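/*
 * Expand one share-level user list and test whether @user is in it.
 *
 * The parameter is copied, "%S" is replaced by the service name and the
 * basic substitutions are applied with no current user (this path is only
 * used for sec=share, so there is none to pass), then user_in_list() is
 * consulted.
 *
 * Returns true with *member set when the list could be evaluated.  Returns
 * false and leaves *member untouched when the copy or a substitution
 * failed; the caller decides what an unevaluable list means.
 */
static bool user_ok_list_member(const char *user, int snum,
				const char **list, bool *member)
{
	char **expanded = str_list_copy(talloc_tos(), list);
	bool evaluated = false;

	if (expanded != NULL &&
	    str_list_substitute(expanded, "%S", lp_servicename(snum)) &&
	    str_list_sub_basic(expanded, "", "")) {
		*member = user_in_list(user, (const char **)expanded);
		evaluated = true;
	}
	TALLOC_FREE(expanded);
	return evaluated;
}

/*
 * Share-level (sec=share) check whether @user may use service @snum,
 * honouring "invalid users", "valid users" and "only user"/"username".
 *
 * Every configured list is evaluated fail-closed: if it is set but cannot
 * be expanded (allocation or substitution failure) the user is rejected
 * instead of that list being silently skipped -- previously a failed copy
 * left the result at "allowed", bypassing the deny list or admitting a
 * user through an allow list that was never consulted.  Likewise
 * "only user = yes" with an empty or unparsable "username =" now admits
 * nobody, matching the token-based variant of this check.
 *
 * Returns true if every configured check passed.
 */
static bool user_ok(const char *user, int snum)
{
	bool member = false;

	if (lp_invalid_users(snum)) {
		/* A deny list that cannot be evaluated must deny. */
		if (!user_ok_list_member(user, snum, lp_invalid_users(snum),
					 &member) || member) {
			return false;
		}
	}

	if (lp_valid_users(snum)) {
		/* An allow list that cannot be evaluated admits nobody. */
		if (!user_ok_list_member(user, snum, lp_valid_users(snum),
					 &member) || !member) {
			return false;
		}
	}

	if (lp_onlyuser(snum)) {
		char **user_list = str_list_make_v3(talloc_tos(),
						    lp_username(snum), NULL);
		bool in_username = false;

		if (user_list != NULL &&
		    str_list_substitute(user_list, "%S",
					lp_servicename(snum))) {
			in_username = user_in_list(user,
						   (const char **)user_list);
		}
		TALLOC_FREE(user_list);
		return in_username;
	}

	return true;
}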
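/*
 * Check whether @user may use service @snum according to the share's
 * "invalid users", "valid users" and "only user"/"username" settings.
 *
 * Each list is copied, has "%S" replaced by the service name and then the
 * basic substitutions applied with the current SMB user name, before
 * user_in_list() is consulted.
 *
 * A configured list that cannot be expanded (copy or substitution failure)
 * counts as a rejection instead of being skipped: leaving the result at
 * "allowed" in that case bypassed the deny list, or admitted a user
 * through an allow list that was never consulted.  For the same reason
 * "only user = yes" with an unparsable "username =" admits nobody.
 *
 * Returns True if every configured check passed.
 */
static BOOL user_ok(const char *user, int snum)
{
	char **invalid = NULL;
	char **valid = NULL;
	char **user_list = NULL;
	BOOL ret = true;

	if (lp_invalid_users(snum)) {
		/* Deny unless the list could be evaluated and excludes @user. */
		ret = false;
		str_list_copy(&invalid, lp_invalid_users(snum));
		if (invalid &&
		    str_list_substitute(invalid, "%S", lp_servicename(snum)) &&
		    str_list_sub_basic(invalid, current_user_info.smb_name)) {
			ret = !user_in_list(user, (const char **)invalid);
		}
		if (invalid) {
			str_list_free(&invalid);
		}
	}

	if (ret && lp_valid_users(snum)) {
		/* Admit only when the list could be evaluated and names @user. */
		ret = false;
		str_list_copy(&valid, lp_valid_users(snum));
		if (valid &&
		    str_list_substitute(valid, "%S", lp_servicename(snum)) &&
		    str_list_sub_basic(valid, current_user_info.smb_name)) {
			ret = user_in_list(user, (const char **)valid);
		}
		if (valid) {
			str_list_free(&valid);
		}
	}

	if (ret && lp_onlyuser(snum)) {
		/* "only user = yes" with no usable "username =" admits nobody. */
		ret = false;
		user_list = str_list_make(lp_username(snum), NULL);
		if (user_list &&
		    str_list_substitute(user_list, "%S", lp_servicename(snum))) {
			ret = user_in_list(user, (const char **)user_list);
		}
		if (user_list) {
			str_list_free(&user_list);
		}
	}

	return ret;
}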
/*
 * Token-based share access check: may the user described by
 * (@username, @domain, @token) use service @snum?
 *
 * Evaluated in order, each failure returning False at once:
 *   1. "invalid users"    -- a match denies;
 *   2. "valid users"      -- when set, a non-match denies;
 *   3. "only user = yes"  -- an unset or empty "username =" denies.
 * Membership is decided by token_contains_name_in_list(), which is handed
 * lp_servicename(snum) (presumably for "%S" expansion -- confirm in the
 * helper) and the token, so group/domain membership is honoured.
 *
 * NOTE(review): the text between the two '******' markers below is
 * redacted/garbled in this copy.  It presumably held the rest of the
 * "only user" branch (the end of that DEBUG format and the lookup of the
 * user in the "username =" list -- the stray `, username` argument belongs
 * to it); the visible branch therefore ends after the empty-list check and
 * must not be read as complete.  Confirm against a clean copy.
 */
bool user_ok_token(const char *username, const char *domain,
		   const struct nt_user_token *token, int snum)
{
	if (lp_invalid_users(snum) != NULL) {
		/* Deny list first: membership is a hard reject. */
		if (token_contains_name_in_list(username, domain,
						lp_servicename(snum),
						token,
						lp_invalid_users(snum))) {
			DEBUG(10, ("User %s in 'invalid users'\n", username));
			return False;
		}
	}

	if (lp_valid_users(snum) != NULL) {
		/* Allow list: when configured, the user must be on it. */
		if (!token_contains_name_in_list(username, domain,
						 lp_servicename(snum),
						 token,
						 lp_valid_users(snum))) {
			DEBUG(10, ("User %s not in 'valid users'\n", username));
			return False;
		}
	}

	if (lp_onlyuser(snum)) {
		const char *list[2];
		list[0] = lp_username(snum);
		list[1] = NULL;
		/* Fail closed: "only user = yes" without a "username =" admits
		 * nobody rather than everybody. */
		if ((list[0] == NULL) || (*list[0] == '\0')) {
			DEBUG(0, ("'only user = yes' and no 'username ='******'username'\n", username));
			return False;
		}
	}

	DEBUG(10, ("user_ok_token: share %s is ok for unix user %s\n",
		   lp_servicename(snum), username));
	return True;
}
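/****************************************************************************
 check if a username is valid

 Honours "invalid users", "valid users" and "only user"/"username" for
 service snum, after replacing "%S" with the service name in each list.

 The "username =" value is copied into a private pstring before "%S" is
 expanded.  The previous in-place string_sub() on the pointer returned by
 lp_username() rewrote the configuration layer's own storage -- corrupting
 the stored parameter for later callers and, whenever the expansion is
 longer than "%S", writing beyond whatever that buffer holds.  The later
 variants of this function copy the list first as well.

 Returns True if every configured check passed.
****************************************************************************/
BOOL user_ok(char *user,int snum)
{
  pstring valid, invalid, user_list;
  BOOL ret;

  /* NOTE(review): sizeof-1 matches the bound this file passes to StrnCpy
     for guestname; presumably the helper writes a terminator after the n
     copied characters, so sizeof(pstring) would put it one past the end.
     Either way the copy stays inside the buffer -- confirm in StrnCpy. */
  StrnCpy(valid, lp_valid_users(snum), sizeof(pstring)-1);
  StrnCpy(invalid, lp_invalid_users(snum), sizeof(pstring)-1);
  string_sub(valid,"%S",lp_servicename(snum));
  string_sub(invalid,"%S",lp_servicename(snum));

  /* deny list first: a match is a hard reject */
  ret = !user_in_list(user,invalid);

  /* an allow list, when non-empty, must name the user */
  if (ret && *valid)
    ret = user_in_list(user,valid);

  if (ret && lp_onlyuser(snum)) {
    /* expand "%S" in a private copy, never in lp_username()'s buffer */
    StrnCpy(user_list, lp_username(snum), sizeof(pstring)-1);
    string_sub(user_list,"%S",lp_servicename(snum));
    ret = user_in_list(user,user_list);
  }

  return(ret);
}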
/****************************************************************************
 check for authority to login to a service with a given username/password

 Tries, in order, the ways a (user, password) pair may be accepted for
 share snum and on success copies the effective user name into user:
   - a previously registered guest vuser whose name and the given password
     now check out (the vuser is then marked non-guest);
   - each name in the global session_users list with the given password;
   - a previously validated non-guest vuser -- no password check on this
     path; it is skipped when "revalidate" is set and security is at or
     below share level;
   - a hosts.equiv/rhosts entry for user -- accepted with no password
     check at all, purely on host trust;
   - each entry of the share's "username =" list ("@group" entries go
     through validate_group()) with the given password;
   - finally the guest account when GUEST_OK(snum), which sets *guest and
     *force whether or not the account resolves.
 Whichever path accepted, the chosen name is re-checked with user_ok()
 before returning.

 NOTE(review): the text between the two '******' markers below is
 redacted/garbled in this copy.  Judging by the surviving fragments it held
 the tail of this comment, the lookup of the vuser for vuid (vuser is used
 below but never declared in the visible text), a gate opened before the
 "given username/password" check whose closing brace is the one marked
 "not guest only", and that first check itself -- confirm against a
 clean copy.
****************************************************************************/
BOOL authorise_login(int snum,char *user,char *password, int pwlen, BOOL *guest,BOOL *force,uint16 vuid)
{
  BOOL ok = False;

  *guest = False;

#if DEBUG_PASSWORD
  /* Writes the plaintext password to the debug log; DEBUG_PASSWORD must
     never be defined in a production build. */
  DEBUG(100,("checking authorisation on user=%s pass=%s\n",user,password));
#endif

  /* there are several possibilities:
     1) login as the given user with given password
     2) login as a previously registered username with the given password
     3) login as a session list username with the given password
     4) login as a previously validated user/password pair
     5) login as the "user ="******"user ="******"ACCEPTED: given username password ok\n"));
  }

  /* check for a previously registered guest username */
  /* vuser comes from the redacted region above; a guest vuser is upgraded
     to a real user only if both user_ok() and password_ok() pass. */
  if (!ok && (vuser != 0) && vuser->guest) {
    if (user_ok(vuser->name,snum) && password_ok(vuser->name, password, pwlen, NULL)) {
      pstrcpy(user, vuser->name);
      vuser->guest = False;
      DEBUG(3,("ACCEPTED: given password with registered user %s\n", user));
      ok = True;
    }
  }

  /* now check the list of session users */
  /* strtok() mutates its input, hence the strdup()'d copy (freed below);
     an allocation failure aborts the whole authorisation. */
  if (!ok) {
    char *auser;
    char *user_list = strdup(session_users);
    if (!user_list) return(False);
    for (auser=strtok(user_list,LIST_SEP); !ok && auser; auser = strtok(NULL,LIST_SEP)) {
      fstring user2;
      fstrcpy(user2,auser);
      if (!user_ok(user2,snum)) continue;
      if (password_ok(user2,password, pwlen, NULL)) {
        ok = True;
        pstrcpy(user,user2);
        DEBUG(3,("ACCEPTED: session list username and given password ok\n"));
      }
    }
    free(user_list);
  }

  /* check for a previously validated username/password pair */
  /* No password is checked here: a non-guest vuser is trusted on the
     strength of its earlier validation, unless "revalidate" is set for a
     share-level (or lower) security mode. */
  if (!ok && (!lp_revalidate(snum) || lp_security() > SEC_SHARE) && (vuser != 0) && !vuser->guest && user_ok(vuser->name,snum)) {
    pstrcpy(user,vuser->name);
    *guest = False;
    DEBUG(3,("ACCEPTED: validated uid ok as non-guest\n"));
    ok = True;
  }

  /* check for a rhosts entry */
  /* Host-trust path: access is granted without any password check when
     check_hosts_equiv() vouches for user. */
  if (!ok && user_ok(user,snum) && check_hosts_equiv(user)) {
    ok = True;
    DEBUG(3,("ACCEPTED: hosts equiv or rhosts entry\n"));
  }

  /* check the user= fields and the given password */
  /* NOTE(review): the bound passed here is sizeof(pstring), while the
     guestname copy below passes sizeof(buf)-1 to the same helper; if
     StrnCpy writes a terminator after n characters this one is off by
     one -- confirm in StrnCpy.  "%S" is expanded in this private copy, not
     in lp_username()'s own storage. */
  if (!ok && lp_username(snum)) {
    char *auser;
    pstring user_list;
    StrnCpy(user_list,lp_username(snum),sizeof(pstring));
    string_sub(user_list,"%S",lp_servicename(snum));
    for (auser=strtok(user_list,LIST_SEP); auser && !ok; auser = strtok(NULL,LIST_SEP)) {
      if (*auser == '@') {
        /* "@group": validate_group() picks a member whose password matches */
        auser = validate_group(auser+1,password,pwlen,snum);
        if (auser) {
          ok = True;
          pstrcpy(user,auser);
          DEBUG(3,("ACCEPTED: group username and given password ok\n"));
        }
      } else {
        fstring user2;
        fstrcpy(user2,auser);
        if (user_ok(user2,snum) && password_ok(user2,password,pwlen,NULL)) {
          ok = True;
          pstrcpy(user,user2);
          DEBUG(3,("ACCEPTED: user list username and given password ok\n"));
        }
      }
    }
  }
  } /* not guest only */ /* closes a block opened in the redacted region above */

  /* check for a normal guest connection */
  /* *guest and *force are set even when the guest account does not
     resolve; ok is only set when Get_Pwnam() succeeds. */
  if (!ok && GUEST_OK(snum)) {
    fstring guestname;
    StrnCpy(guestname,lp_guestaccount(snum),sizeof(guestname)-1);
    if (Get_Pwnam(guestname,True)) {
      pstrcpy(user,guestname);
      ok = True;
      DEBUG(3,("ACCEPTED: guest account and guest ok\n"));
    } else
      DEBUG(0,("Invalid guest account %s??\n",guestname));
    *guest = True;
    *force = True;
  }

  /* Final gate: whatever path accepted, the resulting name must itself
     pass the share's user lists. */
  if (ok && !user_ok(user,snum)) {
    DEBUG(0,("rejected invalid user %s\n",user));
    ok = False;
  }

  return(ok);
}
/*
 * Decide whether the (user, password) pair may open share snum, and on
 * success write the effective user name into user.  The visible paths,
 * tried in order until one accepts:
 *   - each name in the session user list with the given password;
 *   - each entry of the share's "username =" list ("@group" entries go
 *     through validate_group()) with the given password;
 *   - finally the global guest account when GUEST_OK(snum), which sets
 *     *guest whether or not the account resolves.
 * Whichever path accepted, the chosen name is re-checked with user_ok()
 * before returning.
 *
 * NOTE(review): the text between the two '******' markers below is
 * redacted/garbled in this copy.  Judging by the surviving fragments it
 * held the tail of the possibilities comment, the earlier acceptance paths
 * it enumerates (given user, registered user, previously validated pair)
 * and the start of the session-list block -- auser and user_list are used
 * below but never declared in the visible text, and the dangling `"");`
 * is the end of the call that allocated user_list.  Confirm against a
 * clean copy.
 */
BOOL authorise_login(int snum, fstring user, DATA_BLOB password, BOOL *guest)
{
	BOOL ok = False;

#ifdef DEBUG_PASSWORD
	/* Writes the plaintext password to the debug log; DEBUG_PASSWORD must
	 * never be defined in a production build.  NOTE(review): password.data
	 * is printed with %s -- nothing here shows the blob is NUL-terminated;
	 * confirm, or print with a length. */
	DEBUG(100,("authorise_login: checking authorisation on " "user=%s pass=%s\n", user,password.data));
#endif

	*guest = False;

	/* there are several possibilities:
	   1) login as the given user with given password
	   2) login as a previously registered username with the given password
	   3) login as a session list username with the given password
	   4) login as a previously validated user/password pair
	   5) login as the "user ="******"user ="******"");
		if (!user_list) return(False);
		/* strtok() mutates its input, so this runs on the copy in
		 * user_list, released with SAFE_FREE() below. */
		for (auser=strtok(user_list,LIST_SEP); !ok && auser; auser = strtok(NULL,LIST_SEP)) {
			fstring user2;
			fstrcpy(user2,auser);
			if (!user_ok(user2,snum)) continue;
			if (password_ok(user2,password)) {
				ok = True;
				fstrcpy(user,user2);
				DEBUG(3,("authorise_login: ACCEPTED: session " "list username (%s) and given " "password ok\n", user));
			}
		}
		SAFE_FREE(user_list);
	}

	/* check the user= fields and the given password */
	/* "%S" is expanded in a private pstring copy, never in the buffer
	 * lp_username() returns. */
	if (!ok && lp_username(snum)) {
		char *auser;
		pstring user_list;
		pstrcpy(user_list,lp_username(snum));
		pstring_sub(user_list,"%S",lp_servicename(snum));
		for (auser=strtok(user_list,LIST_SEP); auser && !ok; auser = strtok(NULL,LIST_SEP)) {
			if (*auser == '@') {
				/* "@group": validate_group() picks a member whose
				 * password matches, or returns NULL. */
				auser = validate_group(auser+1,password,snum);
				if (auser) {
					ok = True;
					fstrcpy(user,auser);
					DEBUG(3,("authorise_login: ACCEPTED: " "group username and given " "password ok (%s)\n", user));
				}
			} else {
				fstring user2;
				fstrcpy(user2,auser);
				if (user_ok(user2,snum) && password_ok(user2,password)) {
					ok = True;
					fstrcpy(user,user2);
					DEBUG(3,("authorise_login: ACCEPTED: " "user list username and " "given password ok (%s)\n", user));
				}
			}
		}
	}

	/* check for a normal guest connection */
	/* The guest account is global (lp_guestaccount() takes no share).
	 * *guest is set even when the account does not resolve; ok only
	 * when Get_Pwnam() succeeds. */
	if (!ok && GUEST_OK(snum)) {
		fstring guestname;
		fstrcpy(guestname,lp_guestaccount());
		if (Get_Pwnam(guestname)) {
			fstrcpy(user,guestname);
			ok = True;
			DEBUG(3,("authorise_login: ACCEPTED: guest account " "and guest ok (%s)\n", user));
		} else {
			DEBUG(0,("authorise_login: Invalid guest account " "%s??\n",guestname));
		}
		*guest = True;
	}

	/* Final gate: whatever path accepted, the resulting name must itself
	 * pass the share's user lists. */
	if (ok && !user_ok(user, snum)) {
		DEBUG(0,("authorise_login: rejected invalid user %s\n",user));
		ok = False;
	}

	return(ok);
}