-rw-r--r--source3/include/proto.h8
-rw-r--r--source3/rpc_server/srv_srvsvc_nt.c14
-rw-r--r--source3/smbd/service.c44
3 files changed, 40 insertions, 26 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 453714c044..e606724363 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -1879,6 +1879,12 @@ BOOL pm_process( char *FileName,
BOOL pdb_generate_sam_sid(void);
+/*The following definitions come from passdb/pampass.c */
+
+BOOL PAM_session(BOOL instance, const connection_struct *conn, char *tty);
+BOOL pam_passcheck(char * user, char * password);
+BOOL pam_passcheck( char * user, char * password );
+
/*The following definitions come from passdb/pass_check.c */
void dfs_unlogin(void);
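Review bot: `pam_passcheck` is declared twice in the added block, first as `BOOL pam_passcheck(char * user, char * password);` and again on the next line with different spacing; the second line should be dropped so the header carries one prototype per function, matching the rest of proto.h. The `PAM_session` prototype takes `const connection_struct *conn`; confirm the definition in passdb/pampass.c uses the same qualifier, since a qualifier mismatch between prototype and definition is a compile error rather than a warning.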
@@ -3768,7 +3774,7 @@ BOOL api_srvsvc_rpc(pipes_struct *p);
BOOL share_info_db_init(void);
void map_generic_share_sd_bits(SEC_DESC *psd);
-BOOL share_access_check(int snum, uint16 vuid, uint32 desired_access);
+BOOL share_access_check(connection_struct *conn, int snum, uint16 vuid, uint32 desired_access);
uint32 _srv_net_srv_get_info(pipes_struct *p, SRV_Q_NET_SRV_GET_INFO *q_u, SRV_R_NET_SRV_GET_INFO *r_u);
uint32 _srv_net_file_enum(pipes_struct *p, SRV_Q_NET_FILE_ENUM *q_u, SRV_R_NET_FILE_ENUM *r_u);
uint32 _srv_net_conn_enum(pipes_struct *p, SRV_Q_NET_CONN_ENUM *q_u, SRV_R_NET_CONN_ENUM *r_u);
diff --git a/source3/rpc_server/srv_srvsvc_nt.c b/source3/rpc_server/srv_srvsvc_nt.c
index bce5c33225..0c165bf9fa 100644
--- a/source3/rpc_server/srv_srvsvc_nt.c
+++ b/source3/rpc_server/srv_srvsvc_nt.c
@@ -293,7 +293,7 @@ void map_generic_share_sd_bits(SEC_DESC *psd)
Can this user access with share with the required permissions ?
********************************************************************/
-BOOL share_access_check(int snum, uint16 vuid, uint32 desired_access)
+BOOL share_access_check(connection_struct *conn, int snum, uint16 vuid, uint32 desired_access)
{
uint32 granted, status;
TALLOC_CTX *mem_ctx = NULL;
@@ -313,17 +313,25 @@ BOOL share_access_check(int snum, uint16 vuid, uint32 desired_access)
if (!psd)
goto out;
+ ZERO_STRUCT(tmp_user);
if (vuser) {
- ZERO_STRUCT(tmp_user);
tmp_user.vuid = vuid;
tmp_user.uid = vuser->uid;
tmp_user.gid = vuser->gid;
tmp_user.ngroups = vuser->n_groups;
tmp_user.groups = vuser->groups;
tmp_user.nt_user_token = vuser->nt_user_token;
- puser = &tmp_user;
+ } else {
+ tmp_user.vuid = vuid;
+ tmp_user.uid = conn->uid;
+ tmp_user.gid = conn->gid;
+ tmp_user.ngroups = conn->ngroups;
+ tmp_user.groups = conn->groups;
+ tmp_user.nt_user_token = conn->nt_user_token;
}
+ puser = &tmp_user;
+
ret = se_access_check(psd, puser, desired_access, &granted, &status);
out:
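Review bot: The new else branch dereferences `conn` with no NULL check, so a caller that still passes a NULL `conn` for a vuid with no vuser now crashes inside the access check instead of falling through with whatever `puser` held before (its initialisation is above the hunk). Guard it before the branch: `if (!vuser && !conn) goto out;` — `ret` is presumably still False at that point, confirm against the lines above the hunk. The fallback also deserves a one-line comment, e.g. `/* No vuser for this vuid: evaluate the share SD against the connection's own credentials. */`, since it decides which token the share security descriptor is checked against. share_access_check's body begins before this hunk.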
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index 11ae11054a..507d07cc42 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -343,28 +343,6 @@ connection_struct *make_connection(char *service,char *user,char *password, int
conn->read_only = lp_readonly(snum);
- /*
- * New code to check if there's a share security descripter
- * added from NT server manager. This is an additional check
- * before the smb.conf checks are done. JRA.
- */
-
- {
- BOOL can_write = share_access_check(snum, vuid, FILE_WRITE_DATA);
-
- if (!can_write) {
- if (!share_access_check(snum, vuid, FILE_READ_DATA)) {
- /* No access, read or write. */
- *ecode = ERRaccess;
- DEBUG(0,( "make_connection: connection to %s denied due to security descriptor.\n",
- service ));
- conn_free(conn);
- return NULL;
- } else {
- conn->read_only = True;
- }
- }
- }
{
pstring list;
@@ -527,6 +505,28 @@ connection_struct *make_connection(char *service,char *user,char *password, int
conn->ngroups, conn->groups,
guest);
+ /*
+ * New code to check if there's a share security descripter
+ * added from NT server manager. This is done after the
+ * smb.conf checks are done as we need a uid and token. JRA.
+ */
+
+ {
+ BOOL can_write = share_access_check(conn, snum, vuid, FILE_WRITE_DATA);
+
+ if (!can_write) {
+ if (!share_access_check(conn, snum, vuid, FILE_READ_DATA)) {
+ /* No access, read or write. */
+ *ecode = ERRaccess;
+ DEBUG(0,( "make_connection: connection to %s denied due to security descriptor.\n",
+ service ));
+ conn_free(conn);
+ return NULL;
+ } else {
+ conn->read_only = True;
+ }
+ }
+ }
/* Initialise VFS function pointers */
if (*lp_vfsobj(SNUM(conn))) {
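Review bot: The moved comment at `* New code to check if there's a share security descripter` should name the fields this check now relies on rather than "a uid and token", because the whole point of the move is ordering: share_access_check(conn, …) reads conn's uid/gid/groups/token, which are only meaningful once the preceding setup has run. Suggest `* Must run after conn->uid/gid/groups/nt_user_token are set up above, since share_access_check evaluates the share SD against them when no vuser exists for vuid.` and fix "descripter" to "descriptor". The matching removal is the earlier hunk of this file; anything the code between the old and the new position acquires on conn is released only by `conn_free(conn)` on the denial path — confirm that is sufficient, as those lines are outside the hunk. make_connection begins and ends outside this hunk.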