mirror of
https://github.com/samba-team/samba.git
synced 2025-12-07 20:23:50 +03:00
r7395: * new feature 'map to guest = bad uid' (based on patch from
aruna.prabakar@hp.com). This re-enables the Samba 2.2 behavior where a user that was successfully authenticated by a remote DC would be mapped to the guest account if there was not existing UNIX account for that user and we could not create one.
This commit is contained in:
Gerald Carter
committed by
Gerald (Jerry) Carter
Gerald (Jerry) Carter
parent
5125852939
commit
b7455fbf81
@@ -279,6 +279,8 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context,
|
||||
}
|
||||
}
|
||||
|
||||
/* successful authentication */
|
||||
|
||||
if (NT_STATUS_IS_OK(nt_status)) {
|
||||
unix_username = (*server_info)->unix_name;
|
||||
if (!(*server_info)->guest) {
|
||||
@@ -304,14 +306,22 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context,
|
||||
user_info->internal_username.str,
|
||||
unix_username));
|
||||
}
|
||||
|
||||
return nt_status;
|
||||
}
|
||||
|
||||
if (!NT_STATUS_IS_OK(nt_status)) {
|
||||
/* failed authentication; check for guest lapping */
|
||||
|
||||
if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) {
|
||||
make_server_info_guest(server_info);
|
||||
nt_status = NT_STATUS_OK;
|
||||
} else {
|
||||
DEBUG(2, ("check_ntlm_password: Authentication for user [%s] -> [%s] FAILED with error %s\n",
|
||||
user_info->smb_name.str, user_info->internal_username.str,
|
||||
nt_errstr(nt_status)));
|
||||
ZERO_STRUCTP(server_info);
|
||||
}
|
||||
|
||||
return nt_status;
|
||||
}
|
||||
|
||||
|
||||
@@ -1648,12 +1648,6 @@ struct unix_error_map {
|
||||
NTSTATUS nt_error;
|
||||
};
|
||||
|
||||
/*
|
||||
#include "ntdomain.h"
|
||||
|
||||
#include "client.h"
|
||||
*/
|
||||
|
||||
/*
|
||||
* Size of new password account encoding string. This is enough space to
|
||||
* hold 11 ACB characters, plus the surrounding [] and a terminating null.
|
||||
@@ -1686,6 +1680,7 @@ struct unix_error_map {
|
||||
#define NEVER_MAP_TO_GUEST 0
|
||||
#define MAP_TO_GUEST_ON_BAD_USER 1
|
||||
#define MAP_TO_GUEST_ON_BAD_PASSWORD 2
|
||||
#define MAP_TO_GUEST_ON_BAD_UID 3
|
||||
|
||||
#define SAFE_NETBIOS_CHARS ". -_"
|
||||
|
||||
|
||||
@@ -763,6 +763,7 @@ static const struct enum_list enum_map_to_guest[] = {
|
||||
{NEVER_MAP_TO_GUEST, "Never"},
|
||||
{MAP_TO_GUEST_ON_BAD_USER, "Bad User"},
|
||||
{MAP_TO_GUEST_ON_BAD_PASSWORD, "Bad Password"},
|
||||
{MAP_TO_GUEST_ON_BAD_UID, "Bad Uid"},
|
||||
{-1, NULL}
|
||||
};
|
||||
|
||||
|
||||
@@ -144,7 +144,7 @@ static int reply_spnego_kerberos(connection_struct *conn,
|
||||
char *client, *p, *domain;
|
||||
fstring netbios_domain_name;
|
||||
struct passwd *pw;
|
||||
char *user;
|
||||
fstring user;
|
||||
int sess_vuid;
|
||||
NTSTATUS ret;
|
||||
DATA_BLOB auth_data;
|
||||
@@ -154,6 +154,7 @@ static int reply_spnego_kerberos(connection_struct *conn,
|
||||
uint8 tok_id[2];
|
||||
DATA_BLOB nullblob = data_blob(NULL, 0);
|
||||
fstring real_username;
|
||||
BOOL map_domainuser_to_guest = False;
|
||||
|
||||
ZERO_STRUCT(ticket);
|
||||
ZERO_STRUCT(auth_data);
|
||||
@@ -238,38 +239,53 @@ static int reply_spnego_kerberos(connection_struct *conn,
|
||||
}
|
||||
}
|
||||
|
||||
asprintf(&user, "%s%c%s", domain, *lp_winbind_separator(), client);
|
||||
fstr_sprintf(user, "%s%c%s", domain, *lp_winbind_separator(), client);
|
||||
|
||||
/* lookup the passwd struct, create a new user if necessary */
|
||||
|
||||
map_username( user );
|
||||
|
||||
pw = smb_getpwnam( user, real_username, True );
|
||||
if (!pw) {
|
||||
|
||||
/* this was originally the behavior of Samba 2.2, if a user
|
||||
did not have a local uid but has been authenticated, then
|
||||
map them to a guest account */
|
||||
|
||||
if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID){
|
||||
map_domainuser_to_guest = True;
|
||||
fstrcpy(user,lp_guestaccount());
|
||||
pw = smb_getpwnam( user, real_username, True );
|
||||
}
|
||||
|
||||
/* extra sanity check that the guest account is valid */
|
||||
|
||||
if ( !pw ) {
|
||||
DEBUG(1,("Username %s is invalid on this system\n", user));
|
||||
SAFE_FREE(user);
|
||||
SAFE_FREE(client);
|
||||
data_blob_free(&ap_rep);
|
||||
data_blob_free(&session_key);
|
||||
return ERROR_NT(NT_STATUS_LOGON_FAILURE);
|
||||
}
|
||||
}
|
||||
|
||||
/* setup the string used by %U */
|
||||
|
||||
sub_set_smb_name( real_username );
|
||||
reload_services(True);
|
||||
|
||||
if (!NT_STATUS_IS_OK(ret = make_server_info_pw(&server_info, real_username, pw)))
|
||||
{
|
||||
if ( map_domainuser_to_guest ) {
|
||||
make_server_info_guest(&server_info);
|
||||
} else {
|
||||
ret = make_server_info_pw(&server_info, real_username, pw);
|
||||
if ( !NT_STATUS_IS_OK(ret) ) {
|
||||
DEBUG(1,("make_server_info_from_pw failed!\n"));
|
||||
SAFE_FREE(user);
|
||||
SAFE_FREE(client);
|
||||
data_blob_free(&ap_rep);
|
||||
data_blob_free(&session_key);
|
||||
passwd_free(&pw);
|
||||
return ERROR_NT(ret);
|
||||
}
|
||||
}
|
||||
passwd_free(&pw);
|
||||
|
||||
/* make_server_info_pw does not set the domain. Without this we end up
|
||||
@@ -284,7 +300,6 @@ static int reply_spnego_kerberos(connection_struct *conn,
|
||||
A better interface would copy it.... */
|
||||
sess_vuid = register_vuid(server_info, session_key, nullblob, client);
|
||||
|
||||
SAFE_FREE(user);
|
||||
SAFE_FREE(client);
|
||||
|
||||
if (sess_vuid == -1) {
|
||||
|
||||
Reference in New Issue
Block a user