summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
Diffstat (limited to 'source3')
-rw-r--r--source3/auth/auth.c67
-rw-r--r--source3/auth/auth_util.c53
-rw-r--r--source3/rpc_server/srv_netlog_nt.c9
-rw-r--r--source3/rpc_server/srv_pipe.c51
-rw-r--r--source3/smbd/auth.c67
-rw-r--r--source3/smbd/auth_util.c53
-rw-r--r--source3/smbd/password.c18
-rw-r--r--source3/smbd/reply.c2
-rw-r--r--source3/smbd/session.c8
-rw-r--r--source3/smbd/sesssetup.c120
10 files changed, 292 insertions, 156 deletions
diff --git a/source3/auth/auth.c b/source3/auth/auth.c
index 4d1a566833..67f80afdda 100644
--- a/source3/auth/auth.c
+++ b/source3/auth/auth.c
@@ -63,9 +63,23 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info,
NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
BOOL done_pam = False;
+ const char *pdb_username;
- DEBUG(3, ("check_password: Checking password for unmapped user %s\\%s@%s with the new password interface\n",
- user_info->smb_name.str, user_info->client_domain.str, user_info->wksta_name.str));
+ DEBUG(3, ("check_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n",
+ user_info->client_domain.str, user_info->smb_name.str, user_info->wksta_name.str));
+
+ DEBUG(3, ("check_password: mapped user is: [%s]\\[%s]@[%s]\n",
+ user_info->domain.str, user_info->internal_username.str, user_info->wksta_name.str));
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ nt_status = check_guest_security(user_info, server_info);
+ if (NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(5, ("check_password: checking guest-account for user [%s] suceeded\n", user_info->smb_name.str));
+ } else {
+ DEBUG(10, ("check_password: checking gusst-account for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
+
+ }
+ }
/* This needs to be sorted: If it doesn't match, what should we do? */
if (!check_domain_match(user_info->smb_name.str, user_info->domain.str)) {
@@ -75,9 +89,9 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info,
if (!NT_STATUS_IS_OK(nt_status)) {
nt_status = check_rhosts_security(user_info, server_info);
if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG(7, ("check_password: Password (rhosts) for user %s suceeded\n", user_info->smb_name.str));
+ DEBUG(3, ("check_password: Password (rhosts) for user [%s] suceeded\n", user_info->smb_name.str));
} else {
- DEBUG(5, ("check_password: Password (rhosts)for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
+ DEBUG(10, ("check_password: Password (rhosts) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
}
}
@@ -85,9 +99,9 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info,
if ((lp_security() == SEC_DOMAIN) && !NT_STATUS_IS_OK(nt_status)) {
nt_status = check_domain_security(user_info, server_info);
if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG(7, ("check_password: Password (domain) for user %s suceeded\n", user_info->smb_name.str));
+ DEBUG(7, ("check_password: Password (domain) for user [%s] suceeded\n", user_info->smb_name.str));
} else {
- DEBUG(5, ("check_password: Password (domain) for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
+ DEBUG(5, ("check_password: Password (domain) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
}
}
@@ -95,9 +109,9 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info,
if ((lp_security() == SEC_SERVER) && !NT_STATUS_IS_OK(nt_status)) {
nt_status = check_server_security(user_info, server_info);
if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG(7, ("check_password: Password (server) for user %s suceeded\n", user_info->smb_name.str));
+ DEBUG(7, ("check_password: Password (server) for user [%s] suceeded\n", user_info->smb_name.str));
} else {
- DEBUG(5, ("check_password: Password (server) for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
+ DEBUG(5, ("check_password: Password (server) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
}
}
@@ -115,32 +129,37 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info,
}
if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG(7, ("check_password: Password (unix/smbpasswd) for user %s suceeded\n", user_info->smb_name.str));
+ DEBUG(7, ("check_password: Password (unix/smbpasswd) for user [%s] suceeded\n", user_info->smb_name.str));
} else {
- DEBUG(5, ("check_password: Password (unix/smbpasswd) for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
+ DEBUG(5, ("check_password: Password (unix/smbpasswd) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
}
}
-
- if (NT_STATUS_IS_OK(nt_status) && !done_pam) {
- /* We might not be root if we are an RPC call */
- become_root();
- nt_status = smb_pam_accountcheck(pdb_get_username((*server_info)->sam_account));
- unbecome_root();
-
- if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG(5, ("check_password: PAM Account for user %s suceeded\n", user_info->smb_name.str));
- } else {
- DEBUG(3, ("check_password: PAM Account for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
+ if (NT_STATUS_IS_OK(nt_status)) {
+ pdb_username = pdb_get_username((*server_info)->sam_account);
+ if (!done_pam && !(*server_info)->guest) {
+ /* We might not be root if we are an RPC call */
+ become_root();
+ nt_status = smb_pam_accountcheck(pdb_username);
+ unbecome_root();
- }
+ if (NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(5, ("check_password: PAM Account for user [%s] suceeded\n", pdb_username));
+ } else {
+ DEBUG(3, ("check_password: PAM Account for user [%s] FAILED with error %s\n", pdb_username, get_nt_error_msg(nt_status)));
+ }
+ }
}
if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG(5, ("check_password: Password for smb user %s suceeded\n", user_info->smb_name.str));
+ DEBUG(3, ("check_password: %sauthenticaion for user [%s] -> [%s] -> [%s] suceeded\n",
+ (*server_info)->guest ? "guest " : "",
+ user_info->smb_name.str,
+ user_info->internal_username.str,
+ pdb_username));
} else {
- DEBUG(3, ("check_password: Password for smb user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
+ DEBUG(3, ("check_password: Authenticaion for user [%s] -> [%s] FAILED with error %s\n", user_info->smb_name.str, user_info->internal_username.str, get_nt_error_msg(nt_status)));
ZERO_STRUCTP(server_info);
}
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 421ab3f1e4..cfdf3a6acc 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -589,6 +589,27 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info,
return ret;
}
+/****************************************************************************
+ Create a guest user_info blob, for anonymous authenticaion.
+****************************************************************************/
+
+BOOL make_user_info_guest(auth_usersupplied_info **user_info)
+{
+ DATA_BLOB sec_blob = data_blob(NULL, 0);
+ DATA_BLOB lm_blob = data_blob(NULL, 0);
+ DATA_BLOB nt_blob = data_blob(NULL, 0);
+ DATA_BLOB plaintext_blob = data_blob(NULL, 0);
+ uint32 ntlmssp_flags = 0;
+
+ return make_user_info(user_info,
+ "","",
+ "","",
+ "", sec_blob,
+ nt_blob, lm_blob,
+ plaintext_blob,
+ ntlmssp_flags, True);
+}
+
BOOL make_server_info(auth_serversupplied_info **server_info)
{
*server_info = malloc(sizeof(**server_info));
@@ -664,13 +685,19 @@ void free_server_info(auth_serversupplied_info **server_info)
Make a server_info struct for a guest user
***************************************************************************/
-void make_server_info_guest(auth_serversupplied_info **server_info)
+BOOL make_server_info_guest(auth_serversupplied_info **server_info)
{
struct passwd *pass = sys_getpwnam(lp_guestaccount(-1));
if (pass) {
- make_server_info_pw(server_info, pass);
+ if (!make_server_info_pw(server_info, pass)) {
+ return False;
+ }
+ (*server_info)->guest = True;
+ return True;
}
+ DEBUG(0,("make_server_info_guest: sys_getpwnam() failed on guest account!\n"));
+ return False;
}
/****************************************************************************
@@ -712,3 +739,25 @@ NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken)
return token;
}
+
+/****************************************************************************
+ Check for a guest logon (username = "") and if so create the required
+ structure.
+****************************************************************************/
+
+NTSTATUS check_guest_security(const auth_usersupplied_info *user_info,
+ auth_serversupplied_info **server_info)
+{
+ NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
+
+ if (!(user_info->internal_username.str
+ && *user_info->internal_username.str)) {
+ if (make_server_info_guest(server_info)) {
+ nt_status = NT_STATUS_OK;
+ } else {
+ nt_status = NT_STATUS_NO_SUCH_USER;
+ }
+ }
+
+ return nt_status;
+}
diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c
index 44faefb645..1aa58f5274 100644
--- a/source3/rpc_server/srv_netlog_nt.c
+++ b/source3/rpc_server/srv_netlog_nt.c
@@ -597,7 +597,7 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON *
free_user_info(&user_info);
- DEBUG(5, ("_net_sam_logon: exiting with status %s\n",
+ DEBUG(5, ("_net_sam_logon: check_password returned status %s\n",
get_nt_error_msg(status)));
/* Check account and password */
@@ -607,6 +607,13 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON *
return status;
}
+ if (server_info->guest) {
+ /* We don't like guest domain logons... */
+ DEBUG(5,("_net_sam_logon: Attempted domain logon as GUEST denied.\n"));
+ free_server_info(&server_info);
+ return NT_STATUS_LOGON_FAILURE;
+ }
+
/* This is the point at which, if the login was successful, that
the SAM Local Security Authority should record that the user is
logged in to the domain. */
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index a718516baa..e3969f7ea8 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -268,7 +268,8 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm
fstring pipe_user_name;
fstring domain;
fstring wks;
- BOOL guest_user = False;
+
+ NTSTATUS nt_status;
auth_usersupplied_info *user_info = NULL;
auth_serversupplied_info *server_info = NULL;
@@ -328,8 +329,7 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm
if((strlen(user_name) == 0) &&
(ntlmssp_resp->hdr_nt_resp.str_str_len==0))
{
- guest_user = True;
-
+
fstrcpy(pipe_user_name, lp_guestaccount(-1));
DEBUG(100,("Null user in NTLMSSP verification. Using guest = %s\n", pipe_user_name));
@@ -352,32 +352,25 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm
}
- if(!guest_user) {
- NTSTATUS nt_status;
-
- if (!make_user_info_netlogon_network(&user_info,
- user_name, domain, wks, (uchar*)p->challenge,
- lm_owf, lm_pw_len,
- nt_owf, nt_pw_len)) {
- DEBUG(0,("make_user_info_netlogon_network failed! Failing authenticaion.\n"));
- return False;
- }
-
- nt_status = check_password(user_info, &server_info);
-
- free_user_info(&user_info);
-
- p->ntlmssp_auth_validated = NT_STATUS_IS_OK(nt_status);
-
- if (!p->ntlmssp_auth_validated) {
- DEBUG(1,("api_pipe_ntlmssp_verify: User %s\\%s from machine %s \
+ if (!make_user_info_netlogon_network(&user_info,
+ user_name, domain, wks, (uchar*)p->challenge,
+ lm_owf, lm_pw_len,
+ nt_owf, nt_pw_len)) {
+ DEBUG(0,("make_user_info_netlogon_network failed! Failing authenticaion.\n"));
+ return False;
+ }
+
+ nt_status = check_password(user_info, &server_info);
+
+ free_user_info(&user_info);
+
+ p->ntlmssp_auth_validated = NT_STATUS_IS_OK(nt_status);
+
+ if (!p->ntlmssp_auth_validated) {
+ DEBUG(1,("api_pipe_ntlmssp_verify: User %s\\%s from machine %s \
failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name ));
- free_server_info(&server_info);
- return False;
- }
- } else {
- /* This includes a NULLed out first_8_lm_hash */
- make_server_info_guest(&server_info);
+ free_server_info(&server_info);
+ return False;
}
/*
@@ -450,7 +443,7 @@ failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name
/* Create an NT_USER_TOKEN struct for this user. */
p->pipe_user.nt_user_token = create_nt_token(p->pipe_user.uid,p->pipe_user.gid,
p->pipe_user.ngroups, p->pipe_user.groups,
- guest_user, server_info->ptok);
+ server_info->guest, server_info->ptok);
p->ntlmssp_auth_validated = True;
diff --git a/source3/smbd/auth.c b/source3/smbd/auth.c
index 4d1a566833..67f80afdda 100644
--- a/source3/smbd/auth.c
+++ b/source3/smbd/auth.c
@@ -63,9 +63,23 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info,
NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
BOOL done_pam = False;
+ const char *pdb_username;
- DEBUG(3, ("check_password: Checking password for unmapped user %s\\%s@%s with the new password interface\n",
- user_info->smb_name.str, user_info->client_domain.str, user_info->wksta_name.str));
+ DEBUG(3, ("check_password: Checking password for unmapped user [%s]\\[%s]@[%s] with the new password interface\n",
+ user_info->client_domain.str, user_info->smb_name.str, user_info->wksta_name.str));
+
+ DEBUG(3, ("check_password: mapped user is: [%s]\\[%s]@[%s]\n",
+ user_info->domain.str, user_info->internal_username.str, user_info->wksta_name.str));
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ nt_status = check_guest_security(user_info, server_info);
+ if (NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(5, ("check_password: checking guest-account for user [%s] suceeded\n", user_info->smb_name.str));
+ } else {
+ DEBUG(10, ("check_password: checking gusst-account for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
+
+ }
+ }
/* This needs to be sorted: If it doesn't match, what should we do? */
if (!check_domain_match(user_info->smb_name.str, user_info->domain.str)) {
@@ -75,9 +89,9 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info,
if (!NT_STATUS_IS_OK(nt_status)) {
nt_status = check_rhosts_security(user_info, server_info);
if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG(7, ("check_password: Password (rhosts) for user %s suceeded\n", user_info->smb_name.str));
+ DEBUG(3, ("check_password: Password (rhosts) for user [%s] suceeded\n", user_info->smb_name.str));
} else {
- DEBUG(5, ("check_password: Password (rhosts)for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
+ DEBUG(10, ("check_password: Password (rhosts) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
}
}
@@ -85,9 +99,9 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info,
if ((lp_security() == SEC_DOMAIN) && !NT_STATUS_IS_OK(nt_status)) {
nt_status = check_domain_security(user_info, server_info);
if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG(7, ("check_password: Password (domain) for user %s suceeded\n", user_info->smb_name.str));
+ DEBUG(7, ("check_password: Password (domain) for user [%s] suceeded\n", user_info->smb_name.str));
} else {
- DEBUG(5, ("check_password: Password (domain) for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
+ DEBUG(5, ("check_password: Password (domain) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
}
}
@@ -95,9 +109,9 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info,
if ((lp_security() == SEC_SERVER) && !NT_STATUS_IS_OK(nt_status)) {
nt_status = check_server_security(user_info, server_info);
if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG(7, ("check_password: Password (server) for user %s suceeded\n", user_info->smb_name.str));
+ DEBUG(7, ("check_password: Password (server) for user [%s] suceeded\n", user_info->smb_name.str));
} else {
- DEBUG(5, ("check_password: Password (server) for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
+ DEBUG(5, ("check_password: Password (server) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
}
}
@@ -115,32 +129,37 @@ NTSTATUS check_password(const auth_usersupplied_info *user_info,
}
if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG(7, ("check_password: Password (unix/smbpasswd) for user %s suceeded\n", user_info->smb_name.str));
+ DEBUG(7, ("check_password: Password (unix/smbpasswd) for user [%s] suceeded\n", user_info->smb_name.str));
} else {
- DEBUG(5, ("check_password: Password (unix/smbpasswd) for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
+ DEBUG(5, ("check_password: Password (unix/smbpasswd) for user [%s] FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
}
}
-
- if (NT_STATUS_IS_OK(nt_status) && !done_pam) {
- /* We might not be root if we are an RPC call */
- become_root();
- nt_status = smb_pam_accountcheck(pdb_get_username((*server_info)->sam_account));
- unbecome_root();
-
- if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG(5, ("check_password: PAM Account for user %s suceeded\n", user_info->smb_name.str));
- } else {
- DEBUG(3, ("check_password: PAM Account for user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
+ if (NT_STATUS_IS_OK(nt_status)) {
+ pdb_username = pdb_get_username((*server_info)->sam_account);
+ if (!done_pam && !(*server_info)->guest) {
+ /* We might not be root if we are an RPC call */
+ become_root();
+ nt_status = smb_pam_accountcheck(pdb_username);
+ unbecome_root();
- }
+ if (NT_STATUS_IS_OK(nt_status)) {
+ DEBUG(5, ("check_password: PAM Account for user [%s] suceeded\n", pdb_username));
+ } else {
+ DEBUG(3, ("check_password: PAM Account for user [%s] FAILED with error %s\n", pdb_username, get_nt_error_msg(nt_status)));
+ }
+ }
}
if (NT_STATUS_IS_OK(nt_status)) {
- DEBUG(5, ("check_password: Password for smb user %s suceeded\n", user_info->smb_name.str));
+ DEBUG(3, ("check_password: %sauthenticaion for user [%s] -> [%s] -> [%s] suceeded\n",
+ (*server_info)->guest ? "guest " : "",
+ user_info->smb_name.str,
+ user_info->internal_username.str,
+ pdb_username));
} else {
- DEBUG(3, ("check_password: Password for smb user %s FAILED with error %s\n", user_info->smb_name.str, get_nt_error_msg(nt_status)));
+ DEBUG(3, ("check_password: Authenticaion for user [%s] -> [%s] FAILED with error %s\n", user_info->smb_name.str, user_info->internal_username.str, get_nt_error_msg(nt_status)));
ZERO_STRUCTP(server_info);
}
diff --git a/source3/smbd/auth_util.c b/source3/smbd/auth_util.c
index 421ab3f1e4..cfdf3a6acc 100644
--- a/source3/smbd/auth_util.c
+++ b/source3/smbd/auth_util.c
@@ -589,6 +589,27 @@ BOOL make_user_info_for_reply(auth_usersupplied_info **user_info,
return ret;
}
+/****************************************************************************
+ Create a guest user_info blob, for anonymous authenticaion.
+****************************************************************************/
+
+BOOL make_user_info_guest(auth_usersupplied_info **user_info)
+{
+ DATA_BLOB sec_blob = data_blob(NULL, 0);
+ DATA_BLOB lm_blob = data_blob(NULL, 0);
+ DATA_BLOB nt_blob = data_blob(NULL, 0);
+ DATA_BLOB plaintext_blob = data_blob(NULL, 0);
+ uint32 ntlmssp_flags = 0;
+
+ return make_user_info(user_info,
+ "","",
+ "","",
+ "", sec_blob,
+ nt_blob, lm_blob,
+ plaintext_blob,
+ ntlmssp_flags, True);
+}
+
BOOL make_server_info(auth_serversupplied_info **server_info)
{
*server_info = malloc(sizeof(**server_info));
@@ -664,13 +685,19 @@ void free_server_info(auth_serversupplied_info **server_info)
Make a server_info struct for a guest user
***************************************************************************/
-void make_server_info_guest(auth_serversupplied_info **server_info)
+BOOL make_server_info_guest(auth_serversupplied_info **server_info)
{
struct passwd *pass = sys_getpwnam(lp_guestaccount(-1));
if (pass) {
- make_server_info_pw(server_info, pass);
+ if (!make_server_info_pw(server_info, pass)) {
+ return False;
+ }
+ (*server_info)->guest = True;
+ return True;
}
+ DEBUG(0,("make_server_info_guest: sys_getpwnam() failed on guest account!\n"));
+ return False;
}
/****************************************************************************
@@ -712,3 +739,25 @@ NT_USER_TOKEN *dup_nt_token(NT_USER_TOKEN *ptoken)
return token;
}
+
+/****************************************************************************
+ Check for a guest logon (username = "") and if so create the required
+ structure.
+****************************************************************************/
+
+NTSTATUS check_guest_security(const auth_usersupplied_info *user_info,
+ auth_serversupplied_info **server_info)
+{
+ NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
+
+ if (!(user_info->internal_username.str
+ && *user_info->internal_username.str)) {
+ if (make_server_info_guest(server_info)) {
+ nt_status = NT_STATUS_OK;
+ } else {
+ nt_status = NT_STATUS_NO_SUCH_USER;
+ }
+ }
+
+ return nt_status;
+}
diff --git a/source3/smbd/password.c b/source3/smbd/password.c
index f0fec9b796..cbd4d14681 100644
--- a/source3/smbd/password.c
+++ b/source3/smbd/password.c
@@ -66,7 +66,7 @@ void invalidate_vuid(uint16 vuid)
if (vuser == NULL)
return;
- session_yield(vuid);
+ session_yield(vuser);
DLIST_REMOVE(validated_users, vuser);
@@ -208,7 +208,7 @@ has been given. vuid is biased by an offset. This allows us to
tell random client vuid's (normally zero) from valid vuids.
****************************************************************************/
-int register_vuid(auth_serversupplied_info *server_info, char *smb_name, BOOL guest)
+int register_vuid(auth_serversupplied_info *server_info, char *smb_name)
{
user_struct *vuser = NULL;
uid_t *puid;
@@ -251,7 +251,7 @@ int register_vuid(auth_serversupplied_info *server_info, char *smb_name, BOOL gu
vuser->vuid = next_vuid;
vuser->uid = *puid;
vuser->gid = *pgid;
- vuser->guest = guest;
+ vuser->guest = server_info->guest;
fstrcpy(vuser->user.unix_name, pdb_get_username(server_info->sam_account));
fstrcpy(vuser->user.smb_name, smb_name);
fstrcpy(vuser->user.domain, pdb_get_domain(server_info->sam_account));
@@ -260,7 +260,7 @@ int register_vuid(auth_serversupplied_info *server_info, char *smb_name, BOOL gu
DEBUG(10,("register_vuid: (%u,%u) %s %s %s guest=%d\n",
(unsigned int)vuser->uid,
(unsigned int)vuser->gid,
- vuser->user.unix_name, vuser->user.smb_name, vuser->user.domain, guest ));
+ vuser->user.unix_name, vuser->user.smb_name, vuser->user.domain, vuser->guest ));
DEBUG(3, ("User name: %s\tReal name: %s\n",vuser->user.unix_name,vuser->user.full_name));
@@ -276,7 +276,7 @@ int register_vuid(auth_serversupplied_info *server_info, char *smb_name, BOOL gu
add_supplementary_nt_login_groups(&vuser->n_groups, &vuser->groups, &server_info->ptok);
/* Create an NT_USER_TOKEN struct for this user. */
- vuser->nt_user_token = create_nt_token(vuser->uid, vuser->gid, vuser->n_groups, vuser->groups, guest, server_info->ptok);
+ vuser->nt_user_token = create_nt_token(vuser->uid, vuser->gid, vuser->n_groups, vuser->groups, vuser->guest, server_info->ptok);
DEBUG(3,("uid %d registered to name %s\n",(int)vuser->uid,vuser->user.unix_name));
@@ -285,7 +285,7 @@ int register_vuid(auth_serversupplied_info *server_info, char *smb_name, BOOL gu
DLIST_ADD(validated_users, vuser);
- if (!session_claim(vuser->vuid)) {
+ if (!session_claim(vuser)) {
DEBUG(1,("Failed to claim session for vuid=%d\n", vuser->vuid));
invalidate_vuid(vuser->vuid);
return -1;
@@ -453,8 +453,8 @@ BOOL authorise_login(int snum,char *user, DATA_BLOB password,
user_struct *vuser = get_valid_user_struct(vuid);
#if DEBUG_PASSWORD
- DEBUG(100,("authorise_login: checking authorisation on user=%s pass=%s\n",
- user,password.data));
+ DEBUG(100,("authorise_login: checking authorisation on user=%s pass=%s vuid=%d\n",
+ user,password.data, vuid));
#endif
*guest = False;
@@ -501,7 +501,7 @@ BOOL authorise_login(int snum,char *user, DATA_BLOB password,
if (user_ok(vuser->user.unix_name,snum) &&
password_ok(vuser->user.unix_name, password)) {
fstrcpy(user, vuser->user.unix_name);
- vuser->guest = False;
+ *guest = False;
DEBUG(3,("authorise_login: ACCEPTED: given password with registered user %s\n", user));
ok = True;
}
diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c
index 9ff74eae05..98898a6551 100644
--- a/source3/smbd/reply.c
+++ b/source3/smbd/reply.c
@@ -35,10 +35,8 @@ extern char magic_char;
extern BOOL case_sensitive;
extern BOOL case_preserve;
extern BOOL short_case_preserve;
-extern userdom_struct current_user_info;
extern pstring global_myname;
extern int global_oplock_break;
-uint32 global_client_caps = 0;
unsigned int smb_echo_count = 0;
extern fstring remote_machine;
diff --git a/source3/smbd/session.c b/source3/smbd/session.c
index 60c2a6e54d..9efc3e6b75 100644
--- a/source3/smbd/session.c
+++ b/source3/smbd/session.c
@@ -32,9 +32,8 @@ extern fstring remote_machine;
static TDB_CONTEXT *tdb;
/* called when a session is created */
-BOOL session_claim(uint16 vuid)
+BOOL session_claim(user_struct *vuser)
{
- user_struct *vuser = get_valid_user_struct(vuid);
int i;
TDB_DATA data;
struct sessionid sessionid;
@@ -47,7 +46,7 @@ BOOL session_claim(uint16 vuid)
/* don't register sessions for the guest user - its just too
expensive to go through pam session code for browsing etc */
- if (strequal(vuser->user.unix_name,lp_guestaccount(-1))) {
+ if (vuser->guest) {
return True;
}
@@ -119,9 +118,8 @@ BOOL session_claim(uint16 vuid)
}
/* called when a session is destroyed */
-void session_yield(uint16 vuid)
+void session_yield(user_struct *vuser)
{
- user_struct *vuser = get_valid_user_struct(vuid);
TDB_DATA dbuf;
struct sessionid sessionid;
TDB_DATA key;
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index c7522b3402..6e6d37c089 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -22,6 +22,8 @@
#include "includes.h"
+uint32 global_client_caps = 0;
+
#if HAVE_KRB5
/****************************************************************************
reply to a session setup spnego negotiate packet for kerberos
@@ -339,7 +341,7 @@ static int reply_spnego_auth(connection_struct *conn, char *inbuf, char *outbuf,
return ERROR_NT(nt_status_squash(nt_status));
}
- sess_vuid = register_vuid(server_info, user, False);
+ sess_vuid = register_vuid(server_info, user);
free_server_info(&server_info);
@@ -370,12 +372,18 @@ static int reply_spnego_anonymous(connection_struct *conn, char *inbuf, char *ou
{
int sess_vuid;
char *p;
+ auth_usersupplied_info *user_info = NULL;
auth_serversupplied_info *server_info = NULL;
+ NTSTATUS nt_status;
+
DEBUG(3,("Got anonymous request\n"));
- make_server_info_guest(&server_info);
- sess_vuid = register_vuid(server_info, lp_guestaccount(-1), True);
+ make_user_info_guest(&user_info);
+
+ nt_status = check_password(user_info, &server_info);
+
+ sess_vuid = register_vuid(server_info, lp_guestaccount(-1));
free_server_info(&server_info);
if (sess_vuid == -1) {
@@ -405,7 +413,6 @@ static int reply_sesssetup_and_X_spnego(connection_struct *conn, char *inbuf,cha
{
uint8 *p;
DATA_BLOB blob1;
- extern uint32 global_client_caps;
int ret;
DEBUG(3,("Doing spnego session setup\n"));
@@ -463,14 +470,13 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
DATA_BLOB nt_resp;
DATA_BLOB plaintext_password;
pstring user;
+ pstring sub_user; /* Sainitised username for substituion */
fstring domain;
fstring native_os;
fstring native_lanman;
- BOOL guest=False;
static BOOL done_sesssetup = False;
extern BOOL global_encrypted_passwords_negotiated;
extern BOOL global_spnego_negotiated;
- extern uint32 global_client_caps;
extern int Protocol;
extern fstring remote_machine;
extern userdom_struct current_user_info;
@@ -479,6 +485,8 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
auth_usersupplied_info *user_info = NULL;
auth_serversupplied_info *server_info = NULL;
+ NTSTATUS nt_status;
+
BOOL doencrypt = global_encrypted_passwords_negotiated;
START_PROFILE(SMBsesssetupX);
@@ -626,18 +634,20 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
DEBUG(3,("sesssetupX:name=[%s]\\[%s]@[%s]\n", domain, user, remote_machine));
- /* If no username is sent use the guest account */
- if (!*user) {
- pstrcpy(user,lp_guestaccount(-1));
- guest = True;
- } else {
+ if (*user) {
if (global_spnego_negotiated) {
DEBUG(0,("reply_sesssetup_and_X: Rejecting attempt at 'normal' session setup after negotiating spnego.\n"));
return ERROR_NT(NT_STATUS_UNSUCCESSFUL);
}
}
- pstrcpy(current_user_info.smb_name,user);
+ if (*user) {
+ pstrcpy(sub_user, user);
+ } else {
+ pstrcpy(sub_user, lp_guestaccount(-1));
+ }
+
+ pstrcpy(current_user_info.smb_name,sub_user);
reload_services(True);
@@ -648,9 +658,10 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
data_blob_free(&nt_resp);
data_blob_clear_free(&plaintext_password);
- guest = True;
- map_username(user);
- add_session_user(user);
+ map_username(sub_user);
+ add_session_user(sub_user);
+ /* Then force it to null for the benfit of the code below */
+ *user = 0;
}
if (done_sesssetup && lp_restrict_anonymous()) {
@@ -673,50 +684,45 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
return ERROR_DOS(ERRDOS,ERRnoaccess);
}
}
+
+ if (!make_user_info_for_reply(&user_info,
+ user, domain,
+ lm_resp, nt_resp,
+ plaintext_password, doencrypt)) {
+ return ERROR_NT(NT_STATUS_NO_MEMORY);
+ }
- if (!guest) {
- NTSTATUS nt_status;
- if (!make_user_info_for_reply(&user_info,
- user, domain,
- lm_resp, nt_resp,
- plaintext_password, doencrypt)) {
- return ERROR_NT(NT_STATUS_NO_MEMORY);
- }
-
- nt_status = check_password(user_info, &server_info);
-
- free_user_info(&user_info);
-
- data_blob_free(&lm_resp);
- data_blob_free(&nt_resp);
- data_blob_clear_free(&plaintext_password);
-
- if (!NT_STATUS_IS_OK(nt_status)) {
- if NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) {
- if ((lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER) ||
- (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD)) {
- DEBUG(3,("No such user %s [%s] - using guest account\n",user, domain));
- pstrcpy(user,lp_guestaccount(-1));
- guest = True;
-
- }
- } else if NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD) {
- if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD) {
- pstrcpy(user,lp_guestaccount(-1));
- DEBUG(3,("Registered username %s for guest access\n",user));
- guest = True;
- }
- /* Match WinXP and don't give the game away */
- return ERROR_NT(NT_STATUS_LOGON_FAILURE);
+ nt_status = check_password(user_info, &server_info);
+
+ free_user_info(&user_info);
+
+ data_blob_free(&lm_resp);
+ data_blob_free(&nt_resp);
+ data_blob_clear_free(&plaintext_password);
+
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ if NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER) {
+ if ((lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER) ||
+ (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD)) {
+
+ DEBUG(3,("No such user %s [%s] - using guest account\n",user, domain));
+ make_server_info_guest(&server_info);
+ nt_status = NT_STATUS_OK;
+ }
+
+ } else if NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD) {
+ if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD) {
+ DEBUG(3,("Registered username %s for guest access\n",user));
+ make_server_info_guest(&server_info);
+ nt_status = NT_STATUS_OK;
}
-
- if (!guest) {
- free_server_info(&server_info);
- return ERROR_NT(nt_status_squash(nt_status));
- }
}
}
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return ERROR_NT(nt_status_squash(nt_status));
+ }
+
/* it's ok - setup a reply */
if (Protocol < PROTOCOL_NT1) {
set_message(outbuf,3,0,True);
@@ -731,10 +737,8 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
/* perhaps grab OS version here?? */
}
- if (guest) {
+ if (server_info->guest) {
SSVAL(outbuf,smb_vwv2,1);
- free_server_info(&server_info);
- make_server_info_guest(&server_info);
} else {
const char *home_dir = pdb_get_homedir(server_info->sam_account);
const char *username = pdb_get_username(server_info->sam_account);
@@ -747,7 +751,7 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,
/* register the name and uid as being validated, so further connections
to a uid can get through without a password, on the same VC */
- sess_vuid = register_vuid(server_info, user, guest);
+ sess_vuid = register_vuid(server_info, sub_user);
free_server_info(&server_info);