author | Andrew Bartlett <abartlet@samba.org> | 2011-07-15 12:45:17 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2011-07-20 09:17:10 +1000 |
commit | f16d8f4eb86ecc4741c25e5ed87b2ea4c6717a31 (patch) | |
tree | bd839288be389cbfe84852e0a114b3ee77589462 /source3/smbd | |
parent | d7d8a5ed94a2b572b6818008a858f8c6b529dd03 (diff) | |
s3-auth Use struct auth3_session_info outside the auth subsystem
This separation between the structure used inside the auth modules and
in the wider codebase allows for a gradual migration from struct
auth_serversupplied_info -> struct auth_session_info (from auth.idl).
The idea here is that we keep a clear separation between the structure
before and after the local groups, local user lookup and the session
key modifications have been processed, as the lack of this separation
has caused issues in the past.
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
Diffstat (limited to 'source3/smbd')
-rw-r--r-- | source3/smbd/globals.h | 2 | ||||
-rw-r--r-- | source3/smbd/msdfs.c | 4 | ||||
-rw-r--r-- | source3/smbd/password.c | 2 | ||||
-rw-r--r-- | source3/smbd/proto.h | 12 | ||||
-rw-r--r-- | source3/smbd/server_reload.c | 2 | ||||
-rw-r--r-- | source3/smbd/service.c | 14 | ||||
-rw-r--r-- | source3/smbd/sesssetup.c | 47 | ||||
-rw-r--r-- | source3/smbd/uid.c | 14 |
8 files changed, 64 insertions, 33 deletions
diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h
index 911a86a15f..c7bf239a36 100644
--- a/source3/smbd/globals.h
+++ b/source3/smbd/globals.h
@@ -422,7 +422,7 @@ struct smbd_smb2_session {
 NTSTATUS status;
 uint64_t vuid;
 struct auth_ntlmssp_state *auth_ntlmssp_state;
- struct auth_serversupplied_info *session_info;
+ struct auth3_session_info *session_info;
 DATA_BLOB session_key;
 bool do_signing;
diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c
index 4629a39aa3..25a82cdbb0 100644
--- a/source3/smbd/msdfs.c
+++ b/source3/smbd/msdfs.c
@@ -225,7 +225,7 @@ NTSTATUS create_conn_struct(TALLOC_CTX *ctx,
 connection_struct **pconn,
 int snum,
 const char *path,
- const struct auth_serversupplied_info *session_info,
+ const struct auth3_session_info *session_info,
 char **poldcwd)
 {
 connection_struct *conn;
@@ -266,7 +266,7 @@ NTSTATUS create_conn_struct(TALLOC_CTX *ctx,
 conn->sconn->num_tcons_open++;
 if (session_info != NULL) {
- conn->session_info = copy_serverinfo(conn, session_info);
+ conn->session_info = copy_session_info(conn, session_info);
 if (conn->session_info == NULL) {
 DEBUG(0, ("copy_serverinfo failed\n"));
 TALLOC_FREE(conn);
diff --git a/source3/smbd/password.c b/source3/smbd/password.c
index 6a3b6ddf2f..f32989da54 100644
--- a/source3/smbd/password.c
+++ b/source3/smbd/password.c
@@ -263,7 +263,7 @@ int register_homes_share(const char *username)
 int register_existing_vuid(struct smbd_server_connection *sconn,
 uint16 vuid,
- struct auth_serversupplied_info *session_info,
+ struct auth3_session_info *session_info,
 DATA_BLOB response_blob,
 const char *smb_name)
 {
diff --git a/source3/smbd/proto.h b/source3/smbd/proto.h
index ae63f0adf2..f3b54e7221 100644
--- a/source3/smbd/proto.h
+++ b/source3/smbd/proto.h
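Review bot: In the source3/smbd/msdfs.c hunk at -266, the failure path still logs `copy_serverinfo failed` although the call on the new side is `copy_session_info(conn, session_info)`, so a level-0 log entry names a function that is no longer on this path. Change the message to `DEBUG(0, ("copy_session_info failed\n"));` so the log line can be matched to the code when a connection setup failure is being diagnosed. create_conn_struct continues outside the hunk.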
@@ -478,7 +478,7 @@ NTSTATUS create_conn_struct(TALLOC_CTX *ctx,
 connection_struct **pconn,
 int snum,
 const char *path,
- const struct auth_serversupplied_info *session_info,
+ const struct auth3_session_info *session_info,
 char **poldcwd);
 /* The following definitions come from smbd/negprot.c */
@@ -711,7 +711,7 @@ int register_initial_vuid(struct smbd_server_connection *sconn);
 int register_homes_share(const char *username);
 int register_existing_vuid(struct smbd_server_connection *sconn,
 uint16 vuid,
- struct auth_serversupplied_info *session_info,
+ struct auth3_session_info *session_info,
 DATA_BLOB response_blob,
 const char *smb_name);
 void add_session_user(struct smbd_server_connection *sconn, const char *user);
@@ -1009,7 +1009,7 @@ int list_sessions(TALLOC_CTX *mem_ctx, struct sessionid **session_list);
 /* The following definitions come from smbd/sesssetup.c */
 NTSTATUS do_map_to_guest(NTSTATUS status,
- struct auth_serversupplied_info **session_info,
+ struct auth3_session_info **session_info,
 const char *user, const char *domain);
 NTSTATUS parse_spnego_mechanisms(TALLOC_CTX *ctx,
@@ -1108,10 +1108,10 @@ void reply_transs2(struct smb_request *req);
 bool change_to_guest(void);
 bool change_to_user(connection_struct *conn, uint16 vuid);
 bool change_to_user_by_session(connection_struct *conn,
- const struct auth_serversupplied_info *session_info);
+ const struct auth3_session_info *session_info);
 bool change_to_root_user(void);
 bool smbd_change_to_root_user(void);
-bool become_authenticated_pipe_user(struct auth_serversupplied_info *session_info);
+bool become_authenticated_pipe_user(struct auth3_session_info *session_info);
 bool unbecome_authenticated_pipe_user(void);
 void become_root(void);
 void unbecome_root(void);
@@ -1119,7 +1119,7 @@ void smbd_become_root(void);
 void smbd_unbecome_root(void);
 bool become_user(connection_struct *conn, uint16 vuid);
 bool become_user_by_session(connection_struct *conn,
- const struct auth_serversupplied_info *session_info);
+ const struct auth3_session_info *session_info);
 bool unbecome_user(void);
 uid_t get_current_uid(connection_struct *conn);
 gid_t get_current_gid(connection_struct *conn);
diff --git a/source3/smbd/server_reload.c b/source3/smbd/server_reload.c
index 259a963abf..1242aae673 100644
--- a/source3/smbd/server_reload.c
+++ b/source3/smbd/server_reload.c
@@ -37,7 +37,7 @@
 void reload_printers(struct tevent_context *ev,
 struct messaging_context *msg_ctx)
 {
- struct auth_serversupplied_info *session_info = NULL;
+ struct auth3_session_info *session_info = NULL;
 struct spoolss_PrinterInfo2 *pinfo2 = NULL;
 int snum;
 int n_services = lp_numservices();
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index 5c410be02a..c772b8a069 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -373,22 +373,22 @@ static NTSTATUS find_forced_group(bool force_user,
 }
 /****************************************************************************
- Create an auth_serversupplied_info structure for a connection_struct
+ Create an auth3_session_info structure for a connection_struct
 ****************************************************************************/
 static NTSTATUS create_connection_session_info(struct smbd_server_connection *sconn,
 TALLOC_CTX *mem_ctx, int snum,
- struct auth_serversupplied_info *vuid_serverinfo,
+ struct auth3_session_info *vuid_serverinfo,
 DATA_BLOB password,
- struct auth_serversupplied_info **presult)
+ struct auth3_session_info **presult)
 {
 if (lp_guest_only(snum)) {
- return make_server_info_guest(mem_ctx, presult);
+ return make_session_info_guest(mem_ctx, presult);
 }
 if (vuid_serverinfo != NULL) {
- struct auth_serversupplied_info *result;
+ struct auth3_session_info *result;
 /*
 * This is the normal security != share case where we have a
@@ -414,7 +414,7 @@ static NTSTATUS create_connection_session_info(struct smbd_server_connection *sc
 }
 }
- result = copy_serverinfo(mem_ctx, vuid_serverinfo);
+ result = copy_session_info(mem_ctx, vuid_serverinfo);
 if (result == NULL) {
 return NT_STATUS_NO_MEMORY;
 }
@@ -466,7 +466,7 @@ NTSTATUS set_conn_force_user_group(connection_struct *conn, int snum)
 */
 char *fuser;
- struct auth_serversupplied_info *forced_serverinfo;
+ struct auth3_session_info *forced_serverinfo;
 fuser = talloc_string_sub(conn, lp_force_user(snum), "%S", lp_const_servicename(snum));
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 74d9e1cebf..694c0874f2 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
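Review bot: In source3/smbd/service.c, `create_connection_session_info()` keeps the parameter name `vuid_serverinfo` (hunk at -373, used again at -414) and the hunk at -466 keeps the local `forced_serverinfo`, although both are now `struct auth3_session_info`. The commit message gives the purpose of the new type as keeping the structure before and after group, user and session-key processing clearly apart, and names that still say "serverinfo" make it easy to take one for the other when reading a call site. Rename them, e.g. `struct auth3_session_info *vuid_session_info` and `struct auth3_session_info *forced_session_info`. Both functions extend beyond the hunks shown, so the remaining uses need the same rename.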
@@ -49,9 +49,9 @@ struct pending_auth_data {
 on a logon error possibly map the error to success if "map to guest"
 is set approriately
 */
-NTSTATUS do_map_to_guest(NTSTATUS status,
- struct auth_serversupplied_info **server_info,
- const char *user, const char *domain)
+static NTSTATUS do_map_to_guest_server_info(NTSTATUS status,
+ struct auth_serversupplied_info **server_info,
+ const char *user, const char *domain)
 {
 user = user ? user : "";
 domain = domain ? domain : "";
@@ -76,6 +76,37 @@ NTSTATUS do_map_to_guest(NTSTATUS status,
 return status;
 }
+/*
+ on a logon error possibly map the error to success if "map to guest"
+ is set approriately
+*/
+NTSTATUS do_map_to_guest(NTSTATUS status,
+ struct auth3_session_info **session_info,
+ const char *user, const char *domain)
+{
+ user = user ? user : "";
+ domain = domain ? domain : "";
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
+ if ((lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER) ||
+ (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD)) {
+ DEBUG(3,("No such user %s [%s] - using guest account\n",
+ user, domain));
+ status = make_session_info_guest(NULL, session_info);
+ }
+ }
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
+ if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD) {
+ DEBUG(3,("Registered username %s for guest access\n",
+ user));
+ status = make_session_info_guest(NULL, session_info);
+ }
+ }
+
+ return status;
+}
+
 /****************************************************************************
 Add the standard 'Samba' signature to the end of the session setup.
 ****************************************************************************/
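Review bot: The new `do_map_to_guest()` in the source3/smbd/sesssetup.c hunk at -76 appears to duplicate the "map to guest" decision that stays in `do_map_to_guest_server_info()` (its body is only partly visible in the hunk at -49), and neither function says the two must be kept identical. This is the logic that turns a failed logon into a guest session, so a later change applied to only one copy would make the two session-setup paths disagree on when guest access is granted. Until the older helper is removed, add a comment above both, e.g. `/* Keep in sync with do_map_to_guest_server_info() until its callers are migrated. */`. The comment on the new function should also say that `*session_info` is written only on the mapped path, by `make_session_info_guest(NULL, session_info)`, which, judging by the NULL first argument, leaves freeing it to the caller.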
@@ -251,7 +282,7 @@ static void reply_spnego_kerberos(struct smb_request *req,
 int sess_vuid = req->vuid;
 NTSTATUS ret = NT_STATUS_OK;
 DATA_BLOB ap_rep, ap_rep_wrapped, response;
- struct auth_serversupplied_info *session_info = NULL;
+ struct auth3_session_info *session_info = NULL;
 DATA_BLOB session_key = data_blob_null;
 uint8 tok_id[2];
 DATA_BLOB nullblob = data_blob_null;
@@ -456,7 +487,7 @@ static void reply_spnego_ntlmssp(struct smb_request *req,
 {
 bool do_invalidate = true;
 DATA_BLOB response;
- struct auth_serversupplied_info *session_info = NULL;
+ struct auth3_session_info *session_info = NULL;
 struct smbd_server_connection *sconn = req->sconn;
 if (NT_STATUS_IS_OK(nt_status)) {
@@ -1297,7 +1328,7 @@ void reply_sesssetup_and_X(struct smb_request *req)
 const char *primary_domain;
 struct auth_usersupplied_info *user_info = NULL;
 struct auth_serversupplied_info *server_info = NULL;
- struct auth_serversupplied_info *session_info = NULL;
+ struct auth3_session_info *session_info = NULL;
 uint16 smb_flag2 = req->flags2;
 NTSTATUS nt_status;
@@ -1635,8 +1666,8 @@ void reply_sesssetup_and_X(struct smb_request *req)
 free_user_info(&user_info);
 if (!NT_STATUS_IS_OK(nt_status)) {
- nt_status = do_map_to_guest(nt_status, &server_info,
- user, domain);
+ nt_status = do_map_to_guest_server_info(nt_status, &server_info,
+ user, domain);
 }
 if (!NT_STATUS_IS_OK(nt_status)) {
diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
index 8114144574..5d703e3a18 100644
--- a/source3/smbd/uid.c
+++ b/source3/smbd/uid.c
@@ -87,7 +87,7 @@ static void free_conn_session_info_if_unused(connection_struct *conn)
 static bool check_user_ok(connection_struct *conn,
 uint16_t vuid,
- const struct auth_serversupplied_info *session_info,
+ const struct auth3_session_info *session_info,
 int snum)
 {
 bool valid_vuid = (vuid != UID_FIELD_INVALID);
@@ -158,7 +158,7 @@ static bool check_user_ok(connection_struct *conn,
 * username-based faked one.
 */
- ent->session_info = copy_serverinfo(
+ ent->session_info = copy_session_info(
 conn, conn->force_user ? conn->session_info : session_info);
 if (ent->session_info == NULL) {
@@ -190,7 +190,7 @@ static bool check_user_ok(connection_struct *conn,
 ****************************************************************************/
 static bool change_to_user_internal(connection_struct *conn,
- const struct auth_serversupplied_info *session_info,
+ const struct auth3_session_info *session_info,
 uint16_t vuid)
 {
 int snum;
@@ -277,7 +277,7 @@ static bool change_to_user_internal(connection_struct *conn,
 bool change_to_user(connection_struct *conn, uint16_t vuid)
 {
- const struct auth_serversupplied_info *session_info = NULL;
+ const struct auth3_session_info *session_info = NULL;
 user_struct *vuser;
 int snum = SNUM(conn);
@@ -328,7 +328,7 @@ bool change_to_user(connection_struct *conn, uint16_t vuid)
 }
 bool change_to_user_by_session(connection_struct *conn,
- const struct auth_serversupplied_info *session_info)
+ const struct auth3_session_info *session_info)
 {
 SMB_ASSERT(conn != NULL);
 SMB_ASSERT(session_info != NULL);
@@ -367,7 +367,7 @@ bool smbd_change_to_root_user(void)
 user. Doesn't modify current_user.
 ****************************************************************************/
-bool become_authenticated_pipe_user(struct auth_serversupplied_info *session_info)
+bool become_authenticated_pipe_user(struct auth3_session_info *session_info)
 {
 if (!push_sec_ctx())
 return False;
@@ -487,7 +487,7 @@ bool become_user(connection_struct *conn, uint16 vuid)
 }
 bool become_user_by_session(connection_struct *conn,
- const struct auth_serversupplied_info *session_info)
+ const struct auth3_session_info *session_info)
 {
 if (!push_sec_ctx())
 return false; |