s3-auth Remove seperate guest boolean

Instead, we base our guest calculations on the presence or absense of the
authenticated users group in the token, ensuring that we have only
one canonical source of this important piece of authorization data

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>

librpc/idl/auth.idl

@@ -65,7 +65,6 @@ interface auth
 		/* These match exactly the values from the
 		 * auth_serversupplied_info, but should be changed to
 		 * checks involving just the SIDs */
-		boolean8 guest;
 		boolean8 system;
 
 		[unique,charset(UTF8),string] char *unix_name;

source3/Makefile.in

@@ -466,7 +466,7 @@ LIB_OBJ = $(LIBSAMBAUTIL_OBJ) $(UTIL_OBJ) $(CRYPTO_OBJ) $(LIBTSOCKET_OBJ) \
 	  lib/ldap_escape.o @CHARSET_STATIC@ \
 	  ../libcli/security/secdesc.o ../libcli/security/access_check.o \
 	  ../libcli/security/secace.o ../libcli/security/object_tree.o \
-	  ../libcli/security/sddl.o \
+	  ../libcli/security/sddl.o ../libcli/security/session.o \
 	  ../libcli/security/secacl.o @PTHREADPOOL_OBJ@ \
 	  lib/fncall.o \
 	  libads/krb5_errs.o lib/system_smbd.o lib/audit.o $(LIBNDR_OBJ) \

source3/auth/auth_util.c

@@ -504,7 +504,6 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
 		return NT_STATUS_NO_MEMORY;
 	}
 
-	session_info->unix_info->guest = server_info->guest;
 	session_info->unix_info->system = server_info->system;
 
 	if (session_key) {
@@ -993,8 +992,8 @@ static struct auth_serversupplied_info *copy_session_info_serverinfo_guest(TALLO
 	/* This element must be provided to convert back to an auth_serversupplied_info */
 	SMB_ASSERT(src->unix_info);
 
-	dst->guest = src->unix_info->guest;
-	dst->system = src->unix_info->system;
+	dst->guest = true;
+	dst->system = false;
 
 	/* This element must be provided to convert back to an
 	 * auth_serversupplied_info.  This needs to be from hte

source3/rpc_server/lsa/srv_lsa_nt.c

@@ -2400,7 +2400,7 @@ NTSTATUS _lsa_GetUserName(struct pipes_struct *p,
 		return NT_STATUS_INVALID_PARAMETER;
 	}
 
-	if (p->session_info->unix_info->guest) {
+	if (security_session_user_level(p->session_info, NULL) < SECURITY_USER) {
 		/*
 		 * I'm 99% sure this is not the right place to do this,
 		 * global_sid_Anonymous should probably be put into the token

source3/rpc_server/rpc_handles.c

@@ -25,6 +25,7 @@
 #include "auth.h"
 #include "ntdomain.h"
 #include "rpc_server/rpc_ncacn_np.h"
+#include "../libcli/security/security.h"
 
 #undef DBGC_CLASS
 #define DBGC_CLASS DBGC_RPC_SRV
@@ -346,7 +347,7 @@ bool pipe_access_check(struct pipes_struct *p)
 			return True;
 		}
 
-		if (p->session_info->unix_info->guest) {
+		if (security_session_user_level(p->session_info, NULL) < SECURITY_USER) {
 			return False;
 		}
 	}

source3/smbd/lanman.c

@@ -5857,7 +5857,7 @@ void api_reply(connection_struct *conn, uint16 vuid,
 	if (api_commands[i].auth_user && lp_restrict_anonymous()) {
 		user_struct *user = get_valid_user_struct(req->sconn, vuid);
 
-		if (!user || user->session_info->unix_info->guest) {
+		if (!user || security_session_user_level(user->session_info, NULL) < SECURITY_USER) {
 			reply_nterror(req, NT_STATUS_ACCESS_DENIED);
 			return;
 		}

source3/smbd/password.c

@@ -24,6 +24,7 @@
 #include "smbd/globals.h"
 #include "../librpc/gen_ndr/netlogon.h"
 #include "auth.h"
+#include "../libcli/security/security.h"
 
 /* Fix up prototypes for OSX 10.4, where they're missing */
 #ifndef HAVE_SETNETGRENT_PROTOTYPE
@@ -269,6 +270,7 @@ int register_existing_vuid(struct smbd_server_connection *sconn,
 {
 	fstring tmp;
 	user_struct *vuser;
+	bool guest = security_session_user_level(session_info, NULL) < SECURITY_USER;
 
 	vuser = get_partial_auth_user_struct(sconn, vuid);
 	if (!vuser) {
@@ -294,7 +296,7 @@ int register_existing_vuid(struct smbd_server_connection *sconn,
 		  vuser->session_info->unix_info->unix_name,
 		  vuser->session_info->unix_info->sanitized_username,
 		  vuser->session_info->info->domain_name,
-		  vuser->session_info->unix_info->guest ));
+		  guest));
 
 	DEBUG(3, ("register_existing_vuid: User name: %s\t"
 		  "Real name: %s\n", vuser->session_info->unix_info->unix_name,
@@ -328,13 +330,14 @@ int register_existing_vuid(struct smbd_server_connection *sconn,
 
 	vuser->homes_snum = -1;
 
-	if (!vuser->session_info->unix_info->guest) {
+
+	if (!guest) {
 		vuser->homes_snum = register_homes_share(
 			vuser->session_info->unix_info->unix_name);
 	}
 
 	if (srv_is_signing_negotiated(sconn) &&
-	    !vuser->session_info->unix_info->guest) {
+	    !guest) {
 		/* Try and turn on server signing on the first non-guest
 		 * sessionsetup. */
 		srv_set_signing(sconn,

source3/smbd/service.c

@@ -394,8 +394,8 @@ static NTSTATUS create_connection_session_info(struct smbd_server_connection *sc
                  * This is the normal security != share case where we have a
                  * valid vuid from the session setup.                 */
 
-                if (vuid_serverinfo->unix_info->guest) {
-                        if (!lp_guest_ok(snum)) {
+		if (security_session_user_level(vuid_serverinfo, NULL) < SECURITY_USER) {
+                      if (!lp_guest_ok(snum)) {
                                 DEBUG(2, ("guest user (from session setup) "
                                           "not permitted to access this share "
                                           "(%s)\n", lp_servicename(snum)));
@@ -467,6 +467,7 @@ NTSTATUS set_conn_force_user_group(connection_struct *conn, int snum)
 
 		char *fuser;
 		struct auth_session_info *forced_serverinfo;
+		bool guest;
 
 		fuser = talloc_string_sub(conn, lp_force_user(snum), "%S",
 					  lp_const_servicename(snum));
@@ -474,8 +475,11 @@ NTSTATUS set_conn_force_user_group(connection_struct *conn, int snum)
 			return NT_STATUS_NO_MEMORY;
 		}
 
+		guest = security_session_user_level(conn->session_info, NULL) < SECURITY_USER;
+
 		status = make_session_info_from_username(
-			conn, fuser, conn->session_info->unix_info->guest,
+			conn, fuser,
+			guest,
 			&forced_serverinfo);
 		if (!NT_STATUS_IS_OK(status)) {
 			return status;

source3/smbd/session.c

@@ -33,6 +33,7 @@
 #include "session.h"
 #include "auth.h"
 #include "../lib/tsocket/tsocket.h"
+#include "../libcli/security/security.h"
 
 /********************************************************************
  called when a session is created
@@ -53,7 +54,7 @@ bool session_claim(struct smbd_server_connection *sconn, user_struct *vuser)
 
 	/* don't register sessions for the guest user - its just too
 	   expensive to go through pam session code for browsing etc */
-	if (vuser->session_info->unix_info->guest) {
+	if (security_session_user_level(vuser->session_info, NULL) < SECURITY_USER) {
 		return True;
 	}
 

source3/smbd/sesssetup.c

@@ -35,6 +35,7 @@
 #include "auth.h"
 #include "messages.h"
 #include "smbprofile.h"
+#include "../libcli/security/security.h"
 
 /* For split krb5 SPNEGO blobs. */
 struct pending_auth_data {
@@ -441,7 +442,7 @@ static void reply_spnego_kerberos(struct smb_request *req,
 
 		SSVAL(req->outbuf, smb_vwv3, 0);
 
-		if (session_info->unix_info->guest) {
+		if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
 			SSVAL(req->outbuf,smb_vwv2,1);
 		}
 
@@ -535,7 +536,7 @@ static void reply_spnego_ntlmssp(struct smb_request *req,
 
 		SSVAL(req->outbuf, smb_vwv3, 0);
 
-		if (session_info->unix_info->guest) {
+		if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
 			SSVAL(req->outbuf,smb_vwv2,1);
 		}
 	}
@@ -1702,7 +1703,7 @@ void reply_sesssetup_and_X(struct smb_request *req)
 		/* perhaps grab OS version here?? */
 	}
 
-	if (session_info->unix_info->guest) {
+	if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
 		SSVAL(req->outbuf,smb_vwv2,1);
 	}
 

source3/smbd/smb2_sesssetup.c

@@ -31,6 +31,7 @@
 #include "../lib/util/asn1.h"
 #include "auth.h"
 #include "../lib/tsocket/tsocket.h"
+#include "../libcli/security/security.h"
 
 static NTSTATUS smbd_smb2_session_setup(struct smbd_smb2_request *smb2req,
 					uint64_t in_session_id,
@@ -253,7 +254,7 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
 		session->do_signing = true;
 	}
 
-	if (session->session_info->unix_info->guest) {
+	if (security_session_user_level(session->session_info, NULL) < SECURITY_USER) {
 		/* we map anonymous to guest internally */
 		*out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
 		*out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
@@ -280,7 +281,7 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
 	session->session_info->unix_info->sanitized_username =
 				talloc_strdup(session->session_info, tmp);
 
-	if (!session->session_info->unix_info->guest) {
+	if (security_session_user_level(session->session_info, NULL) >= SECURITY_USER) {
 		session->compat_vuser->homes_snum =
 			register_homes_share(session->session_info->unix_info->unix_name);
 	}
@@ -460,7 +461,7 @@ static NTSTATUS smbd_smb2_common_ntlmssp_auth_return(struct smbd_smb2_session *s
 		session->do_signing = true;
 	}
 
-	if (session->session_info->unix_info->guest) {
+	if (security_session_user_level(session->session_info, NULL) < SECURITY_USER) {
 		/* we map anonymous to guest internally */
 		*out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
 		*out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
@@ -491,7 +492,7 @@ static NTSTATUS smbd_smb2_common_ntlmssp_auth_return(struct smbd_smb2_session *s
 	session->session_info->unix_info->sanitized_username = talloc_strdup(
 		session->session_info, tmp);
 
-	if (!session->compat_vuser->session_info->unix_info->guest) {
+	if (security_session_user_level(session->session_info, NULL) >= SECURITY_USER) {
 		session->compat_vuser->homes_snum =
 			register_homes_share(session->session_info->unix_info->unix_name);
 	}