diff options
-rw-r--r-- | source3/auth/auth_compat.c | 7 | ||||
-rw-r--r-- | source3/auth/auth_util.c | 7 | ||||
-rw-r--r-- | source3/include/proto.h | 39 | ||||
-rw-r--r-- | source3/rpc_server/srv_samr_nt.c | 10 | ||||
-rw-r--r-- | source3/smbd/globals.c | 12 | ||||
-rw-r--r-- | source3/smbd/globals.h | 27 | ||||
-rw-r--r-- | source3/smbd/lanman.c | 13 | ||||
-rw-r--r-- | source3/smbd/map_username.c | 4 | ||||
-rw-r--r-- | source3/smbd/password.c | 191 | ||||
-rw-r--r-- | source3/smbd/process.c | 13 | ||||
-rw-r--r-- | source3/smbd/reply.c | 12 | ||||
-rw-r--r-- | source3/smbd/server.c | 4 | ||||
-rw-r--r-- | source3/smbd/service.c | 42 | ||||
-rw-r--r-- | source3/smbd/sesssetup.c | 57 | ||||
-rw-r--r-- | source3/smbd/share_access.c | 4 | ||||
-rw-r--r-- | source3/smbd/uid.c | 3 |
16 files changed, 261 insertions, 184 deletions
diff --git a/source3/auth/auth_compat.c b/source3/auth/auth_compat.c index d8087e65887..77a994828f4 100644 --- a/source3/auth/auth_compat.c +++ b/source3/auth/auth_compat.c @@ -97,6 +97,7 @@ return True if the password is correct, False otherwise ****************************************************************************/ bool password_ok(struct auth_context *actx, bool global_encrypted, + const char *session_workgroup, const char *smb_name, DATA_BLOB password_blob) { @@ -109,11 +110,11 @@ bool password_ok(struct auth_context *actx, bool global_encrypted, * but fall-through as required. * Vista sends NTLMv2 here - we need to try the client given workgroup. */ - if (get_session_workgroup()) { - if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, get_session_workgroup(), null_password, password_blob, null_password, encrypted))) { + if (session_workgroup) { + if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, session_workgroup, null_password, password_blob, null_password, encrypted))) { return True; } - if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, get_session_workgroup(), password_blob, null_password, null_password, encrypted))) { + if (NT_STATUS_IS_OK(pass_check_smb(actx, smb_name, session_workgroup, password_blob, null_password, null_password, encrypted))) { return True; } } diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 9d29987c0dc..d53da7867c7 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -22,6 +22,7 @@ */ #include "includes.h" +#include "smbd/globals.h" #include "../libcli/auth/libcli_auth.h" #undef DBGC_CLASS @@ -198,12 +199,13 @@ NTSTATUS make_user_info_map(auth_usersupplied_info **user_info, DATA_BLOB *plaintext, bool encrypted) { + struct smbd_server_connection *sconn = smbd_server_conn; const char *domain; NTSTATUS result; bool was_mapped; fstring internal_username; fstrcpy(internal_username, smb_name); - was_mapped = map_username(internal_username); + was_mapped = map_username(sconn, internal_username); DEBUG(5, ("Mapping user [%s]\\[%s] from workstation [%s]\n", client_domain, smb_name, wksta_name)); @@ -1487,6 +1489,7 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, struct samu *account, bool *username_was_mapped) { + struct smbd_server_connection *sconn = smbd_server_conn; NTSTATUS nt_status; fstring dom_user, lower_username; fstring real_username; @@ -1500,7 +1503,7 @@ static NTSTATUS fill_sam_account(TALLOC_CTX *mem_ctx, /* Get the passwd struct. Try to create the account is necessary. */ - *username_was_mapped = map_username( dom_user ); + *username_was_mapped = map_username(sconn, dom_user); if ( !(passwd = smb_getpwnam( NULL, dom_user, real_username, True )) ) return NT_STATUS_NO_SUCH_USER; diff --git a/source3/include/proto.h b/source3/include/proto.h index 8726e979271..22659339a98 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -40,6 +40,7 @@ NTSTATUS auth_builtin_init(void); NTSTATUS check_plaintext_password(const char *smb_name, DATA_BLOB plaintext_password, auth_serversupplied_info **server_info); bool password_ok(struct auth_context *actx, bool global_encrypted, + const char *session_workgroup, const char *smb_name, DATA_BLOB password_blob); /* The following definitions come from auth/auth_domain.c */ @@ -6427,7 +6428,7 @@ const struct mangle_fns *posix_mangle_init(void); /* The following definitions come from smbd/map_username.c */ -bool map_username(fstring user); +bool map_username(struct smbd_server_connection *sconn, fstring user); /* The following definitions come from smbd/message.c */ @@ -6672,22 +6673,29 @@ struct kernel_oplocks *onefs_init_kernel_oplocks(TALLOC_CTX *mem_ctx); /* The following definitions come from smbd/password.c */ -user_struct *get_valid_user_struct(uint16 vuid); -bool is_partial_auth_vuid(uint16 vuid); -user_struct *get_partial_auth_user_struct(uint16 vuid); -void invalidate_vuid(uint16 vuid); -void invalidate_all_vuids(void); -int register_initial_vuid(void); -int register_existing_vuid(uint16 vuid, +user_struct *get_valid_user_struct(struct smbd_server_connection *sconn, + uint16 vuid); +bool is_partial_auth_vuid(struct smbd_server_connection *sconn, uint16 vuid); +user_struct *get_partial_auth_user_struct(struct smbd_server_connection *sconn, + uint16 vuid); +void invalidate_vuid(struct smbd_server_connection *sconn, uint16 vuid); +void invalidate_all_vuids(struct smbd_server_connection *sconn); +int register_initial_vuid(struct smbd_server_connection *sconn); +int register_existing_vuid(struct smbd_server_connection *sconn, + uint16 vuid, auth_serversupplied_info *server_info, DATA_BLOB response_blob, const char *smb_name); -void add_session_user(const char *user); -void add_session_workgroup(const char *workgroup); -const char *get_session_workgroup(void); -bool user_in_netgroup(const char *user, const char *ngname); -bool user_in_list(const char *user,const char **list); -bool authorise_login(int snum, fstring user, DATA_BLOB password, +void add_session_user(struct smbd_server_connection *sconn, const char *user); +void add_session_workgroup(struct smbd_server_connection *sconn, + const char *workgroup); +const char *get_session_workgroup(struct smbd_server_connection *sconn); +bool user_in_netgroup(struct smbd_server_connection *sconn, + const char *user, const char *ngname); +bool user_in_list(struct smbd_server_connection *sconn, + const char *user,const char **list); +bool authorise_login(struct smbd_server_connection *sconn, + int snum, fstring user, DATA_BLOB password, bool *guest); /* The following definitions come from smbd/pipes.c */ @@ -6949,7 +6957,8 @@ bool set_current_service(connection_struct *conn, uint16 flags, bool do_chdir); void load_registry_shares(void); int add_home_service(const char *service, const char *username, const char *homedir); int find_service(fstring service); -connection_struct *make_connection(const char *service_in, DATA_BLOB password, +connection_struct *make_connection(struct smbd_server_connection *sconn, + const char *service_in, DATA_BLOB password, const char *pdev, uint16 vuid, NTSTATUS *status); void close_cnum(connection_struct *conn, uint16 vuid); diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 26bc44c6ff3..b5b5f5e5292 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -32,6 +32,7 @@ */ #include "includes.h" +#include "smbd/globals.h" #include "../libcli/auth/libcli_auth.h" #undef DBGC_CLASS @@ -1920,6 +1921,7 @@ NTSTATUS _samr_ChangePasswordUser(pipes_struct *p, NTSTATUS _samr_ChangePasswordUser2(pipes_struct *p, struct samr_ChangePasswordUser2 *r) { + struct smbd_server_connection *sconn = smbd_server_conn; NTSTATUS status; fstring user_name; fstring wks; @@ -1936,7 +1938,7 @@ NTSTATUS _samr_ChangePasswordUser2(pipes_struct *p, * function. */ - (void)map_username(user_name); + (void)map_username(sconn, user_name); /* * UNIX username case mangling not required, pass_oem_change @@ -1966,6 +1968,7 @@ NTSTATUS _samr_ChangePasswordUser2(pipes_struct *p, NTSTATUS _samr_OemChangePasswordUser2(pipes_struct *p, struct samr_OemChangePasswordUser2 *r) { + struct smbd_server_connection *sconn = smbd_server_conn; NTSTATUS status; fstring user_name; const char *wks = NULL; @@ -1984,7 +1987,7 @@ NTSTATUS _samr_OemChangePasswordUser2(pipes_struct *p, * function. */ - (void)map_username(user_name); + (void)map_username(sconn, user_name); /* * UNIX username case mangling not required, pass_oem_change @@ -2018,6 +2021,7 @@ NTSTATUS _samr_OemChangePasswordUser2(pipes_struct *p, NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p, struct samr_ChangePasswordUser3 *r) { + struct smbd_server_connection *sconn = smbd_server_conn; NTSTATUS status; fstring user_name; const char *wks = NULL; @@ -2040,7 +2044,7 @@ NTSTATUS _samr_ChangePasswordUser3(pipes_struct *p, * function. */ - (void)map_username(user_name); + (void)map_username(sconn, user_name); /* * UNIX username case mangling not required, pass_oem_change diff --git a/source3/smbd/globals.c b/source3/smbd/globals.c index 352fe3571aa..4796823e306 100644 --- a/source3/smbd/globals.c +++ b/source3/smbd/globals.c @@ -95,18 +95,6 @@ struct msg_state *smbd_msg_state = NULL; bool logged_ioctl_message = false; -/* users from session setup */ -char *session_userlist = NULL; -/* workgroup from session setup. */ -char *session_workgroup = NULL; -/* this holds info on user ids that are already validated for this VC */ -user_struct *validated_users = NULL; -uint16_t next_vuid = VUID_OFFSET; -int num_validated_vuids = 0; -#ifdef HAVE_NETGROUP -char *my_yp_domain = NULL; -#endif - int trans_num = 0; pid_t mypid = 0; time_t last_smb_conf_reload_time = 0; diff --git a/source3/smbd/globals.h b/source3/smbd/globals.h index c538ecf64f8..8ddf17c5953 100644 --- a/source3/smbd/globals.h +++ b/source3/smbd/globals.h @@ -93,18 +93,6 @@ extern struct msg_state *smbd_msg_state; extern bool logged_ioctl_message; -/* users from session setup */ -extern char *session_userlist; -/* workgroup from session setup. */ -extern char *session_workgroup; -/* this holds info on user ids that are already validated for this VC */ -extern user_struct *validated_users; -extern uint16_t next_vuid; -extern int num_validated_vuids; -#ifdef HAVE_NETGROUP -extern char *my_yp_domain; -#endif - extern int trans_num; extern pid_t mypid; @@ -334,6 +322,21 @@ struct smbd_server_connection { */ int max_send; uint16_t last_session_tag; + + /* users from session setup */ + char *session_userlist; + /* workgroup from session setup. */ + char *session_workgroup; + /* + * this holds info on user ids that are already + * validated for this VC + */ + user_struct *validated_users; + uint16_t next_vuid; + int num_validated_vuids; +#ifdef HAVE_NETGROUP + char *my_yp_domain; +#endif } sessions; struct smb_signing_state *signing_state; /* List to store partial SPNEGO auth fragments. */ diff --git a/source3/smbd/lanman.c b/source3/smbd/lanman.c index 1672c518ac2..88ac096c82b 100644 --- a/source3/smbd/lanman.c +++ b/source3/smbd/lanman.c @@ -26,6 +26,7 @@ */ #include "includes.h" +#include "smbd/globals.h" #ifdef CHECK_TYPES #undef CHECK_TYPES @@ -2673,6 +2674,7 @@ static bool api_SamOEMChangePassword(connection_struct *conn,uint16 vuid, char **rdata,char **rparam, int *rdata_len,int *rparam_len) { + struct smbd_server_connection *sconn = smbd_server_conn; fstring user; char *p = get_safe_str_ptr(param,tpscnt,param,2); *rparam_len = 2; @@ -2730,7 +2732,7 @@ static bool api_SamOEMChangePassword(connection_struct *conn,uint16 vuid, * function. */ - (void)map_username(user); + (void)map_username(sconn, user); if (NT_STATUS_IS_OK(pass_oem_change(user, (uchar*) data, (uchar *)&data[516], NULL, NULL, NULL))) { SSVAL(*rparam,0,NERR_Success); @@ -3452,6 +3454,7 @@ static bool api_RNetUserGetInfo(connection_struct *conn, uint16 vuid, char **rdata,char **rparam, int *rdata_len,int *rparam_len) { + struct smbd_server_connection *sconn = smbd_server_conn; char *str1 = get_safe_str_ptr(param,tpscnt,param,2); char *str2 = skip_string(param,tpscnt,str1); char *UserName = skip_string(param,tpscnt,str2); @@ -3464,7 +3467,7 @@ static bool api_RNetUserGetInfo(connection_struct *conn, uint16 vuid, /* get NIS home of a previously validated user - simeon */ /* With share level security vuid will always be zero. Don't depend on vuser being non-null !!. JRA */ - user_struct *vuser = get_valid_user_struct(vuid); + user_struct *vuser = get_valid_user_struct(sconn, vuid); if(vuser != NULL) { DEBUG(3,(" Username of UID %d is %s\n", (int)vuser->server_info->utok.uid, @@ -3707,6 +3710,7 @@ static bool api_WWkstaUserLogon(connection_struct *conn,uint16 vuid, char **rdata,char **rparam, int *rdata_len,int *rparam_len) { + struct smbd_server_connection *sconn = smbd_server_conn; char *str1 = get_safe_str_ptr(param,tpscnt,param,2); char *str2 = skip_string(param,tpscnt,str1); char *p = skip_string(param,tpscnt,str2); @@ -3715,7 +3719,7 @@ static bool api_WWkstaUserLogon(connection_struct *conn,uint16 vuid, char* name; /* With share level security vuid will always be zero. Don't depend on vuser being non-null !!. JRA */ - user_struct *vuser = get_valid_user_struct(vuid); + user_struct *vuser = get_valid_user_struct(sconn, vuid); if (!str1 || !str2 || !p) { return False; @@ -4654,6 +4658,7 @@ void api_reply(connection_struct *conn, uint16 vuid, int tdscnt, int tpscnt, int mdrcnt, int mprcnt) { + struct smbd_server_connection *sconn = smbd_server_conn; int api_command; char *rdata = NULL; char *rparam = NULL; @@ -4702,7 +4707,7 @@ void api_reply(connection_struct *conn, uint16 vuid, /* Check whether this api call can be done anonymously */ if (api_commands[i].auth_user && lp_restrict_anonymous()) { - user_struct *user = get_valid_user_struct(vuid); + user_struct *user = get_valid_user_struct(sconn, vuid); if (!user || user->server_info->guest) { reply_nterror(req, NT_STATUS_ACCESS_DENIED); diff --git a/source3/smbd/map_username.c b/source3/smbd/map_username.c index fde2a3c4d3a..24b4ddd2718 100644 --- a/source3/smbd/map_username.c +++ b/source3/smbd/map_username.c @@ -68,7 +68,7 @@ static bool set_last_from_to(const char *from, const char *to) return true; } -bool map_username(fstring user) +bool map_username(struct smbd_server_connection *sconn, fstring user) { XFILE *f; char *mapfile = lp_username_map(); @@ -184,7 +184,7 @@ bool map_username(fstring user) } if (strchr_m(dosname,'*') || - user_in_list(user, (const char **)dosuserlist)) { + user_in_list(sconn, user, (const char **)dosuserlist)) { DEBUG(3,("Mapped user %s to %s\n",user,unixname)); mapped_user = True; diff --git a/source3/smbd/password.c b/source3/smbd/password.c index 460cba35a0f..abe348e02b4 100644 --- a/source3/smbd/password.c +++ b/source3/smbd/password.c @@ -25,7 +25,9 @@ enum server_allocated_state { SERVER_ALLOCATED_REQUIRED_YES, SERVER_ALLOCATED_REQUIRED_NO, SERVER_ALLOCATED_REQUIRED_ANY}; -static user_struct *get_valid_user_struct_internal(uint16 vuid, +static user_struct *get_valid_user_struct_internal( + struct smbd_server_connection *sconn, + uint16 vuid, enum server_allocated_state server_allocated) { user_struct *usp; @@ -34,7 +36,8 @@ static user_struct *get_valid_user_struct_internal(uint16 vuid, if (vuid == UID_FIELD_INVALID) return NULL; - for (usp=validated_users;usp;usp=usp->next,count++) { + usp=sconn->smb1.sessions.validated_users; + for (;usp;usp=usp->next,count++) { if (vuid == usp->vuid) { switch (server_allocated) { case SERVER_ALLOCATED_REQUIRED_YES: @@ -50,7 +53,8 @@ static user_struct *get_valid_user_struct_internal(uint16 vuid, break; } if (count > 10) { - DLIST_PROMOTE(validated_users, usp); + DLIST_PROMOTE(sconn->smb1.sessions.validated_users, + usp); } return usp; } @@ -65,24 +69,26 @@ static user_struct *get_valid_user_struct_internal(uint16 vuid, tell random client vuid's (normally zero) from valid vuids. ****************************************************************************/ -user_struct *get_valid_user_struct(uint16 vuid) +user_struct *get_valid_user_struct(struct smbd_server_connection *sconn, + uint16 vuid) { - return get_valid_user_struct_internal(vuid, + return get_valid_user_struct_internal(sconn, vuid, SERVER_ALLOCATED_REQUIRED_YES); } -bool is_partial_auth_vuid(uint16 vuid) +bool is_partial_auth_vuid(struct smbd_server_connection *sconn, uint16 vuid) { - return (get_partial_auth_user_struct(vuid) != NULL); + return (get_partial_auth_user_struct(sconn, vuid) != NULL); } /**************************************************************************** Get the user struct of a partial NTLMSSP login ****************************************************************************/ -user_struct *get_partial_auth_user_struct(uint16 vuid) +user_struct *get_partial_auth_user_struct(struct smbd_server_connection *sconn, + uint16 vuid) { - return get_valid_user_struct_internal(vuid, + return get_valid_user_struct_internal(sconn, vuid, SERVER_ALLOCATED_REQUIRED_NO); } @@ -90,11 +96,11 @@ user_struct *get_partial_auth_user_struct(uint16 vuid) Invalidate a uid. ****************************************************************************/ -void invalidate_vuid(uint16 vuid) +void invalidate_vuid(struct smbd_server_connection *sconn, uint16 vuid) { user_struct *vuser = NULL; - vuser = get_valid_user_struct_internal(vuid, + vuser = get_valid_user_struct_internal(sconn, vuid, SERVER_ALLOCATED_REQUIRED_ANY); if (vuser == NULL) { return; @@ -106,24 +112,25 @@ void invalidate_vuid(uint16 vuid) auth_ntlmssp_end(&vuser->auth_ntlmssp_state); } - DLIST_REMOVE(validated_users, vuser); + DLIST_REMOVE(sconn->smb1.sessions.validated_users, vuser); /* clear the vuid from the 'cache' on each connection, and from the vuid 'owner' of connections */ conn_clear_vuid_caches(vuid); TALLOC_FREE(vuser); - num_validated_vuids--; + sconn->smb1.sessions.num_validated_vuids--; } /**************************************************************************** Invalidate all vuid entries for this process. ****************************************************************************/ -void invalidate_all_vuids(void) +void invalidate_all_vuids(struct smbd_server_connection *sconn) { - while (validated_users != NULL) { - invalidate_vuid(validated_users->vuid); + while (sconn->smb1.sessions.validated_users != NULL) { + invalidate_vuid(sconn, + sconn->smb1.sessions.validated_users->vuid); } } @@ -141,7 +148,7 @@ static void increment_next_vuid(uint16_t *vuid) Create a new partial auth user struct. *****************************************************/ -int register_initial_vuid(void) +int register_initial_vuid(struct smbd_server_connection *sconn) { user_struct *vuser; @@ -152,7 +159,7 @@ int register_initial_vuid(void) } /* Limit allowed vuids to 16bits - VUID_OFFSET. */ - if (num_validated_vuids >= 0xFFFF-VUID_OFFSET) { + if (sconn->smb1.sessions.num_validated_vuids >= 0xFFFF-VUID_OFFSET) { return UID_FIELD_INVALID; } @@ -163,25 +170,26 @@ int register_initial_vuid(void) } /* Allocate a free vuid. Yes this is a linear search... */ - while( get_valid_user_struct_internal(next_vuid, + while( get_valid_user_struct_internal(sconn, + sconn->smb1.sessions.next_vuid, SERVER_ALLOCATED_REQUIRED_ANY) != NULL ) { - increment_next_vuid(&next_vuid); + increment_next_vuid(&sconn->smb1.sessions.next_vuid); } DEBUG(10,("register_initial_vuid: allocated vuid = %u\n", - (unsigned int)next_vuid )); + (unsigned int)sconn->smb1.sessions.next_vuid )); - vuser->vuid = next_vuid; + vuser->vuid = sconn->smb1.sessions.next_vuid; /* * This happens in an unfinished NTLMSSP session setup. We * need to allocate a vuid between the first and second calls * to NTLMSSP. */ - increment_next_vuid(&next_vuid); - num_validated_vuids++; + increment_next_vuid(&sconn->smb1.sessions.next_vuid); + sconn->smb1.sessions.num_validated_vuids++; - DLIST_ADD(validated_users, vuser); + DLIST_ADD(sconn->smb1.sessions.validated_users, vuser); return vuser->vuid; } @@ -234,7 +242,8 @@ static int register_homes_share(const char *username) * */ -int register_existing_vuid(uint16 vuid, +int register_existing_vuid(struct smbd_server_connection *sconn, + uint16 vuid, auth_serversupplied_info *server_info, DATA_BLOB response_blob, const char *smb_name) @@ -242,7 +251,7 @@ int register_existing_vuid(uint16 vuid, fstring tmp; user_struct *vuser; - vuser = get_partial_auth_user_struct(vuid); + vuser = get_partial_auth_user_struct(sconn, vuid); if (!vuser) { goto fail; } @@ -318,7 +327,7 @@ int register_existing_vuid(uint16 vuid, fail: if (vuser) { - invalidate_vuid(vuid); + invalidate_vuid(sconn, vuid); } return UID_FIELD_INVALID; } @@ -327,7 +336,8 @@ int register_existing_vuid(uint16 vuid, Add a name to the session users list. ****************************************************************************/ -void add_session_user(const char *user) +void add_session_user(struct smbd_server_connection *sconn, + const char *user) { struct passwd *pw; char *tmp; @@ -338,28 +348,29 @@ void add_session_user(const char *user) return; } - if (session_userlist == NULL) { - session_userlist = SMB_STRDUP(pw->pw_name); + if (sconn->smb1.sessions.session_userlist == NULL) { + sconn->smb1.sessions.session_userlist = SMB_STRDUP(pw->pw_name); goto done; } - if (in_list(pw->pw_name,session_userlist,False) ) { + if (in_list(pw->pw_name,sconn->smb1.sessions.session_userlist,false)) { goto done; } - if (strlen(session_userlist) > 128 * 1024) { + if (strlen(sconn->smb1.sessions.session_userlist) > 128 * 1024) { DEBUG(3,("add_session_user: session userlist already " "too large.\n")); goto done; } - if (asprintf(&tmp, "%s %s", session_userlist, pw->pw_name) == -1) { + if (asprintf(&tmp, "%s %s", + sconn->smb1.sessions.session_userlist, pw->pw_name) == -1) { DEBUG(3, ("asprintf failed\n")); goto done; } - SAFE_FREE(session_userlist); - session_userlist = tmp; + SAFE_FREE(sconn->smb1.sessions.session_userlist); + sconn->smb1.sessions.session_userlist = tmp; done: TALLOC_FREE(pw); } @@ -369,12 +380,13 @@ void add_session_user(const char *user) what Vista uses for the NTLMv2 calculation. ****************************************************************************/ -void add_session_workgroup(const char *workgroup) +void add_session_workgroup(struct smbd_server_connection *sconn, + const char *workgroup) { - if (session_workgroup) { - SAFE_FREE(session_workgroup); + if (sconn->smb1.sessions.session_workgroup) { + SAFE_FREE(sconn->smb1.sessions.session_workgroup); } - session_workgroup = smb_xstrdup(workgroup); + sconn->smb1.sessions.session_workgroup = smb_xstrdup(workgroup); } /**************************************************************************** @@ -382,9 +394,9 @@ void add_session_workgroup(const char *workgroup) what Vista uses for the NTLMv2 calculation. ****************************************************************************/ -const char *get_session_workgroup(void) +const char *get_session_workgroup(struct smbd_server_connection *sconn) { - return session_workgroup; + return sconn->smb1.sessions.session_workgroup; } /**************************************************************************** @@ -392,25 +404,30 @@ const char *get_session_workgroup(void) try lower case. ****************************************************************************/ -bool user_in_netgroup(const char *user, const char *ngname) +bool user_in_netgroup(struct smbd_server_connection *sconn, + const char *user, const char *ngname) { #ifdef HAVE_NETGROUP fstring lowercase_user; - if (my_yp_domain == NULL) - yp_get_default_domain(&my_yp_domain); + if (sconn->smb1.sessions.my_yp_domain == NULL) { + yp_get_default_domain(&sconn->smb1.sessions.my_yp_domain); + } - if(my_yp_domain == NULL) { + if (sconn->smb1.sessions.my_yp_domain == NULL) { DEBUG(5,("Unable to get default yp domain, " "let's try without specifying it\n")); } DEBUG(5,("looking for user %s of domain %s in netgroup %s\n", - user, my_yp_domain?my_yp_domain:"(ANY)", ngname)); + user, + sconn->smb1.sessions.my_yp_domain? + sconn->smb1.sessions.my_yp_domain:"(ANY)", + ngname)); - if (innetgr(ngname, NULL, user, my_yp_domain)) { + if (innetgr(ngname, NULL, user, sconn->smb1.sessions.my_yp_domain)) { DEBUG(5,("user_in_netgroup: Found\n")); - return (True); + return true; } else { /* @@ -422,15 +439,19 @@ bool user_in_netgroup(const char *user, const char *ngname) strlower_m(lowercase_user); DEBUG(5,("looking for user %s of domain %s in netgroup %s\n", - lowercase_user, my_yp_domain?my_yp_domain:"(ANY)", ngname)); + lowercase_user, + sconn->smb1.sessions.my_yp_domain? + sconn->smb1.sessions.my_yp_domain:"(ANY)", + ngname)); - if (innetgr(ngname, NULL, lowercase_user, my_yp_domain)) { + if (innetgr(ngname, NULL, lowercase_user, + sconn->smb1.sessions.my_yp_domain)) { DEBUG(5,("user_in_netgroup: Found\n")); - return (True); + return true; } } #endif /* HAVE_NETGROUP */ - return False; + return false; } /**************************************************************************** @@ -438,7 +459,8 @@ bool user_in_netgroup(const char *user, const char *ngname) and netgroup lists. ****************************************************************************/ -bool user_in_list(const char *user,const char **list) +bool user_in_list(struct smbd_server_connection *sconn, + const char *user,const char **list) { if (!list || !*list) return False; @@ -466,7 +488,7 @@ bool user_in_list(const char *user,const char **list) * Old behaviour. Check netgroup list * followed by UNIX list. */ - if(user_in_netgroup(user, *list +1)) + if(user_in_netgroup(sconn, user, *list +1)) return True; if(user_in_group(user, *list +1)) return True; @@ -478,7 +500,7 @@ bool user_in_list(const char *user,const char **list) */ if(user_in_group(user, *list +2)) return True; - if(user_in_netgroup(user, *list +2)) + if(user_in_netgroup(sconn, user, *list +2)) return True; } else { @@ -497,7 +519,7 @@ bool user_in_list(const char *user,const char **list) /* * Search netgroup list followed by UNIX list. */ - if(user_in_netgroup(user, *list +2)) + if(user_in_netgroup(sconn, user, *list +2)) return True; if(user_in_group(user, *list +2)) return True; @@ -505,7 +527,7 @@ bool user_in_list(const char *user,const char **list) /* * Just search netgroup list. */ - if(user_in_netgroup(user, *list +1)) + if(user_in_netgroup(sconn, user, *list +1)) return True; } } @@ -519,7 +541,8 @@ bool user_in_list(const char *user,const char **list) Check if a username is valid. ****************************************************************************/ -static bool user_ok(const char *user, int snum) +static bool user_ok(struct smbd_server_connection *sconn, + const char *user, int snum) { char **valid, **invalid; bool ret; @@ -536,7 +559,7 @@ static bool user_ok(const char *user, int snum) * around to pass to str_list_sub_basic() */ if ( invalid && str_list_sub_basic(invalid, "", "") ) { - ret = !user_in_list(user, + ret = !user_in_list(sconn, user, (const char **)invalid); } } @@ -552,7 +575,8 @@ static bool user_ok(const char *user, int snum) * around to pass to str_list_sub_basic() */ if ( valid && str_list_sub_basic(valid, "", "") ) { - ret = user_in_list(user, (const char **)valid); + ret = user_in_list(sconn, user, + (const char **)valid); } } } @@ -564,7 +588,8 @@ static bool user_ok(const char *user, int snum) if (user_list && str_list_substitute(user_list, "%S", lp_servicename(snum))) { - ret = user_in_list(user, (const char **)user_list); + ret = user_in_list(sconn, user, + (const char **)user_list); } TALLOC_FREE(user_list); } @@ -576,19 +601,21 @@ static bool user_ok(const char *user, int snum) Validate a group username entry. Return the username or NULL. ****************************************************************************/ -static char *validate_group(char *group, DATA_BLOB password,int snum) +static char *validate_group(struct smbd_server_connection *sconn, + char *group, DATA_BLOB password,int snum) { #ifdef HAVE_NETGROUP { char *host, *user, *domain; - struct smbd_server_connection *sconn = smbd_server_conn; struct auth_context *actx = sconn->smb1.negprot.auth_context; bool enc = sconn->smb1.negprot.encrypted_passwords; setnetgrent(group); while (getnetgrent(&host, &user, &domain)) { if (user) { - if (user_ok(user, snum) && - password_ok(actx, enc, user,password)) { + if (user_ok(sconn, user, snum) && + password_ok(actx, enc, + get_session_workgroup(sconn), + user,password)) { endnetgrent(); return(user); } @@ -601,7 +628,6 @@ static char *validate_group(char *group, DATA_BLOB password,int snum) #ifdef HAVE_GETGRENT { struct group *gptr; - struct smbd_server_connection *sconn = smbd_server_conn; struct auth_context *actx = sconn->smb1.negprot.auth_context; bool enc = sconn->smb1.negprot.encrypted_passwords; @@ -652,8 +678,10 @@ static char *validate_group(char *group, DATA_BLOB password,int snum) member = member_list; while (*member) { - if (user_ok(member,snum) && - password_ok(actx, enc, member,password)) { + if (user_ok(sconn, member,snum) && + password_ok(actx, enc, + get_session_workgroup(sconn), + member,password)) { char *name = talloc_strdup(talloc_tos(), member); SAFE_FREE(member_list); @@ -681,11 +709,11 @@ static char *validate_group(char *group, DATA_BLOB password,int snum) Note this is *NOT* used when logging on using sessionsetup_and_X. ****************************************************************************/ -bool authorise_login(int snum, fstring user, DATA_BLOB password, +bool authorise_login(struct smbd_server_connection *sconn, + int snum, fstring user, DATA_BLOB password, bool *guest) { bool ok = False; - struct smbd_server_connection *sconn = smbd_server_conn; struct auth_context *actx = sconn->smb1.negprot.auth_context; bool enc = sconn->smb1.negprot.encrypted_passwords; @@ -716,8 +744,8 @@ bool authorise_login(int snum, fstring user, DATA_BLOB password, char *user_list = NULL; char *saveptr; - if ( session_userlist ) - user_list = SMB_STRDUP(session_userlist); + if (sconn->smb1.sessions.session_userlist) + user_list = SMB_STRDUP(sconn->smb1.sessions.session_userlist); else user_list = SMB_STRDUP(""); @@ -729,10 +757,12 @@ bool authorise_login(int snum, fstring user, DATA_BLOB password, auser = strtok_r(NULL, LIST_SEP, &saveptr)) { fstring user2; fstrcpy(user2,auser); - if (!user_ok(user2,snum)) + if (!user_ok(sconn,user2,snum)) continue; - if (password_ok(actx, enc, user2,password)) { + if (password_ok(actx, enc, + get_session_workgroup(sconn), + user2,password)) { ok = True; fstrcpy(user,user2); DEBUG(3,("authorise_login: ACCEPTED: session " @@ -768,7 +798,8 @@ bool authorise_login(int snum, fstring user, DATA_BLOB password, auser && !ok; auser = strtok_r(NULL, LIST_SEP, &saveptr)) { if (*auser == '@') { - auser = validate_group(auser+1,password,snum); + auser = validate_group(sconn,auser+1, + password,snum); if (auser) { ok = True; fstrcpy(user,auser); @@ -779,8 +810,10 @@ bool authorise_login(int snum, fstring user, DATA_BLOB password, } else { fstring user2; fstrcpy(user2,auser); - if (user_ok(user2,snum) && - password_ok(actx, enc, user2,password)) { + if (user_ok(sconn,user2,snum) && + password_ok(actx, enc, + get_session_workgroup(sconn), + user2,password)) { ok = True; fstrcpy(user,user2); DEBUG(3,("authorise_login: ACCEPTED: " @@ -813,7 +846,7 @@ bool authorise_login(int snum, fstring user, DATA_BLOB password, *guest = True; } - if (ok && !user_ok(user, snum)) { + if (ok && !user_ok(sconn, user, snum)) { DEBUG(0,("authorise_login: rejected invalid user %s\n",user)); ok = False; } diff --git a/source3/smbd/process.c b/source3/smbd/process.c index f66f114c7b5..8061f1908f7 100644 --- a/source3/smbd/process.c +++ b/source3/smbd/process.c @@ -1275,7 +1275,7 @@ static connection_struct *switch_message(uint8 type, struct smb_request *req, in sconn->smb1.sessions.last_session_tag = session_tag; if(session_tag != UID_FIELD_INVALID) { - vuser = get_valid_user_struct(session_tag); + vuser = get_valid_user_struct(sconn, session_tag); if (vuser) { set_current_user_info( vuser->server_info->sanitized_username, @@ -2165,6 +2165,17 @@ void smbd_process(void) smbd_server_conn->smb1.sessions.done_sesssetup = false; smbd_server_conn->smb1.sessions.max_send = BUFFER_SIZE; smbd_server_conn->smb1.sessions.last_session_tag = UID_FIELD_INVALID; + /* users from session setup */ + smbd_server_conn->smb1.sessions.session_userlist = NULL; + /* workgroup from session setup. */ + smbd_server_conn->smb1.sessions.session_workgroup = NULL; + /* this holds info on user ids that are already validated for this VC */ + smbd_server_conn->smb1.sessions.validated_users = NULL; + smbd_server_conn->smb1.sessions.next_vuid = VUID_OFFSET; + smbd_server_conn->smb1.sessions.num_validated_vuids = 0; +#ifdef HAVE_NETGROUP + smbd_server_conn->smb1.sessions.my_yp_domain = NULL; +#endif smbd_server_conn->smb1.fde = event_add_fd(smbd_event_context(), smbd_server_conn, diff --git a/source3/smbd/reply.c b/source3/smbd/reply.c index f93386a1e59..095585a276b 100644 --- a/source3/smbd/reply.c +++ b/source3/smbd/reply.c @@ -562,7 +562,7 @@ void reply_special(char *inbuf) of possibly valid usernames if we are operating in share mode security */ if (lp_security() == SEC_SHARE) { - add_session_user(get_remote_machine_name()); + add_session_user(sconn, get_remote_machine_name()); } reload_services(True); @@ -644,7 +644,8 @@ void reply_tcon(struct smb_request *req) password_blob = data_blob(password, pwlen+1); - conn = make_connection(service,password_blob,dev,req->vuid,&nt_status); + conn = make_connection(sconn,service,password_blob,dev, + req->vuid,&nt_status); req->conn = conn; data_blob_clear_free(&password_blob); @@ -770,7 +771,7 @@ void reply_tcon_and_X(struct smb_request *req) DEBUG(4,("Client requested device type [%s] for share [%s]\n", client_devicetype, service)); - conn = make_connection(service, password, client_devicetype, + conn = make_connection(sconn, service, password, client_devicetype, req->vuid, &nt_status); req->conn =conn; @@ -2014,11 +2015,12 @@ void reply_open_and_X(struct smb_request *req) void reply_ulogoffX(struct smb_request *req) { + struct smbd_server_connection *sconn = smbd_server_conn; user_struct *vuser; START_PROFILE(SMBulogoffX); - vuser = get_valid_user_struct(req->vuid); + vuser = get_valid_user_struct(sconn, req->vuid); if(vuser == NULL) { DEBUG(3,("ulogoff, vuser id %d does not map to user.\n", @@ -2031,7 +2033,7 @@ void reply_ulogoffX(struct smb_request *req) file_close_user(req->vuid); } - invalidate_vuid(req->vuid); + invalidate_vuid(sconn, req->vuid); reply_outbuf(req, 2, 0); diff --git a/source3/smbd/server.c b/source3/smbd/server.c index b357b97f8a1..32b200b392f 100644 --- a/source3/smbd/server.c +++ b/source3/smbd/server.c @@ -800,7 +800,9 @@ static void exit_server_common(enum server_exit_reason how, had_open_conn = conn_close_all(); - invalidate_all_vuids(); + if (sconn) { + invalidate_all_vuids(sconn); + } /* 3 second timeout. */ print_notify_send_messages(smbd_messaging_context(), 3); diff --git a/source3/smbd/service.c b/source3/smbd/service.c index 75c19ce131f..898e4290e65 100644 --- a/source3/smbd/service.c +++ b/source3/smbd/service.c @@ -301,6 +301,7 @@ int add_home_service(const char *service, const char *username, const char *home int find_service(fstring service) { int iService; + struct smbd_server_connection *sconn = smbd_server_conn; all_string_sub(service,"\\","/",0); @@ -315,7 +316,7 @@ int find_service(fstring service) * Try mapping the servicename, it may * be a Windows to unix mapped user name. */ - if(map_username(service)) + if(map_username(sconn, service)) phome_dir = get_user_home_dir( talloc_tos(), service); } @@ -556,7 +557,8 @@ static NTSTATUS find_forced_group(bool force_user, Create an auth_serversupplied_info structure for a connection_struct ****************************************************************************/ -static NTSTATUS create_connection_server_info(TALLOC_CTX *mem_ctx, int snum, +static NTSTATUS create_connection_server_info(struct smbd_server_connection *sconn, + TALLOC_CTX *mem_ctx, int snum, struct auth_serversupplied_info *vuid_serverinfo, DATA_BLOB password, struct auth_serversupplied_info **presult) @@ -610,11 +612,11 @@ static NTSTATUS create_connection_server_info(TALLOC_CTX *mem_ctx, int snum, /* add the sharename as a possible user name if we are in share mode security */ - add_session_user(lp_servicename(snum)); + add_session_user(sconn, lp_servicename(snum)); /* shall we let them in? */ - if (!authorise_login(snum,user,password,&guest)) { + if (!authorise_login(sconn, snum,user,password,&guest)) { DEBUG( 2, ( "Invalid username/password for [%s]\n", lp_servicename(snum)) ); return NT_STATUS_WRONG_PASSWORD; @@ -634,10 +636,12 @@ static NTSTATUS create_connection_server_info(TALLOC_CTX *mem_ctx, int snum, connecting user if appropriate. ****************************************************************************/ -static connection_struct *make_connection_snum(int snum, user_struct *vuser, - DATA_BLOB password, - const char *pdev, - NTSTATUS *pstatus) +static connection_struct *make_connection_snum( + struct smbd_server_connection *sconn, + int snum, user_struct *vuser, + DATA_BLOB password, + const char *pdev, + NTSTATUS *pstatus) { connection_struct *conn; SMB_STRUCT_STAT st; @@ -663,7 +667,7 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser, conn->params->service = snum; - status = create_connection_server_info( + status = create_connection_server_info(sconn, conn, snum, vuser ? vuser->server_info : NULL, password, &conn->server_info); @@ -679,7 +683,7 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser, conn->force_user = true; } - add_session_user(conn->server_info->unix_name); + add_session_user(sconn, conn->server_info->unix_name); safe_strcpy(conn->client_address, client_addr(get_client_fd(),addr,sizeof(addr)), @@ -1073,7 +1077,8 @@ static connection_struct *make_connection_snum(int snum, user_struct *vuser, * @param service ****************************************************************************/ -connection_struct *make_connection(const char *service_in, DATA_BLOB password, +connection_struct *make_connection(struct smbd_server_connection *sconn, + const char *service_in, DATA_BLOB password, const char *pdev, uint16 vuid, NTSTATUS *status) { @@ -1100,7 +1105,7 @@ connection_struct *make_connection(const char *service_in, DATA_BLOB password, } if(lp_security() != SEC_SHARE) { - vuser = get_valid_user_struct(vuid); + vuser = get_valid_user_struct(sconn, vuid); if (!vuser) { DEBUG(1,("make_connection: refusing to connect with " "no session setup\n")); @@ -1131,7 +1136,8 @@ connection_struct *make_connection(const char *service_in, DATA_BLOB password, } DEBUG(5, ("making a connection to [homes] service " "created at session setup time\n")); - return make_connection_snum(vuser->homes_snum, + return make_connection_snum(sconn, + vuser->homes_snum, vuser, no_pw, dev, status); } else { @@ -1141,14 +1147,15 @@ connection_struct *make_connection(const char *service_in, DATA_BLOB password, fstring unix_username; fstrcpy(unix_username, current_user_info.smb_name); - map_username(unix_username); + map_username(sconn, unix_username); snum = find_service(unix_username); } if (snum != -1) { DEBUG(5, ("making a connection to 'homes' " "service %s based on " "security=share\n", service_in)); - return make_connection_snum(snum, NULL, + return make_connection_snum(sconn, + snum, NULL, password, dev, status); } @@ -1159,7 +1166,8 @@ connection_struct *make_connection(const char *service_in, DATA_BLOB password, DATA_BLOB no_pw = data_blob_null; DEBUG(5, ("making a connection to 'homes' service [%s] " "created at session setup time\n", service_in)); - return make_connection_snum(vuser->homes_snum, + return make_connection_snum(sconn, + vuser->homes_snum, vuser, no_pw, dev, status); } @@ -1197,7 +1205,7 @@ connection_struct *make_connection(const char *service_in, DATA_BLOB password, DEBUG(5, ("making a connection to 'normal' service %s\n", service)); - return make_connection_snum(snum, vuser, + return make_connection_snum(sconn, snum, vuser, password, dev, status); } diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c index be883303448..3988105fa41 100644 --- a/source3/smbd/sesssetup.c +++ b/source3/smbd/sesssetup.c @@ -252,6 +252,7 @@ static void reply_spnego_kerberos(struct smb_request *req, bool map_domainuser_to_guest = False; bool username_was_mapped; struct PAC_LOGON_INFO *logon_info = NULL; + struct smbd_server_connection *sconn = smbd_server_conn; ZERO_STRUCT(ticket); ZERO_STRUCT(ap_rep); @@ -415,7 +416,7 @@ static void reply_spnego_kerberos(struct smb_request *req, /* lookup the passwd struct, create a new user if necessary */ - username_was_mapped = map_username( user ); + username_was_mapped = map_username(sconn, user); pw = smb_getpwnam( mem_ctx, user, real_username, True ); @@ -526,8 +527,8 @@ static void reply_spnego_kerberos(struct smb_request *req, } } - if (!is_partial_auth_vuid(sess_vuid)) { - sess_vuid = register_initial_vuid(); + if (!is_partial_auth_vuid(sconn, sess_vuid)) { + sess_vuid = register_initial_vuid(sconn); } data_blob_free(&server_info->user_session_key); @@ -539,7 +540,8 @@ static void reply_spnego_kerberos(struct smb_request *req, * no need to free after this on success. A better interface would copy * it.... */ - sess_vuid = register_existing_vuid(sess_vuid, + sess_vuid = register_existing_vuid(sconn, + sess_vuid, server_info, nullblob, client); @@ -601,6 +603,7 @@ static void reply_spnego_ntlmssp(struct smb_request *req, { DATA_BLOB response; struct auth_serversupplied_info *server_info = NULL; + struct smbd_server_connection *sconn = smbd_server_conn; if (NT_STATUS_IS_OK(nt_status)) { server_info = (*auth_ntlmssp_state)->server_info; @@ -618,7 +621,7 @@ static void reply_spnego_ntlmssp(struct smb_request *req, if (NT_STATUS_IS_OK(nt_status)) { DATA_BLOB nullblob = data_blob_null; - if (!is_partial_auth_vuid(vuid)) { + if (!is_partial_auth_vuid(sconn, vuid)) { nt_status = NT_STATUS_LOGON_FAILURE; goto out; } @@ -631,7 +634,7 @@ static void reply_spnego_ntlmssp(struct smb_request *req, (*auth_ntlmssp_state)->ntlmssp_state->session_key.length); /* register_existing_vuid keeps the server info */ - if (register_existing_vuid(vuid, + if (register_existing_vuid(sconn, vuid, server_info, nullblob, (*auth_ntlmssp_state)->ntlmssp_state->user) != vuid) { @@ -673,7 +676,7 @@ static void reply_spnego_ntlmssp(struct smb_request *req, auth_ntlmssp_end(auth_ntlmssp_state); if (!NT_STATUS_IS_OK(nt_status)) { /* Kill the intermediate vuid */ - invalidate_vuid(vuid); + invalidate_vuid(sconn, vuid); } } } @@ -759,11 +762,12 @@ static void reply_spnego_negotiate(struct smb_request *req, DATA_BLOB chal; char *kerb_mech = NULL; NTSTATUS status; + struct smbd_server_connection *sconn = smbd_server_conn; status = parse_spnego_mechanisms(blob1, &secblob, &kerb_mech); if (!NT_STATUS_IS_OK(status)) { /* Kill the intermediate vuid */ - invalidate_vuid(vuid); + invalidate_vuid(sconn, vuid); reply_nterror(req, nt_status_squash(status)); return; } @@ -780,7 +784,7 @@ static void reply_spnego_negotiate(struct smb_request *req, data_blob_free(&secblob); if (destroy_vuid) { /* Kill the intermediate vuid */ - invalidate_vuid(vuid); + invalidate_vuid(sconn, vuid); } SAFE_FREE(kerb_mech); return; @@ -803,7 +807,7 @@ static void reply_spnego_negotiate(struct smb_request *req, status = auth_ntlmssp_start(auth_ntlmssp_state); if (!NT_STATUS_IS_OK(status)) { /* Kill the intermediate vuid */ - invalidate_vuid(vuid); + invalidate_vuid(sconn, vuid); reply_nterror(req, nt_status_squash(status)); return; } @@ -835,13 +839,14 @@ static void reply_spnego_auth(struct smb_request *req, DATA_BLOB auth_reply = data_blob_null; DATA_BLOB secblob = data_blob_null; NTSTATUS status = NT_STATUS_LOGON_FAILURE; + struct smbd_server_connection *sconn = smbd_server_conn; if (!spnego_parse_auth(blob1, &auth)) { #if 0 file_save("auth.dat", blob1.data, blob1.length); #endif /* Kill the intermediate vuid */ - invalidate_vuid(vuid); + invalidate_vuid(sconn, vuid); reply_nterror(req, nt_status_squash( NT_STATUS_LOGON_FAILURE)); @@ -856,7 +861,7 @@ static void reply_spnego_auth(struct smb_request *req, if (!NT_STATUS_IS_OK(status)) { /* Kill the intermediate vuid */ - invalidate_vuid(vuid); + invalidate_vuid(sconn, vuid); reply_nterror(req, nt_status_squash(status)); return; } @@ -873,7 +878,7 @@ static void reply_spnego_auth(struct smb_request *req, data_blob_free(&auth); if (destroy_vuid) { /* Kill the intermediate vuid */ - invalidate_vuid(vuid); + invalidate_vuid(sconn, vuid); } SAFE_FREE(kerb_mech); return; @@ -884,7 +889,7 @@ static void reply_spnego_auth(struct smb_request *req, if (kerb_mech) { /* Kill the intermediate vuid */ - invalidate_vuid(vuid); + invalidate_vuid(sconn, vuid); DEBUG(3,("reply_spnego_auth: network " "misconfiguration, client sent us a " "krb5 ticket and kerberos security " @@ -902,7 +907,7 @@ static void reply_spnego_auth(struct smb_request *req, status = auth_ntlmssp_start(auth_ntlmssp_state); if (!NT_STATUS_IS_OK(status)) { /* Kill the intermediate vuid */ - invalidate_vuid(vuid); + invalidate_vuid(sconn, vuid); reply_nterror(req, nt_status_squash(status)); return; } @@ -1213,7 +1218,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req) } /* Did we get a valid vuid ? */ - if (!is_partial_auth_vuid(vuid)) { + if (!is_partial_auth_vuid(sconn, vuid)) { /* No, then try and see if this is an intermediate sessionsetup * for a large SPNEGO packet. */ struct pending_auth_data *pad; @@ -1227,9 +1232,9 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req) } /* Do we have a valid vuid now ? */ - if (!is_partial_auth_vuid(vuid)) { + if (!is_partial_auth_vuid(sconn, vuid)) { /* No, start a new authentication setup. */ - vuid = register_initial_vuid(); + vuid = register_initial_vuid(sconn); if (vuid == UID_FIELD_INVALID) { data_blob_free(&blob1); reply_nterror(req, nt_status_squash( @@ -1238,7 +1243,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req) } } - vuser = get_partial_auth_user_struct(vuid); + vuser = get_partial_auth_user_struct(sconn, vuid); /* This MUST be valid. */ if (!vuser) { smb_panic("reply_sesssetup_and_X_spnego: invalid vuid."); @@ -1254,7 +1259,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req) if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { /* Real error - kill the intermediate vuid */ - invalidate_vuid(vuid); + invalidate_vuid(sconn, vuid); } data_blob_free(&blob1); reply_nterror(req, nt_status_squash(status)); @@ -1288,7 +1293,7 @@ static void reply_sesssetup_and_X_spnego(struct smb_request *req) status = auth_ntlmssp_start(&vuser->auth_ntlmssp_state); if (!NT_STATUS_IS_OK(status)) { /* Kill the intermediate vuid */ - invalidate_vuid(vuid); + invalidate_vuid(sconn, vuid); data_blob_free(&blob1); reply_nterror(req, nt_status_squash(status)); return; @@ -1649,9 +1654,9 @@ void reply_sesssetup_and_X(struct smb_request *req) data_blob_free(&nt_resp); data_blob_clear_free(&plaintext_password); - map_username(sub_user); - add_session_user(sub_user); - add_session_workgroup(domain); + map_username(sconn, sub_user); + add_session_user(sconn, sub_user); + add_session_workgroup(sconn, domain); /* Then force it to null for the benfit of the code below */ user = ""; } @@ -1770,7 +1775,7 @@ void reply_sesssetup_and_X(struct smb_request *req) TALLOC_FREE(server_info); } else { /* Ignore the initial vuid. */ - sess_vuid = register_initial_vuid(); + sess_vuid = register_initial_vuid(sconn); if (sess_vuid == UID_FIELD_INVALID) { data_blob_free(&nt_resp); data_blob_free(&lm_resp); @@ -1780,7 +1785,7 @@ void reply_sesssetup_and_X(struct smb_request *req) return; } /* register_existing_vuid keeps the server info */ - sess_vuid = register_existing_vuid(sess_vuid, + sess_vuid = register_existing_vuid(sconn, sess_vuid, server_info, nt_resp.data ? nt_resp : lm_resp, sub_user); diff --git a/source3/smbd/share_access.c b/source3/smbd/share_access.c index c72251b5a77..5d779b9c811 100644 --- a/source3/smbd/share_access.c +++ b/source3/smbd/share_access.c @@ -18,6 +18,7 @@ */ #include "includes.h" +#include "smbd/globals.h" /* * No prefix means direct username @@ -72,6 +73,7 @@ static bool token_contains_name(TALLOC_CTX *mem_ctx, const char *prefix; DOM_SID sid; enum lsa_SidType type; + struct smbd_server_connection *sconn = smbd_server_conn; if (username != NULL) { name = talloc_sub_basic(mem_ctx, username, domain, name); @@ -128,7 +130,7 @@ static bool token_contains_name(TALLOC_CTX *mem_ctx, continue; } if (*prefix == '&') { - if (user_in_netgroup(username, name)) { + if (user_in_netgroup(sconn, username, name)) { return True; } continue; diff --git a/source3/smbd/uid.c b/source3/smbd/uid.c index 72837ff967c..2ec50cd4d83 100644 --- a/source3/smbd/uid.c +++ b/source3/smbd/uid.c @@ -224,7 +224,8 @@ void conn_clear_vuid_cache(connection_struct *conn, uint16_t vuid) bool change_to_user(connection_struct *conn, uint16 vuid) { const struct auth_serversupplied_info *server_info = NULL; - user_struct *vuser = get_valid_user_struct(vuid); + struct smbd_server_connection *sconn = smbd_server_conn; + user_struct *vuser = get_valid_user_struct(sconn, vuid); int snum; gid_t gid; uid_t uid; |