/*
   Unix SMB/CIFS implementation.
   Check access based on valid users, read list and friends
   Copyright (C) Volker Lendecke 2005

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/
# include "includes.h"
# include "smbd/smbd.h"
# include "smbd/globals.h"
# include "../libcli/security/security.h"
/*
 * Check whether a user is contained in the list provided.
 *
 * Please note that the user name and share names are passed in here mainly
 * for the substitution routines that expand the parameter values; the
 * decision whether a user is in the list is made after a lookup_name on the
 * expanded parameter value, solely based on comparing the SIDs in token.
 *
 * The other use is the netgroup check when using @group or &group.
 */
bool token_contains_name_in_list(const char *username,
				 const char *domain,
				 const char *sharename,
				 const struct security_token *token,
				 const char **list,
				 bool *match)
{
	const char **entry = NULL;

	/*
	 * Contract: the return value is a status, not the answer.
	 * false means token_contains_name() failed for some entry
	 * (e.g. the name lookup could not be completed) and *match is
	 * left false; true means every needed entry was checked and
	 * *match tells whether the token is in the list.
	 */
	*match = false;

	/* A share without this parameter has nothing to match against. */
	if (list == NULL) {
		return true;
	}

	for (entry = list; *entry != NULL; entry++) {
		TALLOC_CTX *tmp_ctx = talloc_stackframe();
		bool ok = token_contains_name(tmp_ctx,
					      username,
					      domain,
					      sharename,
					      token,
					      *entry,
					      match);
		TALLOC_FREE(tmp_ctx);

		if (!ok) {
			/* Propagate the failure; callers treat it as a denial. */
			return false;
		}
		if (*match) {
			/* First hit decides; no need to scan the rest. */
			return true;
		}
	}

	return true;
}
/*
 * Check whether the user described by "token" has access to share snum.
 *
 * This looks at "invalid users" and "valid users".
 *
 * Please note that the user name and share names are passed in here mainly
 * for the substitution routines that expand the parameter values; the
 * decision whether a user is in the list is made after a lookup_name on the
 * expanded parameter value, solely based on comparing the SIDs in token.
 *
 * The other use is the netgroup check when using @group or &group.
 */
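bool user_ok_token(const char *username, const char *domain,
		   const struct security_token *token, int snum)
{
	const struct loadparm_substitution *lp_sub =
		loadparm_s3_global_substitution();
	/*
	 * The expanded share name is needed by both list checks and the
	 * final debug line; expand it once on the talloc stack frame
	 * instead of once per use.
	 */
	const char *servicename = lp_servicename(talloc_tos(), lp_sub, snum);
	const char **invalid_users = lp_invalid_users(snum);
	const char **valid_users = lp_valid_users(snum);
	bool match = false;
	bool ok;

	/*
	 * Returns true if the share may be connected, false otherwise.
	 * A false from token_contains_name_in_list() is a lookup failure,
	 * not a "not listed" answer; it is turned into a denial so that a
	 * broken lookup never widens access.
	 */

	/* "invalid users" is a deny list: any hit denies access. */
	if (invalid_users != NULL) {
		ok = token_contains_name_in_list(username,
						 domain,
						 servicename,
						 token,
						 invalid_users,
						 &match);
		if (!ok) {
			return false;
		}
		if (match) {
			DEBUG(10, ("User %s in 'invalid users'\n", username));
			return false;
		}
	}

	/* "valid users" is an allow list: a miss denies access. */
	if (valid_users != NULL) {
		ok = token_contains_name_in_list(username,
						 domain,
						 servicename,
						 token,
						 valid_users,
						 &match);
		if (!ok) {
			return false;
		}
		if (!match) {
			DEBUG(10, ("User %s not in 'valid users'\n",
				   username));
			return false;
		}
	}

	DEBUG(10, ("user_ok_token: share %s is ok for unix user %s\n",
		   servicename, username));
	return true;
}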
/*
 * Check whether the user described by "token" is restricted to read-only
 * access on share snum.
 *
 * This looks at "read list", "write list" and "read only".
 *
 * Please note that the user name and share names are passed in here mainly
 * for the substitution routines that expand the parameter values; the
 * decision whether a user is in the list is made after a lookup_name on the
 * expanded parameter value, solely based on comparing the SIDs in token.
 *
 * The other use is the netgroup check when using @group or &group.
 */
bool is_share_read_only_for_token ( const char * username ,
const char * domain ,
const struct security_token * token ,
smbd: return errors from token_contains_name()
Invalid names in "valid users", "invalid users", "read list", "write list",
"veto files" and "hide files" are logged and ignored, but a failure to contact
winbind or a DC from winbind, or a memory allocation failure, now all trigger a
failure of the tree connect.
Manually tested with smbclient with the following hack in winbindd:
---8<---
$ git di
source3/winbindd/winbindd_cache.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/source3/winbindd/winbindd_cache.c b/source3/winbindd/winbindd_cache.c
index c889489dbbbc..8ccf0a28e11a 100644
--- a/source3/winbindd/winbindd_cache.c
+++ b/source3/winbindd/winbindd_cache.c
@@ -1821,6 +1821,13 @@ NTSTATUS wb_cache_name_to_sid(struct winbindd_domain *domain,
ZERO_STRUCTP(sid);
*type = SID_NAME_UNKNOWN;
+ if (strequal(name, "unknown")) {
+ return NT_STATUS_OK;
+ }
+ if (strequal(name, "iotimeout")) {
+ return NT_STATUS_IO_TIMEOUT;
+ }
+
status = wcache_name_to_sid(domain, domain_name, name, sid, type);
if (!NT_STATUS_EQUAL(status, NT_STATUS_NOT_FOUND)) {
return status;
---8<---
veto files = ../unknown/file1/../slow/file2
$ bin/smbclient -U slow%x //localhost/test -c quit
$
In the log:
[2024/03/04 15:21:33.659356, 1, pid=977167, effective(0, 0), real(0, 0)] ../../source3/lib/util_namearray.c:128(token_contains_name)
token_contains_name: lookup_name 'unknown' failed
veto files = ../iotimeout/file1/../slow/file2
$ bin/smbclient -U slow%x //localhost/test -c quit
tree connect failed: NT_STATUS_LOGON_FAILURE
$
[2024/03/04 15:22:15.655811, 0, pid=977177, effective(0, 0), real(0, 0)] ../../source3/lib/util_namearray.c:131(token_contains_name)
token_contains_name: lookup_name 'iotimeout' failed NT_STATUS_NO_SUCH_DOMAIN
[2024/03/04 15:22:15.655846, 1, pid=977177, effective(0, 0), real(0, 0)] ../../source3/smbd/uid.c:381(change_to_user_impersonate)
change_to_user_impersonate: SMB user slow (unix user slow) not permitted access to share test.
[2024/03/04 15:22:15.655855, 0, pid=977177, effective(0, 0), real(0, 0)] ../../source3/smbd/smb2_service.c:689(make_connection_snum)
make_connection_snum: Can't become connected user!
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-02-02 08:10:54 +01:00
connection_struct * conn ,
bool * _read_only )
2006-02-03 22:19:41 +00:00
{
2019-11-07 11:01:05 +01:00
const struct loadparm_substitution * lp_sub =
loadparm_s3_global_substitution ( ) ;
2008-11-17 14:13:20 -08:00
int snum = SNUM ( conn ) ;
bool read_only = conn - > read_only ;
bool match ;
bool ok ;
2006-02-03 22:19:41 +00:00
2014-02-04 15:09:10 +13:00
if ( lp_read_list ( snum ) ! = NULL ) {
ok = token_contains_name_in_list ( username , domain ,
lp_servicename ( talloc_tos ( ) , lp_sub , snum ) ,
token ,
lp_read_list ( snum ) ,
& match ) ;
if ( ! ok ) {
return false ;
}
if ( match ) {
read_only = true ;
2006-02-03 22:19:41 +00:00
}
}
2014-02-04 15:09:11 +13:00
if ( lp_write_list ( snum ) ! = NULL ) {
ok = token_contains_name_in_list ( username , domain ,
lp_servicename ( talloc_tos ( ) , lp_sub , snum ) ,
token ,
lp_write_list ( snum ) ,
& match ) ;
if ( ! ok ) {
return false ;
}
if ( match ) {
read_only = false ;
2006-02-03 22:19:41 +00:00
}
}
DEBUG ( 10 , ( " is_share_read_only_for_user: share %s is %s for unix user "
2019-11-07 11:01:05 +01:00
" %s \n " , lp_servicename ( talloc_tos ( ) , lp_sub , snum ) ,
read_only ? " read-only " : " read-write " , username ) ) ;
2006-02-03 22:19:41 +00:00
* _read_only = read_only ;
return true ;
2006-02-03 22:19:41 +00:00
}