From: Andrew Bartlett
Date: Fri, 22 Jul 2011 01:33:52 +0000 (+1000)
Subject: s3-auth Move map to guest to directly after the check_password calls
X-Git-Tag: talloc-2.0.6~106
X-Git-Url: http://git.samba.org/?a=commitdiff_plain;h=8a650243b336f5a85ff119aa40c7744542c005e7;p=ddiss%2Fsamba.git
s3-auth Move map to guest to directly after the check_password calls
This means we no longer need two different map to guest functions and have consistent logic with fewer layering violations.
Andrew Bartlett
Signed-off-by: Andrew Tridgell
---
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index 61029bc95d8..2157d355d20 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -145,6 +145,10 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
 free_user_info(&user_info);
 if (!NT_STATUS_IS_OK(nt_status)) {
+ nt_status = do_map_to_guest_server_info(nt_status,
+ &auth_ntlmssp_state->server_info,
+ auth_ntlmssp_state->ntlmssp_state->user,
+ auth_ntlmssp_state->ntlmssp_state->domain);
 return nt_status;
 }
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index a261e39b7be..1621630b876 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
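Review bot: In auth_ntlmssp_check_password (source3/auth/auth_ntlmssp.c) the failure branch now rewrites `nt_status` through do_map_to_guest_server_info() and returns it from inside the `if (!NT_STATUS_IS_OK(nt_status))` block, so a guest-mapped logon leaves the function as a success before whatever follows that block; the body continues outside the hunk, so what is skipped cannot be seen here. The commit deletes the only comments that explained this, the ones in reply_spnego_ntlmssp and setup_ntlmssp_session_info saying the guest session deliberately has no session key, and I would carry that rationale over at the new call site, for example `/* map to guest: return without a session key, the password was wrong so there is no key the client would agree on */`. Because the mapping now sits in the shared NTLMSSP password check rather than in the SMB session-setup code, it presumably applies to every consumer of this callback, and the callers changed in sesssetup.c and smb2_sesssetup.c can no longer tell a guest-mapped success from a real one by status alone. It is worth confirming that each caller checks whether the resulting session is a guest one before it relies on signing or a session key.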
@@ -1580,3 +1580,35 @@ bool is_trusted_domain(const char* dom_name)
 return false;
 }
+
+
+/*
+ on a logon error possibly map the error to success if "map to guest"
+ is set approriately
+*/
+NTSTATUS do_map_to_guest_server_info(NTSTATUS status,
+ struct auth_serversupplied_info **server_info,
+ const char *user, const char *domain)
+{
+ user = user ? user : "";
+ domain = domain ? domain : "";
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
+ if ((lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER) ||
+ (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD)) {
+ DEBUG(3,("No such user %s [%s] - using guest account\n",
+ user, domain));
+ status = make_server_info_guest(NULL, server_info);
+ }
+ }
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
+ if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD) {
+ DEBUG(3,("Registered username %s for guest access\n",
+ user));
+ status = make_server_info_guest(NULL, server_info);
+ }
+ }
+
+ return status;
+}
diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index d51a3e6444d..f2b7875997c 100644
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -214,6 +214,10 @@ NTSTATUS make_user_info(struct auth_usersupplied_info **ret_user_info,
 enum auth_password_state password_state);
 void free_user_info(struct auth_usersupplied_info **user_info);
+NTSTATUS do_map_to_guest_server_info(NTSTATUS status,
+ struct auth_serversupplied_info **server_info,
+ const char *user, const char *domain);
+
 /* The following definitions come from auth/auth_winbind.c */
 NTSTATUS auth_winbind_init(void);
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 2df8b435e56..329b8b6aa52 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
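Review bot: In do_map_to_guest_server_info (source3/auth/auth_util.c) the wrong-password branch turns a failed logon for an existing account into a guest session but records it only as `"Registered username %s for guest access\n"` at debug level 3, without the domain and without saying that the password was wrong, so this downgrade is hard to find in logs. I would word it like the no-such-user case and include the domain, e.g. `DEBUG(3,("Wrong password for %s [%s] - using guest account\n", user, domain));`. Both strings presumably come from the client's NTLMSSP message, so anything that parses these log lines should treat them as untrusted text. The second test would also read better as `} else if (NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {`, so that a status returned by make_server_info_guest() in the first branch is not examined again. Finally, the header comment has a typo ("approriately") and should state that `*server_info` is only written when the mapping is applied.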
@@ -46,68 +46,6 @@ struct pending_auth_data {
 DATA_BLOB partial_data;
 };
-/*
- on a logon error possibly map the error to success if "map to guest"
- is set approriately
-*/
-static NTSTATUS do_map_to_guest_server_info(NTSTATUS status,
- struct auth_serversupplied_info **server_info,
- const char *user, const char *domain)
-{
- user = user ? user : "";
- domain = domain ? domain : "";
-
- if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
- if ((lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER) ||
- (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD)) {
- DEBUG(3,("No such user %s [%s] - using guest account\n",
- user, domain));
- status = make_server_info_guest(NULL, server_info);
- }
- }
-
- if (NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
- if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD) {
- DEBUG(3,("Registered username %s for guest access\n",
- user));
- status = make_server_info_guest(NULL, server_info);
- }
- }
-
- return status;
-}
-
-/*
- on a logon error possibly map the error to success if "map to guest"
- is set approriately
-*/
-NTSTATUS do_map_to_guest(NTSTATUS status,
- struct auth_session_info **session_info,
- const char *user, const char *domain)
-{
- user = user ? user : "";
- domain = domain ? domain : "";
-
- if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
- if ((lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER) ||
- (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD)) {
- DEBUG(3,("No such user %s [%s] - using guest account\n",
- user, domain));
- status = make_session_info_guest(NULL, session_info);
- }
- }
-
- if (NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
- if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD) {
- DEBUG(3,("Registered username %s for guest access\n",
- user));
- status = make_session_info_guest(NULL, session_info);
- }
- }
-
- return status;
-}
-
 /****************************************************************************
 Add the standard 'Samba' signature to the end of the session setup.
****************************************************************************/
@@ -494,15 +432,6 @@ static void reply_spnego_ntlmssp(struct smb_request *req,
 if (NT_STATUS_IS_OK(nt_status)) {
 nt_status = auth_ntlmssp_steal_session_info(talloc_tos(), (*auth_ntlmssp_state), &session_info);
- } else {
- /* Note that this session_info won't have a session
- * key. But for map to guest, that's exactly the right
- * thing - we can't reasonably guess the key the
- * client wants, as the password was wrong */
- nt_status = do_map_to_guest(nt_status,
- &session_info,
- auth_ntlmssp_get_username(*auth_ntlmssp_state),
- auth_ntlmssp_get_domain(*auth_ntlmssp_state));
 }
 reply_outbuf(req, 4, 0);
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 7a839532564..511df8639dd 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -151,26 +151,6 @@ static int smbd_smb2_session_destructor(struct smbd_smb2_session *session)
 return 0;
 }
-static NTSTATUS setup_ntlmssp_session_info(struct smbd_smb2_session *session,
- NTSTATUS status)
-{
- if (NT_STATUS_IS_OK(status)) {
- status = auth_ntlmssp_steal_session_info(session,
- session->auth_ntlmssp_state,
- &session->session_info);
- } else {
- /* Note that this session_info won't have a session
- * key. But for map to guest, that's exactly the right
- * thing - we can't reasonably guess the key the
- * client wants, as the password was wrong */
- status = do_map_to_guest(status,
- &session->session_info,
- auth_ntlmssp_get_username(session->auth_ntlmssp_state),
- auth_ntlmssp_get_domain(session->auth_ntlmssp_state));
- }
- return status;
-}
-
 #ifdef HAVE_KRB5
 static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session, struct smbd_smb2_request *smb2req,
@@ -606,11 +586,12 @@ static NTSTATUS smbd_smb2_spnego_auth(struct smbd_smb2_session *session,
 status = auth_ntlmssp_update(session->auth_ntlmssp_state, auth, &auth_out);
- /* We need to call setup_ntlmssp_session_info() if status==NT_STATUS_OK,
- or if status is anything except NT_STATUS_MORE_PROCESSING_REQUIRED,
- as this can trigger map to guest. */
- if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- status = setup_ntlmssp_session_info(session, status);
+ /* If status is NT_STATUS_OK then we need to get the token.
+ * Map to guest is now internal to auth_ntlmssp */
+ if (NT_STATUS_IS_OK(status)) {
+ status = auth_ntlmssp_steal_session_info(session,
+ session->auth_ntlmssp_state,
+ &session->session_info);
 }
 if (!NT_STATUS_IS_OK(status) &&
@@ -689,7 +670,9 @@ static NTSTATUS smbd_smb2_raw_ntlmssp_auth(struct smbd_smb2_session *session,
 return status;
 }
- status = setup_ntlmssp_session_info(session, status);
+ status = auth_ntlmssp_steal_session_info(session,
+ session->auth_ntlmssp_state,
+ &session->session_info);
 if (!NT_STATUS_IS_OK(status)) {
 TALLOC_FREE(session->auth_ntlmssp_state);