diff options
author | Andrew Bartlett <abartlet@samba.org> | 2011-07-22 11:33:52 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2011-08-03 18:48:02 +1000 |
commit | 8a650243b336f5a85ff119aa40c7744542c005e7 (patch) | |
tree | facc17ee6213efcfdb93db401d2ae02813e37b55 | |
parent | 35b309fa0cac9341f364243b03ebfcc80f74198e (diff) | |
download | samba-8a650243b336f5a85ff119aa40c7744542c005e7.tar.gz samba-8a650243b336f5a85ff119aa40c7744542c005e7.tar.bz2 samba-8a650243b336f5a85ff119aa40c7744542c005e7.zip |
s3-auth Move map to guest to directly after the check_password calls
This means we no longer need two different map to guest functions
and have consistent logic with fewer layering violations.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
-rw-r--r-- | source3/auth/auth_ntlmssp.c | 4 | ||||
-rw-r--r-- | source3/auth/auth_util.c | 32 | ||||
-rw-r--r-- | source3/auth/proto.h | 4 | ||||
-rw-r--r-- | source3/smbd/sesssetup.c | 71 | ||||
-rw-r--r-- | source3/smbd/smb2_sesssetup.c | 35 |
5 files changed, 49 insertions, 97 deletions
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c index 61029bc95d..2157d355d2 100644 --- a/source3/auth/auth_ntlmssp.c +++ b/source3/auth/auth_ntlmssp.c @@ -145,6 +145,10 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state, free_user_info(&user_info); if (!NT_STATUS_IS_OK(nt_status)) { + nt_status = do_map_to_guest_server_info(nt_status, + &auth_ntlmssp_state->server_info, + auth_ntlmssp_state->ntlmssp_state->user, + auth_ntlmssp_state->ntlmssp_state->domain); return nt_status; } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index a261e39b7b..1621630b87 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -1580,3 +1580,35 @@ bool is_trusted_domain(const char* dom_name) return false; } + + +/* + on a logon error possibly map the error to success if "map to guest" + is set approriately +*/ +NTSTATUS do_map_to_guest_server_info(NTSTATUS status, + struct auth_serversupplied_info **server_info, + const char *user, const char *domain) +{ + user = user ? user : ""; + domain = domain ? domain : ""; + + if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) { + if ((lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER) || + (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD)) { + DEBUG(3,("No such user %s [%s] - using guest account\n", + user, domain)); + status = make_server_info_guest(NULL, server_info); + } + } + + if (NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) { + if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD) { + DEBUG(3,("Registered username %s for guest access\n", + user)); + status = make_server_info_guest(NULL, server_info); + } + } + + return status; +} diff --git a/source3/auth/proto.h b/source3/auth/proto.h index d51a3e6444..f2b7875997 100644 --- a/source3/auth/proto.h +++ b/source3/auth/proto.h @@ -214,6 +214,10 @@ NTSTATUS make_user_info(struct auth_usersupplied_info **ret_user_info, enum auth_password_state password_state); void free_user_info(struct auth_usersupplied_info **user_info); +NTSTATUS do_map_to_guest_server_info(NTSTATUS status, + struct auth_serversupplied_info **server_info, + const char *user, const char *domain); + /* The following definitions come from auth/auth_winbind.c */ NTSTATUS auth_winbind_init(void); diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c index 2df8b435e5..329b8b6aa5 100644 --- a/source3/smbd/sesssetup.c +++ b/source3/smbd/sesssetup.c @@ -46,68 +46,6 @@ struct pending_auth_data { DATA_BLOB partial_data; }; -/* - on a logon error possibly map the error to success if "map to guest" - is set approriately -*/ -static NTSTATUS do_map_to_guest_server_info(NTSTATUS status, - struct auth_serversupplied_info **server_info, - const char *user, const char *domain) -{ - user = user ? user : ""; - domain = domain ? domain : ""; - - if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) { - if ((lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER) || - (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD)) { - DEBUG(3,("No such user %s [%s] - using guest account\n", - user, domain)); - status = make_server_info_guest(NULL, server_info); - } - } - - if (NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) { - if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD) { - DEBUG(3,("Registered username %s for guest access\n", - user)); - status = make_server_info_guest(NULL, server_info); - } - } - - return status; -} - -/* - on a logon error possibly map the error to success if "map to guest" - is set approriately -*/ -NTSTATUS do_map_to_guest(NTSTATUS status, - struct auth_session_info **session_info, - const char *user, const char *domain) -{ - user = user ? user : ""; - domain = domain ? domain : ""; - - if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) { - if ((lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER) || - (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD)) { - DEBUG(3,("No such user %s [%s] - using guest account\n", - user, domain)); - status = make_session_info_guest(NULL, session_info); - } - } - - if (NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) { - if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD) { - DEBUG(3,("Registered username %s for guest access\n", - user)); - status = make_session_info_guest(NULL, session_info); - } - } - - return status; -} - /**************************************************************************** Add the standard 'Samba' signature to the end of the session setup. ****************************************************************************/ @@ -494,15 +432,6 @@ static void reply_spnego_ntlmssp(struct smb_request *req, if (NT_STATUS_IS_OK(nt_status)) { nt_status = auth_ntlmssp_steal_session_info(talloc_tos(), (*auth_ntlmssp_state), &session_info); - } else { - /* Note that this session_info won't have a session - * key. But for map to guest, that's exactly the right - * thing - we can't reasonably guess the key the - * client wants, as the password was wrong */ - nt_status = do_map_to_guest(nt_status, - &session_info, - auth_ntlmssp_get_username(*auth_ntlmssp_state), - auth_ntlmssp_get_domain(*auth_ntlmssp_state)); } reply_outbuf(req, 4, 0); diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c index 7a83953256..511df8639d 100644 --- a/source3/smbd/smb2_sesssetup.c +++ b/source3/smbd/smb2_sesssetup.c @@ -151,26 +151,6 @@ static int smbd_smb2_session_destructor(struct smbd_smb2_session *session) return 0; } -static NTSTATUS setup_ntlmssp_session_info(struct smbd_smb2_session *session, - NTSTATUS status) -{ - if (NT_STATUS_IS_OK(status)) { - status = auth_ntlmssp_steal_session_info(session, - session->auth_ntlmssp_state, - &session->session_info); - } else { - /* Note that this session_info won't have a session - * key. But for map to guest, that's exactly the right - * thing - we can't reasonably guess the key the - * client wants, as the password was wrong */ - status = do_map_to_guest(status, - &session->session_info, - auth_ntlmssp_get_username(session->auth_ntlmssp_state), - auth_ntlmssp_get_domain(session->auth_ntlmssp_state)); - } - return status; -} - #ifdef HAVE_KRB5 static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session, struct smbd_smb2_request *smb2req, @@ -606,11 +586,12 @@ static NTSTATUS smbd_smb2_spnego_auth(struct smbd_smb2_session *session, status = auth_ntlmssp_update(session->auth_ntlmssp_state, auth, &auth_out); - /* We need to call setup_ntlmssp_session_info() if status==NT_STATUS_OK, - or if status is anything except NT_STATUS_MORE_PROCESSING_REQUIRED, - as this can trigger map to guest. */ - if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { - status = setup_ntlmssp_session_info(session, status); + /* If status is NT_STATUS_OK then we need to get the token. + * Map to guest is now internal to auth_ntlmssp */ + if (NT_STATUS_IS_OK(status)) { + status = auth_ntlmssp_steal_session_info(session, + session->auth_ntlmssp_state, + &session->session_info); } if (!NT_STATUS_IS_OK(status) && @@ -689,7 +670,9 @@ static NTSTATUS smbd_smb2_raw_ntlmssp_auth(struct smbd_smb2_session *session, return status; } - status = setup_ntlmssp_session_info(session, status); + status = auth_ntlmssp_steal_session_info(session, + session->auth_ntlmssp_state, + &session->session_info); if (!NT_STATUS_IS_OK(status)) { TALLOC_FREE(session->auth_ntlmssp_state); |