Exemplo n.º 1
0
static NTSTATUS auth_anonymous_session_info(TALLOC_CTX *mem_ctx,
					    struct auth_session_info **session_info)
{
	NTSTATUS status;

	status = make_session_info_guest(mem_ctx, session_info);
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}

	return NT_STATUS_OK;
}
Exemplo n.º 2
0
static NTSTATUS create_connection_session_info(struct smbd_server_connection *sconn,
					      TALLOC_CTX *mem_ctx, int snum,
                                              struct auth_session_info *session_info,
                                              struct auth_session_info **presult)
{
	struct auth_session_info *result;

        if (lp_guest_only(snum)) {
                return make_session_info_guest(mem_ctx, presult);
        }

	/*
	 * This is the normal security != share case where we have a
	 * valid vuid from the session setup.                 */

	if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
		if (!lp_guest_ok(snum)) {
			DEBUG(2, ("guest user (from session setup) "
				  "not permitted to access this share "
				  "(%s)\n", lp_servicename(talloc_tos(), snum)));
			return NT_STATUS_ACCESS_DENIED;
		}
	} else {
		if (!user_ok_token(session_info->unix_info->unix_name,
				   session_info->info->domain_name,
				   session_info->security_token, snum)) {
			DEBUG(2, ("user '%s' (from session setup) not "
				  "permitted to access this share "
				  "(%s)\n",
				  session_info->unix_info->unix_name,
				  lp_servicename(talloc_tos(), snum)));
			return NT_STATUS_ACCESS_DENIED;
		}
	}

	result = copy_session_info(mem_ctx, session_info);
	if (result == NULL) {
		return NT_STATUS_NO_MEMORY;
	}

	*presult = result;
	return NT_STATUS_OK;
}
Exemplo n.º 3
0
NTSTATUS auth3_generate_session_info(struct auth4_context *auth_context,
                                     TALLOC_CTX *mem_ctx,
                                     void *server_returned_info,
                                     const char *original_user_name,
                                     uint32_t session_info_flags,
                                     struct auth_session_info **session_info)
{
    struct auth_user_info_dc *user_info = NULL;
    struct auth_serversupplied_info *server_info = NULL;
    NTSTATUS nt_status;

    /*
     * This is a hack, some callers...
     *
     * Some callers pass auth_user_info_dc, the SCHANNEL and
     * NCALRPC_AS_SYSTEM gensec modules.
     *
     * While the reset passes auth3_check_password() returned.
     */
    user_info = talloc_get_type(server_returned_info,
                                struct auth_user_info_dc);
    if (user_info != NULL) {
        const struct dom_sid *sid;
        int cmp;

        /*
         * This should only be called from SCHANNEL or NCALRPC_AS_SYSTEM
         */
        if (user_info->num_sids != 1) {
            return NT_STATUS_INTERNAL_ERROR;
        }
        sid = &user_info->sids[PRIMARY_USER_SID_INDEX];

        cmp = dom_sid_compare(sid, &global_sid_System);
        if (cmp == 0) {
            return make_session_info_system(mem_ctx, session_info);
        }

        cmp = dom_sid_compare(sid, &global_sid_Anonymous);
        if (cmp == 0) {
            /*
             * TODO: use auth_anonymous_session_info() here?
             */
            return make_session_info_guest(mem_ctx, session_info);
        }

        return NT_STATUS_INTERNAL_ERROR;
    }

    server_info = talloc_get_type_abort(server_returned_info,
                                        struct auth_serversupplied_info);
    nt_status = create_local_token(mem_ctx,
                                   server_info,
                                   NULL,
                                   original_user_name,
                                   session_info);
    if (!NT_STATUS_IS_OK(nt_status)) {
        DEBUG(10, ("create_local_token failed: %s\n",
                   nt_errstr(nt_status)));
        return nt_status;
    }

    return NT_STATUS_OK;
}
Exemplo n.º 4
0
static NTSTATUS create_connection_session_info(struct smbd_server_connection *sconn,
					      TALLOC_CTX *mem_ctx, int snum,
                                              struct auth_session_info *vuid_serverinfo,
					      DATA_BLOB password,
                                              struct auth_session_info **presult)
{
        if (lp_guest_only(snum)) {
                return make_session_info_guest(mem_ctx, presult);
        }

        if (vuid_serverinfo != NULL) {

		struct auth_session_info *result;

                /*
                 * This is the normal security != share case where we have a
                 * valid vuid from the session setup.                 */

		if (security_session_user_level(vuid_serverinfo, NULL) < SECURITY_USER) {
                      if (!lp_guest_ok(snum)) {
                                DEBUG(2, ("guest user (from session setup) "
                                          "not permitted to access this share "
                                          "(%s)\n", lp_servicename(snum)));
                                return NT_STATUS_ACCESS_DENIED;
                        }
                } else {
                        if (!user_ok_token(vuid_serverinfo->unix_info->unix_name,
					   vuid_serverinfo->info->domain_name,
                                           vuid_serverinfo->security_token, snum)) {
                                DEBUG(2, ("user '%s' (from session setup) not "
                                          "permitted to access this share "
                                          "(%s)\n",
                                          vuid_serverinfo->unix_info->unix_name,
                                          lp_servicename(snum)));
                                return NT_STATUS_ACCESS_DENIED;
                        }
                }

                result = copy_session_info(mem_ctx, vuid_serverinfo);
		if (result == NULL) {
			return NT_STATUS_NO_MEMORY;
		}

		*presult = result;
		return NT_STATUS_OK;
        }

        if (lp_security() == SEC_SHARE) {

                fstring user;
		bool guest;

                /* add the sharename as a possible user name if we
                   are in share mode security */

                add_session_user(sconn, lp_servicename(snum));

                /* shall we let them in? */

                if (!authorise_login(sconn, snum,user,password,&guest)) {
                        DEBUG( 2, ( "Invalid username/password for [%s]\n",
                                    lp_servicename(snum)) );
			return NT_STATUS_WRONG_PASSWORD;
                }

		return make_session_info_from_username(mem_ctx, user, guest,
						       presult);
        }

	DEBUG(0, ("invalid VUID (vuser) but not in security=share\n"));
	return NT_STATUS_ACCESS_DENIED;
}