Diffstat (limited to 'source3/smbd')
-rw-r--r-- | source3/smbd/service.c | 1 | ||||
-rw-r--r-- | source3/smbd/share_access.c | 26 | ||||
-rw-r--r-- | source3/smbd/uid.c | 9 |
3 files changed, 23 insertions, 13 deletions
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index c90d4d16bc..4092928de1 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -646,6 +646,7 @@ static NTSTATUS create_connection_server_info(TALLOC_CTX *mem_ctx, int snum,
 		}
 	} else {
 		if (!user_ok_token(vuid_serverinfo->unix_name,
+				   pdb_get_domain(vuid_serverinfo->sam_account),
 				   vuid_serverinfo->ptok, snum)) {
 			DEBUG(2, ("user '%s' (from session setup) not "
 				  "permitted to access this share "
diff --git a/source3/smbd/share_access.c b/source3/smbd/share_access.c
index 512126254a..f5f79c86e5 100644
--- a/source3/smbd/share_access.c
+++ b/source3/smbd/share_access.c
@@ -27,8 +27,6 @@
  * + and & may be combined
  */
 
-extern userdom_struct current_user_info;
-
 static bool do_group_checks(const char **name, const char **pattern)
 {
 	if ((*name)[0] == '@') {
@@ -66,6 +64,7 @@ static bool do_group_checks(const char **name, const char **pattern)
 
 static bool token_contains_name(TALLOC_CTX *mem_ctx,
 				const char *username,
+				const char *domain,
 				const char *sharename,
 				const struct nt_user_token *token,
 				const char *name)
@@ -75,8 +74,7 @@ static bool token_contains_name(TALLOC_CTX *mem_ctx,
 	enum lsa_SidType type;
 
 	if (username != NULL) {
-		name = talloc_sub_basic(mem_ctx, username,
-					current_user_info.domain, name);
+		name = talloc_sub_basic(mem_ctx, username, domain, name);
 	}
 	if (sharename != NULL) {
 		name = talloc_string_sub(mem_ctx, name, "%S", sharename);
@@ -152,6 +150,7 @@ static bool token_contains_name(TALLOC_CTX *mem_ctx,
  */
 
 bool token_contains_name_in_list(const char *username,
+				 const char *domain,
 				 const char *sharename,
 				 const struct nt_user_token *token,
 				 const char **list)
@@ -167,7 +166,8 @@ bool token_contains_name_in_list(const char *username,
 	}
 
 	while (*list != NULL) {
-		if (token_contains_name(mem_ctx, username, sharename,token, *list)) {
+		if (token_contains_name(mem_ctx, username, domain, sharename,
+					token, *list)) {
 			TALLOC_FREE(mem_ctx);
 			return True;
 		}
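Review bot: In the -75 hunk the rewritten `name = talloc_sub_basic(mem_ctx, username, domain, name);` still leaves its result unchecked before the next visible line hands `name` to talloc_string_sub(), so an allocation failure most likely ends in a NULL dereference rather than a clean non-match; that was already the case before this change, but the line is being rewritten anyway. A guard directly after the call, `if (name == NULL) { return False; }`, makes the failure explicit, and since a False from token_contains_name means "not listed" for the `invalid users` path as well as the `valid users` path, the chosen fail state deserves a one-line comment. The `domain` argument now originates from pdb_get_domain() at the call sites in service.c and uid.c and replaces the removed global `current_user_info.domain`; whether it can be NULL and whether talloc_sub_basic() accepts a NULL domain should be confirmed. The body of token_contains_name continues outside the hunk.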
@@ -191,10 +191,12 @@ bool token_contains_name_in_list(const char *username,
  * The other use is the netgroup check when using @group or &group.
  */
 
-bool user_ok_token(const char *username, struct nt_user_token *token, int snum)
+bool user_ok_token(const char *username, const char *domain,
+		   struct nt_user_token *token, int snum)
 {
 	if (lp_invalid_users(snum) != NULL) {
-		if (token_contains_name_in_list(username, lp_servicename(snum),
+		if (token_contains_name_in_list(username, domain,
+						lp_servicename(snum),
 						token, lp_invalid_users(snum))) {
 			DEBUG(10, ("User %s in 'invalid users'\n",
 				   username));
@@ -203,7 +205,7 @@ bool user_ok_token(const char *username, struct nt_user_token *token, int snum)
 	}
 
 	if (lp_valid_users(snum) != NULL) {
-		if (!token_contains_name_in_list(username,
+		if (!token_contains_name_in_list(username, domain,
 						 lp_servicename(snum), token,
 						 lp_valid_users(snum))) {
 			DEBUG(10, ("User %s not in 'valid users'\n",
@@ -220,7 +222,8 @@ bool user_ok_token(const char *username, struct nt_user_token *token, int snum)
 		DEBUG(0, ("'only user = yes' and no 'username ='\n"));
 		return False;
 	}
-	if (!token_contains_name_in_list(NULL, lp_servicename(snum),
+	if (!token_contains_name_in_list(NULL, domain,
+					lp_servicename(snum),
 					token, list)) {
 		DEBUG(10, ("%s != 'username'\n", username));
 		return False;
@@ -248,12 +251,13 @@ bool user_ok_token(const char *username, struct nt_user_token *token, int snum)
  */
 
 bool is_share_read_only_for_token(const char *username,
+				  const char *domain,
 				  struct nt_user_token *token, int snum)
 {
 	bool result = lp_readonly(snum);
 
 	if (lp_readlist(snum) != NULL) {
-		if (token_contains_name_in_list(username, domain,
+		if (token_contains_name_in_list(username, domain,
 						lp_servicename(snum), token,
 						lp_readlist(snum))) {
 			result = True;
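Review bot: The comment block above user_ok_token, whose visible tail ` * The other use is the netgroup check when using @group or &group.` opens the -191 hunk, gives no sign of describing the new `domain` parameter, and the same holds for the comment ending just before is_share_read_only_for_token in the -248 hunk; unless an earlier line of those comments outside the hunks already covers it, both signatures now have an undocumented argument. A line such as ` * "domain" is the user's domain name; it is forwarded through token_contains_name_in_list() to talloc_sub_basic() for substitution in the list entries.` in each comment would state the new contract, with the exact substitution pattern confirmed against talloc_sub_basic(). The bodies of both functions continue outside the hunks.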
@@ -261,7 +265,7 @@ bool is_share_read_only_for_token(const char *username, } if (lp_writelist(snum) != NULL) { - if (token_contains_name_in_list(username, + if (token_contains_name_in_list(username, domain, lp_servicename(snum), token, lp_writelist(snum))) { result = False; diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c index 310ad4d23a..b0f8cb224b 100644 --- a/source3/smbd/uid.c +++ b/source3/smbd/uid.c @@ -78,12 +78,15 @@ static bool check_user_ok(connection_struct *conn, user_struct *vuser,int snum) } if (!user_ok_token(vuser->server_info->unix_name, + pdb_get_domain(vuser->server_info->sam_account), vuser->server_info->ptok, snum)) return(False); readonly_share = is_share_read_only_for_token( - vuser->server_info->unix_name, vuser->server_info->ptok, + vuser->server_info->unix_name, + pdb_get_domain(vuser->server_info->sam_account), + vuser->server_info->ptok, SNUM(conn)); if (!readonly_share && @@ -127,7 +130,9 @@ static bool check_user_ok(connection_struct *conn, user_struct *vuser,int snum) ent->read_only = readonly_share; ent->admin_user = token_contains_name_in_list( - vuser->server_info->unix_name, NULL, vuser->server_info->ptok, + vuser->server_info->unix_name, + pdb_get_domain(vuser->server_info->sam_account), + NULL, vuser->server_info->ptok, lp_admin_users(SNUM(conn))); conn->read_only = ent->read_only; |
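Review bot: check_user_ok in uid.c now evaluates `pdb_get_domain(vuser->server_info->sam_account)` three times across the -78 and -127 hunks (the user_ok_token, is_share_read_only_for_token and token_contains_name_in_list calls) for a value that nothing in between changes. Hoisting it once into a local such as `const char *domain = pdb_get_domain(vuser->server_info->sam_account);` near the top of check_user_ok (its start is outside the hunk) and passing `domain` at the three call sites keeps the three access checks visibly consistent and gives a single place to handle a NULL result, should pdb_get_domain() be able to return one. The same expression appears once in the service.c hunk, where a local adds nothing.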