summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2011-07-19 11:57:05 +1000
committerAndrew Bartlett <abartlet@samba.org>2011-07-20 09:17:14 +1000
commit662282106318e3f1f0bbcc7281f49ee5b3727f21 (patch)
tree615737d5c566c5ff5071d9db8227498f689e74f3
parent9d09b66f41cb4ab58bd4a6d83ecebb91805a4b5b (diff)
downloadsamba-662282106318e3f1f0bbcc7281f49ee5b3727f21.tar.gz
samba-662282106318e3f1f0bbcc7281f49ee5b3727f21.tar.bz2
samba-662282106318e3f1f0bbcc7281f49ee5b3727f21.zip
s3-auth Remove seperate guest boolean
Instead, we base our guest calculations on the presence or absense of the authenticated users group in the token, ensuring that we have only one canonical source of this important piece of authorization data Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
-rw-r--r--librpc/idl/auth.idl1
-rw-r--r--source3/Makefile.in2
-rw-r--r--source3/auth/auth_util.c5
-rw-r--r--source3/rpc_server/lsa/srv_lsa_nt.c2
-rw-r--r--source3/rpc_server/rpc_handles.c3
-rw-r--r--source3/smbd/lanman.c2
-rw-r--r--source3/smbd/password.c9
-rw-r--r--source3/smbd/service.c10
-rw-r--r--source3/smbd/session.c3
-rw-r--r--source3/smbd/sesssetup.c7
-rw-r--r--source3/smbd/smb2_sesssetup.c9
11 files changed, 31 insertions, 22 deletions
diff --git a/librpc/idl/auth.idl b/librpc/idl/auth.idl
index f1f888c0dd..3b4853b657 100644
--- a/librpc/idl/auth.idl
+++ b/librpc/idl/auth.idl
@@ -65,7 +65,6 @@ interface auth
/* These match exactly the values from the
* auth_serversupplied_info, but should be changed to
* checks involving just the SIDs */
- boolean8 guest;
boolean8 system;
[unique,charset(UTF8),string] char *unix_name;
diff --git a/source3/Makefile.in b/source3/Makefile.in
index 0a72cf579a..51b0a7cb67 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -466,7 +466,7 @@ LIB_OBJ = $(LIBSAMBAUTIL_OBJ) $(UTIL_OBJ) $(CRYPTO_OBJ) $(LIBTSOCKET_OBJ) \
lib/ldap_escape.o @CHARSET_STATIC@ \
../libcli/security/secdesc.o ../libcli/security/access_check.o \
../libcli/security/secace.o ../libcli/security/object_tree.o \
- ../libcli/security/sddl.o \
+ ../libcli/security/sddl.o ../libcli/security/session.o \
../libcli/security/secacl.o @PTHREADPOOL_OBJ@ \
lib/fncall.o \
libads/krb5_errs.o lib/system_smbd.o lib/audit.o $(LIBNDR_OBJ) \
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index d5ca1a206b..b0deb2c8ab 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -504,7 +504,6 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
- session_info->unix_info->guest = server_info->guest;
session_info->unix_info->system = server_info->system;
if (session_key) {
@@ -993,8 +992,8 @@ static struct auth_serversupplied_info *copy_session_info_serverinfo_guest(TALLO
/* This element must be provided to convert back to an auth_serversupplied_info */
SMB_ASSERT(src->unix_info);
- dst->guest = src->unix_info->guest;
- dst->system = src->unix_info->system;
+ dst->guest = true;
+ dst->system = false;
/* This element must be provided to convert back to an
* auth_serversupplied_info. This needs to be from hte
diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c
index 8aea353679..5877c7b295 100644
--- a/source3/rpc_server/lsa/srv_lsa_nt.c
+++ b/source3/rpc_server/lsa/srv_lsa_nt.c
@@ -2400,7 +2400,7 @@ NTSTATUS _lsa_GetUserName(struct pipes_struct *p,
return NT_STATUS_INVALID_PARAMETER;
}
- if (p->session_info->unix_info->guest) {
+ if (security_session_user_level(p->session_info, NULL) < SECURITY_USER) {
/*
* I'm 99% sure this is not the right place to do this,
* global_sid_Anonymous should probably be put into the token
diff --git a/source3/rpc_server/rpc_handles.c b/source3/rpc_server/rpc_handles.c
index f3a97b37a2..3500a228d5 100644
--- a/source3/rpc_server/rpc_handles.c
+++ b/source3/rpc_server/rpc_handles.c
@@ -25,6 +25,7 @@
#include "auth.h"
#include "ntdomain.h"
#include "rpc_server/rpc_ncacn_np.h"
+#include "../libcli/security/security.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_RPC_SRV
@@ -346,7 +347,7 @@ bool pipe_access_check(struct pipes_struct *p)
return True;
}
- if (p->session_info->unix_info->guest) {
+ if (security_session_user_level(p->session_info, NULL) < SECURITY_USER) {
return False;
}
}
diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c
index 4f905cf9b1..292ebf4385 100644
--- a/source3/smbd/lanman.c
+++ b/source3/smbd/lanman.c
@@ -5857,7 +5857,7 @@ void api_reply(connection_struct *conn, uint16 vuid,
if (api_commands[i].auth_user && lp_restrict_anonymous()) {
user_struct *user = get_valid_user_struct(req->sconn, vuid);
- if (!user || user->session_info->unix_info->guest) {
+ if (!user || security_session_user_level(user->session_info, NULL) < SECURITY_USER) {
reply_nterror(req, NT_STATUS_ACCESS_DENIED);
return;
}
diff --git a/source3/smbd/password.c b/source3/smbd/password.c
index d529dc1a63..e23818f2d1 100644
--- a/source3/smbd/password.c
+++ b/source3/smbd/password.c
@@ -24,6 +24,7 @@
#include "smbd/globals.h"
#include "../librpc/gen_ndr/netlogon.h"
#include "auth.h"
+#include "../libcli/security/security.h"
/* Fix up prototypes for OSX 10.4, where they're missing */
#ifndef HAVE_SETNETGRENT_PROTOTYPE
@@ -269,6 +270,7 @@ int register_existing_vuid(struct smbd_server_connection *sconn,
{
fstring tmp;
user_struct *vuser;
+ bool guest = security_session_user_level(session_info, NULL) < SECURITY_USER;
vuser = get_partial_auth_user_struct(sconn, vuid);
if (!vuser) {
@@ -294,7 +296,7 @@ int register_existing_vuid(struct smbd_server_connection *sconn,
vuser->session_info->unix_info->unix_name,
vuser->session_info->unix_info->sanitized_username,
vuser->session_info->info->domain_name,
- vuser->session_info->unix_info->guest ));
+ guest));
DEBUG(3, ("register_existing_vuid: User name: %s\t"
"Real name: %s\n", vuser->session_info->unix_info->unix_name,
@@ -328,13 +330,14 @@ int register_existing_vuid(struct smbd_server_connection *sconn,
vuser->homes_snum = -1;
- if (!vuser->session_info->unix_info->guest) {
+
+ if (!guest) {
vuser->homes_snum = register_homes_share(
vuser->session_info->unix_info->unix_name);
}
if (srv_is_signing_negotiated(sconn) &&
- !vuser->session_info->unix_info->guest) {
+ !guest) {
/* Try and turn on server signing on the first non-guest
* sessionsetup. */
srv_set_signing(sconn,
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index 71681aeca2..f1d2ca040d 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -394,8 +394,8 @@ static NTSTATUS create_connection_session_info(struct smbd_server_connection *sc
* This is the normal security != share case where we have a
* valid vuid from the session setup. */
- if (vuid_serverinfo->unix_info->guest) {
- if (!lp_guest_ok(snum)) {
+ if (security_session_user_level(vuid_serverinfo, NULL) < SECURITY_USER) {
+ if (!lp_guest_ok(snum)) {
DEBUG(2, ("guest user (from session setup) "
"not permitted to access this share "
"(%s)\n", lp_servicename(snum)));
@@ -467,6 +467,7 @@ NTSTATUS set_conn_force_user_group(connection_struct *conn, int snum)
char *fuser;
struct auth_session_info *forced_serverinfo;
+ bool guest;
fuser = talloc_string_sub(conn, lp_force_user(snum), "%S",
lp_const_servicename(snum));
@@ -474,8 +475,11 @@ NTSTATUS set_conn_force_user_group(connection_struct *conn, int snum)
return NT_STATUS_NO_MEMORY;
}
+ guest = security_session_user_level(conn->session_info, NULL) < SECURITY_USER;
+
status = make_session_info_from_username(
- conn, fuser, conn->session_info->unix_info->guest,
+ conn, fuser,
+ guest,
&forced_serverinfo);
if (!NT_STATUS_IS_OK(status)) {
return status;
diff --git a/source3/smbd/session.c b/source3/smbd/session.c
index 9b8d11cc65..10f7defb81 100644
--- a/source3/smbd/session.c
+++ b/source3/smbd/session.c
@@ -33,6 +33,7 @@
#include "session.h"
#include "auth.h"
#include "../lib/tsocket/tsocket.h"
+#include "../libcli/security/security.h"
/********************************************************************
called when a session is created
@@ -53,7 +54,7 @@ bool session_claim(struct smbd_server_connection *sconn, user_struct *vuser)
/* don't register sessions for the guest user - its just too
expensive to go through pam session code for browsing etc */
- if (vuser->session_info->unix_info->guest) {
+ if (security_session_user_level(vuser->session_info, NULL) < SECURITY_USER) {
return True;
}
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index b6a3243b85..2df8b435e5 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -35,6 +35,7 @@
#include "auth.h"
#include "messages.h"
#include "smbprofile.h"
+#include "../libcli/security/security.h"
/* For split krb5 SPNEGO blobs. */
struct pending_auth_data {
@@ -441,7 +442,7 @@ static void reply_spnego_kerberos(struct smb_request *req,
SSVAL(req->outbuf, smb_vwv3, 0);
- if (session_info->unix_info->guest) {
+ if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
SSVAL(req->outbuf,smb_vwv2,1);
}
@@ -535,7 +536,7 @@ static void reply_spnego_ntlmssp(struct smb_request *req,
SSVAL(req->outbuf, smb_vwv3, 0);
- if (session_info->unix_info->guest) {
+ if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
SSVAL(req->outbuf,smb_vwv2,1);
}
}
@@ -1702,7 +1703,7 @@ void reply_sesssetup_and_X(struct smb_request *req)
/* perhaps grab OS version here?? */
}
- if (session_info->unix_info->guest) {
+ if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
SSVAL(req->outbuf,smb_vwv2,1);
}
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 9475ffb363..7a83953256 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -31,6 +31,7 @@
#include "../lib/util/asn1.h"
#include "auth.h"
#include "../lib/tsocket/tsocket.h"
+#include "../libcli/security/security.h"
static NTSTATUS smbd_smb2_session_setup(struct smbd_smb2_request *smb2req,
uint64_t in_session_id,
@@ -253,7 +254,7 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
session->do_signing = true;
}
- if (session->session_info->unix_info->guest) {
+ if (security_session_user_level(session->session_info, NULL) < SECURITY_USER) {
/* we map anonymous to guest internally */
*out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
*out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
@@ -280,7 +281,7 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
session->session_info->unix_info->sanitized_username =
talloc_strdup(session->session_info, tmp);
- if (!session->session_info->unix_info->guest) {
+ if (security_session_user_level(session->session_info, NULL) >= SECURITY_USER) {
session->compat_vuser->homes_snum =
register_homes_share(session->session_info->unix_info->unix_name);
}
@@ -460,7 +461,7 @@ static NTSTATUS smbd_smb2_common_ntlmssp_auth_return(struct smbd_smb2_session *s
session->do_signing = true;
}
- if (session->session_info->unix_info->guest) {
+ if (security_session_user_level(session->session_info, NULL) < SECURITY_USER) {
/* we map anonymous to guest internally */
*out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
*out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
@@ -491,7 +492,7 @@ static NTSTATUS smbd_smb2_common_ntlmssp_auth_return(struct smbd_smb2_session *s
session->session_info->unix_info->sanitized_username = talloc_strdup(
session->session_info, tmp);
- if (!session->compat_vuser->session_info->unix_info->guest) {
+ if (security_session_user_level(session->session_info, NULL) >= SECURITY_USER) {
session->compat_vuser->homes_snum =
register_homes_share(session->session_info->unix_info->unix_name);
}