nt_status = create_local_token(mem_ctx,
auth_ntlmssp_state->server_info,
&auth_ntlmssp_state->ntlmssp_state->session_key,
+ auth_ntlmssp_state->ntlmssp_state->user,
session_info);
if (!NT_STATUS_IS_OK(nt_status)) {
NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
const struct auth_serversupplied_info *server_info,
DATA_BLOB *session_key,
+ const char *smb_username, /* for ->sanitized_username, for %U subs */
struct auth_session_info **session_info_out)
{
struct security_token *t;
struct dom_sid tmp_sid;
struct auth_session_info *session_info;
struct wbcUnixId *ids;
+ fstring tmp;
/* Ensure we can't possible take a code path leading to a
* null defref. */
return NT_STATUS_NO_MEMORY;
}
- session_info->unix_info->sanitized_username = talloc_strdup(session_info, server_info->sanitized_username);
- if (!session_info->unix_info->sanitized_username) {
- TALLOC_FREE(session_info);
- return NT_STATUS_NO_MEMORY;
- }
+ /* This is a potentially untrusted username for use in %U */
+ alpha_strcpy(tmp, smb_username, ". _-$", sizeof(tmp));
+ session_info->unix_info->sanitized_username =
+ talloc_strdup(session_info->unix_info, tmp);
session_info->unix_info->system = server_info->system;
struct netr_SamInfo3 info3;
TALLOC_CTX *tmp_ctx;
NTSTATUS status;
- fstring tmp;
tmp_ctx = talloc_stackframe();
if (tmp_ctx == NULL) {
/* This should not be done here (we should produce a server
* info, and later construct a session info from it), but for
* now this does not change the previous behavior */
- status = create_local_token(tmp_ctx, *server_info, NULL, session_info);
+ status = create_local_token(tmp_ctx, *server_info, NULL,
+ (*server_info)->info3->base.account_name.string,
+ session_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("create_local_token failed: %s\n",
nt_errstr(status)));
all zeros! */
(*session_info)->session_key = data_blob(zeros, sizeof(zeros));
- alpha_strcpy(tmp, (*server_info)->info3->base.account_name.string,
- ". _-$", sizeof(tmp));
- (*session_info)->unix_info->sanitized_username = talloc_strdup(*session_info, tmp);
-
status = NT_STATUS_OK;
done:
TALLOC_FREE(tmp_ctx);
status = make_server_info_pw(&result, pwd->pw_name, pwd);
- TALLOC_FREE(pwd);
-
if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(pwd);
return status;
}
result->guest = is_guest;
/* Now turn the server_info into a session_info with the full token etc */
- status = create_local_token(mem_ctx, result, NULL, session_info);
+ status = create_local_token(mem_ctx, result, NULL, pwd->pw_name, session_info);
+ TALLOC_FREE(pwd);
talloc_free(result);
return status;
}
NTSTATUS create_local_token(TALLOC_CTX *mem_ctx,
const struct auth_serversupplied_info *server_info,
DATA_BLOB *session_key,
+ const char *smb_name,
struct auth_session_info **session_info_out);
NTSTATUS create_token_from_username(TALLOC_CTX *mem_ctx, const char *username,
bool is_guest,
server_info->nss_token |= username_was_mapped;
- status = create_local_token(mem_ctx, server_info, session_key, session_info);
+ status = create_local_token(mem_ctx, server_info, session_key, ntuser, session_info);
talloc_free(server_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10,("failed to create local token: %s\n",
const DATA_BLOB *sig);
bool auth_ntlmssp_negotiated_sign(struct auth_ntlmssp_state *ans);
bool auth_ntlmssp_negotiated_seal(struct auth_ntlmssp_state *ans);
-const char *auth_ntlmssp_get_username(struct auth_ntlmssp_state *ans);
-const char *auth_ntlmssp_get_domain(struct auth_ntlmssp_state *ans);
NTSTATUS auth_ntlmssp_set_username(struct auth_ntlmssp_state *ans,
const char *user);
NTSTATUS auth_ntlmssp_set_domain(struct auth_ntlmssp_state *ans,
return ans->ntlmssp_state->neg_flags & NTLMSSP_NEGOTIATE_SEAL;
}
-/* Needed for 'smb username' processing */
-const char *auth_ntlmssp_get_username(struct auth_ntlmssp_state *ans)
-{
- if (ans->gensec_security) {
- return ""; /* We can't get at this value, and it's just for the %U macros */
- }
- return ans->ntlmssp_state->user;
-}
-
NTSTATUS auth_ntlmssp_set_username(struct auth_ntlmssp_state *ans,
const char *user)
{
* Some internal functions need a local token to determine access to
* resources.
*/
- status = create_local_token(p, server_info, &session_info->session_key, &p->session_info);
+ status = create_local_token(p, server_info, &session_info->session_key, info3->base.account_name.string,
+ &p->session_info);
talloc_free(server_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to init local auth token\n"));
int register_existing_vuid(struct smbd_server_connection *sconn,
uint16 vuid,
struct auth_session_info *session_info,
- DATA_BLOB response_blob,
- const char *smb_name)
+ DATA_BLOB response_blob)
{
- fstring tmp;
user_struct *vuser;
bool guest = security_session_user_level(session_info, NULL) < SECURITY_USER;
/* Use this to keep tabs on all our info from the authentication */
vuser->session_info = talloc_move(vuser, &session_info);
- /* This is a potentially untrusted username */
- alpha_strcpy(tmp, smb_name, ". _-$", sizeof(tmp));
-
- vuser->session_info->unix_info->sanitized_username = talloc_strdup(
- vuser->session_info, tmp);
-
/* Make clear that we require the optional unix_token and unix_info in the source3 code */
SMB_ASSERT(vuser->session_info->unix_token);
SMB_ASSERT(vuser->session_info->unix_info);
int register_existing_vuid(struct smbd_server_connection *sconn,
uint16 vuid,
struct auth_session_info *session_info,
- DATA_BLOB response_blob,
- const char *smb_name);
+ DATA_BLOB response_blob);
void add_session_user(struct smbd_server_connection *sconn, const char *user);
void add_session_workgroup(struct smbd_server_connection *sconn,
const char *workgroup);
* it.... */
sess_vuid = register_existing_vuid(sconn, sess_vuid,
- session_info, nullblob, user);
+ session_info, nullblob);
reply_outbuf(req, 4, 0);
SSVAL(req->outbuf,smb_uid,sess_vuid);
/* register_existing_vuid keeps the server info */
if (register_existing_vuid(sconn, vuid,
- session_info, nullblob,
- auth_ntlmssp_get_username(*auth_ntlmssp_state)) !=
+ session_info, nullblob) !=
vuid) {
/* The problem is, *auth_ntlmssp_state points
* into the vuser this will have
return;
}
- nt_status = create_local_token(req, server_info, NULL, &session_info);
+ nt_status = create_local_token(req, server_info, NULL, sub_user, &session_info);
TALLOC_FREE(server_info);
if (!NT_STATUS_IS_OK(nt_status)) {
/* register_existing_vuid keeps the session_info */
sess_vuid = register_existing_vuid(sconn, sess_vuid,
session_info,
- nt_resp.data ? nt_resp : lm_resp,
- sub_user);
+ nt_resp.data ? nt_resp : lm_resp);
if (sess_vuid == UID_FIELD_INVALID) {
data_blob_free(&nt_resp);
data_blob_free(&lm_resp);
struct passwd *pw = NULL;
NTSTATUS status;
char *real_username;
- fstring tmp;
bool username_was_mapped = false;
bool map_domainuser_to_guest = false;
session->compat_vuser->vuid = session->vuid;
DLIST_ADD(session->sconn->smb1.sessions.validated_users, session->compat_vuser);
- /* This is a potentially untrusted username */
- alpha_strcpy(tmp, user, ". _-$", sizeof(tmp));
- session->session_info->unix_info->sanitized_username =
- talloc_strdup(session->session_info, tmp);
-
if (security_session_user_level(session->session_info, NULL) >= SECURITY_USER) {
session->compat_vuser->homes_snum =
register_homes_share(session->session_info->unix_info->unix_name);
uint16_t *out_session_flags,
uint64_t *out_session_id)
{
- fstring tmp;
-
if ((in_security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED) ||
lp_server_signing() == Required) {
session->do_signing = true;
session->compat_vuser->vuid = session->vuid;
DLIST_ADD(session->sconn->smb1.sessions.validated_users, session->compat_vuser);
- /* This is a potentially untrusted username */
- alpha_strcpy(tmp,
- auth_ntlmssp_get_username(session->auth_ntlmssp_state),
- ". _-$",
- sizeof(tmp));
- session->session_info->unix_info->sanitized_username = talloc_strdup(
- session->session_info, tmp);
-
if (security_session_user_level(session->session_info, NULL) >= SECURITY_USER) {
session->compat_vuser->homes_snum =
register_homes_share(session->session_info->unix_info->unix_name);