diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2001-11-08 22:19:01 +0000 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2001-11-08 22:19:01 +0000 |
| commit | 55dfb66079333acd8e0aee91c0ee90d0a413a8e6 (patch) | |
| tree | dcd7c178dbb2df6b578123bd9ee7fe78e38e979e | |
| parent | f56a3ea612beded266c614511aa4c451639cbe9a (diff) | |
| download | samba-55dfb66079333acd8e0aee91c0ee90d0a413a8e6.tar.gz samba-55dfb66079333acd8e0aee91c0ee90d0a413a8e6.tar.bz2 samba-55dfb66079333acd8e0aee91c0ee90d0a413a8e6.zip | |
Change to guest logon code.
This changes the way we process guest logons - we now treat them as normal
logons, but set the 'guest' flag. In particular this is needed becouse Win2k
will do an NTLMSSP login with username "", therefore missing our previous guest
connection code - this is getting a pain to do as a special case all over the
shop.
Tridge: We don't seem to be setting a guest bit for NTLMSSP, in either the
anonymous or authenticated case, can you take a look at this?
Also some cleanups in the check_password() code that should make some of the
debugs clearer.
Various other minor cleanups:
- change the session code to just take a vuser, rather than having to do a
vuid lookup on vuser.vuid
- Change some of the global_client_caps linking
- Better debug in authorise_login(): show the vuid.
Andrew Bartlett
(This used to be commit 62f4e4bd0aef9ade653b3f8d575d2864c166ab4d)
| -rw-r--r-- | source3/auth/auth.c | 67 | ||||
| -rw-r--r-- | source3/auth/auth_util.c | 53 | ||||
| -rw-r--r-- | source3/rpc_server/srv_netlog_nt.c | 9 | ||||
| -rw-r--r-- | source3/rpc_server/srv_pipe.c | 51 | ||||
| -rw-r--r-- | source3/smbd/auth.c | 67 | ||||
| -rw-r--r-- | source3/smbd/auth_util.c | 53 | ||||
| -rw-r--r-- | source3/smbd/password.c | 18 | ||||
| -rw-r--r-- | source3/smbd/reply.c | 2 | ||||
| -rw-r--r-- | source3/smbd/session.c | 8 | ||||
| -rw-r--r-- | source3/smbd/sesssetup.c | 120 |
10 files changed, 292 insertions, 156 deletions
diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 4d1a566833..67f80afdda 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -63,9 +63,23 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; BOOL done_pam = False; + const char *pdb_username; - DEBUG(3, ("check_password: Checking password for unmapped user %s\\%s@%s with the new password interface\n", - user_info->smb_name.str, user_info->client_domain.str, user_info->wksta_name.str)); + DEBUG(3, ("check_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n", + user_info->client_domain.str, user_info->smb_name.str, user_info->wksta_name.str)); + + DEBUG(3, ("check_password: mapped user is: [%s]\\[%s]@[%s]\n", + user_info->domain.str, user_info->internal_username.str, user_info->wksta_name.str)); + + if (!NT_STATUS_IS_OK(nt_status)) { + nt_status = check_guest_security(user_info, server_info); + if (NT_STATUS_IS_OK(nt_status)) { + DEBUG(5, ("check_password: checking guest-account for user [%s] suceeded\n", user_info->smb_name.str)); + } else { + DEBUG(10, ("check_password: checking gusst-account for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + + } + } /* This needs to be sorted: If it doesn't match, what should we do? */ if (!check_domain_match(user_info->smb_name.str, user_info->domain.str)) { @@ -75,9 +89,9 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, if (!NT_STATUS_IS_OK(nt_status)) { nt_status = check_rhosts_security(user_info, server_info); if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(7, ("check_password: Password (rhosts) for user %s suceeded\n", user_info->smb_name.str)); + DEBUG(3, ("check_password: Password (rhosts) for user [%s] suceeded\n", user_info->smb_name.str)); } else { - DEBUG(5, ("check_password: Password (rhosts)for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + DEBUG(10, ("check_password: Password (rhosts) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); } } @@ -85,9 +99,9 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, if ((lp_security() == SEC_DOMAIN) && !NT_STATUS_IS_OK(nt_status)) { nt_status = check_domain_security(user_info, server_info); if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(7, ("check_password: Password (domain) for user %s suceeded\n", user_info->smb_name.str)); + DEBUG(7, ("check_password: Password (domain) for user [%s] suceeded\n", user_info->smb_name.str)); } else { - DEBUG(5, ("check_password: Password (domain) for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + DEBUG(5, ("check_password: Password (domain) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); } } @@ -95,9 +109,9 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, if ((lp_security() == SEC_SERVER) && !NT_STATUS_IS_OK(nt_status)) { nt_status = check_server_security(user_info, server_info); if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(7, ("check_password: Password (server) for user %s suceeded\n", user_info->smb_name.str)); + DEBUG(7, ("check_password: Password (server) for user [%s] suceeded\n", user_info->smb_name.str)); } else { - DEBUG(5, ("check_password: Password (server) for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + DEBUG(5, ("check_password: Password (server) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); } } @@ -115,32 +129,37 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, } if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(7, ("check_password: Password (unix/smbpasswd) for user %s suceeded\n", user_info->smb_name.str)); + DEBUG(7, ("check_password: Password (unix/smbpasswd) for user [%s] suceeded\n", user_info->smb_name.str)); } else { - DEBUG(5, ("check_password: Password (unix/smbpasswd) for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + DEBUG(5, ("check_password: Password (unix/smbpasswd) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); } } - - if (NT_STATUS_IS_OK(nt_status) && !done_pam) { - /* We might not be root if we are an RPC call */ - become_root(); - nt_status = smb_pam_accountcheck(pdb_get_username((*server_info)->sam_account)); - unbecome_root(); - - if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(5, ("check_password: PAM Account for user %s suceeded\n", user_info->smb_name.str)); - } else { - DEBUG(3, ("check_password: PAM Account for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + if (NT_STATUS_IS_OK(nt_status)) { + pdb_username = pdb_get_username((*server_info)->sam_account); + if (!done_pam && !(*server_info)->guest) { + /* We might not be root if we are an RPC call */ + become_root(); + nt_status = smb_pam_accountcheck(pdb_username); + unbecome_root(); - } + if (NT_STATUS_IS_OK(nt_status)) { + DEBUG(5, ("check_password: PAM Account for user [%s] suceeded\n", pdb_username)); + } else { + DEBUG(3, ("check_password: PAM Account for user [%s] FAILED with error %s\n", pdb_username, get_nt_error_msg(nt_status))); + } + } } if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(5, ("check_password: Password for smb user %s suceeded\n", user_info->smb_name.str)); + DEBUG(3, ("check_password: %sauthenticaion for user [%s] -> [%s] -> [%s] suceeded\n", + (*server_info)->guest ? "guest " : "", + user_info->smb_name.str, + user_info->internal_username.str, + pdb_username)); } else { - DEBUG(3, ("check_password: Password for smb user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + DEBUG(3, ("check_password: Authenticaion for user [%s] -> [%s] FAILED with error %s\n", user_info->smb_name.str, user_info->internal_username.str, get_nt_error_msg(nt_status))); ZERO_STRUCTP(server_info); } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 421ab3f1e4..cfdf3a6acc 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -589,6 +589,27 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, return ret; } +/**************************************************************************** + Create a guest user_info blob, for anonymous authenticaion. +****************************************************************************/ + +BOOL make_user_info_guest(auth_usersupplied_info **user_info) +{ + DATA_BLOB sec_blob = data_blob(NULL, 0); + DATA_BLOB lm_blob = data_blob(NULL, 0); + DATA_BLOB nt_blob = data_blob(NULL, 0); + DATA_BLOB plaintext_blob = data_blob(NULL, 0); + uint32 ntlmssp_flags = 0; + + return make_user_info(user_info, + "","", + "","", + "", sec_blob, + nt_blob, lm_blob, + plaintext_blob, + ntlmssp_flags, True); +} + BOOL make_server_info(auth_serversupplied_info **server_info) { *server_info = malloc(sizeof(**server_info)); @@ -664,13 +685,19 @@ void free_server_info(auth_serversupplied_info **server_info) Make a server_info struct for a guest user ***************************************************************************/ -void make_server_info_guest(auth_serversupplied_info **server_info) +BOOL make_server_info_guest(auth_serversupplied_info **server_info) { struct passwd *pass = sys_getpwnam(lp_guestaccount(-1)); if (pass) { - make_server_info_pw(server_info, pass); + if (!make_server_info_pw(server_info, pass)) { + return False; + } + (*server_info)->guest = True; + return True; } + DEBUG(0,("make_server_info_guest: sys_getpwnam() failed on guest account!\n")); + return False; } /**************************************************************************** @@ -712,3 +739,25 @@ NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken) return token; } + +/**************************************************************************** + Check for a guest logon (username = "") and if so create the required + structure. +****************************************************************************/ + +NTSTATUS check_guest_security(const auth_usersupplied_info *user_info, + auth_serversupplied_info **server_info) +{ + NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; + + if (!(user_info->internal_username.str + && *user_info->internal_username.str)) { + if (make_server_info_guest(server_info)) { + nt_status = NT_STATUS_OK; + } else { + nt_status = NT_STATUS_NO_SUCH_USER; + } + } + + return nt_status; +} diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c index 44faefb645..1aa58f5274 100644 --- a/source3/rpc_server/srv_netlog_nt.c +++ b/source3/rpc_server/srv_netlog_nt.c @@ -597,7 +597,7 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON * free_user_info(&user_info); - DEBUG(5, ("_net_sam_logon: exiting with status %s\n", + DEBUG(5, ("_net_sam_logon: check_password returned status %s\n", get_nt_error_msg(status))); /* Check account and password */ @@ -607,6 +607,13 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON * return status; } + if (server_info->guest) { + /* We don't like guest domain logons... */ + DEBUG(5,("_net_sam_logon: Attempted domain logon as GUEST denied.\n")); + free_server_info(&server_info); + return NT_STATUS_LOGON_FAILURE; + } + /* This is the point at which, if the login was successful, that the SAM Local Security Authority should record that the user is logged in to the domain. */ diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index a718516baa..e3969f7ea8 100644 --- a/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c @@ -268,7 +268,8 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm fstring pipe_user_name; fstring domain; fstring wks; - BOOL guest_user = False; + + NTSTATUS nt_status; auth_usersupplied_info *user_info = NULL; auth_serversupplied_info *server_info = NULL; @@ -328,8 +329,7 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm if((strlen(user_name) == 0) && (ntlmssp_resp->hdr_nt_resp.str_str_len==0)) { - guest_user = True; - + fstrcpy(pipe_user_name, lp_guestaccount(-1)); DEBUG(100,("Null user in NTLMSSP verification. Using guest = %s\n", pipe_user_name)); @@ -352,32 +352,25 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm } - if(!guest_user) { - NTSTATUS nt_status; - - if (!make_user_info_netlogon_network(&user_info, - user_name, domain, wks, (uchar*)p->challenge, - lm_owf, lm_pw_len, - nt_owf, nt_pw_len)) { - DEBUG(0,("make_user_info_netlogon_network failed! Failing authenticaion.\n")); - return False; - } - - nt_status = check_password(user_info, &server_info); - - free_user_info(&user_info); - - p->ntlmssp_auth_validated = NT_STATUS_IS_OK(nt_status); - - if (!p->ntlmssp_auth_validated) { - DEBUG(1,("api_pipe_ntlmssp_verify: User %s\\%s from machine %s \ + if (!make_user_info_netlogon_network(&user_info, + user_name, domain, wks, (uchar*)p->challenge, + lm_owf, lm_pw_len, + nt_owf, nt_pw_len)) { + DEBUG(0,("make_user_info_netlogon_network failed! Failing authenticaion.\n")); + return False; + } + + nt_status = check_password(user_info, &server_info); + + free_user_info(&user_info); + + p->ntlmssp_auth_validated = NT_STATUS_IS_OK(nt_status); + + if (!p->ntlmssp_auth_validated) { + DEBUG(1,("api_pipe_ntlmssp_verify: User %s\\%s from machine %s \ failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name )); - free_server_info(&server_info); - return False; - } - } else { - /* This includes a NULLed out first_8_lm_hash */ - make_server_info_guest(&server_info); + free_server_info(&server_info); + return False; } /* @@ -450,7 +443,7 @@ failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name /* Create an NT_USER_TOKEN struct for this user. */ p->pipe_user.nt_user_token = create_nt_token(p->pipe_user.uid,p->pipe_user.gid, p->pipe_user.ngroups, p->pipe_user.groups, - guest_user, server_info->ptok); + server_info->guest, server_info->ptok); p->ntlmssp_auth_validated = True; diff --git a/source3/smbd/auth.c b/source3/smbd/auth.c index 4d1a566833..67f80afdda 100644 --- a/source3/smbd/auth.c +++ b/source3/smbd/auth.c @@ -63,9 +63,23 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; BOOL done_pam = False; + const char *pdb_username; - DEBUG(3, ("check_password: Checking password for unmapped user %s\\%s@%s with the new password interface\n", - user_info->smb_name.str, user_info->client_domain.str, user_info->wksta_name.str)); + DEBUG(3, ("check_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n", + user_info->client_domain.str, user_info->smb_name.str, user_info->wksta_name.str)); + + DEBUG(3, ("check_password: mapped user is: [%s]\\[%s]@[%s]\n", + user_info->domain.str, user_info->internal_username.str, user_info->wksta_name.str)); + + if (!NT_STATUS_IS_OK(nt_status)) { + nt_status = check_guest_security(user_info, server_info); + if (NT_STATUS_IS_OK(nt_status)) { + DEBUG(5, ("check_password: checking guest-account for user [%s] suceeded\n", user_info->smb_name.str)); + } else { + DEBUG(10, ("check_password: checking gusst-account for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + + } + } /* This needs to be sorted: If it doesn't match, what should we do? */ if (!check_domain_match(user_info->smb_name.str, user_info->domain.str)) { @@ -75,9 +89,9 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, if (!NT_STATUS_IS_OK(nt_status)) { nt_status = check_rhosts_security(user_info, server_info); if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(7, ("check_password: Password (rhosts) for user %s suceeded\n", user_info->smb_name.str)); + DEBUG(3, ("check_password: Password (rhosts) for user [%s] suceeded\n", user_info->smb_name.str)); } else { - DEBUG(5, ("check_password: Password (rhosts)for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + DEBUG(10, ("check_password: Password (rhosts) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); } } @@ -85,9 +99,9 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, if ((lp_security() == SEC_DOMAIN) && !NT_STATUS_IS_OK(nt_status)) { nt_status = check_domain_security(user_info, server_info); if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(7, ("check_password: Password (domain) for user %s suceeded\n", user_info->smb_name.str)); + DEBUG(7, ("check_password: Password (domain) for user [%s] suceeded\n", user_info->smb_name.str)); } else { - DEBUG(5, ("check_password: Password (domain) for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + DEBUG(5, ("check_password: Password (domain) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); } } @@ -95,9 +109,9 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, if ((lp_security() == SEC_SERVER) && !NT_STATUS_IS_OK(nt_status)) { nt_status = check_server_security(user_info, server_info); if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(7, ("check_password: Password (server) for user %s suceeded\n", user_info->smb_name.str)); + DEBUG(7, ("check_password: Password (server) for user [%s] suceeded\n", user_info->smb_name.str)); } else { - DEBUG(5, ("check_password: Password (server) for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + DEBUG(5, ("check_password: Password (server) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); } } @@ -115,32 +129,37 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, } if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(7, ("check_password: Password (unix/smbpasswd) for user %s suceeded\n", user_info->smb_name.str)); + DEBUG(7, ("check_password: Password (unix/smbpasswd) for user [%s] suceeded\n", user_info->smb_name.str)); } else { - DEBUG(5, ("check_password: Password (unix/smbpasswd) for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + DEBUG(5, ("check_password: Password (unix/smbpasswd) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); } } - - if (NT_STATUS_IS_OK(nt_status) && !done_pam) { - /* We might not be root if we are an RPC call */ - become_root(); - nt_status = smb_pam_accountcheck(pdb_get_username((*server_info)->sam_account)); - unbecome_root(); - - if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(5, ("check_password: PAM Account for user %s suceeded\n", user_info->smb_name.str)); - } else { - DEBUG(3, ("check_password: PAM Account for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + if (NT_STATUS_IS_OK(nt_status)) { + pdb_username = pdb_get_username((*server_info)->sam_account); + if (!done_pam && !(*server_info)->guest) { + /* We might not be root if we are an RPC call */ + become_root(); + nt_status = smb_pam_accountcheck(pdb_username); + unbecome_root(); - } + if (NT_STATUS_IS_OK(nt_status)) { + DEBUG(5, ("check_password: PAM Account for user [%s] suceeded\n", pdb_username)); + } else { + DEBUG(3, ("check_password: PAM Account for user [%s] FAILED with error %s\n", pdb_username, get_nt_error_msg(nt_status))); + } + } } if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(5, ("check_password: Password for smb user %s suceeded\n", user_info->smb_name.str)); + DEBUG(3, ("check_password: %sauthenticaion for user [%s] -> [%s] -> [%s] suceeded\n", + (*server_info)->guest ? "guest " : "", + user_info->smb_name.str, + user_info->internal_username.str, + pdb_username)); } else { - DEBUG(3, ("check_password: Password for smb user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + DEBUG(3, ("check_password: Authenticaion for user [%s] -> [%s] FAILED with error %s\n", user_info->smb_name.str, user_info->internal_username.str, get_nt_error_msg(nt_status))); ZERO_STRUCTP(server_info); } diff --git a/source3/smbd/auth_util.c b/source3/smbd/auth_util.c index 421ab3f1e4..cfdf3a6acc 100644 --- a/source3/smbd/auth_util.c +++ b/source3/smbd/auth_util.c @@ -589,6 +589,27 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, return ret; } +/**************************************************************************** + Create a guest user_info blob, for anonymous authenticaion. +****************************************************************************/ + +BOOL make_user_info_guest(auth_usersupplied_info **user_info) +{ + DATA_BLOB sec_blob = data_blob(NULL, 0); + DATA_BLOB lm_blob = data_blob(NULL, 0); + DATA_BLOB nt_blob = data_blob(NULL, 0); + DATA_BLOB plaintext_blob = data_blob(NULL, 0); + uint32 ntlmssp_flags = 0; + + return make_user_info(user_info, + "","", + "","", + "", sec_blob, + nt_blob, lm_blob, + plaintext_blob, + ntlmssp_flags, True); +} + BOOL make_server_info(auth_serversupplied_info **server_info) { *server_info = malloc(sizeof(**server_info)); @@ -664,13 +685,19 @@ void free_server_info(auth_serversupplied_info **server_info) Make a server_info struct for a guest user ***************************************************************************/ -void make_server_info_guest(auth_serversupplied_info **server_info) +BOOL make_server_info_guest(auth_serversupplied_info **server_info) { struct passwd *pass = sys_getpwnam(lp_guestaccount(-1)); if (pass) { - make_server_info_pw(server_info, pass); + if (!make_server_info_pw(server_info, pass)) { + return False; + } + (*server_info)->guest = True; + return True; } + DEBUG(0,("make_server_info_guest: sys_getpwnam() failed on guest account!\n")); + return False; } /**************************************************************************** @@ -712,3 +739,25 @@ NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken) return token; } + +/**************************************************************************** + Check for a guest logon (username = "") and if so create the required + structure. +****************************************************************************/ + +NTSTATUS check_guest_security(const auth_usersupplied_info *user_info, + auth_serversupplied_info **server_info) +{ + NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; + + if (!(user_info->internal_username.str + && *user_info->internal_username.str)) { + if (make_server_info_guest(server_info)) { + nt_status = NT_STATUS_OK; + } else { + nt_status = NT_STATUS_NO_SUCH_USER; + } + } + + return nt_status; +} diff --git a/source3/smbd/password.c b/source3/smbd/password.c index f0fec9b796..cbd4d14681 100644 --- a/source3/smbd/password.c +++ b/source3/smbd/password.c @@ -66,7 +66,7 @@ void invalidate_vuid(uint16 vuid) if (vuser == NULL) return; - session_yield(vuid); + session_yield(vuser); DLIST_REMOVE(validated_users, vuser); @@ -208,7 +208,7 @@ has been given. vuid is biased by an offset. This allows us to tell random client vuid's (normally zero) from valid vuids. ****************************************************************************/ -int register_vuid(auth_serversupplied_info *server_info, char *smb_name, BOOL guest) +int register_vuid(auth_serversupplied_info *server_info, char *smb_name) { user_struct *vuser = NULL; uid_t *puid; @@ -251,7 +251,7 @@ int register_vuid(auth_serversupplied_info *server_info, char *smb_name, BOOL gu vuser->vuid = next_vuid; vuser->uid = *puid; vuser->gid = *pgid; - vuser->guest = guest; + vuser->guest = server_info->guest; fstrcpy(vuser->user.unix_name, pdb_get_username(server_info->sam_account)); fstrcpy(vuser->user.smb_name, smb_name); fstrcpy(vuser->user.domain, pdb_get_domain(server_info->sam_account)); @@ -260,7 +260,7 @@ int register_vuid(auth_serversupplied_info *server_info, char *smb_name, BOOL gu DEBUG(10,("register_vuid: (%u,%u) %s %s %s guest=%d\n", (unsigned int)vuser->uid, (unsigned int)vuser->gid, - vuser->user.unix_name, vuser->user.smb_name, vuser->user.domain, guest )); + vuser->user.unix_name, vuser->user.smb_name, vuser->user.domain, vuser->guest )); DEBUG(3, ("User name: %s\tReal name: %s\n",vuser->user.unix_name,vuser->user.full_name)); @@ -276,7 +276,7 @@ int register_vuid(auth_serversupplied_info *server_info, char *smb_name, BOOL gu add_supplementary_nt_login_groups(&vuser->n_groups, &vuser->groups, &server_info->ptok); /* Create an NT_USER_TOKEN struct for this user. */ - vuser->nt_user_token = create_nt_token(vuser->uid, vuser->gid, vuser->n_groups, vuser->groups, guest, server_info->ptok); + vuser->nt_user_token = create_nt_token(vuser->uid, vuser->gid, vuser->n_groups, vuser->groups, vuser->guest, server_info->ptok); DEBUG(3,("uid %d registered to name %s\n",(int)vuser->uid,vuser->user.unix_name)); @@ -285,7 +285,7 @@ int register_vuid(auth_serversupplied_info *server_info, char *smb_name, BOOL gu DLIST_ADD(validated_users, vuser); - if (!session_claim(vuser->vuid)) { + if (!session_claim(vuser)) { DEBUG(1,("Failed to claim session for vuid=%d\n", vuser->vuid)); invalidate_vuid(vuser->vuid); return -1; @@ -453,8 +453,8 @@ BOOL authorise_login(int snum,char *user, DATA_BLOB password, user_struct *vuser = get_valid_user_struct(vuid); #if DEBUG_PASSWORD - DEBUG(100,("authorise_login: checking authorisation on user=%s pass=%s\n", - user,password.data)); + DEBUG(100,("authorise_login: checking authorisation on user=%s pass=%s vuid=%d\n", + user,password.data, vuid)); #endif *guest = False; @@ -501,7 +501,7 @@ BOOL authorise_login(int snum,char *user, DATA_BLOB password, if (user_ok(vuser->user.unix_name,snum) && password_ok(vuser->user.unix_name, password)) { fstrcpy(user, vuser->user.unix_name); - vuser->guest = False; + *guest = False; DEBUG(3,("authorise_login: ACCEPTED: given password with registered user %s\n", user)); ok = True; } diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index 9ff74eae05..98898a6551 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -35,10 +35,8 @@ extern char magic_char; extern BOOL case_sensitive; extern BOOL case_preserve; extern BOOL short_case_preserve; -extern userdom_struct current_user_info; extern pstring global_myname; extern int global_oplock_break; -uint32 global_client_caps = 0; unsigned int smb_echo_count = 0; extern fstring remote_machine; diff --git a/source3/smbd/session.c b/source3/smbd/session.c index 60c2a6e54d..9efc3e6b75 100644 --- a/source3/smbd/session.c +++ b/source3/smbd/session.c @@ -32,9 +32,8 @@ extern fstring remote_machine; static TDB_CONTEXT *tdb; /* called when a session is created */ -BOOL session_claim(uint16 vuid) +BOOL session_claim(user_struct *vuser) { - user_struct *vuser = get_valid_user_struct(vuid); int i; TDB_DATA data; struct sessionid sessionid; @@ -47,7 +46,7 @@ BOOL session_claim(uint16 vuid) /* don't register sessions for the guest user - its just too expensive to go through pam session code for browsing etc */ - if (strequal(vuser->user.unix_name,lp_guestaccount(-1))) { + if (vuser->guest) { return True; } @@ -119,9 +118,8 @@ BOOL session_claim(uint16 vuid) } /* called when a session is destroyed */ -void session_yield(uint16 vuid) +void session_yield(user_struct *vuser) { - user_struct *vuser = get_valid_user_struct(vuid); TDB_DATA dbuf; struct sessionid sessionid; TDB_DATA key; diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c index c7522b3402..6e6d37c089 100644 --- a/source3/smbd/sesssetup.c +++ b/source3/smbd/sesssetup.c @@ -22,6 +22,8 @@ #include "includes.h" +uint32 global_client_caps = 0; + #if HAVE_KRB5 /**************************************************************************** reply to a session setup spnego negotiate packet for kerberos @@ -339,7 +341,7 @@ static int reply_spnego_auth(connection_struct *conn, char *inbuf, char *outbuf, return ERROR_NT(nt_status_squash(nt_status)); } - sess_vuid = register_vuid(server_info, user, False); + sess_vuid = register_vuid(server_info, user); free_server_info(&server_info); @@ -370,12 +372,18 @@ static int reply_spnego_anonymous(connection_struct *conn, char *inbuf, char *ou { int sess_vuid; char *p; + auth_usersupplied_info *user_info = NULL; auth_serversupplied_info *server_info = NULL; + NTSTATUS nt_status; + DEBUG(3,("Got anonymous request\n")); - make_server_info_guest(&server_info); - sess_vuid = register_vuid(server_info, lp_guestaccount(-1), True); + make_user_info_guest(&user_info); + + nt_status = check_password(user_info, &server_info); + + sess_vuid = register_vuid(server_info, lp_guestaccount(-1)); free_server_info(&server_info); if (sess_vuid == -1) { @@ -405,7 +413,6 @@ static int reply_sesssetup_and_X_spnego(connection_struct *conn, char *inbuf,cha { uint8 *p; DATA_BLOB blob1; - extern uint32 global_client_caps; int ret; DEBUG(3,("Doing spnego session setup\n")); @@ -463,14 +470,13 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf, DATA_BLOB nt_resp; DATA_BLOB plaintext_password; pstring user; + pstring sub_user; /* Sainitised username for substituion */ fstring domain; fstring native_os; fstring native_lanman; - BOOL guest=False; static BOOL done_sesssetup = False; extern BOOL global_encrypted_passwords_negotiated; extern BOOL global_spnego_negotiated; - extern uint32 global_client_caps; extern int Protocol; extern fstring remote_machine; extern userdom_struct current_user_info; @@ -479,6 +485,8 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf, auth_usersupplied_info *user_info = NULL; auth_serversupplied_info *server_info = NULL; + NTSTATUS nt_status; + BOOL doencrypt = global_encrypted_passwords_negotiated; START_PROFILE(SMBsesssetupX); @@ -626,18 +634,20 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf, DEBUG(3,("sesssetupX:name=[%s]\\[%s]@[%s]\n", domain, user, remote_machine)); - /* If no username is sent use the guest account */ - if (!*user) { - pstrcpy(user,lp_guestaccount(-1)); - guest = True; - } else { + if (*user) { if (global_spnego_negotiated) { DEBUG(0,("reply_sesssetup_and_X: Rejecting attempt at 'normal' session setup after negotiating spnego.\n")); return ERROR_NT(NT_STATUS_UNSUCCESSFUL); } } - pstrcpy(current_user_info.smb_name,user); + if (*user) { + pstrcpy(sub_user, user); + } else { + pstrcpy(sub_user, lp_guestaccount(-1)); + } + + pstrcpy(current_user_info.smb_name,sub_user); reload_services(True); @@ -648,9 +658,10 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf, data_blob_free(&nt_resp); data_blob_clear_free(&plaintext_password); - guest = True; - map_username(user); - add_session_user(user); + map_username(sub_user); + add_session_user(sub_user); + /* Then force it to null for the benfit of the code below */ + *user = 0; } if (done_sesssetup && lp_restrict_anonymous()) { @@ -673,50 +684,45 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf, return ERROR_DOS(ERRDOS,ERRnoaccess); } } + + if (!make_user_info_for_reply(&user_info, + user, domain, + lm_resp, nt_resp, + plaintext_password, doencrypt)) { + return ERROR_NT(NT_STATUS_NO_MEMORY); + } - if (!guest) { - NTSTATUS nt_status; - if (!make_user_info_for_reply(&user_info, - user, domain, - lm_resp, nt_resp, - plaintext_password, doencrypt)) { - return ERROR_NT(NT_STATUS_NO_MEMORY); - } - - nt_status = check_password(user_info, &server_info); - - free_user_info(&user_info); - - data_blob_free(&lm_resp); - data_blob_free(&nt_resp); - data_blob_clear_free(&plaintext_password); - - if (!NT_STATUS_IS_OK(nt_status)) { - if NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) { - if ((lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER) || - (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD)) { - DEBUG(3,("No such user %s [%s] - using guest account\n",user, domain)); - pstrcpy(user,lp_guestaccount(-1)); - guest = True; - - } - } else if NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD) { - if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD) { - pstrcpy(user,lp_guestaccount(-1)); - DEBUG(3,("Registered username %s for guest access\n",user)); - guest = True; - } - /* Match WinXP and don't give the game away */ - return ERROR_NT(NT_STATUS_LOGON_FAILURE); + nt_status = check_password(user_info, &server_info); + + free_user_info(&user_info); + + data_blob_free(&lm_resp); + data_blob_free(&nt_resp); + data_blob_clear_free(&plaintext_password); + + if (!NT_STATUS_IS_OK(nt_status)) { + if NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) { + if ((lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER) || + (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD)) { + + DEBUG(3,("No such user %s [%s] - using guest account\n",user, domain)); + make_server_info_guest(&server_info); + nt_status = NT_STATUS_OK; + } + + } else if NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD) { + if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD) { + DEBUG(3,("Registered username %s for guest access\n",user)); + make_server_info_guest(&server_info); + nt_status = NT_STATUS_OK; } - - if (!guest) { - free_server_info(&server_info); - return ERROR_NT(nt_status_squash(nt_status)); - } } } + if (!NT_STATUS_IS_OK(nt_status)) { + return ERROR_NT(nt_status_squash(nt_status)); + } + /* it's ok - setup a reply */ if (Protocol < PROTOCOL_NT1) { set_message(outbuf,3,0,True); @@ -731,10 +737,8 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf, /* perhaps grab OS version here?? */ } - if (guest) { + if (server_info->guest) { SSVAL(outbuf,smb_vwv2,1); - free_server_info(&server_info); - make_server_info_guest(&server_info); } else { const char *home_dir = pdb_get_homedir(server_info->sam_account); const char *username = pdb_get_username(server_info->sam_account); @@ -747,7 +751,7 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf, /* register the name and uid as being validated, so further connections to a uid can get through without a password, on the same VC */ - sess_vuid = register_vuid(server_info, user, guest); + sess_vuid = register_vuid(server_info, sub_user); free_server_info(&server_info); |