r7395: * new feature 'map to guest = bad uid' (based on patch from
authorGerald Carter <jerry@samba.org>
Wed, 8 Jun 2005 14:23:49 +0000 (14:23 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 15:57:08 +0000 (10:57 -0500)
  aruna.prabakar@hp.com).

This re-enables the Samba 2.2 behavior where a user that was
successfully authenticated by a remote DC would be mapped
to the guest account if there was no existing UNIX account
for that user and we could not create one.

source/auth/auth.c
source/include/smb.h
source/param/loadparm.c
source/smbd/sesssetup.c

index b777e97cc9da35ce182f3f7d6053042a5cf69f7a..61f638fcd0b70b37e2a56759bfc3db50a7268b0c 100644 (file)
@@ -279,6 +279,8 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context,
                }
        }
 
+       /* successful authentication */
+       
        if (NT_STATUS_IS_OK(nt_status)) {
                unix_username = (*server_info)->unix_name;
                if (!(*server_info)->guest) {
@@ -304,14 +306,22 @@ static NTSTATUS check_ntlm_password(const struct auth_context *auth_context,
                               user_info->internal_username.str, 
                               unix_username));
                }
+               
+               return nt_status;
        }
-
-       if (!NT_STATUS_IS_OK(nt_status)) {
+       
+       /* failed authentication; check for guest lapping */
+       
+       if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID ) {
+               make_server_info_guest(server_info); 
+               nt_status = NT_STATUS_OK;
+        } else {
                DEBUG(2, ("check_ntlm_password:  Authentication for user [%s] -> [%s] FAILED with error %s\n", 
-                         user_info->smb_name.str, user_info->internal_username.str, 
-                         nt_errstr(nt_status)));
-               ZERO_STRUCTP(server_info);
+               user_info->smb_name.str, user_info->internal_username.str, 
+               nt_errstr(nt_status)));
+               ZERO_STRUCTP(server_info); 
        }
+       
        return nt_status;
 }
 
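Review bot: The new bad-uid branch maps every failed authentication to guest, because the condition on the `if ( lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID )` line tests only the option and never looks at nt_status, so a wrong password for an existing account (or any other failure from the auth methods) now returns NT_STATUS_OK with a guest server_info — broader than both the commit message's intent (DC-authenticated users lacking a UNIX account) and the existing "Bad Password" setting. The guard should also test the status the auth backend returns when the UNIX account lookup fails, e.g. `if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID && NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_SUCH_USER)) {` — confirm against what the domain auth method actually returns in that case. The return value of `make_server_info_guest(server_info);` is also dropped; if it fails the function still reports NT_STATUS_OK with an unusable server_info, so it should be propagated (`nt_status = make_server_info_guest(server_info);`, assuming it returns an NTSTATUS in this tree) and the downgrade logged at a level an administrator will see, since a silent guest mapping is exactly the event audit logs need. Minor: the comment reads "guest lapping" for "guest mapping", and the `} else {` line is indented with spaces where the rest of the function uses tabs. check_ntlm_password begins before this hunk.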
index 35ae5723b05ee3b88685729c00cbc5097edbb4ce..4bf967bf35dab74a5fcf04fe95c0766f60c8fd42 100644 (file)
@@ -1648,12 +1648,6 @@ struct unix_error_map {
        NTSTATUS nt_error;
 };
 
-/*
-#include "ntdomain.h"
-
-#include "client.h"
-*/
-
 /*
  * Size of new password account encoding string.  This is enough space to
  * hold 11 ACB characters, plus the surrounding [] and a terminating null.
@@ -1683,9 +1677,10 @@ struct unix_error_map {
    level security.
 */
 
-#define NEVER_MAP_TO_GUEST 0
-#define MAP_TO_GUEST_ON_BAD_USER 1
-#define MAP_TO_GUEST_ON_BAD_PASSWORD 2
+#define NEVER_MAP_TO_GUEST             0
+#define MAP_TO_GUEST_ON_BAD_USER       1
+#define MAP_TO_GUEST_ON_BAD_PASSWORD   2
+#define MAP_TO_GUEST_ON_BAD_UID        3
 
 #define SAFE_NETBIOS_CHARS ". -_"
 
index 2c6a93483d59716b1b0a6672f5d7b9b0103a5765..7089bbfd6ab36383422bdd737f9b37cdbcd86854 100644 (file)
@@ -763,6 +763,7 @@ static const struct enum_list enum_map_to_guest[] = {
        {NEVER_MAP_TO_GUEST, "Never"},
        {MAP_TO_GUEST_ON_BAD_USER, "Bad User"},
        {MAP_TO_GUEST_ON_BAD_PASSWORD, "Bad Password"},
+        {MAP_TO_GUEST_ON_BAD_UID, "Bad Uid"},
        {-1, NULL}
 };
 
index 6f963fc603c10308f6d7b5e243738ebbd23093c5..5808de9788d821aaa0897f870723e7fc0d358be0 100644 (file)
@@ -144,7 +144,7 @@ static int reply_spnego_kerberos(connection_struct *conn,
        char *client, *p, *domain;
        fstring netbios_domain_name;
        struct passwd *pw;
-       char *user;
+       fstring user;
        int sess_vuid;
        NTSTATUS ret;
        DATA_BLOB auth_data;
@@ -154,6 +154,7 @@ static int reply_spnego_kerberos(connection_struct *conn,
        uint8 tok_id[2];
        DATA_BLOB nullblob = data_blob(NULL, 0);
        fstring real_username;
+       BOOL map_domainuser_to_guest = False;
 
        ZERO_STRUCT(ticket);
        ZERO_STRUCT(auth_data);
@@ -238,37 +239,52 @@ static int reply_spnego_kerberos(connection_struct *conn,
                }
        }
 
-       asprintf(&user, "%s%c%s", domain, *lp_winbind_separator(), client);
+       fstr_sprintf(user, "%s%c%s", domain, *lp_winbind_separator(), client);
        
        /* lookup the passwd struct, create a new user if necessary */
 
        map_username( user );
 
        pw = smb_getpwnam( user, real_username, True );
-       
        if (!pw) {
-               DEBUG(1,("Username %s is invalid on this system\n",user));
-               SAFE_FREE(user);
-               SAFE_FREE(client);
-               data_blob_free(&ap_rep);
-               data_blob_free(&session_key);
-               return ERROR_NT(NT_STATUS_LOGON_FAILURE);
+
+               /* this was originally the behavior of Samba 2.2, if a user
+                  did not have a local uid but has been authenticated, then 
+                  map them to a guest account */
+
+               if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID){ 
+                       map_domainuser_to_guest = True;
+                       fstrcpy(user,lp_guestaccount());
+                       pw = smb_getpwnam( user, real_username, True );
+               } 
+
+               /* extra sanity check that the guest account is valid */
+
+               if ( !pw ) {
+                       DEBUG(1,("Username %s is invalid on this system\n", user));
+                       SAFE_FREE(client);
+                       data_blob_free(&ap_rep);
+                       data_blob_free(&session_key);
+                       return ERROR_NT(NT_STATUS_LOGON_FAILURE);
+               }
        }
 
        /* setup the string used by %U */
        
        sub_set_smb_name( real_username );
        reload_services(True);
-       
-       if (!NT_STATUS_IS_OK(ret = make_server_info_pw(&server_info, real_username, pw))) 
-       {
-               DEBUG(1,("make_server_info_from_pw failed!\n"));
-               SAFE_FREE(user);
-               SAFE_FREE(client);
-               data_blob_free(&ap_rep);
-               data_blob_free(&session_key);
-               passwd_free(&pw);
-               return ERROR_NT(ret);
+       if ( map_domainuser_to_guest ) {
+               make_server_info_guest(&server_info);
+       } else {
+               ret = make_server_info_pw(&server_info, real_username, pw);
+               if ( !NT_STATUS_IS_OK(ret) ) {
+                       DEBUG(1,("make_server_info_from_pw failed!\n"));
+                       SAFE_FREE(client);
+                       data_blob_free(&ap_rep);
+                       data_blob_free(&session_key);
+                       passwd_free(&pw);
+                       return ERROR_NT(ret);
+               }
        }
        passwd_free(&pw);
 
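Review bot: `make_server_info_guest(&server_info);` in the new `if ( map_domainuser_to_guest )` branch discards its return value, so on failure server_info is never set yet execution continues to `register_vuid(server_info, ...)` in the next hunk; both branches should feed the same NTSTATUS check and the cleanup sequence already written for make_server_info_pw, as sketched below. The fallback is also silent: the only DEBUG on this path fires when even the guest account is missing, so the Kerberos principal that was actually authenticated is lost the moment `fstrcpy(user,lp_guestaccount())` overwrites user — a log line before that copy makes the downgrade visible to administrators. Replacing asprintf with `fstr_sprintf(user, "%s%c%s", domain, *lp_winbind_separator(), client)` further means an over-long domain+client string is now truncated silently to the fstring size before `map_username( user )` and the passwd lookup, where the old code was unbounded; if the lengths of domain and client are not already bounded by the caller (I cannot see that from the hunk), truncation should be rejected rather than looked up as a different name. reply_spnego_kerberos begins before this hunk and continues past it.
```c
	/* … unchanged: fstr_sprintf, map_username, first smb_getpwnam … */
		if (lp_map_to_guest() == MAP_TO_GUEST_ON_BAD_UID){
			DEBUG(1,("reply_spnego_kerberos: no UNIX account for %s; mapping to guest account %s (map to guest = bad uid)\n",
				 user, lp_guestaccount()));
			map_domainuser_to_guest = True;
			fstrcpy(user,lp_guestaccount());
			pw = smb_getpwnam( user, real_username, True );
		}
	/* … unchanged: guest-account sanity check, sub_set_smb_name, reload_services … */
	if ( map_domainuser_to_guest ) {
		ret = make_server_info_guest(&server_info);
	} else {
		ret = make_server_info_pw(&server_info, real_username, pw);
	}
	if ( !NT_STATUS_IS_OK(ret) ) {
		DEBUG(1,("make_server_info failed!\n"));
		SAFE_FREE(client);
		data_blob_free(&ap_rep);
		data_blob_free(&session_key);
		passwd_free(&pw);
		return ERROR_NT(ret);
	}
	/* … unchanged: passwd_free(&pw) … */
```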
@@ -284,7 +300,6 @@ static int reply_spnego_kerberos(connection_struct *conn,
           A better interface would copy it.... */
        sess_vuid = register_vuid(server_info, session_key, nullblob, client);
 
-       SAFE_FREE(user);
        SAFE_FREE(client);
 
        if (sess_vuid == -1) {