#include "printing/pcap.h"
#include "passdb/lookup_sid.h"
#include "auth.h"
+#include "../auth/auth_util.h"
#include "lib/param/loadparm.h"
#include "messages.h"
-
-extern userdom_struct current_user_info;
+#include "lib/afs/afs_funcs.h"
+#include "lib/util_path.h"
static bool canonicalize_connect_path(connection_struct *conn)
{
bool ret;
- char *resolved_name = SMB_VFS_REALPATH(conn,conn->connectpath);
- if (!resolved_name) {
+ struct smb_filename con_fname = { .base_name = conn->connectpath };
+ struct smb_filename *resolved_fname = SMB_VFS_REALPATH(conn, talloc_tos(),
+ &con_fname);
+ if (resolved_fname == NULL) {
return false;
}
- ret = set_conn_connectpath(conn,resolved_name);
- SAFE_FREE(resolved_name);
+ ret = set_conn_connectpath(conn,resolved_fname->base_name);
+ TALLOC_FREE(resolved_fname);
return ret;
}
/****************************************************************************
Ensure when setting connectpath it is a canonicalized (no ./ // or ../)
absolute path stating in / and not ending in /.
- Observent people will notice a similarity between this and check_path_syntax :-).
****************************************************************************/
bool set_conn_connectpath(connection_struct *conn, const char *connectpath)
{
char *destname;
- char *d;
- const char *s = connectpath;
- bool start_of_name_component = true;
if (connectpath == NULL || connectpath[0] == '\0') {
return false;
}
- /* Allocate for strlen + '\0' + possible leading '/' */
- destname = (char *)SMB_MALLOC(strlen(connectpath) + 2);
- if (!destname) {
+ destname = canonicalize_absolute_path(conn, connectpath);
+ if (destname == NULL) {
return false;
}
- d = destname;
-
- *d++ = '/'; /* Always start with root. */
-
- while (*s) {
- if (*s == '/') {
- /* Eat multiple '/' */
- while (*s == '/') {
- s++;
- }
- if ((d > destname + 1) && (*s != '\0')) {
- *d++ = '/';
- }
- start_of_name_component = True;
- continue;
- }
- if (start_of_name_component) {
- if ((s[0] == '.') && (s[1] == '.') && (s[2] == '/' || s[2] == '\0')) {
- /* Uh oh - "/../" or "/..\0" ! */
-
- /* Go past the ../ or .. */
- if (s[2] == '/') {
- s += 3;
- } else {
- s += 2; /* Go past the .. */
- }
-
- /* If we just added a '/' - delete it */
- if ((d > destname) && (*(d-1) == '/')) {
- *(d-1) = '\0';
- d--;
- }
-
- /* Are we at the start ? Can't go back further if so. */
- if (d <= destname) {
- *d++ = '/'; /* Can't delete root */
- continue;
- }
- /* Go back one level... */
- /* Decrement d first as d points to the *next* char to write into. */
- for (d--; d > destname; d--) {
- if (*d == '/') {
- break;
- }
- }
- /* We're still at the start of a name component, just the previous one. */
- continue;
- } else if ((s[0] == '.') && ((s[1] == '\0') || s[1] == '/')) {
- /* Component of pathname can't be "." only - skip the '.' . */
- if (s[1] == '/') {
- s += 2;
- } else {
- s++;
- }
- continue;
- }
- }
+ DBG_DEBUG("service %s, connectpath = %s\n",
+ lp_const_servicename(SNUM(conn)), destname);
- if (!(*s & 0x80)) {
- *d++ = *s++;
- } else {
- size_t siz;
- /* Get the size of the next MB character. */
- next_codepoint(s,&siz);
- switch(siz) {
- case 5:
- *d++ = *s++;
- /*fall through*/
- case 4:
- *d++ = *s++;
- /*fall through*/
- case 3:
- *d++ = *s++;
- /*fall through*/
- case 2:
- *d++ = *s++;
- /*fall through*/
- case 1:
- *d++ = *s++;
- break;
- default:
- break;
- }
- }
- start_of_name_component = false;
- }
- *d = '\0';
-
- /* And must not end in '/' */
- if (d > destname + 1 && (*(d-1) == '/')) {
- *(d-1) = '\0';
+ talloc_free(conn->connectpath);
+ conn->connectpath = destname;
+ /*
+ * Ensure conn->cwd_fname is initialized.
+ * start as conn->connectpath.
+ */
+ TALLOC_FREE(conn->cwd_fname);
+ conn->cwd_fname = synthetic_smb_fname(conn,
+ conn->connectpath,
+ NULL,
+ NULL,
+ 0);
+ if (conn->cwd_fname == NULL) {
+ return false;
}
-
- DEBUG(10,("set_conn_connectpath: service %s, connectpath = %s\n",
- lp_servicename(SNUM(conn)), destname ));
-
- string_set(&conn->connectpath, destname);
- SAFE_FREE(destname);
return true;
}
Load parameters specific to a connection/service.
****************************************************************************/
-bool set_current_service(connection_struct *conn, uint16 flags, bool do_chdir)
+void set_current_case_sensitive(connection_struct *conn, uint16_t flags)
{
int snum;
+ enum remote_arch_types ra_type;
- if (!conn) {
- last_conn = NULL;
- return(False);
- }
-
- conn->lastused_count++;
+ SMB_ASSERT(conn != NULL);
snum = SNUM(conn);
- if (do_chdir &&
- vfs_ChDir(conn,conn->connectpath) != 0 &&
- vfs_ChDir(conn,conn->origpath) != 0) {
- DEBUG(((errno!=EACCES)?0:3),("chdir (%s) failed, reason: %s\n",
- conn->connectpath, strerror(errno)));
- return(False);
- }
-
if ((conn == last_conn) && (last_flags == flags)) {
- return(True);
+ return;
}
last_conn = conn;
last_flags = flags;
- /* Obey the client case sensitivity requests - only for clients that support it. */
- switch (lp_casesensitive(snum)) {
- case Auto:
- {
- /* We need this uglyness due to DOS/Win9x clients that lie about case insensitivity. */
- enum remote_arch_types ra_type = get_remote_arch();
- if ((ra_type != RA_SAMBA) && (ra_type != RA_CIFSFS)) {
- /* Client can't support per-packet case sensitive pathnames. */
- conn->case_sensitive = False;
- } else {
- conn->case_sensitive = !(flags & FLAG_CASELESS_PATHNAMES);
- }
- }
- break;
- case True:
- conn->case_sensitive = True;
- break;
- default:
- conn->case_sensitive = False;
- break;
- }
- return(True);
+ /*
+ * Obey the client case sensitivity requests - only for clients that
+ * support it. */
+ switch (lp_case_sensitive(snum)) {
+ case Auto:
+ /*
+ * We need this uglyness due to DOS/Win9x clients that lie
+ * about case insensitivity. */
+ ra_type = get_remote_arch();
+ if (conn->sconn->using_smb2) {
+ conn->case_sensitive = false;
+ } else if ((ra_type != RA_SAMBA) && (ra_type != RA_CIFSFS)) {
+ /*
+ * Client can't support per-packet case sensitive
+ * pathnames. */
+ conn->case_sensitive = false;
+ } else {
+ conn->case_sensitive =
+ !(flags & FLAG_CASELESS_PATHNAMES);
+ }
+ break;
+ case True:
+ conn->case_sensitive = true;
+ break;
+ default:
+ conn->case_sensitive = false;
+ break;
+ }
+ return;
+}
+
+bool chdir_current_service(connection_struct *conn)
+{
+ const struct smb_filename connectpath_fname = {
+ .base_name = conn->connectpath,
+ };
+ const struct smb_filename origpath_fname = {
+ .base_name = conn->origpath,
+ };
+ int ret;
+
+ conn->lastused_count++;
+
+ ret = vfs_ChDir(conn, &connectpath_fname);
+ if (ret != 0) {
+ DEBUG(((errno!=EACCES)?0:3),
+ ("chdir (%s) failed, reason: %s\n",
+ conn->connectpath, strerror(errno)));
+ return false;
+ }
+
+ ret = vfs_ChDir(conn, &origpath_fname);
+ if (ret != 0) {
+ DEBUG(((errno!=EACCES)?0:3),
+ ("chdir (%s) failed, reason: %s\n",
+ conn->origpath, strerror(errno)));
+ return false;
+ }
+
+ return true;
}
/****************************************************************************
}
if (!lp_snum_ok(snum) ||
- !allow_access(lp_hostsdeny(snum), lp_hostsallow(snum),
+ !allow_access(lp_hosts_deny(snum), lp_hosts_allow(snum),
rhost, raddr)) {
return NT_STATUS_ACCESS_DENIED;
}
if (dev[0] == '?' || !dev[0]) {
- if (lp_print_ok(snum)) {
+ if (lp_printable(snum)) {
fstrcpy(dev,"LPT1:");
} else if (strequal(lp_fstype(snum), "IPC")) {
fstrcpy(dev, "IPC");
}
}
- strupper_m(dev);
+ if (!strupper_m(dev)) {
+ DEBUG(2,("strupper_m %s failed\n", dev));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
- if (lp_print_ok(snum)) {
+ if (lp_printable(snum)) {
if (!strequal(dev, "LPT1:")) {
return NT_STATUS_BAD_DEVICE_TYPE;
}
}
/* Behave as a printer if we are supposed to */
- if (lp_print_ok(snum) && (strcmp(dev, "A:") == 0)) {
+ if (lp_printable(snum) && (strcmp(dev, "A:") == 0)) {
fstrcpy(dev, "LPT1:");
}
bool user_must_be_member = False;
gid_t gid;
- groupname = talloc_strdup(talloc_tos(), lp_force_group(snum));
+ groupname = lp_force_group(talloc_tos(), snum);
if (groupname == NULL) {
DEBUG(1, ("talloc_strdup failed\n"));
result = NT_STATUS_NO_MEMORY;
}
groupname = talloc_string_sub(talloc_tos(), groupname,
- "%S", lp_servicename(snum));
+ "%S", lp_const_servicename(snum));
if (groupname == NULL) {
DEBUG(1, ("talloc_string_sub failed\n"));
result = NT_STATUS_NO_MEMORY;
}
if (!sid_to_gid(&group_sid, &gid)) {
+ struct dom_sid_buf buf;
DEBUG(10, ("sid_to_gid(%s) for %s failed\n",
- sid_string_dbg(&group_sid), groupname));
+ dom_sid_str_buf(&group_sid, &buf), groupname));
goto done;
}
static NTSTATUS create_connection_session_info(struct smbd_server_connection *sconn,
TALLOC_CTX *mem_ctx, int snum,
- struct auth_session_info *vuid_serverinfo,
- DATA_BLOB password,
+ struct auth_session_info *session_info,
struct auth_session_info **presult)
{
+ struct auth_session_info *result;
+
if (lp_guest_only(snum)) {
return make_session_info_guest(mem_ctx, presult);
}
- if (vuid_serverinfo != NULL) {
-
- struct auth_session_info *result;
-
- /*
- * This is the normal security != share case where we have a
- * valid vuid from the session setup. */
-
- if (security_session_user_level(vuid_serverinfo, NULL) < SECURITY_USER) {
- if (!lp_guest_ok(snum)) {
- DEBUG(2, ("guest user (from session setup) "
- "not permitted to access this share "
- "(%s)\n", lp_servicename(snum)));
- return NT_STATUS_ACCESS_DENIED;
- }
- } else {
- if (!user_ok_token(vuid_serverinfo->unix_info->unix_name,
- vuid_serverinfo->info->domain_name,
- vuid_serverinfo->security_token, snum)) {
- DEBUG(2, ("user '%s' (from session setup) not "
- "permitted to access this share "
- "(%s)\n",
- vuid_serverinfo->unix_info->unix_name,
- lp_servicename(snum)));
- return NT_STATUS_ACCESS_DENIED;
- }
- }
-
- result = copy_session_info(mem_ctx, vuid_serverinfo);
- if (result == NULL) {
- return NT_STATUS_NO_MEMORY;
+ /*
+ * This is the normal security != share case where we have a
+ * valid vuid from the session setup. */
+
+ if (security_session_user_level(session_info, NULL) < SECURITY_USER) {
+ if (!lp_guest_ok(snum)) {
+ DBG_WARNING("guest user (from session setup) "
+ "not permitted to access this share "
+ "(%s)\n", lp_const_servicename(snum));
+ return NT_STATUS_ACCESS_DENIED;
}
+ } else {
+ if (!user_ok_token(session_info->unix_info->unix_name,
+ session_info->info->domain_name,
+ session_info->security_token, snum)) {
+ DBG_WARNING("user '%s' (from session setup) not "
+ "permitted to access this share "
+ "(%s)\n",
+ session_info->unix_info->unix_name,
+ lp_const_servicename(snum));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ }
- *presult = result;
- return NT_STATUS_OK;
- }
-
- if (lp_security() == SEC_SHARE) {
-
- fstring user;
- bool guest;
-
- /* add the sharename as a possible user name if we
- are in share mode security */
-
- add_session_user(sconn, lp_servicename(snum));
-
- /* shall we let them in? */
-
- if (!authorise_login(sconn, snum,user,password,&guest)) {
- DEBUG( 2, ( "Invalid username/password for [%s]\n",
- lp_servicename(snum)) );
- return NT_STATUS_WRONG_PASSWORD;
- }
-
- return make_session_info_from_username(mem_ctx, user, guest,
- presult);
- }
+ result = copy_session_info(mem_ctx, session_info);
+ if (result == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
- DEBUG(0, ("invalid VUID (vuser) but not in security=share\n"));
- return NT_STATUS_ACCESS_DENIED;
+ *presult = result;
+ return NT_STATUS_OK;
}
/****************************************************************************
- set relavent user and group settings corresponding to force user/group
+ Set relevant user and group settings corresponding to force user/group
configuration for the given snum.
****************************************************************************/
{
NTSTATUS status;
- if (*lp_force_user(snum)) {
+ if (*lp_force_user(talloc_tos(), snum)) {
/*
* Replace conn->session_info with a completely faked up one
*/
char *fuser;
+ char *sanitized_username;
struct auth_session_info *forced_serverinfo;
bool guest;
- fuser = talloc_string_sub(conn, lp_force_user(snum), "%S",
+ fuser = talloc_string_sub(conn, lp_force_user(talloc_tos(), snum), "%S",
lp_const_servicename(snum));
if (fuser == NULL) {
return NT_STATUS_NO_MEMORY;
return status;
}
+ /* We don't want to replace the original sanitized_username
+ as it is the original user given in the connect attempt.
+ This is used in '%U' substitutions. */
+ sanitized_username = discard_const_p(char,
+ forced_serverinfo->unix_info->sanitized_username);
+ TALLOC_FREE(sanitized_username);
+ forced_serverinfo->unix_info->sanitized_username =
+ talloc_move(forced_serverinfo->unix_info,
+ &conn->session_info->unix_info->sanitized_username);
+
TALLOC_FREE(conn->session_info);
conn->session_info = forced_serverinfo;
* any groupid stored for the connecting user.
*/
- if (*lp_force_group(snum)) {
+ if (*lp_force_group(talloc_tos(), snum)) {
status = find_forced_group(
conn->force_user, snum, conn->session_info->unix_info->unix_name,
return NT_STATUS_OK;
}
+static NTSTATUS notify_init_sconn(struct smbd_server_connection *sconn)
+{
+ NTSTATUS status;
+
+ if (sconn->notify_ctx != NULL) {
+ return NT_STATUS_OK;
+ }
+
+ sconn->notify_ctx = notify_init(sconn, sconn->msg_ctx,
+ sconn, notify_callback);
+ if (sconn->notify_ctx == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ status = messaging_register(sconn->msg_ctx, sconn,
+ MSG_SMB_NOTIFY_CANCEL_DELETED,
+ smbd_notify_cancel_deleted);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_DEBUG("messaging_register failed: %s\n",
+ nt_errstr(status));
+ TALLOC_FREE(sconn->notify_ctx);
+ return status;
+ }
+
+ status = messaging_register(sconn->msg_ctx, sconn,
+ MSG_SMB_NOTIFY_STARTED,
+ smbd_notifyd_restarted);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_DEBUG("messaging_register failed: %s\n",
+ nt_errstr(status));
+ messaging_deregister(sconn->msg_ctx,
+ MSG_SMB_NOTIFY_CANCEL_DELETED, sconn);
+ TALLOC_FREE(sconn->notify_ctx);
+ return status;
+ }
+
+ return NT_STATUS_OK;
+}
+
/****************************************************************************
Make a connection, given the snum to connect to, and the vuser of the
connecting user if appropriate.
****************************************************************************/
-static NTSTATUS make_connection_snum(struct smbd_server_connection *sconn,
+static NTSTATUS make_connection_snum(struct smbXsrv_connection *xconn,
connection_struct *conn,
- int snum, user_struct *vuser,
- DATA_BLOB password,
+ int snum, struct user_struct *vuser,
const char *pdev)
{
+ struct smbd_server_connection *sconn = xconn->client->sconn;
struct smb_filename *smb_fname_cpath = NULL;
fstring dev;
int ret;
bool on_err_call_dis_hook = false;
- bool claimed_connection = false;
uid_t effuid;
gid_t effgid;
NTSTATUS status;
conn->params->service = snum;
status = create_connection_session_info(sconn,
- conn, snum, vuser ? vuser->session_info : NULL, password,
+ conn, snum, vuser->session_info,
&conn->session_info);
if (!NT_STATUS_IS_OK(status)) {
goto err_root_exit;
}
- if ((lp_guest_only(snum)) || (lp_security() == SEC_SHARE)) {
+ if (lp_guest_only(snum)) {
conn->force_user = true;
}
- add_session_user(sconn, conn->session_info->unix_info->unix_name);
-
conn->num_files_open = 0;
conn->lastused = conn->lastused_count = time(NULL);
- conn->used = True;
conn->printer = (strncmp(dev,"LPT",3) == 0);
conn->ipc = ( (strncmp(dev,"IPC",3) == 0) ||
( lp_enable_asu_support() && strequal(dev,"ADMIN$")) );
/* Case options for the share. */
- if (lp_casesensitive(snum) == Auto) {
+ if (lp_case_sensitive(snum) == Auto) {
/* We will be setting this per packet. Set to be case
* insensitive for now. */
conn->case_sensitive = False;
} else {
- conn->case_sensitive = (bool)lp_casesensitive(snum);
+ conn->case_sensitive = (bool)lp_case_sensitive(snum);
}
- conn->case_preserve = lp_preservecase(snum);
- conn->short_case_preserve = lp_shortpreservecase(snum);
+ conn->case_preserve = lp_preserve_case(snum);
+ conn->short_case_preserve = lp_short_preserve_case(snum);
conn->encrypt_level = lp_smb_encrypt(snum);
+ if (conn->encrypt_level > SMB_SIGNING_OFF) {
+ if (lp_smb_encrypt(-1) == SMB_SIGNING_OFF) {
+ if (conn->encrypt_level == SMB_SIGNING_REQUIRED) {
+ DBG_ERR("Service [%s] requires encryption, but "
+ "it is disabled globally!\n",
+ lp_const_servicename(snum));
+ status = NT_STATUS_ACCESS_DENIED;
+ goto err_root_exit;
+ }
+ conn->encrypt_level = SMB_SIGNING_OFF;
+ }
+ }
conn->veto_list = NULL;
conn->hide_list = NULL;
conn->veto_oplock_list = NULL;
conn->aio_write_behind_list = NULL;
- conn->read_only = lp_readonly(SNUM(conn));
+ conn->read_only = lp_read_only(SNUM(conn));
status = set_conn_force_user_group(conn, snum);
if (!NT_STATUS_IS_OK(status)) {
goto err_root_exit;
}
- conn->vuid = (vuser != NULL) ? vuser->vuid : UID_FIELD_INVALID;
+ conn->vuid = vuser->vuid;
{
char *s = talloc_sub_advanced(talloc_tos(),
- lp_servicename(SNUM(conn)),
+ lp_const_servicename(SNUM(conn)),
conn->session_info->unix_info->unix_name,
conn->connectpath,
conn->session_info->unix_token->gid,
conn->session_info->unix_info->sanitized_username,
conn->session_info->info->domain_name,
- lp_pathname(snum));
+ lp_path(talloc_tos(), snum));
if (!s) {
status = NT_STATUS_NO_MEMORY;
goto err_root_exit;
status = NT_STATUS_NO_MEMORY;
goto err_root_exit;
}
- DEBUG(3,("Connect path is '%s' for service [%s]\n",s,
- lp_servicename(snum)));
+ DBG_NOTICE("Connect path is '%s' for service [%s]\n", s,
+ lp_const_servicename(snum));
TALLOC_FREE(s);
}
/*
- * New code to check if there's a share security descripter
- * added from NT server manager. This is done after the
- * smb.conf checks are done as we need a uid and token. JRA.
+ * Set up the share security descriptor.
+ * NOTE - we use the *INCOMING USER* session_info
+ * here, as does (indirectly) change_to_user(),
+ * which can be called on any incoming packet.
+ * This way we set up the share access based
+ * on the authenticated user, not the forced
+ * user. See bug:
*
+ * https://bugzilla.samba.org/show_bug.cgi?id=9878
*/
- share_access_check(conn->session_info->security_token,
- lp_servicename(snum), MAXIMUM_ALLOWED_ACCESS,
- &conn->share_access);
-
- if ((conn->share_access & FILE_WRITE_DATA) == 0) {
- if ((conn->share_access & FILE_READ_DATA) == 0) {
- /* No access, read or write. */
- DEBUG(0,("make_connection: connection to %s "
- "denied due to security "
- "descriptor.\n",
- lp_servicename(snum)));
- status = NT_STATUS_ACCESS_DENIED;
- goto err_root_exit;
- } else {
- conn->read_only = True;
- }
+ status = check_user_share_access(conn,
+ vuser->session_info,
+ &conn->share_access,
+ &conn->read_only);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto err_root_exit;
}
+
/* Initialise VFS function pointers */
if (!smbd_vfs_init(conn)) {
- DEBUG(0, ("vfs_init failed for service %s\n",
- lp_servicename(snum)));
+ DBG_ERR("vfs_init failed for service %s\n",
+ lp_const_servicename(snum));
status = NT_STATUS_BAD_NETWORK_NAME;
goto err_root_exit;
}
*/
if ((lp_max_connections(snum) > 0)
- && (count_current_connections(lp_servicename(SNUM(conn)), True) >=
+ && (count_current_connections(lp_const_servicename(SNUM(conn)), true) >=
lp_max_connections(snum))) {
- DEBUG(1, ("Max connections (%d) exceeded for %s\n",
- lp_max_connections(snum), lp_servicename(snum)));
+ DBG_WARNING("Max connections (%d) exceeded for %s\n",
+ lp_max_connections(snum),
+ lp_const_servicename(snum));
status = NT_STATUS_INSUFFICIENT_RESOURCES;
goto err_root_exit;
}
- /*
- * Get us an entry in the connections db
- */
- if (!claim_connection(conn, lp_servicename(snum))) {
- DEBUG(1, ("Could not store connections entry\n"));
- status = NT_STATUS_INTERNAL_DB_ERROR;
- goto err_root_exit;
- }
- claimed_connection = true;
-
/* Invoke VFS make connection hook - this must be the first
filesystem operation that we do. */
- if (SMB_VFS_CONNECT(conn, lp_servicename(snum),
+ if (SMB_VFS_CONNECT(conn, lp_const_servicename(snum),
conn->session_info->unix_info->unix_name) < 0) {
- DEBUG(0,("make_connection: VFS make connection failed!\n"));
+ DBG_WARNING("SMB_VFS_CONNECT for service '%s' at '%s' failed: %s\n",
+ lp_const_servicename(snum), conn->connectpath,
+ strerror(errno));
status = NT_STATUS_UNSUCCESSFUL;
goto err_root_exit;
}
/* Any error exit after here needs to call the disconnect hook. */
on_err_call_dis_hook = true;
- if ((!conn->printer) && (!conn->ipc)) {
- conn->notify_ctx = notify_init(conn,
- messaging_server_id(sconn->msg_ctx),
- sconn->msg_ctx,
- sconn->ev_ctx,
- conn);
+ if ((!conn->printer) && (!conn->ipc) &&
+ lp_change_notify()) {
+
+ status = notify_init_sconn(sconn);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto err_root_exit;
+ }
+ }
+
+ if (lp_kernel_oplocks(snum)) {
+ init_kernel_oplocks(conn->sconn);
}
/*
/* Preexecs are done here as they might make the dir we are to ChDir
* to below */
/* execute any "root preexec = " line */
- if (*lp_rootpreexec(snum)) {
+ if (*lp_root_preexec(talloc_tos(), snum)) {
char *cmd = talloc_sub_advanced(talloc_tos(),
- lp_servicename(SNUM(conn)),
+ lp_const_servicename(SNUM(conn)),
conn->session_info->unix_info->unix_name,
conn->connectpath,
conn->session_info->unix_token->gid,
conn->session_info->unix_info->sanitized_username,
conn->session_info->info->domain_name,
- lp_rootpreexec(snum));
+ lp_root_preexec(talloc_tos(), snum));
DEBUG(5,("cmd=%s\n",cmd));
- ret = smbrun(cmd,NULL);
+ ret = smbrun(cmd, NULL, NULL);
TALLOC_FREE(cmd);
- if (ret != 0 && lp_rootpreexec_close(snum)) {
+ if (ret != 0 && lp_root_preexec_close(snum)) {
DEBUG(1,("root preexec gave %d - failing "
"connection\n", ret));
status = NT_STATUS_ACCESS_DENIED;
* to below */
/* execute any "preexec = " line */
- if (*lp_preexec(snum)) {
+ if (*lp_preexec(talloc_tos(), snum)) {
char *cmd = talloc_sub_advanced(talloc_tos(),
- lp_servicename(SNUM(conn)),
+ lp_const_servicename(SNUM(conn)),
conn->session_info->unix_info->unix_name,
conn->connectpath,
conn->session_info->unix_token->gid,
conn->session_info->unix_info->sanitized_username,
conn->session_info->info->domain_name,
- lp_preexec(snum));
- ret = smbrun(cmd,NULL);
+ lp_preexec(talloc_tos(), snum));
+ ret = smbrun(cmd, NULL, NULL);
TALLOC_FREE(cmd);
if (ret != 0 && lp_preexec_close(snum)) {
DEBUG(1,("preexec gave %d - failing connection\n",
*/
if (!lp_widelinks(snum)) {
if (!canonicalize_connect_path(conn)) {
- DEBUG(0, ("canonicalize_connect_path failed "
+ DBG_ERR("canonicalize_connect_path failed "
"for service %s, path %s\n",
- lp_servicename(snum),
- conn->connectpath));
+ lp_const_servicename(snum),
+ conn->connectpath);
status = NT_STATUS_BAD_NETWORK_NAME;
goto err_root_exit;
}
/* Add veto/hide lists */
if (!IS_IPC(conn) && !IS_PRINT(conn)) {
- set_namearray( &conn->veto_list, lp_veto_files(snum));
- set_namearray( &conn->hide_list, lp_hide_files(snum));
- set_namearray( &conn->veto_oplock_list, lp_veto_oplocks(snum));
+ set_namearray( &conn->veto_list,
+ lp_veto_files(talloc_tos(), snum));
+ set_namearray( &conn->hide_list,
+ lp_hide_files(talloc_tos(), snum));
+ set_namearray( &conn->veto_oplock_list,
+ lp_veto_oplock_files(talloc_tos(), snum));
set_namearray( &conn->aio_write_behind_list,
- lp_aio_write_behind(snum));
+ lp_aio_write_behind(talloc_tos(), snum));
}
- status = create_synthetic_smb_fname(talloc_tos(), conn->connectpath,
- NULL, NULL, &smb_fname_cpath);
- if (!NT_STATUS_IS_OK(status)) {
+ smb_fname_cpath = synthetic_smb_fname(talloc_tos(),
+ conn->connectpath,
+ NULL,
+ NULL,
+ 0);
+ if (smb_fname_cpath == NULL) {
+ status = NT_STATUS_NO_MEMORY;
goto err_root_exit;
}
if ((ret = SMB_VFS_STAT(conn, smb_fname_cpath)) != 0 ||
!S_ISDIR(smb_fname_cpath->st.st_ex_mode)) {
if (ret == 0 && !S_ISDIR(smb_fname_cpath->st.st_ex_mode)) {
- DEBUG(0,("'%s' is not a directory, when connecting to "
+ DBG_ERR("'%s' is not a directory, when connecting to "
"[%s]\n", conn->connectpath,
- lp_servicename(snum)));
+ lp_const_servicename(snum));
} else {
- DEBUG(0,("'%s' does not exist or permission denied "
+ DBG_ERR("'%s' does not exist or permission denied "
"when connecting to [%s] Error was %s\n",
- conn->connectpath, lp_servicename(snum),
- strerror(errno) ));
+ conn->connectpath,
+ lp_const_servicename(snum),
+ strerror(errno));
}
status = NT_STATUS_BAD_NETWORK_NAME;
goto err_root_exit;
}
conn->base_share_dev = smb_fname_cpath->st.st_ex_dev;
- string_set(&conn->origpath,conn->connectpath);
+ talloc_free(conn->origpath);
+ conn->origpath = talloc_strdup(conn, conn->connectpath);
/* Figure out the characteristics of the underlying filesystem. This
* assumes that all the filesystem mounted withing a share path have
* (at least initially).
*/
- if( DEBUGLVL( IS_IPC(conn) ? 3 : 1 ) ) {
+ if( DEBUGLVL( IS_IPC(conn) ? 3 : 2 ) ) {
dbgtext( "%s (%s) ", get_remote_machine_name(),
tsocket_address_string(conn->sconn->remote_address,
talloc_tos()) );
- dbgtext( "%s", srv_is_signing_active(sconn) ? "signed " : "");
- dbgtext( "connect to service %s ", lp_servicename(snum) );
+ dbgtext( "%s", srv_is_signing_active(xconn) ? "signed " : "");
+ dbgtext( "connect to service %s ",
+ lp_const_servicename(snum) );
dbgtext( "initially as user %s ",
conn->session_info->unix_info->unix_name );
dbgtext( "(uid=%d, gid=%d) ", (int)effuid, (int)effgid );
- dbgtext( "(pid %d)\n", (int)sys_getpid() );
+ dbgtext( "(pid %d)\n", (int)getpid() );
}
- return status;
+ conn->tcon_done = true;
+ return NT_STATUS_OK;
err_root_exit:
/* Call VFS disconnect hook */
SMB_VFS_DISCONNECT(conn);
}
- if (claimed_connection) {
- yield_connection(conn, lp_servicename(snum));
- }
return status;
}
Make a connection to a service from SMB1. Internal interface.
****************************************************************************/
-static connection_struct *make_connection_smb1(struct smbd_server_connection *sconn,
- int snum, user_struct *vuser,
- DATA_BLOB password,
+static connection_struct *make_connection_smb1(struct smb_request *req,
+ NTTIME now,
+ int snum, struct user_struct *vuser,
const char *pdev,
NTSTATUS *pstatus)
{
- connection_struct *conn = conn_new(sconn);
+ struct smbXsrv_tcon *tcon;
+ NTSTATUS status;
+ struct connection_struct *conn;
+
+ status = smb1srv_tcon_create(req->xconn, now, &tcon);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("make_connection_smb1: Couldn't find free tcon %s.\n",
+ nt_errstr(status)));
+ *pstatus = status;
+ return NULL;
+ }
+
+ conn = conn_new(req->sconn);
if (!conn) {
+ TALLOC_FREE(tcon);
+
DEBUG(0,("make_connection_smb1: Couldn't find free connection.\n"));
*pstatus = NT_STATUS_INSUFFICIENT_RESOURCES;
return NULL;
}
- *pstatus = make_connection_snum(sconn,
+
+ conn->cnum = tcon->global->tcon_wire_id;
+ conn->tcon = tcon;
+
+ *pstatus = make_connection_snum(req->xconn,
conn,
snum,
vuser,
- password,
pdev);
if (!NT_STATUS_IS_OK(*pstatus)) {
conn_free(conn);
+ TALLOC_FREE(tcon);
return NULL;
}
- return conn;
+
+ tcon->global->share_name = lp_servicename(tcon->global, SNUM(conn));
+ if (tcon->global->share_name == NULL) {
+ conn_free(conn);
+ TALLOC_FREE(tcon);
+ *pstatus = NT_STATUS_NO_MEMORY;
+ return NULL;
+ }
+ tcon->global->session_global_id =
+ vuser->session->global->session_global_id;
+
+ tcon->compat = talloc_move(tcon, &conn);
+ tcon->status = NT_STATUS_OK;
+
+ *pstatus = smbXsrv_tcon_update(tcon);
+ if (!NT_STATUS_IS_OK(*pstatus)) {
+ TALLOC_FREE(tcon);
+ return NULL;
+ }
+
+ return tcon->compat;
}
/****************************************************************************
We must set cnum before claiming connection.
****************************************************************************/
-connection_struct *make_connection_smb2(struct smbd_server_connection *sconn,
- struct smbd_smb2_tcon *tcon,
- user_struct *vuser,
- DATA_BLOB password,
+connection_struct *make_connection_smb2(struct smbd_smb2_request *req,
+ struct smbXsrv_tcon *tcon,
+ int snum,
+ struct user_struct *vuser,
const char *pdev,
NTSTATUS *pstatus)
{
+ struct smbd_server_connection *sconn = req->sconn;
connection_struct *conn = conn_new(sconn);
if (!conn) {
DEBUG(0,("make_connection_smb2: Couldn't find free connection.\n"));
*pstatus = NT_STATUS_INSUFFICIENT_RESOURCES;
return NULL;
}
- conn->cnum = tcon->tid;
- *pstatus = make_connection_snum(sconn,
+
+ conn->cnum = tcon->global->tcon_wire_id;
+ conn->tcon = tcon;
+
+ *pstatus = make_connection_snum(req->xconn,
conn,
- tcon->snum,
+ snum,
vuser,
- password,
pdev);
if (!NT_STATUS_IS_OK(*pstatus)) {
conn_free(conn);
* @param service
****************************************************************************/
-connection_struct *make_connection(struct smbd_server_connection *sconn,
- const char *service_in, DATA_BLOB password,
- const char *pdev, uint16 vuid,
+connection_struct *make_connection(struct smb_request *req,
+ NTTIME now,
+ const char *service_in,
+ const char *pdev, uint64_t vuid,
NTSTATUS *status)
{
+ struct smbd_server_connection *sconn = req->sconn;
uid_t euid;
- user_struct *vuser = NULL;
+ struct user_struct *vuser = NULL;
char *service = NULL;
fstring dev;
int snum = -1;
return NULL;
}
- if(lp_security() != SEC_SHARE) {
- vuser = get_valid_user_struct(sconn, vuid);
- if (!vuser) {
- DEBUG(1,("make_connection: refusing to connect with "
- "no session setup\n"));
- *status = NT_STATUS_ACCESS_DENIED;
- return NULL;
- }
+ vuser = get_valid_user_struct(sconn, vuid);
+ if (!vuser) {
+ DEBUG(1,("make_connection: refusing to connect with "
+ "no session setup\n"));
+ *status = NT_STATUS_ACCESS_DENIED;
+ return NULL;
}
/* Logic to try and connect to the correct [homes] share, preferably
*/
if (strequal(service_in,HOMES_NAME)) {
- if(lp_security() != SEC_SHARE) {
- DATA_BLOB no_pw = data_blob_null;
- if (vuser->homes_snum == -1) {
- DEBUG(2, ("[homes] share not available for "
- "this user because it was not found "
- "or created at session setup "
- "time\n"));
- *status = NT_STATUS_BAD_NETWORK_NAME;
- return NULL;
- }
- DEBUG(5, ("making a connection to [homes] service "
- "created at session setup time\n"));
- return make_connection_smb1(sconn,
- vuser->homes_snum,
- vuser, no_pw,
- dev, status);
- } else {
- /* Security = share. Try with
- * current_user_info.smb_name as the username. */
- if (*current_user_info.smb_name) {
- char *unix_username = NULL;
- (void)map_username(talloc_tos(),
- current_user_info.smb_name,
- &unix_username);
- snum = find_service(talloc_tos(),
- unix_username,
- &unix_username);
- if (!unix_username) {
- *status = NT_STATUS_NO_MEMORY;
- }
- return NULL;
- }
- if (snum != -1) {
- DEBUG(5, ("making a connection to 'homes' "
- "service %s based on "
- "security=share\n", service_in));
- return make_connection_smb1(sconn,
- snum, NULL,
- password,
- dev, status);
- }
+ if (vuser->homes_snum == -1) {
+ DEBUG(2, ("[homes] share not available for "
+ "this user because it was not found "
+ "or created at session setup "
+ "time\n"));
+ *status = NT_STATUS_BAD_NETWORK_NAME;
+ return NULL;
}
- } else if ((lp_security() != SEC_SHARE) && (vuser->homes_snum != -1)
+ DEBUG(5, ("making a connection to [homes] service "
+ "created at session setup time\n"));
+ return make_connection_smb1(req, now,
+ vuser->homes_snum,
+ vuser,
+ dev, status);
+ } else if ((vuser->homes_snum != -1)
&& strequal(service_in,
- lp_servicename(vuser->homes_snum))) {
- DATA_BLOB no_pw = data_blob_null;
+ lp_const_servicename(vuser->homes_snum))) {
DEBUG(5, ("making a connection to 'homes' service [%s] "
"created at session setup time\n", service_in));
- return make_connection_smb1(sconn,
+ return make_connection_smb1(req, now,
vuser->homes_snum,
- vuser, no_pw,
+ vuser,
dev, status);
}
return NULL;
}
- strlower_m(service);
+ if (!strlower_m(service)) {
+ DEBUG(2, ("strlower_m %s failed\n", service));
+ *status = NT_STATUS_INVALID_PARAMETER;
+ return NULL;
+ }
snum = find_service(talloc_tos(), service, &service);
if (!service) {
}
/* Handle non-Dfs clients attempting connections to msdfs proxy */
- if (lp_host_msdfs() && (*lp_msdfs_proxy(snum) != '\0')) {
+ if (lp_host_msdfs() && (*lp_msdfs_proxy(talloc_tos(), snum) != '\0')) {
DEBUG(3, ("refusing connection to dfs proxy share '%s' "
"(pointing to %s)\n",
- service, lp_msdfs_proxy(snum)));
+ service, lp_msdfs_proxy(talloc_tos(), snum)));
*status = NT_STATUS_BAD_NETWORK_NAME;
return NULL;
}
DEBUG(5, ("making a connection to 'normal' service %s\n", service));
- return make_connection_smb1(sconn, snum, vuser,
- password,
+ return make_connection_smb1(req, now, snum, vuser,
dev, status);
}
Close a cnum.
****************************************************************************/
-void close_cnum(connection_struct *conn, uint16 vuid)
+void close_cnum(connection_struct *conn, uint64_t vuid)
{
+ char rootpath[2] = { '/', '\0'};
+ struct smb_filename root_fname = { .base_name = rootpath };
+
file_close_conn(conn);
if (!IS_IPC(conn)) {
change_to_root_user();
- DEBUG(IS_IPC(conn)?3:1, ("%s (%s) closed connection to service %s\n",
+ DEBUG(IS_IPC(conn)?3:2, ("%s (%s) closed connection to service %s\n",
get_remote_machine_name(),
tsocket_address_string(conn->sconn->remote_address,
talloc_tos()),
- lp_servicename(SNUM(conn))));
-
- /* Call VFS disconnect hook */
- SMB_VFS_DISCONNECT(conn);
-
- yield_connection(conn, lp_servicename(SNUM(conn)));
+ lp_const_servicename(SNUM(conn))));
/* make sure we leave the directory available for unmount */
- vfs_ChDir(conn, "/");
+ vfs_ChDir(conn, &root_fname);
+
+ /* Call VFS disconnect hook */
+ SMB_VFS_DISCONNECT(conn);
/* execute any "postexec = " line */
- if (*lp_postexec(SNUM(conn)) &&
+ if (*lp_postexec(talloc_tos(), SNUM(conn)) &&
change_to_user(conn, vuid)) {
char *cmd = talloc_sub_advanced(talloc_tos(),
- lp_servicename(SNUM(conn)),
+ lp_const_servicename(SNUM(conn)),
conn->session_info->unix_info->unix_name,
conn->connectpath,
conn->session_info->unix_token->gid,
conn->session_info->unix_info->sanitized_username,
conn->session_info->info->domain_name,
- lp_postexec(SNUM(conn)));
- smbrun(cmd,NULL);
+ lp_postexec(talloc_tos(), SNUM(conn)));
+ smbrun(cmd, NULL, NULL);
TALLOC_FREE(cmd);
change_to_root_user();
}
change_to_root_user();
/* execute any "root postexec = " line */
- if (*lp_rootpostexec(SNUM(conn))) {
+ if (*lp_root_postexec(talloc_tos(), SNUM(conn))) {
char *cmd = talloc_sub_advanced(talloc_tos(),
- lp_servicename(SNUM(conn)),
+ lp_const_servicename(SNUM(conn)),
conn->session_info->unix_info->unix_name,
conn->connectpath,
conn->session_info->unix_token->gid,
conn->session_info->unix_info->sanitized_username,
conn->session_info->info->domain_name,
- lp_rootpostexec(SNUM(conn)));
- smbrun(cmd,NULL);
+ lp_root_postexec(talloc_tos(), SNUM(conn)));
+ smbrun(cmd, NULL, NULL);
TALLOC_FREE(cmd);
}
git.samba.org / kai / samba-autobuild / .git / blobdiff