10 files changed, 31 insertions, 21 deletions

diff --git a/source3/Makefile.in b/source3/Makefile.in
index 0a72cf579a..51b0a7cb67 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -466,7 +466,7 @@ LIB_OBJ = $(LIBSAMBAUTIL_OBJ) $(UTIL_OBJ) $(CRYPTO_OBJ) $(LIBTSOCKET_OBJ) \
 	  lib/ldap_escape.o @CHARSET_STATIC@ \
 	  ../libcli/security/secdesc.o ../libcli/security/access_check.o \
 	  ../libcli/security/secace.o ../libcli/security/object_tree.o \
-	  ../libcli/security/sddl.o \
+	  ../libcli/security/sddl.o ../libcli/security/session.o \
 	  ../libcli/security/secacl.o @PTHREADPOOL_OBJ@ \
 	  lib/fncall.o \
 	  libads/krb5_errs.o lib/system_smbd.o lib/audit.o $(LIBNDR_OBJ) \
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index d5ca1a206b..b0deb2c8ab 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -504,7 +504,6 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	session_info->unix_info->guest = server_info->guest;
 	session_info->unix_info->system = server_info->system;
 
 	if (session_key) {
@@ -993,8 +992,8 @@ static struct auth_serversupplied_info *copy_session_info_serverinfo_guest(TALLO
 	/* This element must be provided to convert back to an auth_serversupplied_info */
 	SMB_ASSERT(src->unix_info);
 
-	dst->guest = src->unix_info->guest;
-	dst->system = src->unix_info->system;
+	dst->guest = true;
+	dst->system = false;
 
 	/* This element must be provided to convert back to an
 	 * auth_serversupplied_info.  This needs to be from hte
diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c
index 8aea353679..5877c7b295 100644
--- a/source3/rpc_server/lsa/srv_lsa_nt.c
+++ b/source3/rpc_server/lsa/srv_lsa_nt.c
@@ -2400,7 +2400,7 @@ NTSTATUS _lsa_GetUserName(struct pipes_struct *p,
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
-	if (p->session_info->unix_info->guest) {
+	if (security_session_user_level(p->session_info, NULL) < SECURITY_USER) {
 		/*
 		 * I'm 99% sure this is not the right place to do this,
 		 * global_sid_Anonymous should probably be put into the token
diff --git a/source3/rpc_server/rpc_handles.c b/source3/rpc_server/rpc_handles.c
index f3a97b37a2..3500a228d5 100644
--- a/source3/rpc_server/rpc_handles.c
+++ b/source3/rpc_server/rpc_handles.c
@@ -25,6 +25,7 @@
 #include "auth.h"
 #include "ntdomain.h"
 #include "rpc_server/rpc_ncacn_np.h"
+#include "../libcli/security/security.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_RPC_SRV
@@ -346,7 +347,7 @@ bool pipe_access_check(struct pipes_struct *p)
 			return True;
 		}
 
-		if (p->session_info->unix_info->guest) {
+		if (security_session_user_level(p->session_info, NULL) < SECURITY_USER) {
 			return False;
 		}
 	}
diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c
index 4f905cf9b1..292ebf4385 100644
--- a/source3/smbd/lanman.c
+++ b/source3/smbd/lanman.c
@@ -5857,7 +5857,7 @@ void api_reply(connection_struct *conn, uint16 vuid,
 	if (api_commands[i].auth_user && lp_restrict_anonymous()) {
 		user_struct *user = get_valid_user_struct(req->sconn, vuid);
 
-		if (!user || user->session_info->unix_info->guest) {
+		if (!user || security_session_user_level(user->session_info, NULL) < SECURITY_USER) {
 			reply_nterror(req, NT_STATUS_ACCESS_DENIED);
 			return;
 		}
diff --git a/source3/smbd/password.c b/source3/smbd/password.c
index d529dc1a63..e23818f2d1 100644
--- a/source3/smbd/password.c
+++ b/source3/smbd/password.c
@@ -24,6 +24,7 @@
 #include "smbd/globals.h"
 #include "../librpc/gen_ndr/netlogon.h"
 #include "auth.h"
+#include "../libcli/security/security.h"
 
 /* Fix up prototypes for OSX 10.4, where they're missing */
 #ifndef HAVE_SETNETGRENT_PROTOTYPE
@@ -269,6 +270,7 @@ int register_existing_vuid(struct smbd_server_connection *sconn,
 {
 	fstring tmp;
 	user_struct *vuser;
+	bool guest = security_session_user_level(session_info, NULL) < SECURITY_USER;
 
 	vuser = get_partial_auth_user_struct(sconn, vuid);
 	if (!vuser) {
@@ -294,7 +296,7 @@ int register_existing_vuid(struct smbd_server_connection *sconn,
 		  vuser->session_info->unix_info->unix_name,
 		  vuser->session_info->unix_info->sanitized_username,
 		  vuser->session_info->info->domain_name,
-		  vuser->session_info->unix_info->guest ));
+		  guest));
 
 	DEBUG(3, ("register_existing_vuid: User name: %s\t"
 		  "Real name: %s\n", vuser->session_info->unix_info->unix_name,
@@ -328,13 +330,14 @@ int register_existing_vuid(struct smbd_server_connection *sconn,
 
 	vuser->homes_snum = -1;
 
-	if (!vuser->session_info->unix_info->guest) {
+
+	if (!guest) {
 		vuser->homes_snum = register_homes_share(
 			vuser->session_info->unix_info->unix_name);
 	}
 
 	if (srv_is_signing_negotiated(sconn) &&
-	    !vuser->session_info->unix_info->guest) {
+	    !guest) {
 		/* Try and turn on server signing on the first non-guest
 		 * sessionsetup. */
 		srv_set_signing(sconn,
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index 71681aeca2..f1d2ca040d 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -394,8 +394,8 @@ static NTSTATUS create_connection_session_info(struct smbd_server_connection *sc
                  * This is the normal security != share case where we have a
                  * valid vuid from the session setup.                 */
 
-                if (vuid_serverinfo->unix_info->guest) {
-                        if (!lp_guest_ok(snum)) {
+		if (security_session_user_level(vuid_serverinfo, NULL) < SECURITY_USER) {
+                      if (!lp_guest_ok(snum)) {
                                 DEBUG(2, ("guest user (from session setup) "
                                           "not permitted to access this share "
                                           "(%s)\n", lp_servicename(snum)));
@@ -467,6 +467,7 @@ NTSTATUS set_conn_force_user_group(connection_struct *conn, int snum)
 
 		char *fuser;
 		struct auth_session_info *forced_serverinfo;
+		bool guest;
 
 		fuser = talloc_string_sub(conn, lp_force_user(snum), "%S",
 					  lp_const_servicename(snum));
@@ -474,8 +475,11 @@ NTSTATUS set_conn_force_user_group(connection_struct *conn, int snum)
 			return NT_STATUS_NO_MEMORY;
 		}
 
+		guest = security_session_user_level(conn->session_info, NULL) < SECURITY_USER;
+
 		status = make_session_info_from_username(
-			conn, fuser, conn->session_info->unix_info->guest,
+			conn, fuser,
+			guest,
 			&forced_serverinfo);
 		if (!NT_STATUS_IS_OK(status)) {
 			return status;
diff --git a/source3/smbd/session.c b/source3/smbd/session.c
index 9b8d11cc65..10f7defb81 100644
--- a/source3/smbd/session.c
+++ b/source3/smbd/session.c
@@ -33,6 +33,7 @@
 #include "session.h"
 #include "auth.h"
 #include "../lib/tsocket/tsocket.h"
+#include "../libcli/security/security.h"
 
 /********************************************************************
  called when a session is created
@@ -53,7 +54,7 @@ bool session_claim(struct smbd_server_connection *sconn, user_struct *vuser)
 
 	/* don't register sessions for the guest user - its just too
 	   expensive to go through pam session code for browsing etc */
-	if (vuser->session_info->unix_info->guest) {
+	if (security_session_user_level(vuser->session_info, NULL) < SECURITY_USER) {
 		return True;
 	}
 
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index b6a3243b85..2df8b435e5 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -35,6 +35,7 @@
 #include "auth.h"
 #include "messages.h"
 #include "smbprofile.h"
+#include "../libcli/security/security.h"
 
 /* For split krb5 SPNEGO blobs. */
 struct pending_auth_data {
@@ -441,7 +442,7 @@ static void reply_spnego_kerberos(struct smb_request *req,
 
 		SSVAL(req->outbuf, smb_vwv3, 0);
 
-		if (session_info->unix_info->guest) {
+		if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
 			SSVAL(req->outbuf,smb_vwv2,1);
 		}
 
@@ -535,7 +536,7 @@ static void reply_spnego_ntlmssp(struct smb_request *req,
 
 		SSVAL(req->outbuf, smb_vwv3, 0);
 
-		if (session_info->unix_info->guest) {
+		if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
 			SSVAL(req->outbuf,smb_vwv2,1);
 		}
 	}
@@ -1702,7 +1703,7 @@ void reply_sesssetup_and_X(struct smb_request *req)
 		/* perhaps grab OS version here?? */
 	}
 
-	if (session_info->unix_info->guest) {
+	if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
 		SSVAL(req->outbuf,smb_vwv2,1);
 	}
 
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 9475ffb363..7a83953256 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -31,6 +31,7 @@
 #include "../lib/util/asn1.h"
 #include "auth.h"
 #include "../lib/tsocket/tsocket.h"
+#include "../libcli/security/security.h"
 
 static NTSTATUS smbd_smb2_session_setup(struct smbd_smb2_request *smb2req,
 					uint64_t in_session_id,
@@ -253,7 +254,7 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
 		session->do_signing = true;
 	}
 
-	if (session->session_info->unix_info->guest) {
+	if (security_session_user_level(session->session_info, NULL) < SECURITY_USER) {
 		/* we map anonymous to guest internally */
 		*out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
 		*out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
@@ -280,7 +281,7 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
 	session->session_info->unix_info->sanitized_username =
 				talloc_strdup(session->session_info, tmp);
 
-	if (!session->session_info->unix_info->guest) {
+	if (security_session_user_level(session->session_info, NULL) >= SECURITY_USER) {
 		session->compat_vuser->homes_snum =
 			register_homes_share(session->session_info->unix_info->unix_name);
 	}
@@ -460,7 +461,7 @@ static NTSTATUS smbd_smb2_common_ntlmssp_auth_return(struct smbd_smb2_session *s
 		session->do_signing = true;
 	}
 
-	if (session->session_info->unix_info->guest) {
+	if (security_session_user_level(session->session_info, NULL) < SECURITY_USER) {
 		/* we map anonymous to guest internally */
 		*out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
 		*out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
@@ -491,7 +492,7 @@ static NTSTATUS smbd_smb2_common_ntlmssp_auth_return(struct smbd_smb2_session *s
 	session->session_info->unix_info->sanitized_username = talloc_strdup(
 		session->session_info, tmp);
 
-	if (!session->compat_vuser->session_info->unix_info->guest) {
+	if (security_session_user_level(session->session_info, NULL) >= SECURITY_USER) {
 		session->compat_vuser->homes_snum =
 			register_homes_share(session->session_info->unix_info->unix_name);
 	}