/*
 * Decide whether "name", one entry from an smb.conf user/group list, is
 * covered by the caller's NT token.
 *
 * Before any lookup the entry is expanded: through talloc_sub_basic() with
 * the username and domain when a username is known, and "%S" is replaced
 * with the sharename when one is known.  A failed expansion is fatal on
 * purpose: the expanded string feeds straight into an access decision, so
 * a NULL here must not be turned into a silent "no match" (or a match).
 *
 * Matching order:
 *   1. a literal SID string is checked directly against the token;
 *   2. otherwise do_group_checks() strips the leading markers from the
 *      entry and hands back a flag string made of '+' (look the rest up
 *      as an NT group via lookup_name_smbconf) and '&' (check netgroup
 *      membership of the username via user_in_netgroup);
 *   3. with no markers the entry must resolve to a SID_NAME_USER.
 *
 * Any flag character other than '+' or '&' is an internal error and
 * panics.  Returns True on the first positive match, False when nothing
 * matched or a lookup failed (failed lookups are logged at level 5).
 */
static bool token_contains_name(TALLOC_CTX *mem_ctx,
				const char *username,
				const char *domain,
				const char *sharename,
				const struct nt_user_token *token,
				const char *name)
{
	struct smbd_server_connection *sconn = smbd_server_conn;
	const char *flags = NULL;
	DOM_SID sid;
	enum lsa_SidType sid_type;

	if (username != NULL) {
		name = talloc_sub_basic(mem_ctx, username, domain, name);
	}
	if (sharename != NULL) {
		name = talloc_string_sub(mem_ctx, name, "%S", sharename);
	}
	if (name == NULL) {
		/* Deliberately fatal: an unexpanded entry must never be
		 * reinterpreted as either "no access" or "access". */
		smb_panic("substitutions failed");
	}

	/* A literal SID needs no name resolution at all. */
	if (string_to_sid(&sid, name)) {
		DEBUG(5,("token_contains_name: Checking for SID [%s] in token\n",
			 name));
		return nt_token_check_sid(&sid, token);
	}

	if (!do_group_checks(&name, &flags)) {
		/* Plain entry: it has to name a user. */
		if (!lookup_name_smbconf(mem_ctx, name, LOOKUP_NAME_ALL,
					 NULL, NULL, &sid, &sid_type)) {
			DEBUG(5, ("lookup_name %s failed\n", name));
			return False;
		}
		if (sid_type != SID_NAME_USER) {
			DEBUG(5, ("%s is a %s, expected a user\n", name,
				  sid_type_lookup(sid_type)));
			return False;
		}
		return nt_token_check_sid(&sid, token);
	}

	/* One pass per marker; a '+' is resolved afresh each time it occurs. */
	while (*flags != '\0') {
		char marker = *flags++;

		switch (marker) {
		case '+':
			if (!lookup_name_smbconf(mem_ctx, name,
						 LOOKUP_NAME_ALL|LOOKUP_NAME_GROUP,
						 NULL, NULL, &sid, &sid_type)) {
				DEBUG(5, ("lookup_name %s failed\n", name));
				return False;
			}
			if ((sid_type != SID_NAME_DOM_GRP) &&
			    (sid_type != SID_NAME_ALIAS) &&
			    (sid_type != SID_NAME_WKN_GRP)) {
				DEBUG(5, ("%s is a %s, expected a group\n", name,
					  sid_type_lookup(sid_type)));
				return False;
			}
			if (nt_token_check_sid(&sid, token)) {
				return True;
			}
			break;
		case '&':
			/* Netgroup membership only makes sense with a user. */
			if (username && user_in_netgroup(sconn, username, name)) {
				return True;
			}
			break;
		default:
			smb_panic("got invalid prefix from do_groups_check");
		}
	}

	return False;
}
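/*
 * Open the connection to the password server used by "security = server".
 *
 * The "password server" smb.conf value is split at LIST_SEP; each entry is
 * expanded with talloc_sub_basic() using current_user_info.smb_name and
 * current_user_info.domain, upper-cased and resolved.  Entries that name
 * this host (by name or by resolved address) are skipped so the server
 * never tries to authenticate against itself.
 * NOTE(review): because the expansion is driven by the current session's
 * user and domain, a %U/%D-style substitution in the option value would be
 * filled from client-supplied names — confirm against talloc_sub_basic().
 *
 * The first host that accepts the NetBIOS connection wins.  It must then
 * complete a negprot at PROTOCOL_LANMAN2 or better advertising
 * NEGOTIATE_SECURITY_USER_LEVEL, and accept an anonymous session setup
 * (empty user/password/domain).  SPNEGO is switched off on the link.
 *
 * A named mutex keyed on the host name serialises concurrent connection
 * attempts to the same server (see the comment in the loop); it is held
 * from grab_named_mutex() until this function returns.
 *
 * @param mem_ctx  talloc context for the transient strings.
 * @return the connected cli_state (caller owns it and releases it with
 *         cli_shutdown()), or NULL when no server could be used, a
 *         post-connect step was rejected, or an allocation failed.
 */
static struct cli_state *server_cryptkey(TALLOC_CTX *mem_ctx)
{
	struct cli_state *cli = NULL;
	char *desthost = NULL;
	struct sockaddr_storage dest_ss;
	const char *p;
	char *pserver = NULL;
	bool connected_ok = False;
	struct named_mutex *mutex = NULL;
	NTSTATUS status;

	pserver = talloc_strdup(mem_ctx, lp_passwordserver());
	if (pserver == NULL) {
		/* Allocation failure used to go unchecked here. */
		DEBUG(0,("server_cryptkey: out of memory copying password server list\n"));
		return NULL;
	}
	p = pserver;

	while (next_token_talloc(mem_ctx, &p, &desthost, LIST_SEP)) {
		desthost = talloc_sub_basic(mem_ctx,
					    current_user_info.smb_name,
					    current_user_info.domain,
					    desthost);
		if (!desthost) {
			return NULL;
		}
		strupper_m(desthost);

		/* Loop protection: never use ourselves as password server. */
		if (strequal(desthost, myhostname())) {
			DEBUG(1,("Password server loop - disabling "
				 "password server %s\n", desthost));
			continue;
		}

		if (!resolve_name(desthost, &dest_ss, 0x20, false)) {
			DEBUG(1,("server_cryptkey: Can't resolve address for %s\n",
				 desthost));
			continue;
		}

		/* Same check again on the resolved address. */
		if (ismyaddr((struct sockaddr *)(void *)&dest_ss)) {
			DEBUG(1,("Password server loop - disabling password server %s\n",
				 desthost));
			continue;
		}

		/* we use a mutex to prevent two connections at once - when a
		   Win2k PDC get two connections where one hasn't completed a
		   session setup yet it will send a TCP reset to the first
		   connection (tridge) */
		mutex = grab_named_mutex(talloc_tos(), desthost, 10);
		if (mutex == NULL) {
			return NULL;
		}

		status = cli_connect_nb(desthost, &dest_ss, 0, 0x20,
					lp_netbios_name(), Undefined, &cli);
		if (NT_STATUS_IS_OK(status)) {
			DEBUG(3,("connected to password server %s\n", desthost));
			connected_ok = True;
			break;
		}

		DEBUG(10,("server_cryptkey: failed to connect to server %s. Error %s\n",
			  desthost, nt_errstr(status)));
		/* Release the mutex before moving on to the next candidate. */
		TALLOC_FREE(mutex);
	}

	if (!connected_ok) {
		DEBUG(0,("password server not available\n"));
		return NULL;
	}

	/* security = server just can't function with spnego */
	cli->use_spnego = False;

	DEBUG(3,("got session\n"));

	status = cli_negprot(cli);
	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(1, ("%s rejected the negprot: %s\n", desthost,
			  nt_errstr(status)));
		goto fail;
	}

	/* Only a user-level security server can validate per-user logons. */
	if (cli->protocol < PROTOCOL_LANMAN2 ||
	    !(cli->sec_mode & NEGOTIATE_SECURITY_USER_LEVEL)) {
		DEBUG(1,("%s isn't in user level security mode\n", desthost));
		goto fail;
	}

	/* Get the first session setup done quickly, to avoid silly Win2k bugs.
	   (The next connection to the server will kill this one... */
	status = cli_session_setup(cli, "", "", 0, "", 0, "");
	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(0,("%s rejected the initial session setup (%s)\n",
			 desthost, nt_errstr(status)));
		goto fail;
	}

	TALLOC_FREE(mutex);
	DEBUG(3,("password server OK\n"));
	return cli;

fail:
	/* Single exit for the post-connect failures: drop the mutex, then
	 * tear down the half-set-up connection. */
	TALLOC_FREE(mutex);
	cli_shutdown(cli);
	return NULL;
}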
/*
 * Finalise the OneFS performance-counter record for a completed SMB
 * request: every counter in the chained-request list and the main
 * counter get a cookie (remote address, local address, uid), are ended
 * with ISP_OP_END(), and the per-request context is released.
 *
 * @param pcd  perfcount data for the request; pcd->context is the
 *             onefs_stats_context attached when counting started, or
 *             NULL when statistics are not enabled.
 *
 * Side effects: frees the chained counters, frees the context itself when
 * it was heap allocated (ctxt->alloced) or zeroes it otherwise, and always
 * clears pcd->context.
 */
static void onefs_smb_statistics_end(struct smb_perfcount_data *pcd)
{
	struct onefs_stats_context *ctxt = pcd->context;
	struct onefs_op_counter *tmp;
	uint64_t uid;
	/* Resolved once per process (see below); 0 means "not yet set". */
	static in_addr_t rem_addr = 0;
	static in_addr_t loc_addr = 0;

	/* not enabled */
	if (pcd->context == NULL)
		return;

	/* A uid of 0 is reported as ISC_UNKNOWN_CLIENT_ID, so root activity
	 * is not attributed to a real uid in these counters. */
	uid = current_user.ut.uid ? current_user.ut.uid : ISC_UNKNOWN_CLIENT_ID;

	/* get address info once, doesn't change for process */
	/* NOTE(review): this cache assumes one client connection per smbd
	 * process; a process serving several clients would keep the first
	 * client's addresses — confirm against the process model. */
	if (rem_addr == 0) {
		/* The #error directive below halts compilation until it is
		 * removed, as its own message asks. */
#error Isilon, please remove this after testing the code below
		char *addr;
		/* "%I" / "%i" are expanded by talloc_sub_basic(); presumably
		 * the remote and local addresses of the connection — verify.
		 * An expansion failure falls back to ISC_MASKED_ADDR. */
		addr = talloc_sub_basic(talloc_tos(), "", "", "%I");
		if (addr != NULL) {
			rem_addr = interpret_addr(addr);
			TALLOC_FREE(addr);
		} else {
			rem_addr = ISC_MASKED_ADDR;
		}
		addr = talloc_sub_basic(talloc_tos(), "", "", "%i");
		if (addr != NULL) {
			loc_addr = interpret_addr(addr);
			TALLOC_FREE(addr);
		} else {
			loc_addr = ISC_MASKED_ADDR;
		}
	}

	/*
	 * bug here - we aren't getting the outlens right,
	 * when dealing w/ chained requests.
	 */
	for (tmp = ctxt->ops_chain; tmp; tmp = tmp->next) {
		/* Every chained op is charged the whole request's out_bytes. */
		tmp->iod.out_bytes = ctxt->iod.out_bytes;
		isc_cookie_init(&tmp->iod.cookie, rem_addr, loc_addr, uid);
		ISP_OP_END(&tmp->iod);
#ifdef ONEFS_PERF_DEBUG
		/* %llu with uint64_t is only correct where uint64_t is
		 * unsigned long long; PRIu64 would be portable. */
		DEBUG(0,("******** Finalized CHAIN op %s uid %llu in:%llu"
			", out:%llu\n", onefs_stat_debug(&tmp->iod), uid,
			tmp->iod.in_bytes, tmp->iod.out_bytes));
#endif
		/* Frees the node before tmp while tmp is still live, so
		 * tmp->next remains readable for the loop step.
		 * NOTE(review): the last node of the chain is not freed by
		 * this loop — confirm it is released elsewhere. */
		SAFE_FREE(DLIST_PREV(tmp));
	}

	isc_cookie_init(&ctxt->iod.cookie, rem_addr, loc_addr, uid);
	ISP_OP_END(&ctxt->iod);
#ifdef ONEFS_PERF_DEBUG
	/* Same %llu / uint64_t portability caveat as above. */
	DEBUG(0,("******** Finalized op %s uid %llu in:%llu, out:%llu\n",
		onefs_stat_debug(&ctxt->iod), uid, ctxt->iod.in_bytes,
		ctxt->iod.out_bytes));
#endif

	/* Heap-allocated contexts are freed; embedded ones are zeroed. */
	if (ctxt->alloced)
		SAFE_FREE(ctxt);
	else
		ZERO_STRUCTP(ctxt);

	pcd->context = NULL;
}