summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2001-06-22 00:57:59 +0000
committerJeremy Allison <jra@samba.org>2001-06-22 00:57:59 +0000
commit100a54e221dd0712ab37daa5359b202d0a059090 (patch)
tree9d23a24097d7dbbeea9fa8918875305d47780220
parent6fdffd9b6c6150793d86114f18c2239a53625e73 (diff)
downloadsamba-100a54e221dd0712ab37daa5359b202d0a059090.tar.gz
samba-100a54e221dd0712ab37daa5359b202d0a059090.tar.bz2
samba-100a54e221dd0712ab37daa5359b202d0a059090.zip
Andrew - please look this over. I've fixed a long standing (maybe 4-5
years old) bug when chainging a sessionsetup_and_X and tcon together. The wrong username was being entered into the tdb, even though the correct user was used for accessing files. This is related to the fact that authorise_login() is not used for sessionsetup, but only for tcon auths. Jeremy. (This used to be commit 0187cd6aef7586d7ad4bdc70c50f3f2e7c69519c)
-rw-r--r--source3/smbd/password.c283
-rw-r--r--source3/smbd/reply.c18
2 files changed, 164 insertions, 137 deletions
diff --git a/source3/smbd/password.c b/source3/smbd/password.c
index d2059e7e20..6be2989881 100644
--- a/source3/smbd/password.c
+++ b/source3/smbd/password.c
@@ -765,171 +765,182 @@ static char *validate_group(char *group,char *password,int pwlen,int snum)
return(NULL);
}
-
-
/****************************************************************************
-check for authority to login to a service with a given username/password
+ Check for authority to login to a service with a given username/password.
+ Note this is *NOT* used when logging on using sessionsetup_and_X.
****************************************************************************/
+
BOOL authorise_login(int snum,char *user,char *password, int pwlen,
BOOL *guest,BOOL *force,uint16 vuid)
{
- BOOL ok = False;
- user_struct *vuser = get_valid_user_struct(vuid);
+ BOOL ok = False;
+ user_struct *vuser = get_valid_user_struct(vuid);
- if (lp_security() > SEC_SHARE && !vuser) {
- DEBUG(1,("authorise_login: refusing user %s with no session setup\n",
- user));
- return False;
- }
-
- *guest = False;
-
#if DEBUG_PASSWORD
- DEBUG(100,("checking authorisation on user=%s pass=%s\n",user,password));
+ DEBUG(100,("authorise_login: checking authorisation on user=%s pass=%s\n",
+ user,password));
#endif
- /* there are several possibilities:
- 1) login as the given user with given password
- 2) login as a previously registered username with the given password
- 3) login as a session list username with the given password
- 4) login as a previously validated user/password pair
- 5) login as the "user =" user with given password
- 6) login as the "user =" user with no password (guest connection)
- 7) login as guest user with no password
+ *guest = False;
+
+ if (GUEST_ONLY(snum))
+ *force = True;
- if the service is guest_only then steps 1 to 5 are skipped
- */
+ if (!GUEST_ONLY(snum) && (lp_security() > SEC_SHARE)) {
- if (GUEST_ONLY(snum)) *force = True;
+ /*
+ * We should just use the given vuid from a sessionsetup_and_X.
+ */
- if (!(GUEST_ONLY(snum) && GUEST_OK(snum)))
- {
- /* check the given username and password */
- if (!ok && (*user) && user_ok(user,snum)) {
- ok = password_ok(user,password, pwlen, NULL);
- if (ok) DEBUG(3,("ACCEPTED: given username password ok\n"));
- }
+ if (!vuser) {
+ DEBUG(1,("authorise_login: refusing user %s with no session setup\n",
+ user));
+ return False;
+ }
- /* check for a previously registered guest username */
- if (!ok && (vuser != 0) && vuser->guest) {
- if (user_ok(vuser->user.unix_name,snum) &&
- password_ok(vuser->user.unix_name, password, pwlen, NULL)) {
- fstrcpy(user, vuser->user.unix_name);
- vuser->guest = False;
- DEBUG(3,("ACCEPTED: given password with registered user %s\n", user));
- ok = True;
+ if (!vuser->guest && user_ok(vuser->user.unix_name,snum)) {
+ fstrcpy(user,vuser->user.unix_name);
+ *guest = False;
+ DEBUG(3,("authorise_login: ACCEPTED: validated uid ok as non-guest \
+(user=%s)\n", user));
+ return True;
+ }
}
- }
-
+
+ /* there are several possibilities:
+ 1) login as the given user with given password
+ 2) login as a previously registered username with the given password
+ 3) login as a session list username with the given password
+ 4) login as a previously validated user/password pair
+ 5) login as the "user =" user with given password
+ 6) login as the "user =" user with no password (guest connection)
+ 7) login as guest user with no password
+
+ if the service is guest_only then steps 1 to 5 are skipped
+ */
+
+ if (!(GUEST_ONLY(snum) && GUEST_OK(snum))) {
+ /* check the given username and password */
+ if (!ok && (*user) && user_ok(user,snum)) {
+ ok = password_ok(user,password, pwlen, NULL);
+ if (ok)
+ DEBUG(3,("authorise_login: ACCEPTED: given username (%s) password ok\n",
+ user ));
+ }
- /* now check the list of session users */
- if (!ok)
- {
- char *auser;
- char *user_list = strdup(session_users);
- if (!user_list) return(False);
+ /* check for a previously registered guest username */
+ if (!ok && (vuser != 0) && vuser->guest) {
+ if (user_ok(vuser->user.unix_name,snum) &&
+ password_ok(vuser->user.unix_name, password, pwlen, NULL)) {
+ fstrcpy(user, vuser->user.unix_name);
+ vuser->guest = False;
+ DEBUG(3,("authorise_login: ACCEPTED: given password with registered user %s\n", user));
+ ok = True;
+ }
+ }
- for (auser=strtok(user_list,LIST_SEP);
- !ok && auser;
- auser = strtok(NULL,LIST_SEP))
- {
- fstring user2;
- fstrcpy(user2,auser);
- if (!user_ok(user2,snum)) continue;
+ /* now check the list of session users */
+ if (!ok) {
+ char *auser;
+ char *user_list = strdup(session_users);
+ if (!user_list)
+ return(False);
+
+ for (auser=strtok(user_list,LIST_SEP); !ok && auser;
+ auser = strtok(NULL,LIST_SEP)) {
+ fstring user2;
+ fstrcpy(user2,auser);
+ if (!user_ok(user2,snum))
+ continue;
- if (password_ok(user2,password, pwlen, NULL)) {
- ok = True;
- fstrcpy(user,user2);
- DEBUG(3,("ACCEPTED: session list username and given password ok\n"));
- }
- }
- free(user_list);
- }
+ if (password_ok(user2,password, pwlen, NULL)) {
+ ok = True;
+ fstrcpy(user,user2);
+ DEBUG(3,("authorise_login: ACCEPTED: session list username (%s) \
+and given password ok\n", user));
+ }
+ }
- /* check for a previously validated username/password pair */
- if (!ok && (lp_security() > SEC_SHARE) &&
- (vuser != 0) && !vuser->guest &&
- user_ok(vuser->user.unix_name,snum)) {
- fstrcpy(user,vuser->user.unix_name);
- *guest = False;
- DEBUG(3,("ACCEPTED: validated uid ok as non-guest\n"));
- ok = True;
- }
+ free(user_list);
+ }
- /* check for a rhosts entry */
- if (!ok && user_ok(user,snum) && check_hosts_equiv(user)) {
- ok = True;
- DEBUG(3,("ACCEPTED: hosts equiv or rhosts entry\n"));
- }
+ /* check for a previously validated username/password pair */
+ if (!ok && (lp_security() > SEC_SHARE) && (vuser != 0) && !vuser->guest &&
+ user_ok(vuser->user.unix_name,snum)) {
+ fstrcpy(user,vuser->user.unix_name);
+ *guest = False;
+ DEBUG(3,("authorise_login: ACCEPTED: validated uid (%s) as non-guest\n",
+ user));
+ ok = True;
+ }
- /* check the user= fields and the given password */
- if (!ok && lp_username(snum)) {
- char *auser;
- pstring user_list;
- StrnCpy(user_list,lp_username(snum),sizeof(pstring));
+ /* check for a rhosts entry */
+ if (!ok && user_ok(user,snum) && check_hosts_equiv(user)) {
+ ok = True;
+ DEBUG(3,("authorise_login: ACCEPTED: hosts equiv or rhosts entry for %s\n",
+ user));
+ }
- pstring_sub(user_list,"%S",lp_servicename(snum));
-
- for (auser=strtok(user_list,LIST_SEP);
- auser && !ok;
- auser = strtok(NULL,LIST_SEP))
- {
- if (*auser == '@')
- {
- auser = validate_group(auser+1,password,pwlen,snum);
- if (auser)
- {
- ok = True;
- fstrcpy(user,auser);
- DEBUG(3,("ACCEPTED: group username and given password ok\n"));
- }
- }
- else
- {
- fstring user2;
- fstrcpy(user2,auser);
- if (user_ok(user2,snum) &&
- password_ok(user2,password,pwlen,NULL))
- {
- ok = True;
- fstrcpy(user,user2);
- DEBUG(3,("ACCEPTED: user list username and given password ok\n"));
- }
- }
- }
- }
- } /* not guest only */
+ /* check the user= fields and the given password */
+ if (!ok && lp_username(snum)) {
+ char *auser;
+ pstring user_list;
+ StrnCpy(user_list,lp_username(snum),sizeof(pstring));
- /* check for a normal guest connection */
- if (!ok && GUEST_OK(snum))
- {
- fstring guestname;
- StrnCpy(guestname,lp_guestaccount(snum),sizeof(guestname)-1);
- if (Get_Pwnam(guestname,True))
- {
- fstrcpy(user,guestname);
- ok = True;
- DEBUG(3,("ACCEPTED: guest account and guest ok\n"));
+ pstring_sub(user_list,"%S",lp_servicename(snum));
+
+ for (auser=strtok(user_list,LIST_SEP); auser && !ok;
+ auser = strtok(NULL,LIST_SEP)) {
+ if (*auser == '@') {
+ auser = validate_group(auser+1,password,pwlen,snum);
+ if (auser) {
+ ok = True;
+ fstrcpy(user,auser);
+ DEBUG(3,("authorise_login: ACCEPTED: group username \
+and given password ok (%s)\n", user));
+ }
+ } else {
+ fstring user2;
+ fstrcpy(user2,auser);
+ if (user_ok(user2,snum) && password_ok(user2,password,pwlen,NULL)) {
+ ok = True;
+ fstrcpy(user,user2);
+ DEBUG(3,("authorise_login: ACCEPTED: user list username \
+and given password ok (%s)\n", user));
+ }
+ }
+ }
+ }
+ } /* not guest only */
+
+ /* check for a normal guest connection */
+ if (!ok && GUEST_OK(snum)) {
+ fstring guestname;
+ StrnCpy(guestname,lp_guestaccount(snum),sizeof(guestname)-1);
+ if (Get_Pwnam(guestname,True)) {
+ fstrcpy(user,guestname);
+ ok = True;
+ DEBUG(3,("authorise_login: ACCEPTED: guest account and guest ok (%s)\n",
+ user));
+ } else {
+ DEBUG(0,("authorise_login: Invalid guest account %s??\n",guestname));
+ }
+ *guest = True;
}
- else
- DEBUG(0,("Invalid guest account %s??\n",guestname));
- *guest = True;
- }
- if (ok && !user_ok(user,snum))
- {
- DEBUG(0,("rejected invalid user %s\n",user));
- ok = False;
- }
+ if (ok && !user_ok(user,snum)) {
+ DEBUG(0,("authorise_login: rejected invalid user %s\n",user));
+ ok = False;
+ }
- return(ok);
+ return(ok);
}
-
/****************************************************************************
-read the a hosts.equiv or .rhosts file and check if it
-allows this user from this machine
+ Read the a hosts.equiv or .rhosts file and check if it
+ allows this user from this machine.
****************************************************************************/
+
static BOOL check_user_equiv(char *user, char *remote, char *equiv_file)
{
int plus_allowed = 1;
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index e0b0cea2d3..cd7b3fe6fe 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -205,6 +205,14 @@ int reply_tcon(connection_struct *conn,
pstrcpy(service, p+1);
}
+ /*
+ * If the vuid is valid, we should be using that....
+ */
+
+ if (*user == '\0' && (lp_security() != SEC_SHARE) && validated_username(vuid)) {
+ pstrcpy(user,validated_username(vuid));
+ }
+
/*
* Ensure the user and password names are in UNIX codepage format.
*/
@@ -247,6 +255,7 @@ int reply_tcon(connection_struct *conn,
/****************************************************************************
Reply to a tcon and X.
****************************************************************************/
+
int reply_tcon_and_X(connection_struct *conn, char *inbuf,char *outbuf,int length,int bufsize)
{
fstring service;
@@ -298,6 +307,14 @@ int reply_tcon_and_X(connection_struct *conn, char *inbuf,char *outbuf,int lengt
DEBUG(4,("Got device type %s\n",devicename));
+ /*
+ * If the vuid is valid, we should be using that....
+ */
+
+ if (*user == '\0' && (lp_security() != SEC_SHARE) && validated_username(vuid)) {
+ pstrcpy(user,validated_username(vuid));
+ }
+
/*
* Pass the user through the NT -> unix user mapping
* function.
@@ -1066,7 +1083,6 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,int
return chain_reply(inbuf,outbuf,length,bufsize);
}
-
/****************************************************************************
reply to a chkpth
****************************************************************************/