-rw-r--r-- | source3/auth/auth.c | 67 | ||||
-rw-r--r-- | source3/auth/auth_util.c | 53 | ||||
-rw-r--r-- | source3/rpc_server/srv_netlog_nt.c | 9 | ||||
-rw-r--r-- | source3/rpc_server/srv_pipe.c | 51 | ||||
-rw-r--r-- | source3/smbd/auth.c | 67 | ||||
-rw-r--r-- | source3/smbd/auth_util.c | 53 | ||||
-rw-r--r-- | source3/smbd/password.c | 18 | ||||
-rw-r--r-- | source3/smbd/reply.c | 2 | ||||
-rw-r--r-- | source3/smbd/session.c | 8 | ||||
-rw-r--r-- | source3/smbd/sesssetup.c | 120 |
10 files changed, 292 insertions, 156 deletions
diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 4d1a566833..67f80afdda 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -63,9 +63,23 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; BOOL done_pam = False; + const char *pdb_username; - DEBUG(3, ("check_password: Checking password for unmapped user %s\\%s@%s with the new password interface\n", - user_info->smb_name.str, user_info->client_domain.str, user_info->wksta_name.str)); + DEBUG(3, ("check_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n", + user_info->client_domain.str, user_info->smb_name.str, user_info->wksta_name.str)); + + DEBUG(3, ("check_password: mapped user is: [%s]\\[%s]@[%s]\n", + user_info->domain.str, user_info->internal_username.str, user_info->wksta_name.str)); + + if (!NT_STATUS_IS_OK(nt_status)) { + nt_status = check_guest_security(user_info, server_info); + if (NT_STATUS_IS_OK(nt_status)) { + DEBUG(5, ("check_password: checking guest-account for user [%s] suceeded\n", user_info->smb_name.str)); + } else { + DEBUG(10, ("check_password: checking gusst-account for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + + } + } /* This needs to be sorted: If it doesn't match, what should we do? */ if (!check_domain_match(user_info->smb_name.str, user_info->domain.str)) { 
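Review bot: `const char *pdb_username;` is declared without an initializer, and its only assignment sits in a later hunk of check_password, inside `if (NT_STATUS_IS_OK(nt_status))`. The final success DEBUG reads it, which is safe only because nt_status cannot turn OK after that assignment point; a later edit that adds another path to success would print an indeterminate pointer. Declaring it as `const char *pdb_username = NULL;` makes that dependency explicit and quiets maybe-uninitialized warnings. The identical hunk under source3/smbd/auth.c has the same declaration.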
@@ -75,9 +89,9 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, if (!NT_STATUS_IS_OK(nt_status)) { nt_status = check_rhosts_security(user_info, server_info); if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(7, ("check_password: Password (rhosts) for user %s suceeded\n", user_info->smb_name.str)); + DEBUG(3, ("check_password: Password (rhosts) for user [%s] suceeded\n", user_info->smb_name.str)); } else { - DEBUG(5, ("check_password: Password (rhosts)for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + DEBUG(10, ("check_password: Password (rhosts) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); } } @@ -85,9 +99,9 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, if ((lp_security() == SEC_DOMAIN) && !NT_STATUS_IS_OK(nt_status)) { nt_status = check_domain_security(user_info, server_info); if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(7, ("check_password: Password (domain) for user %s suceeded\n", user_info->smb_name.str)); + DEBUG(7, ("check_password: Password (domain) for user [%s] suceeded\n", user_info->smb_name.str)); } else { - DEBUG(5, ("check_password: Password (domain) for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + DEBUG(5, ("check_password: Password (domain) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); } } 
@@ -95,9 +109,9 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, if ((lp_security() == SEC_SERVER) && !NT_STATUS_IS_OK(nt_status)) { nt_status = check_server_security(user_info, server_info); if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(7, ("check_password: Password (server) for user %s suceeded\n", user_info->smb_name.str)); + DEBUG(7, ("check_password: Password (server) for user [%s] suceeded\n", user_info->smb_name.str)); } else { - DEBUG(5, ("check_password: Password (server) for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + DEBUG(5, ("check_password: Password (server) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); } } 
@@ -115,32 +129,37 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, } if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(7, ("check_password: Password (unix/smbpasswd) for user %s suceeded\n", user_info->smb_name.str)); + DEBUG(7, ("check_password: Password (unix/smbpasswd) for user [%s] suceeded\n", user_info->smb_name.str)); } else { - DEBUG(5, ("check_password: Password (unix/smbpasswd) for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + DEBUG(5, ("check_password: Password (unix/smbpasswd) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); } } - - if (NT_STATUS_IS_OK(nt_status) && !done_pam) { - /* We might not be root if we are an RPC call */ - become_root(); - nt_status = smb_pam_accountcheck(pdb_get_username((*server_info)->sam_account)); - unbecome_root(); - - if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(5, ("check_password: PAM Account for user %s suceeded\n", user_info->smb_name.str)); - } else { - DEBUG(3, ("check_password: PAM Account for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + if (NT_STATUS_IS_OK(nt_status)) { + pdb_username = pdb_get_username((*server_info)->sam_account); + if (!done_pam && !(*server_info)->guest) { + /* We might not be root if we are an RPC call */ + become_root(); + nt_status = smb_pam_accountcheck(pdb_username); + unbecome_root(); - } + if (NT_STATUS_IS_OK(nt_status)) { + DEBUG(5, ("check_password: PAM Account for user [%s] suceeded\n", pdb_username)); + } else { + DEBUG(3, ("check_password: PAM Account for user [%s] FAILED with error %s\n", pdb_username, get_nt_error_msg(nt_status))); + } + } } if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(5, ("check_password: Password for smb user %s suceeded\n", user_info->smb_name.str)); + DEBUG(3, ("check_password: %sauthenticaion for user [%s] -> [%s] -> [%s] suceeded\n", + (*server_info)->guest ? 
"guest " : "", + user_info->smb_name.str, + user_info->internal_username.str, + pdb_username)); } else { - DEBUG(3, ("check_password: Password for smb user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + DEBUG(3, ("check_password: Authenticaion for user [%s] -> [%s] FAILED with error %s\n", user_info->smb_name.str, user_info->internal_username.str, get_nt_error_msg(nt_status))); ZERO_STRUCTP(server_info); } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 421ab3f1e4..cfdf3a6acc 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -589,6 +589,27 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, return ret; } +/**************************************************************************** + Create a guest user_info blob, for anonymous authenticaion. +****************************************************************************/ + +BOOL make_user_info_guest(auth_usersupplied_info **user_info) +{ + DATA_BLOB sec_blob = data_blob(NULL, 0); + DATA_BLOB lm_blob = data_blob(NULL, 0); + DATA_BLOB nt_blob = data_blob(NULL, 0); + DATA_BLOB plaintext_blob = data_blob(NULL, 0); + uint32 ntlmssp_flags = 0; + + return make_user_info(user_info, + "","", + "","", + "", sec_blob, + nt_blob, lm_blob, + plaintext_blob, + ntlmssp_flags, True); +} + BOOL make_server_info(auth_serversupplied_info **server_info) { *server_info = malloc(sizeof(**server_info)); 
@@ -664,13 +685,19 @@ void free_server_info(auth_serversupplied_info **server_info) Make a server_info struct for a guest user ***************************************************************************/ -void make_server_info_guest(auth_serversupplied_info **server_info) +BOOL make_server_info_guest(auth_serversupplied_info **server_info) { struct passwd *pass = sys_getpwnam(lp_guestaccount(-1)); if (pass) { - make_server_info_pw(server_info, pass); + if (!make_server_info_pw(server_info, pass)) { + return False; + } + (*server_info)->guest = True; + return True; } + DEBUG(0,("make_server_info_guest: sys_getpwnam() failed on guest account!\n")); + return False; } /**************************************************************************** @@ -712,3 +739,25 @@ NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken) return token; } + +/**************************************************************************** + Check for a guest logon (username = "") and if so create the required + structure. +****************************************************************************/ + +NTSTATUS check_guest_security(const auth_usersupplied_info *user_info, + auth_serversupplied_info **server_info) +{ + NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; + + if (!(user_info->internal_username.str + && *user_info->internal_username.str)) { + if (make_server_info_guest(server_info)) { + nt_status = NT_STATUS_OK; + } else { + nt_status = NT_STATUS_NO_SUCH_USER; + } + } + + return nt_status; +} diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c index 44faefb645..1aa58f5274 100644 --- a/source3/rpc_server/srv_netlog_nt.c +++ b/source3/rpc_server/srv_netlog_nt.c 
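Review bot: check_guest_security returns NT_STATUS_NO_SUCH_USER when make_server_info_guest() fails, so a missing or broken guest account looks to callers exactly like an unknown user name. In this same commit reply_sesssetup_and_X reacts to NT_STATUS_NO_SUCH_USER by mapping the client to guest, so the two meanings collide. Setting `nt_status = NT_STATUS_LOGON_FAILURE;` in the else branch would keep a guest-account failure out of the map-to-guest path. The header comment should also list the three outcomes: OK for an empty mapped name, LOGON_FAILURE for a non-empty name so the other checks still run, and the guest-account failure status. The same function is added under source3/smbd/auth_util.c.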
@@ -597,7 +597,7 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON * free_user_info(&user_info); - DEBUG(5, ("_net_sam_logon: exiting with status %s\n", + DEBUG(5, ("_net_sam_logon: check_password returned status %s\n", get_nt_error_msg(status))); /* Check account and password */ @@ -607,6 +607,13 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON * return status; } + if (server_info->guest) { + /* We don't like guest domain logons... */ + DEBUG(5,("_net_sam_logon: Attempted domain logon as GUEST denied.\n")); + free_server_info(&server_info); + return NT_STATUS_LOGON_FAILURE; + } + /* This is the point at which, if the login was successful, that the SAM Local Security Authority should record that the user is logged in to the domain. */ diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index a718516baa..e3969f7ea8 100644 --- a/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c @@ -268,7 +268,8 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm fstring pipe_user_name; fstring domain; fstring wks; - BOOL guest_user = False; + + NTSTATUS nt_status; auth_usersupplied_info *user_info = NULL; auth_serversupplied_info *server_info = NULL; @@ -328,8 +329,7 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm if((strlen(user_name) == 0) && (ntlmssp_resp->hdr_nt_resp.str_str_len==0)) { - guest_user = True; - + fstrcpy(pipe_user_name, lp_guestaccount(-1)); DEBUG(100,("Null user in NTLMSSP verification. Using guest = %s\n", pipe_user_name)); 
@@ -352,32 +352,25 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm } - if(!guest_user) { - NTSTATUS nt_status; - - if (!make_user_info_netlogon_network(&user_info, - user_name, domain, wks, (uchar*)p->challenge, - lm_owf, lm_pw_len, - nt_owf, nt_pw_len)) { - DEBUG(0,("make_user_info_netlogon_network failed! Failing authenticaion.\n")); - return False; - } - - nt_status = check_password(user_info, &server_info); - - free_user_info(&user_info); - - p->ntlmssp_auth_validated = NT_STATUS_IS_OK(nt_status); - - if (!p->ntlmssp_auth_validated) { - DEBUG(1,("api_pipe_ntlmssp_verify: User %s\\%s from machine %s \ + if (!make_user_info_netlogon_network(&user_info, + user_name, domain, wks, (uchar*)p->challenge, + lm_owf, lm_pw_len, + nt_owf, nt_pw_len)) { + DEBUG(0,("make_user_info_netlogon_network failed! Failing authenticaion.\n")); + return False; + } + + nt_status = check_password(user_info, &server_info); + + free_user_info(&user_info); + + p->ntlmssp_auth_validated = NT_STATUS_IS_OK(nt_status); + + if (!p->ntlmssp_auth_validated) { + DEBUG(1,("api_pipe_ntlmssp_verify: User %s\\%s from machine %s \ failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name )); - free_server_info(&server_info); - return False; - } - } else { - /* This includes a NULLed out first_8_lm_hash */ - make_server_info_guest(&server_info); + free_server_info(&server_info); + return False; } /* @@ -450,7 +443,7 @@ failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name /* Create an NT_USER_TOKEN struct for this user. */ p->pipe_user.nt_user_token = create_nt_token(p->pipe_user.uid,p->pipe_user.gid, p->pipe_user.ngroups, p->pipe_user.groups, - guest_user, server_info->ptok); + server_info->guest, server_info->ptok); p->ntlmssp_auth_validated = True; diff --git a/source3/smbd/auth.c b/source3/smbd/auth.c index 4d1a566833..67f80afdda 100644 --- a/source3/smbd/auth.c +++ b/source3/smbd/auth.c 
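Review bot: With `guest_user` removed, two different tests in api_pipe_ntlmssp_verify now decide guest status, and they can disagree. The null-session test kept in the previous hunk sets `pipe_user_name` to `lp_guestaccount(-1)` only when the user name is empty and the NT response length is zero, whereas check_guest_security grants guest on an empty mapped user name alone. Assuming an empty user_name yields an empty internal_username, a request with an empty name and a non-empty response would return with `server_info->guest` set but `pipe_user_name` not switched to the guest account. Whether the code that later consumes pipe_user_name copes with that is outside the hunk. Either add `if (server_info->guest) fstrcpy(pipe_user_name, lp_guestaccount(-1));` after the check_password call, or add a comment stating why the two conditions cannot diverge.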
@@ -63,9 +63,23 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; BOOL done_pam = False; + const char *pdb_username; - DEBUG(3, ("check_password: Checking password for unmapped user %s\\%s@%s with the new password interface\n", - user_info->smb_name.str, user_info->client_domain.str, user_info->wksta_name.str)); + DEBUG(3, ("check_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n", + user_info->client_domain.str, user_info->smb_name.str, user_info->wksta_name.str)); + + DEBUG(3, ("check_password: mapped user is: [%s]\\[%s]@[%s]\n", + user_info->domain.str, user_info->internal_username.str, user_info->wksta_name.str)); + + if (!NT_STATUS_IS_OK(nt_status)) { + nt_status = check_guest_security(user_info, server_info); + if (NT_STATUS_IS_OK(nt_status)) { + DEBUG(5, ("check_password: checking guest-account for user [%s] suceeded\n", user_info->smb_name.str)); + } else { + DEBUG(10, ("check_password: checking gusst-account for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + + } + } /* This needs to be sorted: If it doesn't match, what should we do? */ if (!check_domain_match(user_info->smb_name.str, user_info->domain.str)) { @@ -75,9 +89,9 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, if (!NT_STATUS_IS_OK(nt_status)) { nt_status = check_rhosts_security(user_info, server_info); if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(7, ("check_password: Password (rhosts) for user %s suceeded\n", user_info->smb_name.str)); + DEBUG(3, ("check_password: Password (rhosts) for user [%s] suceeded\n", user_info->smb_name.str)); } else { - DEBUG(5, ("check_password: Password (rhosts)for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + DEBUG(10, ("check_password: Password (rhosts) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); } } 
@@ -85,9 +99,9 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, if ((lp_security() == SEC_DOMAIN) && !NT_STATUS_IS_OK(nt_status)) { nt_status = check_domain_security(user_info, server_info); if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(7, ("check_password: Password (domain) for user %s suceeded\n", user_info->smb_name.str)); + DEBUG(7, ("check_password: Password (domain) for user [%s] suceeded\n", user_info->smb_name.str)); } else { - DEBUG(5, ("check_password: Password (domain) for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + DEBUG(5, ("check_password: Password (domain) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); } } @@ -95,9 +109,9 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, if ((lp_security() == SEC_SERVER) && !NT_STATUS_IS_OK(nt_status)) { nt_status = check_server_security(user_info, server_info); if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(7, ("check_password: Password (server) for user %s suceeded\n", user_info->smb_name.str)); + DEBUG(7, ("check_password: Password (server) for user [%s] suceeded\n", user_info->smb_name.str)); } else { - DEBUG(5, ("check_password: Password (server) for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + DEBUG(5, ("check_password: Password (server) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); } } 
@@ -115,32 +129,37 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, } if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(7, ("check_password: Password (unix/smbpasswd) for user %s suceeded\n", user_info->smb_name.str)); + DEBUG(7, ("check_password: Password (unix/smbpasswd) for user [%s] suceeded\n", user_info->smb_name.str)); } else { - DEBUG(5, ("check_password: Password (unix/smbpasswd) for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + DEBUG(5, ("check_password: Password (unix/smbpasswd) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); } } - - if (NT_STATUS_IS_OK(nt_status) && !done_pam) { - /* We might not be root if we are an RPC call */ - become_root(); - nt_status = smb_pam_accountcheck(pdb_get_username((*server_info)->sam_account)); - unbecome_root(); - - if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(5, ("check_password: PAM Account for user %s suceeded\n", user_info->smb_name.str)); - } else { - DEBUG(3, ("check_password: PAM Account for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + if (NT_STATUS_IS_OK(nt_status)) { + pdb_username = pdb_get_username((*server_info)->sam_account); + if (!done_pam && !(*server_info)->guest) { + /* We might not be root if we are an RPC call */ + become_root(); + nt_status = smb_pam_accountcheck(pdb_username); + unbecome_root(); - } + if (NT_STATUS_IS_OK(nt_status)) { + DEBUG(5, ("check_password: PAM Account for user [%s] suceeded\n", pdb_username)); + } else { + DEBUG(3, ("check_password: PAM Account for user [%s] FAILED with error %s\n", pdb_username, get_nt_error_msg(nt_status))); + } + } } if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(5, ("check_password: Password for smb user %s suceeded\n", user_info->smb_name.str)); + DEBUG(3, ("check_password: %sauthenticaion for user [%s] -> [%s] -> [%s] suceeded\n", + (*server_info)->guest ? 
"guest " : "", + user_info->smb_name.str, + user_info->internal_username.str, + pdb_username)); } else { - DEBUG(3, ("check_password: Password for smb user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + DEBUG(3, ("check_password: Authenticaion for user [%s] -> [%s] FAILED with error %s\n", user_info->smb_name.str, user_info->internal_username.str, get_nt_error_msg(nt_status))); ZERO_STRUCTP(server_info); } diff --git a/source3/smbd/auth_util.c b/source3/smbd/auth_util.c index 421ab3f1e4..cfdf3a6acc 100644 --- a/source3/smbd/auth_util.c +++ b/source3/smbd/auth_util.c @@ -589,6 +589,27 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, return ret; } +/**************************************************************************** + Create a guest user_info blob, for anonymous authenticaion. +****************************************************************************/ + +BOOL make_user_info_guest(auth_usersupplied_info **user_info) +{ + DATA_BLOB sec_blob = data_blob(NULL, 0); + DATA_BLOB lm_blob = data_blob(NULL, 0); + DATA_BLOB nt_blob = data_blob(NULL, 0); + DATA_BLOB plaintext_blob = data_blob(NULL, 0); + uint32 ntlmssp_flags = 0; + + return make_user_info(user_info, + "","", + "","", + "", sec_blob, + nt_blob, lm_blob, + plaintext_blob, + ntlmssp_flags, True); +} + BOOL make_server_info(auth_serversupplied_info **server_info) { *server_info = malloc(sizeof(**server_info)); 
@@ -664,13 +685,19 @@ void free_server_info(auth_serversupplied_info **server_info) Make a server_info struct for a guest user ***************************************************************************/ -void make_server_info_guest(auth_serversupplied_info **server_info) +BOOL make_server_info_guest(auth_serversupplied_info **server_info) { struct passwd *pass = sys_getpwnam(lp_guestaccount(-1)); if (pass) { - make_server_info_pw(server_info, pass); + if (!make_server_info_pw(server_info, pass)) { + return False; + } + (*server_info)->guest = True; + return True; } + DEBUG(0,("make_server_info_guest: sys_getpwnam() failed on guest account!\n")); + return False; } /**************************************************************************** @@ -712,3 +739,25 @@ NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken) return token; } + +/**************************************************************************** + Check for a guest logon (username = "") and if so create the required + structure. +****************************************************************************/ + +NTSTATUS check_guest_security(const auth_usersupplied_info *user_info, + auth_serversupplied_info **server_info) +{ + NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; + + if (!(user_info->internal_username.str + && *user_info->internal_username.str)) { + if (make_server_info_guest(server_info)) { + nt_status = NT_STATUS_OK; + } else { + nt_status = NT_STATUS_NO_SUCH_USER; + } + } + + return nt_status; +} diff --git a/source3/smbd/password.c b/source3/smbd/password.c index f0fec9b796..cbd4d14681 100644 --- a/source3/smbd/password.c +++ b/source3/smbd/password.c @@ -66,7 +66,7 @@ void invalidate_vuid(uint16 vuid) if (vuser == NULL) return; - session_yield(vuid); + session_yield(vuser); DLIST_REMOVE(validated_users, vuser); 
@@ -208,7 +208,7 @@ has been given. vuid is biased by an offset. This allows us to tell random client vuid's (normally zero) from valid vuids. ****************************************************************************/ -int register_vuid(auth_serversupplied_info *server_info, char *smb_name, BOOL guest) +int register_vuid(auth_serversupplied_info *server_info, char *smb_name) { user_struct *vuser = NULL; uid_t *puid; @@ -251,7 +251,7 @@ int register_vuid(auth_serversupplied_info *server_info, char *smb_name, BOOL gu vuser->vuid = next_vuid; vuser->uid = *puid; vuser->gid = *pgid; - vuser->guest = guest; + vuser->guest = server_info->guest; fstrcpy(vuser->user.unix_name, pdb_get_username(server_info->sam_account)); fstrcpy(vuser->user.smb_name, smb_name); fstrcpy(vuser->user.domain, pdb_get_domain(server_info->sam_account)); @@ -260,7 +260,7 @@ int register_vuid(auth_serversupplied_info *server_info, char *smb_name, BOOL gu DEBUG(10,("register_vuid: (%u,%u) %s %s %s guest=%d\n", (unsigned int)vuser->uid, (unsigned int)vuser->gid, - vuser->user.unix_name, vuser->user.smb_name, vuser->user.domain, guest )); + vuser->user.unix_name, vuser->user.smb_name, vuser->user.domain, vuser->guest )); DEBUG(3, ("User name: %s\tReal name: %s\n",vuser->user.unix_name,vuser->user.full_name)); @@ -276,7 +276,7 @@ int register_vuid(auth_serversupplied_info *server_info, char *smb_name, BOOL gu add_supplementary_nt_login_groups(&vuser->n_groups, &vuser->groups, &server_info->ptok); /* Create an NT_USER_TOKEN struct for this user. */ - vuser->nt_user_token = create_nt_token(vuser->uid, vuser->gid, vuser->n_groups, vuser->groups, guest, server_info->ptok); + vuser->nt_user_token = create_nt_token(vuser->uid, vuser->gid, vuser->n_groups, vuser->groups, vuser->guest, server_info->ptok); DEBUG(3,("uid %d registered to name %s\n",(int)vuser->uid,vuser->user.unix_name)); 
@@ -285,7 +285,7 @@ int register_vuid(auth_serversupplied_info *server_info, char *smb_name, BOOL gu DLIST_ADD(validated_users, vuser); - if (!session_claim(vuser->vuid)) { + if (!session_claim(vuser)) { DEBUG(1,("Failed to claim session for vuid=%d\n", vuser->vuid)); invalidate_vuid(vuser->vuid); return -1; @@ -453,8 +453,8 @@ BOOL authorise_login(int snum,char *user, DATA_BLOB password, user_struct *vuser = get_valid_user_struct(vuid); #if DEBUG_PASSWORD - DEBUG(100,("authorise_login: checking authorisation on user=%s pass=%s\n", - user,password.data)); + DEBUG(100,("authorise_login: checking authorisation on user=%s pass=%s vuid=%d\n", + user,password.data, vuid)); #endif *guest = False; @@ -501,7 +501,7 @@ BOOL authorise_login(int snum,char *user, DATA_BLOB password, if (user_ok(vuser->user.unix_name,snum) && password_ok(vuser->user.unix_name, password)) { fstrcpy(user, vuser->user.unix_name); - vuser->guest = False; + *guest = False; DEBUG(3,("authorise_login: ACCEPTED: given password with registered user %s\n", user)); ok = True; } diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index 9ff74eae05..98898a6551 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -35,10 +35,8 @@ extern char magic_char; extern BOOL case_sensitive; extern BOOL case_preserve; extern BOOL short_case_preserve; -extern userdom_struct current_user_info; extern pstring global_myname; extern int global_oplock_break; -uint32 global_client_caps = 0; unsigned int smb_echo_count = 0; extern fstring remote_machine; diff --git a/source3/smbd/session.c b/source3/smbd/session.c index 60c2a6e54d..9efc3e6b75 100644 --- a/source3/smbd/session.c +++ b/source3/smbd/session.c @@ -32,9 +32,8 @@ extern fstring remote_machine; static TDB_CONTEXT *tdb; /* called when a session is created */ -BOOL session_claim(uint16 vuid) +BOOL session_claim(user_struct *vuser) { - user_struct *vuser = get_valid_user_struct(vuid); int i; TDB_DATA data; struct sessionid sessionid; 
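Review bot: The DEBUG_PASSWORD trace in authorise_login prints `password.data` with `%s`, but `password` is a DATA_BLOB and nothing visible in the hunk guarantees the buffer ends in a NUL. Since the line is being edited anyway, bound the read with the blob length, for example `pass=%.*s` with the arguments `(int)password.length, password.data`. The trace also writes the cleartext password to the log when DEBUG_PASSWORD is compiled in; a short comment above the `#if` saying so would help anyone auditing log exposure.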
@@ -47,7 +46,7 @@ BOOL session_claim(uint16 vuid) /* don't register sessions for the guest user - its just too expensive to go through pam session code for browsing etc */ - if (strequal(vuser->user.unix_name,lp_guestaccount(-1))) { + if (vuser->guest) { return True; } @@ -119,9 +118,8 @@ BOOL session_claim(uint16 vuid) } /* called when a session is destroyed */ -void session_yield(uint16 vuid) +void session_yield(user_struct *vuser) { - user_struct *vuser = get_valid_user_struct(vuid); TDB_DATA dbuf; struct sessionid sessionid; TDB_DATA key; diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c index c7522b3402..6e6d37c089 100644 --- a/source3/smbd/sesssetup.c +++ b/source3/smbd/sesssetup.c @@ -22,6 +22,8 @@ #include "includes.h" +uint32 global_client_caps = 0; + #if HAVE_KRB5 /**************************************************************************** reply to a session setup spnego negotiate packet for kerberos @@ -339,7 +341,7 @@ static int reply_spnego_auth(connection_struct *conn, char *inbuf, char *outbuf, return ERROR_NT(nt_status_squash(nt_status)); } - sess_vuid = register_vuid(server_info, user, False); + sess_vuid = register_vuid(server_info, user); free_server_info(&server_info); @@ -370,12 +372,18 @@ static int reply_spnego_anonymous(connection_struct *conn, char *inbuf, char *ou { int sess_vuid; char *p; + auth_usersupplied_info *user_info = NULL; auth_serversupplied_info *server_info = NULL; + NTSTATUS nt_status; + DEBUG(3,("Got anonymous request\n")); - make_server_info_guest(&server_info); - sess_vuid = register_vuid(server_info, lp_guestaccount(-1), True); + make_user_info_guest(&user_info); + + nt_status = check_password(user_info, &server_info); + + sess_vuid = register_vuid(server_info, lp_guestaccount(-1)); free_server_info(&server_info); if (sess_vuid == -1) { 
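Review bot: In reply_spnego_anonymous the result of `make_user_info_guest()` is ignored, `nt_status` from check_password() is assigned but never tested, and no free_user_info() call appears in the hunk. If check_password fails (for example because the guest account cannot be looked up), register_vuid is still called with whatever server_info holds, and the password.c hunk of this commit shows it reading `server_info->guest` and `server_info->sam_account`. An anonymous session setup can therefore reach a NULL dereference on a misconfigured server. The function body continues outside the hunk; the sketch below covers only the rewritten lines.
```c
	if (!make_user_info_guest(&user_info)) {
		return ERROR_NT(NT_STATUS_NO_MEMORY);
	}

	nt_status = check_password(user_info, &server_info);
	free_user_info(&user_info);

	if (!NT_STATUS_IS_OK(nt_status)) {
		return ERROR_NT(nt_status_squash(nt_status));
	}

	sess_vuid = register_vuid(server_info, lp_guestaccount(-1));
	/* … unchanged: free_server_info() and the sess_vuid == -1 check … */
```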
@@ -405,7 +413,6 @@ static int reply_sesssetup_and_X_spnego(connection_struct *conn, char *inbuf,cha { uint8 *p; DATA_BLOB blob1; - extern uint32 global_client_caps; int ret; DEBUG(3,("Doing spnego session setup\n")); @@ -463,14 +470,13 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf, DATA_BLOB nt_resp; DATA_BLOB plaintext_password; pstring user; + pstring sub_user; /* Sainitised username for substituion */ fstring domain; fstring native_os; fstring native_lanman; - BOOL guest=False; static BOOL done_sesssetup = False; extern BOOL global_encrypted_passwords_negotiated; extern BOOL global_spnego_negotiated; - extern uint32 global_client_caps; extern int Protocol; extern fstring remote_machine; extern userdom_struct current_user_info; @@ -479,6 +485,8 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf, auth_usersupplied_info *user_info = NULL; auth_serversupplied_info *server_info = NULL; + NTSTATUS nt_status; + BOOL doencrypt = global_encrypted_passwords_negotiated; START_PROFILE(SMBsesssetupX); @@ -626,18 +634,20 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf, DEBUG(3,("sesssetupX:name=[%s]\\[%s]@[%s]\n", domain, user, remote_machine)); - /* If no username is sent use the guest account */ - if (!*user) { - pstrcpy(user,lp_guestaccount(-1)); - guest = True; - } else { + if (*user) { if (global_spnego_negotiated) { DEBUG(0,("reply_sesssetup_and_X: Rejecting attempt at 'normal' session setup after negotiating spnego.\n")); return ERROR_NT(NT_STATUS_UNSUCCESSFUL); } } - pstrcpy(current_user_info.smb_name,user); + if (*user) { + pstrcpy(sub_user, user); + } else { + pstrcpy(sub_user, lp_guestaccount(-1)); + } + + pstrcpy(current_user_info.smb_name,sub_user); reload_services(True); 
@@ -648,9 +658,10 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf, data_blob_free(&nt_resp); data_blob_clear_free(&plaintext_password); - guest = True; - map_username(user); - add_session_user(user); + map_username(sub_user); + add_session_user(sub_user); + /* Then force it to null for the benfit of the code below */ + *user = 0; } if (done_sesssetup && lp_restrict_anonymous()) { 
@@ -673,50 +684,45 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf, return ERROR_DOS(ERRDOS,ERRnoaccess); } } + + if (!make_user_info_for_reply(&user_info, + user, domain, + lm_resp, nt_resp, + plaintext_password, doencrypt)) { + return ERROR_NT(NT_STATUS_NO_MEMORY); + } - if (!guest) { - NTSTATUS nt_status; - if (!make_user_info_for_reply(&user_info, - user, domain, - lm_resp, nt_resp, - plaintext_password, doencrypt)) { - return ERROR_NT(NT_STATUS_NO_MEMORY); - } - - nt_status = check_password(user_info, &server_info); - - free_user_info(&user_info); - - data_blob_free(&lm_resp); - data_blob_free(&nt_resp); - data_blob_clear_free(&plaintext_password); - - if (!NT_STATUS_IS_OK(nt_status)) { - if NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) { - if ((lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER) || - (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD)) { - DEBUG(3,("No such user %s [%s] - using guest account\n",user, domain)); - pstrcpy(user,lp_guestaccount(-1)); - guest = True; - - } - } else if NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD) { - if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD) { - pstrcpy(user,lp_guestaccount(-1)); - DEBUG(3,("Registered username %s for guest access\n",user)); - guest = True; - } - /* Match WinXP and don't give the game away */ - return ERROR_NT(NT_STATUS_LOGON_FAILURE); + nt_status = check_password(user_info, &server_info); + + free_user_info(&user_info); + + data_blob_free(&lm_resp); + data_blob_free(&nt_resp); + data_blob_clear_free(&plaintext_password); + + if (!NT_STATUS_IS_OK(nt_status)) { + if NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) { + if ((lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER) || + (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD)) { + + DEBUG(3,("No such user %s [%s] - using guest account\n",user, domain)); + make_server_info_guest(&server_info); + nt_status = NT_STATUS_OK; + } + + } else if NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD) { + if 
(lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD) { + DEBUG(3,("Registered username %s for guest access\n",user)); + make_server_info_guest(&server_info); + nt_status = NT_STATUS_OK; } - - if (!guest) { - free_server_info(&server_info); - return ERROR_NT(nt_status_squash(nt_status)); - } } } + if (!NT_STATUS_IS_OK(nt_status)) { + return ERROR_NT(nt_status_squash(nt_status)); + } + /* it's ok - setup a reply */ if (Protocol < PROTOCOL_NT1) { set_message(outbuf,3,0,True); @@ -731,10 +737,8 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf, /* perhaps grab OS version here?? */ } - if (guest) { + if (server_info->guest) { SSVAL(outbuf,smb_vwv2,1); - free_server_info(&server_info); - make_server_info_guest(&server_info); } else { const char *home_dir = pdb_get_homedir(server_info->sam_account); const char *username = pdb_get_username(server_info->sam_account); @@ -747,7 +751,7 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf, /* register the name and uid as being validated, so further connections to a uid can get through without a password, on the same VC */ - sess_vuid = register_vuid(server_info, user, guest); + sess_vuid = register_vuid(server_info, sub_user); free_server_info(&server_info); |
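Review bot: Both map-to-guest branches in reply_sesssetup_and_X call `make_server_info_guest(&server_info);` and then set `nt_status = NT_STATUS_OK;` unconditionally, although this commit changes that function to return BOOL so that failure can be reported. If the guest account lookup fails, server_info stays unset and the next hunk dereferences it in `if (server_info->guest)`. A remote client sending a bad user name or password could then crash the session process on a server with map-to-guest enabled and a broken guest account. Taking the status from the return value fixes both branches: `nt_status = make_server_info_guest(&server_info) ? NT_STATUS_OK : NT_STATUS_LOGON_FAILURE;`.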