diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2001-11-08 22:19:01 +0000 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2001-11-08 22:19:01 +0000 |
| commit | 55dfb66079333acd8e0aee91c0ee90d0a413a8e6 (patch) | |
| tree | dcd7c178dbb2df6b578123bd9ee7fe78e38e979e /source3/auth/auth.c | |
| parent | f56a3ea612beded266c614511aa4c451639cbe9a (diff) | |
| download | samba-55dfb66079333acd8e0aee91c0ee90d0a413a8e6.tar.gz samba-55dfb66079333acd8e0aee91c0ee90d0a413a8e6.tar.bz2 samba-55dfb66079333acd8e0aee91c0ee90d0a413a8e6.zip | |
Change to guest logon code.
This changes the way we process guest logons - we now treat them as normal
logons, but set the 'guest' flag. In particular this is needed becouse Win2k
will do an NTLMSSP login with username "", therefore missing our previous guest
connection code - this is getting a pain to do as a special case all over the
shop.
Tridge: We don't seem to be setting a guest bit for NTLMSSP, in either the
anonymous or authenticated case, can you take a look at this?
Also some cleanups in the check_password() code that should make some of the
debugs clearer.
Various other minor cleanups:
- change the session code to just take a vuser, rather than having to do a
vuid lookup on vuser.vuid
- Change some of the global_client_caps linking
- Better debug in authorise_login(): show the vuid.
Andrew Bartlett
(This used to be commit 62f4e4bd0aef9ade653b3f8d575d2864c166ab4d)
Diffstat (limited to 'source3/auth/auth.c')
| -rw-r--r-- | source3/auth/auth.c | 67 |
1 files changed, 43 insertions, 24 deletions
diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 4d1a566833..67f80afdda 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -63,9 +63,23 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; BOOL done_pam = False; + const char *pdb_username; - DEBUG(3, ("check_password: Checking password for unmapped user %s\\%s@%s with the new password interface\n", - user_info->smb_name.str, user_info->client_domain.str, user_info->wksta_name.str)); + DEBUG(3, ("check_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n", + user_info->client_domain.str, user_info->smb_name.str, user_info->wksta_name.str)); + + DEBUG(3, ("check_password: mapped user is: [%s]\\[%s]@[%s]\n", + user_info->domain.str, user_info->internal_username.str, user_info->wksta_name.str)); + + if (!NT_STATUS_IS_OK(nt_status)) { + nt_status = check_guest_security(user_info, server_info); + if (NT_STATUS_IS_OK(nt_status)) { + DEBUG(5, ("check_password: checking guest-account for user [%s] suceeded\n", user_info->smb_name.str)); + } else { + DEBUG(10, ("check_password: checking gusst-account for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + + } + } /* This needs to be sorted: If it doesn't match, what should we do? */ if (!check_domain_match(user_info->smb_name.str, user_info->domain.str)) { @@ -75,9 +89,9 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, if (!NT_STATUS_IS_OK(nt_status)) { nt_status = check_rhosts_security(user_info, server_info); if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(7, ("check_password: Password (rhosts) for user %s suceeded\n", user_info->smb_name.str)); + DEBUG(3, ("check_password: Password (rhosts) for user [%s] suceeded\n", user_info->smb_name.str)); } else { - DEBUG(5, ("check_password: Password (rhosts)for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + DEBUG(10, ("check_password: Password (rhosts) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); } } @@ -85,9 +99,9 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, if ((lp_security() == SEC_DOMAIN) && !NT_STATUS_IS_OK(nt_status)) { nt_status = check_domain_security(user_info, server_info); if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(7, ("check_password: Password (domain) for user %s suceeded\n", user_info->smb_name.str)); + DEBUG(7, ("check_password: Password (domain) for user [%s] suceeded\n", user_info->smb_name.str)); } else { - DEBUG(5, ("check_password: Password (domain) for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + DEBUG(5, ("check_password: Password (domain) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); } } @@ -95,9 +109,9 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, if ((lp_security() == SEC_SERVER) && !NT_STATUS_IS_OK(nt_status)) { nt_status = check_server_security(user_info, server_info); if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(7, ("check_password: Password (server) for user %s suceeded\n", user_info->smb_name.str)); + DEBUG(7, ("check_password: Password (server) for user [%s] suceeded\n", user_info->smb_name.str)); } else { - DEBUG(5, ("check_password: Password (server) for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + DEBUG(5, ("check_password: Password (server) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); } } @@ -115,32 +129,37 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, } if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(7, ("check_password: Password (unix/smbpasswd) for user %s suceeded\n", user_info->smb_name.str)); + DEBUG(7, ("check_password: Password (unix/smbpasswd) for user [%s] suceeded\n", user_info->smb_name.str)); } else { - DEBUG(5, ("check_password: Password (unix/smbpasswd) for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + DEBUG(5, ("check_password: Password (unix/smbpasswd) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); } } - - if (NT_STATUS_IS_OK(nt_status) && !done_pam) { - /* We might not be root if we are an RPC call */ - become_root(); - nt_status = smb_pam_accountcheck(pdb_get_username((*server_info)->sam_account)); - unbecome_root(); - - if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(5, ("check_password: PAM Account for user %s suceeded\n", user_info->smb_name.str)); - } else { - DEBUG(3, ("check_password: PAM Account for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + if (NT_STATUS_IS_OK(nt_status)) { + pdb_username = pdb_get_username((*server_info)->sam_account); + if (!done_pam && !(*server_info)->guest) { + /* We might not be root if we are an RPC call */ + become_root(); + nt_status = smb_pam_accountcheck(pdb_username); + unbecome_root(); - } + if (NT_STATUS_IS_OK(nt_status)) { + DEBUG(5, ("check_password: PAM Account for user [%s] suceeded\n", pdb_username)); + } else { + DEBUG(3, ("check_password: PAM Account for user [%s] FAILED with error %s\n", pdb_username, get_nt_error_msg(nt_status))); + } + } } if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(5, ("check_password: Password for smb user %s suceeded\n", user_info->smb_name.str)); + DEBUG(3, ("check_password: %sauthenticaion for user [%s] -> [%s] -> [%s] suceeded\n", + (*server_info)->guest ? "guest " : "", + user_info->smb_name.str, + user_info->internal_username.str, + pdb_username)); } else { - DEBUG(3, ("check_password: Password for smb user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + DEBUG(3, ("check_password: Authenticaion for user [%s] -> [%s] FAILED with error %s\n", user_info->smb_name.str, user_info->internal_username.str, get_nt_error_msg(nt_status))); ZERO_STRUCTP(server_info); } |