pam_winbind: Create and use a wbclient context
authorAndreas Schneider <asn@samba.org>
Thu, 24 Mar 2016 08:38:56 +0000 (09:38 +0100)
committerAndreas Schneider <asn@cryptomilk.org>
Fri, 25 Mar 2016 16:45:24 +0000 (17:45 +0100)
PAM sessions are long running. If we create a PAM session, a connection
to winbind is established and only closed by the destructor of the
libwbclient library. If we create a wbcContext, we will free it at the
end of the PAM function being called and the socket will be closed. This
decreases the number of allocated 'winbindd_cli_state' structures in
winbind for every logged in user.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Mar 25 17:45:24 CET 2016 on sn-devel-144

nsswitch/pam_winbind.c
nsswitch/pam_winbind.h

index 745735fcd2dace4fd003a357bc5041af68cfa6b0..b2e1778c69d85b300e89311ed9e6c594b0f136ce 100644 (file)
@@ -540,6 +540,8 @@ static int _pam_winbind_free_context(struct pwb_context *ctx)
                tiniparser_freedict(ctx->dict);
        }
 
+       wbcCtxFree(ctx->wbc_ctx);
+
        return 0;
 }
 
@@ -575,6 +577,12 @@ static int _pam_winbind_init_context(pam_handle_t *pamh,
        }
        r->ctrl = ctrl_code;
 
+       r->wbc_ctx = wbcCtxCreate();
+       if (r->wbc_ctx == NULL) {
+               TALLOC_FREE(r);
+               return PAM_SYSTEM_ERR;
+       }
+
        *ctx_p = r;
 
        return PAM_SUCCESS;
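Review bot: The new failure branch after `wbcCtxCreate()` returns `PAM_SYSTEM_ERR` without logging anything, so a login refused at this point leaves no trace for whoever has to diagnose it. A line such as `_pam_log(r, LOG_ERR, "failed to create wbclient context");` before `TALLOC_FREE(r)` would make it visible, assuming `r` is populated enough for `_pam_log` by then. The start of `_pam_winbind_init_context` is outside the hunk, so that assumption needs checking there.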
@@ -1102,7 +1110,11 @@ static bool winbind_name_to_sid_string(struct pwb_context *ctx,
                _pam_log_debug(ctx, LOG_DEBUG,
                               "no sid given, looking up: %s\n", name);
 
-               wbc_status = wbcLookupName("", name, &sid, &type);
+               wbc_status = wbcCtxLookupName(ctx->wbc_ctx,
+                                             "",
+                                             name,
+                                             &sid,
+                                             &type);
                if (!WBC_ERROR_IS_OK(wbc_status)) {
                        _pam_log(ctx, LOG_INFO,
                                 "could not lookup name: %s\n", name);
@@ -1822,7 +1834,11 @@ static int winbind_auth_request(struct pwb_context *ctx,
                }
        }
 
-       wbc_status = wbcLogonUser(&logon, &info, &error, &policy);
+       wbc_status = wbcCtxLogonUser(ctx->wbc_ctx,
+                                    &logon,
+                                    &info,
+                                    &error,
+                                    &policy);
        ret = wbc_auth_error_to_pam_error(ctx, error, wbc_status,
                                          user, "wbcLogonUser");
        wbcFreeMemory(logon.blobs);
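Review bot: The label passed to `wbc_auth_error_to_pam_error()` still reads `"wbcLogonUser"` although the call is now `wbcCtxLogonUser()`, so if that label reaches the log text it names a function that is no longer called. The same applies to `"wbcChangeUserPasswordEx"` in `winbind_chauthtok_request`, `"valid_user: wbcGetpwnam gave %s\n"` in `valid_user` and `"wbcLogoffUser"` in `_pam_delete_cred`. Either update the strings, e.g. `user, "wbcCtxLogonUser");`, or add a comment saying the old names are kept on purpose so existing log matching keeps working.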
@@ -1969,7 +1985,11 @@ static int winbind_chauthtok_request(struct pwb_context *ctx,
        params.new_password.plaintext   = newpass;
        params.flags                    = flags;
 
-       wbc_status = wbcChangeUserPasswordEx(&params, &error, &reject_reason, &policy);
+       wbc_status = wbcCtxChangeUserPasswordEx(ctx->wbc_ctx,
+                                               &params,
+                                               &error,
+                                               &reject_reason,
+                                               &policy);
        ret = wbc_auth_error_to_pam_error(ctx, error, wbc_status,
                                          user, "wbcChangeUserPasswordEx");
 
@@ -2073,7 +2093,7 @@ static int valid_user(struct pwb_context *ctx,
                return 1;
        }
 
-       wbc_status = wbcGetpwnam(user, &wb_pwd);
+       wbc_status = wbcCtxGetpwnam(ctx->wbc_ctx, user, &wb_pwd);
        wbcFreeMemory(wb_pwd);
        if (!WBC_ERROR_IS_OK(wbc_status)) {
                _pam_log(ctx, LOG_DEBUG, "valid_user: wbcGetpwnam gave %s\n",
@@ -2403,7 +2423,7 @@ static char winbind_get_separator(struct pwb_context *ctx)
        wbcErr wbc_status;
        static struct wbcInterfaceDetails *details = NULL;
 
-       wbc_status = wbcInterfaceDetails(&details);
+       wbc_status = wbcCtxInterfaceDetails(ctx->wbc_ctx, &details);
        if (!WBC_ERROR_IS_OK(wbc_status)) {
                _pam_log(ctx, LOG_ERR,
                         "Could not retrieve winbind interface details: %s",
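Review bot: `details` stays `static` while the context it is fetched through is now created per PAM call, and every call passes `&details` to `wbcCtxInterfaceDetails()` again, which presumably overwrites the pointer. Unless the rest of the function (outside the hunk) releases the previous value, each call loses one result in a process the commit message itself describes as long running. Making `details` a plain local, copying the separator out and calling `wbcFreeMemory(details);` before returning would bound that.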
@@ -2458,14 +2478,14 @@ static char* winbind_upn_to_username(struct pwb_context *ctx,
 
        /* Convert the UPN to a SID */
 
-       wbc_status = wbcLookupName(domain, name, &sid, &type);
+       wbc_status = wbcCtxLookupName(ctx->wbc_ctx, domain, name, &sid, &type);
        if (!WBC_ERROR_IS_OK(wbc_status)) {
                return NULL;
        }
 
        /* Convert the the SID back to the sAMAccountName */
 
-       wbc_status = wbcLookupSid(&sid, &domain, &name, &type);
+       wbc_status = wbcCtxLookupSid(ctx->wbc_ctx, &sid, &domain, &name, &type);
        if (!WBC_ERROR_IS_OK(wbc_status)) {
                return NULL;
        }
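Review bot: `wbcCtxLookupSid()` is handed `&domain` and `&name`, the same variables that were just passed by value to `wbcCtxLookupName()`, so on success they are repointed at strings returned by libwbclient. The hunk ends before they are used, so it is not visible whether `wbcFreeMemory(domain);` and `wbcFreeMemory(name);` follow once the result string is built. If they do not, both strings are lost on every UPN conversion. A one-line comment at the second call stating who owns the two strings before and after it would make that easy to verify.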
@@ -2570,7 +2590,7 @@ static int _pam_delete_cred(pam_handle_t *pamh, int flags,
                        goto out;
                }
 
-               wbc_status = wbcLogoffUserEx(&logoff, &error);
+               wbc_status = wbcCtxLogoffUserEx(ctx->wbc_ctx, &logoff, &error);
                retval = wbc_auth_error_to_pam_error(ctx, error, wbc_status,
                                                     user, "wbcLogoffUser");
                wbcFreeMemory(error);
index 13542b2968f002dba0b99139563a020969dce895..6b65c462eaa6d7474de87a5462e3def86e1b451c 100644 (file)
@@ -213,6 +213,7 @@ struct pwb_context {
        const char **argv;
        struct tiniparser_dictionary *dict;
        uint32_t ctrl;
+       struct wbcContext *wbc_ctx;
 };
 
 #ifndef TALLOC_FREE
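Review bot: The new `wbc_ctx` member carries no comment on its lifetime, although that lifetime is the purpose of the change. Suggest adding `/* libwbclient context for this PAM call; created in _pam_winbind_init_context(), freed (socket closed) in _pam_winbind_free_context() */` above the field, so later callers do not fall back to the context-less `wbc*()` functions.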