2 files changed, 164 insertions, 137 deletions

diff --git a/source3/smbd/password.c b/source3/smbd/password.c
index d2059e7e20..6be2989881 100644
--- a/source3/smbd/password.c
+++ b/source3/smbd/password.c
@@ -765,171 +765,182 @@ static char *validate_group(char *group,char *password,int pwlen,int snum)
 	return(NULL);
 }
 
-
-
 /****************************************************************************
-check for authority to login to a service with a given username/password
+ Check for authority to login to a service with a given username/password.
+ Note this is *NOT* used when logging on using sessionsetup_and_X.
 ****************************************************************************/
+
 BOOL authorise_login(int snum,char *user,char *password, int pwlen, 
 		     BOOL *guest,BOOL *force,uint16 vuid)
 {
-  BOOL ok = False;
-  user_struct *vuser = get_valid_user_struct(vuid);
+	BOOL ok = False;
+	user_struct *vuser = get_valid_user_struct(vuid);
 
-  if (lp_security() > SEC_SHARE && !vuser) {
-	  DEBUG(1,("authorise_login: refusing user %s with no session setup\n",
-		   user));
-	  return False;
-  }
-  
-  *guest = False;
-  
 #if DEBUG_PASSWORD
-  DEBUG(100,("checking authorisation on user=%s pass=%s\n",user,password));
+	DEBUG(100,("authorise_login: checking authorisation on user=%s pass=%s\n",
+			user,password));
 #endif
 
-  /* there are several possibilities:
-     1) login as the given user with given password
-     2) login as a previously registered username with the given password
-     3) login as a session list username with the given password
-     4) login as a previously validated user/password pair
-     5) login as the "user =" user with given password
-     6) login as the "user =" user with no password (guest connection)
-     7) login as guest user with no password
+	*guest = False;
+  
+	if (GUEST_ONLY(snum))
+		*force = True;
 
-     if the service is guest_only then steps 1 to 5 are skipped
-  */
+	if (!GUEST_ONLY(snum) && (lp_security() > SEC_SHARE)) {
 
-  if (GUEST_ONLY(snum)) *force = True;
+		/*
+		 * We should just use the given vuid from a sessionsetup_and_X.
+		 */
 
-  if (!(GUEST_ONLY(snum) && GUEST_OK(snum)))
-    {
-      /* check the given username and password */
-      if (!ok && (*user) && user_ok(user,snum)) {
-	ok = password_ok(user,password, pwlen, NULL);
-	if (ok) DEBUG(3,("ACCEPTED: given username password ok\n"));
-      }
+		if (!vuser) {
+			DEBUG(1,("authorise_login: refusing user %s with no session setup\n",
+					user));
+			return False;
+		}
 
-      /* check for a previously registered guest username */
-      if (!ok && (vuser != 0) && vuser->guest) {	  
-	if (user_ok(vuser->user.unix_name,snum) &&
-	    password_ok(vuser->user.unix_name, password, pwlen, NULL)) {
-	  fstrcpy(user, vuser->user.unix_name);
-	  vuser->guest = False;
-	  DEBUG(3,("ACCEPTED: given password with registered user %s\n", user));
-	  ok = True;
+		if (!vuser->guest && user_ok(vuser->user.unix_name,snum)) {
+			fstrcpy(user,vuser->user.unix_name);
+			*guest = False;
+			DEBUG(3,("authorise_login: ACCEPTED: validated uid ok as non-guest \
+(user=%s)\n", user));
+			return True;
+		}
 	}
-      }
-
+ 
+	/* there are several possibilities:
+		1) login as the given user with given password
+		2) login as a previously registered username with the given password
+		3) login as a session list username with the given password
+		4) login as a previously validated user/password pair
+		5) login as the "user =" user with given password
+		6) login as the "user =" user with no password (guest connection)
+		7) login as guest user with no password
+
+		if the service is guest_only then steps 1 to 5 are skipped
+	*/
+
+	if (!(GUEST_ONLY(snum) && GUEST_OK(snum))) {
+		/* check the given username and password */
+		if (!ok && (*user) && user_ok(user,snum)) {
+			ok = password_ok(user,password, pwlen, NULL);
+			if (ok)
+				DEBUG(3,("authorise_login: ACCEPTED: given username (%s) password ok\n",
+						user ));
+		}
 
-      /* now check the list of session users */
-    if (!ok)
-    {
-      char *auser;
-      char *user_list = strdup(session_users);
-      if (!user_list) return(False);
+		/* check for a previously registered guest username */
+		if (!ok && (vuser != 0) && vuser->guest) {	  
+			if (user_ok(vuser->user.unix_name,snum) &&
+					password_ok(vuser->user.unix_name, password, pwlen, NULL)) {
+				fstrcpy(user, vuser->user.unix_name);
+				vuser->guest = False;
+				DEBUG(3,("authorise_login: ACCEPTED: given password with registered user %s\n", user));
+				ok = True;
+			}
+		}
 
-      for (auser=strtok(user_list,LIST_SEP); 
-           !ok && auser; 
-           auser = strtok(NULL,LIST_SEP))
-      {
-        fstring user2;
-        fstrcpy(user2,auser);
-        if (!user_ok(user2,snum)) continue;
+		/* now check the list of session users */
+		if (!ok) {
+			char *auser;
+			char *user_list = strdup(session_users);
+			if (!user_list)
+				return(False);
+
+			for (auser=strtok(user_list,LIST_SEP); !ok && auser;
+									auser = strtok(NULL,LIST_SEP)) {
+				fstring user2;
+				fstrcpy(user2,auser);
+				if (!user_ok(user2,snum))
+					continue;
 		  
-        if (password_ok(user2,password, pwlen, NULL)) {
-          ok = True;
-          fstrcpy(user,user2);
-          DEBUG(3,("ACCEPTED: session list username and given password ok\n"));
-        }
-      }
-      free(user_list);
-    }
+				if (password_ok(user2,password, pwlen, NULL)) {
+					ok = True;
+					fstrcpy(user,user2);
+					DEBUG(3,("authorise_login: ACCEPTED: session list username (%s) \
+and given password ok\n", user));
+				}
+			}
 
-    /* check for a previously validated username/password pair */
-    if (!ok && (lp_security() > SEC_SHARE) &&
-        (vuser != 0) && !vuser->guest &&
-        user_ok(vuser->user.unix_name,snum)) {
-      fstrcpy(user,vuser->user.unix_name);
-      *guest = False;
-      DEBUG(3,("ACCEPTED: validated uid ok as non-guest\n"));
-      ok = True;
-    }
+			free(user_list);
+		}
 
-      /* check for a rhosts entry */
-      if (!ok && user_ok(user,snum) && check_hosts_equiv(user)) {
-	ok = True;
-	DEBUG(3,("ACCEPTED: hosts equiv or rhosts entry\n"));
-      }
+		/* check for a previously validated username/password pair */
+		if (!ok && (lp_security() > SEC_SHARE) && (vuser != 0) && !vuser->guest &&
+							user_ok(vuser->user.unix_name,snum)) {
+			fstrcpy(user,vuser->user.unix_name);
+			*guest = False;
+			DEBUG(3,("authorise_login: ACCEPTED: validated uid (%s) as non-guest\n",
+				user));
+			ok = True;
+		}
 
-      /* check the user= fields and the given password */
-      if (!ok && lp_username(snum)) {
-	char *auser;
-	pstring user_list;
-	StrnCpy(user_list,lp_username(snum),sizeof(pstring));
+		/* check for a rhosts entry */
+		if (!ok && user_ok(user,snum) && check_hosts_equiv(user)) {
+			ok = True;
+			DEBUG(3,("authorise_login: ACCEPTED: hosts equiv or rhosts entry for %s\n",
+					user));
+		}
 
-	pstring_sub(user_list,"%S",lp_servicename(snum));
-	  
-	for (auser=strtok(user_list,LIST_SEP);
-	     auser && !ok;
-	     auser = strtok(NULL,LIST_SEP))
-	  {
-	    if (*auser == '@')
-	      {
-		auser = validate_group(auser+1,password,pwlen,snum);
-		if (auser)
-		  {
-		    ok = True;
-		    fstrcpy(user,auser);
-		    DEBUG(3,("ACCEPTED: group username and given password ok\n"));
-		  }
-	      }
-	    else
-	      {
-		fstring user2;
-		fstrcpy(user2,auser);
-		if (user_ok(user2,snum) && 
-		    password_ok(user2,password,pwlen,NULL))
-		  {
-		    ok = True;
-		    fstrcpy(user,user2);
-		    DEBUG(3,("ACCEPTED: user list username and given password ok\n"));
-		  }
-	      }
-	  }
-      }      
-    } /* not guest only */
+		/* check the user= fields and the given password */
+		if (!ok && lp_username(snum)) {
+			char *auser;
+			pstring user_list;
+			StrnCpy(user_list,lp_username(snum),sizeof(pstring));
 
-  /* check for a normal guest connection */
-  if (!ok && GUEST_OK(snum))
-    {
-      fstring guestname;
-      StrnCpy(guestname,lp_guestaccount(snum),sizeof(guestname)-1);
-      if (Get_Pwnam(guestname,True))
-	{
-	  fstrcpy(user,guestname);
-	  ok = True;
-	  DEBUG(3,("ACCEPTED: guest account and guest ok\n"));
+			pstring_sub(user_list,"%S",lp_servicename(snum));
+	  
+			for (auser=strtok(user_list,LIST_SEP); auser && !ok;
+											auser = strtok(NULL,LIST_SEP)) {
+				if (*auser == '@') {
+					auser = validate_group(auser+1,password,pwlen,snum);
+					if (auser) {
+						ok = True;
+						fstrcpy(user,auser);
+						DEBUG(3,("authorise_login: ACCEPTED: group username \
+and given password ok (%s)\n", user));
+					}
+				} else {
+					fstring user2;
+					fstrcpy(user2,auser);
+					if (user_ok(user2,snum) && password_ok(user2,password,pwlen,NULL)) {
+						ok = True;
+						fstrcpy(user,user2);
+						DEBUG(3,("authorise_login: ACCEPTED: user list username \
+and given password ok (%s)\n", user));
+					}
+				}
+			}
+		}
+	} /* not guest only */
+
+	/* check for a normal guest connection */
+	if (!ok && GUEST_OK(snum)) {
+		fstring guestname;
+		StrnCpy(guestname,lp_guestaccount(snum),sizeof(guestname)-1);
+		if (Get_Pwnam(guestname,True)) {
+			fstrcpy(user,guestname);
+			ok = True;
+			DEBUG(3,("authorise_login: ACCEPTED: guest account and guest ok (%s)\n",
+					user));
+		} else {
+			DEBUG(0,("authorise_login: Invalid guest account %s??\n",guestname));
+		}
+		*guest = True;
 	}
-      else
-	DEBUG(0,("Invalid guest account %s??\n",guestname));
-      *guest = True;
-    }
 
-  if (ok && !user_ok(user,snum))
-    {
-      DEBUG(0,("rejected invalid user %s\n",user));
-      ok = False;
-    }
+	if (ok && !user_ok(user,snum)) {
+		DEBUG(0,("authorise_login: rejected invalid user %s\n",user));
+		ok = False;
+	}
 
-  return(ok);
+	return(ok);
 }
 
-
 /****************************************************************************
-read the a hosts.equiv or .rhosts file and check if it
-allows this user from this machine
+ Read the a hosts.equiv or .rhosts file and check if it
+ allows this user from this machine.
 ****************************************************************************/
+
 static BOOL check_user_equiv(char *user, char *remote, char *equiv_file)
 {
   int plus_allowed = 1;
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index e0b0cea2d3..cd7b3fe6fe 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -205,6 +205,14 @@ int reply_tcon(connection_struct *conn,
 		pstrcpy(service, p+1);
 	}
 
+    /*
+	 * If the vuid is valid, we should be using that....
+	 */
+
+	if (*user == '\0' && (lp_security() != SEC_SHARE) && validated_username(vuid)) {
+		pstrcpy(user,validated_username(vuid));
+	}
+
 	/*
 	 * Ensure the user and password names are in UNIX codepage format.
 	 */
@@ -247,6 +255,7 @@ int reply_tcon(connection_struct *conn,
 /****************************************************************************
  Reply to a tcon and X.
 ****************************************************************************/
+
 int reply_tcon_and_X(connection_struct *conn, char *inbuf,char *outbuf,int length,int bufsize)
 {
 	fstring service;
@@ -298,6 +307,14 @@ int reply_tcon_and_X(connection_struct *conn, char *inbuf,char *outbuf,int lengt
 
 	DEBUG(4,("Got device type %s\n",devicename));
 
+    /*
+	 * If the vuid is valid, we should be using that....
+	 */
+
+	if (*user == '\0' && (lp_security() != SEC_SHARE) && validated_username(vuid)) {
+		pstrcpy(user,validated_username(vuid));
+	}
+
 	/*
 	 * Pass the user through the NT -> unix user mapping
 	 * function.
@@ -1066,7 +1083,6 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,int
   return chain_reply(inbuf,outbuf,length,bufsize);
 }
 
-
 /****************************************************************************
   reply to a chkpth
 ****************************************************************************/