summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source3/include/proto.h5
-rw-r--r--source3/printing/nt_printing.c2
-rw-r--r--source3/rpc_server/srv_spoolss_nt.c16
-rw-r--r--source3/smbd/service.c1
-rw-r--r--source3/smbd/share_access.c26
-rw-r--r--source3/smbd/uid.c9
6 files changed, 38 insertions, 21 deletions
diff --git a/source3/include/proto.h b/source3/include/proto.h
index 719eacb42e..afce9ae63b 100644
--- a/source3/include/proto.h
+++ b/source3/include/proto.h
@@ -10237,11 +10237,14 @@ void reply_sesssetup_and_X(struct smb_request *req);
/* The following definitions come from smbd/share_access.c */
bool token_contains_name_in_list(const char *username,
+ const char *domain,
const char *sharename,
const struct nt_user_token *token,
const char **list);
-bool user_ok_token(const char *username, struct nt_user_token *token, int snum);
+bool user_ok_token(const char *username, const char *domain,
+ struct nt_user_token *token, int snum);
bool is_share_read_only_for_token(const char *username,
+ const char *domain,
struct nt_user_token *token, int snum);
/* The following definitions come from smbd/srvstr.c */
diff --git a/source3/printing/nt_printing.c b/source3/printing/nt_printing.c
index 3a7f1174bd..c13ab5a180 100644
--- a/source3/printing/nt_printing.c
+++ b/source3/printing/nt_printing.c
@@ -5835,7 +5835,7 @@ bool print_access_check(struct current_user *user, int snum, int access_type)
/* see if we need to try the printer admin list */
if ((access_granted == 0) &&
- (token_contains_name_in_list(uidtoname(user->ut.uid), NULL,
+ (token_contains_name_in_list(uidtoname(user->ut.uid), NULL, NULL,
user->nt_user_token,
lp_printer_admin(snum)))) {
talloc_destroy(mem_ctx);
diff --git a/source3/rpc_server/srv_spoolss_nt.c b/source3/rpc_server/srv_spoolss_nt.c
index 0e98a39426..06b3d4a07a 100644
--- a/source3/rpc_server/srv_spoolss_nt.c
+++ b/source3/rpc_server/srv_spoolss_nt.c
@@ -1649,7 +1649,8 @@ WERROR _spoolss_open_printer_ex( pipes_struct *p, SPOOL_Q_OPEN_PRINTER_EX *q_u,
!user_has_privileges(p->pipe_user.nt_user_token,
&se_printop ) &&
!token_contains_name_in_list(
- uidtoname(p->pipe_user.ut.uid), NULL,
+ uidtoname(p->pipe_user.ut.uid),
+ NULL, NULL,
p->pipe_user.nt_user_token,
lp_printer_admin(snum))) {
close_printer_handle(p, handle);
@@ -1703,7 +1704,7 @@ WERROR _spoolss_open_printer_ex( pipes_struct *p, SPOOL_Q_OPEN_PRINTER_EX *q_u,
return WERR_ACCESS_DENIED;
}
- if (!user_ok_token(uidtoname(p->pipe_user.ut.uid),
+ if (!user_ok_token(uidtoname(p->pipe_user.ut.uid), NULL,
p->pipe_user.nt_user_token, snum) ||
!print_access_check(&p->pipe_user, snum,
printer_default->access_required)) {
@@ -2008,8 +2009,10 @@ WERROR _spoolss_deleteprinterdriver(pipes_struct *p, SPOOL_Q_DELETEPRINTERDRIVER
if ( (p->pipe_user.ut.uid != 0)
&& !user_has_privileges(p->pipe_user.nt_user_token, &se_printop )
- && !token_contains_name_in_list( uidtoname(p->pipe_user.ut.uid),
- NULL, p->pipe_user.nt_user_token, lp_printer_admin(-1)) )
+ && !token_contains_name_in_list(
+ uidtoname(p->pipe_user.ut.uid), NULL,
+ NULL, p->pipe_user.nt_user_token,
+ lp_printer_admin(-1)) )
{
return WERR_ACCESS_DENIED;
}
@@ -2103,8 +2106,9 @@ WERROR _spoolss_deleteprinterdriverex(pipes_struct *p, SPOOL_Q_DELETEPRINTERDRIV
if ( (p->pipe_user.ut.uid != 0)
&& !user_has_privileges(p->pipe_user.nt_user_token, &se_printop )
- && !token_contains_name_in_list( uidtoname(p->pipe_user.ut.uid),
- NULL, p->pipe_user.nt_user_token, lp_printer_admin(-1)) )
+ && !token_contains_name_in_list(
+ uidtoname(p->pipe_user.ut.uid), NULL, NULL,
+ p->pipe_user.nt_user_token, lp_printer_admin(-1)) )
{
return WERR_ACCESS_DENIED;
}
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index c90d4d16bc..4092928de1 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -646,6 +646,7 @@ static NTSTATUS create_connection_server_info(TALLOC_CTX *mem_ctx, int snum,
}
} else {
if (!user_ok_token(vuid_serverinfo->unix_name,
+ pdb_get_domain(vuid_serverinfo->sam_account),
vuid_serverinfo->ptok, snum)) {
DEBUG(2, ("user '%s' (from session setup) not "
"permitted to access this share "
diff --git a/source3/smbd/share_access.c b/source3/smbd/share_access.c
index 512126254a..f5f79c86e5 100644
--- a/source3/smbd/share_access.c
+++ b/source3/smbd/share_access.c
@@ -27,8 +27,6 @@
* + and & may be combined
*/
-extern userdom_struct current_user_info;
-
static bool do_group_checks(const char **name, const char **pattern)
{
if ((*name)[0] == '@') {
@@ -66,6 +64,7 @@ static bool do_group_checks(const char **name, const char **pattern)
static bool token_contains_name(TALLOC_CTX *mem_ctx,
const char *username,
+ const char *domain,
const char *sharename,
const struct nt_user_token *token,
const char *name)
@@ -75,8 +74,7 @@ static bool token_contains_name(TALLOC_CTX *mem_ctx,
enum lsa_SidType type;
if (username != NULL) {
- name = talloc_sub_basic(mem_ctx, username,
- current_user_info.domain, name);
+ name = talloc_sub_basic(mem_ctx, username, domain, name);
}
if (sharename != NULL) {
name = talloc_string_sub(mem_ctx, name, "%S", sharename);
@@ -152,6 +150,7 @@ static bool token_contains_name(TALLOC_CTX *mem_ctx,
*/
bool token_contains_name_in_list(const char *username,
+ const char *domain,
const char *sharename,
const struct nt_user_token *token,
const char **list)
@@ -167,7 +166,8 @@ bool token_contains_name_in_list(const char *username,
}
while (*list != NULL) {
- if (token_contains_name(mem_ctx, username, sharename,token, *list)) {
+ if (token_contains_name(mem_ctx, username, domain, sharename,
+ token, *list)) {
TALLOC_FREE(mem_ctx);
return True;
}
@@ -191,10 +191,12 @@ bool token_contains_name_in_list(const char *username,
* The other use is the netgroup check when using @group or &group.
*/
-bool user_ok_token(const char *username, struct nt_user_token *token, int snum)
+bool user_ok_token(const char *username, const char *domain,
+ struct nt_user_token *token, int snum)
{
if (lp_invalid_users(snum) != NULL) {
- if (token_contains_name_in_list(username, lp_servicename(snum),
+ if (token_contains_name_in_list(username, domain,
+ lp_servicename(snum),
token,
lp_invalid_users(snum))) {
DEBUG(10, ("User %s in 'invalid users'\n", username));
@@ -203,7 +205,7 @@ bool user_ok_token(const char *username, struct nt_user_token *token, int snum)
}
if (lp_valid_users(snum) != NULL) {
- if (!token_contains_name_in_list(username,
+ if (!token_contains_name_in_list(username, domain,
lp_servicename(snum), token,
lp_valid_users(snum))) {
DEBUG(10, ("User %s not in 'valid users'\n",
@@ -220,7 +222,8 @@ bool user_ok_token(const char *username, struct nt_user_token *token, int snum)
DEBUG(0, ("'only user = yes' and no 'username ='\n"));
return False;
}
- if (!token_contains_name_in_list(NULL, lp_servicename(snum),
+ if (!token_contains_name_in_list(NULL, domain,
+ lp_servicename(snum),
token, list)) {
DEBUG(10, ("%s != 'username'\n", username));
return False;
@@ -248,12 +251,13 @@ bool user_ok_token(const char *username, struct nt_user_token *token, int snum)
*/
bool is_share_read_only_for_token(const char *username,
+ const char *domain,
struct nt_user_token *token, int snum)
{
bool result = lp_readonly(snum);
if (lp_readlist(snum) != NULL) {
- if (token_contains_name_in_list(username,
+ if (token_contains_name_in_list(username, domain,
lp_servicename(snum), token,
lp_readlist(snum))) {
result = True;
@@ -261,7 +265,7 @@ bool is_share_read_only_for_token(const char *username,
}
if (lp_writelist(snum) != NULL) {
- if (token_contains_name_in_list(username,
+ if (token_contains_name_in_list(username, domain,
lp_servicename(snum), token,
lp_writelist(snum))) {
result = False;
diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
index 310ad4d23a..b0f8cb224b 100644
--- a/source3/smbd/uid.c
+++ b/source3/smbd/uid.c
@@ -78,12 +78,15 @@ static bool check_user_ok(connection_struct *conn, user_struct *vuser,int snum)
}
if (!user_ok_token(vuser->server_info->unix_name,
+ pdb_get_domain(vuser->server_info->sam_account),
vuser->server_info->ptok,
snum))
return(False);
readonly_share = is_share_read_only_for_token(
- vuser->server_info->unix_name, vuser->server_info->ptok,
+ vuser->server_info->unix_name,
+ pdb_get_domain(vuser->server_info->sam_account),
+ vuser->server_info->ptok,
SNUM(conn));
if (!readonly_share &&
@@ -127,7 +130,9 @@ static bool check_user_ok(connection_struct *conn, user_struct *vuser,int snum)
ent->read_only = readonly_share;
ent->admin_user = token_contains_name_in_list(
- vuser->server_info->unix_name, NULL, vuser->server_info->ptok,
+ vuser->server_info->unix_name,
+ pdb_get_domain(vuser->server_info->sam_account),
+ NULL, vuser->server_info->ptok,
lp_admin_users(SNUM(conn)));
conn->read_only = ent->read_only;