1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

s3-auth: Remove security=share (depricated since 3.6).

This patch removes security=share, which Samba implemented by matching
the per-share password provided by the client in the Tree Connect with
a selection of usernames supplied by the client, the smb.conf or
guessed from the environment.

The rationale for the removal is that for the bulk of security=share
users, we just we need a very simple way to run a 'trust the network'
Samba server, where users mark shares as guest ok.  This is still
supported, and the smb.conf options are documented at
https://wiki.samba.org/index.php/Public_Samba_Server

At the same time, this closes the door on one of the most arcane areas
of Samba authentication.

Naturally, full user-name/password authentication remain available in
security=user and above.

This includes documentation updates for username and only user, which
now only do a small amount of what they used to do.

Andrew Bartlett

                       --------------
                      /              \
                     /      REST      \
                    /        IN        \
                   /       PEACE        \
                  /                      \
                  |      SEC_SHARE       |
                  |    security=share    |
                  |                      |
                  |                      |
                  |       5 March        |
                  |                      |
                  |        2012          |
                 *|     *  *  *          | *
        _________)/\\_//(\/(/\)/\//\/\///|_)_______
This commit is contained in:
Andrew Bartlett 2012-02-03 18:03:10 +11:00
parent acfa107ec6
commit d7bb961859
27 changed files with 103 additions and 1068 deletions

View File

@ -670,59 +670,6 @@ chmod 1770 /usr/local/samba/lib/usershares
</refsect1>
<refsect1 id="VALIDATIONSECT">
<title>NOTE ABOUT USERNAME/PASSWORD VALIDATION</title>
<para>
There are a number of ways in which a user can connect to a service. The server uses the following steps
in determining if it will allow a connection to a specified service. If all the steps fail, the connection
request is rejected. However, if one of the steps succeeds, the following steps are not checked.
</para>
<para>
If the service is marked <quote>guest only = yes</quote> and the server is running with share-level
security (<quote>security = share</quote>, steps 1 to 5 are skipped.
</para>
<orderedlist continuation="restarts" inheritnum="ignore" numeration="arabic">
<listitem><para>
If the client has passed a username/password pair and that username/password pair is validated by the UNIX
system's password programs, the connection is made as that username. This includes the
<literal>\\server\service</literal>%<replaceable>username</replaceable> method of passing a username.
</para></listitem>
<listitem><para>
If the client has previously registered a username with the system and now supplies a correct password for that
username, the connection is allowed.
</para></listitem>
<listitem><para>
The client's NetBIOS name and any previously used usernames are checked against the supplied password. If
they match, the connection is allowed as the corresponding user.
</para></listitem>
<listitem><para>
If the client has previously validated a username/password pair with the server and the client has passed
the validation token, that username is used.
</para></listitem>
<listitem><para>
If a <literal>user = </literal> field is given in the <filename moreinfo="none">smb.conf</filename> file for the
service and the client has supplied a password, and that password matches (according to the UNIX system's
password checking) with one of the usernames from the <literal>user =</literal> field, the connection is made as
the username in the <literal>user =</literal> line. If one of the usernames in the <literal>user =</literal> list
begins with a <literal>@</literal>, that name expands to a list of names in the group of the same name.
</para></listitem>
<listitem><para>
If the service is a guest service, a connection is made as the username given in the <literal>guest account
=</literal> for the service, irrespective of the supplied password.
</para></listitem>
</orderedlist>
</refsect1>
<refsect1>
<title>REGISTRY-BASED CONFIGURATION</title>

View File

@ -3,20 +3,16 @@
context="S"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>This is a boolean option that controls whether
connections with usernames not in the <parameter moreinfo="none">user</parameter>
list will be allowed. By default this option is disabled so that a
client can supply a username to be used by the server. Enabling
this parameter will force the server to only use the login
names from the <parameter moreinfo="none">user</parameter> list and is only really
useful in <smbconfoption name="security">share</smbconfoption> level security.</para>
<para>To restrict a service to a particular set of users you
can use the <smbconfoption name="valid users"/> parameter.</para>
<para>This parameter is deprecated</para>
<para>However, it currently operates only in conjunction with
<smbconfoption name="username"/>. The supported way to restrict
a service to a particular set of users is the
<smbconfoption name="valid users"/> parameter.</para>
<para>Note that this also means Samba won't try to deduce
usernames from the service name. This can be annoying for
the [homes] section. To get around this you could use <command moreinfo="none">user =
%S</command> which means your <parameter moreinfo="none">user</parameter> list
will be just the service name, which for home directories is the
name of the user.</para>
</description>
<related>user</related>

View File

@ -11,34 +11,18 @@
Samba and is one of the most important settings in the <filename moreinfo="none">
smb.conf</filename> file.</para>
<para>The option sets the &quot;security mode bit&quot; in replies to
protocol negotiations with <citerefentry><refentrytitle>smbd</refentrytitle>
<manvolnum>8</manvolnum></citerefentry> to turn share level security on or off. Clients decide
based on this bit whether (and how) to transfer user and password
information to the server.</para>
<para>The default is <command moreinfo="none">security = user</command>, as this is
the most common setting needed when talking to Windows 98 and
Windows NT.</para>
the most common setting, used for a standalone file server or a DC.</para>
<para>The alternatives are
<command moreinfo="none">security = ads</command> or <command moreinfo="none">security = domain
</command>, which support joining Samba to a Windows domain, along with <command moreinfo="none">security = share</command> and <command moreinfo="none">security = server</command>, both of which are deprecated.</para>
<para>In versions of Samba prior to 2.0.0, the default was
<command moreinfo="none">security = share</command> mainly because that was
the only option at one stage.</para>
</command>, which support joining Samba to a Windows domain, along with <command moreinfo="none">security = server</command>, which is deprecated.</para>
<para>You should use <command moreinfo="none">security = user</command> and
<smbconfoption name="map to guest"/> if you
want to mainly setup shares without a password (guest shares). This
is commonly used for a shared printer server. </para>
<para>It is possible to use <command moreinfo="none">smbd</command> in a <emphasis>
hybrid mode</emphasis> where it is offers both user and share
level security under different <smbconfoption name="NetBIOS aliases"/>. </para>
<para>The different settings will now be explained.</para>
@ -65,8 +49,6 @@
the server to automatically map unknown users into the <smbconfoption name="guest account"/>.
See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
<para>See also the section <link linkend="VALIDATIONSECT">NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
<para><anchor id="SECURITYEQUALSDOMAIN"/><emphasis>SECURITY = DOMAIN</emphasis></para>
<para>This mode will only work correctly if <citerefentry><refentrytitle>net</refentrytitle>
@ -94,93 +76,9 @@
the server to automatically map unknown users into the <smbconfoption name="guest account"/>.
See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
<para>See also the section <link linkend="VALIDATIONSECT">
NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
<para>See also the <smbconfoption name="password server"/> parameter and
the <smbconfoption name="encrypted passwords"/> parameter.</para>
<para><anchor id="SECURITYEQUALSSHARE"/><emphasis>SECURITY = SHARE</emphasis></para>
<note><para>This option is deprecated as it is incompatible with SMB2</para></note>
<para>When clients connect to a share level security server, they
need not log onto the server with a valid username and password before
attempting to connect to a shared resource (although modern clients
such as Windows 95/98 and Windows NT will send a logon request with
a username but no password when talking to a <command moreinfo="none">security = share
</command> server). Instead, the clients send authentication information
(passwords) on a per-share basis, at the time they attempt to connect
to that share.</para>
<para>Note that <command moreinfo="none">smbd</command> <emphasis>ALWAYS</emphasis>
uses a valid UNIX user to act on behalf of the client, even in
<command moreinfo="none">security = share</command> level security.</para>
<para>As clients are not required to send a username to the server
in share level security, <command moreinfo="none">smbd</command> uses several
techniques to determine the correct UNIX user to use on behalf
of the client.</para>
<para>A list of possible UNIX usernames to match with the given
client password is constructed using the following methods :</para>
<itemizedlist>
<listitem>
<para>If the <smbconfoption name="guest only"/> parameter is set, then all the other
stages are missed and only the <smbconfoption name="guest account"/> username is checked.
</para>
</listitem>
<listitem>
<para>Is a username is sent with the share connection
request, then this username (after mapping - see <smbconfoption name="username map"/>),
is added as a potential username.
</para>
</listitem>
<listitem>
<para>If the client did a previous <emphasis>logon
</emphasis> request (the SessionSetup SMB call) then the
username sent in this SMB will be added as a potential username.
</para>
</listitem>
<listitem>
<para>The name of the service the client requested is
added as a potential username.
</para>
</listitem>
<listitem>
<para>The NetBIOS name of the client is added to
the list as a potential username.
</para>
</listitem>
<listitem>
<para>Any users on the <smbconfoption name="user"/> list are added as potential usernames.
</para>
</listitem>
</itemizedlist>
<para>If the <parameter moreinfo="none">guest only</parameter> parameter is
not set, then this list is then tried with the supplied password.
The first user for whom the password matches will be used as the
UNIX user.</para>
<para>If the <parameter moreinfo="none">guest only</parameter> parameter is
set, or no username can be determined then if the share is marked
as available to the <parameter moreinfo="none">guest account</parameter>, then this
guest user will be used, otherwise access is denied.</para>
<para>Note that it can be <emphasis>very</emphasis> confusing
in share-level security as to which UNIX username will eventually
be used in granting access.</para>
<para>See also the section <link linkend="VALIDATIONSECT">
NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
<para><anchor id="SECURITYEQUALSSERVER"/><emphasis>SECURITY = SERVER</emphasis></para>
<para>
@ -221,9 +119,6 @@
the server to automatically map unknown users into the <smbconfoption name="guest account"/>.
See the <smbconfoption name="map to guest"/> parameter for details on doing this.</para>
<para>See also the section <link linkend="VALIDATIONSECT">
NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
<para>See also the <smbconfoption name="password server"/> parameter and the
<smbconfoption name="encrypted passwords"/> parameter.</para>

View File

@ -51,9 +51,6 @@
exist as well as the account on the Domain Controller to allow
Samba to have a valid UNIX account to map file access to. Winbind can provide this.</para>
<para>See also the section <link linkend="VALIDATIONSECT">
NOTE ABOUT USERNAME/PASSWORD VALIDATION</link>.</para>
<para><anchor id="DC"/><emphasis>SERVER ROLE = DOMAIN CONTROLLER</emphasis></para>
<para>This mode of operation runs Samba as a domain controller, providing domain logon services to Windows and Samba clients of the domain. Clients must be joined to the domain to create a secure, trusted path across the network.</para>

View File

@ -5,57 +5,16 @@
<synonym>user</synonym>
<synonym>users</synonym>
<description>
<para>Multiple users may be specified in a comma-delimited
list, in which case the supplied password will be tested against
each username in turn (left to right).</para>
<para>The deprecated <parameter moreinfo="none">username</parameter> line is needed only when
the PC is unable to supply its own username. This is the case
for the COREPLUS protocol or where your users have different WfWg
usernames to UNIX usernames. In both these cases you may also be
better using the \\server\share%user syntax instead.</para>
<para>The <parameter moreinfo="none">username</parameter> line is not a great
solution in many cases as it means Samba will try to validate
the supplied password against each of the usernames in the
<parameter moreinfo="none">username</parameter> line in turn. This is slow and
a bad idea for lots of users in case of duplicate passwords.
You may get timeouts or security breaches using this parameter
unwisely.</para>
<para>Samba relies on the underlying UNIX security. This
parameter does not restrict who can login, it just offers hints
to the Samba server as to what usernames might correspond to the
supplied password. Users can login as whoever they please and
they will be able to do no more damage than if they started a
telnet session. The daemon runs as the user that they log in as,
so they cannot do anything that user cannot do.</para>
<para>To restrict a service to a particular set of users you
can use the <smbconfoption name="valid users"/> parameter.</para>
<para>If any of the usernames begin with a '@' then the name
will be looked up first in the NIS netgroups list (if Samba
is compiled with netgroup support), followed by a lookup in
the UNIX groups database and will expand to a list of all users
in the group of that name.</para>
<para>If any of the usernames begin with a '+' then the name
will be looked up only in the UNIX groups database and will
expand to a list of all users in the group of that name.</para>
<para>This parameter is deprecated</para>
<para>If any of the usernames begin with a '&amp;' then the name
will be looked up only in the NIS netgroups database (if Samba
is compiled with netgroup support) and will expand to a list
of all users in the netgroup group of that name.</para>
<para>However, it currently operates only in conjunction with
<smbconfoption name="only user"/>. The supported way to restrict
a service to a particular set of users is the
<smbconfoption name="valid users"/> parameter.</para>
<para>Note that searching though a groups database can take
quite some time, and some clients may time out during the
search.</para>
<para>See the section <link linkend="VALIDATIONSECT">NOTE ABOUT
USERNAME/PASSWORD VALIDATION</link> for more information on how
this parameter determines access to the services.</para>
</description>
<value type="default"><comment>The guest account if a guest service,

View File

@ -73,11 +73,6 @@ int lp_find_server_role(int server_role, int security, int domain_logons, int do
role = ROLE_STANDALONE;
switch (security) {
case SEC_SHARE:
if (domain_logons) {
DEBUG(0, ("Server's Role (logon server) conflicts with share-level security\n"));
}
break;
case SEC_SERVER:
if (domain_logons) {
DEBUG(0, ("Server's Role (logon server) conflicts with server-level security\n"));
@ -162,7 +157,7 @@ bool lp_is_security_and_server_role_valid(int server_role, int security)
valid = true;
break;
case ROLE_STANDALONE:
if (security == SEC_SHARE || security == SEC_SERVER || security == SEC_USER) {
if (security == SEC_SERVER || security == SEC_USER) {
valid = true;
}
break;

View File

@ -44,7 +44,6 @@ static const struct enum_list enum_protocol[] = {
static const struct enum_list enum_security[] = {
{SEC_AUTO, "AUTO"},
{SEC_SHARE, "SHARE"},
{SEC_USER, "USER"},
{SEC_SERVER, "SERVER"},
{SEC_DOMAIN, "DOMAIN"},

View File

@ -42,9 +42,26 @@ enum server_role {
*/
#define ROLE_DOMAIN_CONTROLLER ROLE_DOMAIN_BDC
/* security levels for 'security =' option */
/* security levels for 'security =' option
--------------
/ \
/ REST \
/ IN \
/ PEACE \
/ \
| SEC_SHARE |
| security=share |
| |
| |
| 5 March |
| |
| 2012 |
*| * * * | *
_________)/\\_//(\/(/\)/\//\/\///|_)_______
*/
enum security_types {SEC_AUTO = 0,
SEC_SHARE = 1,
SEC_USER = 2,
SEC_SERVER = 3,
SEC_DOMAIN = 4,

View File

@ -912,7 +912,7 @@ AUTH_OBJ = auth/auth.o @AUTH_STATIC@ auth/auth_util.o auth/token_util.o \
auth/user_info.o \
auth/user_util.o \
auth/user_krb5.o \
auth/auth_compat.o auth/auth_ntlmssp.o auth/auth_generic.o \
auth/auth_ntlmssp.o auth/auth_generic.o \
$(PLAINTEXT_AUTH_OBJ) $(SLCACHE_OBJ) $(DCUTIL_OBJ)
MANGLE_OBJ = smbd/mangle.o smbd/mangle_hash.o smbd/mangle_hash2.o

View File

@ -523,17 +523,6 @@ NTSTATUS make_auth_context_subsystem(TALLOC_CTX *mem_ctx,
talloc_tos(), "guest unix", NULL);
}
break;
case SEC_SHARE:
if (lp_encrypted_passwords()) {
DEBUG(5,("Making default auth method list for security=share, encrypt passwords = yes\n"));
auth_method_list = str_list_make_v3(
talloc_tos(), "guest sam", NULL);
} else {
DEBUG(5,("Making default auth method list for security=share, encrypt passwords = no\n"));
auth_method_list = str_list_make_v3(
talloc_tos(), "guest unix", NULL);
}
break;
case SEC_ADS:
DEBUG(5,("Making default auth method list for security=ADS\n"));
auth_method_list = str_list_make_v3(

View File

@ -1,169 +0,0 @@
/*
Unix SMB/CIFS implementation.
Password and authentication handling
Copyright (C) Andrew Bartlett 2001-2002
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
#include "auth.h"
#include "../lib/tsocket/tsocket.h"
extern struct auth_context *negprot_global_auth_context;
extern bool global_encrypted_passwords_negotiated;
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
/****************************************************************************
COMPATIBILITY INTERFACES:
***************************************************************************/
/****************************************************************************
check if a username/password is OK assuming the password is in plaintext
return True if the password is correct, False otherwise
****************************************************************************/
NTSTATUS check_plaintext_password(const char *smb_name,
const struct tsocket_address *remote_address,
DATA_BLOB plaintext_blob,
struct auth_serversupplied_info **server_info)
{
struct auth_context *plaintext_auth_context = NULL;
struct auth_usersupplied_info *user_info = NULL;
uint8_t chal[8];
NTSTATUS nt_status;
nt_status = make_auth_context_subsystem(talloc_tos(),
&plaintext_auth_context);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
}
plaintext_auth_context->get_ntlm_challenge(plaintext_auth_context,
chal);
if (!make_user_info_for_reply(&user_info,
smb_name, lp_workgroup(),
remote_address,
chal,
plaintext_blob)) {
return NT_STATUS_NO_MEMORY;
}
nt_status = plaintext_auth_context->check_ntlm_password(plaintext_auth_context,
user_info, server_info);
TALLOC_FREE(plaintext_auth_context);
free_user_info(&user_info);
return nt_status;
}
static NTSTATUS pass_check_smb(struct auth_context *actx,
const char *smb_name,
const char *domain,
const struct tsocket_address *remote_address,
DATA_BLOB lm_pwd,
DATA_BLOB nt_pwd)
{
NTSTATUS nt_status;
struct auth_serversupplied_info *server_info = NULL;
struct auth_usersupplied_info *user_info = NULL;
if (actx == NULL) {
return NT_STATUS_INTERNAL_ERROR;
}
make_user_info_for_reply_enc(&user_info, smb_name,
domain,
remote_address,
lm_pwd,
nt_pwd);
nt_status = actx->check_ntlm_password(actx, user_info, &server_info);
free_user_info(&user_info);
TALLOC_FREE(server_info);
return nt_status;
}
/****************************************************************************
check if a username/password pair is ok via the auth subsystem.
return True if the password is correct, False otherwise
****************************************************************************/
bool password_ok(struct auth_context *actx, bool global_encrypted,
const char *session_workgroup,
const char *smb_name,
const struct tsocket_address *remote_address,
DATA_BLOB password_blob)
{
DATA_BLOB null_password = data_blob_null;
bool encrypted = (global_encrypted && (password_blob.length == 24 || password_blob.length > 46));
if (encrypted) {
/*
* The password could be either NTLM or plain LM. Try NTLM first,
* but fall-through as required.
* Vista sends NTLMv2 here - we need to try the client given workgroup.
*/
if (session_workgroup) {
if (NT_STATUS_IS_OK(pass_check_smb(actx,
smb_name,
session_workgroup,
remote_address,
null_password,
password_blob))) {
return True;
}
if (NT_STATUS_IS_OK(pass_check_smb(actx,
smb_name,
session_workgroup,
remote_address,
password_blob,
null_password))) {
return True;
}
}
if (NT_STATUS_IS_OK(pass_check_smb(actx,
smb_name,
lp_workgroup(),
remote_address,
null_password,
password_blob))) {
return True;
}
if (NT_STATUS_IS_OK(pass_check_smb(actx,
smb_name,
lp_workgroup(),
remote_address,
password_blob,
null_password))) {
return True;
}
} else {
struct auth_serversupplied_info *server_info = NULL;
NTSTATUS nt_status = check_plaintext_password(smb_name,
remote_address,
password_blob,
&server_info);
TALLOC_FREE(server_info);
if (NT_STATUS_IS_OK(nt_status)) {
return True;
}
}
return False;
}

View File

@ -48,18 +48,6 @@ NTSTATUS make_auth_context_fixed(TALLOC_CTX *mem_ctx,
NTSTATUS auth_builtin_init(void);
/* The following definitions come from auth/auth_compat.c */
NTSTATUS check_plaintext_password(const char *smb_name,
const struct tsocket_address *remote_address,
DATA_BLOB plaintext_password,
struct auth_serversupplied_info **server_info);
bool password_ok(struct auth_context *actx, bool global_encrypted,
const char *session_workgroup,
const char *smb_name,
const struct tsocket_address *remote_address,
DATA_BLOB password_blob);
/* The following definitions come from auth/auth_domain.c */
void attempt_machine_password_change(void);

View File

@ -12,7 +12,7 @@ AUTH_NETLOGOND_SRC = 'auth_netlogond.c'
AUTH_SRC = '''auth.c
user_krb5.c
auth_compat.c auth_ntlmssp.c auth_generic.c'''
auth_ntlmssp.c auth_generic.c'''
bld.SAMBA3_SUBSYSTEM('TOKEN_UTIL',
source='token_util.c',

View File

@ -1892,7 +1892,6 @@ static WERROR libnet_join_check_config(TALLOC_CTX *mem_ctx,
if (!valid_security) {
const char *sec = NULL;
switch (lp_security()) {
case SEC_SHARE: sec = "share"; break;
case SEC_USER: sec = "user"; break;
case SEC_DOMAIN: sec = "domain"; break;
case SEC_ADS: sec = "ads"; break;

View File

@ -5286,18 +5286,7 @@ FN_GLOBAL_INTEGER(lp_passwordlevel, pwordlevel)
FN_GLOBAL_INTEGER(lp_usernamelevel, unamelevel)
FN_GLOBAL_INTEGER(lp_deadtime, deadtime)
FN_GLOBAL_BOOL(lp_getwd_cache, getwd_cache)
static FN_GLOBAL_INTEGER(_lp_srv_maxprotocol, srv_maxprotocol)
int lp_srv_maxprotocol(void)
{
int ret = _lp_srv_maxprotocol();
if ((ret >= PROTOCOL_SMB2_02) && (lp_security() == SEC_SHARE)) {
DEBUG(2,("WARNING!!: \"security = share\" is incompatible "
"with the SMB2 protocol. Resetting to SMB1.\n" ));
lp_do_parameter(-1, "server max protocol", "NT1");
return PROTOCOL_NT1;
}
return ret;
}
FN_GLOBAL_INTEGER(lp_srv_maxprotocol, srv_maxprotocol)
FN_GLOBAL_INTEGER(lp_srv_minprotocol, srv_minprotocol)
FN_GLOBAL_INTEGER(lp_security, security)
FN_GLOBAL_LIST(lp_auth_methods, AuthMethods)
@ -9050,9 +9039,7 @@ static bool lp_load_ex(const char *pszFname,
set_allowed_client_auth();
if (lp_security() == SEC_SHARE) {
DEBUG(1, ("WARNING: The security=share option is deprecated\n"));
} else if (lp_security() == SEC_SERVER) {
if (lp_security() == SEC_SERVER) {
DEBUG(1, ("WARNING: The security=server option is deprecated\n"));
}

View File

@ -531,10 +531,6 @@ struct smbd_server_connection {
int max_send;
uint16_t last_session_tag;
/* users from session setup */
char *session_userlist;
/* workgroup from session setup. */
char *session_workgroup;
/*
* this holds info on user ids that are already
* validated for this VC

View File

@ -299,7 +299,6 @@ static void reply_nt1(struct smb_request *req, uint16 choice)
supports it and we can do encrypted passwords */
if (sconn->smb1.negprot.encrypted_passwords &&
(lp_security() != SEC_SHARE) &&
lp_use_spnego() &&
(req->flags2 & FLAGS2_EXTENDED_SECURITY)) {
negotiate_spnego = True;

View File

@ -172,12 +172,6 @@ int register_initial_vuid(struct smbd_server_connection *sconn)
{
user_struct *vuser;
/* Paranoia check. */
if(lp_security() == SEC_SHARE) {
smb_panic("register_initial_vuid: "
"Tried to register uid in security=share");
}
/* Limit allowed vuids to 16bits - VUID_OFFSET. */
if (sconn->smb1.sessions.num_validated_vuids >= 0xFFFF-VUID_OFFSET) {
return UID_FIELD_INVALID;
@ -352,394 +346,3 @@ int register_existing_vuid(struct smbd_server_connection *sconn,
}
return UID_FIELD_INVALID;
}
/****************************************************************************
Add a name to the session users list.
****************************************************************************/
void add_session_user(struct smbd_server_connection *sconn,
const char *user)
{
struct passwd *pw;
char *tmp;
pw = Get_Pwnam_alloc(talloc_tos(), user);
if (pw == NULL) {
return;
}
if (sconn->smb1.sessions.session_userlist == NULL) {
sconn->smb1.sessions.session_userlist = SMB_STRDUP(pw->pw_name);
goto done;
}
if (in_list(pw->pw_name,sconn->smb1.sessions.session_userlist,false)) {
goto done;
}
if (strlen(sconn->smb1.sessions.session_userlist) > 128 * 1024) {
DEBUG(3,("add_session_user: session userlist already "
"too large.\n"));
goto done;
}
if (asprintf(&tmp, "%s %s",
sconn->smb1.sessions.session_userlist, pw->pw_name) == -1) {
DEBUG(3, ("asprintf failed\n"));
goto done;
}
SAFE_FREE(sconn->smb1.sessions.session_userlist);
sconn->smb1.sessions.session_userlist = tmp;
done:
TALLOC_FREE(pw);
}
/****************************************************************************
In security=share mode we need to store the client workgroup, as that's
what Vista uses for the NTLMv2 calculation.
****************************************************************************/
void add_session_workgroup(struct smbd_server_connection *sconn,
const char *workgroup)
{
if (sconn->smb1.sessions.session_workgroup) {
SAFE_FREE(sconn->smb1.sessions.session_workgroup);
}
sconn->smb1.sessions.session_workgroup = smb_xstrdup(workgroup);
}
/****************************************************************************
In security=share mode we need to return the client workgroup, as that's
what Vista uses for the NTLMv2 calculation.
****************************************************************************/
const char *get_session_workgroup(struct smbd_server_connection *sconn)
{
return sconn->smb1.sessions.session_workgroup;
}
/****************************************************************************
Check if a username is valid.
****************************************************************************/
static bool user_ok(const char *user, int snum)
{
bool ret;
ret = True;
if (lp_invalid_users(snum)) {
char **invalid = str_list_copy(talloc_tos(),
lp_invalid_users(snum));
if (invalid &&
str_list_substitute(invalid, "%S", lp_servicename(snum))) {
/* This is used in sec=share only, so no current user
* around to pass to str_list_sub_basic() */
if ( invalid && str_list_sub_basic(invalid, "", "") ) {
ret = !user_in_list(talloc_tos(), user,
(const char **)invalid);
}
}
TALLOC_FREE(invalid);
}
if (ret && lp_valid_users(snum)) {
char **valid = str_list_copy(talloc_tos(),
lp_valid_users(snum));
if ( valid &&
str_list_substitute(valid, "%S", lp_servicename(snum)) ) {
/* This is used in sec=share only, so no current user
* around to pass to str_list_sub_basic() */
if ( valid && str_list_sub_basic(valid, "", "") ) {
ret = user_in_list(talloc_tos(), user,
(const char **)valid);
}
}
TALLOC_FREE(valid);
}
if (ret && lp_onlyuser(snum)) {
char **user_list = str_list_make_v3(
talloc_tos(), lp_username(snum), NULL);
if (user_list &&
str_list_substitute(user_list, "%S",
lp_servicename(snum))) {
ret = user_in_list(talloc_tos(), user,
(const char **)user_list);
}
TALLOC_FREE(user_list);
}
return(ret);
}
/****************************************************************************
Validate a group username entry. Return the username or NULL.
****************************************************************************/
static char *validate_group(struct smbd_server_connection *sconn,
char *group, DATA_BLOB password,int snum)
{
#ifdef HAVE_NETGROUP
{
char *host, *user, *domain;
struct auth_context *actx = sconn->smb1.negprot.auth_context;
bool enc = sconn->smb1.negprot.encrypted_passwords;
setnetgrent(group);
while (getnetgrent(&host, &user, &domain)) {
if (user) {
if (user_ok(user, snum) &&
password_ok(actx, enc,
get_session_workgroup(sconn),
user,
sconn->remote_address,
password)) {
endnetgrent();
return(user);
}
}
}
endnetgrent();
}
#endif
#ifdef HAVE_GETGRENT
{
struct group *gptr;
struct auth_context *actx = sconn->smb1.negprot.auth_context;
bool enc = sconn->smb1.negprot.encrypted_passwords;
setgrent();
while ((gptr = (struct group *)getgrent())) {
if (strequal(gptr->gr_name,group))
break;
}
/*
* As user_ok can recurse doing a getgrent(), we must
* copy the member list onto the heap before
* use. Bug pointed out by leon@eatworms.swmed.edu.
*/
if (gptr) {
char *member_list = NULL;
size_t list_len = 0;
char *member;
int i;
for(i = 0; gptr->gr_mem && gptr->gr_mem[i]; i++) {
list_len += strlen(gptr->gr_mem[i])+1;
}
list_len++;
member_list = (char *)SMB_MALLOC(list_len);
if (!member_list) {
endgrent();
return NULL;
}
*member_list = '\0';
member = member_list;
for(i = 0; gptr->gr_mem && gptr->gr_mem[i]; i++) {
size_t member_len = strlen(gptr->gr_mem[i])+1;
DEBUG(10,("validate_group: = gr_mem = "
"%s\n", gptr->gr_mem[i]));
strlcpy(member, gptr->gr_mem[i],
list_len - (member-member_list));
member += member_len;
}
endgrent();
member = member_list;
while (*member) {
if (user_ok(member,snum) &&
password_ok(actx, enc,
get_session_workgroup(sconn),
member,
sconn->remote_address,
password)) {
char *name = talloc_strdup(talloc_tos(),
member);
SAFE_FREE(member_list);
return name;
}
DEBUG(10,("validate_group = member = %s\n",
member));
member += strlen(member) + 1;
}
SAFE_FREE(member_list);
} else {
endgrent();
return NULL;
}
}
#endif
return(NULL);
}
/****************************************************************************
Check for authority to login to a service with a given username/password.
Note this is *NOT* used when logging on using sessionsetup_and_X.
****************************************************************************/
bool authorise_login(struct smbd_server_connection *sconn,
int snum, fstring user, DATA_BLOB password,
bool *guest)
{
bool ok = False;
struct auth_context *actx = sconn->smb1.negprot.auth_context;
bool enc = sconn->smb1.negprot.encrypted_passwords;
#ifdef DEBUG_PASSWORD
DEBUG(100,("authorise_login: checking authorisation on "
"user=%s pass=%s\n", user,password.data));
#endif
*guest = False;
/* there are several possibilities:
1) login as the given user with given password
2) login as a previously registered username with the given
password
3) login as a session list username with the given password
4) login as a previously validated user/password pair
5) login as the "user =" user with given password
6) login as the "user =" user with no password
(guest connection)
7) login as guest user with no password
if the service is guest_only then steps 1 to 5 are skipped
*/
/* now check the list of session users */
if (!ok) {
char *auser;
char *user_list = NULL;
char *saveptr;
if (sconn->smb1.sessions.session_userlist)
user_list = SMB_STRDUP(sconn->smb1.sessions.session_userlist);
else
user_list = SMB_STRDUP("");
if (!user_list)
return(False);
for (auser = strtok_r(user_list, LIST_SEP, &saveptr);
!ok && auser;
auser = strtok_r(NULL, LIST_SEP, &saveptr)) {
fstring user2;
fstrcpy(user2,auser);
if (!user_ok(user2,snum))
continue;
if (password_ok(actx, enc,
get_session_workgroup(sconn),
user2,
sconn->remote_address,
password)) {
ok = True;
strlcpy(user,user2,sizeof(fstring));
DEBUG(3,("authorise_login: ACCEPTED: session "
"list username (%s) and given "
"password ok\n", user));
}
}
SAFE_FREE(user_list);
}
/* check the user= fields and the given password */
if (!ok && lp_username(snum)) {
TALLOC_CTX *ctx = talloc_tos();
char *auser;
char *user_list = talloc_strdup(ctx, lp_username(snum));
char *saveptr;
if (!user_list) {
goto check_guest;
}
user_list = talloc_string_sub(ctx,
user_list,
"%S",
lp_servicename(snum));
if (!user_list) {
goto check_guest;
}
for (auser = strtok_r(user_list, LIST_SEP, &saveptr);
auser && !ok;
auser = strtok_r(NULL, LIST_SEP, &saveptr)) {
if (*auser == '@') {
auser = validate_group(sconn,auser+1,
password,snum);
if (auser) {
ok = True;
fstrcpy(user,auser);
DEBUG(3,("authorise_login: ACCEPTED: "
"group username and given "
"password ok (%s)\n", user));
}
} else {
fstring user2;
fstrcpy(user2,auser);
if (user_ok(user2,snum) &&
password_ok(actx, enc,
get_session_workgroup(sconn),
user2,
sconn->remote_address,
password)) {
ok = True;
strlcpy(user,user2,sizeof(fstring));
DEBUG(3,("authorise_login: ACCEPTED: "
"user list username and "
"given password ok (%s)\n",
user));
}
}
}
}
check_guest:
/* check for a normal guest connection */
if (!ok && GUEST_OK(snum)) {
struct passwd *guest_pw;
fstring guestname;
fstrcpy(guestname,lp_guestaccount());
guest_pw = Get_Pwnam_alloc(talloc_tos(), guestname);
if (guest_pw != NULL) {
strlcpy(user,guestname,sizeof(fstring));
ok = True;
DEBUG(3,("authorise_login: ACCEPTED: guest account "
"and guest ok (%s)\n", user));
} else {
DEBUG(0,("authorise_login: Invalid guest account "
"%s??\n",guestname));
}
TALLOC_FREE(guest_pw);
*guest = True;
}
if (ok && !user_ok(user, snum)) {
DEBUG(0,("authorise_login: rejected invalid user %s\n",user));
ok = False;
}
return(ok);
}

View File

@ -1364,8 +1364,7 @@ static connection_struct *switch_message(uint8 type, struct smb_request *req, in
flags = smb_messages[type].flags;
/* In share mode security we must ignore the vuid. */
session_tag = (lp_security() == SEC_SHARE)
? UID_FIELD_INVALID : req->vuid;
session_tag = req->vuid;
conn = req->conn;
DEBUG(3,("switch message %s (pid %d) conn 0x%lx\n", smb_fn_name(type),
@ -3257,10 +3256,6 @@ void smbd_process(struct tevent_context *ev_ctx,
sconn->smb1.sessions.done_sesssetup = false;
sconn->smb1.sessions.max_send = BUFFER_SIZE;
sconn->smb1.sessions.last_session_tag = UID_FIELD_INVALID;
/* users from session setup */
sconn->smb1.sessions.session_userlist = NULL;
/* workgroup from session setup. */
sconn->smb1.sessions.session_workgroup = NULL;
/* this holds info on user ids that are already validated for this VC */
sconn->smb1.sessions.validated_users = NULL;
sconn->smb1.sessions.next_vuid = VUID_OFFSET;

View File

@ -707,13 +707,6 @@ int register_existing_vuid(struct smbd_server_connection *sconn,
uint16 vuid,
struct auth_session_info *session_info,
DATA_BLOB response_blob);
void add_session_user(struct smbd_server_connection *sconn, const char *user);
void add_session_workgroup(struct smbd_server_connection *sconn,
const char *workgroup);
const char *get_session_workgroup(struct smbd_server_connection *sconn);
bool authorise_login(struct smbd_server_connection *sconn,
int snum, fstring user, DATA_BLOB password,
bool *guest);
/* The following definitions come from smbd/pipes.c */
@ -986,11 +979,10 @@ struct smbd_smb2_tcon;
connection_struct *make_connection_smb2(struct smbd_server_connection *sconn,
struct smbd_smb2_tcon *tcon,
user_struct *vuser,
DATA_BLOB password,
const char *pdev,
NTSTATUS *pstatus);
connection_struct *make_connection(struct smbd_server_connection *sconn,
const char *service_in, DATA_BLOB password,
const char *service_in,
const char *pdev, uint16 vuid,
NTSTATUS *status);
void close_cnum(connection_struct *conn, uint16 vuid);

View File

@ -599,13 +599,6 @@ void reply_special(struct smbd_server_connection *sconn, char *inbuf, size_t inb
break;
}
/* only add the client's machine name to the list
of possibly valid usernames if we are operating
in share mode security */
if (lp_security() == SEC_SHARE) {
add_session_user(sconn, get_remote_machine_name());
}
reload_services(sconn, conn_snum_used, true);
reopen_logs();
@ -656,7 +649,6 @@ void reply_tcon(struct smb_request *req)
int pwlen=0;
NTSTATUS nt_status;
const char *p;
DATA_BLOB password_blob;
TALLOC_CTX *ctx = talloc_tos();
struct smbd_server_connection *sconn = req->sconn;
@ -688,14 +680,10 @@ void reply_tcon(struct smb_request *req)
service = service_buf;
}
password_blob = data_blob(password, pwlen+1);
conn = make_connection(sconn,service,password_blob,dev,
conn = make_connection(sconn,service,dev,
req->vuid,&nt_status);
req->conn = conn;
data_blob_clear_free(&password_blob);
if (!conn) {
reply_nterror(req, nt_status);
END_PROFILE(SMBtcon);
@ -723,7 +711,6 @@ void reply_tcon_and_X(struct smb_request *req)
{
connection_struct *conn = req->conn;
const char *service = NULL;
DATA_BLOB password;
TALLOC_CTX *ctx = talloc_tos();
/* what the cleint thinks the device is */
char *client_devicetype = NULL;
@ -761,27 +748,14 @@ void reply_tcon_and_X(struct smb_request *req)
}
if (sconn->smb1.negprot.encrypted_passwords) {
password = data_blob_talloc(talloc_tos(), req->buf, passlen);
if (lp_security() == SEC_SHARE) {
/*
* Security = share always has a pad byte
* after the password.
*/
p = (const char *)req->buf + passlen + 1;
} else {
p = (const char *)req->buf + passlen;
}
p = (const char *)req->buf + passlen;
} else {
password = data_blob_talloc(talloc_tos(), req->buf, passlen+1);
/* Ensure correct termination */
password.data[passlen]=0;
p = (const char *)req->buf + passlen + 1;
}
p += srvstr_pull_req_talloc(ctx, req, &path, p, STR_TERMINATE);
if (path == NULL) {
data_blob_clear_free(&password);
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
END_PROFILE(SMBtconX);
return;
@ -794,7 +768,6 @@ void reply_tcon_and_X(struct smb_request *req)
if (*path=='\\') {
q = strchr_m(path+2,'\\');
if (!q) {
data_blob_clear_free(&password);
reply_nterror(req, NT_STATUS_BAD_NETWORK_NAME);
END_PROFILE(SMBtconX);
return;
@ -809,7 +782,6 @@ void reply_tcon_and_X(struct smb_request *req)
MIN(6, smbreq_bufrem(req, p)), STR_ASCII);
if (client_devicetype == NULL) {
data_blob_clear_free(&password);
reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
END_PROFILE(SMBtconX);
return;
@ -817,12 +789,10 @@ void reply_tcon_and_X(struct smb_request *req)
DEBUG(4,("Client requested device type [%s] for share [%s]\n", client_devicetype, service));
conn = make_connection(sconn, service, password, client_devicetype,
conn = make_connection(sconn, service, client_devicetype,
req->vuid, &nt_status);
req->conn =conn;
data_blob_clear_free(&password);
if (!conn) {
reply_nterror(req, nt_status);
END_PROFILE(SMBtconX);
@ -2117,7 +2087,7 @@ void reply_ulogoffX(struct smb_request *req)
/* in user level security we are supposed to close any files
open by this user */
if ((vuser != NULL) && (lp_security() != SEC_SHARE)) {
if (vuser != NULL) {
file_close_user(sconn, req->vuid);
}

View File

@ -381,7 +381,6 @@ static NTSTATUS find_forced_group(bool force_user,
static NTSTATUS create_connection_session_info(struct smbd_server_connection *sconn,
TALLOC_CTX *mem_ctx, int snum,
struct auth_session_info *session_info,
DATA_BLOB password,
struct auth_session_info **presult)
{
if (lp_guest_only(snum)) {
@ -425,29 +424,7 @@ static NTSTATUS create_connection_session_info(struct smbd_server_connection *sc
return NT_STATUS_OK;
}
if (lp_security() == SEC_SHARE) {
fstring user;
bool guest;
/* add the sharename as a possible user name if we
are in share mode security */
add_session_user(sconn, lp_servicename(snum));
/* shall we let them in? */
if (!authorise_login(sconn, snum,user,password,&guest)) {
DEBUG( 2, ( "Invalid username/password for [%s]\n",
lp_servicename(snum)) );
return NT_STATUS_WRONG_PASSWORD;
}
return make_session_info_from_username(mem_ctx, user, guest,
presult);
}
DEBUG(0, ("invalid VUID (vuser) but not in security=share\n"));
DEBUG(0, ("invalid VUID (vuser)\n"));
return NT_STATUS_ACCESS_DENIED;
}
@ -557,7 +534,6 @@ static void create_share_access_mask(connection_struct *conn, int snum)
static NTSTATUS make_connection_snum(struct smbd_server_connection *sconn,
connection_struct *conn,
int snum, user_struct *vuser,
DATA_BLOB password,
const char *pdev)
{
struct smb_filename *smb_fname_cpath = NULL;
@ -582,7 +558,7 @@ static NTSTATUS make_connection_snum(struct smbd_server_connection *sconn,
conn->params->service = snum;
status = create_connection_session_info(sconn,
conn, snum, vuser ? vuser->session_info : NULL, password,
conn, snum, vuser ? vuser->session_info : NULL,
&conn->session_info);
if (!NT_STATUS_IS_OK(status)) {
@ -591,12 +567,10 @@ static NTSTATUS make_connection_snum(struct smbd_server_connection *sconn,
goto err_root_exit;
}
if ((lp_guest_only(snum)) || (lp_security() == SEC_SHARE)) {
if (lp_guest_only(snum)) {
conn->force_user = true;
}
add_session_user(sconn, conn->session_info->unix_info->unix_name);
conn->num_files_open = 0;
conn->lastused = conn->lastused_count = time(NULL);
conn->used = True;
@ -630,7 +604,7 @@ static NTSTATUS make_connection_snum(struct smbd_server_connection *sconn,
goto err_root_exit;
}
conn->vuid = (vuser != NULL) ? vuser->vuid : UID_FIELD_INVALID;
conn->vuid = vuser->vuid;
{
char *s = talloc_sub_advanced(talloc_tos(),
@ -930,7 +904,6 @@ static NTSTATUS make_connection_snum(struct smbd_server_connection *sconn,
static connection_struct *make_connection_smb1(struct smbd_server_connection *sconn,
int snum, user_struct *vuser,
DATA_BLOB password,
const char *pdev,
NTSTATUS *pstatus)
{
@ -944,7 +917,6 @@ static connection_struct *make_connection_smb1(struct smbd_server_connection *sc
conn,
snum,
vuser,
password,
pdev);
if (!NT_STATUS_IS_OK(*pstatus)) {
conn_free(conn);
@ -961,7 +933,6 @@ static connection_struct *make_connection_smb1(struct smbd_server_connection *sc
connection_struct *make_connection_smb2(struct smbd_server_connection *sconn,
struct smbd_smb2_tcon *tcon,
user_struct *vuser,
DATA_BLOB password,
const char *pdev,
NTSTATUS *pstatus)
{
@ -976,7 +947,6 @@ connection_struct *make_connection_smb2(struct smbd_server_connection *sconn,
conn,
tcon->snum,
vuser,
password,
pdev);
if (!NT_STATUS_IS_OK(*pstatus)) {
conn_free(conn);
@ -992,7 +962,7 @@ connection_struct *make_connection_smb2(struct smbd_server_connection *sconn,
****************************************************************************/
connection_struct *make_connection(struct smbd_server_connection *sconn,
const char *service_in, DATA_BLOB password,
const char *service_in,
const char *pdev, uint16 vuid,
NTSTATUS *status)
{
@ -1017,14 +987,12 @@ connection_struct *make_connection(struct smbd_server_connection *sconn,
return NULL;
}
if(lp_security() != SEC_SHARE) {
vuser = get_valid_user_struct(sconn, vuid);
if (!vuser) {
DEBUG(1,("make_connection: refusing to connect with "
"no session setup\n"));
*status = NT_STATUS_ACCESS_DENIED;
return NULL;
}
vuser = get_valid_user_struct(sconn, vuid);
if (!vuser) {
DEBUG(1,("make_connection: refusing to connect with "
"no session setup\n"));
*status = NT_STATUS_ACCESS_DENIED;
return NULL;
}
/* Logic to try and connect to the correct [homes] share, preferably
@ -1037,57 +1005,28 @@ connection_struct *make_connection(struct smbd_server_connection *sconn,
*/
if (strequal(service_in,HOMES_NAME)) {
if(lp_security() != SEC_SHARE) {
DATA_BLOB no_pw = data_blob_null;
if (vuser->homes_snum == -1) {
DEBUG(2, ("[homes] share not available for "
"this user because it was not found "
"or created at session setup "
"time\n"));
*status = NT_STATUS_BAD_NETWORK_NAME;
return NULL;
}
DEBUG(5, ("making a connection to [homes] service "
"created at session setup time\n"));
return make_connection_smb1(sconn,
vuser->homes_snum,
vuser, no_pw,
dev, status);
} else {
/* Security = share. Try with
* current_user_info.smb_name as the username. */
if (*current_user_info.smb_name) {
char *unix_username = NULL;
(void)map_username(talloc_tos(),
current_user_info.smb_name,
&unix_username);
snum = find_service(talloc_tos(),
unix_username,
&unix_username);
if (!unix_username) {
*status = NT_STATUS_NO_MEMORY;
}
return NULL;
}
if (snum != -1) {
DEBUG(5, ("making a connection to 'homes' "
"service %s based on "
"security=share\n", service_in));
return make_connection_smb1(sconn,
snum, NULL,
password,
dev, status);
}
if (vuser->homes_snum == -1) {
DEBUG(2, ("[homes] share not available for "
"this user because it was not found "
"or created at session setup "
"time\n"));
*status = NT_STATUS_BAD_NETWORK_NAME;
return NULL;
}
} else if ((lp_security() != SEC_SHARE) && (vuser->homes_snum != -1)
DEBUG(5, ("making a connection to [homes] service "
"created at session setup time\n"));
return make_connection_smb1(sconn,
vuser->homes_snum,
vuser,
dev, status);
} else if ((vuser->homes_snum != -1)
&& strequal(service_in,
lp_servicename(vuser->homes_snum))) {
DATA_BLOB no_pw = data_blob_null;
DEBUG(5, ("making a connection to 'homes' service [%s] "
"created at session setup time\n", service_in));
return make_connection_smb1(sconn,
vuser->homes_snum,
vuser, no_pw,
vuser,
dev, status);
}
@ -1134,7 +1073,6 @@ connection_struct *make_connection(struct smbd_server_connection *sconn,
DEBUG(5, ("making a connection to 'normal' service %s\n", service));
return make_connection_smb1(sconn, snum, vuser,
password,
dev, status);
}

View File

@ -561,11 +561,7 @@ void reply_sesssetup_and_X(struct smb_request *req)
if (doencrypt) {
lm_resp = data_blob(p, passlen1);
nt_resp = data_blob(p+passlen1, passlen2);
} else if (lp_security() != SEC_SHARE) {
/*
* In share level we should ignore any passwords, so
* only read them if we're not.
*/
} else {
char *pass = NULL;
bool unic= smb_flag2 & FLAGS2_UNICODE_STRINGS;
@ -673,27 +669,6 @@ void reply_sesssetup_and_X(struct smb_request *req)
reload_services(sconn, conn_snum_used, true);
if (lp_security() == SEC_SHARE) {
char *sub_user_mapped = NULL;
/* In share level we should ignore any passwords */
data_blob_free(&lm_resp);
data_blob_free(&nt_resp);
data_blob_clear_free(&plaintext_password);
(void)map_username(talloc_tos(), sub_user, &sub_user_mapped);
if (!sub_user_mapped) {
reply_nterror(req, NT_STATUS_NO_MEMORY);
END_PROFILE(SMBsesssetupX);
return;
}
fstrcpy(sub_user, sub_user_mapped);
add_session_user(sconn, sub_user);
add_session_workgroup(sconn, domain);
/* Then force it to null for the benfit of the code below */
user = "";
}
if (!*user) {
nt_status = check_guest_password(sconn->remote_address, &server_info);
@ -796,36 +771,31 @@ void reply_sesssetup_and_X(struct smb_request *req)
/* register the name and uid as being validated, so further connections
to a uid can get through without a password, on the same VC */
if (lp_security() == SEC_SHARE) {
sess_vuid = UID_FIELD_INVALID;
TALLOC_FREE(session_info);
} else {
/* Ignore the initial vuid. */
sess_vuid = register_initial_vuid(sconn);
if (sess_vuid == UID_FIELD_INVALID) {
data_blob_free(&nt_resp);
data_blob_free(&lm_resp);
reply_nterror(req, nt_status_squash(
NT_STATUS_LOGON_FAILURE));
END_PROFILE(SMBsesssetupX);
return;
}
/* register_existing_vuid keeps the session_info */
sess_vuid = register_existing_vuid(sconn, sess_vuid,
session_info,
nt_resp.data ? nt_resp : lm_resp);
if (sess_vuid == UID_FIELD_INVALID) {
data_blob_free(&nt_resp);
data_blob_free(&lm_resp);
reply_nterror(req, nt_status_squash(
NT_STATUS_LOGON_FAILURE));
END_PROFILE(SMBsesssetupX);
return;
}
/* current_user_info is changed on new vuid */
reload_services(sconn, conn_snum_used, true);
/* Ignore the initial vuid. */
sess_vuid = register_initial_vuid(sconn);
if (sess_vuid == UID_FIELD_INVALID) {
data_blob_free(&nt_resp);
data_blob_free(&lm_resp);
reply_nterror(req, nt_status_squash(
NT_STATUS_LOGON_FAILURE));
END_PROFILE(SMBsesssetupX);
return;
}
/* register_existing_vuid keeps the session_info */
sess_vuid = register_existing_vuid(sconn, sess_vuid,
session_info,
nt_resp.data ? nt_resp : lm_resp);
if (sess_vuid == UID_FIELD_INVALID) {
data_blob_free(&nt_resp);
data_blob_free(&lm_resp);
reply_nterror(req, nt_status_squash(
NT_STATUS_LOGON_FAILURE));
END_PROFILE(SMBsesssetupX);
return;
}
/* current_user_info is changed on new vuid */
reload_services(sconn, conn_snum_used, true);
data_blob_free(&nt_resp);
data_blob_free(&lm_resp);

View File

@ -232,7 +232,7 @@ static NTSTATUS smbd_smb2_tree_connect(struct smbd_smb2_request *req,
compat_conn = make_connection_smb2(req->sconn,
tcon,
req->session->compat_vuser,
data_blob_null, "???",
"???",
&status);
if (compat_conn == NULL) {
TALLOC_FREE(tcon);

View File

@ -288,19 +288,7 @@ bool change_to_user(connection_struct *conn, uint16_t vuid)
vuser = get_valid_user_struct(conn->sconn, vuid);
/*
* We need a separate check in security=share mode due to vuid
* always being UID_FIELD_INVALID. If we don't do this then
* in share mode security we are *always* changing uid's between
* SMB's - this hurts performance - Badly.
*/
if((lp_security() == SEC_SHARE) && (current_user.conn == conn) &&
(current_user.ut.uid == conn->session_info->unix_token->uid)) {
DEBUG(4,("Skipping user change - already "
"user\n"));
return(True);
} else if ((current_user.conn == conn) &&
if ((current_user.conn == conn) &&
(vuser != NULL) && (current_user.vuid == vuid) &&
(current_user.ut.uid == vuser->session_info->unix_token->uid)) {
DEBUG(4,("Skipping user change - already "
@ -308,16 +296,15 @@ bool change_to_user(connection_struct *conn, uint16_t vuid)
return(True);
}
session_info = vuser ? vuser->session_info : conn->session_info;
if (session_info == NULL) {
/* Invalid vuid sent - even with security = share. */
if (vuser == NULL) {
/* Invalid vuid sent */
DEBUG(2,("Invalid vuid %d used on "
"share %s.\n", vuid, lp_servicename(snum) ));
return false;
}
/* security = share sets force_user. */
session_info = vuser->session_info;
if (!conn->force_user && vuser == NULL) {
DEBUG(2,("Invalid vuid used %d in accessing "
"share %s.\n", vuid, lp_servicename(snum) ));

View File

@ -418,10 +418,6 @@ static int traverse_sessionid(const char *key, struct sessionid *session,
d_printf("\nSamba version %s\n",samba_version_string());
d_printf("PID Username Group Machine \n");
d_printf("-------------------------------------------------------------------\n");
if (lp_security() == SEC_SHARE) {
d_printf(" <processes do not show up in "
"anonymous mode>\n");
}
sessionid_traverse_read(traverse_sessionid, NULL);

View File

@ -237,15 +237,6 @@ static bool test_server_role_security_domain(struct torture_context *tctx)
return true;
}
static bool test_server_role_security_share(struct torture_context *tctx)
{
struct loadparm_context *lp_ctx = loadparm_init(tctx);
torture_assert(tctx, lpcfg_set_option(lp_ctx, "security=share"), "lpcfg_set_option failed");
torture_assert_int_equal(tctx, lpcfg_server_role(lp_ctx), ROLE_STANDALONE, "ROLE should be STANDALONE");
torture_assert_int_equal(tctx, lpcfg_security(lp_ctx), SEC_SHARE, "security should be share");
return true;
}
static bool test_server_role_security_server(struct torture_context *tctx)
{
struct loadparm_context *lp_ctx = loadparm_init(tctx);
@ -282,7 +273,6 @@ struct torture_suite *torture_local_loadparm(TALLOC_CTX *mem_ctx)
torture_suite_add_simple_test(suite, "test_server_role_dc_domain_logons_and_not_master", test_server_role_dc_domain_logons_and_not_master);
torture_suite_add_simple_test(suite, "test_server_role_security_ads", test_server_role_security_ads);
torture_suite_add_simple_test(suite, "test_server_role_security_domain", test_server_role_security_domain);
torture_suite_add_simple_test(suite, "test_server_role_security_share", test_server_role_security_share);
torture_suite_add_simple_test(suite, "test_server_role_security_server", test_server_role_security_server);
return suite;