&server_info->utok.uid,
&server_info->utok.gid,
&server_info->unix_name,
- &server_info->ptok);
+ &server_info->security_token);
} else {
status = create_local_nt_token_from_info3(server_info,
server_info->guest,
server_info->info3,
&server_info->extra,
- &server_info->ptok);
+ &server_info->security_token);
}
if (!NT_STATUS_IS_OK(status)) {
/* Start at index 1, where the groups start. */
- for (i=1; i<server_info->ptok->num_sids; i++) {
+ for (i=1; i<server_info->security_token->num_sids; i++) {
gid_t gid;
- struct dom_sid *sid = &server_info->ptok->sids[i];
+ struct dom_sid *sid = &server_info->security_token->sids[i];
if (!sid_to_gid(sid, &gid)) {
DEBUG(10, ("Could not convert SID %s to gid, "
uid_to_unix_users_sid(server_info->utok.uid, &tmp_sid);
- add_sid_to_array_unique(server_info->ptok, &tmp_sid,
- &server_info->ptok->sids,
- &server_info->ptok->num_sids);
+ add_sid_to_array_unique(server_info->security_token, &tmp_sid,
+ &server_info->security_token->sids,
+ &server_info->security_token->num_sids);
for ( i=0; i<server_info->utok.ngroups; i++ ) {
gid_to_unix_groups_sid(server_info->utok.groups[i], &tmp_sid);
- add_sid_to_array_unique(server_info->ptok, &tmp_sid,
- &server_info->ptok->sids,
- &server_info->ptok->num_sids);
+ add_sid_to_array_unique(server_info->security_token, &tmp_sid,
+ &server_info->security_token->sids,
+ &server_info->security_token->num_sids);
}
- security_token_debug(DBGC_AUTH, 10, server_info->ptok);
+ security_token_debug(DBGC_AUTH, 10, server_info->security_token);
debug_unix_user_token(DBGC_AUTH, 10,
server_info->utok.uid,
server_info->utok.gid,
server_info->utok.ngroups,
server_info->utok.groups);
- status = log_nt_token(server_info->ptok);
+ status = log_nt_token(server_info->security_token);
return status;
}
(*server_info)->system = true;
- status = add_sid_to_array_unique((*server_info)->ptok->sids,
+ status = add_sid_to_array_unique((*server_info)->security_token->sids,
&global_sid_System,
- &(*server_info)->ptok->sids,
- &(*server_info)->ptok->num_sids);
+ &(*server_info)->security_token->sids,
+ &(*server_info)->security_token->num_sids);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE((*server_info));
return status;
dst->utok.groups = NULL;
}
- if (src->ptok) {
- dst->ptok = dup_nt_token(dst, src->ptok);
- if (!dst->ptok) {
+ if (src->security_token) {
+ dst->security_token = dup_nt_token(dst, src->security_token);
+ if (!dst->security_token) {
TALLOC_FREE(dst);
return NULL;
}
/* NT group information taken from the info3 structure */
- struct security_token *ptok;
+ struct security_token *security_token;
/* This is the final session key, as used by SMB signing, and
* (truncated to 16 bytes) encryption on the SAMR and LSA pipes
return false;
}
- user_sid = &conn->server_info->ptok->user_sids[0];
+ user_sid = &conn->server_info->security_token->user_sids[0];
afs_username = talloc_string_sub(talloc_tos(),
afs_username,
"%s",
&psd,
&size,
parent_desc,
- &handle->conn->server_info->ptok->sids[PRIMARY_USER_SID_INDEX],
- &handle->conn->server_info->ptok->sids[PRIMARY_GROUP_SID_INDEX],
+ &handle->conn->server_info->security_token->sids[PRIMARY_USER_SID_INDEX],
+ &handle->conn->server_info->security_token->sids[PRIMARY_GROUP_SID_INDEX],
is_directory);
if (!NT_STATUS_IS_OK(status)) {
return status;
* anonymized if needed, by the calling function.
*/
usersid = dom_sid_string( common_data_count_str,
- &handle->conn->server_info->ptok->sids[0]);
+ &handle->conn->server_info->security_token->sids[0]);
sidstr = smb_traffic_analyzer_anonymize(
common_data_count_str,
/* Always allow root or SE_PRINT_OPERATROR to do anything */
if (server_info->utok.uid == sec_initial_uid()
- || security_token_has_privilege(server_info->ptok, SEC_PRIV_PRINT_OPERATOR)) {
+ || security_token_has_privilege(server_info->security_token, SEC_PRIV_PRINT_OPERATOR)) {
return True;
}
}
/* Check access */
- status = se_access_check(secdesc, server_info->ptok, access_type,
+ status = se_access_check(secdesc, server_info->security_token, access_type,
&access_granted);
DEBUG(4, ("access check was %s\n", NT_STATUS_IS_OK(status) ? "SUCCESS" : "FAILURE"));
if (!NT_STATUS_IS_OK(status) &&
(token_contains_name_in_list(uidtoname(server_info->utok.uid),
server_info->info3->base.domain.string,
- NULL, server_info->ptok,
+ NULL, server_info->security_token,
lp_printer_admin(snum)))) {
talloc_destroy(mem_ctx);
return True;
}
/* Send the named_pipe_auth server the user's full token */
- session_info->security_token = server_info->ptok;
+ session_info->security_token = server_info->security_token;
session_info->session_key = server_info->user_session_key;
val.sam3 = server_info->info3;
return -1;
}
- /* Now override the server_info->ptok with the exact
+ /* Now override the server_info->security_token with the exact
* security_token we were given from the other side,
* regardless of what we just calculated */
- p->server_info->ptok = talloc_move(p->server_info, &session_info->security_token);
+ p->server_info->security_token = talloc_move(p->server_info, &session_info->security_token);
/* Also set the session key to the correct value */
p->server_info->user_session_key = session_info->session_key;
static bool is_priviledged_pipe(struct auth_serversupplied_info *info) {
/* If the user is not root, or has the system token, fail */
if ((info->utok.uid != sec_initial_uid()) &&
- !security_token_is_system(info->ptok)) {
+ !security_token_is_system(info->security_token)) {
return false;
}
elog->logname = talloc_strdup( elog, ELOG_APPL );
/* do the access check */
- if ( !elog_check_access( elog, p->server_info->ptok ) ) {
+ if ( !elog_check_access( elog, p->server_info->security_token ) ) {
TALLOC_FREE( elog );
return NT_STATUS_ACCESS_DENIED;
}
/* now do the access check. Close the tdb if we fail here */
- if ( !elog_check_access( elog, p->server_info->ptok ) ) {
+ if ( !elog_check_access( elog, p->server_info->security_token ) ) {
TALLOC_FREE( elog );
return NT_STATUS_ACCESS_DENIED;
}
NTSTATUS status;
/* Work out max allowed. */
- map_max_allowed_access(p->server_info->ptok,
+ map_max_allowed_access(p->server_info->security_token,
&p->server_info->utok,
&des_access);
return status;
}
- status = access_check_object(psd, p->server_info->ptok,
+ status = access_check_object(psd, p->server_info->security_token,
SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0, des_access,
&acc_granted, "_lsa_OpenPolicy2" );
if (!NT_STATUS_IS_OK(status)) {
}
/* Work out max allowed. */
- map_max_allowed_access(p->server_info->ptok,
+ map_max_allowed_access(p->server_info->security_token,
&p->server_info->utok,
&r->in.access_mask);
return status;
}
- status = access_check_object(psd, p->server_info->ptok,
+ status = access_check_object(psd, p->server_info->security_token,
SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0, r->in.access_mask,
&acc_granted, "_lsa_CreateAccount");
if (!NT_STATUS_IS_OK(status)) {
* handle - so don't check against policy handle. */
/* Work out max allowed. */
- map_max_allowed_access(p->server_info->ptok,
+ map_max_allowed_access(p->server_info->security_token,
&p->server_info->utok,
&des_access);
return status;
}
- status = access_check_object(psd, p->server_info->ptok,
+ status = access_check_object(psd, p->server_info->security_token,
SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0, des_access,
&acc_granted, "_lsa_OpenAccount" );
if (!NT_STATUS_IS_OK(status)) {
* on the account sid. We don't check here so just use the latter. JRA.
*/
- status = access_check_object(psd, p->server_info->ptok,
+ status = access_check_object(psd, p->server_info->security_token,
SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0,
LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|LSA_ACCOUNT_VIEW,
&acc_granted, "_lsa_AddAccountRights" );
* and DELETE on the account sid.
*/
- status = access_check_object(psd, p->server_info->ptok,
+ status = access_check_object(psd, p->server_info->security_token,
SEC_PRIV_INVALID, SEC_PRIV_INVALID, 0,
LSA_ACCOUNT_ADJUST_PRIVILEGES|LSA_ACCOUNT_ADJUST_SYSTEM_ACCESS|
LSA_ACCOUNT_VIEW|SEC_STD_DELETE,
case NETLOGON_CONTROL_CHANGE_PASSWORD:
case NETLOGON_CONTROL_REDISCOVER:
if ((geteuid() != sec_initial_uid()) &&
- !nt_token_check_domain_rid(p->server_info->ptok, DOMAIN_RID_ADMINS) &&
- !nt_token_check_sid(&global_sid_Builtin_Administrators, p->server_info->ptok) &&
+ !nt_token_check_domain_rid(p->server_info->security_token, DOMAIN_RID_ADMINS) &&
+ !nt_token_check_sid(&global_sid_Builtin_Administrators, p->server_info->security_token) &&
!(acct_ctrl & (ACB_WSTRUST | ACB_SVRTRUST))) {
return WERR_ACCESS_DENIED;
}
return false;
}
- if ((*server_info)->ptok == NULL) {
+ if ((*server_info)->security_token == NULL) {
DEBUG(1, ("Auth module failed to provide nt_user_token\n"));
return false;
}
return status;
}
- if ((*server_info)->ptok == NULL) {
+ if ((*server_info)->security_token == NULL) {
status = create_local_token(*server_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to create local user token (%s)\n",
}
/*check if access can be granted as requested by client. */
- map_max_allowed_access(p->server_info->ptok,
+ map_max_allowed_access(p->server_info->security_token,
&p->server_info->utok,
&des_access);
* Users with SeAddUser get the ability to manipulate groups
* and aliases.
*/
- if (security_token_has_privilege(p->server_info->ptok, SEC_PRIV_ADD_USERS)) {
+ if (security_token_has_privilege(p->server_info->security_token, SEC_PRIV_ADD_USERS)) {
extra_access |= (SAMR_DOMAIN_ACCESS_CREATE_GROUP |
SAMR_DOMAIN_ACCESS_ENUM_ACCOUNTS |
SAMR_DOMAIN_ACCESS_OPEN_ACCOUNT |
* SAMR_DOMAIN_ACCESS_CREATE_USER access.
*/
- status = access_check_object( psd, p->server_info->ptok,
+ status = access_check_object( psd, p->server_info->security_token,
SEC_PRIV_MACHINE_ACCOUNT, SEC_PRIV_ADD_USERS,
extra_access, des_access,
&acc_granted, "_samr_OpenDomain" );
return NT_STATUS_NO_SUCH_USER;
/* check if access can be granted as requested by client. */
- map_max_allowed_access(p->server_info->ptok,
+ map_max_allowed_access(p->server_info->security_token,
&p->server_info->utok,
&des_access);
* DOMAIN_RID_ADMINS.
*/
if (acb_info & (ACB_SVRTRUST|ACB_DOMTRUST)) {
- if (lp_enable_privileges() && nt_token_check_domain_rid(p->server_info->ptok,
+ if (lp_enable_privileges() && nt_token_check_domain_rid(p->server_info->security_token,
DOMAIN_RID_ADMINS)) {
des_access &= ~GENERIC_RIGHTS_USER_WRITE;
extra_access = GENERIC_RIGHTS_USER_WRITE;
TALLOC_FREE(sampass);
- nt_status = access_check_object(psd, p->server_info->ptok,
+ nt_status = access_check_object(psd, p->server_info->security_token,
needed_priv_1, needed_priv_2,
GENERIC_RIGHTS_USER_WRITE, des_access,
&acc_granted, "_samr_OpenUser");
can_add_account = true;
} else if (acb_info & ACB_WSTRUST) {
needed_priv = SEC_PRIV_MACHINE_ACCOUNT;
- can_add_account = security_token_has_privilege(p->server_info->ptok, SEC_PRIV_MACHINE_ACCOUNT);
+ can_add_account = security_token_has_privilege(p->server_info->security_token, SEC_PRIV_MACHINE_ACCOUNT);
} else if (acb_info & ACB_NORMAL &&
(account[strlen(account)-1] != '$')) {
/* usrmgr.exe (and net rpc trustdom grant) creates a normal user
account for domain trusts and changes the ACB flags later */
needed_priv = SEC_PRIV_ADD_USERS;
- can_add_account = security_token_has_privilege(p->server_info->ptok, SEC_PRIV_ADD_USERS);
+ can_add_account = security_token_has_privilege(p->server_info->security_token, SEC_PRIV_ADD_USERS);
} else if (lp_enable_privileges()) {
/* implicit assumption of a BDC or domain trust account here
* (we already check the flags earlier) */
/* only Domain Admins can add a BDC or domain trust */
can_add_account = nt_token_check_domain_rid(
- p->server_info->ptok,
+ p->server_info->security_token,
DOMAIN_RID_ADMINS );
}
sid_compose(&sid, get_global_sam_sid(), *r->out.rid);
- map_max_allowed_access(p->server_info->ptok,
+ map_max_allowed_access(p->server_info->security_token,
&p->server_info->utok,
&des_access);
* just assume we have all the rights we need ?
*/
- nt_status = access_check_object(psd, p->server_info->ptok,
+ nt_status = access_check_object(psd, p->server_info->security_token,
needed_priv, SEC_PRIV_INVALID,
GENERIC_RIGHTS_USER_WRITE, des_access,
&acc_granted, "_samr_CreateUser2");
was observed from a win98 client trying to enumerate users (when configured
user level access control on shares) --jerry */
- map_max_allowed_access(p->server_info->ptok,
+ map_max_allowed_access(p->server_info->security_token,
&p->server_info->utok,
&des_access);
return NT_STATUS_ACCESS_DENIED;
}
- map_max_allowed_access(p->server_info->ptok,
+ map_max_allowed_access(p->server_info->security_token,
&p->server_info->utok,
&des_access);
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &sam_generic_mapping, NULL, 0);
se_map_generic(&des_access, &sam_generic_mapping);
- nt_status = access_check_object(psd, p->server_info->ptok,
+ nt_status = access_check_object(psd, p->server_info->security_token,
SEC_PRIV_INVALID, SEC_PRIV_INVALID,
0, des_access, &acc_granted, fn);
/*check if access can be granted as requested by client. */
- map_max_allowed_access(p->server_info->ptok,
+ map_max_allowed_access(p->server_info->security_token,
&p->server_info->utok,
&des_access);
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &ali_generic_mapping, NULL, 0);
se_map_generic(&des_access,&ali_generic_mapping);
- status = access_check_object(psd, p->server_info->ptok,
+ status = access_check_object(psd, p->server_info->security_token,
SEC_PRIV_ADD_USERS, SEC_PRIV_INVALID,
GENERIC_RIGHTS_ALIAS_ALL_ACCESS,
des_access, &acc_granted, "_samr_OpenAlias");
}
/*check if access can be granted as requested by client. */
- map_max_allowed_access(p->server_info->ptok,
+ map_max_allowed_access(p->server_info->security_token,
&p->server_info->utok,
&des_access);
make_samr_object_sd(p->mem_ctx, &psd, &sd_size, &grp_generic_mapping, NULL, 0);
se_map_generic(&des_access,&grp_generic_mapping);
- status = access_check_object(psd, p->server_info->ptok,
+ status = access_check_object(psd, p->server_info->security_token,
SEC_PRIV_ADD_USERS, SEC_PRIV_INVALID, GENERIC_RIGHTS_GROUP_ALL_ACCESS,
des_access, &acc_granted, "_samr_OpenGroup");
return WERR_BADFID;
}
- result = delete_printer_hook(p->mem_ctx, p->server_info->ptok,
+ result = delete_printer_hook(p->mem_ctx, p->server_info->security_token,
Printer->sharename, p->msg_ctx);
if (!W_ERROR_IS_OK(result)) {
return result;
and not a printer admin, then fail */
if ((p->server_info->utok.uid != sec_initial_uid()) &&
- !security_token_has_privilege(p->server_info->ptok, SEC_PRIV_PRINT_OPERATOR) &&
- !nt_token_check_sid(&global_sid_Builtin_Print_Operators, p->server_info->ptok) &&
+ !security_token_has_privilege(p->server_info->security_token, SEC_PRIV_PRINT_OPERATOR) &&
+ !nt_token_check_sid(&global_sid_Builtin_Print_Operators, p->server_info->security_token) &&
!token_contains_name_in_list(
uidtoname(p->server_info->utok.uid),
p->server_info->info3->base.domain.string,
NULL,
- p->server_info->ptok,
+ p->server_info->security_token,
lp_printer_admin(snum))) {
close_printer_handle(p, r->out.handle);
ZERO_STRUCTP(r->out.handle);
}
if (!user_ok_token(uidtoname(p->server_info->utok.uid), NULL,
- p->server_info->ptok, snum) ||
+ p->server_info->security_token, snum) ||
!print_access_check(p->server_info,
p->msg_ctx,
snum,
and not a printer admin, then fail */
if ( (p->server_info->utok.uid != sec_initial_uid())
- && !security_token_has_privilege(p->server_info->ptok, SEC_PRIV_PRINT_OPERATOR)
+ && !security_token_has_privilege(p->server_info->security_token, SEC_PRIV_PRINT_OPERATOR)
&& !token_contains_name_in_list(
uidtoname(p->server_info->utok.uid),
p->server_info->info3->base.domain.string,
NULL,
- p->server_info->ptok,
+ p->server_info->security_token,
lp_printer_admin(-1)) )
{
return WERR_ACCESS_DENIED;
and not a printer admin, then fail */
if ( (p->server_info->utok.uid != sec_initial_uid())
- && !security_token_has_privilege(p->server_info->ptok, SEC_PRIV_PRINT_OPERATOR)
+ && !security_token_has_privilege(p->server_info->security_token, SEC_PRIV_PRINT_OPERATOR)
&& !token_contains_name_in_list(
uidtoname(p->server_info->utok.uid),
p->server_info->info3->base.domain.string,
NULL,
- p->server_info->ptok, lp_printer_admin(-1)) )
+ p->server_info->security_token, lp_printer_admin(-1)) )
{
return WERR_ACCESS_DENIED;
}
!strequal(printer->location, old_printer->location)) )
{
/* add_printer_hook() will call reload_services() */
- if (!add_printer_hook(tmp_ctx, p->server_info->ptok,
+ if (!add_printer_hook(tmp_ctx, p->server_info->security_token,
printer, p->client_id->addr,
p->msg_ctx)) {
result = WERR_ACCESS_DENIED;
trying to add a printer like this --jerry */
if (*lp_addprinter_cmd() ) {
- if ( !add_printer_hook(p->mem_ctx, p->server_info->ptok,
+ if ( !add_printer_hook(p->mem_ctx, p->server_info->security_token,
info2, p->client_id->addr,
p->msg_ctx) ) {
return WERR_ACCESS_DENIED;
and not a printer admin, then fail */
if ((p->server_info->utok.uid != sec_initial_uid()) &&
- !security_token_has_privilege(p->server_info->ptok, SEC_PRIV_PRINT_OPERATOR) &&
+ !security_token_has_privilege(p->server_info->security_token, SEC_PRIV_PRINT_OPERATOR) &&
!token_contains_name_in_list(uidtoname(p->server_info->utok.uid),
p->server_info->info3->base.domain.string,
NULL,
- p->server_info->ptok,
+ p->server_info->security_token,
lp_printer_admin(snum))) {
DEBUG(2,("_spoolss_Addform: denied by insufficient permissions.\n"));
return WERR_ACCESS_DENIED;
}
if ((p->server_info->utok.uid != sec_initial_uid()) &&
- !security_token_has_privilege(p->server_info->ptok, SEC_PRIV_PRINT_OPERATOR) &&
+ !security_token_has_privilege(p->server_info->security_token, SEC_PRIV_PRINT_OPERATOR) &&
!token_contains_name_in_list(uidtoname(p->server_info->utok.uid),
p->server_info->info3->base.domain.string,
NULL,
- p->server_info->ptok,
+ p->server_info->security_token,
lp_printer_admin(snum))) {
DEBUG(2,("_spoolss_DeleteForm: denied by insufficient permissions.\n"));
return WERR_ACCESS_DENIED;
and not a printer admin, then fail */
if ((p->server_info->utok.uid != sec_initial_uid()) &&
- !security_token_has_privilege(p->server_info->ptok, SEC_PRIV_PRINT_OPERATOR) &&
+ !security_token_has_privilege(p->server_info->security_token, SEC_PRIV_PRINT_OPERATOR) &&
!token_contains_name_in_list(uidtoname(p->server_info->utok.uid),
p->server_info->info3->base.domain.string,
NULL,
- p->server_info->ptok,
+ p->server_info->security_token,
lp_printer_admin(snum))) {
DEBUG(2,("_spoolss_Setform: denied by insufficient permissions.\n"));
return WERR_ACCESS_DENIED;
switch ( Printer->printer_type ) {
case SPLHND_PORTMON_TCP:
werror = process_xcvtcp_command(p->mem_ctx,
- p->server_info->ptok,
+ p->server_info->security_token,
r->in.function_name,
&r->in.in_data, &out_data,
r->out.needed);
break;
case SPLHND_PORTMON_LOCAL:
werror = process_xcvlocal_command(p->mem_ctx,
- p->server_info->ptok,
+ p->server_info->security_token,
r->in.function_name,
&r->in.in_data, &out_data,
r->out.needed);
if (!lp_access_based_share_enum(snum))
return true;
- return share_access_check(p->server_info->ptok, lp_servicename(snum),
+ return share_access_check(p->server_info->security_token, lp_servicename(snum),
FILE_READ_DATA);
}
}
if (!nt_token_check_sid(&global_sid_Builtin_Administrators,
- p->server_info->ptok)) {
+ p->server_info->security_token)) {
DEBUG(1, ("Enumerating files only allowed for "
"administrators\n"));
return WERR_ACCESS_DENIED;
DEBUG(5,("_srvsvc_NetConnEnum: %d\n", __LINE__));
if (!nt_token_check_sid(&global_sid_Builtin_Administrators,
- p->server_info->ptok)) {
+ p->server_info->security_token)) {
DEBUG(1, ("Enumerating connections only allowed for "
"administrators\n"));
return WERR_ACCESS_DENIED;
DEBUG(5,("_srvsvc_NetSessEnum: %d\n", __LINE__));
if (!nt_token_check_sid(&global_sid_Builtin_Administrators,
- p->server_info->ptok)) {
+ p->server_info->security_token)) {
DEBUG(1, ("Enumerating sessions only allowed for "
"administrators\n"));
return WERR_ACCESS_DENIED;
/* fail out now if you are not root or not a domain admin */
if ((p->server_info->utok.uid != sec_initial_uid()) &&
- ( ! nt_token_check_domain_rid(p->server_info->ptok,
+ ( ! nt_token_check_domain_rid(p->server_info->security_token,
DOMAIN_RID_ADMINS))) {
goto done;
if (lp_print_ok(snum))
return WERR_ACCESS_DENIED;
- is_disk_op = security_token_has_privilege(p->server_info->ptok, SEC_PRIV_DISK_OPERATOR);
+ is_disk_op = security_token_has_privilege(p->server_info->security_token, SEC_PRIV_DISK_OPERATOR);
/* fail out now if you are not root and not a disk op */
*r->out.parm_error = 0;
}
- is_disk_op = security_token_has_privilege(p->server_info->ptok, SEC_PRIV_DISK_OPERATOR);
+ is_disk_op = security_token_has_privilege(p->server_info->security_token, SEC_PRIV_DISK_OPERATOR);
if (p->server_info->utok.uid != sec_initial_uid() && !is_disk_op )
return WERR_ACCESS_DENIED;
if (lp_print_ok(snum))
return WERR_ACCESS_DENIED;
- is_disk_op = security_token_has_privilege(p->server_info->ptok, SEC_PRIV_DISK_OPERATOR);
+ is_disk_op = security_token_has_privilege(p->server_info->security_token, SEC_PRIV_DISK_OPERATOR);
if (p->server_info->utok.uid != sec_initial_uid() && !is_disk_op )
return WERR_ACCESS_DENIED;
DEBUG(5,("_srvsvc_NetFileClose: %d\n", __LINE__));
- is_disk_op = security_token_has_privilege(p->server_info->ptok, SEC_PRIV_DISK_OPERATOR);
+ is_disk_op = security_token_has_privilege(p->server_info->security_token, SEC_PRIV_DISK_OPERATOR);
if (p->server_info->utok.uid != sec_initial_uid() && !is_disk_op) {
return WERR_ACCESS_DENIED;
return WERR_NOMEM;
se_map_generic( &r->in.access_mask, &scm_generic_map );
- status = svcctl_access_check( sec_desc, p->server_info->ptok,
+ status = svcctl_access_check( sec_desc, p->server_info->security_token,
r->in.access_mask, &access_granted );
if ( !NT_STATUS_IS_OK(status) )
return ntstatus_to_werror( status );
}
se_map_generic( &r->in.access_mask, &svc_generic_map );
- status = svcctl_access_check( sec_desc, p->server_info->ptok,
+ status = svcctl_access_check( sec_desc, p->server_info->security_token,
r->in.access_mask, &access_granted );
if ( !NT_STATUS_IS_OK(status) )
return ntstatus_to_werror( status );
if (parent == NULL) {
result = reg_openhive(p->mem_ctx, subkeyname, access_desired,
- p->server_info->ptok, &key);
+ p->server_info->security_token, &key);
}
else {
result = reg_openkey(p->mem_ctx, parent, subkeyname,
return WERR_NOMEM;
}
- can_shutdown = security_token_has_privilege(p->server_info->ptok, SEC_PRIV_REMOTE_SHUTDOWN);
+ can_shutdown = security_token_has_privilege(p->server_info->security_token, SEC_PRIV_REMOTE_SHUTDOWN);
/* IF someone has privs, run the shutdown script as root. OTHERWISE run it as not root
Take the error return from the script and provide it as the Windows return code. */
if (!*abort_shutdown_script)
return WERR_ACCESS_DENIED;
- can_shutdown = security_token_has_privilege(p->server_info->ptok, SEC_PRIV_REMOTE_SHUTDOWN);
+ can_shutdown = security_token_has_privilege(p->server_info->security_token, SEC_PRIV_REMOTE_SHUTDOWN);
/********** BEGIN SeRemoteShutdownPrivilege BLOCK **********/
/* user must posses SeRestorePrivilege for this this proceed */
- if ( !security_token_has_privilege(p->server_info->ptok, SEC_PRIV_RESTORE)) {
+ if ( !security_token_has_privilege(p->server_info->security_token, SEC_PRIV_RESTORE)) {
return WERR_ACCESS_DENIED;
}
case 101:
/* Level 101 can be allowed from any logged in user */
if (!nt_token_check_sid(&global_sid_Authenticated_Users,
- p->server_info->ptok)) {
+ p->server_info->security_token)) {
DEBUG(1,("User not allowed for NetWkstaGetInfo level "
"101\n"));
DEBUGADD(3,(" - does not have sid for Authenticated "
sid_string_dbg(
&global_sid_Authenticated_Users)));
security_token_debug(DBGC_CLASS, 3,
- p->server_info->ptok);
+ p->server_info->security_token);
return WERR_ACCESS_DENIED;
}
r->out.info->info101 = create_wks_info_101(p->mem_ctx);
case 102:
/* Level 102 Should only be allowed from a domain administrator */
if (!nt_token_check_sid(&global_sid_Builtin_Administrators,
- p->server_info->ptok)) {
+ p->server_info->security_token)) {
DEBUG(1,("User not allowed for NetWkstaGetInfo level "
"102\n"));
DEBUGADD(3,(" - does not have sid for Administrators "
"group %s, sids are:\n",
sid_string_dbg(&global_sid_Builtin_Administrators)));
security_token_debug(DBGC_CLASS, 3,
- p->server_info->ptok);
+ p->server_info->security_token);
return WERR_ACCESS_DENIED;
}
r->out.info->info102 = create_wks_info_102(p->mem_ctx);
{
/* This with any level should only be allowed from a domain administrator */
if (!nt_token_check_sid(&global_sid_Builtin_Administrators,
- p->server_info->ptok)) {
+ p->server_info->security_token)) {
DEBUG(1,("User not allowed for NetWkstaEnumUsers\n"));
DEBUGADD(3,(" - does not have sid for Administrators group "
"%s\n", sid_string_dbg(
&global_sid_Builtin_Administrators)));
- security_token_debug(DBGC_CLASS, 3, p->server_info->ptok);
+ security_token_debug(DBGC_CLASS, 3, p->server_info->security_token);
return WERR_ACCESS_DENIED;
}
char *admin_domain = NULL;
char *admin_account = NULL;
WERROR werr;
- struct security_token *token = p->server_info->ptok;
+ struct security_token *token = p->server_info->security_token;
if (!r->in.domain_name) {
return WERR_INVALID_PARAM;
char *admin_domain = NULL;
char *admin_account = NULL;
WERROR werr;
- struct security_token *token = p->server_info->ptok;
+ struct security_token *token = p->server_info->security_token;
if (!r->in.account || !r->in.encrypted_password) {
return WERR_INVALID_PARAM;
"Real name: %s\n", vuser->server_info->unix_name,
vuser->server_info->info3->base.full_name.string));
- if (!vuser->server_info->ptok) {
+ if (!vuser->server_info->security_token) {
DEBUG(1, ("register_existing_vuid: server_info does not "
"contain a user_token - cannot continue\n"));
goto fail;
} else {
if (!user_ok_token(vuid_serverinfo->unix_name,
vuid_serverinfo->info3->base.domain.string,
- vuid_serverinfo->ptok, snum)) {
+ vuid_serverinfo->security_token, snum)) {
DEBUG(2, ("user '%s' (from session setup) not "
"permitted to access this share "
"(%s)\n",
status = find_forced_group(
conn->force_user, snum, conn->server_info->unix_name,
- &conn->server_info->ptok->sids[1],
+ &conn->server_info->security_token->sids[1],
&conn->server_info->utok.gid);
if (!NT_STATUS_IS_OK(status)) {
{
bool can_write = False;
- can_write = share_access_check(conn->server_info->ptok,
+ can_write = share_access_check(conn->server_info->security_token,
lp_servicename(snum),
FILE_WRITE_DATA);
if (!can_write) {
- if (!share_access_check(conn->server_info->ptok,
+ if (!share_access_check(conn->server_info->security_token,
lp_servicename(snum),
FILE_READ_DATA)) {
/* No access, read or write. */
/* we need to build the token for the user. make_server_info_guest()
already does this */
- if ( !server_info->ptok ) {
+ if ( !server_info->security_token ) {
ret = create_local_token( server_info );
if ( !NT_STATUS_IS_OK(ret) ) {
DEBUG(10,("failed to create local token: %s\n",
return;
}
- if (!server_info->ptok) {
+ if (!server_info->security_token) {
nt_status = create_local_token(server_info);
if (!NT_STATUS_IS_OK(nt_status)) {
/* we need to build the token for the user. make_server_info_guest()
already does this */
- if (!session->server_info->ptok ) {
+ if (!session->server_info->security_token ) {
status = create_local_token(session->server_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(10,("smb2: failed to create local token: %s\n",
* in our list of SIDs.
*/
if (nt_token_check_sid(&global_sid_Builtin_Guests,
- conn->server_info->ptok)) {
+ conn->server_info->security_token)) {
flags |= SMB_WHOAMI_GUEST;
}
* is in our list of SIDs.
*/
if (nt_token_check_sid(&global_sid_Authenticated_Users,
- conn->server_info->ptok)) {
+ conn->server_info->security_token)) {
flags &= ~SMB_WHOAMI_GUEST;
}
+ 4 /* pad/reserved */
+ (conn->server_info->utok.ngroups * 8)
/* groups list */
- + (conn->server_info->ptok->num_sids *
+ + (conn->server_info->security_token->num_sids *
SID_MAX_SIZE)
/* SID list */;
}
SIVAL(pdata, 24, conn->server_info->utok.ngroups);
- SIVAL(pdata, 28, conn->server_info->ptok->num_sids);
+ SIVAL(pdata, 28, conn->server_info->security_token->num_sids);
/* We walk the SID list twice, but this call is fairly
* infrequent, and I don't expect that it's performance
* sensitive -- jpeach
*/
for (i = 0, sid_bytes = 0;
- i < conn->server_info->ptok->num_sids; ++i) {
+ i < conn->server_info->security_token->num_sids; ++i) {
sid_bytes += ndr_size_dom_sid(
- &conn->server_info->ptok->sids[i],
+ &conn->server_info->security_token->sids[i],
0);
}
/* SID list */
for (i = 0;
- i < conn->server_info->ptok->num_sids; ++i) {
+ i < conn->server_info->security_token->num_sids; ++i) {
int sid_len = ndr_size_dom_sid(
- &conn->server_info->ptok->sids[i],
+ &conn->server_info->security_token->sids[i],
0);
sid_linearize(pdata + data_len, sid_len,
- &conn->server_info->ptok->sids[i]);
+ &conn->server_info->security_token->sids[i]);
data_len += sid_len;
}
if (!user_ok_token(server_info->unix_name,
server_info->info3->base.domain.string,
- server_info->ptok, snum))
+ server_info->security_token, snum))
return(False);
readonly_share = is_share_read_only_for_token(
server_info->unix_name,
server_info->info3->base.domain.string,
- server_info->ptok,
+ server_info->security_token,
conn);
if (!readonly_share &&
- !share_access_check(server_info->ptok, lp_servicename(snum),
+ !share_access_check(server_info->security_token, lp_servicename(snum),
FILE_WRITE_DATA)) {
/* smb.conf allows r/w, but the security descriptor denies
* write. Fall back to looking at readonly. */
"security descriptor\n"));
}
- if (!share_access_check(server_info->ptok, lp_servicename(snum),
+ if (!share_access_check(server_info->security_token, lp_servicename(snum),
readonly_share ?
FILE_READ_DATA : FILE_WRITE_DATA)) {
return False;
admin_user = token_contains_name_in_list(
server_info->unix_name,
server_info->info3->base.domain.string,
- NULL, server_info->ptok, lp_admin_users(snum));
+ NULL, server_info->security_token, lp_admin_users(snum));
if (valid_vuid) {
struct vuid_cache_entry *ent =
conn->server_info->utok.gid =
conn->force_group_gid;
gid = conn->force_group_gid;
- gid_to_sid(&conn->server_info->ptok
+ gid_to_sid(&conn->server_info->security_token
->sids[1], gid);
break;
}
} else {
conn->server_info->utok.gid = conn->force_group_gid;
gid = conn->force_group_gid;
- gid_to_sid(&conn->server_info->ptok->sids[1],
+ gid_to_sid(&conn->server_info->security_token->sids[1],
gid);
}
}
current_user.ut.groups = group_list;
set_sec_ctx(uid, gid, current_user.ut.ngroups, current_user.ut.groups,
- conn->server_info->ptok);
+ conn->server_info->security_token);
current_user.conn = conn;
current_user.vuid = vuid;
set_sec_ctx(p->server_info->utok.uid, p->server_info->utok.gid,
p->server_info->utok.ngroups, p->server_info->utok.groups,
- p->server_info->ptok);
+ p->server_info->security_token);
return True;
}