r7395: * new feature 'map to guest = bad uid' (based on patch from

aruna.prabakar@hp.com).

This re-enables the Samba 2.2 behavior where a user that was
successfully authenticated by a remote DC would be mapped
to the guest account if there was not existing UNIX account
for that user and we could not create one.

source/auth/auth.c

@@ -279,6 +279,8 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context,
 		}
 	}
 
+	/* successful authentication */
+	
 	if (NT_STATUS_IS_OK(nt_status)) {
 		unix_username = (*server_info)->unix_name;
 		if (!(*server_info)->guest) {
@@ -304,14 +306,22 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context,
 			       user_info->internal_username.str, 
 			       unix_username));
 		}
+		
+		return nt_status;
 	}
-
+	
-	if (!NT_STATUS_IS_OK(nt_status)) {
+	/* failed authentication; check for guest lapping */
+	
+	if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) {
+	 	make_server_info_guest(server_info); 
+		nt_status = NT_STATUS_OK;
+	 } else {
 		DEBUG(2, ("check_ntlm_password:  Authentication for user [%s] -> [%s] FAILED with error %s\n", 
-			  user_info->smb_name.str, user_info->internal_username.str, 
+	  	user_info->smb_name.str, user_info->internal_username.str, 
-			  nt_errstr(nt_status)));
+	  	nt_errstr(nt_status)));
-		ZERO_STRUCTP(server_info);
+		ZERO_STRUCTP(server_info); 
 	}
+	
 	return nt_status;
 }
 

source/include/smb.h

@@ -1648,12 +1648,6 @@ struct unix_error_map {
 	NTSTATUS nt_error;
 };
 
-/*
-#include "ntdomain.h"
-
-#include "client.h"
-*/
-
 /*
  * Size of new password account encoding string.  This is enough space to
  * hold 11 ACB characters, plus the surrounding [] and a terminating null.
@@ -1683,9 +1677,10 @@ struct unix_error_map {
    level security.
 */
 
-#define NEVER_MAP_TO_GUEST 0
+#define NEVER_MAP_TO_GUEST 		0
-#define MAP_TO_GUEST_ON_BAD_USER 1
+#define MAP_TO_GUEST_ON_BAD_USER 	1
-#define MAP_TO_GUEST_ON_BAD_PASSWORD 2
+#define MAP_TO_GUEST_ON_BAD_PASSWORD 	2
+#define MAP_TO_GUEST_ON_BAD_UID 	3
 
 #define SAFE_NETBIOS_CHARS ". -_"
 

source/param/loadparm.c

@@ -763,6 +763,7 @@ static const struct enum_list enum_map_to_guest[] = {
 	{NEVER_MAP_TO_GUEST, "Never"},
 	{MAP_TO_GUEST_ON_BAD_USER, "Bad User"},
 	{MAP_TO_GUEST_ON_BAD_PASSWORD, "Bad Password"},
+        {MAP_TO_GUEST_ON_BAD_UID, "Bad Uid"},
 	{-1, NULL}
 };
 

source/smbd/sesssetup.c

@@ -144,7 +144,7 @@ static int reply_spnego_kerberos(connection_struct *conn,
 	char *client, *p, *domain;
 	fstring netbios_domain_name;
 	struct passwd *pw;
-	char *user;
+	fstring user;
 	int sess_vuid;
 	NTSTATUS ret;
 	DATA_BLOB auth_data;
@@ -154,6 +154,7 @@ static int reply_spnego_kerberos(connection_struct *conn,
 	uint8 tok_id[2];
 	DATA_BLOB nullblob = data_blob(NULL, 0);
 	fstring real_username;
+	BOOL map_domainuser_to_guest = False;
 
 	ZERO_STRUCT(ticket);
 	ZERO_STRUCT(auth_data);
@@ -238,37 +239,52 @@ static int reply_spnego_kerberos(connection_struct *conn,
 		}
 	}
 
-	asprintf(&user, "%s%c%s", domain, *lp_winbind_separator(), client);
+	fstr_sprintf(user, "%s%c%s", domain, *lp_winbind_separator(), client);
 	
 	/* lookup the passwd struct, create a new user if necessary */
 
 	map_username( user );
 
 	pw = smb_getpwnam( user, real_username, True );
-	
 	if (!pw) {
-		DEBUG(1,("Username %s is invalid on this system\n",user));
+
-		SAFE_FREE(user);
+		/* this was originally the behavior of Samba 2.2, if a user
-		SAFE_FREE(client);
+		   did not have a local uid but has been authenticated, then 
-		data_blob_free(&ap_rep);
+		   map them to a guest account */
-		data_blob_free(&session_key);
+
-		return ERROR_NT(NT_STATUS_LOGON_FAILURE);
+		if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID){ 
+			map_domainuser_to_guest = True;
+			fstrcpy(user,lp_guestaccount());
+			pw = smb_getpwnam( user, real_username, True );
+		} 
+
+		/* extra sanity check that the guest account is valid */
+
+		if ( !pw ) {
+			DEBUG(1,("Username %s is invalid on this system\n", user));
+			SAFE_FREE(client);
+			data_blob_free(&ap_rep);
+			data_blob_free(&session_key);
+			return ERROR_NT(NT_STATUS_LOGON_FAILURE);
+		}
 	}
 
 	/* setup the string used by %U */
 	
 	sub_set_smb_name( real_username );
 	reload_services(True);
-	
+	if ( map_domainuser_to_guest ) {
-	if (!NT_STATUS_IS_OK(ret = make_server_info_pw(&server_info, real_username, pw))) 
+		make_server_info_guest(&server_info);
-	{
+	} else {
-		DEBUG(1,("make_server_info_from_pw failed!\n"));
+		ret = make_server_info_pw(&server_info, real_username, pw);
-		SAFE_FREE(user);
+		if ( !NT_STATUS_IS_OK(ret) ) {
-		SAFE_FREE(client);
+			DEBUG(1,("make_server_info_from_pw failed!\n"));
-		data_blob_free(&ap_rep);
+			SAFE_FREE(client);
-		data_blob_free(&session_key);
+			data_blob_free(&ap_rep);
-		passwd_free(&pw);
+			data_blob_free(&session_key);
-		return ERROR_NT(ret);
+			passwd_free(&pw);
+			return ERROR_NT(ret);
+		}
 	}
 	passwd_free(&pw);
 
@@ -284,7 +300,6 @@ static int reply_spnego_kerberos(connection_struct *conn,
  	   A better interface would copy it.... */
 	sess_vuid = register_vuid(server_info, session_key, nullblob, client);
 
-	SAFE_FREE(user);
 	SAFE_FREE(client);
 
 	if (sess_vuid == -1) {