Diffstat (limited to 'source3/auth')
-rw-r--r--source3/auth/auth.c67
-rw-r--r--source3/auth/auth_util.c53
2 files changed, 94 insertions, 26 deletions
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 4d1a566833..67f80afdda 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -63,9 +63,23 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info,
NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
BOOL done_pam = False;
+ const char *pdb_username;
- DEBUG(3, ("check_password: Checking password for unmapped user %s\\%s@%s with the new password interface\n",
- user_info->smb_name.str, user_info->client_domain.str, user_info->wksta_name.str));
+ DEBUG(3, ("check_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n",
+ user_info->client_domain.str, user_info->smb_name.str, user_info->wksta_name.str));
+
+ DEBUG(3, ("check_password: mapped user is: [%s]\\[%s]@[%s]\n",
+ user_info->domain.str, user_info->internal_username.str, user_info->wksta_name.str));
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ nt_status = check_guest_security(user_info, server_info);
+ if (NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(5, ("check_password: checking guest-account for user [%s] suceeded\n", user_info->smb_name.str));
+ } else {
+ DEBUG(10, ("check_password: checking gusst-account for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
+
+ }
+ }
/* This needs to be sorted: If it doesn't match, what should we do? */
if (!check_domain_match(user_info->smb_name.str, user_info->domain.str)) {
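Review bot: The added DEBUG calls print client_domain, smb_name, wksta_name and internal_username exactly as the client sent them, and the new brackets do not stop a name containing a newline or `]` from forging or splitting log lines. The same applies to the bracketed messages in the later hunks of this file. Whether DEBUG escapes control characters is not visible here; if it does not, the strings should be sanitised before logging. The guest failure message is also misspelled, so a search for "guest-account" misses it; the string should read `"check_password: checking guest-account for user [%s] FAILED with error %s\n"`. check_password starts and ends outside this hunk.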
@@ -75,9 +89,9 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info,
if (!NT_STATUS_IS_OK(nt_status)) {
nt_status = check_rhosts_security(user_info, server_info);
if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG(7, ("check_password: Password (rhosts) for user %s suceeded\n", user_info->smb_name.str));
+ DEBUG(3, ("check_password: Password (rhosts) for user [%s] suceeded\n", user_info->smb_name.str));
} else {
- DEBUG(5, ("check_password: Password (rhosts)for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
+ DEBUG(10, ("check_password: Password (rhosts) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
}
}
@@ -85,9 +99,9 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info,
if ((lp_security() == SEC_DOMAIN) && !NT_STATUS_IS_OK(nt_status)) {
nt_status = check_domain_security(user_info, server_info);
if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG(7, ("check_password: Password (domain) for user %s suceeded\n", user_info->smb_name.str));
+ DEBUG(7, ("check_password: Password (domain) for user [%s] suceeded\n", user_info->smb_name.str));
} else {
- DEBUG(5, ("check_password: Password (domain) for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
+ DEBUG(5, ("check_password: Password (domain) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
}
}
@@ -95,9 +109,9 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info,
if ((lp_security() == SEC_SERVER) && !NT_STATUS_IS_OK(nt_status)) {
nt_status = check_server_security(user_info, server_info);
if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG(7, ("check_password: Password (server) for user %s suceeded\n", user_info->smb_name.str));
+ DEBUG(7, ("check_password: Password (server) for user [%s] suceeded\n", user_info->smb_name.str));
} else {
- DEBUG(5, ("check_password: Password (server) for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
+ DEBUG(5, ("check_password: Password (server) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
}
}
@@ -115,32 +129,37 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info,
}
if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG(7, ("check_password: Password (unix/smbpasswd) for user %s suceeded\n", user_info->smb_name.str));
+ DEBUG(7, ("check_password: Password (unix/smbpasswd) for user [%s] suceeded\n", user_info->smb_name.str));
} else {
- DEBUG(5, ("check_password: Password (unix/smbpasswd) for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
+ DEBUG(5, ("check_password: Password (unix/smbpasswd) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
}
}
-
- if (NT_STATUS_IS_OK(nt_status) && !done_pam) {
- /* We might not be root if we are an RPC call */
- become_root();
- nt_status = smb_pam_accountcheck(pdb_get_username((*server_info)->sam_account));
- unbecome_root();
-
- if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG(5, ("check_password: PAM Account for user %s suceeded\n", user_info->smb_name.str));
- } else {
- DEBUG(3, ("check_password: PAM Account for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
+ if (NT_STATUS_IS_OK(nt_status)) {
+ pdb_username = pdb_get_username((*server_info)->sam_account);
+ if (!done_pam && !(*server_info)->guest) {
+ /* We might not be root if we are an RPC call */
+ become_root();
+ nt_status = smb_pam_accountcheck(pdb_username);
+ unbecome_root();
- }
+ if (NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(5, ("check_password: PAM Account for user [%s] suceeded\n", pdb_username));
+ } else {
+ DEBUG(3, ("check_password: PAM Account for user [%s] FAILED with error %s\n", pdb_username, get_nt_error_msg(nt_status)));
+ }
+ }
}
if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG(5, ("check_password: Password for smb user %s suceeded\n", user_info->smb_name.str));
+ DEBUG(3, ("check_password: %sauthenticaion for user [%s] -> [%s] -> [%s] suceeded\n",
+ (*server_info)->guest ? "guest " : "",
+ user_info->smb_name.str,
+ user_info->internal_username.str,
+ pdb_username));
} else {
- DEBUG(3, ("check_password: Password for smb user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
+ DEBUG(3, ("check_password: Authenticaion for user [%s] -> [%s] FAILED with error %s\n", user_info->smb_name.str, user_info->internal_username.str, get_nt_error_msg(nt_status)));
ZERO_STRUCTP(server_info);
}
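Review bot: Guest sessions now skip smb_pam_accountcheck through the added `!(*server_info)->guest` test, and nothing in the hunk records why. Any PAM account restrictions configured for the guest account would therefore appear not to apply to anonymous logons. If that is intended, a comment above the test such as `/* guest logons deliberately skip the PAM account check */` plus the reason would make the decision reviewable. Separately, pdb_username is assigned only inside the first success branch and read in the final one; declaring it as `const char *pdb_username = NULL;` in the first hunk keeps that dependency safe against later edits. The function body continues outside this hunk.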
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 421ab3f1e4..cfdf3a6acc 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -589,6 +589,27 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info,
return ret;
}
+/****************************************************************************
+ Create a guest user_info blob, for anonymous authenticaion.
+****************************************************************************/
+
+BOOL make_user_info_guest(auth_usersupplied_info **user_info)
+{
+ DATA_BLOB sec_blob = data_blob(NULL, 0);
+ DATA_BLOB lm_blob = data_blob(NULL, 0);
+ DATA_BLOB nt_blob = data_blob(NULL, 0);
+ DATA_BLOB plaintext_blob = data_blob(NULL, 0);
+ uint32 ntlmssp_flags = 0;
+
+ return make_user_info(user_info,
+ "","",
+ "","",
+ "", sec_blob,
+ nt_blob, lm_blob,
+ plaintext_blob,
+ ntlmssp_flags, True);
+}
+
BOOL make_server_info(auth_serversupplied_info **server_info)
{
*server_info = malloc(sizeof(**server_info));
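Review bot: The header comment on make_user_info_guest does not explain the call it wraps: five empty strings, four zero-length blobs and a trailing bare `True` whose meaning cannot be read from this hunk, since make_user_info's parameter list is outside it. A short comment on that last argument, for example `/* encrypted */` or whatever the parameter actually is, would let a reader confirm that an anonymous request is built the way the authentication chain expects. The comment should also say what the BOOL result means and who frees *user_info. "authenticaion" in the header is a typo for "authentication".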
@@ -664,13 +685,19 @@ void free_server_info(auth_serversupplied_info **server_info)
Make a server_info struct for a guest user
***************************************************************************/
-void make_server_info_guest(auth_serversupplied_info **server_info)
+BOOL make_server_info_guest(auth_serversupplied_info **server_info)
{
struct passwd *pass = sys_getpwnam(lp_guestaccount(-1));
if (pass) {
- make_server_info_pw(server_info, pass);
+ if (!make_server_info_pw(server_info, pass)) {
+ return False;
+ }
+ (*server_info)->guest = True;
+ return True;
}
+ DEBUG(0,("make_server_info_guest: sys_getpwnam() failed on guest account!\n"));
+ return False;
}
/****************************************************************************
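Review bot: The new level-0 message in make_server_info_guest fires whenever the guest account lookup fails, and check_guest_security in the last hunk calls this function for every request with an empty username. On a server with a missing or misnamed guest account, unauthenticated clients could therefore fill the log at the highest priority. The message also does not name the account that was looked up; keeping the lp_guestaccount(-1) result in a local and printing it, `DEBUG(0,("make_server_info_guest: sys_getpwnam(%s) failed\n", guest_account));`, would make the misconfiguration diagnosable. The header comment should state the new BOOL return value and that the guest flag is set only on success.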
@@ -712,3 +739,25 @@ NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken)
return token;
}
+
+/****************************************************************************
+ Check for a guest logon (username = "") and if so create the required
+ structure.
+****************************************************************************/
+
+NTSTATUS check_guest_security(const auth_usersupplied_info *user_info,
+ auth_serversupplied_info **server_info)
+{
+ NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
+
+ if (!(user_info->internal_username.str
+ && *user_info->internal_username.str)) {
+ if (make_server_info_guest(server_info)) {
+ nt_status = NT_STATUS_OK;
+ } else {
+ nt_status = NT_STATUS_NO_SUCH_USER;
+ }
+ }
+
+ return nt_status;
+}
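Review bot: check_guest_security grants guest access on an empty internal_username alone. It never looks at the password blobs or at any setting that enables anonymous logons, so a request with an empty name and arbitrary credentials takes the guest path. If that policy is enforced by callers outside this hunk, the header comment should say so, for example `Whether guest logons are permitted at all is decided by the caller.` The NT_STATUS_NO_SUCH_USER returned on failure is also overwritten in check_password, where the later stages run whenever the status is not OK, so the caller never sees that code.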