return NT_STATUS_OK;
}
-static NTSTATUS find_forced_user(connection_struct *conn, bool vuser_is_guest, fstring username)
-{
- int snum = conn->params->service;
- char *fuser, *found_username;
- NTSTATUS result;
-
- if (!(fuser = talloc_string_sub(conn, lp_force_user(snum), "%S",
- lp_servicename(snum)))) {
- return NT_STATUS_NO_MEMORY;
- }
-
- result = create_token_from_username(conn, fuser, vuser_is_guest,
- &conn->uid, &conn->gid, &found_username,
- &conn->nt_user_token);
- if (!NT_STATUS_IS_OK(result)) {
- return result;
- }
-
- fstrcpy(username, found_username);
-
- TALLOC_FREE(fuser);
- TALLOC_FREE(found_username);
- return NT_STATUS_OK;
-}
-
/*
* Go through lookup_name etc to find the force'd group.
*
bool user_must_be_member = False;
gid_t gid;
- ZERO_STRUCTP(pgroup_sid);
- *pgid = (gid_t)-1;
-
groupname = talloc_strdup(talloc_tos(), lp_force_group(snum));
if (groupname == NULL) {
DEBUG(1, ("talloc_strdup failed\n"));
groupname = talloc_string_sub(talloc_tos(), groupname,
"%S", lp_servicename(snum));
+ if (groupname == NULL) {
+ DEBUG(1, ("talloc_string_sub failed\n"));
+ result = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
if (!lookup_name_smbconf(talloc_tos(), groupname,
LOOKUP_NAME_ALL|LOOKUP_NAME_GROUP,
}
} else {
if (!user_ok_token(vuid_serverinfo->unix_name,
+ pdb_get_domain(vuid_serverinfo->sam_account),
vuid_serverinfo->ptok, snum)) {
DEBUG(2, ("user '%s' (from session setup) not "
"permitted to access this share "
}
conn->params->service = snum;
- conn->nt_user_token = NULL;
status = create_connection_server_info(
conn, snum, vuser ? vuser->server_info : NULL, password,
return NULL;
}
- if (lp_guest_only(snum)) {
- string_set(&conn->user, conn->server_info->unix_name);
+ if ((lp_guest_only(snum)) || (lp_security() == SEC_SHARE)) {
conn->force_user = true;
- DEBUG(3,("Guest only user %s\n", conn->user));
- } else if (vuser) {
- conn->vuid = vuser->vuid;
- conn->uid = vuser->server_info->uid;
- conn->gid = vuser->server_info->gid;
- string_set(&conn->user,vuser->server_info->unix_name);
- } else if (lp_security() == SEC_SHARE) {
- string_set(&conn->user, conn->server_info->unix_name);
- conn->force_user = True;
}
- add_session_user(conn->user);
+ add_session_user(conn->server_info->unix_name);
safe_strcpy(conn->client_address,
client_addr(get_client_fd(),addr,sizeof(addr)),
conn->read_only = lp_readonly(SNUM(conn));
conn->admin_user = False;
- /*
- * If force user is true, then store the given userid and the gid of
- * the user we're forcing.
- * For auxiliary groups see below.
- */
-
if (*lp_force_user(snum)) {
- status = find_forced_user(conn,
- (vuser != NULL) && vuser->server_info->guest,
- conn->user);
+
+ /*
+ * Replace conn->server_info with a completely faked up one
+ * from the username we are forced into :-)
+ */
+
+ char *fuser;
+ struct auth_serversupplied_info *forced_serverinfo;
+
+ fuser = talloc_string_sub(conn, lp_force_user(snum), "%S",
+ lp_servicename(snum));
+ if (fuser == NULL) {
+ conn_free(conn);
+ *pstatus = NT_STATUS_NO_MEMORY;
+ return NULL;
+ }
+
+ status = make_serverinfo_from_username(
+ conn, fuser, conn->server_info->guest,
+ &forced_serverinfo);
if (!NT_STATUS_IS_OK(status)) {
conn_free(conn);
*pstatus = status;
return NULL;
}
+
+ TALLOC_FREE(conn->server_info);
+ conn->server_info = forced_serverinfo;
+
conn->force_user = True;
- DEBUG(3,("Forced user %s\n",conn->user));
+ DEBUG(3,("Forced user %s\n", fuser));
}
/*
* If force group is true, then override
* any groupid stored for the connecting user.
*/
-
+
if (*lp_force_group(snum)) {
- DOM_SID group_sid;
- status = find_forced_group(conn->force_user, snum,
- conn->user,
- &group_sid, &conn->gid);
+ status = find_forced_group(
+ conn->force_user, snum, conn->server_info->unix_name,
+ &conn->server_info->ptok->user_sids[1],
+ &conn->server_info->utok.gid);
+
if (!NT_STATUS_IS_OK(status)) {
conn_free(conn);
*pstatus = status;
return NULL;
}
-
- if ((conn->nt_user_token == NULL) && (vuser != NULL)) {
-
- /* Not force user and not security=share, but force
- * group. vuser has a token to copy */
-
- conn->nt_user_token = dup_nt_token(
- NULL, vuser->server_info->ptok);
- if (conn->nt_user_token == NULL) {
- DEBUG(0, ("dup_nt_token failed\n"));
- conn_free(conn);
- *pstatus = NT_STATUS_NO_MEMORY;
- return NULL;
- }
- }
-
- /* If conn->nt_user_token is still NULL, we have
- * security=share. This means ignore the SID, as we had no
- * vuser to copy from */
-
- if (conn->nt_user_token != NULL) {
- /* Overwrite the primary group sid */
- sid_copy(&conn->nt_user_token->user_sids[1],
- &group_sid);
-
- }
}
- if (conn->nt_user_token != NULL) {
- size_t i;
-
- /* We have a share-specific token from force [user|group].
- * This means we have to create the list of unix groups from
- * the list of sids. */
-
- conn->ngroups = 0;
- conn->groups = NULL;
-
- for (i=0; i<conn->nt_user_token->num_sids; i++) {
- gid_t gid;
- DOM_SID *sid = &conn->nt_user_token->user_sids[i];
-
- if (!sid_to_gid(sid, &gid)) {
- DEBUG(10, ("Could not convert SID %s to gid, "
- "ignoring it\n",
- sid_string_dbg(sid)));
- continue;
- }
- if (!add_gid_to_array_unique(conn, gid, &conn->groups,
- &conn->ngroups)) {
- DEBUG(0, ("add_gid_to_array_unique failed\n"));
- conn_free(conn);
- *pstatus = NT_STATUS_NO_MEMORY;
- return NULL;
- }
- }
- }
+ conn->vuid = (vuser != NULL) ? vuser->vuid : UID_FIELD_INVALID;
{
char *s = talloc_sub_advanced(talloc_tos(),
- lp_servicename(SNUM(conn)), conn->user,
- conn->connectpath, conn->gid,
- get_current_username(),
- current_user_info.domain,
+ lp_servicename(SNUM(conn)),
+ conn->server_info->unix_name,
+ conn->connectpath,
+ conn->server_info->utok.gid,
+ conn->server_info->sanitized_username,
+ pdb_get_domain(conn->server_info->sam_account),
lp_pathname(snum));
if (!s) {
conn_free(conn);
{
bool can_write = False;
- NT_USER_TOKEN *token = conn->nt_user_token ?
- conn->nt_user_token :
- (vuser ? vuser->server_info->ptok : NULL);
-
- /*
- * I don't believe this can happen. But the
- * logic above is convoluted enough to confuse
- * automated checkers, so be sure. JRA.
- */
-
- if (token == NULL) {
- DEBUG(0,("make_connection: connection to %s "
- "denied due to missing "
- "NT token.\n",
- lp_servicename(snum)));
- conn_free(conn);
- *pstatus = NT_STATUS_ACCESS_DENIED;
- return NULL;
- }
- can_write = share_access_check(token,
- lp_servicename(snum),
- FILE_WRITE_DATA);
+ can_write = share_access_check(conn->server_info->ptok,
+ lp_servicename(snum),
+ FILE_WRITE_DATA);
if (!can_write) {
- if (!share_access_check(token,
+ if (!share_access_check(conn->server_info->ptok,
lp_servicename(snum),
FILE_READ_DATA)) {
/* No access, read or write. */
/* execute any "root preexec = " line */
if (*lp_rootpreexec(snum)) {
char *cmd = talloc_sub_advanced(talloc_tos(),
- lp_servicename(SNUM(conn)), conn->user,
- conn->connectpath, conn->gid,
- get_current_username(),
- current_user_info.domain,
+ lp_servicename(SNUM(conn)),
+ conn->server_info->unix_name,
+ conn->connectpath,
+ conn->server_info->utok.gid,
+ conn->server_info->sanitized_username,
+ pdb_get_domain(conn->server_info->sam_account),
lp_rootpreexec(snum));
DEBUG(5,("cmd=%s\n",cmd));
ret = smbrun(cmd,NULL);
/* execute any "preexec = " line */
if (*lp_preexec(snum)) {
char *cmd = talloc_sub_advanced(talloc_tos(),
- lp_servicename(SNUM(conn)), conn->user,
- conn->connectpath, conn->gid,
- get_current_username(),
- current_user_info.domain,
+ lp_servicename(SNUM(conn)),
+ conn->server_info->unix_name,
+ conn->connectpath,
+ conn->server_info->utok.gid,
+ conn->server_info->sanitized_username,
+ pdb_get_domain(conn->server_info->sam_account),
lp_preexec(snum));
ret = smbrun(cmd,NULL);
TALLOC_FREE(cmd);
set_namearray( &conn->veto_list, lp_veto_files(snum));
set_namearray( &conn->hide_list, lp_hide_files(snum));
set_namearray( &conn->veto_oplock_list, lp_veto_oplocks(snum));
+ set_namearray( &conn->aio_write_behind_list,
+ lp_aio_write_behind(snum));
}
/* Invoke VFS make connection hook - do this before the VFS_STAT call
to allow any filesystems needing user credentials to initialize
themselves. */
- if (SMB_VFS_CONNECT(conn, lp_servicename(snum), conn->user) < 0) {
+ if (SMB_VFS_CONNECT(conn, lp_servicename(snum),
+ conn->server_info->unix_name) < 0) {
DEBUG(0,("make_connection: VFS make connection failed!\n"));
*pstatus = NT_STATUS_UNSUCCESSFUL;
goto err_root_exit;
conn->client_address );
dbgtext( "%s", srv_is_signing_active() ? "signed " : "");
dbgtext( "connect to service %s ", lp_servicename(snum) );
- dbgtext( "initially as user %s ", conn->user );
+ dbgtext( "initially as user %s ",
+ conn->server_info->unix_name );
dbgtext( "(uid=%d, gid=%d) ", (int)geteuid(), (int)getegid() );
dbgtext( "(pid %d)\n", (int)sys_getpid() );
}
*/
if ( conn && vfs_ChDir(conn,conn->connectpath) != 0 ) {
- DEBUG(0,("move_driver_to_download_area: Can't change "
+ DEBUG(0,("make_connection_with_chdir: Can't change "
"directory to %s for [print$] (%s)\n",
conn->connectpath,strerror(errno)));
yield_connection(conn, lp_servicename(SNUM(conn)));
if (*lp_postexec(SNUM(conn)) &&
change_to_user(conn, vuid)) {
char *cmd = talloc_sub_advanced(talloc_tos(),
- lp_servicename(SNUM(conn)), conn->user,
- conn->connectpath, conn->gid,
- get_current_username(),
- current_user_info.domain,
+ lp_servicename(SNUM(conn)),
+ conn->server_info->unix_name,
+ conn->connectpath,
+ conn->server_info->utok.gid,
+ conn->server_info->sanitized_username,
+ pdb_get_domain(conn->server_info->sam_account),
lp_postexec(SNUM(conn)));
smbrun(cmd,NULL);
TALLOC_FREE(cmd);
/* execute any "root postexec = " line */
if (*lp_rootpostexec(SNUM(conn))) {
char *cmd = talloc_sub_advanced(talloc_tos(),
- lp_servicename(SNUM(conn)), conn->user,
- conn->connectpath, conn->gid,
- get_current_username(),
- current_user_info.domain,
+ lp_servicename(SNUM(conn)),
+ conn->server_info->unix_name,
+ conn->connectpath,
+ conn->server_info->utok.gid,
+ conn->server_info->sanitized_username,
+ pdb_get_domain(conn->server_info->sam_account),
lp_rootpostexec(SNUM(conn)));
smbrun(cmd,NULL);
TALLOC_FREE(cmd);