Diffstat (limited to 'source3/auth')
-rw-r--r-- | source3/auth/auth.c | 67 | ||||
-rw-r--r-- | source3/auth/auth_util.c | 53 |
2 files changed, 94 insertions, 26 deletions
diff --git a/source3/auth/auth.c b/source3/auth/auth.c index 4d1a566833..67f80afdda 100644 --- a/source3/auth/auth.c +++ b/source3/auth/auth.c @@ -63,9 +63,23 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; BOOL done_pam = False; + const char *pdb_username; - DEBUG(3, ("check_password: Checking password for unmapped user %s\\%s@%s with the new password interface\n", - user_info->smb_name.str, user_info->client_domain.str, user_info->wksta_name.str)); + DEBUG(3, ("check_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n", + user_info->client_domain.str, user_info->smb_name.str, user_info->wksta_name.str)); + + DEBUG(3, ("check_password: mapped user is: [%s]\\[%s]@[%s]\n", + user_info->domain.str, user_info->internal_username.str, user_info->wksta_name.str)); + + if (!NT_STATUS_IS_OK(nt_status)) { + nt_status = check_guest_security(user_info, server_info); + if (NT_STATUS_IS_OK(nt_status)) { + DEBUG(5, ("check_password: checking guest-account for user [%s] suceeded\n", user_info->smb_name.str)); + } else { + DEBUG(10, ("check_password: checking gusst-account for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + + } + } /* This needs to be sorted: If it doesn't match, what should we do? */ if (!check_domain_match(user_info->smb_name.str, user_info->domain.str)) { 
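Review bot: The guard `if (!NT_STATUS_IS_OK(nt_status))` around the new check_guest_security() call is always true at this point, because nt_status still holds the NT_STATUS_LOGON_FAILURE it was initialised with a few lines above, so the guest check runs unconditionally and ahead of check_domain_match(). A comment would make that ordering explicit, e.g. `/* guest (empty mapped username) is tried first; a success skips every password backend below */`. Both new DEBUG lines print `smb_name`, although the guest decision in check_guest_security() is taken on `internal_username`; printing the mapped name as well keeps the audit trail unambiguous. `gusst-account` in the failure message should read `guest-account` so that log searches match. check_password's body starts and ends outside this hunk.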
@@ -75,9 +89,9 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, if (!NT_STATUS_IS_OK(nt_status)) { nt_status = check_rhosts_security(user_info, server_info); if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(7, ("check_password: Password (rhosts) for user %s suceeded\n", user_info->smb_name.str)); + DEBUG(3, ("check_password: Password (rhosts) for user [%s] suceeded\n", user_info->smb_name.str)); } else { - DEBUG(5, ("check_password: Password (rhosts)for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + DEBUG(10, ("check_password: Password (rhosts) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); } } @@ -85,9 +99,9 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, if ((lp_security() == SEC_DOMAIN) && !NT_STATUS_IS_OK(nt_status)) { nt_status = check_domain_security(user_info, server_info); if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(7, ("check_password: Password (domain) for user %s suceeded\n", user_info->smb_name.str)); + DEBUG(7, ("check_password: Password (domain) for user [%s] suceeded\n", user_info->smb_name.str)); } else { - DEBUG(5, ("check_password: Password (domain) for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + DEBUG(5, ("check_password: Password (domain) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); } } 
@@ -95,9 +109,9 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, if ((lp_security() == SEC_SERVER) && !NT_STATUS_IS_OK(nt_status)) { nt_status = check_server_security(user_info, server_info); if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(7, ("check_password: Password (server) for user %s suceeded\n", user_info->smb_name.str)); + DEBUG(7, ("check_password: Password (server) for user [%s] suceeded\n", user_info->smb_name.str)); } else { - DEBUG(5, ("check_password: Password (server) for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + DEBUG(5, ("check_password: Password (server) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); } } 
@@ -115,32 +129,37 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info, } if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(7, ("check_password: Password (unix/smbpasswd) for user %s suceeded\n", user_info->smb_name.str)); + DEBUG(7, ("check_password: Password (unix/smbpasswd) for user [%s] suceeded\n", user_info->smb_name.str)); } else { - DEBUG(5, ("check_password: Password (unix/smbpasswd) for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + DEBUG(5, ("check_password: Password (unix/smbpasswd) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); } } - - if (NT_STATUS_IS_OK(nt_status) && !done_pam) { - /* We might not be root if we are an RPC call */ - become_root(); - nt_status = smb_pam_accountcheck(pdb_get_username((*server_info)->sam_account)); - unbecome_root(); - - if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(5, ("check_password: PAM Account for user %s suceeded\n", user_info->smb_name.str)); - } else { - DEBUG(3, ("check_password: PAM Account for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + if (NT_STATUS_IS_OK(nt_status)) { + pdb_username = pdb_get_username((*server_info)->sam_account); + if (!done_pam && !(*server_info)->guest) { + /* We might not be root if we are an RPC call */ + become_root(); + nt_status = smb_pam_accountcheck(pdb_username); + unbecome_root(); - } + if (NT_STATUS_IS_OK(nt_status)) { + DEBUG(5, ("check_password: PAM Account for user [%s] suceeded\n", pdb_username)); + } else { + DEBUG(3, ("check_password: PAM Account for user [%s] FAILED with error %s\n", pdb_username, get_nt_error_msg(nt_status))); + } + } } if (NT_STATUS_IS_OK(nt_status)) { - DEBUG(5, ("check_password: Password for smb user %s suceeded\n", user_info->smb_name.str)); + DEBUG(3, ("check_password: %sauthenticaion for user [%s] -> [%s] -> [%s] suceeded\n", + (*server_info)->guest ? 
"guest " : "", + user_info->smb_name.str, + user_info->internal_username.str, + pdb_username)); } else { - DEBUG(3, ("check_password: Password for smb user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status))); + DEBUG(3, ("check_password: Authenticaion for user [%s] -> [%s] FAILED with error %s\n", user_info->smb_name.str, user_info->internal_username.str, get_nt_error_msg(nt_status))); ZERO_STRUCTP(server_info); } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 421ab3f1e4..cfdf3a6acc 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -589,6 +589,27 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info, return ret; } +/**************************************************************************** + Create a guest user_info blob, for anonymous authenticaion. +****************************************************************************/ + +BOOL make_user_info_guest(auth_usersupplied_info **user_info) +{ + DATA_BLOB sec_blob = data_blob(NULL, 0); + DATA_BLOB lm_blob = data_blob(NULL, 0); + DATA_BLOB nt_blob = data_blob(NULL, 0); + DATA_BLOB plaintext_blob = data_blob(NULL, 0); + uint32 ntlmssp_flags = 0; + + return make_user_info(user_info, + "","", + "","", + "", sec_blob, + nt_blob, lm_blob, + plaintext_blob, + ntlmssp_flags, True); +} + BOOL make_server_info(auth_serversupplied_info **server_info) { *server_info = malloc(sizeof(**server_info)); 
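Review bot: `pdb_username` is taken from `pdb_get_username((*server_info)->sam_account)` without a NULL check and is then handed to smb_pam_accountcheck() and to `%s` in three DEBUG calls. With the guest path added by this commit, server_info can now be built by make_server_info_pw(), whose body is not in this diff, so it should be confirmed that sam_account and its username are always populated there. Initialising the variable at its declaration (`const char *pdb_username = NULL;`) and failing the logon when the lookup returns nothing (`if (!pdb_username) nt_status = NT_STATUS_NO_SUCH_USER;`) keeps the success path from formatting a NULL pointer. The spelling `authenticaion` in both final messages will also defeat log searches for "authentication".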
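Review bot: The make_user_info() call in make_user_info_guest() passes five empty strings and a bare `True` whose meaning cannot be read from this hunk, so the next maintainer cannot tell which argument makes the blob "anonymous". A short comment on each argument line naming the parameter it fills would fix that, together with a header along the lines of `/* Builds the user_info for an anonymous logon: all names are "" and all credential blobs are empty. */`. If check_guest_security() relies on the empty username produced here, as it appears to, the header should say so. The existing header comment also misspells "authentication".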
@@ -664,13 +685,19 @@ void free_server_info(auth_serversupplied_info **server_info) Make a server_info struct for a guest user ***************************************************************************/ -void make_server_info_guest(auth_serversupplied_info **server_info) +BOOL make_server_info_guest(auth_serversupplied_info **server_info) { struct passwd *pass = sys_getpwnam(lp_guestaccount(-1)); if (pass) { - make_server_info_pw(server_info, pass); + if (!make_server_info_pw(server_info, pass)) { + return False; + } + (*server_info)->guest = True; + return True; } + DEBUG(0,("make_server_info_guest: sys_getpwnam() failed on guest account!\n")); + return False; } /**************************************************************************** @@ -712,3 +739,25 @@ NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken) return token; } + +/**************************************************************************** + Check for a guest logon (username = "") and if so create the required + structure. +****************************************************************************/ + +NTSTATUS check_guest_security(const auth_usersupplied_info *user_info, + auth_serversupplied_info **server_info) +{ + NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE; + + if (!(user_info->internal_username.str + && *user_info->internal_username.str)) { + if (make_server_info_guest(server_info)) { + nt_status = NT_STATUS_OK; + } else { + nt_status = NT_STATUS_NO_SUCH_USER; + } + } + + return nt_status; +} |
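Review bot: In check_guest_security(), a NULL `internal_username.str` is treated the same as an empty one, so a user_info whose username was never filled in (for example after a failed allocation upstream) is granted the guest logon instead of being rejected. Rejecting NULL before the emptiness test makes the check fail closed: `if (!user_info->internal_username.str) return NT_STATUS_INVALID_PARAMETER;`. The function also grants guest on the name alone, without looking at the supplied password blobs or at any configuration switch visible in this diff. If that is intended, the header comment should state it.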