summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
Diffstat (limited to 'source3')
-rw-r--r--source3/smbd/password.c283
-rw-r--r--source3/smbd/reply.c18
2 files changed, 164 insertions, 137 deletions
diff --git a/source3/smbd/password.c b/source3/smbd/password.c
index d2059e7e20..6be2989881 100644
--- a/source3/smbd/password.c
+++ b/source3/smbd/password.c
@@ -765,171 +765,182 @@ static char *validate_group(char *group,char *password,int pwlen,int snum)
return(NULL);
}
-
-
/****************************************************************************
-check for authority to login to a service with a given username/password
+ Check for authority to login to a service with a given username/password.
+ Note this is *NOT* used when logging on using sessionsetup_and_X.
****************************************************************************/
+
BOOL authorise_login(int snum,char *user,char *password, int pwlen,
BOOL *guest,BOOL *force,uint16 vuid)
{
- BOOL ok = False;
- user_struct *vuser = get_valid_user_struct(vuid);
+ BOOL ok = False;
+ user_struct *vuser = get_valid_user_struct(vuid);
- if (lp_security() > SEC_SHARE && !vuser) {
- DEBUG(1,("authorise_login: refusing user %s with no session setup\n",
- user));
- return False;
- }
-
- *guest = False;
-
#if DEBUG_PASSWORD
- DEBUG(100,("checking authorisation on user=%s pass=%s\n",user,password));
+ DEBUG(100,("authorise_login: checking authorisation on user=%s pass=%s\n",
+ user,password));
#endif
- /* there are several possibilities:
- 1) login as the given user with given password
- 2) login as a previously registered username with the given password
- 3) login as a session list username with the given password
- 4) login as a previously validated user/password pair
- 5) login as the "user =" user with given password
- 6) login as the "user =" user with no password (guest connection)
- 7) login as guest user with no password
+ *guest = False;
+
+ if (GUEST_ONLY(snum))
+ *force = True;
- if the service is guest_only then steps 1 to 5 are skipped
- */
+ if (!GUEST_ONLY(snum) && (lp_security() > SEC_SHARE)) {
- if (GUEST_ONLY(snum)) *force = True;
+ /*
+ * We should just use the given vuid from a sessionsetup_and_X.
+ */
- if (!(GUEST_ONLY(snum) && GUEST_OK(snum)))
- {
- /* check the given username and password */
- if (!ok && (*user) && user_ok(user,snum)) {
- ok = password_ok(user,password, pwlen, NULL);
- if (ok) DEBUG(3,("ACCEPTED: given username password ok\n"));
- }
+ if (!vuser) {
+ DEBUG(1,("authorise_login: refusing user %s with no session setup\n",
+ user));
+ return False;
+ }
- /* check for a previously registered guest username */
- if (!ok && (vuser != 0) && vuser->guest) {
- if (user_ok(vuser->user.unix_name,snum) &&
- password_ok(vuser->user.unix_name, password, pwlen, NULL)) {
- fstrcpy(user, vuser->user.unix_name);
- vuser->guest = False;
- DEBUG(3,("ACCEPTED: given password with registered user %s\n", user));
- ok = True;
+ if (!vuser->guest && user_ok(vuser->user.unix_name,snum)) {
+ fstrcpy(user,vuser->user.unix_name);
+ *guest = False;
+ DEBUG(3,("authorise_login: ACCEPTED: validated uid ok as non-guest \
+(user=%s)\n", user));
+ return True;
+ }
}
- }
-
+
+ /* there are several possibilities:
+ 1) login as the given user with given password
+ 2) login as a previously registered username with the given password
+ 3) login as a session list username with the given password
+ 4) login as a previously validated user/password pair
+ 5) login as the "user =" user with given password
+ 6) login as the "user =" user with no password (guest connection)
+ 7) login as guest user with no password
+
+ if the service is guest_only then steps 1 to 5 are skipped
+ */
+
+ if (!(GUEST_ONLY(snum) && GUEST_OK(snum))) {
+ /* check the given username and password */
+ if (!ok && (*user) && user_ok(user,snum)) {
+ ok = password_ok(user,password, pwlen, NULL);
+ if (ok)
+ DEBUG(3,("authorise_login: ACCEPTED: given username (%s) password ok\n",
+ user ));
+ }
- /* now check the list of session users */
- if (!ok)
- {
- char *auser;
- char *user_list = strdup(session_users);
- if (!user_list) return(False);
+ /* check for a previously registered guest username */
+ if (!ok && (vuser != 0) && vuser->guest) {
+ if (user_ok(vuser->user.unix_name,snum) &&
+ password_ok(vuser->user.unix_name, password, pwlen, NULL)) {
+ fstrcpy(user, vuser->user.unix_name);
+ vuser->guest = False;
+ DEBUG(3,("authorise_login: ACCEPTED: given password with registered user %s\n", user));
+ ok = True;
+ }
+ }
- for (auser=strtok(user_list,LIST_SEP);
- !ok && auser;
- auser = strtok(NULL,LIST_SEP))
- {
- fstring user2;
- fstrcpy(user2,auser);
- if (!user_ok(user2,snum)) continue;
+ /* now check the list of session users */
+ if (!ok) {
+ char *auser;
+ char *user_list = strdup(session_users);
+ if (!user_list)
+ return(False);
+
+ for (auser=strtok(user_list,LIST_SEP); !ok && auser;
+ auser = strtok(NULL,LIST_SEP)) {
+ fstring user2;
+ fstrcpy(user2,auser);
+ if (!user_ok(user2,snum))
+ continue;
- if (password_ok(user2,password, pwlen, NULL)) {
- ok = True;
- fstrcpy(user,user2);
- DEBUG(3,("ACCEPTED: session list username and given password ok\n"));
- }
- }
- free(user_list);
- }
+ if (password_ok(user2,password, pwlen, NULL)) {
+ ok = True;
+ fstrcpy(user,user2);
+ DEBUG(3,("authorise_login: ACCEPTED: session list username (%s) \
+and given password ok\n", user));
+ }
+ }
- /* check for a previously validated username/password pair */
- if (!ok && (lp_security() > SEC_SHARE) &&
- (vuser != 0) && !vuser->guest &&
- user_ok(vuser->user.unix_name,snum)) {
- fstrcpy(user,vuser->user.unix_name);
- *guest = False;
- DEBUG(3,("ACCEPTED: validated uid ok as non-guest\n"));
- ok = True;
- }
+ free(user_list);
+ }
- /* check for a rhosts entry */
- if (!ok && user_ok(user,snum) && check_hosts_equiv(user)) {
- ok = True;
- DEBUG(3,("ACCEPTED: hosts equiv or rhosts entry\n"));
- }
+ /* check for a previously validated username/password pair */
+ if (!ok && (lp_security() > SEC_SHARE) && (vuser != 0) && !vuser->guest &&
+ user_ok(vuser->user.unix_name,snum)) {
+ fstrcpy(user,vuser->user.unix_name);
+ *guest = False;
+ DEBUG(3,("authorise_login: ACCEPTED: validated uid (%s) as non-guest\n",
+ user));
+ ok = True;
+ }
- /* check the user= fields and the given password */
- if (!ok && lp_username(snum)) {
- char *auser;
- pstring user_list;
- StrnCpy(user_list,lp_username(snum),sizeof(pstring));
+ /* check for a rhosts entry */
+ if (!ok && user_ok(user,snum) && check_hosts_equiv(user)) {
+ ok = True;
+ DEBUG(3,("authorise_login: ACCEPTED: hosts equiv or rhosts entry for %s\n",
+ user));
+ }
- pstring_sub(user_list,"%S",lp_servicename(snum));
-
- for (auser=strtok(user_list,LIST_SEP);
- auser && !ok;
- auser = strtok(NULL,LIST_SEP))
- {
- if (*auser == '@')
- {
- auser = validate_group(auser+1,password,pwlen,snum);
- if (auser)
- {
- ok = True;
- fstrcpy(user,auser);
- DEBUG(3,("ACCEPTED: group username and given password ok\n"));
- }
- }
- else
- {
- fstring user2;
- fstrcpy(user2,auser);
- if (user_ok(user2,snum) &&
- password_ok(user2,password,pwlen,NULL))
- {
- ok = True;
- fstrcpy(user,user2);
- DEBUG(3,("ACCEPTED: user list username and given password ok\n"));
- }
- }
- }
- }
- } /* not guest only */
+ /* check the user= fields and the given password */
+ if (!ok && lp_username(snum)) {
+ char *auser;
+ pstring user_list;
+ StrnCpy(user_list,lp_username(snum),sizeof(pstring));
- /* check for a normal guest connection */
- if (!ok && GUEST_OK(snum))
- {
- fstring guestname;
- StrnCpy(guestname,lp_guestaccount(snum),sizeof(guestname)-1);
- if (Get_Pwnam(guestname,True))
- {
- fstrcpy(user,guestname);
- ok = True;
- DEBUG(3,("ACCEPTED: guest account and guest ok\n"));
+ pstring_sub(user_list,"%S",lp_servicename(snum));
+
+ for (auser=strtok(user_list,LIST_SEP); auser && !ok;
+ auser = strtok(NULL,LIST_SEP)) {
+ if (*auser == '@') {
+ auser = validate_group(auser+1,password,pwlen,snum);
+ if (auser) {
+ ok = True;
+ fstrcpy(user,auser);
+ DEBUG(3,("authorise_login: ACCEPTED: group username \
+and given password ok (%s)\n", user));
+ }
+ } else {
+ fstring user2;
+ fstrcpy(user2,auser);
+ if (user_ok(user2,snum) && password_ok(user2,password,pwlen,NULL)) {
+ ok = True;
+ fstrcpy(user,user2);
+ DEBUG(3,("authorise_login: ACCEPTED: user list username \
+and given password ok (%s)\n", user));
+ }
+ }
+ }
+ }
+ } /* not guest only */
+
+ /* check for a normal guest connection */
+ if (!ok && GUEST_OK(snum)) {
+ fstring guestname;
+ StrnCpy(guestname,lp_guestaccount(snum),sizeof(guestname)-1);
+ if (Get_Pwnam(guestname,True)) {
+ fstrcpy(user,guestname);
+ ok = True;
+ DEBUG(3,("authorise_login: ACCEPTED: guest account and guest ok (%s)\n",
+ user));
+ } else {
+ DEBUG(0,("authorise_login: Invalid guest account %s??\n",guestname));
+ }
+ *guest = True;
}
- else
- DEBUG(0,("Invalid guest account %s??\n",guestname));
- *guest = True;
- }
- if (ok && !user_ok(user,snum))
- {
- DEBUG(0,("rejected invalid user %s\n",user));
- ok = False;
- }
+ if (ok && !user_ok(user,snum)) {
+ DEBUG(0,("authorise_login: rejected invalid user %s\n",user));
+ ok = False;
+ }
- return(ok);
+ return(ok);
}
-
/****************************************************************************
-read the a hosts.equiv or .rhosts file and check if it
-allows this user from this machine
+ Read the a hosts.equiv or .rhosts file and check if it
+ allows this user from this machine.
****************************************************************************/
+
static BOOL check_user_equiv(char *user, char *remote, char *equiv_file)
{
int plus_allowed = 1;
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index e0b0cea2d3..cd7b3fe6fe 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -205,6 +205,14 @@ int reply_tcon(connection_struct *conn,
pstrcpy(service, p+1);
}
+ /*
+ * If the vuid is valid, we should be using that....
+ */
+
+ if (*user == '\0' && (lp_security() != SEC_SHARE) && validated_username(vuid)) {
+ pstrcpy(user,validated_username(vuid));
+ }
+
/*
* Ensure the user and password names are in UNIX codepage format.
*/
@@ -247,6 +255,7 @@ int reply_tcon(connection_struct *conn,
/****************************************************************************
Reply to a tcon and X.
****************************************************************************/
+
int reply_tcon_and_X(connection_struct *conn, char *inbuf,char *outbuf,int length,int bufsize)
{
fstring service;
@@ -298,6 +307,14 @@ int reply_tcon_and_X(connection_struct *conn, char *inbuf,char *outbuf,int lengt
DEBUG(4,("Got device type %s\n",devicename));
+ /*
+ * If the vuid is valid, we should be using that....
+ */
+
+ if (*user == '\0' && (lp_security() != SEC_SHARE) && validated_username(vuid)) {
+ pstrcpy(user,validated_username(vuid));
+ }
+
/*
* Pass the user through the NT -> unix user mapping
* function.
@@ -1066,7 +1083,6 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,int
return chain_reply(inbuf,outbuf,length,bufsize);
}
-
/****************************************************************************
reply to a chkpth
****************************************************************************/
generated by cgit (git 2.34.1) at 2024-11-30 01:50:04 +0000