auth: Set NETLOGON_GUEST and use it to determine guest status

These additional measures should help ensure we do not accidentily upgrade
a guest to an authenticated user in the future.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>

diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c
index ee27e966f666461ff024f4248f81c03fb9e16cf0..59fcf7ad5d3affef0e5e9c5a9985e983233b9423 100644 (file)
--- a/auth/auth_sam_reply.c
+++ b/auth/auth_sam_reply.c
@@ -237,7 +237,8 @@ NTSTATUS make_user_info_SamBaseInfo(TALLOC_CTX *mem_ctx,
        info->bad_password_count = base->bad_password_count;
        info->acct_flags = base->acct_flags;
 
-       info->authenticated = authenticated;
+       /* Only set authenticated if both NETLOGON_GUEST is not set, and authenticated is set */
+       info->authenticated = (authenticated && (!(base->user_flags & NETLOGON_GUEST)));
 
        *_user_info = info;
        return NT_STATUS_OK;

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 0627911aeb445290b83e70a4204c41bdc596f159..d5ca1a206b9092079e406dfb58c6d3468926b3b7 100644 (file)
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -809,6 +809,9 @@ static NTSTATUS get_guest_info3(TALLOC_CTX *mem_ctx,
        /* Primary gid */
        info3->base.primary_gid = BUILTIN_RID_GUESTS;
 
+       /* Set as guest */
+       info3->base.user_flags = NETLOGON_GUEST;
+
        TALLOC_FREE(pwd);
        return NT_STATUS_OK;
 }