git.samba.org / samba.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Merge Samba3 and Samba4 together
[samba.git] / source3 / smbd / service.c
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index 974af8393246a2e867174bfe38e8ff0206acd47c..0b851f1e481b71a3b743474ae65fedcd8c561d05 100644 (file)
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -523,31 +523,6 @@ static NTSTATUS share_sanity_checks(int snum, fstring dev)
        return NT_STATUS_OK;
 }
 
-static NTSTATUS find_forced_user(connection_struct *conn, bool vuser_is_guest, fstring username)
-{
-       int snum = conn->params->service;
-       char *fuser, *found_username;
-       NTSTATUS result;
-
-       if (!(fuser = talloc_string_sub(conn, lp_force_user(snum), "%S",
-                                       lp_servicename(snum)))) {
-               return NT_STATUS_NO_MEMORY;
-       }
-
-       result = create_token_from_username(conn, fuser, vuser_is_guest,
-                                           &conn->uid, &conn->gid, &found_username,
-                                           &conn->nt_user_token);
-       if (!NT_STATUS_IS_OK(result)) {
-               return result;
-       }
-
-       fstrcpy(username, found_username);
-
-       TALLOC_FREE(fuser);
-       TALLOC_FREE(found_username);
-       return NT_STATUS_OK;
-}
-
 /*
  * Go through lookup_name etc to find the force'd group.  
  *
@@ -568,9 +543,6 @@ static NTSTATUS find_forced_group(bool force_user,
        bool user_must_be_member = False;
        gid_t gid;
 
-       ZERO_STRUCTP(pgroup_sid);
-       *pgid = (gid_t)-1;
-
        groupname = talloc_strdup(talloc_tos(), lp_force_group(snum));
        if (groupname == NULL) {
                DEBUG(1, ("talloc_strdup failed\n"));
@@ -585,6 +557,11 @@ static NTSTATUS find_forced_group(bool force_user,
 
        groupname = talloc_string_sub(talloc_tos(), groupname,
                                      "%S", lp_servicename(snum));
+       if (groupname == NULL) {
+               DEBUG(1, ("talloc_string_sub failed\n"));
+               result = NT_STATUS_NO_MEMORY;
+               goto done;
+       }
 
        if (!lookup_name_smbconf(talloc_tos(), groupname,
                         LOOKUP_NAME_ALL|LOOKUP_NAME_GROUP,
@@ -669,6 +646,7 @@ static NTSTATUS create_connection_server_info(TALLOC_CTX *mem_ctx, int snum,
                         }
                 } else {
                         if (!user_ok_token(vuid_serverinfo->unix_name,
+                                          pdb_get_domain(vuid_serverinfo->sam_account),
                                            vuid_serverinfo->ptok, snum)) {
                                 DEBUG(2, ("user '%s' (from session setup) not "
                                           "permitted to access this share "
@@ -748,7 +726,6 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser,
        }
 
        conn->params->service = snum;
-       conn->nt_user_token = NULL;
 
        status = create_connection_server_info(
                conn, snum, vuser ? vuser->server_info : NULL, password,
@@ -762,21 +739,11 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser,
                return NULL;
        }
 
-       if (lp_guest_only(snum)) {
-               string_set(&conn->user, conn->server_info->unix_name);
+       if ((lp_guest_only(snum)) || (lp_security() == SEC_SHARE)) {
                conn->force_user = true;
-               DEBUG(3,("Guest only user %s\n", conn->user));
-       } else if (vuser) {
-               conn->vuid = vuser->vuid;
-               conn->uid = vuser->server_info->uid;
-               conn->gid = vuser->server_info->gid;
-               string_set(&conn->user,vuser->server_info->unix_name);
-       } else if (lp_security() == SEC_SHARE) {
-               string_set(&conn->user, conn->server_info->unix_name);
-               conn->force_user = True;
        }
 
-       add_session_user(conn->user);
+       add_session_user(conn->server_info->unix_name);
 
        safe_strcpy(conn->client_address,
                        client_addr(get_client_fd(),addr,sizeof(addr)), 
@@ -812,105 +779,69 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser,
        conn->read_only = lp_readonly(SNUM(conn));
        conn->admin_user = False;
 
-       /*
-        * If force user is true, then store the given userid and the gid of
-        * the user we're forcing.
-        * For auxiliary groups see below.
-        */
-       
        if (*lp_force_user(snum)) {
-               status = find_forced_user(conn,
-                               (vuser != NULL) && vuser->server_info->guest,
-                               conn->user);
+
+               /*
+                * Replace conn->server_info with a completely faked up one
+                * from the username we are forced into :-)
+                */
+
+               char *fuser;
+               struct auth_serversupplied_info *forced_serverinfo;
+
+               fuser = talloc_string_sub(conn, lp_force_user(snum), "%S",
+                                         lp_servicename(snum));
+               if (fuser == NULL) {
+                       conn_free(conn);
+                       *pstatus = NT_STATUS_NO_MEMORY;
+                       return NULL;
+               }
+
+               status = make_serverinfo_from_username(
+                       conn, fuser, conn->server_info->guest,
+                       &forced_serverinfo);
                if (!NT_STATUS_IS_OK(status)) {
                        conn_free(conn);
                        *pstatus = status;
                        return NULL;
                }
+
+               TALLOC_FREE(conn->server_info);
+               conn->server_info = forced_serverinfo;
+
                conn->force_user = True;
-               DEBUG(3,("Forced user %s\n",conn->user));
+               DEBUG(3,("Forced user %s\n", fuser));
        }
 
        /*
         * If force group is true, then override
         * any groupid stored for the connecting user.
         */
-       
+
        if (*lp_force_group(snum)) {
-               DOM_SID group_sid;
 
-               status = find_forced_group(conn->force_user, snum,
-                                          conn->user,
-                                          &group_sid, &conn->gid);
+               status = find_forced_group(
+                       conn->force_user, snum, conn->server_info->unix_name,
+                       &conn->server_info->ptok->user_sids[1],
+                       &conn->server_info->utok.gid);
+
                if (!NT_STATUS_IS_OK(status)) {
                        conn_free(conn);
                        *pstatus = status;
                        return NULL;
                }
-
-               if ((conn->nt_user_token == NULL) && (vuser != NULL)) {
-
-                       /* Not force user and not security=share, but force
-                        * group. vuser has a token to copy */
-                       
-                       conn->nt_user_token = dup_nt_token(
-                               NULL, vuser->server_info->ptok);
-                       if (conn->nt_user_token == NULL) {
-                               DEBUG(0, ("dup_nt_token failed\n"));
-                               conn_free(conn);
-                               *pstatus = NT_STATUS_NO_MEMORY;
-                               return NULL;
-                       }
-               }
-
-               /* If conn->nt_user_token is still NULL, we have
-                * security=share. This means ignore the SID, as we had no
-                * vuser to copy from */
-
-               if (conn->nt_user_token != NULL) {
-                       /* Overwrite the primary group sid */
-                       sid_copy(&conn->nt_user_token->user_sids[1],
-                                &group_sid);
-
-               }
        }
 
-       if (conn->nt_user_token != NULL) {
-               size_t i;
-
-               /* We have a share-specific token from force [user|group].
-                * This means we have to create the list of unix groups from
-                * the list of sids. */
-
-               conn->ngroups = 0;
-               conn->groups = NULL;
-
-               for (i=0; i<conn->nt_user_token->num_sids; i++) {
-                       gid_t gid;
-                       DOM_SID *sid = &conn->nt_user_token->user_sids[i];
-
-                       if (!sid_to_gid(sid, &gid)) {
-                               DEBUG(10, ("Could not convert SID %s to gid, "
-                                          "ignoring it\n",
-                                          sid_string_dbg(sid)));
-                               continue;
-                       }
-                       if (!add_gid_to_array_unique(conn, gid, &conn->groups,
-                                               &conn->ngroups)) {
-                               DEBUG(0, ("add_gid_to_array_unique failed\n"));
-                               conn_free(conn);
-                               *pstatus = NT_STATUS_NO_MEMORY;
-                               return NULL;
-                       }
-               }
-       }
+       conn->vuid = (vuser != NULL) ? vuser->vuid : UID_FIELD_INVALID;
 
        {
                char *s = talloc_sub_advanced(talloc_tos(),
-                                       lp_servicename(SNUM(conn)), conn->user,
-                                       conn->connectpath, conn->gid,
-                                       get_current_username(),
-                                       current_user_info.domain,
+                                       lp_servicename(SNUM(conn)),
+                                       conn->server_info->unix_name,
+                                       conn->connectpath,
+                                       conn->server_info->utok.gid,
+                                       conn->server_info->sanitized_username,
+                                       pdb_get_domain(conn->server_info->sam_account),
                                        lp_pathname(snum));
                if (!s) {
                        conn_free(conn);
@@ -938,32 +869,13 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser,
 
        {
                bool can_write = False;
-               NT_USER_TOKEN *token = conn->nt_user_token ?
-                       conn->nt_user_token :
-                       (vuser ? vuser->server_info->ptok : NULL);
-
-               /*
-                * I don't believe this can happen. But the
-                * logic above is convoluted enough to confuse
-                * automated checkers, so be sure. JRA.
-                */
-
-               if (token == NULL) {
-                       DEBUG(0,("make_connection: connection to %s "
-                                "denied due to missing "
-                                "NT token.\n",
-                                 lp_servicename(snum)));
-                       conn_free(conn);
-                       *pstatus = NT_STATUS_ACCESS_DENIED;
-                       return NULL;
-               }
 
-               can_write = share_access_check(token,
-                                                   lp_servicename(snum),
-                                                   FILE_WRITE_DATA);
+               can_write = share_access_check(conn->server_info->ptok,
+                                              lp_servicename(snum),
+                                              FILE_WRITE_DATA);
 
                if (!can_write) {
-                       if (!share_access_check(token,
+                       if (!share_access_check(conn->server_info->ptok,
                                                lp_servicename(snum),
                                                FILE_READ_DATA)) {
                                /* No access, read or write. */
@@ -1046,10 +958,12 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser,
        /* execute any "root preexec = " line */
        if (*lp_rootpreexec(snum)) {
                char *cmd = talloc_sub_advanced(talloc_tos(),
-                                       lp_servicename(SNUM(conn)), conn->user,
-                                       conn->connectpath, conn->gid,
-                                       get_current_username(),
-                                       current_user_info.domain,
+                                       lp_servicename(SNUM(conn)),
+                                       conn->server_info->unix_name,
+                                       conn->connectpath,
+                                       conn->server_info->utok.gid,
+                                       conn->server_info->sanitized_username,
+                                       pdb_get_domain(conn->server_info->sam_account),
                                        lp_rootpreexec(snum));
                DEBUG(5,("cmd=%s\n",cmd));
                ret = smbrun(cmd,NULL);
@@ -1083,10 +997,12 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser,
        /* execute any "preexec = " line */
        if (*lp_preexec(snum)) {
                char *cmd = talloc_sub_advanced(talloc_tos(),
-                                       lp_servicename(SNUM(conn)), conn->user,
-                                       conn->connectpath, conn->gid,
-                                       get_current_username(),
-                                       current_user_info.domain,
+                                       lp_servicename(SNUM(conn)),
+                                       conn->server_info->unix_name,
+                                       conn->connectpath,
+                                       conn->server_info->utok.gid,
+                                       conn->server_info->sanitized_username,
+                                       pdb_get_domain(conn->server_info->sam_account),
                                        lp_preexec(snum));
                ret = smbrun(cmd,NULL);
                TALLOC_FREE(cmd);
@@ -1109,13 +1025,16 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser,
                set_namearray( &conn->veto_list, lp_veto_files(snum));
                set_namearray( &conn->hide_list, lp_hide_files(snum));
                set_namearray( &conn->veto_oplock_list, lp_veto_oplocks(snum));
+               set_namearray( &conn->aio_write_behind_list,
+                               lp_aio_write_behind(snum));
        }
        
        /* Invoke VFS make connection hook - do this before the VFS_STAT call
           to allow any filesystems needing user credentials to initialize
           themselves. */
 
-       if (SMB_VFS_CONNECT(conn, lp_servicename(snum), conn->user) < 0) {
+       if (SMB_VFS_CONNECT(conn, lp_servicename(snum),
+                           conn->server_info->unix_name) < 0) {
                DEBUG(0,("make_connection: VFS make connection failed!\n"));
                *pstatus = NT_STATUS_UNSUCCESSFUL;
                goto err_root_exit;
@@ -1182,7 +1101,8 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser,
                         conn->client_address );
                dbgtext( "%s", srv_is_signing_active() ? "signed " : "");
                dbgtext( "connect to service %s ", lp_servicename(snum) );
-               dbgtext( "initially as user %s ", conn->user );
+               dbgtext( "initially as user %s ",
+                        conn->server_info->unix_name );
                dbgtext( "(uid=%d, gid=%d) ", (int)geteuid(), (int)getegid() );
                dbgtext( "(pid %d)\n", (int)sys_getpid() );
        }
@@ -1223,7 +1143,7 @@ connection_struct *make_connection_with_chdir(const char *service_in,
         */
         
        if ( conn && vfs_ChDir(conn,conn->connectpath) != 0 ) {
-               DEBUG(0,("move_driver_to_download_area: Can't change "
+               DEBUG(0,("make_connection_with_chdir: Can't change "
                         "directory to %s for [print$] (%s)\n",
                         conn->connectpath,strerror(errno)));
                yield_connection(conn, lp_servicename(SNUM(conn)));
@@ -1402,10 +1322,12 @@ void close_cnum(connection_struct *conn, uint16 vuid)
        if (*lp_postexec(SNUM(conn)) && 
            change_to_user(conn, vuid))  {
                char *cmd = talloc_sub_advanced(talloc_tos(),
-                                       lp_servicename(SNUM(conn)), conn->user,
-                                       conn->connectpath, conn->gid,
-                                       get_current_username(),
-                                       current_user_info.domain,
+                                       lp_servicename(SNUM(conn)),
+                                       conn->server_info->unix_name,
+                                       conn->connectpath,
+                                       conn->server_info->utok.gid,
+                                       conn->server_info->sanitized_username,
+                                       pdb_get_domain(conn->server_info->sam_account),
                                        lp_postexec(SNUM(conn)));
                smbrun(cmd,NULL);
                TALLOC_FREE(cmd);
@@ -1416,10 +1338,12 @@ void close_cnum(connection_struct *conn, uint16 vuid)
        /* execute any "root postexec = " line */
        if (*lp_rootpostexec(SNUM(conn)))  {
                char *cmd = talloc_sub_advanced(talloc_tos(),
-                                       lp_servicename(SNUM(conn)), conn->user,
-                                       conn->connectpath, conn->gid,
-                                       get_current_username(),
-                                       current_user_info.domain,
+                                       lp_servicename(SNUM(conn)),
+                                       conn->server_info->unix_name,
+                                       conn->connectpath,
+                                       conn->server_info->utok.gid,
+                                       conn->server_info->sanitized_username,
+                                       pdb_get_domain(conn->server_info->sam_account),
                                        lp_rootpostexec(SNUM(conn)));
                smbrun(cmd,NULL);
                TALLOC_FREE(cmd);
Samba Shared Repository