summaryrefslogtreecommitdiffstats
path: root/source3
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2002-08-20 01:54:28 +0000
committerAndrew Bartlett <abartlet@samba.org>2002-08-20 01:54:28 +0000
commit8674440d81f703cb59979426c92ed54de8e5f2ed (patch)
tree033da6bfa721b02c1a087ee478d3593997f30e2a /source3
parent03615599919f94c5ed56e9824343b02f4f3e0b71 (diff)
downloadsamba-8674440d81f703cb59979426c92ed54de8e5f2ed.tar.gz
samba-8674440d81f703cb59979426c92ed54de8e5f2ed.tar.xz
samba-8674440d81f703cb59979426c92ed54de8e5f2ed.zip
Based orginally by work by Kai, this patch moves our NT_TOKEN generation into
our authenticaion code - removing some of the duplication from the current code. This also gets us *much* closer to supporting a real SAM backend, becouse the SAM can give us the right info then. This also changes our service.c code, so that we do a VUID (rather than uid) cache on the connection struct, and do full NT ACL/NT_TOKEN checks (or cached equivilant) on every packet, for the same r or rw mode the whole share was open for. Andrew Bartlett (This used to be commit d8122cee059fc7098bfa7e42e638a9958b3ac902)
Diffstat (limited to 'source3')
-rw-r--r--source3/auth/auth_builtin.c9
-rw-r--r--source3/auth/auth_sam.c6
-rw-r--r--source3/auth/auth_server.c4
-rw-r--r--source3/auth/auth_util.c494
-rw-r--r--source3/auth/auth_winbind.c2
-rw-r--r--source3/include/local.h2
-rw-r--r--source3/include/smb.h7
-rw-r--r--source3/rpc_server/srv_pipe.c35
-rw-r--r--source3/rpc_server/srv_srvsvc_nt.c6
-rw-r--r--source3/smbd/conn.c24
-rw-r--r--source3/smbd/password.c156
-rw-r--r--source3/smbd/service.c35
-rw-r--r--source3/smbd/sesssetup.c4
-rw-r--r--source3/smbd/uid.c38
14 files changed, 536 insertions, 286 deletions
diff --git a/source3/auth/auth_builtin.c b/source3/auth/auth_builtin.c
index 5ce7075ab9f..bba1ad98bdc 100644
--- a/source3/auth/auth_builtin.c
+++ b/source3/auth/auth_builtin.c
@@ -41,13 +41,8 @@ static NTSTATUS check_guest_security(const struct auth_context *auth_context,
NTSTATUS nt_status = NT_STATUS_LOGON_FAILURE;
if (!(user_info->internal_username.str
- && *user_info->internal_username.str)) {
- if (make_server_info_guest(server_info)) {
- nt_status = NT_STATUS_OK;
- } else {
- nt_status = NT_STATUS_NO_SUCH_USER;
- }
- }
+ && *user_info->internal_username.str))
+ nt_status = make_server_info_guest(server_info);
return nt_status;
}
diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c
index 155370546a5..50f1e5dac9e 100644
--- a/source3/auth/auth_sam.c
+++ b/source3/auth/auth_sam.c
@@ -403,9 +403,9 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context,
return nt_status;
}
- if (!make_server_info_sam(server_info, sampass)) {
- DEBUG(0,("failed to malloc memory for server_info\n"));
- return NT_STATUS_NO_MEMORY;
+ if (!NT_STATUS_IS_OK(nt_status = make_server_info_sam(server_info, sampass))) {
+ DEBUG(0,("failed to malloc memory for server_info ret: %s\n", nt_errstr(nt_status)));
+ return nt_status;
}
lm_hash = pdb_get_lanman_passwd((*server_info)->sam_account);
diff --git a/source3/auth/auth_server.c b/source3/auth/auth_server.c
index f227c9125c2..0ed905e79c8 100644
--- a/source3/auth/auth_server.c
+++ b/source3/auth/auth_server.c
@@ -375,9 +375,7 @@ use this machine as the password server.\n"));
if NT_STATUS_IS_OK(nt_status) {
struct passwd *pass = Get_Pwnam(user_info->internal_username.str);
if (pass) {
- if (!make_server_info_pw(server_info, pass)) {
- nt_status = NT_STATUS_NO_MEMORY;
- }
+ nt_status = make_server_info_pw(server_info, pass);
} else {
nt_status = NT_STATUS_NO_SUCH_USER;
}
diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index f914d918715..51b8005634e 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -26,6 +26,11 @@
#define DBGC_CLASS DBGC_AUTH
extern pstring global_myname;
+extern DOM_SID global_sid_World;
+extern DOM_SID global_sid_Network;
+extern DOM_SID global_sid_Builtin_Guests;
+extern DOM_SID global_sid_Authenticated_Users;
+
/****************************************************************************
Create a UNIX user on demand.
@@ -455,37 +460,298 @@ BOOL make_user_info_guest(auth_usersupplied_info **user_info)
auth_flags, True);
}
+/****************************************************************************
+ prints a NT_USER_TOKEN to debug output.
+****************************************************************************/
+
+void debug_nt_user_token(int dbg_class, int dbg_lev, NT_USER_TOKEN *token)
+{
+ fstring sid_str;
+ int i;
+
+ DEBUGC(dbg_class, dbg_lev, ("NT user token of user %s\n",
+ sid_to_string(sid_str, &token->user_sids[0]) ));
+ DEBUGADDC(dbg_class, dbg_lev, ("contains %i SIDs\n", token->num_sids));
+ for (i = 0; i < token->num_sids; i++)
+ DEBUGADDC(dbg_class, dbg_lev, ("SID[%3i]: %s\n", i,
+ sid_to_string(sid_str, &token->user_sids[i])));
+}
+
+/****************************************************************************
+ Create the SID list for this user.
+****************************************************************************/
+
+static NTSTATUS create_nt_user_token(const DOM_SID *user_sid, const DOM_SID *group_sid,
+ int n_groupSIDs, DOM_SID *groupSIDs,
+ BOOL is_guest, NT_USER_TOKEN **token)
+{
+ NTSTATUS nt_status = NT_STATUS_OK;
+ NT_USER_TOKEN *ptoken;
+ int i;
+ int sid_ndx;
+
+ if ((ptoken = malloc( sizeof(NT_USER_TOKEN) ) ) == NULL) {
+ DEBUG(0, ("create_nt_token: Out of memory allocating token\n"));
+ nt_status = NT_STATUS_NO_MEMORY;
+ return nt_status;
+ }
+
+ ZERO_STRUCTP(ptoken);
+
+ ptoken->num_sids = n_groupSIDs + 5;
+
+ if ((ptoken->user_sids = (DOM_SID *)malloc( sizeof(DOM_SID) * ptoken->num_sids )) == NULL) {
+ DEBUG(0, ("create_nt_token: Out of memory allocating SIDs\n"));
+ nt_status = NT_STATUS_NO_MEMORY;
+ return nt_status;
+ }
+
+ memset((char*)ptoken->user_sids,0,sizeof(DOM_SID) * ptoken->num_sids);
+
+ /*
+ * Note - user SID *MUST* be first in token !
+ * se_access_check depends on this.
+ *
+ * Primary group SID is second in token. Convention.
+ */
+
+ sid_copy(&ptoken->user_sids[PRIMARY_USER_SID_INDEX], user_sid);
+ if (group_sid)
+ sid_copy(&ptoken->user_sids[PRIMARY_GROUP_SID_INDEX], group_sid);
+
+ /*
+ * Finally add the "standard" SIDs.
+ * The only difference between guest and "anonymous" (which we
+ * don't really support) is the addition of Authenticated_Users.
+ */
+
+ sid_copy(&ptoken->user_sids[2], &global_sid_World);
+ sid_copy(&ptoken->user_sids[3], &global_sid_Network);
+
+ if (is_guest)
+ sid_copy(&ptoken->user_sids[4], &global_sid_Builtin_Guests);
+ else
+ sid_copy(&ptoken->user_sids[4], &global_sid_Authenticated_Users);
+
+ sid_ndx = 5; /* next available spot */
+
+ for (i = 0; i < n_groupSIDs; i++) {
+ int check_sid_idx;
+ for (check_sid_idx = 1; check_sid_idx < ptoken->num_sids; check_sid_idx++) {
+ if (sid_equal(&ptoken->user_sids[check_sid_idx],
+ &groupSIDs[i])) {
+ break;
+ }
+ }
+
+ if (check_sid_idx >= ptoken->num_sids) /* Not found already */ {
+ sid_copy(&ptoken->user_sids[sid_ndx++], &groupSIDs[i]);
+ } else {
+ ptoken->num_sids--;
+ }
+ }
+
+ debug_nt_user_token(DBGC_AUTH, 10, ptoken);
+
+ *token = ptoken;
+
+ return nt_status;
+}
+
+/****************************************************************************
+ Create the SID list for this user.
+****************************************************************************/
+
+NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, BOOL is_guest)
+{
+ DOM_SID user_sid;
+ DOM_SID group_sid;
+ DOM_SID *group_sids;
+ NT_USER_TOKEN *token;
+ int i;
+
+ if (!uid_to_sid(&user_sid, uid)) {
+ return NULL;
+ }
+ if (!gid_to_sid(&group_sid, gid)) {
+ return NULL;
+ }
+
+ group_sids = malloc(sizeof(DOM_SID) * ngroups);
+ if (!group_sids) {
+ DEBUG(0, ("create_nt_token: malloc() failed for DOM_SID list!\n"));
+ return NULL;
+ }
+
+ for (i = 0; i < ngroups; i++) {
+ if (!gid_to_sid(&(group_sids)[i], (groups)[i])) {
+ DEBUG(1, ("create_nt_token: failed to convert gid %ld to a sid!\n", (long int)groups[i]));
+ SAFE_FREE(group_sids);
+ return NULL;
+ }
+ }
+
+ if (!NT_STATUS_IS_OK(create_nt_user_token(&user_sid, &group_sid,
+ ngroups, group_sids, is_guest, &token))) {
+ SAFE_FREE(group_sids);
+ return NULL;
+ }
+
+ SAFE_FREE(group_sids);
+
+ return token;
+}
+
+/******************************************************************************
+ * this function returns the groups (SIDs) of the local SAM the user is in.
+ * If this samba server is a DC of the domain the user belongs to, it returns
+ * both domain groups and local / builtin groups. If the user is in a trusted
+ * domain, or samba is a member server of a domain, then this function returns
+ * local and builtin groups the user is a member of.
+ *
+ * currently this is a hack, as there is no sam implementation that is capable
+ * of groups.
+ ******************************************************************************/
+
+static NTSTATUS get_user_groups_from_local_sam(const DOM_SID *user_sid,
+ int *n_groups, DOM_SID **groups, gid_t **unix_groups)
+{
+ uid_t uid;
+ enum SID_NAME_USE snu;
+ fstring str;
+ int n_unix_groups;
+ int i;
+ struct passwd *usr;
+
+ *n_groups = 0;
+ *groups = NULL;
+
+ if (!sid_to_uid(user_sid, &uid, &snu)) {
+ DEBUG(2, ("get_user_groups_from_local_sam: Failed to convert user SID %s to a uid!\n", sid_to_string(str, user_sid)));
+ return NT_STATUS_NO_SUCH_USER;
+ }
+
+ usr = getpwuid_alloc(uid);
+
+ n_unix_groups = groups_max();
+ if ((*unix_groups = malloc( sizeof(gid_t) * groups_max() ) ) == NULL) {
+ DEBUG(0, ("get_user_groups_from_local_sam: Out of memory allocating unix group list\n"));
+ passwd_free(&usr);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (sys_getgrouplist(usr->pw_name, usr->pw_gid, *unix_groups, &n_unix_groups) == -1) {
+ *unix_groups = realloc(unix_groups, sizeof(gid_t) * n_unix_groups);
+ if (sys_getgrouplist(usr->pw_name, usr->pw_gid, *unix_groups, &n_unix_groups) == -1) {
+ DEBUG(0, ("get_user_groups_from_local_sam: failed to get the unix group list\n"));
+ SAFE_FREE(unix_groups);
+ passwd_free(&usr);
+ return NT_STATUS_NO_SUCH_USER; /* what should this return value be? */
+ }
+ }
+
+ passwd_free(&usr);
+
+ DEBUG(5,("get_user_groups_from_local_sam: user is in the unix following groups\n"));
+ for (i = 0; i < n_unix_groups; i++)
+ DEBUGADD(5,("supplementary group gid:%ld\n",(long int)(*unix_groups)[i]));
+
+ *groups = malloc(sizeof(DOM_SID) * n_unix_groups);
+ if (!*groups) {
+ DEBUG(0, ("get_user_group_from_local_sam: malloc() failed for DOM_SID list!\n"));
+ SAFE_FREE(unix_groups);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ *n_groups = n_unix_groups;
+
+ for (i = 0; i < *n_groups; i++) {
+ if (!gid_to_sid(&(*groups)[i], (*unix_groups)[i])) {
+ DEBUG(1, ("get_user_groups_from_local_sam: failed to convert gid %ld to a sid!\n", (long int)unix_groups[i+1]));
+ SAFE_FREE(groups);
+ SAFE_FREE(unix_groups);
+ return NT_STATUS_NO_SUCH_USER;
+ }
+ }
+
+ return NT_STATUS_OK;
+}
+
/***************************************************************************
Make a user_info struct
***************************************************************************/
-static BOOL make_server_info(auth_serversupplied_info **server_info)
+static NTSTATUS make_server_info(auth_serversupplied_info **server_info, SAM_ACCOUNT *sampass)
{
*server_info = malloc(sizeof(**server_info));
if (!*server_info) {
DEBUG(0,("make_server_info: malloc failed!\n"));
- return False;
+ return NT_STATUS_NO_MEMORY;
}
ZERO_STRUCTP(*server_info);
- return True;
+
+ (*server_info)->sam_fill_level = SAM_FILL_ALL;
+ (*server_info)->sam_account = sampass;
+
+ return NT_STATUS_OK;
}
/***************************************************************************
Make (and fill) a user_info struct from a SAM_ACCOUNT
***************************************************************************/
-BOOL make_server_info_sam(auth_serversupplied_info **server_info, SAM_ACCOUNT *sampass)
+NTSTATUS make_server_info_sam(auth_serversupplied_info **server_info,
+ SAM_ACCOUNT *sampass)
{
- if (!make_server_info(server_info)) {
- return False;
+ NTSTATUS nt_status = NT_STATUS_OK;
+ const DOM_SID *user_sid = pdb_get_user_sid(sampass);
+ const DOM_SID *group_sid = pdb_get_group_sid(sampass);
+ int n_groupSIDs = 0;
+ DOM_SID *groupSIDs = NULL;
+ gid_t *unix_groups = NULL;
+ NT_USER_TOKEN *token;
+ BOOL is_guest;
+ uint32 rid;
+
+ if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info, sampass))) {
+ return nt_status;
}
+
+ if (!NT_STATUS_IS_OK(nt_status
+ = get_user_groups_from_local_sam(pdb_get_user_sid(sampass),
+ &n_groupSIDs, &groupSIDs, &unix_groups)))
+ {
+ DEBUG(4,("get_user_groups_from_local_sam failed\n"));
+ free_server_info(server_info);
+ return nt_status;
+ }
+
+ is_guest = (sid_peek_rid(user_sid, &rid) && rid == DOMAIN_USER_RID_GUEST);
- (*server_info)->sam_fill_level = SAM_FILL_ALL;
- (*server_info)->sam_account = sampass;
+ if (!NT_STATUS_IS_OK(nt_status = create_nt_user_token(user_sid, group_sid,
+ n_groupSIDs, groupSIDs, is_guest,
+ &token)))
+ {
+ DEBUG(4,("create_nt_user_token failed\n"));
+ SAFE_FREE(groupSIDs);
+ SAFE_FREE(unix_groups);
+ free_server_info(server_info);
+ return nt_status;
+ }
+
+ SAFE_FREE(groupSIDs);
+
+ (*server_info)->n_groups = n_groupSIDs;
+ (*server_info)->groups = unix_groups;
+
+ (*server_info)->ptok = token;
+
+ debug_nt_user_token(DBGC_AUTH, 5, token);
DEBUG(5,("make_server_info_sam: made server info for user %s\n",
pdb_get_username((*server_info)->sam_account)));
- return True;
+
+ return nt_status;
}
/***************************************************************************
@@ -493,75 +759,42 @@ BOOL make_server_info_sam(auth_serversupplied_info **server_info, SAM_ACCOUNT *s
to a SAM_ACCOUNT
***************************************************************************/
-BOOL make_server_info_pw(auth_serversupplied_info **server_info, const struct passwd *pwd)
+NTSTATUS make_server_info_pw(auth_serversupplied_info **server_info, const struct passwd *pwd)
{
+ NTSTATUS nt_status;
SAM_ACCOUNT *sampass = NULL;
- if (!NT_STATUS_IS_OK(pdb_init_sam_pw(&sampass, pwd))) {
- return False;
+ if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam_pw(&sampass, pwd))) {
+ return nt_status;
}
return make_server_info_sam(server_info, sampass);
}
/***************************************************************************
- Free a user_info struct
+ Make (and fill) a user_info struct for a guest login.
***************************************************************************/
-void free_user_info(auth_usersupplied_info **user_info)
+NTSTATUS make_server_info_guest(auth_serversupplied_info **server_info)
{
- DEBUG(5,("attempting to free (and zero) a user_info structure\n"));
- if (*user_info != NULL) {
- if ((*user_info)->smb_name.str) {
- DEBUG(10,("structure was created for %s\n", (*user_info)->smb_name.str));
- }
- SAFE_FREE((*user_info)->smb_name.str);
- SAFE_FREE((*user_info)->internal_username.str);
- SAFE_FREE((*user_info)->client_domain.str);
- SAFE_FREE((*user_info)->domain.str);
- SAFE_FREE((*user_info)->wksta_name.str);
- data_blob_free(&(*user_info)->lm_resp);
- data_blob_free(&(*user_info)->nt_resp);
- SAFE_FREE((*user_info)->interactive_password);
- data_blob_clear_free(&(*user_info)->plaintext_password);
- ZERO_STRUCT(**user_info);
+ NTSTATUS nt_status;
+ SAM_ACCOUNT *sampass = NULL;
+ DOM_SID guest_sid;
+
+ if (!NT_STATUS_IS_OK(nt_status = pdb_init_sam(&sampass))) {
+ return nt_status;
}
- SAFE_FREE(*user_info);
-}
-/***************************************************************************
- Clear out a server_info struct that has been allocated
-***************************************************************************/
+ sid_copy(&guest_sid, get_global_sam_sid());
+ sid_append_rid(&guest_sid, DOMAIN_USER_RID_GUEST);
-void free_server_info(auth_serversupplied_info **server_info)
-{
- if (*server_info != NULL) {
- pdb_free_sam(&(*server_info)->sam_account);
-
- /* call pam_end here, unless we know we are keeping it */
- delete_nt_token( &(*server_info)->ptok );
- ZERO_STRUCT(**server_info);
+ if (!pdb_getsampwsid(sampass, &guest_sid)) {
+ return NT_STATUS_NO_SUCH_USER;
}
- SAFE_FREE(*server_info);
-}
-/***************************************************************************
- Make a server_info struct for a guest user
-***************************************************************************/
+ nt_status = make_server_info_sam(server_info, sampass);
-BOOL make_server_info_guest(auth_serversupplied_info **server_info)
-{
- struct passwd *pass = getpwnam_alloc(lp_guestaccount());
-
- if (pass) {
- if (!make_server_info_pw(server_info, pass)) {
- passwd_free(&pass);
- return False;
- }
- (*server_info)->guest = True;
- passwd_free(&pass);
- return True;
- }
- DEBUG(0,("make_server_info_guest: getpwnam_alloc() failed on guest account!\n"));
- return False;
+ (*server_info)->guest = True;
+
+ return nt_status;
}
/***************************************************************************
@@ -589,6 +822,15 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
uid_t uid;
gid_t gid;
+ int n_lgroupSIDs;
+ DOM_SID *lgroupSIDs = NULL;
+
+ gid_t *unix_groups = NULL;
+ NT_USER_TOKEN *token;
+
+ DOM_SID *all_group_SIDs;
+ int i;
+
/*
Here is where we should check the list of
trusted domains, and verify that the SID
@@ -698,50 +940,116 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
return NT_STATUS_NO_MEMORY;
}
- if (!make_server_info_sam(server_info, sam_account)) {
- DEBUG(0, ("make_server_info_info3: make_server_info_sam failed!\n"));
+ if (!NT_STATUS_IS_OK(nt_status = make_server_info(server_info, sam_account))) {
+ DEBUG(4, ("make_server_info failed!\n"));
pdb_free_sam(&sam_account);
- return NT_STATUS_NO_MEMORY;
+ return nt_status;
}
/* Store the user group information in the server_info
returned to the caller. */
- if (info3->num_groups2 != 0) {
- int i;
- NT_USER_TOKEN *ptok;
- auth_serversupplied_info *pserver_info = *server_info;
-
- if ((pserver_info->ptok = malloc( sizeof(NT_USER_TOKEN) ) ) == NULL) {
- DEBUG(0, ("domain_client_validate: out of memory allocating rid group membership\n"));
- nt_status = NT_STATUS_NO_MEMORY;
- free_server_info(server_info);
- return nt_status;
- }
-
- ptok = pserver_info->ptok;
- ptok->num_sids = (size_t)info3->num_groups2;
-
- if ((ptok->user_sids = (DOM_SID *)malloc( sizeof(DOM_SID) * ptok->num_sids )) == NULL) {
- DEBUG(0, ("domain_client_validate: Out of memory allocating group SIDS\n"));
- nt_status = NT_STATUS_NO_MEMORY;
- free_server_info(server_info);
+ if (!NT_STATUS_IS_OK(nt_status
+ = get_user_groups_from_local_sam(&user_sid,
+ &n_lgroupSIDs,
+ &lgroupSIDs,
+ &unix_groups)))
+ {
+ DEBUG(4,("get_user_groups_from_local_sam failed\n"));
+ return nt_status;
+ }
+
+ (*server_info)->groups = unix_groups;
+ (*server_info)->n_groups = n_lgroupSIDs;
+
+ /* Create a 'combined' list of all SIDs we might want in the SD */
+ all_group_SIDs = malloc(sizeof(DOM_SID) * (n_lgroupSIDs+info3->num_groups2));
+ if (!all_group_SIDs) {
+ DEBUG(0, ("create_nt_token_info3: malloc() failed for DOM_SID list!\n"));
+ SAFE_FREE(lgroupSIDs);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* Copy the 'local' sids */
+ memcpy(all_group_SIDs, lgroupSIDs, sizeof(DOM_SID) * n_lgroupSIDs);
+ SAFE_FREE(lgroupSIDs);
+
+ /* and create (by appending rids) the 'domain' sids */
+ for (i = 0; i < info3->num_groups2; i++) {
+ sid_copy(&all_group_SIDs[i+n_lgroupSIDs+1], &(info3->dom_sid.sid));
+ if (!sid_append_rid(&all_group_SIDs[i+n_lgroupSIDs+1], info3->gids[i].g_rid)) {
+ nt_status = NT_STATUS_INVALID_PARAMETER;
+ DEBUG(3,("create_nt_token_info3: could not append additional group rid 0x%x\n",
+ info3->gids[i].g_rid));
+ SAFE_FREE(lgroupSIDs);
return nt_status;
}
-
- for (i = 0; i < ptok->num_sids; i++) {
- sid_copy(&ptok->user_sids[i], &(info3->dom_sid.sid));
- if (!sid_append_rid(&ptok->user_sids[i], info3->gids[i].g_rid)) {
- nt_status = NT_STATUS_INVALID_PARAMETER;
- free_server_info(server_info);
- return nt_status;
- }
- }
}
+
+ /* Where are the 'global' sids... */
+
+ /* can the user be guest? if yes, where is it stored? */
+ if (!NT_STATUS_IS_OK(nt_status = create_nt_user_token(&user_sid, &group_sid,
+ n_lgroupSIDs+info3->num_groups2, all_group_SIDs,
+ False, &token))) {
+ DEBUG(4,("create_nt_user_token failed\n"));
+ SAFE_FREE(all_group_SIDs);
+ return nt_status;
+ }
+
+ (*server_info)->ptok = token;
+
+ SAFE_FREE(all_group_SIDs);
+
+ debug_nt_user_token(DBGC_AUTH, 5, token);
+
return NT_STATUS_OK;
}
/***************************************************************************
+ Free a user_info struct
+***************************************************************************/
+
+void free_user_info(auth_usersupplied_info **user_info)
+{
+ DEBUG(5,("attempting to free (and zero) a user_info structure\n"));
+ if (*user_info != NULL) {
+ if ((*user_info)->smb_name.str) {
+ DEBUG(10,("structure was created for %s\n", (*user_info)->smb_name.str));
+ }
+ SAFE_FREE((*user_info)->smb_name.str);
+ SAFE_FREE((*user_info)->internal_username.str);
+ SAFE_FREE((*user_info)->client_domain.str);
+ SAFE_FREE((*user_info)->domain.str);
+ SAFE_FREE((*user_info)->wksta_name.str);
+ data_blob_free(&(*user_info)->lm_resp);
+ data_blob_free(&(*user_info)->nt_resp);
+ SAFE_FREE((*user_info)->interactive_password);
+ data_blob_clear_free(&(*user_info)->plaintext_password);
+ ZERO_STRUCT(**user_info);
+ }
+ SAFE_FREE(*user_info);
+}
+
+/***************************************************************************
+ Clear out a server_info struct that has been allocated
+***************************************************************************/
+
+void free_server_info(auth_serversupplied_info **server_info)
+{
+ DEBUG(5,("attempting to free (and zero) a server_info structure\n"));
+ if (*server_info != NULL) {
+ pdb_free_sam(&(*server_info)->sam_account);
+
+ /* call pam_end here, unless we know we are keeping it */
+ delete_nt_token( &(*server_info)->ptok );
+ SAFE_FREE((*server_info)->groups);
+ ZERO_STRUCT(**server_info);
+ }
+ SAFE_FREE(*server_info);
+}
+
+/***************************************************************************
Make an auth_methods struct
***************************************************************************/
diff --git a/source3/auth/auth_winbind.c b/source3/auth/auth_winbind.c
index 5bdccd39f3e..10788721fde 100644
--- a/source3/auth/auth_winbind.c
+++ b/source3/auth/auth_winbind.c
@@ -4,7 +4,7 @@
Winbind authentication mechnism
Copyright (C) Tim Potter 2000
- Copyright (C) Andrew Bartlett 2001
+ Copyright (C) Andrew Bartlett 2001 - 2002
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
diff --git a/source3/include/local.h b/source3/include/local.h
index 46349cfa6da..15231e92ee2 100644
--- a/source3/include/local.h
+++ b/source3/include/local.h
@@ -117,7 +117,7 @@
#endif
/* the size of the uid cache used to reduce valid user checks */
-#define UID_CACHE_SIZE 4
+#define VUID_CACHE_SIZE 32
/* the following control timings of various actions. Don't change
them unless you know what you are doing. These are all in seconds */
diff --git a/source3/include/smb.h b/source3/include/smb.h
index 263dd67c548..1ff0f1c3286 100644
--- a/source3/include/smb.h
+++ b/source3/include/smb.h
@@ -430,9 +430,9 @@ typedef struct
time_t status_time;
} dir_status_struct;
-struct uid_cache {
+struct vuid_cache {
int entries;
- uid_t list[UID_CACHE_SIZE];
+ uint16 list[VUID_CACHE_SIZE];
};
typedef struct
@@ -461,7 +461,8 @@ typedef struct connection_struct
unsigned cnum; /* an index passed over the wire */
int service;
BOOL force_user;
- struct uid_cache uid_cache;
+ BOOL force_group;
+ struct vuid_cache vuid_cache;
void *dirptr;
BOOL printer;
BOOL ipc;
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index b7be415abcd..62e10c99652 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -427,27 +427,30 @@ failed authentication on named pipe %s.\n", domain, user_name, wks, p->name ));
memcpy(p->session_key, server_info->session_key, sizeof(p->session_key));
- uid = pdb_get_uid(server_info->sam_account);
- gid = pdb_get_gid(server_info->sam_account);
-
- p->pipe_user.uid = uid;
- p->pipe_user.gid = gid;
-
- /* Set up pipe user group membership. */
- initialise_groups(p->pipe_user_name, p->pipe_user.uid, p->pipe_user.gid);
- get_current_groups(p->pipe_user.gid, &p->pipe_user.ngroups, &p->pipe_user.groups);
+ p->pipe_user.uid = pdb_get_uid(server_info->sam_account);
+ p->pipe_user.gid = pdb_get_gid(server_info->sam_account);
+
+ p->pipe_user.ngroups = server_info->n_groups;
+ if (p->pipe_user.ngroups) {
+ if (!(p->pipe_user.groups = memdup(server_info->groups, sizeof(gid_t) * p->pipe_user.ngroups))) {
+ DEBUG(0,("failed to memdup group list to p->pipe_user.groups\n"));
+ free_server_info(&server_info);
+ return False;
+ }
+ }
if (server_info->ptok)
- add_supplementary_nt_login_groups(&p->pipe_user.ngroups, &p->pipe_user.groups, &server_info->ptok);
-
- /* Create an NT_USER_TOKEN struct for this user. */
- p->pipe_user.nt_user_token = create_nt_token(p->pipe_user.uid,p->pipe_user.gid,
- p->pipe_user.ngroups, p->pipe_user.groups,
- server_info->guest, server_info->ptok);
+ p->pipe_user.nt_user_token = dup_nt_token(server_info->ptok);
+ else {
+ DEBUG(1,("Error: Authmodule failed to provide nt_user_token\n"));
+ p->pipe_user.nt_user_token = NULL;
+ free_server_info(&server_info);
+ return False;
+ }
p->ntlmssp_auth_validated = True;
- pdb_free_sam(&server_info->sam_account);
+ free_server_info(&server_info);
return True;
}
diff --git a/source3/rpc_server/srv_srvsvc_nt.c b/source3/rpc_server/srv_srvsvc_nt.c
index 5c1038949b5..69945b50b84 100644
--- a/source3/rpc_server/srv_srvsvc_nt.c
+++ b/source3/rpc_server/srv_srvsvc_nt.c
@@ -338,10 +338,10 @@ BOOL share_access_check(connection_struct *conn, int snum, user_struct *vuser, u
if (!psd)
goto out;
- if (vuser)
- token = vuser->nt_user_token;
- else
+ if (conn->nt_user_token)
token = conn->nt_user_token;
+ else
+ token = vuser->nt_user_token;
ret = se_access_check(psd, token, desired_access, &granted, &status);
diff --git a/source3/smbd/conn.c b/source3/smbd/conn.c
index d70e50f8995..22407348e82 100644
--- a/source3/smbd/conn.c
+++ b/source3/smbd/conn.c
@@ -131,7 +131,7 @@ void conn_close_all(void)
connection_struct *conn, *next;
for (conn=Connections;conn;conn=next) {
next=conn->next;
- close_cnum(conn, (uint16)-1);
+ close_cnum(conn, conn->vuid);
}
}
@@ -158,6 +158,27 @@ BOOL conn_idle_all(time_t t, int deadtime)
}
/****************************************************************************
+clear a vuid out of the validity cache, and as the 'owner' of a connection.
+****************************************************************************/
+void conn_clear_vuid_cache(uint16 vuid)
+{
+ connection_struct *conn;
+ int i;
+
+ for (conn=Connections;conn;conn=conn->next) {
+ if (conn->vuid == vuid) {
+ conn->vuid = UID_FIELD_INVALID;
+ }
+
+ for (i=0;i<conn->vuid_cache.entries && i< VUID_CACHE_SIZE;i++) {
+ if (conn->vuid_cache.list[i] == vuid) {
+ conn->vuid_cache.list[i] = UID_FIELD_INVALID;
+ }
+ }
+ }
+}
+
+/****************************************************************************
Free a conn structure.
****************************************************************************/
@@ -191,7 +212,6 @@ void conn_free(connection_struct *conn)
conn->ngroups = 0;
}
- delete_nt_token(&conn->nt_user_token);
free_namearray(conn->veto_list);
free_namearray(conn->hide_list);
free_namearray(conn->veto_oplock_list);
diff --git a/source3/smbd/password.c b/source3/smbd/password.c
index cfac7cf695f..f3a09e8c643 100644
--- a/source3/smbd/password.c
+++ b/source3/smbd/password.c
@@ -69,6 +69,10 @@ void invalidate_vuid(uint16 vuid)
DLIST_REMOVE(validated_users, vuser);
+ /* clear the vuid from the 'cache' on each connection, and
+ from the vuid 'owner' of connections */
+ conn_clear_vuid_cache(vuid);
+
SAFE_FREE(vuser->groups);
delete_nt_token(&vuser->nt_user_token);
SAFE_FREE(vuser);
@@ -90,95 +94,6 @@ void invalidate_all_vuids(void)
}
/****************************************************************************
- Create the SID list for this user.
-****************************************************************************/
-
-NT_USER_TOKEN *create_nt_token(uid_t uid, gid_t gid, int ngroups, gid_t *groups, BOOL is_guest, NT_USER_TOKEN *sup_tok)
-{
- extern DOM_SID global_sid_World;
- extern DOM_SID global_sid_Network;
- extern DOM_SID global_sid_Builtin_Guests;
- extern DOM_SID global_sid_Authenticated_Users;
- NT_USER_TOKEN *token;
- DOM_SID *psids;
- int i, psid_ndx = 0;
- size_t num_sids = 0;
- fstring sid_str;
-
- if ((token = (NT_USER_TOKEN *)malloc( sizeof(NT_USER_TOKEN) ) ) == NULL)
- return NULL;
-
- ZERO_STRUCTP(token);
-
- /* We always have uid/gid plus World and Network and Authenticated Users or Guest SIDs. */
- num_sids = 5 + ngroups;
-
- if (sup_tok && sup_tok->num_sids)
- num_sids += sup_tok->num_sids;
-
- if ((token->user_sids = (DOM_SID *)malloc( num_sids*sizeof(DOM_SID))) == NULL) {
- SAFE_FREE(token);
- return NULL;
- }
-
- psids = token->user_sids;
-
- /*
- * Note - user SID *MUST* be first in token !
- * se_access_check depends on this.
- */
-
- uid_to_sid( &psids[PRIMARY_USER_SID_INDEX], uid);
- psid_ndx++;
-
- /*
- * Primary group SID is second in token. Convention.
- */
-
- gid_to_sid( &psids[PRIMARY_GROUP_SID_INDEX], gid);
- psid_ndx++;
-
- /* Now add the group SIDs. */
-
- for (i = 0; i < ngroups; i++) {
- if (groups[i] != gid) {
- gid_to_sid( &psids[psid_ndx++], groups[i]);
- }
- }
-
- if (sup_tok) {
- /* Now add the additional SIDs from the supplimentary token. */
- for (i = 0; i < sup_tok->num_sids; i++)
- sid_copy( &psids[psid_ndx++], &sup_tok->user_sids[i] );
- }
-
- /*
- * Finally add the "standard" SIDs.
- * The only difference between guest and "anonymous" (which we
- * don't really support) is the addition of Authenticated_Users.
- */
-
- sid_copy( &psids[psid_ndx++], &global_sid_World);
- sid_copy( &psids[psid_ndx++], &global_sid_Network);
-
- if (is_guest)
- sid_copy( &psids[psid_ndx++], &global_sid_Builtin_Guests);
- else
- sid_copy( &psids[psid_ndx++], &global_sid_Authenticated_Users);
-
- token->num_sids = psid_ndx;
-
- /* Dump list of sids in token */
-
- for (i = 0; i < token->num_sids; i++) {
- DEBUG(5, ("user token sid %s\n",
- sid_to_string(sid_str, &token->user_sids[i])));
- }
-
- return token;
-}
-
-/****************************************************************************
register a uid/name pair as being valid and that a valid password
has been given. vuid is biased by an offset. This allows us to
tell random client vuid's (normally zero) from valid vuids.
@@ -187,8 +102,6 @@ tell random client vuid's (normally zero) from valid vuids.
int register_vuid(auth_serversupplied_info *server_info, const char *smb_name)
{
user_struct *vuser = NULL;
- uid_t uid;
- gid_t gid;
/* Ensure no vuid gets registered in share level security. */
if(lp_security() == SEC_SHARE)
@@ -205,15 +118,6 @@ int register_vuid(auth_serversupplied_info *server_info, const char *smb_name)
ZERO_STRUCTP(vuser);
- if (!IS_SAM_UNIX_USER(server_info->sam_account)) {
- DEBUG(0,("Attempted session setup with invalid user. No uid/gid in SAM_ACCOUNT (flags:%x)\n", pdb_get_init_flag(server_info->sam_account)));
- free(vuser);
- return UID_FIELD_INVALID;
- }
-
- uid = pdb_get_uid(server_info->sam_account);
- gid = pdb_get_gid(server_info->sam_account);
-
/* Allocate a free vuid. Yes this is a linear search... :-) */
while( get_valid_user_struct(next_vuid) != NULL ) {
next_vuid++;
@@ -225,18 +129,38 @@ int register_vuid(auth_serversupplied_info *server_info, const char *smb_name)
DEBUG(10,("register_vuid: allocated vuid = %u\n", (unsigned int)next_vuid ));
vuser->vuid = next_vuid;
- vuser->uid = uid;
- vuser->gid = gid;
+
+ /* the next functions should be done by a SID mapping system (SMS) as
+ * the new real sam db won't have reference to unix uids or gids
+ */
+ if (!IS_SAM_UNIX_USER(server_info->sam_account)) {
+ DEBUG(0,("Attempted session setup with invalid user. No uid/gid in SAM_ACCOUNT (flags:%x)\n", pdb_get_init_flag(server_info->sam_account)));
+ free(vuser);
+ return UID_FIELD_INVALID;
+ }
+
+ vuser->uid = pdb_get_uid(server_info->sam_account);
+ vuser->gid = pdb_get_gid(server_info->sam_account);
+
+ vuser->n_groups = server_info->n_groups;
+ if (vuser->n_groups) {
+ if (!(vuser->groups = memdup(server_info->groups, sizeof(gid_t) * vuser->n_groups))) {
+ DEBUG(0,("register_vuid: failed to memdup vuser->groups\n"));
+ free(vuser);
+ return UID_FIELD_INVALID;
+ }
+ }
+
vuser->guest = server_info->guest;
- fstrcpy(vuser->user.unix_name, pdb_get_username(server_info->sam_account));
- fstrcpy(vuser->user.smb_name, smb_name);
+ fstrcpy(vuser->user.unix_name, pdb_get_username(server_info->sam_account));
+ fstrcpy(vuser->user.smb_name, smb_name);
fstrcpy(vuser->user.domain, pdb_get_domain(server_info->sam_account));
fstrcpy(vuser->user.full_name, pdb_get_fullname(server_info->sam_account));
{
/* Keep the homedir handy */
const char *homedir = pdb_get_homedir(server_info->sam_account);
- const char *unix_homedir = pdb_get_unix_homedir(server_info->sam_account);
+ const char *unix_homedir = pdb_get_unix_homedir(server_info->sam_account); /* should be optained by SMS */
const char *logon_script = pdb_get_logon_script(server_info->sam_account);
if (homedir) {
vuser->homedir = smb_xstrdup(homedir);
@@ -260,19 +184,13 @@ int register_vuid(auth_serversupplied_info *server_info, const char *smb_name)
DEBUG(3, ("User name: %s\tReal name: %s\n",vuser->user.unix_name,vuser->user.full_name));
- vuser->n_groups = 0;
- vuser->groups = NULL;
-
- /* Find all the groups this uid is in and store them.
- Used by change_to_user() */
- initialise_groups(vuser->user.unix_name, vuser->uid, vuser->gid);
- get_current_groups(vuser->gid, &vuser->n_groups, &vuser->groups);
-
- if (server_info->ptok)
- add_supplementary_nt_login_groups(&vuser->n_groups, &vuser->groups, &server_info->ptok);
-
- /* Create an NT_USER_TOKEN struct for this user. */
- vuser->nt_user_token = create_nt_token(vuser->uid, vuser->gid, vuser->n_groups, vuser->groups, vuser->guest, server_info->ptok);
+ if (server_info->ptok) {
+ vuser->nt_user_token = dup_nt_token(server_info->ptok);
+ } else {
+ DEBUG(1, ("server_info does not contain a user_token - cannot continue\n"));
+ free(vuser);
+ return UID_FIELD_INVALID;
+ }
DEBUG(3,("UNIX uid %d is UNIX user %s, and will be vuid %u\n",(int)vuser->uid,vuser->user.unix_name, vuser->vuid));
@@ -451,7 +369,7 @@ static char *validate_group(char *group, DATA_BLOB password,int snum)
Note this is *NOT* used when logging on using sessionsetup_and_X.
****************************************************************************/
-BOOL authorise_login(int snum,char *user, DATA_BLOB password,
+BOOL authorise_login(int snum, fstring user, DATA_BLOB password,
BOOL *guest)
{
BOOL ok = False;
diff --git a/source3/smbd/service.c b/source3/smbd/service.c
index 6f83a2d3b75..7c38cf57934 100644
--- a/source3/smbd/service.c
+++ b/source3/smbd/service.c
@@ -305,6 +305,7 @@ static void set_admin_user(connection_struct *conn)
#endif
) {
conn->admin_user = True;
+ conn->force_user = True; /* Admin users are effectivly 'forced' */
DEBUG(0,("%s logged in as admin user (root privileges)\n",conn->user));
} else {
conn->admin_user = False;
@@ -329,7 +330,6 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser,
{
struct passwd *pass = NULL;
BOOL guest = False;
- BOOL force = False;
connection_struct *conn;
struct stat st;
fstring user;
@@ -349,7 +349,6 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser,
if (lp_guest_only(snum)) {
const char *guestname = lp_guestaccount();
guest = True;
- force = True;
pass = getpwnam_alloc(guestname);
if (!pass) {
DEBUG(0,("authorise_login: Invalid guest account %s??\n",guestname));
@@ -397,7 +396,7 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser,
return NULL;
}
pass = Get_Pwnam(user);
- conn->force_user = force;
+ conn->force_user = True;
conn->uid = pass->pw_uid;
conn->gid = pass->pw_gid;
string_set(&conn->user, pass->pw_name);
@@ -434,7 +433,7 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser,
/*
* If force user is true, then store the
- * given userid and also the primary groupid
+ * given userid and also the groups
* of the user we're forcing.
*/
@@ -492,6 +491,7 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser,
gid = nametogid(gname);
if (gid != (gid_t)-1) {
+
/*
* If the user has been forced and the forced group starts
* with a '+', then we only set the group to be the forced
@@ -507,6 +507,7 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser,
conn->gid = gid;
DEBUG(3,("Forced group %s\n",gname));
}
+ conn->force_group = True;
} else {
DEBUG(1,("Couldn't find group %s\n",gname));
conn_free(conn);
@@ -524,23 +525,27 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser,
DEBUG(3,("Connect path is '%s' for service [%s]\n",s, lp_servicename(snum)));
}
- /* groups stuff added by ih */
- conn->ngroups = 0;
- conn->groups = NULL;
-
- /* Find all the groups this uid is in and
- store them. Used by change_to_user() */
- initialise_groups(conn->user, conn->uid, conn->gid);
- get_current_groups(conn->gid, &conn->ngroups,&conn->groups);
+ if (conn->force_user || conn->force_group) {
+
+ /* groups stuff added by ih */
+ conn->ngroups = 0;
+ conn->groups = NULL;
+
+ /* Find all the groups this uid is in and
+ store them. Used by change_to_user() */
+ initialise_groups(conn->user, conn->uid, conn->gid);
+ get_current_groups(conn->gid, &conn->ngroups,&conn->groups);
- conn->nt_user_token = create_nt_token(conn->uid, conn->gid,
- conn->ngroups, conn->groups,
- guest, NULL);
+ conn->nt_user_token = create_nt_token(conn->uid, conn->gid,
+ conn->ngroups, conn->groups,
+ guest);
+ }
/*
* New code to check if there's a share security descripter
* added from NT server manager. This is done after the
* smb.conf checks are done as we need a uid and token. JRA.
+ *
*/
{
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 77f93812dd5..a49982dcfe8 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
@@ -177,9 +177,9 @@ static int reply_spnego_kerberos(connection_struct *conn,
return ERROR_NT(NT_STATUS_NO_SUCH_USER);
}
- if (!make_server_info_pw(&server_info,pw)) {
+ if (!NT_STATUS_IS_OK(ret = make_server_info_pw(&server_info,pw))) {
DEBUG(1,("make_server_info_from_pw failed!\n"));
- return ERROR_NT(NT_STATUS_NO_MEMORY);
+ return ERROR_NT(ret);
}
sess_vuid = register_vuid(server_info, user);
diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c
index c0bacf8f910..6f91065cebc 100644
--- a/source3/smbd/uid.c
+++ b/source3/smbd/uid.c
@@ -59,18 +59,26 @@ BOOL change_to_guest(void)
static BOOL check_user_ok(connection_struct *conn, user_struct *vuser,int snum)
{
int i;
- for (i=0;i<conn->uid_cache.entries;i++)
- if (conn->uid_cache.list[i] == vuser->uid)
+ for (i=0;i<conn->vuid_cache.entries && i< VUID_CACHE_SIZE;i++)
+ if (conn->vuid_cache.list[i] == vuser->vuid)
return(True);
+ if ((conn->force_user || conn->force_group)
+ && (conn->vuid != vuser->vuid)) {
+ return False;
+ }
+
if (!user_ok(vuser->user.unix_name,snum))
return(False);
- i = conn->uid_cache.entries % UID_CACHE_SIZE;
- conn->uid_cache.list[i] = vuser->uid;
+ if (!share_access_check(conn, snum, vuser, conn->read_only ? FILE_READ_DATA : FILE_WRITE_DATA)) {
+ return False;
+ }
+
+ i = conn->vuid_cache.entries % VUID_CACHE_SIZE;
+ conn->vuid_cache.list[i] = vuser->vuid;
- if (conn->uid_cache.entries < UID_CACHE_SIZE)
- conn->uid_cache.entries++;
+ conn->vuid_cache.entries++;
return(True);
}
@@ -115,27 +123,21 @@ BOOL change_to_user(connection_struct *conn, uint16 vuid)
snum = SNUM(conn);
- if((vuser != NULL) && !check_user_ok(conn, vuser, snum))
- return False;
-
- if (conn->force_user ||
- conn->admin_user ||
- (lp_security() == SEC_SHARE)) {
+ if (conn->force_user) /* security = share sets this too */ {
uid = conn->uid;
gid = conn->gid;
current_user.groups = conn->groups;
current_user.ngroups = conn->ngroups;
token = conn->nt_user_token;
- } else {
- if (!vuser) {
- DEBUG(2,("change_to_user: Invalid vuid used %d\n",vuid));
- return(False);
- }
+ } else if ((vuser) && check_user_ok(conn, vuser, snum)) {
uid = vuser->uid;
gid = vuser->gid;
current_user.ngroups = vuser->n_groups;
current_user.groups = vuser->groups;
token = vuser->nt_user_token;
+ } else {
+ DEBUG(2,("change_to_user: Invalid vuid used %d or vuid not permitted access to share.\n",vuid));
+ return False;
}
/*
@@ -175,7 +177,7 @@ BOOL change_to_user(connection_struct *conn, uint16 vuid)
if (vuser && vuser->guest)
is_guest = True;
- token = create_nt_token(uid, gid, current_user.ngroups, current_user.groups, is_guest, NULL);
+ token = create_nt_token(uid, gid, current_user.ngroups, current_user.groups, is_guest);
must_free_token = True;
}