
Andrew - please look this over. I've fixed a long standing (maybe 4-5

years old) bug when chaining a sessionsetup_and_X and tcon together.
The wrong username was being entered into the tdb, even though the
correct user was used for accessing files. This is related to the fact
that authorise_login() is not used for sessionsetup, but only for tcon
auths.
Jeremy.
This commit is contained in:
Jeremy Allison 0001-01-01 00:00:00 +00:00
parent bbfbe03cc6
commit 0187cd6aef
2 changed files with 162 additions and 135 deletions


@ -765,171 +765,182 @@ static char *validate_group(char *group,char *password,int pwlen,int snum)
return(NULL);
}
/****************************************************************************
check for authority to login to a service with a given username/password
Check for authority to login to a service with a given username/password.
Note this is *NOT* used when logging on using sessionsetup_and_X.
****************************************************************************/
BOOL authorise_login(int snum,char *user,char *password, int pwlen,
BOOL *guest,BOOL *force,uint16 vuid)
{
BOOL ok = False;
user_struct *vuser = get_valid_user_struct(vuid);
if (lp_security() > SEC_SHARE && !vuser) {
DEBUG(1,("authorise_login: refusing user %s with no session setup\n",
user));
return False;
}
*guest = False;
BOOL ok = False;
user_struct *vuser = get_valid_user_struct(vuid);
#if DEBUG_PASSWORD
DEBUG(100,("checking authorisation on user=%s pass=%s\n",user,password));
DEBUG(100,("authorise_login: checking authorisation on user=%s pass=%s\n",
user,password));
#endif
/* there are several possibilities:
1) login as the given user with given password
2) login as a previously registered username with the given password
3) login as a session list username with the given password
4) login as a previously validated user/password pair
5) login as the "user =" user with given password
6) login as the "user =" user with no password (guest connection)
7) login as guest user with no password
*guest = False;
if the service is guest_only then steps 1 to 5 are skipped
*/
if (GUEST_ONLY(snum))
*force = True;
if (GUEST_ONLY(snum)) *force = True;
if (!GUEST_ONLY(snum) && (lp_security() > SEC_SHARE)) {
if (!(GUEST_ONLY(snum) && GUEST_OK(snum)))
{
/* check the given username and password */
if (!ok && (*user) && user_ok(user,snum)) {
ok = password_ok(user,password, pwlen, NULL);
if (ok) DEBUG(3,("ACCEPTED: given username password ok\n"));
}
/*
* We should just use the given vuid from a sessionsetup_and_X.
*/
/* check for a previously registered guest username */
if (!ok && (vuser != 0) && vuser->guest) {
if (user_ok(vuser->user.unix_name,snum) &&
password_ok(vuser->user.unix_name, password, pwlen, NULL)) {
fstrcpy(user, vuser->user.unix_name);
vuser->guest = False;
DEBUG(3,("ACCEPTED: given password with registered user %s\n", user));
ok = True;
if (!vuser) {
DEBUG(1,("authorise_login: refusing user %s with no session setup\n",
user));
return False;
}
if (!vuser->guest && user_ok(vuser->user.unix_name,snum)) {
fstrcpy(user,vuser->user.unix_name);
*guest = False;
DEBUG(3,("authorise_login: ACCEPTED: validated uid ok as non-guest \
(user=%s)\n", user));
return True;
}
}
}
/* there are several possibilities:
1) login as the given user with given password
2) login as a previously registered username with the given password
3) login as a session list username with the given password
4) login as a previously validated user/password pair
5) login as the "user =" user with given password
6) login as the "user =" user with no password (guest connection)
7) login as guest user with no password
/* now check the list of session users */
if (!ok)
{
char *auser;
char *user_list = strdup(session_users);
if (!user_list) return(False);
if the service is guest_only then steps 1 to 5 are skipped
*/
for (auser=strtok(user_list,LIST_SEP);
!ok && auser;
auser = strtok(NULL,LIST_SEP))
{
fstring user2;
fstrcpy(user2,auser);
if (!user_ok(user2,snum)) continue;
if (!(GUEST_ONLY(snum) && GUEST_OK(snum))) {
/* check the given username and password */
if (!ok && (*user) && user_ok(user,snum)) {
ok = password_ok(user,password, pwlen, NULL);
if (ok)
DEBUG(3,("authorise_login: ACCEPTED: given username (%s) password ok\n",
user ));
}
if (password_ok(user2,password, pwlen, NULL)) {
ok = True;
fstrcpy(user,user2);
DEBUG(3,("ACCEPTED: session list username and given password ok\n"));
}
}
free(user_list);
}
/* check for a previously registered guest username */
if (!ok && (vuser != 0) && vuser->guest) {
if (user_ok(vuser->user.unix_name,snum) &&
password_ok(vuser->user.unix_name, password, pwlen, NULL)) {
fstrcpy(user, vuser->user.unix_name);
vuser->guest = False;
DEBUG(3,("authorise_login: ACCEPTED: given password with registered user %s\n", user));
ok = True;
}
}
/* check for a previously validated username/password pair */
if (!ok && (lp_security() > SEC_SHARE) &&
(vuser != 0) && !vuser->guest &&
user_ok(vuser->user.unix_name,snum)) {
fstrcpy(user,vuser->user.unix_name);
*guest = False;
DEBUG(3,("ACCEPTED: validated uid ok as non-guest\n"));
ok = True;
}
/* now check the list of session users */
if (!ok) {
char *auser;
char *user_list = strdup(session_users);
if (!user_list)
return(False);
/* check for a rhosts entry */
if (!ok && user_ok(user,snum) && check_hosts_equiv(user)) {
ok = True;
DEBUG(3,("ACCEPTED: hosts equiv or rhosts entry\n"));
}
for (auser=strtok(user_list,LIST_SEP); !ok && auser;
auser = strtok(NULL,LIST_SEP)) {
fstring user2;
fstrcpy(user2,auser);
if (!user_ok(user2,snum))
continue;
/* check the user= fields and the given password */
if (!ok && lp_username(snum)) {
char *auser;
pstring user_list;
StrnCpy(user_list,lp_username(snum),sizeof(pstring));
if (password_ok(user2,password, pwlen, NULL)) {
ok = True;
fstrcpy(user,user2);
DEBUG(3,("authorise_login: ACCEPTED: session list username (%s) \
and given password ok\n", user));
}
}
pstring_sub(user_list,"%S",lp_servicename(snum));
free(user_list);
}
for (auser=strtok(user_list,LIST_SEP);
auser && !ok;
auser = strtok(NULL,LIST_SEP))
{
if (*auser == '@')
{
auser = validate_group(auser+1,password,pwlen,snum);
if (auser)
{
ok = True;
fstrcpy(user,auser);
DEBUG(3,("ACCEPTED: group username and given password ok\n"));
}
}
else
{
fstring user2;
fstrcpy(user2,auser);
if (user_ok(user2,snum) &&
password_ok(user2,password,pwlen,NULL))
{
ok = True;
fstrcpy(user,user2);
DEBUG(3,("ACCEPTED: user list username and given password ok\n"));
}
}
}
}
} /* not guest only */
/* check for a previously validated username/password pair */
if (!ok && (lp_security() > SEC_SHARE) && (vuser != 0) && !vuser->guest &&
user_ok(vuser->user.unix_name,snum)) {
fstrcpy(user,vuser->user.unix_name);
*guest = False;
DEBUG(3,("authorise_login: ACCEPTED: validated uid (%s) as non-guest\n",
user));
ok = True;
}
/* check for a normal guest connection */
if (!ok && GUEST_OK(snum))
{
fstring guestname;
StrnCpy(guestname,lp_guestaccount(snum),sizeof(guestname)-1);
if (Get_Pwnam(guestname,True))
{
fstrcpy(user,guestname);
ok = True;
DEBUG(3,("ACCEPTED: guest account and guest ok\n"));
/* check for a rhosts entry */
if (!ok && user_ok(user,snum) && check_hosts_equiv(user)) {
ok = True;
DEBUG(3,("authorise_login: ACCEPTED: hosts equiv or rhosts entry for %s\n",
user));
}
/* check the user= fields and the given password */
if (!ok && lp_username(snum)) {
char *auser;
pstring user_list;
StrnCpy(user_list,lp_username(snum),sizeof(pstring));
pstring_sub(user_list,"%S",lp_servicename(snum));
for (auser=strtok(user_list,LIST_SEP); auser && !ok;
auser = strtok(NULL,LIST_SEP)) {
if (*auser == '@') {
auser = validate_group(auser+1,password,pwlen,snum);
if (auser) {
ok = True;
fstrcpy(user,auser);
DEBUG(3,("authorise_login: ACCEPTED: group username \
and given password ok (%s)\n", user));
}
} else {
fstring user2;
fstrcpy(user2,auser);
if (user_ok(user2,snum) && password_ok(user2,password,pwlen,NULL)) {
ok = True;
fstrcpy(user,user2);
DEBUG(3,("authorise_login: ACCEPTED: user list username \
and given password ok (%s)\n", user));
}
}
}
}
} /* not guest only */
/* check for a normal guest connection */
if (!ok && GUEST_OK(snum)) {
fstring guestname;
StrnCpy(guestname,lp_guestaccount(snum),sizeof(guestname)-1);
if (Get_Pwnam(guestname,True)) {
fstrcpy(user,guestname);
ok = True;
DEBUG(3,("authorise_login: ACCEPTED: guest account and guest ok (%s)\n",
user));
} else {
DEBUG(0,("authorise_login: Invalid guest account %s??\n",guestname));
}
*guest = True;
}
else
DEBUG(0,("Invalid guest account %s??\n",guestname));
*guest = True;
}
if (ok && !user_ok(user,snum))
{
DEBUG(0,("rejected invalid user %s\n",user));
ok = False;
}
if (ok && !user_ok(user,snum)) {
DEBUG(0,("authorise_login: rejected invalid user %s\n",user));
ok = False;
}
return(ok);
return(ok);
}
/****************************************************************************
read the a hosts.equiv or .rhosts file and check if it
allows this user from this machine
Read the a hosts.equiv or .rhosts file and check if it
allows this user from this machine.
****************************************************************************/
static BOOL check_user_equiv(char *user, char *remote, char *equiv_file)
{
int plus_allowed = 1;
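Review bot: The new early-accept block in authorise_login (`if (!vuser->guest && user_ok(vuser->user.unix_name,snum)) { fstrcpy(user,...); ...; return True; }` near the top of the hunk) overwrites the caller-supplied `user` with the session's unix_name and returns without ever looking at the supplied password, and the "refusing user ... with no session setup" check has moved inside `if (!GUEST_ONLY(snum) && (lp_security() > SEC_SHARE))`, so a guest-only share with no session setup now appears to fall through to the guest path instead of being refused; neither precedence rule is stated in the function header, which only says the routine is not used for sessionsetup_and_X. I would extend the header comment with `Under user-level security a valid non-guest vuid wins: the tcon's user/password are replaced by the session's unix_name and are not re-checked; guest-only shares are exempt from the no-session refusal.` The `*guest = False;` inside that early-accept block repeats the assignment made just before the guard and can be dropped. Because the +/- markers are lost on this rendered page, the old/new split above is inferred from the duplicated lines (the new ones carry the `authorise_login:` log prefix); please confirm against the raw diff.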


@ -205,6 +205,14 @@ int reply_tcon(connection_struct *conn,
pstrcpy(service, p+1);
}
/*
* If the vuid is valid, we should be using that....
*/
if (*user == '\0' && (lp_security() != SEC_SHARE) && validated_username(vuid)) {
pstrcpy(user,validated_username(vuid));
}
/*
* Ensure the user and password names are in UNIX codepage format.
*/
@ -247,6 +255,7 @@ int reply_tcon(connection_struct *conn,
/****************************************************************************
Reply to a tcon and X.
****************************************************************************/
int reply_tcon_and_X(connection_struct *conn, char *inbuf,char *outbuf,int length,int bufsize)
{
fstring service;
@ -298,6 +307,14 @@ int reply_tcon_and_X(connection_struct *conn, char *inbuf,char *outbuf,int lengt
DEBUG(4,("Got device type %s\n",devicename));
/*
* If the vuid is valid, we should be using that....
*/
if (*user == '\0' && (lp_security() != SEC_SHARE) && validated_username(vuid)) {
pstrcpy(user,validated_username(vuid));
}
/*
* Pass the user through the NT -> unix user mapping
* function.
@ -1066,7 +1083,6 @@ int reply_sesssetup_and_X(connection_struct *conn, char *inbuf,char *outbuf,int
return chain_reply(inbuf,outbuf,length,bufsize);
}
/****************************************************************************
reply to a chkpth
****************************************************************************/
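Review bot: The vuid fallback added to reply_tcon (`if (*user == '\0' && (lp_security() != SEC_SHARE) && validated_username(vuid)) { pstrcpy(user,validated_username(vuid)); }`) is pasted verbatim into reply_tcon_and_X in the next hunk and calls `validated_username(vuid)` twice on the path it takes; evaluate it once, e.g. `char *vname = validated_username(vuid);` followed by `if (*user == '\0' && (lp_security() != SEC_SHARE) && vname) pstrcpy(user, vname);`, or lift the block into one static helper shared by both reply functions. The condition is also written as `lp_security() != SEC_SHARE` here while the companion change in authorise_login uses `lp_security() > SEC_SHARE`; if both are meant to express "user-level or stronger", one form should be used so the two sites cannot drift. In reply_tcon the copied name then goes through the "UNIX codepage" step and in reply_tcon_and_X through the NT-to-unix mapping that follows the hunk; presumably the validated name is already a unix name, so it is worth confirming that re-mapping it is harmless. Both enclosing functions start before their hunks.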