static NTSTATUS auth_anonymous_session_info(TALLOC_CTX *mem_ctx,
struct auth_session_info **session_info)
{
NTSTATUS status;
status = make_session_info_guest(mem_ctx, session_info);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
return NT_STATUS_OK;
}
static NTSTATUS create_connection_session_info(struct smbd_server_connection *sconn,
TALLOC_CTX *mem_ctx, int snum,
struct auth_session_info *session_info,
struct auth_session_info **presult)
{
struct auth_session_info *result;
if (lp_guest_only(snum)) {
return make_session_info_guest(mem_ctx, presult);
}
/*
* This is the normal security != share case where we have a
* valid vuid from the session setup. */
if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
if (!lp_guest_ok(snum)) {
DEBUG(2, ("guest user (from session setup) "
"not permitted to access this share "
"(%s)\n", lp_servicename(talloc_tos(), snum)));
return NT_STATUS_ACCESS_DENIED;
}
} else {
if (!user_ok_token(session_info->unix_info->unix_name,
session_info->info->domain_name,
session_info->security_token, snum)) {
DEBUG(2, ("user '%s' (from session setup) not "
"permitted to access this share "
"(%s)\n",
session_info->unix_info->unix_name,
lp_servicename(talloc_tos(), snum)));
return NT_STATUS_ACCESS_DENIED;
}
}
result = copy_session_info(mem_ctx, session_info);
if (result == NULL) {
return NT_STATUS_NO_MEMORY;
}
*presult = result;
return NT_STATUS_OK;
}
NTSTATUS auth3_generate_session_info(struct auth4_context *auth_context,
TALLOC_CTX *mem_ctx,
void *server_returned_info,
const char *original_user_name,
uint32_t session_info_flags,
struct auth_session_info **session_info)
{
struct auth_user_info_dc *user_info = NULL;
struct auth_serversupplied_info *server_info = NULL;
NTSTATUS nt_status;
/*
* This is a hack, some callers...
*
* Some callers pass auth_user_info_dc, the SCHANNEL and
* NCALRPC_AS_SYSTEM gensec modules.
*
* While the reset passes auth3_check_password() returned.
*/
user_info = talloc_get_type(server_returned_info,
struct auth_user_info_dc);
if (user_info != NULL) {
const struct dom_sid *sid;
int cmp;
/*
* This should only be called from SCHANNEL or NCALRPC_AS_SYSTEM
*/
if (user_info->num_sids != 1) {
return NT_STATUS_INTERNAL_ERROR;
}
sid = &user_info->sids[PRIMARY_USER_SID_INDEX];
cmp = dom_sid_compare(sid, &global_sid_System);
if (cmp == 0) {
return make_session_info_system(mem_ctx, session_info);
}
cmp = dom_sid_compare(sid, &global_sid_Anonymous);
if (cmp == 0) {
/*
* TODO: use auth_anonymous_session_info() here?
*/
return make_session_info_guest(mem_ctx, session_info);
}
return NT_STATUS_INTERNAL_ERROR;
}
server_info = talloc_get_type_abort(server_returned_info,
struct auth_serversupplied_info);
nt_status = create_local_token(mem_ctx,
server_info,
NULL,
original_user_name,
session_info);
if (!NT_STATUS_IS_OK(nt_status)) {
DEBUG(10, ("create_local_token failed: %s\n",
nt_errstr(nt_status)));
return nt_status;
}
return NT_STATUS_OK;
}
static NTSTATUS create_connection_session_info(struct smbd_server_connection *sconn,
TALLOC_CTX *mem_ctx, int snum,
struct auth_session_info *vuid_serverinfo,
DATA_BLOB password,
struct auth_session_info **presult)
{
if (lp_guest_only(snum)) {
return make_session_info_guest(mem_ctx, presult);
}
if (vuid_serverinfo != NULL) {
struct auth_session_info *result;
/*
* This is the normal security != share case where we have a
* valid vuid from the session setup. */
if (security_session_user_level(vuid_serverinfo, NULL) < SECURITY_USER) {
if (!lp_guest_ok(snum)) {
DEBUG(2, ("guest user (from session setup) "
"not permitted to access this share "
"(%s)\n", lp_servicename(snum)));
return NT_STATUS_ACCESS_DENIED;
}
} else {
if (!user_ok_token(vuid_serverinfo->unix_info->unix_name,
vuid_serverinfo->info->domain_name,
vuid_serverinfo->security_token, snum)) {
DEBUG(2, ("user '%s' (from session setup) not "
"permitted to access this share "
"(%s)\n",
vuid_serverinfo->unix_info->unix_name,
lp_servicename(snum)));
return NT_STATUS_ACCESS_DENIED;
}
}
result = copy_session_info(mem_ctx, vuid_serverinfo);
if (result == NULL) {
return NT_STATUS_NO_MEMORY;
}
*presult = result;
return NT_STATUS_OK;
}
if (lp_security() == SEC_SHARE) {
fstring user;
bool guest;
/* add the sharename as a possible user name if we
are in share mode security */
add_session_user(sconn, lp_servicename(snum));
/* shall we let them in? */
if (!authorise_login(sconn, snum,user,password,&guest)) {
DEBUG( 2, ( "Invalid username/password for [%s]\n",
lp_servicename(snum)) );
return NT_STATUS_WRONG_PASSWORD;
}
return make_session_info_from_username(mem_ctx, user, guest,
presult);
}
DEBUG(0, ("invalid VUID (vuser) but not in security=share\n"));
return NT_STATUS_ACCESS_DENIED;
}
