summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2011-07-22 11:33:52 +1000
committerAndrew Bartlett <abartlet@samba.org>2011-08-03 18:48:02 +1000
commit8a650243b336f5a85ff119aa40c7744542c005e7 (patch)
treefacc17ee6213efcfdb93db401d2ae02813e37b55
parent35b309fa0cac9341f364243b03ebfcc80f74198e (diff)
downloadsamba-8a650243b336f5a85ff119aa40c7744542c005e7.tar.gz
samba-8a650243b336f5a85ff119aa40c7744542c005e7.tar.bz2
samba-8a650243b336f5a85ff119aa40c7744542c005e7.zip
s3-auth Move map to guest to directly after the check_password calls
This means we no longer need two different map to guest functions and have consistent logic with fewer layering violations. Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
-rw-r--r--source3/auth/auth_ntlmssp.c4
-rw-r--r--source3/auth/auth_util.c32
-rw-r--r--source3/auth/proto.h4
-rw-r--r--source3/smbd/sesssetup.c71
-rw-r--r--source3/smbd/smb2_sesssetup.c35
5 files changed, 49 insertions, 97 deletions
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index 61029bc95d..2157d355d2 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -145,6 +145,10 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
free_user_info(&user_info);
if (!NT_STATUS_IS_OK(nt_status)) {
+ nt_status = do_map_to_guest_server_info(nt_status,
+ &auth_ntlmssp_state->server_info,
+ auth_ntlmssp_state->ntlmssp_state->user,
+ auth_ntlmssp_state->ntlmssp_state->domain);
return nt_status;
}
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index a261e39b7b..1621630b87 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1580,3 +1580,35 @@ bool is_trusted_domain(const char* dom_name)
return false;
}
+
+
+/*
+ on a logon error possibly map the error to success if "map to guest"
+ is set approriately
+*/
+NTSTATUS do_map_to_guest_server_info(NTSTATUS status,
+ struct auth_serversupplied_info **server_info,
+ const char *user, const char *domain)
+{
+ user = user ? user : "";
+ domain = domain ? domain : "";
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
+ if ((lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER) ||
+ (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD)) {
+ DEBUG(3,("No such user %s [%s] - using guest account\n",
+ user, domain));
+ status = make_server_info_guest(NULL, server_info);
+ }
+ }
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
+ if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD) {
+ DEBUG(3,("Registered username %s for guest access\n",
+ user));
+ status = make_server_info_guest(NULL, server_info);
+ }
+ }
+
+ return status;
+}
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index d51a3e6444..f2b7875997 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -214,6 +214,10 @@ NTSTATUS make_user_info(struct auth_usersupplied_info **ret_user_info,
enum auth_password_state password_state);
void free_user_info(struct auth_usersupplied_info **user_info);
+NTSTATUS do_map_to_guest_server_info(NTSTATUS status,
+ struct auth_serversupplied_info **server_info,
+ const char *user, const char *domain);
+
/* The following definitions come from auth/auth_winbind.c */
NTSTATUS auth_winbind_init(void);
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 2df8b435e5..329b8b6aa5 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -46,68 +46,6 @@ struct pending_auth_data {
DATA_BLOB partial_data;
};
-/*
- on a logon error possibly map the error to success if "map to guest"
- is set approriately
-*/
-static NTSTATUS do_map_to_guest_server_info(NTSTATUS status,
- struct auth_serversupplied_info **server_info,
- const char *user, const char *domain)
-{
- user = user ? user : "";
- domain = domain ? domain : "";
-
- if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
- if ((lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER) ||
- (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD)) {
- DEBUG(3,("No such user %s [%s] - using guest account\n",
- user, domain));
- status = make_server_info_guest(NULL, server_info);
- }
- }
-
- if (NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
- if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD) {
- DEBUG(3,("Registered username %s for guest access\n",
- user));
- status = make_server_info_guest(NULL, server_info);
- }
- }
-
- return status;
-}
-
-/*
- on a logon error possibly map the error to success if "map to guest"
- is set approriately
-*/
-NTSTATUS do_map_to_guest(NTSTATUS status,
- struct auth_session_info **session_info,
- const char *user, const char *domain)
-{
- user = user ? user : "";
- domain = domain ? domain : "";
-
- if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
- if ((lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER) ||
- (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD)) {
- DEBUG(3,("No such user %s [%s] - using guest account\n",
- user, domain));
- status = make_session_info_guest(NULL, session_info);
- }
- }
-
- if (NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
- if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD) {
- DEBUG(3,("Registered username %s for guest access\n",
- user));
- status = make_session_info_guest(NULL, session_info);
- }
- }
-
- return status;
-}
-
/****************************************************************************
Add the standard 'Samba' signature to the end of the session setup.
****************************************************************************/
@@ -494,15 +432,6 @@ static void reply_spnego_ntlmssp(struct smb_request *req,
if (NT_STATUS_IS_OK(nt_status)) {
nt_status = auth_ntlmssp_steal_session_info(talloc_tos(),
(*auth_ntlmssp_state), &session_info);
- } else {
- /* Note that this session_info won't have a session
- * key. But for map to guest, that's exactly the right
- * thing - we can't reasonably guess the key the
- * client wants, as the password was wrong */
- nt_status = do_map_to_guest(nt_status,
- &session_info,
- auth_ntlmssp_get_username(*auth_ntlmssp_state),
- auth_ntlmssp_get_domain(*auth_ntlmssp_state));
}
reply_outbuf(req, 4, 0);
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 7a83953256..511df8639d 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -151,26 +151,6 @@ static int smbd_smb2_session_destructor(struct smbd_smb2_session *session)
return 0;
}
-static NTSTATUS setup_ntlmssp_session_info(struct smbd_smb2_session *session,
- NTSTATUS status)
-{
- if (NT_STATUS_IS_OK(status)) {
- status = auth_ntlmssp_steal_session_info(session,
- session->auth_ntlmssp_state,
- &session->session_info);
- } else {
- /* Note that this session_info won't have a session
- * key. But for map to guest, that's exactly the right
- * thing - we can't reasonably guess the key the
- * client wants, as the password was wrong */
- status = do_map_to_guest(status,
- &session->session_info,
- auth_ntlmssp_get_username(session->auth_ntlmssp_state),
- auth_ntlmssp_get_domain(session->auth_ntlmssp_state));
- }
- return status;
-}
-
#ifdef HAVE_KRB5
static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
struct smbd_smb2_request *smb2req,
@@ -606,11 +586,12 @@ static NTSTATUS smbd_smb2_spnego_auth(struct smbd_smb2_session *session,
status = auth_ntlmssp_update(session->auth_ntlmssp_state,
auth,
&auth_out);
- /* We need to call setup_ntlmssp_session_info() if status==NT_STATUS_OK,
- or if status is anything except NT_STATUS_MORE_PROCESSING_REQUIRED,
- as this can trigger map to guest. */
- if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- status = setup_ntlmssp_session_info(session, status);
+ /* If status is NT_STATUS_OK then we need to get the token.
+ * Map to guest is now internal to auth_ntlmssp */
+ if (NT_STATUS_IS_OK(status)) {
+ status = auth_ntlmssp_steal_session_info(session,
+ session->auth_ntlmssp_state,
+ &session->session_info);
}
if (!NT_STATUS_IS_OK(status) &&
@@ -689,7 +670,9 @@ static NTSTATUS smbd_smb2_raw_ntlmssp_auth(struct smbd_smb2_session *session,
return status;
}
- status = setup_ntlmssp_session_info(session, status);
+ status = auth_ntlmssp_steal_session_info(session,
+ session->auth_ntlmssp_state,
+ &session->session_info);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(session->auth_ntlmssp_state);