s3-auth Use struct auth_user_info_unix for unix_name and sanitized_username

[ira/wip.git] / source3 / smbd / password.c

diff --git a/source3/smbd/password.c b/source3/smbd/password.c
index e85f23074f0853f2c24f41179de3d694ccd9b676..08b53a818ee33b09f2c0a3de3da8ed93bc5f1d30 100644 (file)
--- a/source3/smbd/password.c
+++ b/source3/smbd/password.c
@@ -19,7 +19,22 @@
 */
 
 #include "includes.h"
+#include "system/passwd.h"
+#include "smbd/smbd.h"
 #include "smbd/globals.h"
+#include "../librpc/gen_ndr/netlogon.h"
+#include "auth.h"
+
+/* Fix up prototypes for OSX 10.4, where they're missing */
+#ifndef HAVE_SETNETGRENT_PROTOTYPE
+extern int setnetgrent(const char* netgroup);
+#endif
+#ifndef HAVE_GETNETGRENT_PROTOTYPE
+extern int getnetgrent(char **host, char **user, char **domain);
+#endif
+#ifndef HAVE_ENDNETGRENT_PROTOTYPE
+extern void endnetgrent(void);
+#endif
 
 enum server_allocated_state { SERVER_ALLOCATED_REQUIRED_YES,
                                SERVER_ALLOCATED_REQUIRED_NO,
@@ -41,12 +56,12 @@ static user_struct *get_valid_user_struct_internal(
                if (vuid == usp->vuid) {
                        switch (server_allocated) {
                                case SERVER_ALLOCATED_REQUIRED_YES:
-                                       if (usp->server_info == NULL) {
+                                       if (usp->session_info == NULL) {
                                                continue;
                                        }
                                        break;
                                case SERVER_ALLOCATED_REQUIRED_NO:
-                                       if (usp->server_info != NULL) {
+                                       if (usp->session_info != NULL) {
                                                continue;
                                        }
                                case SERVER_ALLOCATED_REQUIRED_ANY:
@@ -109,7 +124,7 @@ void invalidate_vuid(struct smbd_server_connection *sconn, uint16 vuid)
        session_yield(vuser);
 
        if (vuser->auth_ntlmssp_state) {
-               auth_ntlmssp_end(&vuser->auth_ntlmssp_state);
+               TALLOC_FREE(vuser->auth_ntlmssp_state);
        }
 
        DLIST_REMOVE(sconn->smb1.sessions.validated_users, vuser);
@@ -128,7 +143,7 @@ void invalidate_vuid(struct smbd_server_connection *sconn, uint16 vuid)
 
 void invalidate_all_vuids(struct smbd_server_connection *sconn)
 {
-       if (sconn->allow_smb2) {
+       if (sconn->using_smb2) {
                return;
        }
 
@@ -210,7 +225,7 @@ int register_homes_share(const char *username)
                return result;
        }
 
-       pwd = getpwnam_alloc(talloc_tos(), username);
+       pwd = Get_Pwnam_alloc(talloc_tos(), username);
 
        if ((pwd == NULL) || (pwd->pw_dir[0] == '\0')) {
                DEBUG(3, ("No home directory defined for user '%s'\n",
@@ -230,7 +245,7 @@ int register_homes_share(const char *username)
 
 /**
  *  register that a valid login has been performed, establish 'session'.
- *  @param server_info The token returned from the authentication process.
+ *  @param session_info The token returned from the authentication process.
  *   (now 'owned' by register_existing_vuid)
  *
  *  @param session_key The User session key for the login session (now also
@@ -248,7 +263,7 @@ int register_homes_share(const char *username)
 
 int register_existing_vuid(struct smbd_server_connection *sconn,
                        uint16 vuid,
-                       struct auth_serversupplied_info *server_info,
+                       struct auth3_session_info *session_info,
                        DATA_BLOB response_blob,
                        const char *smb_name)
 {
@@ -261,37 +276,44 @@ int register_existing_vuid(struct smbd_server_connection *sconn,
        }
 
        /* Use this to keep tabs on all our info from the authentication */
-       vuser->server_info = talloc_move(vuser, &server_info);
+       vuser->session_info = talloc_move(vuser, &session_info);
 
        /* This is a potentially untrusted username */
        alpha_strcpy(tmp, smb_name, ". _-$", sizeof(tmp));
 
-       vuser->server_info->sanitized_username = talloc_strdup(
-               vuser->server_info, tmp);
+       vuser->session_info->unix_info->sanitized_username = talloc_strdup(
+               vuser->session_info, tmp);
+
+       /* Make clear that we require the optional unix_token and unix_info in the source3 code */
+       SMB_ASSERT(vuser->session_info->unix_token);
+       SMB_ASSERT(vuser->session_info->unix_info);
 
        DEBUG(10,("register_existing_vuid: (%u,%u) %s %s %s guest=%d\n",
-                 (unsigned int)vuser->server_info->utok.uid,
-                 (unsigned int)vuser->server_info->utok.gid,
-                 vuser->server_info->unix_name,
-                 vuser->server_info->sanitized_username,
-                 vuser->server_info->info3->base.domain.string,
-                 vuser->server_info->guest ));
+                 (unsigned int)vuser->session_info->unix_token->uid,
+                 (unsigned int)vuser->session_info->unix_token->gid,
+                 vuser->session_info->unix_info->unix_name,
+                 vuser->session_info->unix_info->sanitized_username,
+                 vuser->session_info->info3->base.domain.string,
+                 vuser->session_info->guest ));
 
        DEBUG(3, ("register_existing_vuid: User name: %s\t"
-                 "Real name: %s\n", vuser->server_info->unix_name,
-                 vuser->server_info->info3->base.full_name.string));
+                 "Real name: %s\n", vuser->session_info->unix_info->unix_name,
+                 vuser->session_info->info3->base.full_name.string));
 
-       if (!vuser->server_info->ptok) {
-               DEBUG(1, ("register_existing_vuid: server_info does not "
+       if (!vuser->session_info->security_token) {
+               DEBUG(1, ("register_existing_vuid: session_info does not "
                        "contain a user_token - cannot continue\n"));
                goto fail;
        }
 
+       /* Make clear that we require the optional unix_token in the source3 code */
+       SMB_ASSERT(vuser->session_info->unix_token);
+
        DEBUG(3,("register_existing_vuid: UNIX uid %d is UNIX user %s, "
-               "and will be vuid %u\n", (int)vuser->server_info->utok.uid,
-                vuser->server_info->unix_name, vuser->vuid));
+               "and will be vuid %u\n", (int)vuser->session_info->unix_token->uid,
+                vuser->session_info->unix_info->unix_name, vuser->vuid));
 
-       if (!session_claim(vuser)) {
+       if (!session_claim(sconn, vuser)) {
                DEBUG(1, ("register_existing_vuid: Failed to claim session "
                        "for vuid=%d\n",
                        vuser->vuid));
@@ -306,25 +328,25 @@ int register_existing_vuid(struct smbd_server_connection *sconn,
 
        vuser->homes_snum = -1;
 
-       if (!vuser->server_info->guest) {
+       if (!vuser->session_info->guest) {
                vuser->homes_snum = register_homes_share(
-                       vuser->server_info->unix_name);
+                       vuser->session_info->unix_info->unix_name);
        }
 
-       if (srv_is_signing_negotiated(smbd_server_conn) &&
-           !vuser->server_info->guest) {
+       if (srv_is_signing_negotiated(sconn) &&
+           !vuser->session_info->guest) {
                /* Try and turn on server signing on the first non-guest
                 * sessionsetup. */
-               srv_set_signing(smbd_server_conn,
-                               vuser->server_info->user_session_key,
+               srv_set_signing(sconn,
+                               vuser->session_info->session_key,
                                response_blob);
        }
 
        /* fill in the current_user_info struct */
        set_current_user_info(
-               vuser->server_info->sanitized_username,
-               vuser->server_info->unix_name,
-               vuser->server_info->info3->base.domain.string);
+               vuser->session_info->unix_info->sanitized_username,
+               vuser->session_info->unix_info->unix_name,
+               vuser->session_info->info3->base.domain.string);
 
        return vuser->vuid;
 
@@ -423,7 +445,7 @@ static bool user_ok(const char *user, int snum)
                         * around to pass to str_list_sub_basic() */
 
                        if ( invalid && str_list_sub_basic(invalid, "", "") ) {
-                               ret = !user_in_list(user,
+                               ret = !user_in_list(talloc_tos(), user,
                                                    (const char **)invalid);
                        }
                }
@@ -440,7 +462,7 @@ static bool user_ok(const char *user, int snum)
                         * around to pass to str_list_sub_basic() */
 
                        if ( valid && str_list_sub_basic(valid, "", "") ) {
-                               ret = user_in_list(user,
+                               ret = user_in_list(talloc_tos(), user,
                                                   (const char **)valid);
                        }
                }
@@ -453,7 +475,7 @@ static bool user_ok(const char *user, int snum)
                if (user_list &&
                    str_list_substitute(user_list, "%S",
                                        lp_servicename(snum))) {
-                       ret = user_in_list(user,
+                       ret = user_in_list(talloc_tos(), user,
                                           (const char **)user_list);
                }
                TALLOC_FREE(user_list);
@@ -480,7 +502,9 @@ static char *validate_group(struct smbd_server_connection *sconn,
                                if (user_ok(user, snum) &&
                                    password_ok(actx, enc,
                                                get_session_workgroup(sconn),
-                                               user,password)) {
+                                               user,
+                                               sconn->remote_address,
+                                               password)) {
                                        endnetgrent();
                                        return(user);
                                }
@@ -534,7 +558,7 @@ static char *validate_group(struct smbd_server_connection *sconn,
                                DEBUG(10,("validate_group: = gr_mem = "
                                          "%s\n", gptr->gr_mem[i]));
 
-                               safe_strcpy(member, gptr->gr_mem[i],
+                               strlcpy(member, gptr->gr_mem[i],
                                        list_len - (member-member_list));
                                member += member_len;
                        }
@@ -546,7 +570,9 @@ static char *validate_group(struct smbd_server_connection *sconn,
                                if (user_ok(member,snum) &&
                                    password_ok(actx, enc,
                                                get_session_workgroup(sconn),
-                                               member,password)) {
+                                               member,
+                                               sconn->remote_address,
+                                               password)) {
                                        char *name = talloc_strdup(talloc_tos(),
                                                                member);
                                        SAFE_FREE(member_list);
@@ -627,9 +653,11 @@ bool authorise_login(struct smbd_server_connection *sconn,
 
                        if (password_ok(actx, enc,
                                        get_session_workgroup(sconn),
-                                       user2,password)) {
+                                       user2,
+                                       sconn->remote_address,
+                                       password)) {
                                ok = True;
-                               fstrcpy(user,user2);
+                               strlcpy(user,user2,sizeof(fstring));
                                DEBUG(3,("authorise_login: ACCEPTED: session "
                                         "list username (%s) and given "
                                         "password ok\n", user));
@@ -678,9 +706,11 @@ bool authorise_login(struct smbd_server_connection *sconn,
                                if (user_ok(user2,snum) &&
                                    password_ok(actx, enc,
                                                get_session_workgroup(sconn),
-                                               user2,password)) {
+                                               user2,
+                                               sconn->remote_address,
+                                               password)) {
                                        ok = True;
-                                       fstrcpy(user,user2);
+                                       strlcpy(user,user2,sizeof(fstring));
                                        DEBUG(3,("authorise_login: ACCEPTED: "
                                                 "user list username and "
                                                 "given password ok (%s)\n",
@@ -699,7 +729,7 @@ bool authorise_login(struct smbd_server_connection *sconn,
                fstrcpy(guestname,lp_guestaccount());
                guest_pw = Get_Pwnam_alloc(talloc_tos(), guestname);
                if (guest_pw != NULL) {
-                       fstrcpy(user,guestname);
+                       strlcpy(user,guestname,sizeof(fstring));
                        ok = True;
                        DEBUG(3,("authorise_login: ACCEPTED: guest account "
                                 "and guest ok (%s)\n", user));