/*
- Unix SMB/Netbios implementation.
- Version 1.9.
+ Unix SMB/CIFS implementation.
Password and authentication handling
Copyright (C) Andrew Tridgell 1992-1998
#include "includes.h"
-extern int DEBUGLEVEL;
-extern int Protocol;
-extern struct in_addr ipzero;
-
/* users from session setup */
static pstring session_users="";
-extern pstring global_myname;
-extern fstring global_myworkgroup;
-
/* this holds info on user ids that are already validated for this VC */
static user_struct *validated_users;
static int next_vuid = VUID_OFFSET;
if (vuser == NULL)
return;
- session_yield(vuid);
+ SAFE_FREE(vuser->homedir);
+
+ session_yield(vuser);
DLIST_REMOVE(validated_users, vuser);
- safe_free(vuser->groups);
+ /* clear the vuid from the 'cache' on each connection, and
+ from the vuid 'owner' of connections */
+ conn_clear_vuid_cache(vuid);
+
+ SAFE_FREE(vuser->groups);
delete_nt_token(&vuser->nt_user_token);
- safe_free(vuser);
+ SAFE_FREE(vuser);
num_validated_vuids--;
}
}
}
-/****************************************************************************
-return a validated username
-****************************************************************************/
-char *validated_username(uint16 vuid)
-{
- user_struct *vuser = get_valid_user_struct(vuid);
- if (vuser == NULL)
- return 0;
- return(vuser->user.unix_name);
-}
-
-/****************************************************************************
-return a validated domain
-****************************************************************************/
-char *validated_domain(uint16 vuid)
-{
- user_struct *vuser = get_valid_user_struct(vuid);
- if (vuser == NULL)
- return 0;
- return(vuser->user.domain);
-}
-
-
-/****************************************************************************
- Create the SID list for this user.
-****************************************************************************/
-
-NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, BOOL is_guest)
-{
- extern DOM_SID global_sid_World;
- extern DOM_SID global_sid_Network;
- extern DOM_SID global_sid_Builtin_Guests;
- extern DOM_SID global_sid_Authenticated_Users;
- NT_USER_TOKEN *token;
- DOM_SID *psids;
- int i, psid_ndx = 0;
- size_t num_sids = 0;
- fstring sid_str;
-
- if ((token = (NT_USER_TOKEN *)malloc( sizeof(NT_USER_TOKEN) ) ) == NULL)
- return NULL;
-
- ZERO_STRUCTP(token);
-
- /* We always have uid/gid plus World and Network and Authenticated Users or Guest SIDs. */
- num_sids = 5 + ngroups;
-
- if ((token->user_sids = (DOM_SID *)malloc( num_sids*sizeof(DOM_SID))) == NULL) {
- free(token);
- return NULL;
- }
-
- psids = token->user_sids;
-
- /*
- * Note - user SID *MUST* be first in token !
- * se_access_check depends on this.
- */
-
- uid_to_sid( &psids[psid_ndx++], uid);
-
- /*
- * Primary group SID is second in token. Convention.
- */
-
- gid_to_sid( &psids[psid_ndx++], gid);
-
- /* Now add the group SIDs. */
-
- for (i = 0; i < ngroups; i++) {
- if (groups[i] != gid) {
- gid_to_sid( &psids[psid_ndx++], groups[i]);
- }
- }
-
- /*
- * Finally add the "standard" SIDs.
- * The only difference between guest and "anonymous" (which we
- * don't really support) is the addition of Authenticated_Users.
- */
-
- sid_copy( &psids[psid_ndx++], &global_sid_World);
- sid_copy( &psids[psid_ndx++], &global_sid_Network);
-
- if (is_guest)
- sid_copy( &psids[psid_ndx++], &global_sid_Builtin_Guests);
- else
- sid_copy( &psids[psid_ndx++], &global_sid_Authenticated_Users);
-
- token->num_sids = psid_ndx;
-
- /* Dump list of sids in token */
-
- for (i = 0; i < token->num_sids; i++) {
- DEBUG(5, ("user token sid %s\n",
- sid_to_string(sid_str, &token->user_sids[i])));
- }
-
- return token;
-}
-
/****************************************************************************
register a uid/name pair as being valid and that a valid password
has been given. vuid is biased by an offset. This allows us to
tell random client vuid's (normally zero) from valid vuids.
****************************************************************************/
-int register_vuid(uid_t uid,gid_t gid, char *unix_name, char *requested_name,
- char *domain,BOOL guest, char* full_name)
+int register_vuid(auth_serversupplied_info *server_info, const char *smb_name)
{
user_struct *vuser = NULL;
ZERO_STRUCTP(vuser);
- DEBUG(10,("register_vuid: (%u,%u) %s %s %s guest=%d\n", (unsigned int)uid, (unsigned int)gid,
- unix_name, requested_name, domain, guest ));
-
/* Allocate a free vuid. Yes this is a linear search... :-) */
while( get_valid_user_struct(next_vuid) != NULL ) {
next_vuid++;
DEBUG(10,("register_vuid: allocated vuid = %u\n", (unsigned int)next_vuid ));
vuser->vuid = next_vuid;
- vuser->uid = uid;
- vuser->gid = gid;
- vuser->guest = guest;
- fstrcpy(vuser->user.unix_name,unix_name);
- fstrcpy(vuser->user.smb_name,requested_name);
- fstrcpy(vuser->user.domain,domain);
- fstrcpy(vuser->user.full_name, full_name);
- DEBUG(3, ("User name: %s\tReal name: %s\n",vuser->user.unix_name,vuser->user.full_name));
- vuser->n_groups = 0;
- vuser->groups = NULL;
+ /* the next functions should be done by a SID mapping system (SMS) as
+ * the new real sam db won't have reference to unix uids or gids
+ */
+ if (!IS_SAM_UNIX_USER(server_info->sam_account)) {
+ DEBUG(0,("Attempted session setup with invalid user. No uid/gid in SAM_ACCOUNT\n"));
+ free(vuser);
+ return UID_FIELD_INVALID;
+ }
+
+ vuser->uid = pdb_get_uid(server_info->sam_account);
+ vuser->gid = pdb_get_gid(server_info->sam_account);
+
+ vuser->n_groups = server_info->n_groups;
+ if (vuser->n_groups) {
+ if (!(vuser->groups = memdup(server_info->groups, sizeof(gid_t) * vuser->n_groups))) {
+ DEBUG(0,("register_vuid: failed to memdup vuser->groups\n"));
+ free(vuser);
+ return UID_FIELD_INVALID;
+ }
+ }
+
+ vuser->guest = server_info->guest;
+ fstrcpy(vuser->user.unix_name, pdb_get_username(server_info->sam_account));
+ fstrcpy(vuser->user.smb_name, smb_name);
+ fstrcpy(vuser->user.domain, pdb_get_domain(server_info->sam_account));
+ fstrcpy(vuser->user.full_name, pdb_get_fullname(server_info->sam_account));
+
+ {
+ /* Keep the homedir handy */
+ const char *homedir = pdb_get_homedir(server_info->sam_account);
+ const char *unix_homedir = pdb_get_unix_homedir(server_info->sam_account); /* should be optained by SMS */
+ const char *logon_script = pdb_get_logon_script(server_info->sam_account);
+ if (homedir) {
+ vuser->homedir = smb_xstrdup(homedir);
+ }
+
+ if (unix_homedir) {
+ vuser->unix_homedir = smb_xstrdup(unix_homedir);
+ }
+
+ if (logon_script) {
+ vuser->logon_script = smb_xstrdup(logon_script);
+ }
+ }
+
+ memcpy(vuser->session_key, server_info->session_key, sizeof(vuser->session_key));
+
+ DEBUG(10,("register_vuid: (%u,%u) %s %s %s guest=%d\n",
+ (unsigned int)vuser->uid,
+ (unsigned int)vuser->gid,
+ vuser->user.unix_name, vuser->user.smb_name, vuser->user.domain, vuser->guest ));
+
+ DEBUG(3, ("User name: %s\tReal name: %s\n",vuser->user.unix_name,vuser->user.full_name));
- /* Find all the groups this uid is in and store them.
- Used by become_user() */
- initialise_groups(unix_name, uid, gid);
- get_current_groups( &vuser->n_groups, &vuser->groups);
+ if (server_info->ptok) {
+ vuser->nt_user_token = dup_nt_token(server_info->ptok);
+ } else {
+ DEBUG(1, ("server_info does not contain a user_token - cannot continue\n"));
+ free(vuser);
+ return UID_FIELD_INVALID;
+ }
- /* Create an NT_USER_TOKEN struct for this user. */
- vuser->nt_user_token = create_nt_token(uid,gid, vuser->n_groups, vuser->groups, guest);
+ DEBUG(3,("UNIX uid %d is UNIX user %s, and will be vuid %u\n",(int)vuser->uid,vuser->user.unix_name, vuser->vuid));
next_vuid++;
num_validated_vuids++;
DLIST_ADD(validated_users, vuser);
- if (!session_claim(vuser->vuid)) {
+ if (!session_claim(vuser)) {
DEBUG(1,("Failed to claim session for vuid=%d\n", vuser->vuid));
invalidate_vuid(vuser->vuid);
return -1;
}
+ /* Register a home dir service for this user */
+ if ((!vuser->guest) && vuser->unix_homedir && *(vuser->unix_homedir)) {
+ DEBUG(3, ("Adding/updating homes service for user '%s' using home direcotry: '%s'\n",
+ vuser->user.unix_name, vuser->unix_homedir));
+ vuser->homes_snum = add_home_service(vuser->user.unix_name, vuser->user.unix_name, vuser->unix_homedir);
+ } else {
+ vuser->homes_snum = -1;
+ }
+
return vuser->vuid;
}
/****************************************************************************
add a name to the session users list
****************************************************************************/
-void add_session_user(char *user)
+void add_session_user(const char *user)
{
fstring suser;
- StrnCpy(suser,user,sizeof(suser)-1);
+ struct passwd *passwd;
- if (!Get_Pwnam(suser,True)) return;
+ if (!(passwd = Get_Pwnam(user))) return;
+
+ StrnCpy(suser,passwd->pw_name,sizeof(suser)-1);
if (suser && *suser && !in_list(suser,session_users,False))
{
/****************************************************************************
check if a username is valid
****************************************************************************/
-BOOL user_ok(char *user,int snum)
+BOOL user_ok(const char *user,int snum)
{
char **valid, **invalid;
BOOL ret;
ret = True;
if (lp_invalid_users(snum)) {
- lp_list_copy(&invalid, lp_invalid_users(snum));
- if (invalid && lp_list_substitute(invalid, "%S", lp_servicename(snum))) {
+ str_list_copy(&invalid, lp_invalid_users(snum));
+ if (invalid && str_list_substitute(invalid, "%S", lp_servicename(snum))) {
ret = !user_in_list(user, invalid);
}
}
- if (invalid) lp_list_free (&invalid);
+ if (invalid) str_list_free (&invalid);
if (ret && lp_valid_users(snum)) {
- lp_list_copy(&valid, lp_valid_users(snum));
- if (valid && lp_list_substitute(valid, "%S", lp_servicename(snum))) {
+ str_list_copy(&valid, lp_valid_users(snum));
+ if (valid && str_list_substitute(valid, "%S", lp_servicename(snum))) {
ret = user_in_list(user,valid);
}
}
- if (valid) lp_list_free (&valid);
+ if (valid) str_list_free (&valid);
if (ret && lp_onlyuser(snum)) {
- char **user_list = lp_list_make (lp_username(snum));
- if (user_list && lp_list_substitute(user_list, "%S", lp_servicename(snum))) {
+ char **user_list = str_list_make (lp_username(snum), NULL);
+ if (user_list && str_list_substitute(user_list, "%S", lp_servicename(snum))) {
ret = user_in_list(user, user_list);
}
- if (user_list) lp_list_free (&user_list);
+ if (user_list) str_list_free (&user_list);
}
return(ret);
/****************************************************************************
validate a group username entry. Return the username or NULL
****************************************************************************/
-static char *validate_group(char *group,char *password,int pwlen,int snum)
+static char *validate_group(char *group, DATA_BLOB password,int snum)
{
#ifdef HAVE_NETGROUP
{
while (getnetgrent(&host, &user, &domain)) {
if (user) {
if (user_ok(user, snum) &&
- password_ok(user,password,pwlen)) {
+ password_ok(user,password)) {
endnetgrent();
return(user);
}
static fstring name;
fstrcpy(name,member);
if (user_ok(name,snum) &&
- password_ok(name,password,pwlen)) {
+ password_ok(name,password)) {
endgrent();
return(&name[0]);
}
Note this is *NOT* used when logging on using sessionsetup_and_X.
****************************************************************************/
-BOOL authorise_login(int snum,char *user,char *password, int pwlen,
- BOOL *guest,BOOL *force,uint16 vuid)
+BOOL authorise_login(int snum, fstring user, DATA_BLOB password,
+ BOOL *guest)
{
BOOL ok = False;
- user_struct *vuser = get_valid_user_struct(vuid);
-
+
#if DEBUG_PASSWORD
DEBUG(100,("authorise_login: checking authorisation on user=%s pass=%s\n",
- user,password));
+ user,password.data));
#endif
*guest = False;
- if (GUEST_ONLY(snum))
- *force = True;
-
- if (!GUEST_ONLY(snum) && (lp_security() > SEC_SHARE)) {
-
- /*
- * We should just use the given vuid from a sessionsetup_and_X.
- */
-
- if (!vuser) {
- DEBUG(1,("authorise_login: refusing user %s with no session setup\n",
- user));
- return False;
- }
-
- if (!vuser->guest && user_ok(vuser->user.unix_name,snum)) {
- fstrcpy(user,vuser->user.unix_name);
- *guest = False;
- DEBUG(3,("authorise_login: ACCEPTED: validated uid ok as non-guest \
-(user=%s)\n", user));
- return True;
- }
- }
-
/* there are several possibilities:
1) login as the given user with given password
2) login as a previously registered username with the given password
if the service is guest_only then steps 1 to 5 are skipped
*/
- if (!(GUEST_ONLY(snum) && GUEST_OK(snum))) {
- /* check the given username and password */
- if (!ok && (*user) && user_ok(user,snum)) {
- ok = password_ok(user,password, pwlen);
- if (ok)
- DEBUG(3,("authorise_login: ACCEPTED: given username (%s) password ok\n",
- user ));
- }
-
- /* check for a previously registered guest username */
- if (!ok && (vuser != 0) && vuser->guest) {
- if (user_ok(vuser->user.unix_name,snum) &&
- password_ok(vuser->user.unix_name, password, pwlen)) {
- fstrcpy(user, vuser->user.unix_name);
- vuser->guest = False;
- DEBUG(3,("authorise_login: ACCEPTED: given password with registered user %s\n", user));
+ /* now check the list of session users */
+ if (!ok) {
+ char *auser;
+ char *user_list = strdup(session_users);
+ if (!user_list)
+ return(False);
+
+ for (auser=strtok(user_list,LIST_SEP); !ok && auser;
+ auser = strtok(NULL,LIST_SEP)) {
+ fstring user2;
+ fstrcpy(user2,auser);
+ if (!user_ok(user2,snum))
+ continue;
+
+ if (password_ok(user2,password)) {
ok = True;
+ fstrcpy(user,user2);
+ DEBUG(3,("authorise_login: ACCEPTED: session list username (%s) \
+and given password ok\n", user));
}
}
-
- /* now check the list of session users */
- if (!ok) {
- char *auser;
- char *user_list = strdup(session_users);
- if (!user_list)
- return(False);
-
- for (auser=strtok(user_list,LIST_SEP); !ok && auser;
- auser = strtok(NULL,LIST_SEP)) {
+
+ SAFE_FREE(user_list);
+ }
+
+ /* check the user= fields and the given password */
+ if (!ok && lp_username(snum)) {
+ char *auser;
+ pstring user_list;
+ StrnCpy(user_list,lp_username(snum),sizeof(pstring));
+
+ pstring_sub(user_list,"%S",lp_servicename(snum));
+
+ for (auser=strtok(user_list,LIST_SEP); auser && !ok;
+ auser = strtok(NULL,LIST_SEP)) {
+ if (*auser == '@') {
+ auser = validate_group(auser+1,password,snum);
+ if (auser) {
+ ok = True;
+ fstrcpy(user,auser);
+ DEBUG(3,("authorise_login: ACCEPTED: group username \
+and given password ok (%s)\n", user));
+ }
+ } else {
fstring user2;
fstrcpy(user2,auser);
- if (!user_ok(user2,snum))
- continue;
-
- if (password_ok(user2,password, pwlen)) {
+ if (user_ok(user2,snum) && password_ok(user2,password)) {
ok = True;
fstrcpy(user,user2);
- DEBUG(3,("authorise_login: ACCEPTED: session list username (%s) \
-and given password ok\n", user));
- }
- }
-
- free(user_list);
- }
-
- /* check for a previously validated username/password pair */
- if (!ok && (lp_security() > SEC_SHARE) && (vuser != 0) && !vuser->guest &&
- user_ok(vuser->user.unix_name,snum)) {
- fstrcpy(user,vuser->user.unix_name);
- *guest = False;
- DEBUG(3,("authorise_login: ACCEPTED: validated uid (%s) as non-guest\n",
- user));
- ok = True;
- }
-
- /* check the user= fields and the given password */
- if (!ok && lp_username(snum)) {
- char *auser;
- pstring user_list;
- StrnCpy(user_list,lp_username(snum),sizeof(pstring));
-
- pstring_sub(user_list,"%S",lp_servicename(snum));
-
- for (auser=strtok(user_list,LIST_SEP); auser && !ok;
- auser = strtok(NULL,LIST_SEP)) {
- if (*auser == '@') {
- auser = validate_group(auser+1,password,pwlen,snum);
- if (auser) {
- ok = True;
- fstrcpy(user,auser);
- DEBUG(3,("authorise_login: ACCEPTED: group username \
+ DEBUG(3,("authorise_login: ACCEPTED: user list username \
and given password ok (%s)\n", user));
- }
- } else {
- fstring user2;
- fstrcpy(user2,auser);
- if (user_ok(user2,snum) && password_ok(user2,password,pwlen)) {
- ok = True;
- fstrcpy(user,user2);
- DEBUG(3,("authorise_login: ACCEPTED: user list username \
-and given password ok (%s)\n", user));
- }
}
}
}
- } /* not guest only */
+ }
/* check for a normal guest connection */
if (!ok && GUEST_OK(snum)) {
fstring guestname;
- StrnCpy(guestname,lp_guestaccount(snum),sizeof(guestname)-1);
- if (Get_Pwnam(guestname,True)) {
+ StrnCpy(guestname,lp_guestaccount(),sizeof(guestname)-1);
+ if (Get_Pwnam(guestname)) {
fstrcpy(user,guestname);
ok = True;
DEBUG(3,("authorise_login: ACCEPTED: guest account and guest ok (%s)\n",