2 Unix SMB/CIFS implementation.
3 service (connection) opening and closing
4 Copyright (C) Andrew Tridgell 1992-1998
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 extern userdom_struct current_user_info;
25 /****************************************************************************
26 Ensure when setting connectpath it is a canonicalized (no ./ // or ../)
27 absolute path stating in / and not ending in /.
28 Observent people will notice a similarity between this and check_path_syntax :-).
29 ****************************************************************************/
31 void set_conn_connectpath(connection_struct *conn, const pstring connectpath)
35 const char *s = connectpath;
36 BOOL start_of_name_component = True;
38 *d++ = '/'; /* Always start with root. */
42 /* Eat multiple '/' */
46 if ((d > destname + 1) && (*s != '\0')) {
49 start_of_name_component = True;
53 if (start_of_name_component) {
54 if ((s[0] == '.') && (s[1] == '.') && (s[2] == '/' || s[2] == '\0')) {
55 /* Uh oh - "/../" or "/..\0" ! */
57 /* Go past the ../ or .. */
61 s += 2; /* Go past the .. */
64 /* If we just added a '/' - delete it */
65 if ((d > destname) && (*(d-1) == '/')) {
70 /* Are we at the start ? Can't go back further if so. */
72 *d++ = '/'; /* Can't delete root */
75 /* Go back one level... */
76 /* Decrement d first as d points to the *next* char to write into. */
77 for (d--; d > destname; d--) {
82 /* We're still at the start of a name component, just the previous one. */
84 } else if ((s[0] == '.') && ((s[1] == '\0') || s[1] == '/')) {
85 /* Component of pathname can't be "." only - skip the '.' . */
99 /* Get the size of the next MB character. */
100 next_codepoint(s,&siz);
121 start_of_name_component = False;
125 /* And must not end in '/' */
126 if (d > destname + 1 && (*(d-1) == '/')) {
130 DEBUG(10,("set_conn_connectpath: service %s, connectpath = %s\n",
131 lp_servicename(SNUM(conn)), destname ));
133 string_set(&conn->connectpath, destname);
136 /****************************************************************************
137 Load parameters specific to a connection/service.
138 ****************************************************************************/
140 BOOL set_current_service(connection_struct *conn, uint16 flags, BOOL do_chdir)
142 static connection_struct *last_conn;
143 static uint16 last_flags;
151 conn->lastused_count++;
156 vfs_ChDir(conn,conn->connectpath) != 0 &&
157 vfs_ChDir(conn,conn->origpath) != 0) {
158 DEBUG(0,("chdir (%s) failed\n",
163 if ((conn == last_conn) && (last_flags == flags)) {
170 /* Obey the client case sensitivity requests - only for clients that support it. */
171 switch (lp_casesensitive(snum)) {
174 /* We need this uglyness due to DOS/Win9x clients that lie about case insensitivity. */
175 enum remote_arch_types ra_type = get_remote_arch();
176 if ((ra_type != RA_SAMBA) && (ra_type != RA_CIFSFS)) {
177 /* Client can't support per-packet case sensitive pathnames. */
178 conn->case_sensitive = False;
180 conn->case_sensitive = !(flags & FLAG_CASELESS_PATHNAMES);
185 conn->case_sensitive = True;
188 conn->case_sensitive = False;
194 /****************************************************************************
195 Add a home service. Returns the new service number or -1 if fail.
196 ****************************************************************************/
198 int add_home_service(const char *service, const char *username, const char *homedir)
202 if (!service || !homedir)
205 if ((iHomeService = lp_servicenumber(HOMES_NAME)) < 0)
209 * If this is a winbindd provided username, remove
210 * the domain component before adding the service.
211 * Log a warning if the "path=" parameter does not
212 * include any macros.
216 const char *p = strchr(service,*lp_winbind_separator());
218 /* We only want the 'user' part of the string */
224 if (!lp_add_home(service, iHomeService, username, homedir)) {
228 return lp_servicenumber(service);
232 static int load_registry_service(const char *servicename)
234 struct registry_key *key;
240 struct registry_value *value;
244 if (!lp_registry_shares()) {
248 if (asprintf(&path, "%s\\%s", KEY_SMBCONF, servicename) == -1) {
252 err = reg_open_path(NULL, path, REG_KEY_READ, get_root_nt_token(),
256 if (!W_ERROR_IS_OK(err)) {
260 res = lp_add_service(servicename, -1);
266 W_ERROR_IS_OK(reg_enumvalue(key, key, i, &value_name, &value));
268 switch (value->type) {
271 if (asprintf(&tmp, "%d", value->v.dword) == -1) {
274 lp_do_parameter(res, value_name, tmp);
279 lp_do_parameter(res, value_name, value->v.sz.str);
283 /* Ignore all the rest */
287 TALLOC_FREE(value_name);
297 void load_registry_shares(void)
299 struct registry_key *key;
304 if (!lp_registry_shares()) {
308 err = reg_open_path(NULL, KEY_SMBCONF, REG_KEY_READ,
309 get_root_nt_token(), &key);
310 if (!(W_ERROR_IS_OK(err))) {
314 for (i=0; W_ERROR_IS_OK(reg_enumkey(key, key, i, &name, NULL)); i++) {
315 load_registry_service(name);
324 * Find a service entry.
326 * @param service is modified (to canonical form??)
329 int find_service(fstring service)
333 all_string_sub(service,"\\","/",0);
335 iService = lp_servicenumber(service);
337 /* now handle the special case of a home directory */
339 char *phome_dir = get_user_home_dir(service);
343 * Try mapping the servicename, it may
344 * be a Windows to unix mapped user name.
346 if(map_username(service))
347 phome_dir = get_user_home_dir(service);
350 DEBUG(3,("checking for home directory %s gave %s\n",service,
351 phome_dir?phome_dir:"(NULL)"));
353 iService = add_home_service(service,service /* 'username' */, phome_dir);
356 /* If we still don't have a service, attempt to add it as a printer. */
360 if ((iPrinterService = lp_servicenumber(PRINTERS_NAME)) >= 0) {
361 DEBUG(3,("checking whether %s is a valid printer name...\n", service));
362 if (pcap_printername_ok(service)) {
363 DEBUG(3,("%s is a valid printer name\n", service));
364 DEBUG(3,("adding %s as a printer service\n", service));
365 lp_add_printer(service, iPrinterService);
366 iService = lp_servicenumber(service);
368 DEBUG(0,("failed to add %s as a printer service!\n", service));
371 DEBUG(3,("%s is not a valid printer name\n", service));
376 /* Check for default vfs service? Unsure whether to implement this */
380 /* just possibly it's a default service? */
382 char *pdefservice = lp_defaultservice();
383 if (pdefservice && *pdefservice && !strequal(pdefservice,service) && !strstr_m(service,"..")) {
385 * We need to do a local copy here as lp_defaultservice()
386 * returns one of the rotating lp_string buffers that
387 * could get overwritten by the recursive find_service() call
388 * below. Fix from Josef Hinteregger <joehtg@joehtg.co.at>.
391 pstrcpy(defservice, pdefservice);
392 iService = find_service(defservice);
394 all_string_sub(service, "_","/",0);
395 iService = lp_add_service(service, iService);
401 iService = load_registry_service(service);
404 /* Is it a usershare service ? */
405 if (iService < 0 && *lp_usershare_path()) {
406 /* Ensure the name is canonicalized. */
408 iService = load_usershare_service(service);
412 if (!VALID_SNUM(iService)) {
413 DEBUG(0,("Invalid snum %d for %s\n",iService, service));
419 DEBUG(3,("find_service() failed to find service %s\n", service));
425 /****************************************************************************
426 do some basic sainity checks on the share.
427 This function modifies dev, ecode.
428 ****************************************************************************/
430 static NTSTATUS share_sanity_checks(int snum, fstring dev)
433 if (!lp_snum_ok(snum) ||
434 !check_access(smbd_server_fd(),
435 lp_hostsallow(snum), lp_hostsdeny(snum))) {
436 return NT_STATUS_ACCESS_DENIED;
439 if (dev[0] == '?' || !dev[0]) {
440 if (lp_print_ok(snum)) {
441 fstrcpy(dev,"LPT1:");
442 } else if (strequal(lp_fstype(snum), "IPC")) {
451 if (lp_print_ok(snum)) {
452 if (!strequal(dev, "LPT1:")) {
453 return NT_STATUS_BAD_DEVICE_TYPE;
455 } else if (strequal(lp_fstype(snum), "IPC")) {
456 if (!strequal(dev, "IPC")) {
457 return NT_STATUS_BAD_DEVICE_TYPE;
459 } else if (!strequal(dev, "A:")) {
460 return NT_STATUS_BAD_DEVICE_TYPE;
463 /* Behave as a printer if we are supposed to */
464 if (lp_print_ok(snum) && (strcmp(dev, "A:") == 0)) {
465 fstrcpy(dev, "LPT1:");
471 static NTSTATUS find_forced_user(int snum, BOOL vuser_is_guest,
472 uid_t *uid, gid_t *gid, fstring username,
473 struct nt_user_token **token)
476 char *fuser, *found_username;
477 struct nt_user_token *tmp_token;
480 if (!(mem_ctx = talloc_new(NULL))) {
481 DEBUG(0, ("talloc_new failed\n"));
482 return NT_STATUS_NO_MEMORY;
485 if (!(fuser = talloc_string_sub(mem_ctx, lp_force_user(snum), "%S",
486 lp_servicename(snum)))) {
487 TALLOC_FREE(mem_ctx);
488 return NT_STATUS_NO_MEMORY;
492 result = create_token_from_username(mem_ctx, fuser, vuser_is_guest,
493 uid, gid, &found_username,
495 if (!NT_STATUS_IS_OK(result)) {
496 TALLOC_FREE(mem_ctx);
500 if (!(*token = dup_nt_token(NULL, tmp_token))) {
501 TALLOC_FREE(mem_ctx);
502 return NT_STATUS_NO_MEMORY;
505 fstrcpy(username, found_username);
507 TALLOC_FREE(mem_ctx);
512 * Go through lookup_name etc to find the force'd group.
514 * Create a new token from src_token, replacing the primary group sid with the
518 static NTSTATUS find_forced_group(BOOL force_user,
519 int snum, const char *username,
523 NTSTATUS result = NT_STATUS_NO_SUCH_GROUP;
526 enum lsa_SidType type;
528 BOOL user_must_be_member = False;
531 ZERO_STRUCTP(pgroup_sid);
534 mem_ctx = talloc_new(NULL);
535 if (mem_ctx == NULL) {
536 DEBUG(0, ("talloc_new failed\n"));
537 return NT_STATUS_NO_MEMORY;
540 groupname = talloc_strdup(mem_ctx, lp_force_group(snum));
541 if (groupname == NULL) {
542 DEBUG(1, ("talloc_strdup failed\n"));
543 result = NT_STATUS_NO_MEMORY;
547 if (groupname[0] == '+') {
548 user_must_be_member = True;
552 groupname = talloc_string_sub(mem_ctx, groupname,
553 "%S", lp_servicename(snum));
555 if (!lookup_name_smbconf(mem_ctx, groupname,
556 LOOKUP_NAME_ALL|LOOKUP_NAME_GROUP,
557 NULL, NULL, &group_sid, &type)) {
558 DEBUG(10, ("lookup_name_smbconf(%s) failed\n",
563 if ((type != SID_NAME_DOM_GRP) && (type != SID_NAME_ALIAS) &&
564 (type != SID_NAME_WKN_GRP)) {
565 DEBUG(10, ("%s is a %s, not a group\n", groupname,
566 sid_type_lookup(type)));
570 if (!sid_to_gid(&group_sid, &gid)) {
571 DEBUG(10, ("sid_to_gid(%s) for %s failed\n",
572 sid_string_static(&group_sid), groupname));
577 * If the user has been forced and the forced group starts with a '+',
578 * then we only set the group to be the forced group if the forced
579 * user is a member of that group. Otherwise, the meaning of the '+'
583 if (force_user && user_must_be_member) {
584 if (user_in_group_sid(username, &group_sid)) {
585 sid_copy(pgroup_sid, &group_sid);
587 DEBUG(3,("Forced group %s for member %s\n",
588 groupname, username));
590 DEBUG(0,("find_forced_group: forced user %s is not a member "
591 "of forced group %s. Disallowing access.\n",
592 username, groupname ));
593 result = NT_STATUS_MEMBER_NOT_IN_GROUP;
597 sid_copy(pgroup_sid, &group_sid);
599 DEBUG(3,("Forced group %s\n", groupname));
602 result = NT_STATUS_OK;
604 TALLOC_FREE(mem_ctx);
608 /****************************************************************************
609 Make a connection, given the snum to connect to, and the vuser of the
610 connecting user if appropriate.
611 ****************************************************************************/
613 static connection_struct *make_connection_snum(int snum, user_struct *vuser,
618 struct passwd *pass = NULL;
620 connection_struct *conn;
628 SET_STAT_INVALID(st);
630 if (NT_STATUS_IS_ERR(*status = share_sanity_checks(snum, dev))) {
636 DEBUG(0,("Couldn't find free connection.\n"));
637 *status = NT_STATUS_INSUFFICIENT_RESOURCES;
641 conn->nt_user_token = NULL;
643 if (lp_guest_only(snum)) {
644 const char *guestname = lp_guestaccount();
646 char *found_username;
648 pass = getpwnam_alloc(NULL, guestname);
650 DEBUG(0,("make_connection_snum: Invalid guest "
651 "account %s??\n",guestname));
653 *status = NT_STATUS_NO_SUCH_USER;
656 status2 = create_token_from_username(NULL, pass->pw_name, True,
657 &conn->uid, &conn->gid,
659 &conn->nt_user_token);
660 if (!NT_STATUS_IS_OK(status2)) {
665 fstrcpy(user, found_username);
666 string_set(&conn->user,user);
667 conn->force_user = True;
669 DEBUG(3,("Guest only user %s\n",user));
672 if (!lp_guest_ok(snum)) {
673 DEBUG(2, ("guest user (from session setup) "
674 "not permitted to access this share "
675 "(%s)\n", lp_servicename(snum)));
677 *status = NT_STATUS_ACCESS_DENIED;
681 if (!user_ok_token(vuser->user.unix_name,
682 vuser->nt_user_token, snum)) {
683 DEBUG(2, ("user '%s' (from session setup) not "
684 "permitted to access this share "
685 "(%s)\n", vuser->user.unix_name,
686 lp_servicename(snum)));
688 *status = NT_STATUS_ACCESS_DENIED;
692 conn->vuid = vuser->vuid;
693 conn->uid = vuser->uid;
694 conn->gid = vuser->gid;
695 string_set(&conn->user,vuser->user.unix_name);
696 fstrcpy(user,vuser->user.unix_name);
697 guest = vuser->guest;
698 } else if (lp_security() == SEC_SHARE) {
700 char *found_username;
701 /* add it as a possible user name if we
702 are in share mode security */
703 add_session_user(lp_servicename(snum));
704 /* shall we let them in? */
705 if (!authorise_login(snum,user,password,&guest)) {
706 DEBUG( 2, ( "Invalid username/password for [%s]\n",
707 lp_servicename(snum)) );
709 *status = NT_STATUS_WRONG_PASSWORD;
712 pass = Get_Pwnam(user);
713 status2 = create_token_from_username(NULL, pass->pw_name, True,
714 &conn->uid, &conn->gid,
716 &conn->nt_user_token);
717 if (!NT_STATUS_IS_OK(status2)) {
722 fstrcpy(user, found_username);
723 string_set(&conn->user,user);
724 conn->force_user = True;
726 DEBUG(0, ("invalid VUID (vuser) but not in security=share\n"));
728 *status = NT_STATUS_ACCESS_DENIED;
732 add_session_user(user);
734 safe_strcpy(conn->client_address, client_addr(),
735 sizeof(conn->client_address)-1);
736 conn->num_files_open = 0;
737 conn->lastused = conn->lastused_count = time(NULL);
738 conn->params->service = snum;
740 conn->printer = (strncmp(dev,"LPT",3) == 0);
741 conn->ipc = ( (strncmp(dev,"IPC",3) == 0) ||
742 ( lp_enable_asu_support() && strequal(dev,"ADMIN$")) );
745 /* Case options for the share. */
746 if (lp_casesensitive(snum) == Auto) {
747 /* We will be setting this per packet. Set to be case
748 * insensitive for now. */
749 conn->case_sensitive = False;
751 conn->case_sensitive = (BOOL)lp_casesensitive(snum);
754 conn->case_preserve = lp_preservecase(snum);
755 conn->short_case_preserve = lp_shortpreservecase(snum);
757 conn->veto_list = NULL;
758 conn->hide_list = NULL;
759 conn->veto_oplock_list = NULL;
760 conn->aio_write_behind_list = NULL;
761 string_set(&conn->dirpath,"");
762 string_set(&conn->user,user);
764 conn->read_only = lp_readonly(SNUM(conn));
765 conn->admin_user = False;
768 * If force user is true, then store the given userid and the gid of
769 * the user we're forcing.
770 * For auxiliary groups see below.
773 if (*lp_force_user(snum)) {
776 status2 = find_forced_user(snum,
777 (vuser != NULL) && vuser->guest,
778 &conn->uid, &conn->gid, user,
779 &conn->nt_user_token);
780 if (!NT_STATUS_IS_OK(status2)) {
785 string_set(&conn->user,user);
786 conn->force_user = True;
787 DEBUG(3,("Forced user %s\n",user));
791 * If force group is true, then override
792 * any groupid stored for the connecting user.
795 if (*lp_force_group(snum)) {
799 status2 = find_forced_group(conn->force_user,
801 &group_sid, &conn->gid);
802 if (!NT_STATUS_IS_OK(status2)) {
808 if ((conn->nt_user_token == NULL) && (vuser != NULL)) {
810 /* Not force user and not security=share, but force
811 * group. vuser has a token to copy */
813 conn->nt_user_token = dup_nt_token(
814 NULL, vuser->nt_user_token);
815 if (conn->nt_user_token == NULL) {
816 DEBUG(0, ("dup_nt_token failed\n"));
818 *status = NT_STATUS_NO_MEMORY;
823 /* If conn->nt_user_token is still NULL, we have
824 * security=share. This means ignore the SID, as we had no
825 * vuser to copy from */
827 if (conn->nt_user_token != NULL) {
828 /* Overwrite the primary group sid */
829 sid_copy(&conn->nt_user_token->user_sids[1],
833 conn->force_group = True;
836 if (conn->nt_user_token != NULL) {
839 /* We have a share-specific token from force [user|group].
840 * This means we have to create the list of unix groups from
841 * the list of sids. */
846 for (i=0; i<conn->nt_user_token->num_sids; i++) {
848 DOM_SID *sid = &conn->nt_user_token->user_sids[i];
850 if (!sid_to_gid(sid, &gid)) {
851 DEBUG(10, ("Could not convert SID %s to gid, "
853 sid_string_static(sid)));
856 if (!add_gid_to_array_unique(NULL, gid, &conn->groups,
858 DEBUG(0, ("add_gid_to_array_unique failed\n"));
860 *status = NT_STATUS_NO_MEMORY;
868 pstrcpy(s,lp_pathname(snum));
869 standard_sub_advanced(lp_servicename(SNUM(conn)), conn->user,
870 conn->connectpath, conn->gid,
871 get_current_username(),
872 current_user_info.domain,
874 set_conn_connectpath(conn,s);
875 DEBUG(3,("Connect path is '%s' for service [%s]\n",s,
876 lp_servicename(snum)));
880 * New code to check if there's a share security descripter
881 * added from NT server manager. This is done after the
882 * smb.conf checks are done as we need a uid and token. JRA.
887 NT_USER_TOKEN *token = conn->nt_user_token ?
888 conn->nt_user_token : vuser->nt_user_token;
890 BOOL can_write = share_access_check(token,
891 lp_servicename(snum),
895 if (!share_access_check(token,
896 lp_servicename(snum),
898 /* No access, read or write. */
899 DEBUG(0,("make_connection: connection to %s "
900 "denied due to security "
902 lp_servicename(snum)));
904 *status = NT_STATUS_ACCESS_DENIED;
907 conn->read_only = True;
911 /* Initialise VFS function pointers */
913 if (!smbd_vfs_init(conn)) {
914 DEBUG(0, ("vfs_init failed for service %s\n",
915 lp_servicename(snum)));
917 *status = NT_STATUS_BAD_NETWORK_NAME;
922 * If widelinks are disallowed we need to canonicalise the connect
923 * path here to ensure we don't have any symlinks in the
924 * connectpath. We will be checking all paths on this connection are
925 * below this directory. We must do this after the VFS init as we
926 * depend on the realpath() pointer in the vfs table. JRA.
928 if (!lp_widelinks(snum)) {
930 pstrcpy(s,conn->connectpath);
931 canonicalize_path(conn, s);
932 set_conn_connectpath(conn,s);
935 /* ROOT Activities: */
936 /* check number of connections */
937 if (!claim_connection(conn,
938 lp_servicename(snum),
939 lp_max_connections(snum),
941 DEBUG(1,("too many connections - rejected\n"));
943 *status = NT_STATUS_INSUFFICIENT_RESOURCES;
947 /* Preexecs are done here as they might make the dir we are to ChDir
949 /* execute any "root preexec = " line */
950 if (*lp_rootpreexec(snum)) {
952 pstrcpy(cmd,lp_rootpreexec(snum));
953 standard_sub_advanced(lp_servicename(SNUM(conn)), conn->user,
954 conn->connectpath, conn->gid,
955 get_current_username(),
956 current_user_info.domain,
958 DEBUG(5,("cmd=%s\n",cmd));
959 ret = smbrun(cmd,NULL);
960 if (ret != 0 && lp_rootpreexec_close(snum)) {
961 DEBUG(1,("root preexec gave %d - failing "
962 "connection\n", ret));
963 yield_connection(conn, lp_servicename(snum));
965 *status = NT_STATUS_ACCESS_DENIED;
970 /* USER Activites: */
971 if (!change_to_user(conn, conn->vuid)) {
972 /* No point continuing if they fail the basic checks */
973 DEBUG(0,("Can't become connected user!\n"));
974 yield_connection(conn, lp_servicename(snum));
976 *status = NT_STATUS_LOGON_FAILURE;
980 /* Remember that a different vuid can connect later without these
983 /* Preexecs are done here as they might make the dir we are to ChDir
986 /* execute any "preexec = " line */
987 if (*lp_preexec(snum)) {
989 pstrcpy(cmd,lp_preexec(snum));
990 standard_sub_advanced(lp_servicename(SNUM(conn)), conn->user,
991 conn->connectpath, conn->gid,
992 get_current_username(),
993 current_user_info.domain,
995 ret = smbrun(cmd,NULL);
996 if (ret != 0 && lp_preexec_close(snum)) {
997 DEBUG(1,("preexec gave %d - failing connection\n",
999 change_to_root_user();
1000 yield_connection(conn, lp_servicename(snum));
1002 *status = NT_STATUS_ACCESS_DENIED;
1007 #ifdef WITH_FAKE_KASERVER
1008 if (lp_afs_share(snum)) {
1013 /* Add veto/hide lists */
1014 if (!IS_IPC(conn) && !IS_PRINT(conn)) {
1015 set_namearray( &conn->veto_list, lp_veto_files(snum));
1016 set_namearray( &conn->hide_list, lp_hide_files(snum));
1017 set_namearray( &conn->veto_oplock_list, lp_veto_oplocks(snum));
1020 /* Invoke VFS make connection hook - do this before the VFS_STAT call
1021 to allow any filesystems needing user credentials to initialize
1024 if (SMB_VFS_CONNECT(conn, lp_servicename(snum), user) < 0) {
1025 DEBUG(0,("make_connection: VFS make connection failed!\n"));
1026 change_to_root_user();
1027 yield_connection(conn, lp_servicename(snum));
1029 *status = NT_STATUS_UNSUCCESSFUL;
1033 /* win2000 does not check the permissions on the directory
1034 during the tree connect, instead relying on permission
1035 check during individual operations. To match this behaviour
1036 I have disabled this chdir check (tridge) */
1037 /* the alternative is just to check the directory exists */
1038 if ((ret = SMB_VFS_STAT(conn, conn->connectpath, &st)) != 0 ||
1039 !S_ISDIR(st.st_mode)) {
1040 if (ret == 0 && !S_ISDIR(st.st_mode)) {
1041 DEBUG(0,("'%s' is not a directory, when connecting to "
1042 "[%s]\n", conn->connectpath,
1043 lp_servicename(snum)));
1045 DEBUG(0,("'%s' does not exist or permission denied "
1046 "when connecting to [%s] Error was %s\n",
1047 conn->connectpath, lp_servicename(snum),
1050 change_to_root_user();
1051 /* Call VFS disconnect hook */
1052 SMB_VFS_DISCONNECT(conn);
1053 yield_connection(conn, lp_servicename(snum));
1055 *status = NT_STATUS_BAD_NETWORK_NAME;
1059 string_set(&conn->origpath,conn->connectpath);
1061 #if SOFTLINK_OPTIMISATION
1062 /* resolve any soft links early if possible */
1063 if (vfs_ChDir(conn,conn->connectpath) == 0) {
1065 pstrcpy(s,conn->connectpath);
1067 set_conn_connectpath(conn,s);
1068 vfs_ChDir(conn,conn->connectpath);
1073 * Print out the 'connected as' stuff here as we need
1074 * to know the effective uid and gid we will be using
1075 * (at least initially).
1078 if( DEBUGLVL( IS_IPC(conn) ? 3 : 1 ) ) {
1079 dbgtext( "%s (%s) ", get_remote_machine_name(),
1080 conn->client_address );
1081 dbgtext( "%s", srv_is_signing_active() ? "signed " : "");
1082 dbgtext( "connect to service %s ", lp_servicename(snum) );
1083 dbgtext( "initially as user %s ", user );
1084 dbgtext( "(uid=%d, gid=%d) ", (int)geteuid(), (int)getegid() );
1085 dbgtext( "(pid %d)\n", (int)sys_getpid() );
1088 /* Setup the minimum value for a change notify wait time (seconds). */
1089 set_change_notify_timeout(lp_change_notify_timeout(snum));
1091 /* we've finished with the user stuff - go back to root */
1092 change_to_root_user();
1096 /***************************************************************************************
1097 Simple wrapper function for make_connection() to include a call to
1099 **************************************************************************************/
1101 connection_struct *make_connection_with_chdir(const char *service_in,
1103 const char *dev, uint16 vuid,
1106 connection_struct *conn = NULL;
1108 conn = make_connection(service_in, password, dev, vuid, status);
1111 * make_connection() does not change the directory for us any more
1112 * so we have to do it as a separate step --jerry
1115 if ( conn && vfs_ChDir(conn,conn->connectpath) != 0 ) {
1116 DEBUG(0,("move_driver_to_download_area: Can't change "
1117 "directory to %s for [print$] (%s)\n",
1118 conn->connectpath,strerror(errno)));
1119 yield_connection(conn, lp_servicename(SNUM(conn)));
1121 *status = NT_STATUS_UNSUCCESSFUL;
1128 /****************************************************************************
1129 Make a connection to a service.
1132 ****************************************************************************/
1134 connection_struct *make_connection(const char *service_in, DATA_BLOB password,
1135 const char *pdev, uint16 vuid,
1139 user_struct *vuser = NULL;
1146 /* This must ONLY BE CALLED AS ROOT. As it exits this function as
1148 if (!non_root_mode() && (euid = geteuid()) != 0) {
1149 DEBUG(0,("make_connection: PANIC ERROR. Called as nonroot "
1150 "(%u)\n", (unsigned int)euid ));
1151 smb_panic("make_connection: PANIC ERROR. Called as nonroot\n");
1154 if (conn_num_open() > 2047) {
1155 *status = NT_STATUS_INSUFF_SERVER_RESOURCES;
1159 if(lp_security() != SEC_SHARE) {
1160 vuser = get_valid_user_struct(vuid);
1162 DEBUG(1,("make_connection: refusing to connect with "
1163 "no session setup\n"));
1164 *status = NT_STATUS_ACCESS_DENIED;
1169 /* Logic to try and connect to the correct [homes] share, preferably
1170 without too many getpwnam() lookups. This is particulary nasty for
1171 winbind usernames, where the share name isn't the same as unix
1174 The snum of the homes share is stored on the vuser at session setup
1178 if (strequal(service_in,HOMES_NAME)) {
1179 if(lp_security() != SEC_SHARE) {
1180 DATA_BLOB no_pw = data_blob(NULL, 0);
1181 if (vuser->homes_snum == -1) {
1182 DEBUG(2, ("[homes] share not available for "
1183 "this user because it was not found "
1184 "or created at session setup "
1186 *status = NT_STATUS_BAD_NETWORK_NAME;
1189 DEBUG(5, ("making a connection to [homes] service "
1190 "created at session setup time\n"));
1191 return make_connection_snum(vuser->homes_snum,
1195 /* Security = share. Try with
1196 * current_user_info.smb_name as the username. */
1197 if (*current_user_info.smb_name) {
1198 fstring unix_username;
1199 fstrcpy(unix_username,
1200 current_user_info.smb_name);
1201 map_username(unix_username);
1202 snum = find_service(unix_username);
1205 DEBUG(5, ("making a connection to 'homes' "
1206 "service %s based on "
1207 "security=share\n", service_in));
1208 return make_connection_snum(snum, NULL,
1213 } else if ((lp_security() != SEC_SHARE) && (vuser->homes_snum != -1)
1214 && strequal(service_in,
1215 lp_servicename(vuser->homes_snum))) {
1216 DATA_BLOB no_pw = data_blob(NULL, 0);
1217 DEBUG(5, ("making a connection to 'homes' service [%s] "
1218 "created at session setup time\n", service_in));
1219 return make_connection_snum(vuser->homes_snum,
1224 fstrcpy(service, service_in);
1226 strlower_m(service);
1228 snum = find_service(service);
1231 if (strequal(service,"IPC$") ||
1232 (lp_enable_asu_support() && strequal(service,"ADMIN$"))) {
1233 DEBUG(3,("refusing IPC connection to %s\n", service));
1234 *status = NT_STATUS_ACCESS_DENIED;
1238 DEBUG(0,("%s (%s) couldn't find service %s\n",
1239 get_remote_machine_name(), client_addr(), service));
1240 *status = NT_STATUS_BAD_NETWORK_NAME;
1244 /* Handle non-Dfs clients attempting connections to msdfs proxy */
1245 if (lp_host_msdfs() && (*lp_msdfs_proxy(snum) != '\0')) {
1246 DEBUG(3, ("refusing connection to dfs proxy share '%s' "
1247 "(pointing to %s)\n",
1248 service, lp_msdfs_proxy(snum)));
1249 *status = NT_STATUS_BAD_NETWORK_NAME;
1253 DEBUG(5, ("making a connection to 'normal' service %s\n", service));
1255 return make_connection_snum(snum, vuser,
1260 /****************************************************************************
1262 ****************************************************************************/
1264 void close_cnum(connection_struct *conn, uint16 vuid)
1267 pipe_close_conn(conn);
1269 file_close_conn(conn);
1270 dptr_closecnum(conn);
1273 change_to_root_user();
1275 DEBUG(IS_IPC(conn)?3:1, ("%s (%s) closed connection to service %s\n",
1276 get_remote_machine_name(),
1277 conn->client_address,
1278 lp_servicename(SNUM(conn))));
1280 /* Call VFS disconnect hook */
1281 SMB_VFS_DISCONNECT(conn);
1283 yield_connection(conn, lp_servicename(SNUM(conn)));
1285 /* make sure we leave the directory available for unmount */
1286 vfs_ChDir(conn, "/");
1288 /* execute any "postexec = " line */
1289 if (*lp_postexec(SNUM(conn)) &&
1290 change_to_user(conn, vuid)) {
1292 pstrcpy(cmd,lp_postexec(SNUM(conn)));
1293 standard_sub_advanced(lp_servicename(SNUM(conn)), conn->user,
1294 conn->connectpath, conn->gid,
1295 get_current_username(),
1296 current_user_info.domain,
1299 change_to_root_user();
1302 change_to_root_user();
1303 /* execute any "root postexec = " line */
1304 if (*lp_rootpostexec(SNUM(conn))) {
1306 pstrcpy(cmd,lp_rootpostexec(SNUM(conn)));
1307 standard_sub_advanced(lp_servicename(SNUM(conn)), conn->user,
1308 conn->connectpath, conn->gid,
1309 get_current_username(),
1310 current_user_info.domain,