s3-auth Move map to guest to directly after the check_password calls
authorAndrew Bartlett <abartlet@samba.org>
Fri, 22 Jul 2011 01:33:52 +0000 (11:33 +1000)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 3 Aug 2011 08:48:02 +0000 (18:48 +1000)
This means we no longer need two different map to guest functions
and have consistent logic with fewer layering violations.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
source3/auth/auth_ntlmssp.c
source3/auth/auth_util.c
source3/auth/proto.h
source3/smbd/sesssetup.c
source3/smbd/smb2_sesssetup.c

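--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -145,6 +145,10 @@ static NTSTATUS auth_ntlmssp_check_password(struct ntlmssp_state *ntlmssp_state,
        free_user_info(&user_info);
 
        if (!NT_STATUS_IS_OK(nt_status)) {
+               nt_status = do_map_to_guest_server_info(nt_status,
+                                                       &auth_ntlmssp_state->server_info,
+                                                       auth_ntlmssp_state->ntlmssp_state->user,
+                                                       auth_ntlmssp_state->ntlmssp_state->domain);
                return nt_status;
        }
 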
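Review bot: When do_map_to_guest_server_info() turns the failure into NT_STATUS_OK, the `return nt_status;` directly after it leaves auth_ntlmssp_check_password with success before any code below the hunk runs, so whatever that code sets up for a normal login (it is outside the hunk; presumably the session keys) is skipped for a mapped guest. This commit also deletes the only comment that explained that case, from sesssetup.c and smb2_sesssetup.c. I would carry it over to the new call site, e.g. `/* A mapped guest gets no session key: the password was wrong, so we cannot derive the key the client expects */`, and confirm that the function's out-parameters are left in a defined state on this path.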
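--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -1580,3 +1580,35 @@ bool is_trusted_domain(const char* dom_name)
        return false;
 }
 
+
+
+/*
+  on a logon error possibly map the error to success if "map to guest"
+  is set approriately
+*/
+NTSTATUS do_map_to_guest_server_info(NTSTATUS status,
+                                    struct auth_serversupplied_info **server_info,
+                                    const char *user, const char *domain)
+{
+       user = user ? user : "";
+       domain = domain ? domain : "";
+
+       if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
+               if ((lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER) ||
+                   (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD)) {
+                       DEBUG(3,("No such user %s [%s] - using guest account\n",
+                                user, domain));
+                       status = make_server_info_guest(NULL, server_info);
+               }
+       }
+
+       if (NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
+               if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD) {
+                       DEBUG(3,("Registered username %s for guest access\n",
+                               user));
+                       status = make_server_info_guest(NULL, server_info);
+               }
+       }
+
+       return status;
+}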
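Review bot: The `NT_STATUS_WRONG_PASSWORD` branch logs `Registered username %s for guest access`, which does not say that a password check just failed for an existing account and leaves out the domain, so with map to guest set to the bad-password mode repeated wrong-password attempts against one account are hard to pick out of the log. I would word it like the first branch, `DEBUG(3,("Wrong password for user %s [%s] - using guest account\n", user, domain));`. Now that the function is exported through proto.h, its header comment should also state that on a successful mapping `*server_info` is filled by make_server_info_guest() and the returned status is that call's result, while every other status is passed through unchanged. The typo `approriately` in that comment can be fixed at the same time.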
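--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -214,6 +214,10 @@ NTSTATUS make_user_info(struct auth_usersupplied_info **ret_user_info,
                        enum auth_password_state password_state);
 void free_user_info(struct auth_usersupplied_info **user_info);
 
+NTSTATUS do_map_to_guest_server_info(NTSTATUS status,
+                                    struct auth_serversupplied_info **server_info,
+                                    const char *user, const char *domain);
+
 /* The following definitions come from auth/auth_winbind.c  */
 
 NTSTATUS auth_winbind_init(void);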
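--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -46,68 +46,6 @@ struct pending_auth_data {
        DATA_BLOB partial_data;
 };
 
-/*
-  on a logon error possibly map the error to success if "map to guest"
-  is set approriately
-*/
-static NTSTATUS do_map_to_guest_server_info(NTSTATUS status,
-                                           struct auth_serversupplied_info **server_info,
-                                           const char *user, const char *domain)
-{
-       user = user ? user : "";
-       domain = domain ? domain : "";
-
-       if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
-               if ((lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER) ||
-                   (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD)) {
-                       DEBUG(3,("No such user %s [%s] - using guest account\n",
-                                user, domain));
-                       status = make_server_info_guest(NULL, server_info);
-               }
-       }
-
-       if (NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
-               if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD) {
-                       DEBUG(3,("Registered username %s for guest access\n",
-                               user));
-                       status = make_server_info_guest(NULL, server_info);
-               }
-       }
-
-       return status;
-}
-
-/*
-  on a logon error possibly map the error to success if "map to guest"
-  is set approriately
-*/
-NTSTATUS do_map_to_guest(NTSTATUS status,
-                       struct auth_session_info **session_info,
-                       const char *user, const char *domain)
-{
-       user = user ? user : "";
-       domain = domain ? domain : "";
-
-       if (NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)) {
-               if ((lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_USER) ||
-                   (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD)) {
-                       DEBUG(3,("No such user %s [%s] - using guest account\n",
-                                user, domain));
-                       status = make_session_info_guest(NULL, session_info);
-               }
-       }
-
-       if (NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
-               if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_PASSWORD) {
-                       DEBUG(3,("Registered username %s for guest access\n",
-                               user));
-                       status = make_session_info_guest(NULL, session_info);
-               }
-       }
-
-       return status;
-}
-
 /****************************************************************************
  Add the standard 'Samba' signature to the end of the session setup.
 ****************************************************************************/
@@ -494,15 +432,6 @@ static void reply_spnego_ntlmssp(struct smb_request *req,
        if (NT_STATUS_IS_OK(nt_status)) {
                nt_status = auth_ntlmssp_steal_session_info(talloc_tos(),
                                        (*auth_ntlmssp_state), &session_info);
-       } else {
-               /* Note that this session_info won't have a session
-                * key.  But for map to guest, that's exactly the right
-                * thing - we can't reasonably guess the key the
-                * client wants, as the password was wrong */
-               nt_status = do_map_to_guest(nt_status,
-                                           &session_info,
-                                           auth_ntlmssp_get_username(*auth_ntlmssp_state),
-                                           auth_ntlmssp_get_domain(*auth_ntlmssp_state));
        }
 
        reply_outbuf(req, 4, 0);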
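--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -151,26 +151,6 @@ static int smbd_smb2_session_destructor(struct smbd_smb2_session *session)
        return 0;
 }
 
-static NTSTATUS setup_ntlmssp_session_info(struct smbd_smb2_session *session,
-                               NTSTATUS status)
-{
-       if (NT_STATUS_IS_OK(status)) {
-               status = auth_ntlmssp_steal_session_info(session,
-                               session->auth_ntlmssp_state,
-                               &session->session_info);
-       } else {
-               /* Note that this session_info won't have a session
-                * key.  But for map to guest, that's exactly the right
-                * thing - we can't reasonably guess the key the
-                * client wants, as the password was wrong */
-               status = do_map_to_guest(status,
-                       &session->session_info,
-                       auth_ntlmssp_get_username(session->auth_ntlmssp_state),
-                       auth_ntlmssp_get_domain(session->auth_ntlmssp_state));
-       }
-       return status;
-}
-
 #ifdef HAVE_KRB5
 static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
                                        struct smbd_smb2_request *smb2req,
@@ -606,11 +586,12 @@ static NTSTATUS smbd_smb2_spnego_auth(struct smbd_smb2_session *session,
        status = auth_ntlmssp_update(session->auth_ntlmssp_state,
                                     auth,
                                     &auth_out);
-       /* We need to call setup_ntlmssp_session_info() if status==NT_STATUS_OK,
-          or if status is anything except NT_STATUS_MORE_PROCESSING_REQUIRED,
-          as this can trigger map to guest. */
-       if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
-               status = setup_ntlmssp_session_info(session, status);
+       /* If status is NT_STATUS_OK then we need to get the token.
+        * Map to guest is now internal to auth_ntlmssp */
+       if (NT_STATUS_IS_OK(status)) {
+               status = auth_ntlmssp_steal_session_info(session,
+                               session->auth_ntlmssp_state,
+                               &session->session_info);
        }
 
        if (!NT_STATUS_IS_OK(status) &&
@@ -689,7 +670,9 @@ static NTSTATUS smbd_smb2_raw_ntlmssp_auth(struct smbd_smb2_session *session,
                return status;
        }
 
-       status = setup_ntlmssp_session_info(session, status);
+       status = auth_ntlmssp_steal_session_info(session,
+                                                session->auth_ntlmssp_state,
+                                                &session->session_info);
 
        if (!NT_STATUS_IS_OK(status)) {
                TALLOC_FREE(session->auth_ntlmssp_state);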
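Review bot: In smbd_smb2_raw_ntlmssp_auth the call to auth_ntlmssp_steal_session_info() is now unconditional, so the `status` carried into this point is overwritten by the steal result without being checked here. The early `return status;` above it starts outside the hunk; if that return only covers NT_STATUS_MORE_PROCESSING_REQUIRED, a failed authentication reaches the steal call with nothing valid to take and the original failure code is lost. The SPNEGO path changed in the same file guards the call, and the same guard here keeps the two paths consistent: `if (NT_STATUS_IS_OK(status)) { status = auth_ntlmssp_steal_session_info(session, session->auth_ntlmssp_state, &session->session_info); }`. The function body continues past the end of the hunk.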