summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source4/dsdb/samdb/samdb_privilege.c5
-rw-r--r--source4/scripting/ejs/smbcalls_auth.c45
-rw-r--r--webapps/install/provision.esp107
-rw-r--r--webapps/install/vampire.esp5
4 files changed, 112 insertions, 50 deletions
diff --git a/source4/dsdb/samdb/samdb_privilege.c b/source4/dsdb/samdb/samdb_privilege.c
index 16d34938c6..2313385604 100644
--- a/source4/dsdb/samdb/samdb_privilege.c
+++ b/source4/dsdb/samdb/samdb_privilege.c
@@ -80,6 +80,11 @@ _PUBLIC_ NTSTATUS samdb_privilege_setup(struct security_token *token)
NTSTATUS status;
/* Shortcuts to prevent recursion and avoid lookups */
+ if (token->user_sid == NULL) {
+ token->privilege_mask = 0;
+ return NT_STATUS_OK;
+ }
+
if (security_token_is_system(token)) {
token->privilege_mask = ~0;
return NT_STATUS_OK;
diff --git a/source4/scripting/ejs/smbcalls_auth.c b/source4/scripting/ejs/smbcalls_auth.c
index 94a74e8e2a..33d7f2cf0e 100644
--- a/source4/scripting/ejs/smbcalls_auth.c
+++ b/source4/scripting/ejs/smbcalls_auth.c
@@ -27,6 +27,7 @@
#include "scripting/ejs/smbcalls.h"
#include "lib/events/events.h"
#include "lib/messaging/irpc.h"
+#include "libcli/security/security.h"
static int ejs_doauth(MprVarHandle eid,
TALLOC_CTX *tmp_ctx, struct MprVar *auth, const char *username,
@@ -39,6 +40,7 @@ static int ejs_doauth(MprVarHandle eid,
struct auth_context *auth_context;
struct MprVar *session_info_obj;
NTSTATUS nt_status;
+ bool set;
struct smbcalls_context *c;
struct event_context *ev;
@@ -111,6 +113,32 @@ static int ejs_doauth(MprVarHandle eid,
goto done;
}
+ if (security_token_has_nt_authenticated_users(session_info->security_token)) {
+ mprSetPropertyValue(auth, "user_class", mprString("USER"));
+ set = true;
+ }
+
+ if (security_token_has_builtin_administrators(session_info->security_token)) {
+ mprSetPropertyValue(auth, "user_class", mprString("ADMINISTRATOR"));
+ set = true;
+ }
+
+ if (security_token_is_system(session_info->security_token)) {
+ mprSetPropertyValue(auth, "user_class", mprString("SYSTEM"));
+ set = true;
+ }
+
+ if (security_token_is_anonymous(session_info->security_token)) {
+ mprSetPropertyValue(auth, "report", mprString("Anonymous login not permitted"));
+ mprSetPropertyValue(auth, "result", mprCreateBoolVar(False));
+ goto done;
+ }
+
+ if (!set) {
+ mprSetPropertyValue(auth, "report", mprString("Session Info generation failed"));
+ mprSetPropertyValue(auth, "result", mprCreateBoolVar(False));
+ }
+
session_info_obj = mprInitObject(eid, "session_info", 0, NULL);
mprSetPtrChild(session_info_obj, "session_info", session_info);
@@ -121,6 +149,23 @@ static int ejs_doauth(MprVarHandle eid,
mprSetPropertyValue(auth, "username", mprString(server_info->account_name));
mprSetPropertyValue(auth, "domain", mprString(server_info->domain_name));
+ if (security_token_is_system(session_info->security_token)) {
+ mprSetPropertyValue(auth, "report", mprString("SYSTEM"));
+ }
+
+ if (security_token_is_anonymous(session_info->security_token)) {
+ mprSetPropertyValue(auth, "report", mprString("ANONYMOUS"));
+ }
+
+ if (security_token_has_builtin_administrators(session_info->security_token)) {
+ mprSetPropertyValue(auth, "report", mprString("ADMINISTRATOR"));
+ }
+
+ if (security_token_has_nt_authenticated_users(session_info->security_token)) {
+ mprSetPropertyValue(auth, "report", mprString("USER"));
+ }
+
+
done:
return 0;
}
diff --git a/webapps/install/provision.esp b/webapps/install/provision.esp
index 8caa7391b0..6183722cb4 100644
--- a/webapps/install/provision.esp
+++ b/webapps/install/provision.esp
@@ -12,70 +12,77 @@ var f = FormObj("Provisioning", 0, 2);
var i;
var lp = loadparm_init();
-if (lp.get("realm") == "") {
- lp.set("realm", lp.get("workgroup") + ".example.com");
-}
+if (session.authinfo.user_class == "ADMINISTRATOR"
+ || session.authinfo.user_class == "SYSTEM") {
-var subobj = provision_guess();
-/* Don't supply default password for web interface */
-subobj.ADMINPASS = "";
+ if (lp.get("realm") == "") {
+ lp.set("realm", lp.get("workgroup") + ".example.com");
+ }
-f.add("REALM", "DNS Domain Name");
-f.add("DOMAIN", "NetBIOS Domain Name");
-f.add("HOSTNAME", "Hostname");
-f.add("ADMINPASS", "Administrator Password", "password");
-f.add("CONFIRM", "Confirm Password", "password");
-f.add("DOMAINSID", "Domain SID");
-f.add("HOSTIP", "Host IP");
-f.add("DEFAULTSITE", "Default Site");
-f.submit[0] = "Provision";
-f.submit[1] = "Cancel";
+ var subobj = provision_guess();
+ /* Don't supply default password for web interface */
+ subobj.ADMINPASS = "";
-if (form['submit'] == "Cancel") {
- redirect("/");
-}
+ f.add("REALM", "DNS Domain Name");
+ f.add("DOMAIN", "NetBIOS Domain Name");
+ f.add("HOSTNAME", "Hostname");
+ f.add("ADMINPASS", "Administrator Password", "password");
+ f.add("CONFIRM", "Confirm Password", "password");
+ f.add("DOMAINSID", "Domain SID");
+ f.add("HOSTIP", "Host IP");
+ f.add("DEFAULTSITE", "Default Site");
+ f.submit[0] = "Provision";
+ f.submit[1] = "Cancel";
-if (form['submit'] == "Provision") {
- for (r in form) {
- subobj[r] = form[r];
+ if (form['submit'] == "Cancel") {
+ redirect("/");
}
-}
-for (i=0;i<f.element.length;i++) {
- f.element[i].value = subobj[f.element[i].name];
-}
+ if (form['submit'] == "Provision") {
+ for (r in form) {
+ subobj[r] = form[r];
+ }
+ }
-if (form['submit'] == "Provision") {
+ for (i=0;i<f.element.length;i++) {
+ f.element[i].value = subobj[f.element[i].name];
+ }
- /* overcome an initially blank smb.conf */
- lp.set("realm", subobj.REALM);
- lp.set("workgroup", subobj.DOMAIN);
- lp.reload();
- var goodpass = (subobj.CONFIRM == subobj.ADMINPASS);
+ if (form['submit'] == "Provision") {
+
+ /* overcome an initially blank smb.conf */
+ lp.set("realm", subobj.REALM);
+ lp.set("workgroup", subobj.DOMAIN);
+ lp.reload();
+ var goodpass = (subobj.CONFIRM == subobj.ADMINPASS);
- if (!goodpass) {
- write("<h3>Passwords don't match. Please try again.</h3>");
- f.display();
- } else if (subobj.ADMINPASS == "") {
- write("<h3>You must choose an administrator password. Please try again.</h3>");
- f.display();
- } else if (!provision_validate(subobj, writefln)) {
- f.display();
- } else {
- var paths = provision_default_paths(subobj);
- if (!provision(subobj, writefln, false, paths,
- session.authinfo.session_info, session.authinfo.credentials, false)) {
- writefln("Provision failed!");
- } else if (!provision_dns(subobj, writefln, paths,
- session.authinfo.session_info, session.authinfo.credentials)) {
- writefln("DNS Provision failed!");
+ if (!goodpass) {
+ write("<h3>Passwords don't match. Please try again.</h3>");
+ f.display();
+ } else if (subobj.ADMINPASS == "") {
+ write("<h3>You must choose an administrator password. Please try again.</h3>");
+ f.display();
+ } else if (!provision_validate(subobj, writefln)) {
+ f.display();
} else {
- writefln("Provision Complete!");
+ var paths = provision_default_paths(subobj);
+ if (!provision(subobj, writefln, false, paths,
+ session.authinfo.session_info, session.authinfo.credentials, false)) {
+ writefln("Provision failed!");
+ } else if (!provision_dns(subobj, writefln, paths,
+ session.authinfo.session_info, session.authinfo.credentials)) {
+ writefln("DNS Provision failed!");
+ } else {
+ writefln("Provision Complete!");
+ }
}
+ } else {
+ f.display();
}
} else {
- f.display();
+ redirect("/");
}
+
%>
diff --git a/webapps/install/vampire.esp b/webapps/install/vampire.esp
index 675bac2ec3..6860b3ac5b 100644
--- a/webapps/install/vampire.esp
+++ b/webapps/install/vampire.esp
@@ -14,6 +14,11 @@ var f = FormObj("Provisioning", 0, 2);
var i;
var lp = loadparm_init();
+if (session.authinfo.user_class != "ADMINISTRATOR"
+ && session.authinfo.user_class != "SYSTEM") {
+ redirect("/");
+}
+
if (lp.get("realm") == "") {
lp.set("realm", lp.get("workgroup") + ".example.com");
}