diff options
-rw-r--r-- | source4/dsdb/samdb/samdb_privilege.c | 5 | ||||
-rw-r--r-- | source4/scripting/ejs/smbcalls_auth.c | 45 | ||||
-rw-r--r-- | webapps/install/provision.esp | 107 | ||||
-rw-r--r-- | webapps/install/vampire.esp | 5 |
4 files changed, 112 insertions, 50 deletions
diff --git a/source4/dsdb/samdb/samdb_privilege.c b/source4/dsdb/samdb/samdb_privilege.c index 16d34938c6..2313385604 100644 --- a/source4/dsdb/samdb/samdb_privilege.c +++ b/source4/dsdb/samdb/samdb_privilege.c @@ -80,6 +80,11 @@ _PUBLIC_ NTSTATUS samdb_privilege_setup(struct security_token *token) NTSTATUS status; /* Shortcuts to prevent recursion and avoid lookups */ + if (token->user_sid == NULL) { + token->privilege_mask = 0; + return NT_STATUS_OK; + } + if (security_token_is_system(token)) { token->privilege_mask = ~0; return NT_STATUS_OK; diff --git a/source4/scripting/ejs/smbcalls_auth.c b/source4/scripting/ejs/smbcalls_auth.c index 94a74e8e2a..33d7f2cf0e 100644 --- a/source4/scripting/ejs/smbcalls_auth.c +++ b/source4/scripting/ejs/smbcalls_auth.c @@ -27,6 +27,7 @@ #include "scripting/ejs/smbcalls.h" #include "lib/events/events.h" #include "lib/messaging/irpc.h" +#include "libcli/security/security.h" static int ejs_doauth(MprVarHandle eid, TALLOC_CTX *tmp_ctx, struct MprVar *auth, const char *username, @@ -39,6 +40,7 @@ static int ejs_doauth(MprVarHandle eid, struct auth_context *auth_context; struct MprVar *session_info_obj; NTSTATUS nt_status; + bool set; struct smbcalls_context *c; struct event_context *ev; @@ -111,6 +113,32 @@ static int ejs_doauth(MprVarHandle eid, goto done; } + if (security_token_has_nt_authenticated_users(session_info->security_token)) { + mprSetPropertyValue(auth, "user_class", mprString("USER")); + set = true; + } + + if (security_token_has_builtin_administrators(session_info->security_token)) { + mprSetPropertyValue(auth, "user_class", mprString("ADMINISTRATOR")); + set = true; + } + + if (security_token_is_system(session_info->security_token)) { + mprSetPropertyValue(auth, "user_class", mprString("SYSTEM")); + set = true; + } + + if (security_token_is_anonymous(session_info->security_token)) { + mprSetPropertyValue(auth, "report", mprString("Anonymous login not permitted")); + mprSetPropertyValue(auth, "result", mprCreateBoolVar(False)); + goto done; + } + + if (!set) { + mprSetPropertyValue(auth, "report", mprString("Session Info generation failed")); + mprSetPropertyValue(auth, "result", mprCreateBoolVar(False)); + } + session_info_obj = mprInitObject(eid, "session_info", 0, NULL); mprSetPtrChild(session_info_obj, "session_info", session_info); @@ -121,6 +149,23 @@ static int ejs_doauth(MprVarHandle eid, mprSetPropertyValue(auth, "username", mprString(server_info->account_name)); mprSetPropertyValue(auth, "domain", mprString(server_info->domain_name)); + if (security_token_is_system(session_info->security_token)) { + mprSetPropertyValue(auth, "report", mprString("SYSTEM")); + } + + if (security_token_is_anonymous(session_info->security_token)) { + mprSetPropertyValue(auth, "report", mprString("ANONYMOUS")); + } + + if (security_token_has_builtin_administrators(session_info->security_token)) { + mprSetPropertyValue(auth, "report", mprString("ADMINISTRATOR")); + } + + if (security_token_has_nt_authenticated_users(session_info->security_token)) { + mprSetPropertyValue(auth, "report", mprString("USER")); + } + + done: return 0; } diff --git a/webapps/install/provision.esp b/webapps/install/provision.esp index 8caa7391b0..6183722cb4 100644 --- a/webapps/install/provision.esp +++ b/webapps/install/provision.esp @@ -12,70 +12,77 @@ var f = FormObj("Provisioning", 0, 2); var i; var lp = loadparm_init(); -if (lp.get("realm") == "") { - lp.set("realm", lp.get("workgroup") + ".example.com"); -} +if (session.authinfo.user_class == "ADMINISTRATOR" + || session.authinfo.user_class == "SYSTEM") { -var subobj = provision_guess(); -/* Don't supply default password for web interface */ -subobj.ADMINPASS = ""; + if (lp.get("realm") == "") { + lp.set("realm", lp.get("workgroup") + ".example.com"); + } -f.add("REALM", "DNS Domain Name"); -f.add("DOMAIN", "NetBIOS Domain Name"); -f.add("HOSTNAME", "Hostname"); -f.add("ADMINPASS", "Administrator Password", "password"); -f.add("CONFIRM", "Confirm Password", "password"); -f.add("DOMAINSID", "Domain SID"); -f.add("HOSTIP", "Host IP"); -f.add("DEFAULTSITE", "Default Site"); -f.submit[0] = "Provision"; -f.submit[1] = "Cancel"; + var subobj = provision_guess(); + /* Don't supply default password for web interface */ + subobj.ADMINPASS = ""; -if (form['submit'] == "Cancel") { - redirect("/"); -} + f.add("REALM", "DNS Domain Name"); + f.add("DOMAIN", "NetBIOS Domain Name"); + f.add("HOSTNAME", "Hostname"); + f.add("ADMINPASS", "Administrator Password", "password"); + f.add("CONFIRM", "Confirm Password", "password"); + f.add("DOMAINSID", "Domain SID"); + f.add("HOSTIP", "Host IP"); + f.add("DEFAULTSITE", "Default Site"); + f.submit[0] = "Provision"; + f.submit[1] = "Cancel"; -if (form['submit'] == "Provision") { - for (r in form) { - subobj[r] = form[r]; + if (form['submit'] == "Cancel") { + redirect("/"); } -} -for (i=0;i<f.element.length;i++) { - f.element[i].value = subobj[f.element[i].name]; -} + if (form['submit'] == "Provision") { + for (r in form) { + subobj[r] = form[r]; + } + } -if (form['submit'] == "Provision") { + for (i=0;i<f.element.length;i++) { + f.element[i].value = subobj[f.element[i].name]; + } - /* overcome an initially blank smb.conf */ - lp.set("realm", subobj.REALM); - lp.set("workgroup", subobj.DOMAIN); - lp.reload(); - var goodpass = (subobj.CONFIRM == subobj.ADMINPASS); + if (form['submit'] == "Provision") { + + /* overcome an initially blank smb.conf */ + lp.set("realm", subobj.REALM); + lp.set("workgroup", subobj.DOMAIN); + lp.reload(); + var goodpass = (subobj.CONFIRM == subobj.ADMINPASS); - if (!goodpass) { - write("<h3>Passwords don't match. Please try again.</h3>"); - f.display(); - } else if (subobj.ADMINPASS == "") { - write("<h3>You must choose an administrator password. Please try again.</h3>"); - f.display(); - } else if (!provision_validate(subobj, writefln)) { - f.display(); - } else { - var paths = provision_default_paths(subobj); - if (!provision(subobj, writefln, false, paths, - session.authinfo.session_info, session.authinfo.credentials, false)) { - writefln("Provision failed!"); - } else if (!provision_dns(subobj, writefln, paths, - session.authinfo.session_info, session.authinfo.credentials)) { - writefln("DNS Provision failed!"); + if (!goodpass) { + write("<h3>Passwords don't match. Please try again.</h3>"); + f.display(); + } else if (subobj.ADMINPASS == "") { + write("<h3>You must choose an administrator password. Please try again.</h3>"); + f.display(); + } else if (!provision_validate(subobj, writefln)) { + f.display(); } else { - writefln("Provision Complete!"); + var paths = provision_default_paths(subobj); + if (!provision(subobj, writefln, false, paths, + session.authinfo.session_info, session.authinfo.credentials, false)) { + writefln("Provision failed!"); + } else if (!provision_dns(subobj, writefln, paths, + session.authinfo.session_info, session.authinfo.credentials)) { + writefln("DNS Provision failed!"); + } else { + writefln("Provision Complete!"); + } } + } else { + f.display(); } } else { - f.display(); + redirect("/"); } + %> diff --git a/webapps/install/vampire.esp b/webapps/install/vampire.esp index 675bac2ec3..6860b3ac5b 100644 --- a/webapps/install/vampire.esp +++ b/webapps/install/vampire.esp @@ -14,6 +14,11 @@ var f = FormObj("Provisioning", 0, 2); var i; var lp = loadparm_init(); +if (session.authinfo.user_class != "ADMINISTRATOR" + && session.authinfo.user_class != "SYSTEM") { + redirect("/"); +} + if (lp.get("realm") == "") { lp.set("realm", lp.get("workgroup") + ".example.com"); } |