authorAndrew Bartlett <abartlet@samba.org>2001-11-08 22:19:01 +0000
committerAndrew Bartlett <abartlet@samba.org>2001-11-08 22:19:01 +0000
commit55dfb66079333acd8e0aee91c0ee90d0a413a8e6 (patch)
treedcd7c178dbb2df6b578123bd9ee7fe78e38e979e /source3/auth
parentf56a3ea612beded266c614511aa4c451639cbe9a (diff)
Change to guest logon code.
This changes the way we process guest logons - we now treat them as normal logons, but set the 'guest' flag. In particular this is needed because Win2k will do an NTLMSSP login with username "", therefore missing our previous guest connection code - this is getting a pain to do as a special case all over the shop. Tridge: We don't seem to be setting a guest bit for NTLMSSP, in either the anonymous or authenticated case, can you take a look at this? Also some cleanups in the check_password() code that should make some of the debugs clearer. Various other minor cleanups: - change the session code to just take a vuser, rather than having to do a vuid lookup on vuser.vuid - Change some of the global_client_caps linking - Better debug in authorise_login(): show the vuid. Andrew Bartlett (This used to be commit 62f4e4bd0aef9ade653b3f8d575d2864c166ab4d)
Diffstat (limited to 'source3/auth')
-rw-r--r--source3/auth/auth.c67
-rw-r--r--source3/auth/auth_util.c53
2 files changed, 94 insertions, 26 deletions
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 4d1a566833..67f80afdda 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -63,9 +63,23 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info,
NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
BOOL done_pam = False;
+ const char *pdb_username;
- DEBUG(3, ("check_password: Checking password for unmapped user %s\\%s@%s with the new password interface\n",
- user_info->smb_name.str, user_info->client_domain.str, user_info->wksta_name.str));
+ DEBUG(3, ("check_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n",
+ user_info->client_domain.str, user_info->smb_name.str, user_info->wksta_name.str));
+
+ DEBUG(3, ("check_password: mapped user is: [%s]\\[%s]@[%s]\n",
+ user_info->domain.str, user_info->internal_username.str, user_info->wksta_name.str));
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ nt_status = check_guest_security(user_info, server_info);
+ if (NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(5, ("check_password: checking guest-account for user [%s] suceeded\n", user_info->smb_name.str));
+ } else {
+ DEBUG(10, ("check_password: checking gusst-account for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
+
+ }
+ }
/* This needs to be sorted: If it doesn't match, what should we do? */
if (!check_domain_match(user_info->smb_name.str, user_info->domain.str)) {
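Review bot: The guest block added ahead of `check_domain_match()` can set NT_STATUS_OK without examining any credential blob (check_guest_security() in auth_util.c looks only at the mapped username), and nothing in the hunk says so. A comment above the block would make the contract explicit, e.g. `/* Anonymous logon: an empty mapped username succeeds with no password check; callers must test (*server_info)->guest before granting non-guest access */`. The failure message also misspells the method as `gusst-account`, which defeats a log search for `guest-account`; the string should read `checking guest-account for user [%s] FAILED with error %s`. The enclosing `if (!NT_STATUS_IS_OK(nt_status))` is always true at this point because nt_status was just initialised to NT_STATUS_LOGON_FAILURE; check_password() continues outside the hunk.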
@@ -75,9 +89,9 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info,
if (!NT_STATUS_IS_OK(nt_status)) {
nt_status = check_rhosts_security(user_info, server_info);
if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG(7, ("check_password: Password (rhosts) for user %s suceeded\n", user_info->smb_name.str));
+ DEBUG(3, ("check_password: Password (rhosts) for user [%s] suceeded\n", user_info->smb_name.str));
} else {
- DEBUG(5, ("check_password: Password (rhosts)for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
+ DEBUG(10, ("check_password: Password (rhosts) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
}
}
@@ -85,9 +99,9 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info,
if ((lp_security() == SEC_DOMAIN) && !NT_STATUS_IS_OK(nt_status)) {
nt_status = check_domain_security(user_info, server_info);
if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG(7, ("check_password: Password (domain) for user %s suceeded\n", user_info->smb_name.str));
+ DEBUG(7, ("check_password: Password (domain) for user [%s] suceeded\n", user_info->smb_name.str));
} else {
- DEBUG(5, ("check_password: Password (domain) for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
+ DEBUG(5, ("check_password: Password (domain) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
}
}
@@ -95,9 +109,9 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info,
if ((lp_security() == SEC_SERVER) && !NT_STATUS_IS_OK(nt_status)) {
nt_status = check_server_security(user_info, server_info);
if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG(7, ("check_password: Password (server) for user %s suceeded\n", user_info->smb_name.str));
+ DEBUG(7, ("check_password: Password (server) for user [%s] suceeded\n", user_info->smb_name.str));
} else {
- DEBUG(5, ("check_password: Password (server) for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
+ DEBUG(5, ("check_password: Password (server) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
}
}
@@ -115,32 +129,37 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info,
}
if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG(7, ("check_password: Password (unix/smbpasswd) for user %s suceeded\n", user_info->smb_name.str));
+ DEBUG(7, ("check_password: Password (unix/smbpasswd) for user [%s] suceeded\n", user_info->smb_name.str));
} else {
- DEBUG(5, ("check_password: Password (unix/smbpasswd) for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
+ DEBUG(5, ("check_password: Password (unix/smbpasswd) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
}
}
-
- if (NT_STATUS_IS_OK(nt_status) && !done_pam) {
- /* We might not be root if we are an RPC call */
- become_root();
- nt_status = smb_pam_accountcheck(pdb_get_username((*server_info)->sam_account));
- unbecome_root();
-
- if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG(5, ("check_password: PAM Account for user %s suceeded\n", user_info->smb_name.str));
- } else {
- DEBUG(3, ("check_password: PAM Account for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
+ if (NT_STATUS_IS_OK(nt_status)) {
+ pdb_username = pdb_get_username((*server_info)->sam_account);
+ if (!done_pam && !(*server_info)->guest) {
+ /* We might not be root if we are an RPC call */
+ become_root();
+ nt_status = smb_pam_accountcheck(pdb_username);
+ unbecome_root();
- }
+ if (NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(5, ("check_password: PAM Account for user [%s] suceeded\n", pdb_username));
+ } else {
+ DEBUG(3, ("check_password: PAM Account for user [%s] FAILED with error %s\n", pdb_username, get_nt_error_msg(nt_status)));
+ }
+ }
}
if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG(5, ("check_password: Password for smb user %s suceeded\n", user_info->smb_name.str));
+ DEBUG(3, ("check_password: %sauthenticaion for user [%s] -> [%s] -> [%s] suceeded\n",
+ (*server_info)->guest ? "guest " : "",
+ user_info->smb_name.str,
+ user_info->internal_username.str,
+ pdb_username));
} else {
- DEBUG(3, ("check_password: Password for smb user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
+ DEBUG(3, ("check_password: Authenticaion for user [%s] -> [%s] FAILED with error %s\n", user_info->smb_name.str, user_info->internal_username.str, get_nt_error_msg(nt_status)));
ZERO_STRUCTP(server_info);
}
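Review bot: Guest logons now skip `smb_pam_accountcheck()` through the new `!(*server_info)->guest` condition, so whatever PAM account restrictions apply to the guest account are not enforced on this path, and the hunk gives no reason. If that is intended, a comment on the condition would record it, e.g. `/* guest logons are not subject to the PAM account check */`. Separately, `pdb_username` is assigned only inside the first success branch and is then passed to `%s`. Initialising it at its declaration (`const char *pdb_username = NULL;`) and confirming that `sam_account` is populated for a guest server_info (make_server_info_pw() is not visible here) would keep the final DEBUG from formatting an unset or NULL pointer. The function starts and ends outside the hunk.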
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 421ab3f1e4..cfdf3a6acc 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -589,6 +589,27 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info,
return ret;
}
+/****************************************************************************
+ Create a guest user_info blob, for anonymous authenticaion.
+****************************************************************************/
+
+BOOL make_user_info_guest(auth_usersupplied_info **user_info)
+{
+ DATA_BLOB sec_blob = data_blob(NULL, 0);
+ DATA_BLOB lm_blob = data_blob(NULL, 0);
+ DATA_BLOB nt_blob = data_blob(NULL, 0);
+ DATA_BLOB plaintext_blob = data_blob(NULL, 0);
+ uint32 ntlmssp_flags = 0;
+
+ return make_user_info(user_info,
+ "","",
+ "","",
+ "", sec_blob,
+ nt_blob, lm_blob,
+ plaintext_blob,
+ ntlmssp_flags, True);
+}
+
BOOL make_server_info(auth_serversupplied_info **server_info)
{
*server_info = malloc(sizeof(**server_info));
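Review bot: The call to make_user_info() in make_user_info_guest() passes five empty strings and a bare `True` with no indication of which field each one fills, so a later change to the parameter order would go unnoticed here. A short comment on each argument line, and a sentence in the header comment stating who frees `*user_info`, would make this reviewable. The header comment also misspells `authentication`.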
@@ -664,13 +685,19 @@ void free_server_info(auth_serversupplied_info **server_info)
Make a server_info struct for a guest user
***************************************************************************/
-void make_server_info_guest(auth_serversupplied_info **server_info)
+BOOL make_server_info_guest(auth_serversupplied_info **server_info)
{
struct passwd *pass = sys_getpwnam(lp_guestaccount(-1));
if (pass) {
- make_server_info_pw(server_info, pass);
+ if (!make_server_info_pw(server_info, pass)) {
+ return False;
+ }
+ (*server_info)->guest = True;
+ return True;
}
+ DEBUG(0,("make_server_info_guest: sys_getpwnam() failed on guest account!\n"));
+ return False;
}
/****************************************************************************
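Review bot: When `make_server_info_pw()` fails, make_server_info_guest() returns False with no log line and without saying what state `*server_info` is left in, while the getpwnam failure is logged at level 0. Adding `DEBUG(0,("make_server_info_guest: make_server_info_pw() failed for guest account\n"));` before that `return False;` keeps the two failure paths equally visible. The existing level-0 message would also be more useful to an operator if it named the configured account, e.g. `("... failed on guest account [%s]!\n", lp_guestaccount(-1))`. Since the return type changed from void to BOOL, callers outside this diff section that ignore the result should be checked.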
@@ -712,3 +739,25 @@ NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken)
return token;
}
+
+/****************************************************************************
+ Check for a guest logon (username = "") and if so create the required
+ structure.
+****************************************************************************/
+
+NTSTATUS check_guest_security(const auth_usersupplied_info *user_info,
+ auth_serversupplied_info **server_info)
+{
+ NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
+
+ if (!(user_info->internal_username.str
+ && *user_info->internal_username.str)) {
+ if (make_server_info_guest(server_info)) {
+ nt_status = NT_STATUS_OK;
+ } else {
+ nt_status = NT_STATUS_NO_SUCH_USER;
+ }
+ }
+
+ return nt_status;
+}
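Review bot: The condition `!(user_info->internal_username.str && *user_info->internal_username.str)` treats a NULL username pointer the same as an empty string. If `internal_username.str` can ever be NULL (for example after a failed allocation or mapping step, which is not visible here), the request is promoted to a guest logon instead of being rejected. Restricting the guest path to a present-but-empty name, `if (user_info->internal_username.str && !*user_info->internal_username.str) {`, lets the NULL case fall through with NT_STATUS_LOGON_FAILURE. The function also does not look at whether any password blob was supplied, which is worth stating in the header comment so that callers rely on the `guest` flag rather than on the status alone.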