);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (ret != EOK) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin NSS_CMD_FATAL_ERROR(cb_ctx->cctx);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
32d8ef43efe6077a8c34efb5c34bbaa5742ca2bfrbowen
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin cb_ctx->callback(err_maj, err_min, err_msg, cb_ctx->ptr);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin}
32d8ef43efe6077a8c34efb5c34bbaa5742ca2bfrbowen
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrinstatic void nss_cmd_getpwnam_dp_callback(uint16_t err_maj, uint32_t err_min,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin const char *err_msg, void *ptr);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin/* search for a user.
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin * Returns:
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin * ENOENT, if user is definitely not found
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin * EAGAIN, if user is beeing fetched from backend via async operations
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin * EOK, if found
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin * anything else on a fatal error
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin */
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrinstatic int nss_cmd_getpwnam_search(struct nss_dom_ctx *dctx)
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin{
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct nss_cmd_ctx *cmdctx = dctx->cmdctx;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct sss_domain_info *dom = dctx->domain;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct cli_ctx *cctx = cmdctx->cctx;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin char *name = NULL;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct sized_string delete_usrname;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct sysdb_ctx *sysdb;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin struct nss_ctx *nctx;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin int ret;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin while (dom) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin /* if it is a domainless search, skip domains that require fully
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin * qualified names instead */
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin while (dom && cmdctx->check_next && dom->fqnames) {
32d8ef43efe6077a8c34efb5c34bbaa5742ca2bfrbowen dom = dom->next;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (!dom) break;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (dom != dctx->domain) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin /* make sure we reset the check_provider flag when we check
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin * a new domain */
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin dctx->check_provider = NEED_CHECK_PROVIDER(dom->provider);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin /* make sure to update the dctx if we changed domain */
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin dctx->domain = dom;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin talloc_free(name);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin name = sss_get_cased_name(cmdctx, cmdctx->name, dom->case_sensitive);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (!name) return ENOMEM;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin /* verify this user has not yet been negatively cached,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin * or has been permanently filtered */
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin ret = sss_ncache_check_user(nctx->ncache, nctx->neg_timeout,
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin dom, name);
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin /* if neg cached, return we didn't find it */
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (ret == EEXIST) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin DEBUG(2, ("User [%s] does not exist in [%s]! (negative cache)\n",
32d8ef43efe6077a8c34efb5c34bbaa5742ca2bfrbowen name, dom->name));
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin /* if a multidomain search, try with next */
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin if (cmdctx->check_next) {
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin dom = dom->next;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin continue;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin /* There are no further domains or this was a
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin * fully-qualified user request.
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin */
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin return ENOENT;
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin }
50039065d571fe01fd458a3f031c995a1fd53c22rbowen
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin DEBUG(4, ("Requesting info for [%s@%s]\n", name, dom->name));
d9b843d090f14405079b4a61a493316cd3f1e5b9minfrin
sysdb = dom->sysdb;
if (sysdb == NULL) {
DEBUG(0, ("Fatal: Sysdb CTX not found for this domain!\n"));
return EIO;
}
/* if this is a subdomain we need to search for the fully qualified
* name in the database */
ret = sysdb_subdom_getpwnam(cmdctx, sysdb, name, &dctx->res);
if (ret != EOK) {
DEBUG(1, ("Failed to make request to our cache!\n"));
return EIO;
}
if (dctx->res->count > 1) {
DEBUG(0, ("getpwnam call returned more than one result !?!\n"));
return ENOENT;
}
if (dctx->res->count == 0 && !dctx->check_provider) {
/* set negative cache only if not result of cache check */
ret = sss_ncache_set_user(nctx->ncache, false, dom, name);
if (ret != EOK) {
return ret;
}
/* if a multidomain search, try with next */
if (cmdctx->check_next) {
dom = dom->next;
if (dom) continue;
}
DEBUG(2, ("No results for getpwnam call\n"));
/* User not found in ldb -> delete user from memory cache. */
to_sized_string(&delete_usrname, name);
ret = sss_mmap_cache_pw_invalidate(nctx->pwd_mc_ctx,
&delete_usrname);
if (ret != EOK && ret != ENOENT) {
DEBUG(SSSDBG_CRIT_FAILURE,
("Internal failure in memory cache code: %d [%s]\n",
ret, strerror(ret)));
}
return ENOENT;
}
/* if this is a caching provider (or if we haven't checked the cache
* yet) then verify that the cache is uptodate */
if (dctx->check_provider) {
ret = check_cache(dctx, nctx, dctx->res,
SSS_DP_USER, name, 0,
nss_cmd_getpwnam_dp_callback,
dctx);
if (ret != EOK) {
/* Anything but EOK means we should reenter the mainloop
* because we may be refreshing the cache
*/
return ret;
}
}
/* One result found */
DEBUG(6, ("Returning info for user [%s@%s]\n", name, dom->name));
return EOK;
}
DEBUG(SSSDBG_MINOR_FAILURE,
("No matching domain found for [%s], fail!\n", cmdctx->name));
return ENOENT;
}
static void nss_cmd_getpwnam_dp_callback(uint16_t err_maj, uint32_t err_min,
const char *err_msg, void *ptr)
{
struct nss_dom_ctx *dctx = talloc_get_type(ptr, struct nss_dom_ctx);
struct nss_cmd_ctx *cmdctx = dctx->cmdctx;
struct cli_ctx *cctx = cmdctx->cctx;
int ret;
if (err_maj) {
DEBUG(2, ("Unable to get information from Data Provider\n"
"Error: %u, %u, %s\n"
"Will try to return what we have in cache\n",
(unsigned int)err_maj, (unsigned int)err_min, err_msg));
if (dctx->res && dctx->res->count == 1) {
ret = nss_cmd_getpw_send_reply(dctx, false);
goto done;
}
/* no previous results, just loop to next domain if possible */
if (dctx->domain->next && cmdctx->check_next) {
dctx->domain = dctx->domain->next;
dctx->check_provider = NEED_CHECK_PROVIDER(dctx->domain->provider);
} else {
/* nothing available */
ret = ENOENT;
goto done;
}
}
/* ok the backend returned, search to see if we have updated results */
ret = nss_cmd_getpwnam_search(dctx);
if (ret == EOK) {
/* we have results to return */
ret = nss_cmd_getpw_send_reply(dctx, false);
}
done:
ret = nss_cmd_done(cmdctx, ret);
if (ret) {
NSS_CMD_FATAL_ERROR(cctx);
}
}
static void nss_cmd_getpwnam_cb(struct tevent_req *req);
static int nss_cmd_getpwnam(struct cli_ctx *cctx)
{
struct tevent_req *req;
struct nss_cmd_ctx *cmdctx;
struct nss_dom_ctx *dctx;
const char *rawname;
char *domname;
uint8_t *body;
size_t blen;
int ret;
cmdctx = talloc_zero(cctx, struct nss_cmd_ctx);
if (!cmdctx) {
return ENOMEM;
}
cmdctx->cctx = cctx;
dctx = talloc_zero(cmdctx, struct nss_dom_ctx);
if (!dctx) {
ret = ENOMEM;
goto done;
}
dctx->cmdctx = cmdctx;
/* get user name to query */
sss_packet_get_body(cctx->creq->in, &body, &blen);
/* if not terminated fail */
if (body[blen -1] != '\0') {
ret = EINVAL;
goto done;
}
/* If the body isn't valid UTF-8, fail */
if (!sss_utf8_check(body, blen -1)) {
ret = EINVAL;
goto done;
}
rawname = (const char *)body;
domname = NULL;
ret = sss_parse_name_for_domains(cmdctx, cctx->rctx->domains,
cctx->rctx->default_domain, rawname,
&domname, &cmdctx->name);
if (ret == EAGAIN) {
req = sss_dp_get_domains_send(cctx->rctx, cctx->rctx, true, domname);
if (req == NULL) {
ret = ENOMEM;
} else {
dctx->rawname = rawname;
tevent_req_set_callback(req, nss_cmd_getpwnam_cb, dctx);
ret = EAGAIN;
}
goto done;
} if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, ("Invalid name received [%s]\n", rawname));
ret = ENOENT;
goto done;
}
DEBUG(4, ("Requesting info for [%s] from [%s]\n",
cmdctx->name, domname?domname:"<ALL>"));
if (domname) {
dctx->domain = responder_get_domain(dctx, cctx->rctx, domname);
if (!dctx->domain) {
ret = ENOENT;
goto done;
}
} else {
/* this is a multidomain search */
dctx->rawname = rawname;
dctx->domain = cctx->rctx->domains;
cmdctx->check_next = true;
if (cctx->rctx->get_domains_last_call.tv_sec == 0) {
req = sss_dp_get_domains_send(cctx->rctx, cctx->rctx, false, NULL);
if (req == NULL) {
ret = ENOMEM;
} else {
tevent_req_set_callback(req, nss_cmd_getpwnam_cb, dctx);
ret = EAGAIN;
}
goto done;
}
}
dctx->check_provider = NEED_CHECK_PROVIDER(dctx->domain->provider);
/* ok, find it ! */
ret = nss_cmd_getpwnam_search(dctx);
if (ret == EOK) {
/* we have results to return */
ret = nss_cmd_getpw_send_reply(dctx, false);
}
done:
return nss_cmd_done(cmdctx, ret);
}
static void nss_cmd_getpwnam_cb(struct tevent_req *req)
{
struct nss_dom_ctx *dctx = tevent_req_callback_data(req, struct nss_dom_ctx);
struct nss_cmd_ctx *cmdctx = dctx->cmdctx;
struct cli_ctx *cctx = cmdctx->cctx;
char *domname = NULL;
const char *rawname = dctx->rawname;
errno_t ret;
ret = sss_dp_get_domains_recv(req);
talloc_free(req);
if (ret != EOK) {
goto done;
}
ret = sss_parse_name_for_domains(cmdctx, cctx->rctx->domains,
cctx->rctx->default_domain, rawname,
&domname, &cmdctx->name);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, ("Invalid name received [%s]\n", rawname));
ret = ENOENT;
goto done;
}
DEBUG(SSSDBG_TRACE_FUNC, ("Requesting info for [%s] from [%s]\n",
cmdctx->name, domname?domname:"<ALL>"));
if (domname) {
dctx->domain = responder_get_domain(dctx, cctx->rctx, domname);
if (dctx->domain == NULL) {
ret = ENOENT;
goto done;
}
} else {
/* this is a multidomain search */
dctx->domain = cctx->rctx->domains;
cmdctx->check_next = true;
}
dctx->check_provider = NEED_CHECK_PROVIDER(dctx->domain->provider);
/* ok, find it ! */
ret = nss_cmd_getpwnam_search(dctx);
if (ret == EOK) {
/* we have results to return */
ret = nss_cmd_getpw_send_reply(dctx, false);
}
done:
nss_cmd_done(cmdctx, ret);
}
static void nss_cmd_getpwuid_dp_callback(uint16_t err_maj, uint32_t err_min,
const char *err_msg, void *ptr);
/* search for a uid.
* Returns:
* ENOENT, if uid is definitely not found
* EAGAIN, if uid is beeing fetched from backend via async operations
* EOK, if found
* anything else on a fatal error
*/
struct sss_domain_info *get_next_dom_or_subdom(struct sss_domain_info *dom)
{
/* Note that we don't know if the dom is a domain or a subdomain,
* therefore:
*
* If it is a subdomain and it doesn't have any siblings (subdomains
* of the same primary domain), return next primary domain
*/
if (dom->next == NULL && dom->parent != NULL) {
return dom->parent->next;
}
/* If it's primary domain, the next returned should be its first
* subdomain */
if (dom->subdomains != NULL) {
return dom->subdomains[0];
}
/* Any other scenario */
return dom->next;
}
static int nss_cmd_getpwuid_search(struct nss_dom_ctx *dctx)
{
struct nss_cmd_ctx *cmdctx = dctx->cmdctx;
struct sss_domain_info *dom = dctx->domain;
struct cli_ctx *cctx = cmdctx->cctx;
struct sysdb_ctx *sysdb;
struct nss_ctx *nctx;
int ret;
nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx);
while (dom) {
/* check that the uid is valid for this domain */
if ((dom->id_min && (cmdctx->id < dom->id_min)) ||
(dom->id_max && (cmdctx->id > dom->id_max))) {
DEBUG(4, ("Uid [%lu] does not exist in domain [%s]! "
"(id out of range)\n",
(unsigned long)cmdctx->id, dom->name));
if (cmdctx->check_next) {
dom = get_next_dom_or_subdom(dom);
continue;
}
return ENOENT;
}
if (dom != dctx->domain) {
/* make sure we reset the check_provider flag when we check
* a new domain */
dctx->check_provider = NEED_CHECK_PROVIDER(dom->provider);
}
/* make sure to update the dctx if we changed domain */
dctx->domain = dom;
DEBUG(4, ("Requesting info for [%d@%s]\n", cmdctx->id, dom->name));
sysdb = dom->sysdb;
if (sysdb == NULL) {
DEBUG(0, ("Fatal: Sysdb CTX not found for this domain!\n"));
return EIO;
}
ret = sysdb_getpwuid(cmdctx, sysdb, cmdctx->id, &dctx->res);
if (ret != EOK) {
DEBUG(1, ("Failed to make request to our cache!\n"));
return EIO;
}
if (dctx->res->count > 1) {
DEBUG(0, ("getpwuid call returned more than one result !?!\n"));
return ENOENT;
}
if (dctx->res->count == 0 && !dctx->check_provider) {
/* if a multidomain search, try with next */
if (cmdctx->check_next) {
dom = get_next_dom_or_subdom(dom);
continue;
}
DEBUG(2, ("No results for getpwuid call\n"));
/* set negative cache only if not result of cache check */
ret = sss_ncache_set_uid(nctx->ncache, false, cmdctx->id);
if (ret != EOK) {
return ret;
}
return ENOENT;
}
/* if this is a caching provider (or if we haven't checked the cache
* yet) then verify that the cache is uptodate */
if (dctx->check_provider) {
ret = check_cache(dctx, nctx, dctx->res,
SSS_DP_USER, NULL, cmdctx->id,
nss_cmd_getpwuid_dp_callback,
dctx);
if (ret != EOK) {
/* Anything but EOK means we should reenter the mainloop
* because we may be refreshing the cache
*/
return ret;
}
}
/* One result found */
DEBUG(6, ("Returning info for uid [%d@%s]\n", cmdctx->id, dom->name));
return EOK;
}
DEBUG(2, ("No matching domain found for [%d], fail!\n", cmdctx->id));
return ENOENT;
}
static void nss_cmd_getpwuid_dp_callback(uint16_t err_maj, uint32_t err_min,
const char *err_msg, void *ptr)
{
struct nss_dom_ctx *dctx = talloc_get_type(ptr, struct nss_dom_ctx);
struct nss_cmd_ctx *cmdctx = dctx->cmdctx;
struct cli_ctx *cctx = cmdctx->cctx;
int ret;
if (err_maj) {
DEBUG(2, ("Unable to get information from Data Provider\n"
"Error: %u, %u, %s\n"
"Will try to return what we have in cache\n",
(unsigned int)err_maj, (unsigned int)err_min, err_msg));
if (dctx->res && dctx->res->count == 1) {
ret = nss_cmd_getpw_send_reply(dctx, true);
goto done;
}
/* no previous results, just loop to next domain if possible */
if (dctx->domain->next && cmdctx->check_next) {
dctx->domain = dctx->domain->next;
dctx->check_provider = NEED_CHECK_PROVIDER(dctx->domain->provider);
} else {
/* nothing available */
ret = ENOENT;
goto done;
}
}
/* ok the backend returned, search to see if we have updated results */
ret = nss_cmd_getpwuid_search(dctx);
if (ret == EOK) {
/* we have results to return */
ret = nss_cmd_getpw_send_reply(dctx, true);
}
done:
ret = nss_cmd_done(cmdctx, ret);
if (ret) {
NSS_CMD_FATAL_ERROR(cctx);
}
}
static void nss_cmd_getpwuid_cb(struct tevent_req *req);
static int nss_cmd_getpwuid(struct cli_ctx *cctx)
{
struct nss_cmd_ctx *cmdctx;
struct nss_dom_ctx *dctx;
struct nss_ctx *nctx;
uint8_t *body;
size_t blen;
int ret;
struct tevent_req *req;
nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx);
cmdctx = talloc_zero(cctx, struct nss_cmd_ctx);
if (!cmdctx) {
return ENOMEM;
}
cmdctx->cctx = cctx;
dctx = talloc_zero(cmdctx, struct nss_dom_ctx);
if (!dctx) {
ret = ENOMEM;
goto done;
}
dctx->cmdctx = cmdctx;
/* get uid to query */
sss_packet_get_body(cctx->creq->in, &body, &blen);
if (blen != sizeof(uint32_t)) {
ret = EINVAL;
goto done;
}
cmdctx->id = *((uint32_t *)body);
ret = sss_ncache_check_uid(nctx->ncache, nctx->neg_timeout, cmdctx->id);
if (ret == EEXIST) {
DEBUG(3, ("Uid [%lu] does not exist! (negative cache)\n",
(unsigned long)cmdctx->id));
ret = ENOENT;
goto done;
}
/* uid searches are always multidomain */
dctx->domain = cctx->rctx->domains;
cmdctx->check_next = true;
dctx->check_provider = NEED_CHECK_PROVIDER(dctx->domain->provider);
if (cctx->rctx->get_domains_last_call.tv_sec == 0) {
req = sss_dp_get_domains_send(cctx->rctx, cctx->rctx, false, NULL);
if (req == NULL) {
ret = ENOMEM;
} else {
tevent_req_set_callback(req, nss_cmd_getpwuid_cb, dctx);
ret = EAGAIN;
}
goto done;
}
/* ok, find it ! */
ret = nss_cmd_getpwuid_search(dctx);
if (ret == EOK) {
/* we have results to return */
ret = nss_cmd_getpw_send_reply(dctx, true);
}
done:
return nss_cmd_done(cmdctx, ret);
}
static void nss_cmd_getpwuid_cb(struct tevent_req *req)
{
struct nss_dom_ctx *dctx = tevent_req_callback_data(req, struct nss_dom_ctx);
struct nss_cmd_ctx *cmdctx = dctx->cmdctx;
errno_t ret;
ret = sss_dp_get_domains_recv(req);
talloc_free(req);
if (ret != EOK) {
goto done;
}
/* ok, find it ! */
ret = nss_cmd_getpwuid_search(dctx);
if (ret == EOK) {
/* we have results to return */
ret = nss_cmd_getpw_send_reply(dctx, true);
}
done:
nss_cmd_done(cmdctx, ret);
}
/* to keep it simple at this stage we are retrieving the
* full enumeration again for each request for each process
* and we also block on setpwent() for the full time needed
* to retrieve the data. And endpwent() frees all the data.
* Next steps are:
* - use an nsssrv wide cache with data already structured
* so that it can be immediately returned (see nscd way)
* - use mutexes so that setpwent() can return immediately
* even if the data is still being fetched
* - make getpwent() wait on the mutex
*
* Alternatively:
* - use a smarter search mechanism that keeps track of the
* last user searched and return the next X users doing
* an alphabetic sort and starting from the user following
* the last returned user.
*/
static int nss_cmd_getpwent_immediate(struct nss_cmd_ctx *cmdctx);
struct tevent_req * nss_cmd_setpwent_send(TALLOC_CTX *mem_ctx,
struct cli_ctx *client);
static void nss_cmd_setpwent_done(struct tevent_req *req);
static int nss_cmd_setpwent(struct cli_ctx *cctx)
{
struct nss_cmd_ctx *cmdctx;
struct tevent_req *req;
errno_t ret = EOK;
cmdctx = talloc_zero(cctx, struct nss_cmd_ctx);
if (!cmdctx) {
return ENOMEM;
}
cmdctx->cctx = cctx;
req = nss_cmd_setpwent_send(cmdctx, cctx);
if (!req) {
DEBUG(0, ("Fatal error calling nss_cmd_setpwent_send\n"));
ret = EIO;
goto done;
}
tevent_req_set_callback(req, nss_cmd_setpwent_done, cmdctx);
done:
return nss_cmd_done(cmdctx, ret);
}
static errno_t nss_cmd_setpwent_step(struct setent_step_ctx *step_ctx);
struct tevent_req *nss_cmd_setpwent_send(TALLOC_CTX *mem_ctx,
struct cli_ctx *client)
{
errno_t ret;
struct nss_ctx *nctx;
struct tevent_req *req;
struct setent_ctx *state;
struct sss_domain_info *dom;
struct setent_step_ctx *step_ctx;
DEBUG(4, ("Received setpwent request\n"));
nctx = talloc_get_type(client->rctx->pvt_ctx, struct nss_ctx);
/* Reset the read pointers */
client->pwent_dom_idx = 0;
client->pwent_cur = 0;
req = tevent_req_create(mem_ctx, &state, struct setent_ctx);
if (!req) {
DEBUG(0, ("Could not create tevent request for setpwent\n"));
return NULL;
}
state->nctx = nctx;
state->client = client;
state->dctx = talloc_zero(state, struct nss_dom_ctx);
if (!state->dctx) {
ret = ENOMEM;
goto error;
}
/* check if enumeration is enabled in any domain */
for (dom = client->rctx->domains; dom; dom = dom->next) {
if (dom->enumerate != 0) break;
}
state->dctx->domain = dom;
if (state->dctx->domain == NULL) {
DEBUG(2, ("Enumeration disabled on all domains!\n"));
ret = ENOENT;
goto error;
}
state->dctx->check_provider =
NEED_CHECK_PROVIDER(state->dctx->domain->provider);
/* Is the result context already available */
if (state->nctx->pctx) {
if (state->nctx->pctx->ready) {
/* All of the necessary data is in place
* We can return now, getpwent requests will work at this point
*/
tevent_req_done(req);
tevent_req_post(req, state->nctx->rctx->ev);
}
else {
/* Object is still being constructed
* Register for notification when it's
* ready.
*/
ret = nss_setent_add_ref(state, state->nctx->pctx, req);
if (ret != EOK) {
talloc_free(req);
return NULL;
}
}
return req;
}
/* Create a new result context
* We are creating it on the nss_ctx so that it doesn't
* go away if the original request does. We will delete
* it when the refcount goes to zero;
*/
state->nctx->pctx = talloc_zero(nctx, struct getent_ctx);
if (!state->nctx->pctx) {
ret = ENOMEM;
goto error;
}
state->getent_ctx = nctx->pctx;
/* Add a callback reference for ourselves */
ret = nss_setent_add_ref(state, state->nctx->pctx, req);
if (ret) goto error;
/* ok, start the searches */
step_ctx = talloc_zero(state->getent_ctx, struct setent_step_ctx);
if (!step_ctx) {
ret = ENOMEM;
goto error;
}
/* Steal the dom_ctx onto the step_ctx so it doesn't go out of scope if
* this request is canceled while other requests are in-progress.
*/
step_ctx->dctx = talloc_steal(step_ctx, state->dctx);
step_ctx->nctx = state->nctx;
step_ctx->getent_ctx = state->getent_ctx;
step_ctx->rctx = client->rctx;
step_ctx->cctx = client;
step_ctx->returned_to_mainloop = false;
ret = nss_cmd_setpwent_step(step_ctx);
if (ret != EOK && ret != EAGAIN) goto error;
if (ret == EOK) {
tevent_req_post(req, client->rctx->ev);
}
return req;
error:
tevent_req_error(req, ret);
tevent_req_post(req, client->rctx->ev);
return req;
}
static void nss_cmd_setpwent_dp_callback(uint16_t err_maj, uint32_t err_min,
const char *err_msg, void *ptr);
static void setpwent_result_timeout(struct tevent_context *ev,
struct tevent_timer *te,
struct timeval current_time,
void *pvt);
/* nss_cmd_setpwent_step returns
* EOK if everything is done and the request needs to be posted explicitly
* EAGAIN if the caller can safely return to the main loop
*/
static errno_t nss_cmd_setpwent_step(struct setent_step_ctx *step_ctx)
{
errno_t ret;
struct sss_domain_info *dom = step_ctx->dctx->domain;
struct resp_ctx *rctx = step_ctx->rctx;
struct nss_dom_ctx *dctx = step_ctx->dctx;
struct getent_ctx *pctx = step_ctx->getent_ctx;
struct nss_ctx *nctx = step_ctx->nctx;
struct sysdb_ctx *sysdb;
struct ldb_result *res;
struct timeval tv;
struct tevent_timer *te;
struct tevent_req *dpreq;
struct dp_callback_ctx *cb_ctx;
while (dom) {
while (dom && dom->enumerate == 0) {
dom = dom->next;
}
if (!dom) break;
if (dom != dctx->domain) {
/* make sure we reset the check_provider flag when we check
* a new domain */
dctx->check_provider = NEED_CHECK_PROVIDER(dom->provider);
}
/* make sure to update the dctx if we changed domain */
dctx->domain = dom;
DEBUG(6, ("Requesting info for domain [%s]\n", dom->name));
sysdb = dom->sysdb;
if (sysdb == NULL) {
DEBUG(0, ("Fatal: Sysdb CTX not found for this domain!\n"));
return EIO;
}
/* if this is a caching provider (or if we haven't checked the cache
* yet) then verify that the cache is uptodate */
if (dctx->check_provider) {
step_ctx->returned_to_mainloop = true;
/* Only do this once per provider */
dctx->check_provider = false;
dpreq = sss_dp_get_account_send(step_ctx, rctx, dctx->domain, true,
SSS_DP_USER, NULL, 0, NULL);
if (!dpreq) {
DEBUG(SSSDBG_MINOR_FAILURE,
("Enum Cache refresh for domain [%s] failed."
" Trying to return what we have in cache!\n",
dom->name));
} else {
cb_ctx = talloc_zero(step_ctx, struct dp_callback_ctx);
if(!cb_ctx) {
talloc_zfree(dpreq);
return ENOMEM;
}
cb_ctx->callback = nss_cmd_setpwent_dp_callback;
cb_ctx->ptr = step_ctx;
cb_ctx->cctx = step_ctx->cctx;
cb_ctx->mem_ctx = step_ctx;
tevent_req_set_callback(dpreq, nsssrv_dp_send_acct_req_done, cb_ctx);
return EAGAIN;
}
}
ret = sysdb_enumpwent(dctx, sysdb, &res);
if (ret != EOK) {
DEBUG(1, ("Enum from cache failed, skipping domain [%s]\n",
dom->name));
dom = dom->next;
continue;
}
if (res->count == 0) {
DEBUG(4, ("Domain [%s] has no users, skipping.\n", dom->name));
dom = dom->next;
continue;
}
nctx->pctx->doms = talloc_realloc(pctx, pctx->doms,
struct dom_ctx, pctx->num +1);
if (!pctx->doms) {
talloc_free(pctx);
nctx->pctx = NULL;
return ENOMEM;
}
nctx->pctx->doms[pctx->num].domain = dctx->domain;
nctx->pctx->doms[pctx->num].res = talloc_steal(pctx->doms, res);
nctx->pctx->num++;
/* do not reply until all domain searches are done */
dom = dom->next;
}
/* We've finished all our lookups
* The result object is now safe to read.
*/
nctx->pctx->ready = true;
/* Set up a lifetime timer for this result object
* We don't want this result object to outlive the
* enum cache refresh timeout
*/
tv = tevent_timeval_current_ofs(nctx->enum_cache_timeout, 0);
te = tevent_add_timer(rctx->ev, nctx->pctx, tv,
setpwent_result_timeout, nctx);
if (!te) {
DEBUG(0, ("Could not set up life timer for setpwent result object. "
"Entries may become stale.\n"));
}
/* Notify the waiting clients */
nss_setent_notify_done(nctx->pctx);
if (step_ctx->returned_to_mainloop) {
return EAGAIN;
} else {
return EOK;
}
}
static void setpwent_result_timeout(struct tevent_context *ev,
struct tevent_timer *te,
struct timeval current_time,
void *pvt)
{
struct nss_ctx *nctx = talloc_get_type(pvt, struct nss_ctx);
DEBUG(1, ("setpwent result object has expired. Cleaning up.\n"));
/* Free the passwd enumeration context.
* If additional getpwent requests come in, they will invoke
* an implicit setpwent and refresh the result object.
*/
talloc_zfree(nctx->pctx);
}
static void nss_cmd_setpwent_dp_callback(uint16_t err_maj, uint32_t err_min,
const char *err_msg, void *ptr)
{
struct setent_step_ctx *step_ctx =
talloc_get_type(ptr, struct setent_step_ctx);
int ret;
if (err_maj) {
DEBUG(2, ("Unable to get information from Data Provider\n"
"Error: %u, %u, %s\n"
"Will try to return what we have in cache\n",
(unsigned int)err_maj, (unsigned int)err_min, err_msg));
}
ret = nss_cmd_setpwent_step(step_ctx);
if (ret != EOK && ret != EAGAIN) {
/* Notify any waiting processes of failure */
nss_setent_notify_error(step_ctx->nctx->pctx, ret);
}
}
static errno_t nss_cmd_setpwent_recv(struct tevent_req *req)
{
TEVENT_REQ_RETURN_ON_ERROR(req);
return EOK;
}
static void nss_cmd_setpwent_done(struct tevent_req *req)
{
errno_t ret;
struct nss_cmd_ctx *cmdctx =
tevent_req_callback_data(req, struct nss_cmd_ctx);
ret = nss_cmd_setpwent_recv(req);
talloc_zfree(req);
if (ret == EOK || ret == ENOENT) {
/* Either we succeeded or no domains were eligible */
ret = sss_packet_new(cmdctx->cctx->creq, 0,
sss_packet_get_cmd(cmdctx->cctx->creq->in),
&cmdctx->cctx->creq->out);
if (ret == EOK) {
sss_cmd_done(cmdctx->cctx, cmdctx);
return;
}
}
/* Something bad happened */
nss_cmd_done(cmdctx, ret);
}
static void nss_cmd_implicit_setpwent_done(struct tevent_req *req);
static int nss_cmd_getpwent(struct cli_ctx *cctx)
{
struct nss_ctx *nctx;
struct nss_cmd_ctx *cmdctx;
struct tevent_req *req;
DEBUG(4, ("Requesting info for all accounts\n"));
cmdctx = talloc_zero(cctx, struct nss_cmd_ctx);
if (!cmdctx) {
return ENOMEM;
}
cmdctx->cctx = cctx;
/* Save the current index and cursor locations
* If we end up calling setpwent implicitly, because the response object
* expired and has to be recreated, we want to resume from the same
* location.
*/
cmdctx->saved_dom_idx = cctx->pwent_dom_idx;
cmdctx->saved_cur = cctx->pwent_cur;
nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx);
if(!nctx->pctx || !nctx->pctx->ready) {
/* Make sure we invoke setpwent if it hasn't been run or is still
* processing from another client
*/
req = nss_cmd_setpwent_send(cctx, cctx);
if (!req) {
return EIO;
}
tevent_req_set_callback(req, nss_cmd_implicit_setpwent_done, cmdctx);
return EOK;
}
return nss_cmd_getpwent_immediate(cmdctx);
}
static int nss_cmd_retpwent(struct cli_ctx *cctx, int num);
static int nss_cmd_getpwent_immediate(struct nss_cmd_ctx *cmdctx)
{
struct cli_ctx *cctx = cmdctx->cctx;
uint8_t *body;
size_t blen;
uint32_t num;
int ret;
/* get max num of entries to return in one call */
sss_packet_get_body(cctx->creq->in, &body, &blen);
if (blen != sizeof(uint32_t)) {
return EINVAL;
}
num = *((uint32_t *)body);
/* create response packet */
ret = sss_packet_new(cctx->creq, 0,
sss_packet_get_cmd(cctx->creq->in),
&cctx->creq->out);
if (ret != EOK) {
return ret;
}
ret = nss_cmd_retpwent(cctx, num);
sss_packet_set_error(cctx->creq->out, ret);
sss_cmd_done(cctx, cmdctx);
return EOK;
}
static int nss_cmd_retpwent(struct cli_ctx *cctx, int num)
{
struct nss_ctx *nctx;
struct getent_ctx *pctx;
struct ldb_message **msgs = NULL;
struct dom_ctx *pdom = NULL;
int n = 0;
int ret = ENOENT;
nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx);
if (!nctx->pctx) goto none;
pctx = nctx->pctx;
while (ret == ENOENT) {
if (cctx->pwent_dom_idx >= pctx->num) break;
pdom = &pctx->doms[cctx->pwent_dom_idx];
n = pdom->res->count - cctx->pwent_cur;
if (n <= 0 && (cctx->pwent_dom_idx+1 < pctx->num)) {
cctx->pwent_dom_idx++;
pdom = &pctx->doms[cctx->pwent_dom_idx];
n = pdom->res->count;
cctx->pwent_cur = 0;
}
if (!n) break;
if (n < 0) {
DEBUG(SSSDBG_CRIT_FAILURE, ("BUG: Negative difference"
"[%d - %d = %d]\n", pdom->res->count, cctx->pwent_cur, n));
DEBUG(SSSDBG_CRIT_FAILURE, ("Domain: %d (total %d)\n",
cctx->pwent_dom_idx, pctx->num));
break;
}
if (n > num) n = num;
msgs = &(pdom->res->msgs[cctx->pwent_cur]);
ret = fill_pwent(cctx->creq->out, pdom->domain, nctx,
true, false, msgs, &n);
cctx->pwent_cur += n;
}
none:
if (ret == ENOENT) {
ret = sss_cmd_empty_packet(cctx->creq->out);
}
return ret;
}
static void nss_cmd_implicit_setpwent_done(struct tevent_req *req)
{
errno_t ret;
struct nss_cmd_ctx *cmdctx =
tevent_req_callback_data(req, struct nss_cmd_ctx);
ret = nss_cmd_setpwent_recv(req);
talloc_zfree(req);
/* ENOENT is acceptable, as it just means that there were no entries
* to be returned. This will be handled gracefully in nss_cmd_retpwent
* later.
*/
if (ret != EOK && ret != ENOENT) {
DEBUG(0, ("Implicit setpwent failed with unexpected error [%d][%s]\n",
ret, strerror(ret)));
NSS_CMD_FATAL_ERROR(cmdctx);
}
/* Restore the saved index and cursor locations */
cmdctx->cctx->pwent_dom_idx = cmdctx->saved_dom_idx;
cmdctx->cctx->pwent_cur = cmdctx->saved_cur;
ret = nss_cmd_getpwent_immediate(cmdctx);
if (ret != EOK) {
DEBUG(0, ("Immediate retrieval failed with unexpected error "
"[%d][%s]\n", ret, strerror(ret)));
NSS_CMD_FATAL_ERROR(cmdctx);
}
}
static int nss_cmd_endpwent(struct cli_ctx *cctx)
{
struct nss_ctx *nctx;
int ret;
DEBUG(4, ("Terminating request info for all accounts\n"));
nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx);
/* create response packet */
ret = sss_packet_new(cctx->creq, 0,
sss_packet_get_cmd(cctx->creq->in),
&cctx->creq->out);
if (ret != EOK) {
return ret;
}
if (nctx->pctx == NULL) goto done;
/* Reset the indices so that subsequent requests start at zero */
cctx->pwent_dom_idx = 0;
cctx->pwent_cur = 0;
done:
sss_cmd_done(cctx, NULL);
return EOK;
}
/****************************************************************************
* GROUP db related functions
***************************************************************************/
void nss_update_gr_memcache(struct nss_ctx *nctx)
{
struct sss_domain_info *dom;
struct ldb_result *res;
uint64_t exp;
struct sized_string key;
const char *id;
time_t now;
int ret;
int i;
now = time(NULL);
for (dom = nctx->rctx->domains; dom != NULL; dom = dom->next) {
ret = sysdb_enumgrent(nctx, dom->sysdb, &res);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
("Failed to enumerate users for domain [%s]\n", dom->name));
continue;
}
for (i = 0; i < res->count; i++) {
exp = ldb_msg_find_attr_as_uint64(res->msgs[i],
SYSDB_CACHE_EXPIRE, 0);
if (exp >= now) {
continue;
}
/* names require more manipulation (build up fqname conditionally),
* but uidNumber is unique and always resolvable too, so we use
* that to update the cache, as it points to the same entry */
id = ldb_msg_find_attr_as_string(res->msgs[i], SYSDB_GIDNUM, NULL);
if (!id) {
DEBUG(SSSDBG_CRIT_FAILURE,
("Failed to find gidNumber in %s.\n",
ldb_dn_get_linearized(res->msgs[i]->dn)));
continue;
}
to_sized_string(&key, id);
ret = sss_mmap_cache_gr_invalidate(nctx->grp_mc_ctx, &key);
if (ret != EOK && ret != ENOENT) {
DEBUG(SSSDBG_CRIT_FAILURE,
("Internal failure in memory cache code: %d [%s]\n",
ret, strerror(ret)));
}
}
}
}
#define GID_ROFFSET 0
#define MNUM_ROFFSET sizeof(uint32_t)
#define STRS_ROFFSET 2*sizeof(uint32_t)
static int fill_members(struct sss_packet *packet,
struct sss_domain_info *dom,
struct nss_ctx *nctx,
struct ldb_message_element *el,
size_t *_rzero,
size_t *_rsize,
int *_memnum)
{
int i, ret = EOK;
int memnum = *_memnum;
size_t rzero= *_rzero;
size_t rsize = *_rsize;
char *tmpstr;
struct sized_string name;
const char *namefmt = dom->names->fq_fmt;
TALLOC_CTX *tmp_ctx = NULL;
size_t delim;
size_t dom_len;
uint8_t *body;
size_t blen;
const char *domain = dom->name;
bool add_domain = dom->fqnames;
if (add_domain) {
delim = 1;
dom_len = strlen(domain);
} else {
delim = 0;
dom_len = 0;
}
tmp_ctx = talloc_new(NULL);
if (tmp_ctx == NULL) {
return ENOMEM;
}
sss_packet_get_body(packet, &body, &blen);
for (i = 0; i < el->num_values; i++) {
tmpstr = sss_get_cased_name(tmp_ctx, (char *)el->values[i].data,
dom->case_sensitive);
if (tmpstr == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE,
("sss_get_cased_name failed, skipping\n"));
continue;
}
if (nctx->filter_users_in_groups) {
ret = sss_ncache_check_user(nctx->ncache,
nctx->neg_timeout,
dom, tmpstr);
if (ret == EEXIST) {
DEBUG(SSSDBG_TRACE_FUNC, ("Group [%s] member [%s@%s] filtered out!"
" (negative cache)\n",
(char *)&body[rzero+STRS_ROFFSET],
tmpstr, domain));
continue;
}
}
to_sized_string(&name, tmpstr);
if (add_domain) {
ret = sss_packet_grow(packet, name.len + delim + dom_len);
} else {
ret = sss_packet_grow(packet, name.len);
}
if (ret != EOK) {
goto done;
}
sss_packet_get_body(packet, &body, &blen);
if (add_domain) {
ret = snprintf((char *)&body[rzero + rsize],
name.len + delim + dom_len,
namefmt, name.str, domain);
if (ret >= (name.len + delim + dom_len)) {
/* need more space,
* got creative with the print format ? */
int t = ret - name.len + delim + dom_len + 1;
ret = sss_packet_grow(packet, t);
if (ret != EOK) {
goto done;
}
sss_packet_get_body(packet, &body, &blen);
delim += t;
/* retry */
ret = snprintf((char *)&body[rzero + rsize],
name.len + delim + dom_len,
namefmt, name.str, domain);
}
if (ret != name.len + delim + dom_len - 1) {
DEBUG(SSSDBG_OP_FAILURE, ("Failed to generate a fully qualified name"
" for member [%s@%s] of group [%s]!"
" Skipping\n", name.str, domain,
(char *)&body[rzero+STRS_ROFFSET]));
/* reclaim space */
ret = sss_packet_shrink(packet, name.len + delim + dom_len);
if (ret != EOK) {
goto done;
}
continue;
}
} else {
memcpy(&body[rzero + rsize], name.str, name.len);
}
if (add_domain) {
rsize += name.len + delim + dom_len;
} else {
rsize += name.len;
}
memnum++;
}
ret = 0;
done:
*_memnum = memnum;
*_rzero = rzero;
*_rsize = rsize;
talloc_zfree(tmp_ctx);
return ret;
}
static int fill_grent(struct sss_packet *packet,
struct sss_domain_info *dom,
struct nss_ctx *nctx,
bool filter_groups, bool gr_mmap_cache,
struct ldb_message **msgs,
int *count)
{
struct ldb_message *msg;
struct ldb_message_element *el;
uint8_t *body;
size_t blen;
uint32_t gid;
const char *tmpstr;
const char *orig_name;
struct sized_string name;
struct sized_string pwfield;
struct sized_string fullname;
size_t delim;
size_t dom_len;
int i = 0;
int ret, num, memnum;
size_t rzero, rsize;
bool add_domain = dom->fqnames;
const char *domain = dom->name;
const char *namefmt;
TALLOC_CTX *tmp_ctx = NULL;
namefmt = dom->names->fq_fmt;
if (add_domain) {
delim = 1;
dom_len = strlen(domain);
} else {
delim = 0;
dom_len = 0;
}
to_sized_string(&pwfield, nctx->pwfield);
num = 0;
/* first 2 fields (len and reserved), filled up later */
ret = sss_packet_grow(packet, 2*sizeof(uint32_t));
if (ret != EOK) {
goto done;
}
sss_packet_get_body(packet, &body, &blen);
rzero = 2*sizeof(uint32_t);
rsize = 0;
for (i = 0; i < *count; i++) {
talloc_zfree(tmp_ctx);
tmp_ctx = talloc_new(NULL);
msg = msgs[i];
/* new group */
if (!ldb_msg_check_string_attribute(msg, "objectClass",
SYSDB_GROUP_CLASS)) {
DEBUG(1, ("Wrong object (%s) found on stack!\n",
ldb_dn_get_linearized(msg->dn)));
continue;
}
/* new result starts at end of previous result */
rzero += rsize;
rsize = 0;
/* find group name/gid */
orig_name = ldb_msg_find_attr_as_string(msg, SYSDB_NAME, NULL);
gid = ldb_msg_find_attr_as_uint64(msg, SYSDB_GIDNUM, 0);
if (!orig_name || !gid) {
DEBUG(2, ("Incomplete group object for %s[%llu]! Skipping\n",
orig_name?orig_name:"<NULL>", (unsigned long long int)gid));
continue;
}
if (filter_groups) {
ret = sss_ncache_check_group(nctx->ncache,
nctx->neg_timeout, dom, orig_name);
if (ret == EEXIST) {
DEBUG(4, ("Group [%s@%s] filtered out! (negative cache)\n",
orig_name, domain));
continue;
}
}
tmpstr = sss_get_cased_name(tmp_ctx, orig_name, dom->case_sensitive);
if (tmpstr == NULL) {
DEBUG(SSSDBG_CRIT_FAILURE,
("sss_get_cased_name failed, skipping\n"));
continue;
}
to_sized_string(&name, tmpstr);
/* fill in gid and name and set pointer for number of members */
rsize = STRS_ROFFSET + name.len + pwfield.len; /* name\0x\0 */
if (add_domain) rsize += delim + dom_len;
ret = sss_packet_grow(packet, rsize);
if (ret != EOK) {
num = 0;
goto done;
}
sss_packet_get_body(packet, &body, &blen);
/* 0-3: 32bit number gid */
SAFEALIGN_SET_UINT32(&body[rzero+GID_ROFFSET], gid, NULL);
/* 4-7: 32bit unsigned number of members */
SAFEALIGN_SET_UINT32(&body[rzero+MNUM_ROFFSET], 0, NULL);
/* 8-X: sequence of strings (name, passwd, mem..) */
if (add_domain) {
ret = snprintf((char *)&body[rzero+STRS_ROFFSET],
name.len + delim + dom_len,
namefmt, name.str, domain);
if (ret >= (name.len + delim + dom_len)) {
/* need more space, got creative with the print format ? */
int t = ret - (name.len + delim + dom_len) + 1;
ret = sss_packet_grow(packet, t);
if (ret != EOK) {
num = 0;
goto done;
}
sss_packet_get_body(packet, &body, &blen);
rsize += t;
delim += t;
/* retry */
ret = snprintf((char *)&body[rzero+STRS_ROFFSET],
name.len + delim + dom_len,
namefmt, name.str, domain);
}
if (ret != name.len + delim + dom_len - 1) {
DEBUG(1, ("Failed to generate a fully qualified name for"
" group [%s] in [%s]! Skipping\n", name.str, domain));
/* reclaim space */
ret = sss_packet_shrink(packet, rsize);
if (ret != EOK) {
num = 0;
goto done;
}
rsize = 0;
continue;
}
} else {
memcpy(&body[rzero+STRS_ROFFSET], name.str, name.len);
}
to_sized_string(&fullname, (const char *)&body[rzero+STRS_ROFFSET]);
/* group passwd field */
memcpy(&body[rzero+STRS_ROFFSET + fullname.len],
pwfield.str, pwfield.len);
memnum = 0;
if (!dom->ignore_group_members) {
el = ldb_msg_find_element(msg, SYSDB_MEMBERUID);
if (el) {
ret = fill_members(packet, dom, nctx, el, &rzero, &rsize,
&memnum);
if (ret != EOK) {
num = 0;
goto done;
}
sss_packet_get_body(packet, &body, &blen);
}
el = ldb_msg_find_element(msg, SYSDB_GHOST);
if (el) {
ret = fill_members(packet, dom, nctx, el, &rzero, &rsize,
&memnum);
if (ret != EOK) {
num = 0;
goto done;
}
sss_packet_get_body(packet, &body, &blen);
}
}
if (memnum) {
/* set num of members */
SAFEALIGN_SET_UINT32(&body[rzero+MNUM_ROFFSET], memnum, NULL);
}
num++;
if (gr_mmap_cache && nctx->grp_mc_ctx) {
/* body was reallocated, so fullname might be pointing to
* where body used to be, not where it is */
to_sized_string(&fullname, (const char *)&body[rzero+STRS_ROFFSET]);
ret = sss_mmap_cache_gr_store(nctx->grp_mc_ctx,
&fullname, &pwfield, gid, memnum,
(char *)&body[rzero] + STRS_ROFFSET +
fullname.len + pwfield.len,
rsize - STRS_ROFFSET -
fullname.len - pwfield.len);
if (ret != EOK && ret != ENOMEM) {
DEBUG(SSSDBG_OP_FAILURE,
("Failed to store group %s(%s) in mmap cache!",
name.str, domain));
}
}
continue;
}
talloc_zfree(tmp_ctx);
done:
*count = i;
if (num == 0) {
/* if num is 0 most probably something went wrong,
* reset packet and return ENOENT */
ret = sss_packet_set_size(packet, 0);
if (ret != EOK) return ret;
return ENOENT;
}
((uint32_t *)body)[0] = num; /* num results */
((uint32_t *)body)[1] = 0; /* reserved */
return EOK;
}
static int nss_cmd_getgr_send_reply(struct nss_dom_ctx *dctx, bool filter)
{
struct nss_cmd_ctx *cmdctx = dctx->cmdctx;
struct cli_ctx *cctx = cmdctx->cctx;
struct nss_ctx *nctx;
int ret;
int i;
nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx);
ret = sss_packet_new(cctx->creq, 0,
sss_packet_get_cmd(cctx->creq->in),
&cctx->creq->out);
if (ret != EOK) {
return EFAULT;
}
i = dctx->res->count;
ret = fill_grent(cctx->creq->out,
dctx->domain,
nctx, filter, true,
dctx->res->msgs, &i);
if (ret) {
return ret;
}
sss_packet_set_error(cctx->creq->out, EOK);
sss_cmd_done(cctx, cmdctx);
return EOK;
}
static void nss_cmd_getgrnam_dp_callback(uint16_t err_maj, uint32_t err_min,
const char *err_msg, void *ptr);
/* search for a group.
* Returns:
* ENOENT, if group is definitely not found
* EAGAIN, if group is beeing fetched from backend via async operations
* EOK, if found
* anything else on a fatal error
*/
static int nss_cmd_getgrnam_search(struct nss_dom_ctx *dctx)
{
struct nss_cmd_ctx *cmdctx = dctx->cmdctx;
struct sss_domain_info *dom = dctx->domain;
struct cli_ctx *cctx = cmdctx->cctx;
char *name = NULL;
struct sized_string delete_grpname;
struct sysdb_ctx *sysdb;
struct nss_ctx *nctx;
int ret;
nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx);
while (dom) {
/* if it is a domainless search, skip domains that require fully
* qualified names instead */
while (dom && cmdctx->check_next && dom->fqnames) {
dom = dom->next;
}
if (!dom) break;
if (dom != dctx->domain) {
/* make sure we reset the check_provider flag when we check
* a new domain */
dctx->check_provider = NEED_CHECK_PROVIDER(dom->provider);
}
/* make sure to update the dctx if we changed domain */
dctx->domain = dom;
talloc_free(name);
name = sss_get_cased_name(dctx, cmdctx->name, dom->case_sensitive);
if (!name) return ENOMEM;
/* verify this group has not yet been negatively cached,
* or has been permanently filtered */
ret = sss_ncache_check_group(nctx->ncache, nctx->neg_timeout,
dom, name);
/* if neg cached, return we didn't find it */
if (ret == EEXIST) {
DEBUG(2, ("Group [%s] does not exist in [%s]! (negative cache)\n",
name, dom->name));
/* if a multidomain search, try with next */
if (cmdctx->check_next) {
dom = dom->next;
continue;
}
/* There are no further domains or this was a
* fully-qualified user request.
*/
return ENOENT;
}
DEBUG(4, ("Requesting info for [%s@%s]\n", name, dom->name));
sysdb = dom->sysdb;
if (sysdb == NULL) {
DEBUG(0, ("Fatal: Sysdb CTX not found for this domain!\n"));
return EIO;
}
/* if this is a subdomain we need to search for the fully qualified
* name in the database */
ret = sysdb_subdom_getgrnam(cmdctx, sysdb, name, &dctx->res);
if (ret != EOK) {
DEBUG(1, ("Failed to make request to our cache!\n"));
return EIO;
}
if (dctx->res->count > 1) {
DEBUG(0, ("getgrnam call returned more than one result !?!\n"));
return ENOENT;
}
if (dctx->res->count == 0 && !dctx->check_provider) {
/* set negative cache only if not result of cache check */
ret = sss_ncache_set_group(nctx->ncache, false, dom, name);
if (ret != EOK) {
return ret;
}
/* if a multidomain search, try with next */
if (cmdctx->check_next) {
dom = dom->next;
if (dom) continue;
}
DEBUG(2, ("No results for getgrnam call\n"));
/* Group not found in ldb -> delete group from memory cache. */
to_sized_string(&delete_grpname, name);
ret = sss_mmap_cache_gr_invalidate(nctx->grp_mc_ctx,
&delete_grpname);
if (ret != EOK && ret != ENOENT) {
DEBUG(SSSDBG_CRIT_FAILURE,
("Internal failure in memory cache code: %d [%s]\n",
ret, strerror(ret)));
}
return ENOENT;
}
/* if this is a caching provider (or if we haven't checked the cache
* yet) then verify that the cache is uptodate */
if (dctx->check_provider) {
ret = check_cache(dctx, nctx, dctx->res,
SSS_DP_GROUP, name, 0,
nss_cmd_getgrnam_dp_callback,
dctx);
if (ret != EOK) {
/* Anything but EOK means we should reenter the mainloop
* because we may be refreshing the cache
*/
return ret;
}
}
/* One result found */
DEBUG(6, ("Returning info for group [%s@%s]\n", name, dom->name));
return EOK;
}
DEBUG(SSSDBG_MINOR_FAILURE,
("No matching domain found for [%s], fail!\n", cmdctx->name));
return ENOENT;
}
static void nss_cmd_getgrnam_dp_callback(uint16_t err_maj, uint32_t err_min,
const char *err_msg, void *ptr)
{
struct nss_dom_ctx *dctx = talloc_get_type(ptr, struct nss_dom_ctx);
struct nss_cmd_ctx *cmdctx = dctx->cmdctx;
struct cli_ctx *cctx = cmdctx->cctx;
int ret;
if (err_maj) {
DEBUG(2, ("Unable to get information from Data Provider\n"
"Error: %u, %u, %s\n"
"Will try to return what we have in cache\n",
(unsigned int)err_maj, (unsigned int)err_min, err_msg));
if (dctx->res && dctx->res->count == 1) {
ret = nss_cmd_getgr_send_reply(dctx, false);
goto done;
}
/* no previous results, just loop to next domain if possible */
if (dctx->domain->next && cmdctx->check_next) {
dctx->domain = dctx->domain->next;
dctx->check_provider = NEED_CHECK_PROVIDER(dctx->domain->provider);
} else {
/* nothing available */
ret = ENOENT;
goto done;
}
}
/* ok the backend returned, search to see if we have updated results */
ret = nss_cmd_getgrnam_search(dctx);
if (ret == EOK) {
/* we have results to return */
ret = nss_cmd_getgr_send_reply(dctx, false);
}
done:
ret = nss_cmd_done(cmdctx, ret);
if (ret) {
NSS_CMD_FATAL_ERROR(cctx);
}
}
static void nss_cmd_getgrnam_cb(struct tevent_req *req);
static int nss_cmd_getgrnam(struct cli_ctx *cctx)
{
struct tevent_req *req;
struct nss_cmd_ctx *cmdctx;
struct nss_dom_ctx *dctx;
const char *rawname;
char *domname;
uint8_t *body;
size_t blen;
int ret;
cmdctx = talloc_zero(cctx, struct nss_cmd_ctx);
if (!cmdctx) {
return ENOMEM;
}
cmdctx->cctx = cctx;
dctx = talloc_zero(cmdctx, struct nss_dom_ctx);
if (!dctx) {
ret = ENOMEM;
goto done;
}
dctx->cmdctx = cmdctx;
/* get user name to query */
sss_packet_get_body(cctx->creq->in, &body, &blen);
/* if not terminated fail */
if (body[blen -1] != '\0') {
ret = EINVAL;
goto done;
}
/* If the body isn't valid UTF-8, fail */
if (!sss_utf8_check(body, blen -1)) {
ret = EINVAL;
goto done;
}
rawname = (const char *)body;
domname = NULL;
ret = sss_parse_name_for_domains(cmdctx, cctx->rctx->domains,
cctx->rctx->default_domain, rawname,
&domname, &cmdctx->name);
if (ret == EAGAIN) {
req = sss_dp_get_domains_send(cctx->rctx, cctx->rctx, true, domname);
if (req == NULL) {
ret = ENOMEM;
} else {
dctx->rawname = rawname;
tevent_req_set_callback(req, nss_cmd_getgrnam_cb, dctx);
ret = EAGAIN;
}
goto done;
} else if (ret != EOK) {
DEBUG(2, ("Invalid name received [%s]\n", rawname));
ret = ENOENT;
goto done;
}
DEBUG(4, ("Requesting info for [%s] from [%s]\n",
cmdctx->name, domname?domname:"<ALL>"));
if (domname) {
dctx->domain = responder_get_domain(dctx, cctx->rctx, domname);
if (!dctx->domain) {
ret = ENOENT;
goto done;
}
} else {
/* this is a multidomain search */
dctx->rawname = rawname;
dctx->domain = cctx->rctx->domains;
cmdctx->check_next = true;
if (cctx->rctx->get_domains_last_call.tv_sec == 0) {
req = sss_dp_get_domains_send(cctx->rctx, cctx->rctx, false, NULL);
if (req == NULL) {
ret = ENOMEM;
} else {
tevent_req_set_callback(req, nss_cmd_getgrnam_cb, dctx);
ret = EAGAIN;
}
goto done;
}
}
dctx->check_provider = NEED_CHECK_PROVIDER(dctx->domain->provider);
/* ok, find it ! */
ret = nss_cmd_getgrnam_search(dctx);
if (ret == EOK) {
/* we have results to return */
ret = nss_cmd_getgr_send_reply(dctx, false);
}
done:
return nss_cmd_done(cmdctx, ret);
}
static void nss_cmd_getgrnam_cb(struct tevent_req *req)
{
struct nss_dom_ctx *dctx = tevent_req_callback_data(req, struct nss_dom_ctx);
struct nss_cmd_ctx *cmdctx = dctx->cmdctx;
struct cli_ctx *cctx = cmdctx->cctx;
char *domname = NULL;
const char *rawname = dctx->rawname;
errno_t ret;
ret = sss_dp_get_domains_recv(req);
talloc_free(req);
if (ret != EOK) {
goto done;
}
ret = sss_parse_name_for_domains(cmdctx, cctx->rctx->domains,
cctx->rctx->default_domain, rawname,
&domname, &cmdctx->name);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, ("Invalid name received [%s]\n", rawname));
ret = ENOENT;
goto done;
}
DEBUG(SSSDBG_TRACE_FUNC, ("Requesting info for [%s] from [%s]\n",
cmdctx->name, domname?domname:"<ALL>"));
if (domname) {
dctx->domain = responder_get_domain(dctx, cctx->rctx, domname);
if (!dctx->domain) {
ret = ENOENT;
goto done;
}
} else {
/* this is a multidomain search */
dctx->domain = cctx->rctx->domains;
cmdctx->check_next = true;
}
dctx->check_provider = NEED_CHECK_PROVIDER(dctx->domain->provider);
/* ok, find it ! */
ret = nss_cmd_getgrnam_search(dctx);
if (ret == EOK) {
/* we have results to return */
ret = nss_cmd_getgr_send_reply(dctx, false);
}
done:
nss_cmd_done(cmdctx, ret);
}
static void nss_cmd_getgrgid_dp_callback(uint16_t err_maj, uint32_t err_min,
const char *err_msg, void *ptr);
/* search for a gid.
* Returns:
* ENOENT, if gid is definitely not found
* EAGAIN, if gid is beeing fetched from backend via async operations
* EOK, if found
* anything else on a fatal error
*/
static int nss_cmd_getgrgid_search(struct nss_dom_ctx *dctx)
{
struct nss_cmd_ctx *cmdctx = dctx->cmdctx;
struct sss_domain_info *dom = dctx->domain;
struct cli_ctx *cctx = cmdctx->cctx;
struct sysdb_ctx *sysdb;
struct nss_ctx *nctx;
int ret;
nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx);
while (dom) {
/* check that the gid is valid for this domain */
if ((dom->id_min && (cmdctx->id < dom->id_min)) ||
(dom->id_max && (cmdctx->id > dom->id_max))) {
DEBUG(4, ("Gid [%lu] does not exist in domain [%s]! "
"(id out of range)\n",
(unsigned long)cmdctx->id, dom->name));
if (cmdctx->check_next) {
dom = get_next_dom_or_subdom(dom);
continue;
}
return ENOENT;
}
if (dom != dctx->domain) {
/* make sure we reset the check_provider flag when we check
* a new domain */
dctx->check_provider = NEED_CHECK_PROVIDER(dom->provider);
}
/* make sure to update the dctx if we changed domain */
dctx->domain = dom;
DEBUG(4, ("Requesting info for [%d@%s]\n", cmdctx->id, dom->name));
sysdb = dom->sysdb;
if (sysdb == NULL) {
DEBUG(0, ("Fatal: Sysdb CTX not found for this domain!\n"));
return EIO;
}
ret = sysdb_getgrgid(cmdctx, sysdb, cmdctx->id, &dctx->res);
if (ret != EOK) {
DEBUG(1, ("Failed to make request to our cache!\n"));
return EIO;
}
if (dctx->res->count > 1) {
DEBUG(0, ("getgrgid call returned more than one result !?!\n"));
return ENOENT;
}
if (dctx->res->count == 0 && !dctx->check_provider) {
/* if a multidomain search, try with next */
if (cmdctx->check_next) {
dom = get_next_dom_or_subdom(dom);
continue;
}
DEBUG(2, ("No results for getgrgid call\n"));
/* set negative cache only if not result of cache check */
ret = sss_ncache_set_gid(nctx->ncache, false, cmdctx->id);
if (ret != EOK) {
return ret;
}
return ENOENT;
}
/* if this is a caching provider (or if we haven't checked the cache
* yet) then verify that the cache is uptodate */
if (dctx->check_provider) {
ret = check_cache(dctx, nctx, dctx->res,
SSS_DP_GROUP, NULL, cmdctx->id,
nss_cmd_getgrgid_dp_callback,
dctx);
if (ret != EOK) {
/* Anything but EOK means we should reenter the mainloop
* because we may be refreshing the cache
*/
return ret;
}
}
/* One result found */
DEBUG(6, ("Returning info for gid [%d@%s]\n", cmdctx->id, dom->name));
return EOK;
}
DEBUG(2, ("No matching domain found for [%d], fail!\n", cmdctx->id));
return ENOENT;
}
static void nss_cmd_getgrgid_dp_callback(uint16_t err_maj, uint32_t err_min,
const char *err_msg, void *ptr)
{
struct nss_dom_ctx *dctx = talloc_get_type(ptr, struct nss_dom_ctx);
struct nss_cmd_ctx *cmdctx = dctx->cmdctx;
struct cli_ctx *cctx = cmdctx->cctx;
int ret;
if (err_maj) {
DEBUG(2, ("Unable to get information from Data Provider\n"
"Error: %u, %u, %s\n"
"Will try to return what we have in cache\n",
(unsigned int)err_maj, (unsigned int)err_min, err_msg));
if (dctx->res && dctx->res->count == 1) {
ret = nss_cmd_getgr_send_reply(dctx, true);
goto done;
}
/* no previous results, just loop to next domain if possible */
if (dctx->domain->next && cmdctx->check_next) {
dctx->domain = dctx->domain->next;
dctx->check_provider = NEED_CHECK_PROVIDER(dctx->domain->provider);
} else {
/* nothing available */
ret = ENOENT;
goto done;
}
}
/* ok the backend returned, search to see if we have updated results */
ret = nss_cmd_getgrgid_search(dctx);
if (ret == EOK) {
/* we have results to return */
ret = nss_cmd_getgr_send_reply(dctx, true);
}
done:
ret = nss_cmd_done(cmdctx, ret);
if (ret) {
NSS_CMD_FATAL_ERROR(cctx);
}
}
static void nss_cmd_getgrgid_cb(struct tevent_req *req);
static int nss_cmd_getgrgid(struct cli_ctx *cctx)
{
struct nss_cmd_ctx *cmdctx;
struct nss_dom_ctx *dctx;
struct nss_ctx *nctx;
uint8_t *body;
size_t blen;
int ret;
struct tevent_req *req;
nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx);
cmdctx = talloc_zero(cctx, struct nss_cmd_ctx);
if (!cmdctx) {
return ENOMEM;
}
cmdctx->cctx = cctx;
dctx = talloc_zero(cmdctx, struct nss_dom_ctx);
if (!dctx) {
ret = ENOMEM;
goto done;
}
dctx->cmdctx = cmdctx;
/* get uid to query */
sss_packet_get_body(cctx->creq->in, &body, &blen);
if (blen != sizeof(uint32_t)) {
ret = EINVAL;
goto done;
}
cmdctx->id = *((uint32_t *)body);
ret = sss_ncache_check_gid(nctx->ncache, nctx->neg_timeout, cmdctx->id);
if (ret == EEXIST) {
DEBUG(3, ("Gid [%lu] does not exist! (negative cache)\n",
(unsigned long)cmdctx->id));
ret = ENOENT;
goto done;
}
/* gid searches are always multidomain */
dctx->domain = cctx->rctx->domains;
cmdctx->check_next = true;
dctx->check_provider = NEED_CHECK_PROVIDER(dctx->domain->provider);
if (cctx->rctx->get_domains_last_call.tv_sec == 0) {
req = sss_dp_get_domains_send(cctx->rctx, cctx->rctx, false, NULL);
if (req == NULL) {
ret = ENOMEM;
} else {
tevent_req_set_callback(req, nss_cmd_getgrgid_cb, dctx);
ret = EAGAIN;
}
goto done;
}
/* ok, find it ! */
ret = nss_cmd_getgrgid_search(dctx);
if (ret == EOK) {
/* we have results to return */
ret = nss_cmd_getgr_send_reply(dctx, true);
}
done:
return nss_cmd_done(cmdctx, ret);
}
static void nss_cmd_getgrgid_cb(struct tevent_req *req)
{
struct nss_dom_ctx *dctx = tevent_req_callback_data(req, struct nss_dom_ctx);
struct nss_cmd_ctx *cmdctx = dctx->cmdctx;
errno_t ret;
ret = sss_dp_get_domains_recv(req);
talloc_free(req);
if (ret != EOK) {
goto done;
}
/* ok, find it ! */
ret = nss_cmd_getgrgid_search(dctx);
if (ret == EOK) {
/* we have results to return */
ret = nss_cmd_getgr_send_reply(dctx, true);
}
done:
nss_cmd_done(cmdctx, ret);
}
/* to keep it simple at this stage we are retrieving the
* full enumeration again for each request for each process
* and we also block on setgrent() for the full time needed
* to retrieve the data. And endgrent() frees all the data.
* Next steps are:
* - use and nsssrv wide cache with data already structured
* so that it can be immediately returned (see nscd way)
* - use mutexes so that setgrent() can return immediately
* even if the data is still being fetched
* - make getgrent() wait on the mutex
*/
struct tevent_req *nss_cmd_setgrent_send(TALLOC_CTX *mem_ctx,
struct cli_ctx *client);
static void nss_cmd_setgrent_done(struct tevent_req *req);
static int nss_cmd_setgrent(struct cli_ctx *cctx)
{
struct nss_cmd_ctx *cmdctx;
struct tevent_req *req;
errno_t ret = EOK;
cmdctx = talloc_zero(cctx, struct nss_cmd_ctx);
if (!cmdctx) {
return ENOMEM;
}
cmdctx->cctx = cctx;
req = nss_cmd_setgrent_send(cmdctx, cctx);
if (!req) {
DEBUG(0, ("Fatal error calling nss_cmd_setgrent_send\n"));
ret = EIO;
goto done;
}
tevent_req_set_callback(req, nss_cmd_setgrent_done, cmdctx);
done:
return nss_cmd_done(cmdctx, ret);
}
static errno_t nss_cmd_setgrent_step(struct setent_step_ctx *step_ctx);
struct tevent_req *nss_cmd_setgrent_send(TALLOC_CTX *mem_ctx,
struct cli_ctx *client)
{
errno_t ret;
struct nss_ctx *nctx;
struct tevent_req *req;
struct setent_ctx *state;
struct sss_domain_info *dom;
struct setent_step_ctx *step_ctx;
DEBUG(4, ("Received setgrent request\n"));
nctx = talloc_get_type(client->rctx->pvt_ctx, struct nss_ctx);
/* Reset the read pointers */
client->grent_dom_idx = 0;
client->grent_cur = 0;
req = tevent_req_create(mem_ctx, &state, struct setent_ctx);
if (!req) {
DEBUG(0, ("Could not create tevent request for setgrent\n"));
return NULL;
}
state->nctx = nctx;
state->client = client;
state->dctx = talloc_zero(state, struct nss_dom_ctx);
if (!state->dctx) {
ret = ENOMEM;
goto error;
}
/* check if enumeration is enabled in any domain */
for (dom = client->rctx->domains; dom; dom = dom->next) {
if (dom->enumerate != 0) break;
}
state->dctx->domain = dom;
if (state->dctx->domain == NULL) {
DEBUG(2, ("Enumeration disabled on all domains!\n"));
ret = ENOENT;
goto error;
}
state->dctx->check_provider =
NEED_CHECK_PROVIDER(state->dctx->domain->provider);
/* Is the result context already available */
if (state->nctx->gctx) {
if (state->nctx->gctx->ready) {
/* All of the necessary data is in place
* We can return now, getgrent requests will work at this point
*/
tevent_req_done(req);
tevent_req_post(req, state->nctx->rctx->ev);
}
else {
/* Object is still being constructed
* Register for notification when it's
* ready.
*/
ret = nss_setent_add_ref(state, state->nctx->gctx, req);
if (ret != EOK) {
talloc_free(req);
return NULL;
}
}
return req;
}
/* Create a new result context
* We are creating it on the nss_ctx so that it doesn't
* go away if the original request does. We will delete
* it when the refcount goes to zero;
*/
state->nctx->gctx = talloc_zero(nctx, struct getent_ctx);
if (!state->nctx->gctx) {
ret = ENOMEM;
goto error;
}
state->getent_ctx = nctx->gctx;
/* Add a callback reference for ourselves */
ret = nss_setent_add_ref(state, state->nctx->gctx, req);
if (ret) goto error;
/* ok, start the searches */
step_ctx = talloc_zero(state->getent_ctx, struct setent_step_ctx);
if (!step_ctx) {
ret = ENOMEM;
goto error;
}
/* Steal the dom_ctx onto the step_ctx so it doesn't go out of scope if
* this request is canceled while other requests are in-progress.
*/
step_ctx->dctx = talloc_steal(step_ctx, state->dctx);
step_ctx->nctx = state->nctx;
step_ctx->getent_ctx = state->getent_ctx;
step_ctx->rctx = client->rctx;
step_ctx->cctx = client;
step_ctx->returned_to_mainloop = false;
ret = nss_cmd_setgrent_step(step_ctx);
if (ret != EOK && ret != EAGAIN) goto error;
if (ret == EOK) {
tevent_req_post(req, client->rctx->ev);
}
return req;
error:
tevent_req_error(req, ret);
tevent_req_post(req, client->rctx->ev);
return req;
}
static void nss_cmd_setgrent_dp_callback(uint16_t err_maj, uint32_t err_min,
const char *err_msg, void *ptr);
static void setgrent_result_timeout(struct tevent_context *ev,
struct tevent_timer *te,
struct timeval current_time,
void *pvt);
/* nss_cmd_setgrent_step returns
* EOK if everything is done and the request needs to be posted explicitly
* EAGAIN if the caller can safely return to the main loop
*/
static errno_t nss_cmd_setgrent_step(struct setent_step_ctx *step_ctx)
{
errno_t ret;
struct sss_domain_info *dom = step_ctx->dctx->domain;
struct resp_ctx *rctx = step_ctx->rctx;
struct nss_dom_ctx *dctx = step_ctx->dctx;
struct getent_ctx *gctx = step_ctx->getent_ctx;
struct nss_ctx *nctx = step_ctx->nctx;
struct sysdb_ctx *sysdb;
struct ldb_result *res;
struct timeval tv;
struct tevent_timer *te;
struct tevent_req *dpreq;
struct dp_callback_ctx *cb_ctx;
while (dom) {
while (dom && dom->enumerate == 0) {
dom = dom->next;
}
if (!dom) break;
if (dom != dctx->domain) {
/* make sure we reset the check_provider flag when we check
* a new domain */
dctx->check_provider = NEED_CHECK_PROVIDER(dom->provider);
}
/* make sure to update the dctx if we changed domain */
dctx->domain = dom;
DEBUG(6, ("Requesting info for domain [%s]\n", dom->name));
sysdb = dom->sysdb;
if (sysdb == NULL) {
DEBUG(0, ("Fatal: Sysdb CTX not found for this domain!\n"));
return EIO;
}
/* if this is a caching provider (or if we haven't checked the cache
* yet) then verify that the cache is uptodate */
if (dctx->check_provider) {
step_ctx->returned_to_mainloop = true;
/* Only do this once per provider */
dctx->check_provider = false;
dpreq = sss_dp_get_account_send(step_ctx, rctx, dctx->domain, true,
SSS_DP_GROUP, NULL, 0, NULL);
if (!dpreq) {
DEBUG(SSSDBG_MINOR_FAILURE,
("Enum Cache refresh for domain [%s] failed."
" Trying to return what we have in cache!\n",
dom->name));
} else {
cb_ctx = talloc_zero(step_ctx, struct dp_callback_ctx);
if(!cb_ctx) {
talloc_zfree(dpreq);
return ENOMEM;
}
cb_ctx->callback = nss_cmd_setgrent_dp_callback;
cb_ctx->ptr = step_ctx;
cb_ctx->cctx = step_ctx->cctx;
cb_ctx->mem_ctx = step_ctx;
tevent_req_set_callback(dpreq, nsssrv_dp_send_acct_req_done, cb_ctx);
return EAGAIN;
}
}
ret = sysdb_enumgrent(dctx, sysdb, &res);
if (ret != EOK) {
DEBUG(1, ("Enum from cache failed, skipping domain [%s]\n",
dom->name));
dom = dom->next;
continue;
}
if (res->count == 0) {
DEBUG(4, ("Domain [%s] has no groups, skipping.\n", dom->name));
dom = dom->next;
continue;
}
nctx->gctx->doms = talloc_realloc(gctx, gctx->doms,
struct dom_ctx, gctx->num +1);
if (!gctx->doms) {
talloc_free(gctx);
nctx->gctx = NULL;
return ENOMEM;
}
nctx->gctx->doms[gctx->num].domain = dctx->domain;
nctx->gctx->doms[gctx->num].res = talloc_steal(gctx->doms, res);
nctx->gctx->num++;
/* do not reply until all domain searches are done */
dom = dom->next;
}
/* We've finished all our lookups
* The result object is now safe to read.
*/
nctx->gctx->ready = true;
/* Set up a lifetime timer for this result object
* We don't want this result object to outlive the
* enum cache refresh timeout
*/
tv = tevent_timeval_current_ofs(nctx->enum_cache_timeout, 0);
te = tevent_add_timer(rctx->ev, nctx->gctx, tv,
setgrent_result_timeout, nctx);
if (!te) {
DEBUG(0, ("Could not set up life timer for setgrent result object. "
"Entries may become stale.\n"));
}
/* Notify the waiting clients */
nss_setent_notify_done(nctx->gctx);
if (step_ctx->returned_to_mainloop) {
return EAGAIN;
} else {
return EOK;
}
}
static void setgrent_result_timeout(struct tevent_context *ev,
struct tevent_timer *te,
struct timeval current_time,
void *pvt)
{
struct nss_ctx *nctx = talloc_get_type(pvt, struct nss_ctx);
DEBUG(1, ("setgrent result object has expired. Cleaning up.\n"));
/* Free the group enumeration context.
* If additional getgrent requests come in, they will invoke
* an implicit setgrent and refresh the result object.
*/
talloc_zfree(nctx->gctx);
}
static void nss_cmd_setgrent_dp_callback(uint16_t err_maj, uint32_t err_min,
const char *err_msg, void *ptr)
{
struct setent_step_ctx *step_ctx =
talloc_get_type(ptr, struct setent_step_ctx);
int ret;
if (err_maj) {
DEBUG(2, ("Unable to get information from Data Provider\n"
"Error: %u, %u, %s\n"
"Will try to return what we have in cache\n",
(unsigned int)err_maj, (unsigned int)err_min, err_msg));
}
ret = nss_cmd_setgrent_step(step_ctx);
if (ret != EOK && ret != EAGAIN) {
/* Notify any waiting processes of failure */
nss_setent_notify_error(step_ctx->nctx->gctx, ret);
}
}
static errno_t nss_cmd_setgrent_recv(struct tevent_req *req)
{
TEVENT_REQ_RETURN_ON_ERROR(req);
return EOK;
}
static void nss_cmd_setgrent_done(struct tevent_req *req)
{
errno_t ret;
struct nss_cmd_ctx *cmdctx =
tevent_req_callback_data(req, struct nss_cmd_ctx);
ret = nss_cmd_setgrent_recv(req);
talloc_zfree(req);
if (ret == EOK || ret == ENOENT) {
/* Either we succeeded or no domains were eligible */
ret = sss_packet_new(cmdctx->cctx->creq, 0,
sss_packet_get_cmd(cmdctx->cctx->creq->in),
&cmdctx->cctx->creq->out);
if (ret == EOK) {
sss_cmd_done(cmdctx->cctx, cmdctx);
return;
}
}
/* Something bad happened */
nss_cmd_done(cmdctx, ret);
}
static int nss_cmd_retgrent(struct cli_ctx *cctx, int num)
{
struct nss_ctx *nctx;
struct getent_ctx *gctx;
struct ldb_message **msgs = NULL;
struct dom_ctx *gdom = NULL;
int n = 0;
int ret = ENOENT;
nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx);
if (!nctx->gctx) goto none;
gctx = nctx->gctx;
while (ret == ENOENT) {
if (cctx->grent_dom_idx >= gctx->num) break;
gdom = &gctx->doms[cctx->grent_dom_idx];
n = gdom->res->count - cctx->grent_cur;
if (n <= 0 && (cctx->grent_dom_idx+1 < gctx->num)) {
cctx->grent_dom_idx++;
gdom = &gctx->doms[cctx->grent_dom_idx];
n = gdom->res->count;
cctx->grent_cur = 0;
}
if (!n) break;
if (n > num) n = num;
msgs = &(gdom->res->msgs[cctx->grent_cur]);
ret = fill_grent(cctx->creq->out,
gdom->domain,
nctx, true, false, msgs, &n);
cctx->grent_cur += n;
}
none:
if (ret == ENOENT) {
ret = sss_cmd_empty_packet(cctx->creq->out);
}
return ret;
}
static int nss_cmd_getgrent_immediate(struct nss_cmd_ctx *cmdctx)
{
struct cli_ctx *cctx = cmdctx->cctx;
uint8_t *body;
size_t blen;
uint32_t num;
int ret;
/* get max num of entries to return in one call */
sss_packet_get_body(cctx->creq->in, &body, &blen);
if (blen != sizeof(uint32_t)) {
return EINVAL;
}
num = *((uint32_t *)body);
/* create response packet */
ret = sss_packet_new(cctx->creq, 0,
sss_packet_get_cmd(cctx->creq->in),
&cctx->creq->out);
if (ret != EOK) {
return ret;
}
ret = nss_cmd_retgrent(cctx, num);
sss_packet_set_error(cctx->creq->out, ret);
sss_cmd_done(cctx, cmdctx);
return EOK;
}
static void nss_cmd_implicit_setgrent_done(struct tevent_req *req);
static int nss_cmd_getgrent(struct cli_ctx *cctx)
{
struct nss_ctx *nctx;
struct nss_cmd_ctx *cmdctx;
struct tevent_req *req;
DEBUG(4, ("Requesting info for all groups\n"));
cmdctx = talloc_zero(cctx, struct nss_cmd_ctx);
if (!cmdctx) {
return ENOMEM;
}
cmdctx->cctx = cctx;
/* Save the current index and cursor locations
* If we end up calling setgrent implicitly, because the response object
* expired and has to be recreated, we want to resume from the same
* location.
*/
cmdctx->saved_dom_idx = cctx->grent_dom_idx;
cmdctx->saved_cur = cctx->grent_cur;
nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx);
if(!nctx->gctx || !nctx->gctx->ready) {
/* Make sure we invoke setgrent if it hasn't been run or is still
* processing from another client
*/
req = nss_cmd_setgrent_send(cctx, cctx);
if (!req) {
return EIO;
}
tevent_req_set_callback(req, nss_cmd_implicit_setgrent_done, cmdctx);
return EOK;
}
return nss_cmd_getgrent_immediate(cmdctx);
}
static errno_t nss_cmd_setgrent_recv(struct tevent_req *req);
static void nss_cmd_implicit_setgrent_done(struct tevent_req *req)
{
errno_t ret;
struct nss_cmd_ctx *cmdctx =
tevent_req_callback_data(req, struct nss_cmd_ctx);
ret = nss_cmd_setgrent_recv(req);
talloc_zfree(req);
/* ENOENT is acceptable, as it just means that there were no entries
* to be returned. This will be handled gracefully in nss_cmd_retpwent
* later.
*/
if (ret != EOK && ret != ENOENT) {
DEBUG(0, ("Implicit setgrent failed with unexpected error [%d][%s]\n",
ret, strerror(ret)));
NSS_CMD_FATAL_ERROR(cmdctx);
}
/* Restore the saved index and cursor locations */
cmdctx->cctx->grent_dom_idx = cmdctx->saved_dom_idx;
cmdctx->cctx->grent_cur = cmdctx->saved_cur;
ret = nss_cmd_getgrent_immediate(cmdctx);
if (ret != EOK) {
DEBUG(0, ("Immediate retrieval failed with unexpected error "
"[%d][%s]\n", ret, strerror(ret)));
NSS_CMD_FATAL_ERROR(cmdctx);
}
}
static int nss_cmd_endgrent(struct cli_ctx *cctx)
{
struct nss_ctx *nctx;
int ret;
DEBUG(4, ("Terminating request info for all groups\n"));
nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx);
/* create response packet */
ret = sss_packet_new(cctx->creq, 0,
sss_packet_get_cmd(cctx->creq->in),
&cctx->creq->out);
if (ret != EOK) {
return ret;
}
if (nctx->gctx == NULL) goto done;
/* Reset the indices so that subsequent requests start at zero */
cctx->grent_dom_idx = 0;
cctx->grent_cur = 0;
done:
sss_cmd_done(cctx, NULL);
return EOK;
}
void nss_update_initgr_memcache(struct nss_ctx *nctx,
const char *name, const char *domain,
int gnum, uint32_t *groups)
{
struct sss_domain_info *dom;
struct ldb_result *res;
bool changed = false;
uint32_t id;
uint32_t gids[gnum];
int ret;
int i, j;
if (gnum == 0) {
/* there are no groups to invalidate in any case, just return */
return;
}
for (dom = nctx->rctx->domains; dom != NULL; dom = dom->next) {
if (strcasecmp(dom->name, domain) == 0) {
break;
}
}
if (dom == NULL) {
DEBUG(SSSDBG_OP_FAILURE,
("Unknown domain (%s) requested by provider\n", domain));
return;
}
ret = sysdb_initgroups(NULL, dom->sysdb, name, &res);
if (ret != EOK && ret != ENOENT) {
DEBUG(SSSDBG_CRIT_FAILURE,
("Failed to make request to our cache! [%d][%s]\n",
ret, strerror(ret)));
return;
}
/* copy, we need the original intact in case we need to invalidate
* all the original groups */
memcpy(gids, groups, gnum * sizeof(uint32_t));
if (ret == ENOENT || res->count == 0) {
changed = true;
} else {
/* we skip the first entry, it's the user itself */
for (i = 1; i < res->count; i++) {
id = ldb_msg_find_attr_as_uint(res->msgs[i], SYSDB_GIDNUM, 0);
if (id == 0) {
/* probably non-posix group, skip */
continue;
}
for (j = 0; j < gnum; j++) {
if (gids[j] == id) {
gids[j] = 0;
break;
}
}
if (j >= gnum) {
/* we couldn't find a match, this means the groups have
* changed after the refresh */
changed = true;
break;
}
}
if (!changed) {
for (j = 0; j < gnum; j++) {
if (gids[j] != 0) {
/* we found an un-cleared groups, this means the groups
* have changed after the refresh (some got deleted) */
changed = true;
break;
}
}
}
}
if (changed) {
for (i = 0; i < gnum; i++) {
id = groups[i];
ret = sss_mmap_cache_gr_invalidate_gid(nctx->grp_mc_ctx, id);
if (ret != EOK && ret != ENOENT) {
DEBUG(SSSDBG_CRIT_FAILURE,
("Internal failure in memory cache code: %d [%s]\n",
ret, strerror(ret)));
}
}
}
}
/* FIXME: what about mpg, should we return the user's GID ? */
/* FIXME: should we filter out GIDs ? */
static int fill_initgr(struct sss_packet *packet, struct ldb_result *res)
{
uint8_t *body;
size_t blen;
gid_t gid;
int ret, i, num, bindex;
int skipped = 0;
const char *posix;
if (res->count == 0) {
return ENOENT;
}
/* one less, the first one is the user entry */
num = res->count -1;
ret = sss_packet_grow(packet, (2 + res->count) * sizeof(uint32_t));
if (ret != EOK) {
return ret;
}
sss_packet_get_body(packet, &body, &blen);
/* skip first entry, it's the user entry */
bindex = 0;
for (i = 0; i < num; i++) {
gid = ldb_msg_find_attr_as_uint64(res->msgs[i + 1], SYSDB_GIDNUM, 0);
posix = ldb_msg_find_attr_as_string(res->msgs[i + 1], SYSDB_POSIX, NULL);
if (!gid) {
if (posix && strcmp(posix, "FALSE") == 0) {
skipped++;
continue;
} else {
DEBUG(1, ("Incomplete group object for initgroups! Aborting\n"));
return EFAULT;
}
}
((uint32_t *)body)[2 + bindex] = gid;
bindex++;
}
((uint32_t *)body)[0] = num-skipped; /* num results */
((uint32_t *)body)[1] = 0; /* reserved */
return EOK;
}
static int nss_cmd_initgr_send_reply(struct nss_dom_ctx *dctx)
{
struct nss_cmd_ctx *cmdctx = dctx->cmdctx;
struct cli_ctx *cctx = cmdctx->cctx;
int ret;
ret = sss_packet_new(cctx->creq, 0,
sss_packet_get_cmd(cctx->creq->in),
&cctx->creq->out);
if (ret != EOK) {
return EFAULT;
}
ret = fill_initgr(cctx->creq->out, dctx->res);
if (ret) {
return ret;
}
sss_packet_set_error(cctx->creq->out, EOK);
sss_cmd_done(cctx, cmdctx);
return EOK;
}
static void nss_cmd_initgroups_dp_callback(uint16_t err_maj, uint32_t err_min,
const char *err_msg, void *ptr);
static int nss_cmd_initgroups_search(struct nss_dom_ctx *dctx)
{
struct nss_cmd_ctx *cmdctx = dctx->cmdctx;
struct sss_domain_info *dom = dctx->domain;
struct cli_ctx *cctx = cmdctx->cctx;
char *name = NULL;
struct sysdb_ctx *sysdb;
struct nss_ctx *nctx;
int ret;
nctx = talloc_get_type(cctx->rctx->pvt_ctx, struct nss_ctx);
while (dom) {
/* if it is a domainless search, skip domains that require fully
* qualified names instead */
while (dom && cmdctx->check_next && dom->fqnames) {
dom = dom->next;
}
if (!dom) break;
if (dom != dctx->domain) {
/* make sure we reset the check_provider flag when we check
* a new domain */
dctx->check_provider = NEED_CHECK_PROVIDER(dom->provider);
}
/* make sure to update the dctx if we changed domain */
dctx->domain = dom;
talloc_free(name);
name = sss_get_cased_name(dctx, cmdctx->name, dom->case_sensitive);
if (!name) return ENOMEM;
/* verify this user has not yet been negatively cached,
* or has been permanently filtered */
ret = sss_ncache_check_user(nctx->ncache, nctx->neg_timeout,
dom, name);
/* if neg cached, return we didn't find it */
if (ret == EEXIST) {
DEBUG(2, ("User [%s] does not exist in [%s]! (negative cache)\n",
name, dom->name));
/* if a multidomain search, try with next */
if (cmdctx->check_next) {
dom = dom->next;
continue;
}
/* There are no further domains or this was a
* fully-qualified user request.
*/
return ENOENT;
}
DEBUG(4, ("Requesting info for [%s@%s]\n", name, dom->name));
sysdb = dom->sysdb;
if (sysdb == NULL) {
DEBUG(0, ("Fatal: Sysdb CTX not found for this domain!\n"));
return EIO;
}
ret = sysdb_initgroups(cmdctx, sysdb, name, &dctx->res);
if (ret != EOK) {
DEBUG(1, ("Failed to make request to our cache! [%d][%s]\n",
ret, strerror(ret)));
return EIO;
}
if (dctx->res->count == 0 && !dctx->check_provider) {
/* set negative cache only if not result of cache check */
ret = sss_ncache_set_user(nctx->ncache, false, dom, name);
if (ret != EOK) {
return ret;
}
/* if a multidomain search, try with next */
if (cmdctx->check_next) {
dom = dom->next;
if (dom) continue;
}
DEBUG(2, ("No results for initgroups call\n"));
return ENOENT;
}
/* if this is a caching provider (or if we haven't checked the cache
* yet) then verify that the cache is uptodate */
if (dctx->check_provider) {
ret = check_cache(dctx, nctx, dctx->res,
SSS_DP_INITGROUPS, name, 0,
nss_cmd_initgroups_dp_callback,
dctx);
if (ret != EOK) {
/* Anything but EOK means we should reenter the mainloop
* because we may be refreshing the cache
*/
return ret;
}
}
DEBUG(6, ("Initgroups for [%s@%s] completed\n", name, dom->name));
return EOK;
}
DEBUG(SSSDBG_MINOR_FAILURE,
("No matching domain found for [%s], fail!\n", cmdctx->name));
return ENOENT;
}
static void nss_cmd_initgroups_dp_callback(uint16_t err_maj, uint32_t err_min,
const char *err_msg, void *ptr)
{
struct nss_dom_ctx *dctx = talloc_get_type(ptr, struct nss_dom_ctx);
struct nss_cmd_ctx *cmdctx = dctx->cmdctx;
struct cli_ctx *cctx = cmdctx->cctx;
int ret;
if (err_maj) {
DEBUG(2, ("Unable to get information from Data Provider\n"
"Error: %u, %u, %s\n"
"Will try to return what we have in cache\n",
(unsigned int)err_maj, (unsigned int)err_min, err_msg));
if (dctx->res && dctx->res->count != 0) {
ret = nss_cmd_initgr_send_reply(dctx);
goto done;
}
/* no previous results, just loop to next domain if possible */
if (dctx->domain->next && cmdctx->check_next) {
dctx->domain = dctx->domain->next;
dctx->check_provider = NEED_CHECK_PROVIDER(dctx->domain->provider);
} else {
/* nothing available */
ret = ENOENT;
goto done;
}
}
/* ok the backend returned, search to see if we have updated results */
ret = nss_cmd_initgroups_search(dctx);
if (ret == EOK) {
/* we have results to return */
ret = nss_cmd_initgr_send_reply(dctx);
}
done:
ret = nss_cmd_done(cmdctx, ret);
if (ret) {
NSS_CMD_FATAL_ERROR(cctx);
}
}
/* for now, if we are online, try to always query the backend */
static void nss_cmd_initgroups_cb(struct tevent_req *req);
static int nss_cmd_initgroups(struct cli_ctx *cctx)
{
struct tevent_req *req;
struct nss_cmd_ctx *cmdctx;
struct nss_dom_ctx *dctx;
const char *rawname;
char *domname;
uint8_t *body;
size_t blen;
int ret;
cmdctx = talloc_zero(cctx, struct nss_cmd_ctx);
if (!cmdctx) {
return ENOMEM;
}
cmdctx->cctx = cctx;
dctx = talloc_zero(cmdctx, struct nss_dom_ctx);
if (!dctx) {
ret = ENOMEM;
goto done;
}
dctx->cmdctx = cmdctx;
/* get user name to query */
sss_packet_get_body(cctx->creq->in, &body, &blen);
/* if not terminated fail */
if (body[blen -1] != '\0') {
ret = EINVAL;
goto done;
}
/* If the body isn't valid UTF-8, fail */
if (!sss_utf8_check(body, blen -1)) {
ret = EINVAL;
goto done;
}
rawname = (const char *)body;
domname = NULL;
ret = sss_parse_name_for_domains(cmdctx, cctx->rctx->domains,
cctx->rctx->default_domain, rawname,
&domname, &cmdctx->name);
if (ret == EAGAIN) {
req = sss_dp_get_domains_send(cctx->rctx, cctx->rctx, true, domname);
if (req == NULL) {
ret = ENOMEM;
} else {
dctx->rawname = rawname;
tevent_req_set_callback(req, nss_cmd_initgroups_cb, dctx);
ret = EAGAIN;
}
goto done;
} else if (ret != EOK) {
DEBUG(2, ("Invalid name received [%s]\n", rawname));
ret = ENOENT;
goto done;
}
DEBUG(4, ("Requesting info for [%s] from [%s]\n",
cmdctx->name, domname?domname:"<ALL>"));
if (domname) {
dctx->domain = responder_get_domain(dctx, cctx->rctx, domname);
if (!dctx->domain) {
ret = ENOENT;
goto done;
}
} else {
/* this is a multidomain search */
dctx->rawname = rawname;
dctx->domain = cctx->rctx->domains;
cmdctx->check_next = true;
if (cctx->rctx->get_domains_last_call.tv_sec == 0) {
req = sss_dp_get_domains_send(cctx->rctx, cctx->rctx, false, NULL);
if (req == NULL) {
ret = ENOMEM;
} else {
tevent_req_set_callback(req, nss_cmd_initgroups_cb, dctx);
ret = EAGAIN;
}
goto done;
}
}
dctx->check_provider = NEED_CHECK_PROVIDER(dctx->domain->provider);
/* ok, find it ! */
ret = nss_cmd_initgroups_search(dctx);
if (ret == EOK) {
/* we have results to return */
ret = nss_cmd_initgr_send_reply(dctx);
}
done:
return nss_cmd_done(cmdctx, ret);
}
static void nss_cmd_initgroups_cb(struct tevent_req *req)
{
struct nss_dom_ctx *dctx = tevent_req_callback_data(req, struct nss_dom_ctx);
struct nss_cmd_ctx *cmdctx = dctx->cmdctx;
struct cli_ctx *cctx = cmdctx->cctx;
char *domname = NULL;
const char *rawname = dctx->rawname;
errno_t ret;
ret = sss_dp_get_domains_recv(req);
talloc_free(req);
if (ret != EOK) {
goto done;
}
ret = sss_parse_name_for_domains(cmdctx, cctx->rctx->domains,
cctx->rctx->default_domain, rawname,
&domname, &cmdctx->name);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, ("Invalid name received [%s]\n", rawname));
ret = ENOENT;
goto done;
}
DEBUG(SSSDBG_TRACE_FUNC, ("Requesting info for [%s] from [%s]\n",
cmdctx->name, domname?domname:"<ALL>"));
if (domname) {
dctx->domain = responder_get_domain(dctx, cctx->rctx, domname);
if (!dctx->domain) {
ret = ENOENT;
goto done;
}
} else {
/* this is a multidomain search */
dctx->domain = cctx->rctx->domains;
cmdctx->check_next = true;
}
dctx->check_provider = NEED_CHECK_PROVIDER(dctx->domain->provider);
/* ok, find it ! */
ret = nss_cmd_initgroups_search(dctx);
if (ret == EOK) {
/* we have results to return */
ret = nss_cmd_initgr_send_reply(dctx);
}
done:
nss_cmd_done(cmdctx, ret);
}
struct cli_protocol_version *register_cli_protocol_version(void)
{
static struct cli_protocol_version nss_cli_protocol_version[] = {
{1, "2008-09-05", "initial version, \\0 terminated strings"},
{0, NULL, NULL}
};
return nss_cli_protocol_version;
}
static struct sss_cmd_table nss_cmds[] = {
{SSS_GET_VERSION, sss_cmd_get_version},
{SSS_NSS_GETPWNAM, nss_cmd_getpwnam},
{SSS_NSS_GETPWUID, nss_cmd_getpwuid},
{SSS_NSS_SETPWENT, nss_cmd_setpwent},
{SSS_NSS_GETPWENT, nss_cmd_getpwent},
{SSS_NSS_ENDPWENT, nss_cmd_endpwent},
{SSS_NSS_GETGRNAM, nss_cmd_getgrnam},
{SSS_NSS_GETGRGID, nss_cmd_getgrgid},
{SSS_NSS_SETGRENT, nss_cmd_setgrent},
{SSS_NSS_GETGRENT, nss_cmd_getgrent},
{SSS_NSS_ENDGRENT, nss_cmd_endgrent},
{SSS_NSS_INITGR, nss_cmd_initgroups},
{SSS_NSS_SETNETGRENT, nss_cmd_setnetgrent},
{SSS_NSS_GETNETGRENT, nss_cmd_getnetgrent},
{SSS_NSS_ENDNETGRENT, nss_cmd_endnetgrent},
{SSS_NSS_GETSERVBYNAME, nss_cmd_getservbyname},
{SSS_NSS_GETSERVBYPORT, nss_cmd_getservbyport},
{SSS_NSS_SETSERVENT, nss_cmd_setservent},
{SSS_NSS_GETSERVENT, nss_cmd_getservent},
{SSS_NSS_ENDSERVENT, nss_cmd_endservent},
{SSS_CLI_NULL, NULL}
};
struct sss_cmd_table *get_nss_cmds(void) {
return nss_cmds;
}
int nss_cmd_execute(struct cli_ctx *cctx)
{
enum sss_cli_command cmd;
int i;
cmd = sss_packet_get_cmd(cctx->creq->in);
for (i = 0; nss_cmds[i].cmd != SSS_CLI_NULL; i++) {
if (cmd == nss_cmds[i].cmd) {
return nss_cmds[i].fn(cctx);
}
}
return EINVAL;
}