NTSTATUS set_conn_force_user_group(connection_struct *conn, int snum) { NTSTATUS status; if (*lp_force_user(talloc_tos(), snum)) { /* * Replace conn->session_info with a completely faked up one * from the username we are forced into :-) */ char *fuser; char *sanitized_username; struct auth_session_info *forced_serverinfo; bool guest; fuser = talloc_string_sub(conn, lp_force_user(talloc_tos(), snum), "%S", lp_const_servicename(snum)); if (fuser == NULL) { return NT_STATUS_NO_MEMORY; } guest = security_session_user_level(conn->session_info, NULL) < SECURITY_USER; status = make_session_info_from_username( conn, fuser, guest, &forced_serverinfo); if (!NT_STATUS_IS_OK(status)) { return status; } /* We don't want to replace the original sanitized_username as it is the original user given in the connect attempt. This is used in '%U' substitutions. */ sanitized_username = discard_const_p(char, forced_serverinfo->unix_info->sanitized_username); TALLOC_FREE(sanitized_username); forced_serverinfo->unix_info->sanitized_username = talloc_move(forced_serverinfo->unix_info, &conn->session_info->unix_info->sanitized_username); TALLOC_FREE(conn->session_info); conn->session_info = forced_serverinfo; conn->force_user = true; DEBUG(3,("Forced user %s\n", fuser)); } /* * If force group is true, then override * any groupid stored for the connecting user. */ if (*lp_force_group(talloc_tos(), snum)) { status = find_forced_group( conn->force_user, snum, conn->session_info->unix_info->unix_name, &conn->session_info->security_token->sids[1], &conn->session_info->unix_token->gid); if (!NT_STATUS_IS_OK(status)) { return status; } /* * We need to cache this gid, to use within * change_to_user() separately from the conn->session_info * struct. We only use conn->session_info directly if * "force_user" was set. */ conn->force_group_gid = conn->session_info->unix_token->gid; } return NT_STATUS_OK; }
static NTSTATUS create_connection_session_info(struct smbd_server_connection *sconn, TALLOC_CTX *mem_ctx, int snum, struct auth_session_info *vuid_serverinfo, DATA_BLOB password, struct auth_session_info **presult) { if (lp_guest_only(snum)) { return make_session_info_guest(mem_ctx, presult); } if (vuid_serverinfo != NULL) { struct auth_session_info *result; /* * This is the normal security != share case where we have a * valid vuid from the session setup. */ if (security_session_user_level(vuid_serverinfo, NULL) < SECURITY_USER) { if (!lp_guest_ok(snum)) { DEBUG(2, ("guest user (from session setup) " "not permitted to access this share " "(%s)\n", lp_servicename(snum))); return NT_STATUS_ACCESS_DENIED; } } else { if (!user_ok_token(vuid_serverinfo->unix_info->unix_name, vuid_serverinfo->info->domain_name, vuid_serverinfo->security_token, snum)) { DEBUG(2, ("user '%s' (from session setup) not " "permitted to access this share " "(%s)\n", vuid_serverinfo->unix_info->unix_name, lp_servicename(snum))); return NT_STATUS_ACCESS_DENIED; } } result = copy_session_info(mem_ctx, vuid_serverinfo); if (result == NULL) { return NT_STATUS_NO_MEMORY; } *presult = result; return NT_STATUS_OK; } if (lp_security() == SEC_SHARE) { fstring user; bool guest; /* add the sharename as a possible user name if we are in share mode security */ add_session_user(sconn, lp_servicename(snum)); /* shall we let them in? */ if (!authorise_login(sconn, snum,user,password,&guest)) { DEBUG( 2, ( "Invalid username/password for [%s]\n", lp_servicename(snum)) ); return NT_STATUS_WRONG_PASSWORD; } return make_session_info_from_username(mem_ctx, user, guest, presult); } DEBUG(0, ("invalid VUID (vuser) but not in security=share\n")); return NT_STATUS_ACCESS_DENIED; }