void set_local_machine_name(const char* local_name, BOOL perm) { static BOOL already_perm = False; fstring tmp_local_machine; /* * Windows NT/2k uses "*SMBSERVER" and XP uses "*SMBSERV" * arrggg!!! */ if (strequal(local_name, "*SMBSERVER")) return; if (strequal(local_name, "*SMBSERV")) return; if (already_perm) return; already_perm = perm; fstrcpy(tmp_local_machine,local_name); trim_char(tmp_local_machine,' ',' '); alpha_strcpy(local_machine,tmp_local_machine,SAFE_NETBIOS_CHARS,sizeof(local_machine)-1); strlower_m(local_machine); }
/* Fill in the auth_user_info_unix and auth_unix_token elements in a struct session_info */ NTSTATUS auth_session_info_fill_unix( struct wbc_context *wbc_ctx, struct loadparm_context *lp_ctx, struct auth_session_info *session_info) { char *su; size_t len; NTSTATUS status = security_token_to_unix_token(session_info, wbc_ctx, session_info->security_token, &session_info->unix_token); if (!NT_STATUS_IS_OK(status)) { return status; } session_info->unix_info = talloc_zero(session_info, struct auth_user_info_unix); NT_STATUS_HAVE_NO_MEMORY(session_info->unix_info); session_info->unix_info->system = security_token_is_system(session_info->security_token); session_info->unix_info->unix_name = talloc_asprintf(session_info->unix_info, "%s%s%s", session_info->info->domain_name, lpcfg_winbind_separator(lp_ctx), session_info->info->account_name); NT_STATUS_HAVE_NO_MEMORY(session_info->unix_info->unix_name); len = strlen(session_info->info->account_name) + 1; session_info->unix_info->sanitized_username = su = talloc_array(session_info->unix_info, char, len); NT_STATUS_HAVE_NO_MEMORY(su); alpha_strcpy(su, session_info->info->account_name, ". _-$", len); return NT_STATUS_OK; }
void sub_set_smb_name(const char *name) { fstring tmp; int len; BOOL is_machine_account = False; /* don't let anonymous logins override the name */ if (! *name) return; fstrcpy( tmp, name ); trim_char( tmp, ' ', ' ' ); strlower_m( tmp ); len = strlen( tmp ); if ( len == 0 ) return; /* long story but here goes....we have to allow usernames ending in '$' as they are valid machine account names. So check for a machine account and re-add the '$' at the end after the call to alpha_strcpy(). --jerry */ if ( tmp[len-1] == '$' ) is_machine_account = True; alpha_strcpy( smb_user_name, tmp, SAFE_NETBIOS_CHARS, sizeof(smb_user_name)-1 ); if ( is_machine_account ) { len = strlen( smb_user_name ); smb_user_name[len-1] = '$'; } }
char *get_peer_name(int fd, BOOL force_lookup) { static pstring name_buf; pstring tmp_name; static fstring addr_buf; struct hostent *hp; struct in_addr addr; char *p; /* reverse lookups can be *very* expensive, and in many situations won't work because many networks don't link dhcp with dns. To avoid the delay we avoid the lookup if possible */ if (!lp_hostname_lookups() && (force_lookup == False)) { return get_peer_addr(fd); } p = get_peer_addr(fd); /* it might be the same as the last one - save some DNS work */ if (strcmp(p, addr_buf) == 0) return name_buf; pstrcpy(name_buf,"UNKNOWN"); if (fd == -1) return name_buf; fstrcpy(addr_buf, p); addr = *interpret_addr2(p); /* Look up the remote host name. */ if ((hp = gethostbyaddr((char *)&addr.s_addr, sizeof(addr.s_addr), AF_INET)) == 0) { DEBUG(1,("Gethostbyaddr failed for %s\n",p)); pstrcpy(name_buf, p); } else { pstrcpy(name_buf,(char *)hp->h_name); if (!matchname(name_buf, addr)) { DEBUG(0,("Matchname failed on %s %s\n",name_buf,p)); pstrcpy(name_buf,"UNKNOWN"); } } /* can't pass the same source and dest strings in when you use --enable-developer or the clobber_region() call will get you */ pstrcpy( tmp_name, name_buf ); alpha_strcpy(name_buf, tmp_name, "_-.", sizeof(name_buf)); if (strstr(name_buf,"..")) { pstrcpy(name_buf, "UNKNOWN"); } return name_buf; }
static NTSTATUS make_new_server_info_guest(struct auth_serversupplied_info **server_info) { static const char zeros[16] = {0}; const char *guest_account = lp_guestaccount(); const char *domain = global_myname(); struct netr_SamInfo3 info3; TALLOC_CTX *tmp_ctx; NTSTATUS status; fstring tmp; tmp_ctx = talloc_stackframe(); if (tmp_ctx == NULL) { return NT_STATUS_NO_MEMORY; } ZERO_STRUCT(info3); status = get_guest_info3(tmp_ctx, &info3); if (!NT_STATUS_IS_OK(status)) { goto done; } status = make_server_info_info3(tmp_ctx, guest_account, domain, server_info, &info3); if (!NT_STATUS_IS_OK(status)) { goto done; } (*server_info)->guest = True; status = create_local_token(*server_info); if (!NT_STATUS_IS_OK(status)) { DEBUG(10, ("create_local_token failed: %s\n", nt_errstr(status))); goto done; } /* annoying, but the Guest really does have a session key, and it is all zeros! */ (*server_info)->user_session_key = data_blob(zeros, sizeof(zeros)); (*server_info)->lm_session_key = data_blob(zeros, sizeof(zeros)); alpha_strcpy(tmp, (*server_info)->info3->base.account_name.string, ". _-$", sizeof(tmp)); (*server_info)->sanitized_username = talloc_strdup(*server_info, tmp); status = NT_STATUS_OK; done: TALLOC_FREE(tmp_ctx); return status; }
void sub_set_smb_name(const char *name) { fstring tmp; /* don't let anonymous logins override the name */ if (! *name) return; fstrcpy(tmp,name); trim_char(tmp,' ',' '); strlower_m(tmp); alpha_strcpy(smb_user_name,tmp,SAFE_NETBIOS_CHARS,sizeof(smb_user_name)-1); }
void set_remote_machine_name(const char* remote_name, BOOL perm) { static BOOL already_perm = False; fstring tmp_remote_machine; if (already_perm) return; already_perm = perm; fstrcpy(tmp_remote_machine,remote_name); trim_char(tmp_remote_machine,' ',' '); alpha_strcpy(remote_machine,tmp_remote_machine,SAFE_NETBIOS_CHARS,sizeof(remote_machine)-1); strlower_m(remote_machine); }
int register_vuid(auth_serversupplied_info *server_info, DATA_BLOB session_key, DATA_BLOB response_blob, const char *smb_name) { user_struct *vuser = NULL; /* Paranoia check. */ if(lp_security() == SEC_SHARE) { smb_panic("Tried to register uid in security=share\n"); } /* Limit allowed vuids to 16bits - VUID_OFFSET. */ if (num_validated_vuids >= 0xFFFF-VUID_OFFSET) { data_blob_free(&session_key); return UID_FIELD_INVALID; } if((vuser = SMB_MALLOC_P(user_struct)) == NULL) { DEBUG(0,("Failed to malloc users struct!\n")); data_blob_free(&session_key); return UID_FIELD_INVALID; } ZERO_STRUCTP(vuser); /* Allocate a free vuid. Yes this is a linear search... :-) */ while( get_valid_user_struct(next_vuid) != NULL ) { next_vuid++; /* Check for vuid wrap. */ if (next_vuid == UID_FIELD_INVALID) next_vuid = VUID_OFFSET; } DEBUG(10,("register_vuid: allocated vuid = %u\n", (unsigned int)next_vuid )); vuser->vuid = next_vuid; if (!server_info) { /* * This happens in an unfinished NTLMSSP session setup. We * need to allocate a vuid between the first and second calls * to NTLMSSP. */ next_vuid++; num_validated_vuids++; vuser->server_info = NULL; DLIST_ADD(validated_users, vuser); return vuser->vuid; } /* the next functions should be done by a SID mapping system (SMS) as * the new real sam db won't have reference to unix uids or gids */ vuser->uid = server_info->uid; vuser->gid = server_info->gid; vuser->n_groups = server_info->n_groups; if (vuser->n_groups) { if (!(vuser->groups = (gid_t *)memdup(server_info->groups, sizeof(gid_t) * vuser->n_groups))) { DEBUG(0,("register_vuid: failed to memdup " "vuser->groups\n")); data_blob_free(&session_key); free(vuser); TALLOC_FREE(server_info); return UID_FIELD_INVALID; } } vuser->guest = server_info->guest; fstrcpy(vuser->user.unix_name, server_info->unix_name); /* This is a potentially untrusted username */ alpha_strcpy(vuser->user.smb_name, smb_name, ". _-$", sizeof(vuser->user.smb_name)); fstrcpy(vuser->user.domain, pdb_get_domain(server_info->sam_account)); fstrcpy(vuser->user.full_name, pdb_get_fullname(server_info->sam_account)); { /* Keep the homedir handy */ const char *homedir = pdb_get_homedir(server_info->sam_account); const char *logon_script = pdb_get_logon_script(server_info->sam_account); if (!IS_SAM_DEFAULT(server_info->sam_account, PDB_UNIXHOMEDIR)) { const char *unix_homedir = pdb_get_unix_homedir(server_info->sam_account); if (unix_homedir) { vuser->unix_homedir = smb_xstrdup(unix_homedir); } } else { struct passwd *passwd = getpwnam_alloc(NULL, vuser->user.unix_name); if (passwd) { vuser->unix_homedir = smb_xstrdup(passwd->pw_dir); TALLOC_FREE(passwd); } } if (homedir) { vuser->homedir = smb_xstrdup(homedir); } if (logon_script) { vuser->logon_script = smb_xstrdup(logon_script); } } vuser->session_key = session_key; DEBUG(10,("register_vuid: (%u,%u) %s %s %s guest=%d\n", (unsigned int)vuser->uid, (unsigned int)vuser->gid, vuser->user.unix_name, vuser->user.smb_name, vuser->user.domain, vuser->guest )); DEBUG(3, ("User name: %s\tReal name: %s\n", vuser->user.unix_name, vuser->user.full_name)); if (server_info->ptok) { vuser->nt_user_token = dup_nt_token(NULL, server_info->ptok); } else { DEBUG(1, ("server_info does not contain a user_token - " "cannot continue\n")); TALLOC_FREE(server_info); data_blob_free(&session_key); SAFE_FREE(vuser->homedir); SAFE_FREE(vuser->unix_homedir); SAFE_FREE(vuser->logon_script); SAFE_FREE(vuser); return UID_FIELD_INVALID; } /* use this to keep tabs on all our info from the authentication */ vuser->server_info = server_info; DEBUG(3,("UNIX uid %d is UNIX user %s, and will be vuid %u\n", (int)vuser->uid,vuser->user.unix_name, vuser->vuid)); next_vuid++; num_validated_vuids++; DLIST_ADD(validated_users, vuser); if (!session_claim(vuser)) { DEBUG(1, ("Failed to claim session for vuid=%d\n", vuser->vuid)); invalidate_vuid(vuser->vuid); return UID_FIELD_INVALID; } /* Register a home dir service for this user iff (a) This is not a guest connection, (b) we have a home directory defined (c) there s not an existing static share by that name If a share exists by this name (autoloaded or not) reuse it . */ vuser->homes_snum = -1; if ( (!vuser->guest) && vuser->unix_homedir && *(vuser->unix_homedir)) { int servicenumber = lp_servicenumber(vuser->user.unix_name); if ( servicenumber == -1 ) { DEBUG(3, ("Adding homes service for user '%s' using " "home directory: '%s'\n", vuser->user.unix_name, vuser->unix_homedir)); vuser->homes_snum = add_home_service(vuser->user.unix_name, vuser->user.unix_name, vuser->unix_homedir); } else { DEBUG(3, ("Using static (or previously created) " "service for user '%s'; path = '%s'\n", vuser->user.unix_name, lp_pathname(servicenumber) )); vuser->homes_snum = servicenumber; } } if (srv_is_signing_negotiated() && !vuser->guest && !srv_signing_started()) { /* Try and turn on server signing on the first non-guest * sessionsetup. */ srv_set_signing(vuser->session_key, response_blob); } /* fill in the current_user_info struct */ set_current_user_info( &vuser->user ); return vuser->vuid; }
int register_existing_vuid(uint16 vuid, auth_serversupplied_info *server_info, DATA_BLOB response_blob, const char *smb_name) { fstring tmp; user_struct *vuser; vuser = get_partial_auth_user_struct(vuid); if (!vuser) { goto fail; } /* Use this to keep tabs on all our info from the authentication */ vuser->server_info = talloc_move(vuser, &server_info); /* This is a potentially untrusted username */ alpha_strcpy(tmp, smb_name, ". _-$", sizeof(tmp)); vuser->server_info->sanitized_username = talloc_strdup( vuser->server_info, tmp); DEBUG(10,("register_existing_vuid: (%u,%u) %s %s %s guest=%d\n", (unsigned int)vuser->server_info->utok.uid, (unsigned int)vuser->server_info->utok.gid, vuser->server_info->unix_name, vuser->server_info->sanitized_username, pdb_get_domain(vuser->server_info->sam_account), vuser->server_info->guest )); DEBUG(3, ("register_existing_vuid: User name: %s\t" "Real name: %s\n", vuser->server_info->unix_name, pdb_get_fullname(vuser->server_info->sam_account))); if (!vuser->server_info->ptok) { DEBUG(1, ("register_existing_vuid: server_info does not " "contain a user_token - cannot continue\n")); goto fail; } DEBUG(3,("register_existing_vuid: UNIX uid %d is UNIX user %s, " "and will be vuid %u\n", (int)vuser->server_info->utok.uid, vuser->server_info->unix_name, vuser->vuid)); if (!session_claim(vuser)) { DEBUG(1, ("register_existing_vuid: Failed to claim session " "for vuid=%d\n", vuser->vuid)); goto fail; } /* Register a home dir service for this user if (a) This is not a guest connection, (b) we have a home directory defined (c) there s not an existing static share by that name If a share exists by this name (autoloaded or not) reuse it . */ vuser->homes_snum = -1; if (!vuser->server_info->guest) { vuser->homes_snum = register_homes_share( vuser->server_info->unix_name); } if (srv_is_signing_negotiated() && !vuser->server_info->guest && !srv_signing_started()) { /* Try and turn on server signing on the first non-guest * sessionsetup. */ srv_set_signing(vuser->server_info->user_session_key, response_blob); } /* fill in the current_user_info struct */ set_current_user_info( vuser->server_info->sanitized_username, vuser->server_info->unix_name, pdb_get_domain(vuser->server_info->sam_account)); return vuser->vuid; fail: if (vuser) { invalidate_vuid(vuid); } return UID_FIELD_INVALID; }
NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, const struct auth_serversupplied_info *server_info, DATA_BLOB *session_key, const char *smb_username, /* for ->sanitized_username, for %U subs */ struct auth_session_info **session_info_out) { struct security_token *t; NTSTATUS status; size_t i; struct dom_sid tmp_sid; struct auth_session_info *session_info; struct unixid *ids; fstring tmp; /* Ensure we can't possible take a code path leading to a * null defref. */ if (!server_info) { return NT_STATUS_LOGON_FAILURE; } session_info = talloc_zero(mem_ctx, struct auth_session_info); if (!session_info) { return NT_STATUS_NO_MEMORY; } session_info->unix_token = talloc_zero(session_info, struct security_unix_token); if (!session_info->unix_token) { TALLOC_FREE(session_info); return NT_STATUS_NO_MEMORY; } session_info->unix_token->uid = server_info->utok.uid; session_info->unix_token->gid = server_info->utok.gid; session_info->unix_info = talloc_zero(session_info, struct auth_user_info_unix); if (!session_info->unix_info) { TALLOC_FREE(session_info); return NT_STATUS_NO_MEMORY; } session_info->unix_info->unix_name = talloc_strdup(session_info, server_info->unix_name); if (!session_info->unix_info->unix_name) { TALLOC_FREE(session_info); return NT_STATUS_NO_MEMORY; } /* This is a potentially untrusted username for use in %U */ alpha_strcpy(tmp, smb_username, ". _-$", sizeof(tmp)); session_info->unix_info->sanitized_username = talloc_strdup(session_info->unix_info, tmp); if (session_key) { data_blob_free(&session_info->session_key); session_info->session_key = data_blob_talloc(session_info, session_key->data, session_key->length); if (!session_info->session_key.data && session_key->length) { return NT_STATUS_NO_MEMORY; } } else { session_info->session_key = data_blob_talloc( session_info, server_info->session_key.data, server_info->session_key.length); } /* We need to populate session_info->info with the information found in server_info->info3 */ status = make_user_info_SamBaseInfo(session_info, "", &server_info->info3->base, server_info->guest == false, &session_info->info); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("conversion of info3 into auth_user_info failed!\n")); TALLOC_FREE(session_info); return status; } if (server_info->security_token) { /* Just copy the token, it has already been finalised * (nasty hack to support a cached guest/system session_info */ session_info->security_token = dup_nt_token(session_info, server_info->security_token); if (!session_info->security_token) { TALLOC_FREE(session_info); return NT_STATUS_NO_MEMORY; } session_info->unix_token->ngroups = server_info->utok.ngroups; if (server_info->utok.ngroups != 0) { session_info->unix_token->groups = (gid_t *)talloc_memdup( session_info->unix_token, server_info->utok.groups, sizeof(gid_t)*session_info->unix_token->ngroups); } else { session_info->unix_token->groups = NULL; } *session_info_out = session_info; return NT_STATUS_OK; } /* * If winbind is not around, we can not make much use of the SIDs the * domain controller provided us with. Likewise if the user name was * mapped to some local unix user. */ if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) || (server_info->nss_token)) { char *found_username = NULL; status = create_token_from_username(session_info, server_info->unix_name, server_info->guest, &session_info->unix_token->uid, &session_info->unix_token->gid, &found_username, &session_info->security_token); if (NT_STATUS_IS_OK(status)) { session_info->unix_info->unix_name = found_username; } } else { status = create_local_nt_token_from_info3(session_info, server_info->guest, server_info->info3, &server_info->extra, &session_info->security_token); } if (!NT_STATUS_IS_OK(status)) { return status; } /* Convert the SIDs to gids. */ session_info->unix_token->ngroups = 0; session_info->unix_token->groups = NULL; t = session_info->security_token; ids = talloc_array(talloc_tos(), struct unixid, t->num_sids); if (ids == NULL) { return NT_STATUS_NO_MEMORY; } if (!sids_to_unixids(t->sids, t->num_sids, ids)) { TALLOC_FREE(ids); return NT_STATUS_NO_MEMORY; } for (i=0; i<t->num_sids; i++) { if (i == 0 && ids[i].type != ID_TYPE_BOTH) { continue; } if (ids[i].type != ID_TYPE_GID && ids[i].type != ID_TYPE_BOTH) { DEBUG(10, ("Could not convert SID %s to gid, " "ignoring it\n", sid_string_dbg(&t->sids[i]))); continue; } if (!add_gid_to_array_unique(session_info, ids[i].id, &session_info->unix_token->groups, &session_info->unix_token->ngroups)) { return NT_STATUS_NO_MEMORY; } } /* * Add the "Unix Group" SID for each gid to catch mapped groups * and their Unix equivalent. This is to solve the backwards * compatibility problem of 'valid users = +ntadmin' where * ntadmin has been paired with "Domain Admins" in the group * mapping table. Otherwise smb.conf would need to be changed * to 'valid user = "******"'. --jerry * * For consistency we also add the "Unix User" SID, * so that the complete unix token is represented within * the nt token. */ uid_to_unix_users_sid(session_info->unix_token->uid, &tmp_sid); add_sid_to_array_unique(session_info->security_token, &tmp_sid, &session_info->security_token->sids, &session_info->security_token->num_sids); for ( i=0; i<session_info->unix_token->ngroups; i++ ) { gid_to_unix_groups_sid(session_info->unix_token->groups[i], &tmp_sid); add_sid_to_array_unique(session_info->security_token, &tmp_sid, &session_info->security_token->sids, &session_info->security_token->num_sids); } security_token_debug(DBGC_AUTH, 10, session_info->security_token); debug_unix_user_token(DBGC_AUTH, 10, session_info->unix_token->uid, session_info->unix_token->gid, session_info->unix_token->ngroups, session_info->unix_token->groups); status = log_nt_token(session_info->security_token); if (!NT_STATUS_IS_OK(status)) { return status; } *session_info_out = session_info; return NT_STATUS_OK; }
static NTSTATUS smbd_smb2_common_ntlmssp_auth_return(struct smbd_smb2_session *session, struct smbd_smb2_request *smb2req, uint8_t in_security_mode, DATA_BLOB in_security_buffer, uint16_t *out_session_flags, uint64_t *out_session_id) { fstring tmp; bool guest = false; if ((in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) || lp_server_signing() == Required) { session->do_signing = true; } if (session->session_info->guest) { /* we map anonymous to guest internally */ *out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST; *out_session_flags |= SMB2_SESSION_FLAG_IS_NULL; /* force no signing */ session->do_signing = false; guest = true; } session->session_key = session->session_info->user_session_key; session->compat_vuser = talloc_zero(session, user_struct); if (session->compat_vuser == NULL) { TALLOC_FREE(session->auth_ntlmssp_state); TALLOC_FREE(session); return NT_STATUS_NO_MEMORY; } session->compat_vuser->auth_ntlmssp_state = session->auth_ntlmssp_state; session->compat_vuser->homes_snum = -1; session->compat_vuser->session_info = session->session_info; session->compat_vuser->session_keystr = NULL; session->compat_vuser->vuid = session->vuid; DLIST_ADD(session->sconn->smb1.sessions.validated_users, session->compat_vuser); /* This is a potentially untrusted username */ alpha_strcpy(tmp, auth_ntlmssp_get_username(session->auth_ntlmssp_state), ". _-$", sizeof(tmp)); session->session_info->sanitized_username = talloc_strdup( session->session_info, tmp); if (!session->compat_vuser->session_info->guest) { session->compat_vuser->homes_snum = register_homes_share(session->session_info->unix_name); } if (!session_claim(session->sconn, session->compat_vuser)) { DEBUG(1, ("smb2: Failed to claim session " "for vuid=%d\n", session->compat_vuser->vuid)); TALLOC_FREE(session->auth_ntlmssp_state); TALLOC_FREE(session); return NT_STATUS_LOGON_FAILURE; } session->status = NT_STATUS_OK; /* * we attach the session to the request * so that the response can be signed */ smb2req->session = session; if (!guest) { smb2req->do_signing = true; } global_client_caps |= (CAP_LEVEL_II_OPLOCKS|CAP_STATUS32); *out_session_id = session->vuid; return NT_STATUS_OK; }
static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session, struct smbd_smb2_request *smb2req, uint8_t in_security_mode, const DATA_BLOB *secblob, const char *mechOID, uint16_t *out_session_flags, DATA_BLOB *out_security_buffer, uint64_t *out_session_id) { DATA_BLOB ap_rep = data_blob_null; DATA_BLOB ap_rep_wrapped = data_blob_null; DATA_BLOB ticket = data_blob_null; DATA_BLOB session_key = data_blob_null; DATA_BLOB secblob_out = data_blob_null; uint8 tok_id[2]; struct PAC_LOGON_INFO *logon_info = NULL; char *principal = NULL; char *user = NULL; char *domain = NULL; struct passwd *pw = NULL; NTSTATUS status; char *real_username; fstring tmp; bool username_was_mapped = false; bool map_domainuser_to_guest = false; bool guest = false; if (!spnego_parse_krb5_wrap(talloc_tos(), *secblob, &ticket, tok_id)) { status = NT_STATUS_LOGON_FAILURE; goto fail; } status = ads_verify_ticket(smb2req, lp_realm(), 0, &ticket, &principal, &logon_info, &ap_rep, &session_key, true); if (!NT_STATUS_IS_OK(status)) { DEBUG(1,("smb2: Failed to verify incoming ticket with error %s!\n", nt_errstr(status))); if (!NT_STATUS_EQUAL(status, NT_STATUS_TIME_DIFFERENCE_AT_DC)) { status = NT_STATUS_LOGON_FAILURE; } goto fail; } status = get_user_from_kerberos_info(talloc_tos(), smb2req->sconn->client_id.name, principal, logon_info, &username_was_mapped, &map_domainuser_to_guest, &user, &domain, &real_username, &pw); if (!NT_STATUS_IS_OK(status)) { goto fail; } /* save the PAC data if we have it */ if (logon_info) { netsamlogon_cache_store(user, &logon_info->info3); } /* setup the string used by %U */ sub_set_smb_name(real_username); /* reload services so that the new %U is taken into account */ reload_services(smb2req->sconn->msg_ctx, smb2req->sconn->sock, true); status = make_server_info_krb5(session, user, domain, real_username, pw, logon_info, map_domainuser_to_guest, &session->session_info); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("smb2: make_server_info_krb5 failed\n")); goto fail; } session->session_info->nss_token |= username_was_mapped; /* we need to build the token for the user. make_session_info_guest() already does this */ if (!session->session_info->security_token ) { status = create_local_token(session->session_info); if (!NT_STATUS_IS_OK(status)) { DEBUG(10,("smb2: failed to create local token: %s\n", nt_errstr(status))); goto fail; } } if ((in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) || lp_server_signing() == Required) { session->do_signing = true; } if (session->session_info->guest) { /* we map anonymous to guest internally */ *out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST; *out_session_flags |= SMB2_SESSION_FLAG_IS_NULL; /* force no signing */ session->do_signing = false; guest = true; } data_blob_free(&session->session_info->user_session_key); session->session_info->user_session_key = data_blob_talloc( session->session_info, session_key.data, session_key.length); if (session_key.length > 0) { if (session->session_info->user_session_key.data == NULL) { status = NT_STATUS_NO_MEMORY; goto fail; } } session->session_key = session->session_info->user_session_key; session->compat_vuser = talloc_zero(session, user_struct); if (session->compat_vuser == NULL) { status = NT_STATUS_NO_MEMORY; goto fail; } session->compat_vuser->auth_ntlmssp_state = NULL; session->compat_vuser->homes_snum = -1; session->compat_vuser->session_info = session->session_info; session->compat_vuser->session_keystr = NULL; session->compat_vuser->vuid = session->vuid; DLIST_ADD(session->sconn->smb1.sessions.validated_users, session->compat_vuser); /* This is a potentially untrusted username */ alpha_strcpy(tmp, user, ". _-$", sizeof(tmp)); session->session_info->sanitized_username = talloc_strdup(session->session_info, tmp); if (!session->session_info->guest) { session->compat_vuser->homes_snum = register_homes_share(session->session_info->unix_name); } if (!session_claim(session->sconn, session->compat_vuser)) { DEBUG(1, ("smb2: Failed to claim session " "for vuid=%d\n", session->compat_vuser->vuid)); goto fail; } session->status = NT_STATUS_OK; /* * we attach the session to the request * so that the response can be signed */ smb2req->session = session; if (!guest) { smb2req->do_signing = true; } global_client_caps |= (CAP_LEVEL_II_OPLOCKS|CAP_STATUS32); status = NT_STATUS_OK; /* wrap that up in a nice GSS-API wrapping */ ap_rep_wrapped = spnego_gen_krb5_wrap(talloc_tos(), ap_rep, TOK_ID_KRB_AP_REP); secblob_out = spnego_gen_auth_response( talloc_tos(), &ap_rep_wrapped, status, mechOID); *out_security_buffer = data_blob_talloc(smb2req, secblob_out.data, secblob_out.length); if (secblob_out.data && out_security_buffer->data == NULL) { status = NT_STATUS_NO_MEMORY; goto fail; } data_blob_free(&ap_rep); data_blob_free(&ap_rep_wrapped); data_blob_free(&ticket); data_blob_free(&session_key); data_blob_free(&secblob_out); *out_session_id = session->vuid; return NT_STATUS_OK; fail: data_blob_free(&ap_rep); data_blob_free(&ap_rep_wrapped); data_blob_free(&ticket); data_blob_free(&session_key); data_blob_free(&secblob_out); ap_rep_wrapped = data_blob_null; secblob_out = spnego_gen_auth_response( talloc_tos(), &ap_rep_wrapped, status, mechOID); *out_security_buffer = data_blob_talloc(smb2req, secblob_out.data, secblob_out.length); data_blob_free(&secblob_out); return status; }
/**************************************************************************** deliver the message ****************************************************************************/ static void msg_deliver(void) { pstring name; int i; int fd; char *msg; int len; if (! (*lp_msg_command())) { DEBUG(1,("no messaging command specified\n")); msgpos = 0; return; } /* put it in a temporary file */ slprintf(name,sizeof(name)-1, "%s/msg.XXXXXX",tmpdir()); fd = smb_mkstemp(name); if (fd == -1) { DEBUG(1,("can't open message file %s\n",name)); return; } /* * Incoming message is in DOS codepage format. Convert to UNIX. */ if ((len = convert_string_allocate(NULL,CH_DOS, CH_UNIX, msgbuf, msgpos, (void **) &msg)) < 0 || !msg) { DEBUG(3,("Conversion failed, delivering message in DOS codepage format\n")); for (i = 0; i < msgpos;) { if (msgbuf[i] == '\r' && i < (msgpos-1) && msgbuf[i+1] == '\n') { i++; continue; } write(fd, &msgbuf[i++], 1); } } else { for (i = 0; i < len;) { if (msg[i] == '\r' && i < (len-1) && msg[i+1] == '\n') { i++; continue; } write(fd, &msg[i++],1); } SAFE_FREE(msg); } close(fd); /* run the command */ if (*lp_msg_command()) { fstring alpha_msgfrom; fstring alpha_msgto; pstring s; pstrcpy(s,lp_msg_command()); pstring_sub(s,"%f",alpha_strcpy(alpha_msgfrom,msgfrom,NULL,sizeof(alpha_msgfrom))); pstring_sub(s,"%t",alpha_strcpy(alpha_msgto,msgto,NULL,sizeof(alpha_msgto))); standard_sub_basic(current_user_info.smb_name, s, sizeof(s)); pstring_sub(s,"%s",name); smbrun(s,NULL); } msgpos = 0; }