From 55dfb66079333acd8e0aee91c0ee90d0a413a8e6 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 8 Nov 2001 22:19:01 +0000 Subject: Change to guest logon code. This changes the way we process guest logons - we now treat them as normal logons, but set the 'guest' flag. In particular this is needed becouse Win2k will do an NTLMSSP login with username "", therefore missing our previous guest connection code - this is getting a pain to do as a special case all over the shop. Tridge: We don't seem to be setting a guest bit for NTLMSSP, in either the anonymous or authenticated case, can you take a look at this? Also some cleanups in the check_password() code that should make some of the debugs clearer. Various other minor cleanups: - change the session code to just take a vuser, rather than having to do a vuid lookup on vuser.vuid - Change some of the global_client_caps linking - Better debug in authorise_login(): show the vuid. Andrew Bartlett (This used to be commit 62f4e4bd0aef9ade653b3f8d575d2864c166ab4d) --- source3/rpc_server/srv_netlog_nt.c | 9 ++++++- source3/rpc_server/srv_pipe.c | 51 ++++++++++++++++---------------------- 2 files changed, 30 insertions(+), 30 deletions(-) (limited to 'source3/rpc_server') diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c index 44faefb645..1aa58f5274 100644 --- a/source3/rpc_server/srv_netlog_nt.c +++ b/source3/rpc_server/srv_netlog_nt.c @@ -597,7 +597,7 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON * free_user_info(&user_info); - DEBUG(5, ("_net_sam_logon: exiting with status %s\n", + DEBUG(5, ("_net_sam_logon: check_password returned status %s\n", get_nt_error_msg(status))); /* Check account and password */ @@ -607,6 +607,13 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON * return status; } + if (server_info->guest) { + /* We don't like guest domain logons... */ + DEBUG(5,("_net_sam_logon: Attempted domain logon as GUEST denied.\n")); + free_server_info(&server_info); + return NT_STATUS_LOGON_FAILURE; + } + /* This is the point at which, if the login was successful, that the SAM Local Security Authority should record that the user is logged in to the domain. */ diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index a718516baa..e3969f7ea8 100644 --- a/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c @@ -268,7 +268,8 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm fstring pipe_user_name; fstring domain; fstring wks; - BOOL guest_user = False; + + NTSTATUS nt_status; auth_usersupplied_info *user_info = NULL; auth_serversupplied_info *server_info = NULL; @@ -328,8 +329,7 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm if((strlen(user_name) == 0) && (ntlmssp_resp->hdr_nt_resp.str_str_len==0)) { - guest_user = True; - + fstrcpy(pipe_user_name, lp_guestaccount(-1)); DEBUG(100,("Null user in NTLMSSP verification. Using guest = %s\n", pipe_user_name)); @@ -352,32 +352,25 @@ static BOOL api_pipe_ntlmssp_verify(pipes_struct *p, RPC_AUTH_NTLMSSP_RESP *ntlm } - if(!guest_user) { - NTSTATUS nt_status; - - if (!make_user_info_netlogon_network(&user_info, - user_name, domain, wks, (uchar*)p->challenge, - lm_owf, lm_pw_len, - nt_owf, nt_pw_len)) { - DEBUG(0,("make_user_info_netlogon_network failed! Failing authenticaion.\n")); - return False; - } - - nt_status = check_password(user_info, &server_info); - - free_user_info(&user_info); - - p->ntlmssp_auth_validated = NT_STATUS_IS_OK(nt_status); - - if (!p->ntlmssp_auth_validated) { - DEBUG(1,("api_pipe_ntlmssp_verify: User %s\\%s from machine %s \ + if (!make_user_info_netlogon_network(&user_info, + user_name, domain, wks, (uchar*)p->challenge, + lm_owf, lm_pw_len, + nt_owf, nt_pw_len)) { + DEBUG(0,("make_user_info_netlogon_network failed! Failing authenticaion.\n")); + return False; + } + + nt_status = check_password(user_info, &server_info); + + free_user_info(&user_info); + + p->ntlmssp_auth_validated = NT_STATUS_IS_OK(nt_status); + + if (!p->ntlmssp_auth_validated) { + DEBUG(1,("api_pipe_ntlmssp_verify: User %s\\%s from machine %s \ failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name )); - free_server_info(&server_info); - return False; - } - } else { - /* This includes a NULLed out first_8_lm_hash */ - make_server_info_guest(&server_info); + free_server_info(&server_info); + return False; } /* @@ -450,7 +443,7 @@ failed authentication on named pipe %s.\n", domain, pipe_user_name, wks, p->name /* Create an NT_USER_TOKEN struct for this user. */ p->pipe_user.nt_user_token = create_nt_token(p->pipe_user.uid,p->pipe_user.gid, p->pipe_user.ngroups, p->pipe_user.groups, - guest_user, server_info->ptok); + server_info->guest, server_info->ptok); p->ntlmssp_auth_validated = True; -- cgit