BOOL pdb_generate_sam_sid(void);
+/*The following definitions come from passdb/pampass.c */
+
+BOOL PAM_session(BOOL instance, const connection_struct *conn, char *tty);
+BOOL pam_passcheck(char * user, char * password);
+BOOL pam_passcheck( char * user, char * password );
+
/*The following definitions come from passdb/pass_check.c */
void dfs_unlogin(void);
BOOL share_info_db_init(void);
void map_generic_share_sd_bits(SEC_DESC *psd);
-BOOL share_access_check(int snum, uint16 vuid, uint32 desired_access);
+BOOL share_access_check(connection_struct *conn, int snum, uint16 vuid, uint32 desired_access);
uint32 _srv_net_srv_get_info(pipes_struct *p, SRV_Q_NET_SRV_GET_INFO *q_u, SRV_R_NET_SRV_GET_INFO *r_u);
uint32 _srv_net_file_enum(pipes_struct *p, SRV_Q_NET_FILE_ENUM *q_u, SRV_R_NET_FILE_ENUM *r_u);
uint32 _srv_net_conn_enum(pipes_struct *p, SRV_Q_NET_CONN_ENUM *q_u, SRV_R_NET_CONN_ENUM *r_u);
Can this user access with share with the required permissions ?
********************************************************************/
-BOOL share_access_check(int snum, uint16 vuid, uint32 desired_access)
+BOOL share_access_check(connection_struct *conn, int snum, uint16 vuid, uint32 desired_access)
{
uint32 granted, status;
TALLOC_CTX *mem_ctx = NULL;
if (!psd)
goto out;
+ ZERO_STRUCT(tmp_user);
if (vuser) {
- ZERO_STRUCT(tmp_user);
tmp_user.vuid = vuid;
tmp_user.uid = vuser->uid;
tmp_user.gid = vuser->gid;
tmp_user.ngroups = vuser->n_groups;
tmp_user.groups = vuser->groups;
tmp_user.nt_user_token = vuser->nt_user_token;
- puser = &tmp_user;
+ } else {
+ tmp_user.vuid = vuid;
+ tmp_user.uid = conn->uid;
+ tmp_user.gid = conn->gid;
+ tmp_user.ngroups = conn->ngroups;
+ tmp_user.groups = conn->groups;
+ tmp_user.nt_user_token = conn->nt_user_token;
}
+ puser = &tmp_user;
+
ret = se_access_check(psd, puser, desired_access, &granted, &status);
out:
conn->read_only = lp_readonly(snum);
- /*
- * New code to check if there's a share security descripter
- * added from NT server manager. This is an additional check
- * before the smb.conf checks are done. JRA.
- */
-
- {
- BOOL can_write = share_access_check(snum, vuid, FILE_WRITE_DATA);
-
- if (!can_write) {
- if (!share_access_check(snum, vuid, FILE_READ_DATA)) {
- /* No access, read or write. */
- *ecode = ERRaccess;
- DEBUG(0,( "make_connection: connection to %s denied due to security descriptor.\n",
- service ));
- conn_free(conn);
- return NULL;
- } else {
- conn->read_only = True;
- }
- }
- }
{
pstring list;
conn->ngroups, conn->groups,
guest);
+ /*
+ * New code to check if there's a share security descripter
+ * added from NT server manager. This is done after the
+ * smb.conf checks are done as we need a uid and token. JRA.
+ */
+
+ {
+ BOOL can_write = share_access_check(conn, snum, vuid, FILE_WRITE_DATA);
+
+ if (!can_write) {
+ if (!share_access_check(conn, snum, vuid, FILE_READ_DATA)) {
+ /* No access, read or write. */
+ *ecode = ERRaccess;
+ DEBUG(0,( "make_connection: connection to %s denied due to security descriptor.\n",
+ service ));
+ conn_free(conn);
+ return NULL;
+ } else {
+ conn->read_only = True;
+ }
+ }
+ }
/* Initialise VFS function pointers */
if (*lp_vfsobj(SNUM(conn))) {