summaryrefslogtreecommitdiff
path: root/source3/smbd/sesssetup.c
diff options
context:
space:
mode:
Diffstat (limited to 'source3/smbd/sesssetup.c')
-rw-r--r--source3/smbd/sesssetup.c60
1 files changed, 25 insertions, 35 deletions
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index bb7d17be56..eafe805aba 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -148,6 +148,7 @@ static int reply_spnego_kerberos(connection_struct *conn,
DATA_BLOB auth_data;
auth_serversupplied_info *server_info = NULL;
ADS_STRUCT *ads;
+ BOOL foreign = False;
if (!spnego_parse_krb5_wrap(*secblob, &ticket)) {
return ERROR_NT(NT_STATUS_LOGON_FAILURE);
@@ -168,6 +169,8 @@ static int reply_spnego_kerberos(connection_struct *conn,
return ERROR_NT(NT_STATUS_LOGON_FAILURE);
}
+ data_blob_free(&auth_data);
+
DEBUG(3,("Ticket name is [%s]\n", client));
p = strchr_m(client, '@');
@@ -183,12 +186,20 @@ static int reply_spnego_kerberos(connection_struct *conn,
if (!lp_allow_trusted_domains()) {
return ERROR_NT(NT_STATUS_LOGON_FAILURE);
}
- /* this gives a fully qualified user name (ie. with full realm).
- that leads to very long usernames, but what else can we do? */
- asprintf(&user, "%s%s%s", p+1, lp_winbind_separator(), client);
- } else {
- user = strdup(client);
+ foreign = True;
+ }
+
+ /* this gives a fully qualified user name (ie. with full realm).
+ that leads to very long usernames, but what else can we do? */
+ asprintf(&user, "%s%s%s", p+1, lp_winbind_separator(), client);
+
+ pw = Get_Pwnam(user);
+ if (!pw && !foreign) {
+ pw = Get_Pwnam(client);
+ SAFE_FREE(user);
+ user = smb_xstrdup(client);
}
+
ads_destroy(&ads);
/* setup the string used by %U */
@@ -196,19 +207,6 @@ static int reply_spnego_kerberos(connection_struct *conn,
reload_services(True);
- /* the password is good - let them in */
- pw = Get_Pwnam(user);
- if (!pw && !strstr(user, lp_winbind_separator())) {
- char *user2;
- /* try it with a winbind domain prefix */
- asprintf(&user2, "%s%s%s", lp_workgroup(), lp_winbind_separator(), user);
- pw = Get_Pwnam(user2);
- if (pw) {
- free(user);
- user = user2;
- }
- }
-
if (!pw) {
DEBUG(1,("Username %s is invalid on this system\n",user));
return ERROR_NT(NT_STATUS_NO_SUCH_USER);
@@ -219,10 +217,10 @@ static int reply_spnego_kerberos(connection_struct *conn,
return ERROR_NT(ret);
}
+ /* register_vuid keeps the server info */
sess_vuid = register_vuid(server_info, user);
free(user);
- free_server_info(&server_info);
if (sess_vuid == -1) {
return ERROR_NT(NT_STATUS_LOGON_FAILURE);
@@ -263,8 +261,10 @@ static BOOL reply_spnego_ntlmssp(connection_struct *conn, char *outbuf,
if (NT_STATUS_IS_OK(nt_status)) {
int sess_vuid;
- sess_vuid = register_vuid(server_info, (*auth_ntlmssp_state)->ntlmssp_state->user /* check this for weird */);
-
+ /* register_vuid keeps the server info */
+ sess_vuid = register_vuid(server_info, (*auth_ntlmssp_state)->ntlmssp_state->user);
+ (*auth_ntlmssp_state)->server_info = NULL;
+
if (sess_vuid == -1) {
nt_status = NT_STATUS_LOGON_FAILURE;
} else {
@@ -272,7 +272,7 @@ static BOOL reply_spnego_ntlmssp(connection_struct *conn, char *outbuf,
set_message(outbuf,4,0,True);
SSVAL(outbuf, smb_vwv3, 0);
- if ((*auth_ntlmssp_state)->server_info && (*auth_ntlmssp_state)->server_info->guest) {
+ if (server_info->guest) {
SSVAL(outbuf,smb_vwv2,1);
}
@@ -285,7 +285,7 @@ static BOOL reply_spnego_ntlmssp(connection_struct *conn, char *outbuf,
data_blob_free(&response);
if (!ret || !NT_STATUS_EQUAL(nt_status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- auth_ntlmssp_end(&global_ntlmssp_state);
+ auth_ntlmssp_end(auth_ntlmssp_state);
}
return ret;
@@ -463,7 +463,6 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
extern BOOL global_encrypted_passwords_negotiated;
extern BOOL global_spnego_negotiated;
extern int Protocol;
- extern userdom_struct current_user_info;
extern int max_send;
auth_usersupplied_info *user_info = NULL;
@@ -584,13 +583,6 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
domain,native_os,native_lanman));
}
- /* don't allow for weird usernames or domains */
- alpha_strcpy(user, user, ". _-$", sizeof(user));
- alpha_strcpy(domain, domain, ". _-@", sizeof(domain));
- if (strstr(user, "..") || strstr(domain,"..")) {
- return ERROR_NT(NT_STATUS_LOGON_FAILURE);
- }
-
DEBUG(3,("sesssetupX:name=[%s]\\[%s]@[%s]\n", domain, user, get_remote_machine_name()));
if (*user) {
@@ -609,7 +601,7 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
fstrcpy(sub_user, lp_guestaccount());
}
- fstrcpy(current_user_info.smb_name,sub_user);
+ sub_set_smb_name(sub_user);
reload_services(True);
@@ -692,15 +684,13 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
/* register the name and uid as being validated, so further connections
to a uid can get through without a password, on the same VC */
+ /* register_vuid keeps the server info */
sess_vuid = register_vuid(server_info, sub_user);
-
- free_server_info(&server_info);
if (sess_vuid == -1) {
return ERROR_NT(NT_STATUS_LOGON_FAILURE);
}
-
SSVAL(outbuf,smb_uid,sess_vuid);
SSVAL(inbuf,smb_uid,sess_vuid);
generated by cgit (git 2.34.1) at 2025-01-23 10:33:02 +0000