#include "libads/kerberos_proto.h"
#include "../lib/util/asn1.h"
#include "auth.h"
+#include "../lib/tsocket/tsocket.h"
+#include "../libcli/security/security.h"
static NTSTATUS smbd_smb2_session_setup(struct smbd_smb2_request *smb2req,
uint64_t in_session_id,
return 0;
}
-static NTSTATUS setup_ntlmssp_session_info(struct smbd_smb2_session *session,
- NTSTATUS status)
-{
- if (NT_STATUS_IS_OK(status)) {
- status = auth_ntlmssp_steal_session_info(session,
- session->auth_ntlmssp_state,
- &session->session_info);
- } else {
- /* Note that this session_info won't have a session
- * key. But for map to guest, that's exactly the right
- * thing - we can't reasonably guess the key the
- * client wants, as the password was wrong */
- status = do_map_to_guest(status,
- &session->session_info,
- auth_ntlmssp_get_username(session->auth_ntlmssp_state),
- auth_ntlmssp_get_domain(session->auth_ntlmssp_state));
- }
- return status;
-}
-
#ifdef HAVE_KRB5
static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
struct smbd_smb2_request *smb2req,
}
status = get_user_from_kerberos_info(talloc_tos(),
- smb2req->sconn->client_id.name,
+ session->sconn->remote_hostname,
principal, logon_info,
&username_was_mapped,
&map_domainuser_to_guest,
session->do_signing = true;
}
- if (session->session_info->guest) {
+ if (security_session_user_level(session->session_info, NULL) < SECURITY_USER) {
/* we map anonymous to guest internally */
*out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
*out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
/* This is a potentially untrusted username */
alpha_strcpy(tmp, user, ". _-$", sizeof(tmp));
- session->session_info->sanitized_username =
+ session->session_info->unix_info->sanitized_username =
talloc_strdup(session->session_info, tmp);
- if (!session->session_info->guest) {
+ if (security_session_user_level(session->session_info, NULL) >= SECURITY_USER) {
session->compat_vuser->homes_snum =
- register_homes_share(session->session_info->unix_name);
+ register_homes_share(session->session_info->unix_info->unix_name);
}
if (!session_claim(session->sconn, session->compat_vuser)) {
session->do_signing = true;
}
- if (session->session_info->guest) {
+ if (security_session_user_level(session->session_info, NULL) < SECURITY_USER) {
/* we map anonymous to guest internally */
*out_session_flags |= SMB2_SESSION_FLAG_IS_GUEST;
*out_session_flags |= SMB2_SESSION_FLAG_IS_NULL;
auth_ntlmssp_get_username(session->auth_ntlmssp_state),
". _-$",
sizeof(tmp));
- session->session_info->sanitized_username = talloc_strdup(
+ session->session_info->unix_info->sanitized_username = talloc_strdup(
session->session_info, tmp);
- if (!session->compat_vuser->session_info->guest) {
+ if (security_session_user_level(session->session_info, NULL) >= SECURITY_USER) {
session->compat_vuser->homes_snum =
- register_homes_share(session->session_info->unix_name);
+ register_homes_share(session->session_info->unix_info->unix_name);
}
if (!session_claim(session->sconn, session->compat_vuser)) {
status = auth_ntlmssp_update(session->auth_ntlmssp_state,
auth,
&auth_out);
- /* We need to call setup_ntlmssp_session_info() if status==NT_STATUS_OK,
- or if status is anything except NT_STATUS_MORE_PROCESSING_REQUIRED,
- as this can trigger map to guest. */
- if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
- status = setup_ntlmssp_session_info(session, status);
+ /* If status is NT_STATUS_OK then we need to get the token.
+ * Map to guest is now internal to auth_ntlmssp */
+ if (NT_STATUS_IS_OK(status)) {
+ status = auth_ntlmssp_steal_session_info(session,
+ session->auth_ntlmssp_state,
+ &session->session_info);
}
if (!NT_STATUS_IS_OK(status) &&
return status;
}
- status = setup_ntlmssp_session_info(session, status);
+ status = auth_ntlmssp_steal_session_info(session,
+ session->auth_ntlmssp_state,
+ &session->session_info);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(session->auth_ntlmssp_state);
return NT_STATUS_LOGON_FAILURE;
}
-NTSTATUS smbd_smb2_request_check_session(struct smbd_smb2_request *req)
-{
- const uint8_t *inhdr;
- const uint8_t *outhdr;
- int i = req->current_idx;
- uint64_t in_session_id;
- void *p;
- struct smbd_smb2_session *session;
- bool chained_fixup = false;
-
- inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
-
- in_session_id = BVAL(inhdr, SMB2_HDR_SESSION_ID);
-
- if (in_session_id == (0xFFFFFFFFFFFFFFFFLL)) {
- if (req->async) {
- /*
- * async request - fill in session_id from
- * already setup request out.vector[].iov_base.
- */
- outhdr = (const uint8_t *)req->out.vector[i].iov_base;
- in_session_id = BVAL(outhdr, SMB2_HDR_SESSION_ID);
- } else if (i > 2) {
- /*
- * Chained request - fill in session_id from
- * the previous request out.vector[].iov_base.
- */
- outhdr = (const uint8_t *)req->out.vector[i-3].iov_base;
- in_session_id = BVAL(outhdr, SMB2_HDR_SESSION_ID);
- chained_fixup = true;
- }
- }
-
- /* lookup an existing session */
- p = idr_find(req->sconn->smb2.sessions.idtree, in_session_id);
- if (p == NULL) {
- return NT_STATUS_USER_SESSION_DELETED;
- }
- session = talloc_get_type_abort(p, struct smbd_smb2_session);
-
- if (!NT_STATUS_IS_OK(session->status)) {
- return NT_STATUS_ACCESS_DENIED;
- }
-
- set_current_user_info(session->session_info->sanitized_username,
- session->session_info->unix_name,
- session->session_info->info3->base.domain.string);
-
- req->session = session;
-
- if (chained_fixup) {
- /* Fix up our own outhdr. */
- outhdr = (const uint8_t *)req->out.vector[i].iov_base;
- SBVAL(discard_const_p(uint8_t, outhdr), SMB2_HDR_SESSION_ID, in_session_id);
- }
- return NT_STATUS_OK;
-}
-
NTSTATUS smbd_smb2_request_process_logoff(struct smbd_smb2_request *req)
{
const uint8_t *inbody;