2 Unix SMB/CIFS implementation.
3 service (connection) opening and closing
4 Copyright (C) Andrew Tridgell 1992-1998
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 extern userdom_struct current_user_info;
25 /****************************************************************************
26 Ensure when setting connectpath it is a canonicalized (no ./ // or ../)
27 absolute path stating in / and not ending in /.
28 Observent people will notice a similarity between this and check_path_syntax :-).
29 ****************************************************************************/
31 void set_conn_connectpath(connection_struct *conn, const pstring connectpath)
35 const char *s = connectpath;
36 BOOL start_of_name_component = True;
38 *d++ = '/'; /* Always start with root. */
42 /* Eat multiple '/' */
46 if ((d > destname + 1) && (*s != '\0')) {
49 start_of_name_component = True;
53 if (start_of_name_component) {
54 if ((s[0] == '.') && (s[1] == '.') && (s[2] == '/' || s[2] == '\0')) {
55 /* Uh oh - "/../" or "/..\0" ! */
57 /* Go past the ../ or .. */
61 s += 2; /* Go past the .. */
64 /* If we just added a '/' - delete it */
65 if ((d > destname) && (*(d-1) == '/')) {
70 /* Are we at the start ? Can't go back further if so. */
72 *d++ = '/'; /* Can't delete root */
75 /* Go back one level... */
76 /* Decrement d first as d points to the *next* char to write into. */
77 for (d--; d > destname; d--) {
82 /* We're still at the start of a name component, just the previous one. */
84 } else if ((s[0] == '.') && ((s[1] == '\0') || s[1] == '/')) {
85 /* Component of pathname can't be "." only - skip the '.' . */
99 /* Get the size of the next MB character. */
100 next_codepoint(s,&siz);
121 start_of_name_component = False;
125 /* And must not end in '/' */
126 if (d > destname + 1 && (*(d-1) == '/')) {
130 DEBUG(10,("set_conn_connectpath: service %s, connectpath = %s\n",
131 lp_servicename(SNUM(conn)), destname ));
133 string_set(&conn->connectpath, destname);
136 /****************************************************************************
137 Load parameters specific to a connection/service.
138 ****************************************************************************/
140 BOOL set_current_service(connection_struct *conn, uint16 flags, BOOL do_chdir)
142 static connection_struct *last_conn;
143 static uint16 last_flags;
151 conn->lastused_count++;
156 vfs_ChDir(conn,conn->connectpath) != 0 &&
157 vfs_ChDir(conn,conn->origpath) != 0) {
158 DEBUG(0,("chdir (%s) failed\n",
163 if ((conn == last_conn) && (last_flags == flags)) {
170 /* Obey the client case sensitivity requests - only for clients that support it. */
171 switch (lp_casesensitive(snum)) {
174 /* We need this uglyness due to DOS/Win9x clients that lie about case insensitivity. */
175 enum remote_arch_types ra_type = get_remote_arch();
176 if ((ra_type != RA_SAMBA) && (ra_type != RA_CIFSFS)) {
177 /* Client can't support per-packet case sensitive pathnames. */
178 conn->case_sensitive = False;
180 conn->case_sensitive = !(flags & FLAG_CASELESS_PATHNAMES);
185 conn->case_sensitive = True;
188 conn->case_sensitive = False;
194 /****************************************************************************
195 Add a home service. Returns the new service number or -1 if fail.
196 ****************************************************************************/
198 int add_home_service(const char *service, const char *username, const char *homedir)
202 if (!service || !homedir)
205 if ((iHomeService = lp_servicenumber(HOMES_NAME)) < 0)
209 * If this is a winbindd provided username, remove
210 * the domain component before adding the service.
211 * Log a warning if the "path=" parameter does not
212 * include any macros.
216 const char *p = strchr(service,*lp_winbind_separator());
218 /* We only want the 'user' part of the string */
224 if (!lp_add_home(service, iHomeService, username, homedir)) {
228 return lp_servicenumber(service);
232 static int load_registry_service(const char *servicename)
234 struct registry_key *key;
240 struct registry_value *value;
244 if (!lp_registry_shares()) {
248 if (asprintf(&path, "%s\\%s", KEY_SMBCONF, servicename) == -1) {
252 err = reg_open_path(NULL, path, REG_KEY_READ, get_root_nt_token(),
256 if (!W_ERROR_IS_OK(err)) {
260 res = lp_add_service(servicename, -1);
266 W_ERROR_IS_OK(reg_enumvalue(key, key, i, &value_name, &value));
268 switch (value->type) {
271 if (asprintf(&tmp, "%d", value->v.dword) == -1) {
274 lp_do_parameter(res, value_name, tmp);
279 lp_do_parameter(res, value_name, value->v.sz.str);
283 /* Ignore all the rest */
287 TALLOC_FREE(value_name);
297 void load_registry_shares(void)
299 struct registry_key *key;
304 if (!lp_registry_shares()) {
308 err = reg_open_path(NULL, KEY_SMBCONF, REG_KEY_READ,
309 get_root_nt_token(), &key);
310 if (!(W_ERROR_IS_OK(err))) {
314 for (i=0; W_ERROR_IS_OK(reg_enumkey(key, key, i, &name, NULL)); i++) {
315 load_registry_service(name);
324 * Find a service entry.
326 * @param service is modified (to canonical form??)
329 int find_service(fstring service)
333 all_string_sub(service,"\\","/",0);
335 iService = lp_servicenumber(service);
337 /* now handle the special case of a home directory */
339 char *phome_dir = get_user_home_dir(service);
343 * Try mapping the servicename, it may
344 * be a Windows to unix mapped user name.
346 if(map_username(service))
347 phome_dir = get_user_home_dir(service);
350 DEBUG(3,("checking for home directory %s gave %s\n",service,
351 phome_dir?phome_dir:"(NULL)"));
353 iService = add_home_service(service,service /* 'username' */, phome_dir);
356 /* If we still don't have a service, attempt to add it as a printer. */
360 if ((iPrinterService = lp_servicenumber(PRINTERS_NAME)) >= 0) {
361 DEBUG(3,("checking whether %s is a valid printer name...\n", service));
362 if (pcap_printername_ok(service)) {
363 DEBUG(3,("%s is a valid printer name\n", service));
364 DEBUG(3,("adding %s as a printer service\n", service));
365 lp_add_printer(service, iPrinterService);
366 iService = lp_servicenumber(service);
368 DEBUG(0,("failed to add %s as a printer service!\n", service));
371 DEBUG(3,("%s is not a valid printer name\n", service));
376 /* Check for default vfs service? Unsure whether to implement this */
380 /* just possibly it's a default service? */
382 char *pdefservice = lp_defaultservice();
383 if (pdefservice && *pdefservice && !strequal(pdefservice,service) && !strstr_m(service,"..")) {
385 * We need to do a local copy here as lp_defaultservice()
386 * returns one of the rotating lp_string buffers that
387 * could get overwritten by the recursive find_service() call
388 * below. Fix from Josef Hinteregger <joehtg@joehtg.co.at>.
391 pstrcpy(defservice, pdefservice);
392 iService = find_service(defservice);
394 all_string_sub(service, "_","/",0);
395 iService = lp_add_service(service, iService);
401 iService = load_registry_service(service);
404 /* Is it a usershare service ? */
405 if (iService < 0 && *lp_usershare_path()) {
406 /* Ensure the name is canonicalized. */
408 iService = load_usershare_service(service);
412 if (!VALID_SNUM(iService)) {
413 DEBUG(0,("Invalid snum %d for %s\n",iService, service));
419 DEBUG(3,("find_service() failed to find service %s\n", service));
425 /****************************************************************************
426 do some basic sainity checks on the share.
427 This function modifies dev, ecode.
428 ****************************************************************************/
430 static NTSTATUS share_sanity_checks(int snum, fstring dev)
433 if (!lp_snum_ok(snum) ||
434 !check_access(smbd_server_fd(),
435 lp_hostsallow(snum), lp_hostsdeny(snum))) {
436 return NT_STATUS_ACCESS_DENIED;
439 if (dev[0] == '?' || !dev[0]) {
440 if (lp_print_ok(snum)) {
441 fstrcpy(dev,"LPT1:");
442 } else if (strequal(lp_fstype(snum), "IPC")) {
451 if (lp_print_ok(snum)) {
452 if (!strequal(dev, "LPT1:")) {
453 return NT_STATUS_BAD_DEVICE_TYPE;
455 } else if (strequal(lp_fstype(snum), "IPC")) {
456 if (!strequal(dev, "IPC")) {
457 return NT_STATUS_BAD_DEVICE_TYPE;
459 } else if (!strequal(dev, "A:")) {
460 return NT_STATUS_BAD_DEVICE_TYPE;
463 /* Behave as a printer if we are supposed to */
464 if (lp_print_ok(snum) && (strcmp(dev, "A:") == 0)) {
465 fstrcpy(dev, "LPT1:");
471 static NTSTATUS find_forced_user(connection_struct *conn, BOOL vuser_is_guest, fstring username)
473 int snum = conn->params->service;
474 char *fuser, *found_username;
477 if (!(fuser = talloc_string_sub(conn->mem_ctx, lp_force_user(snum), "%S",
478 lp_servicename(snum)))) {
479 return NT_STATUS_NO_MEMORY;
482 result = create_token_from_username(conn->mem_ctx, fuser, vuser_is_guest,
483 &conn->uid, &conn->gid, &found_username,
484 &conn->nt_user_token);
485 if (!NT_STATUS_IS_OK(result)) {
489 fstrcpy(username, found_username);
492 TALLOC_FREE(found_username);
497 * Go through lookup_name etc to find the force'd group.
499 * Create a new token from src_token, replacing the primary group sid with the
503 static NTSTATUS find_forced_group(BOOL force_user,
504 int snum, const char *username,
508 NTSTATUS result = NT_STATUS_NO_SUCH_GROUP;
511 enum lsa_SidType type;
513 BOOL user_must_be_member = False;
516 ZERO_STRUCTP(pgroup_sid);
519 mem_ctx = talloc_new(NULL);
520 if (mem_ctx == NULL) {
521 DEBUG(0, ("talloc_new failed\n"));
522 return NT_STATUS_NO_MEMORY;
525 groupname = talloc_strdup(mem_ctx, lp_force_group(snum));
526 if (groupname == NULL) {
527 DEBUG(1, ("talloc_strdup failed\n"));
528 result = NT_STATUS_NO_MEMORY;
532 if (groupname[0] == '+') {
533 user_must_be_member = True;
537 groupname = talloc_string_sub(mem_ctx, groupname,
538 "%S", lp_servicename(snum));
540 if (!lookup_name_smbconf(mem_ctx, groupname,
541 LOOKUP_NAME_ALL|LOOKUP_NAME_GROUP,
542 NULL, NULL, &group_sid, &type)) {
543 DEBUG(10, ("lookup_name_smbconf(%s) failed\n",
548 if ((type != SID_NAME_DOM_GRP) && (type != SID_NAME_ALIAS) &&
549 (type != SID_NAME_WKN_GRP)) {
550 DEBUG(10, ("%s is a %s, not a group\n", groupname,
551 sid_type_lookup(type)));
555 if (!sid_to_gid(&group_sid, &gid)) {
556 DEBUG(10, ("sid_to_gid(%s) for %s failed\n",
557 sid_string_static(&group_sid), groupname));
562 * If the user has been forced and the forced group starts with a '+',
563 * then we only set the group to be the forced group if the forced
564 * user is a member of that group. Otherwise, the meaning of the '+'
568 if (force_user && user_must_be_member) {
569 if (user_in_group_sid(username, &group_sid)) {
570 sid_copy(pgroup_sid, &group_sid);
572 DEBUG(3,("Forced group %s for member %s\n",
573 groupname, username));
575 DEBUG(0,("find_forced_group: forced user %s is not a member "
576 "of forced group %s. Disallowing access.\n",
577 username, groupname ));
578 result = NT_STATUS_MEMBER_NOT_IN_GROUP;
582 sid_copy(pgroup_sid, &group_sid);
584 DEBUG(3,("Forced group %s\n", groupname));
587 result = NT_STATUS_OK;
589 TALLOC_FREE(mem_ctx);
593 /****************************************************************************
594 Make a connection, given the snum to connect to, and the vuser of the
595 connecting user if appropriate.
596 ****************************************************************************/
598 static connection_struct *make_connection_snum(int snum, user_struct *vuser,
603 struct passwd *pass = NULL;
605 connection_struct *conn;
613 SET_STAT_INVALID(st);
615 if (NT_STATUS_IS_ERR(*status = share_sanity_checks(snum, dev))) {
621 DEBUG(0,("Couldn't find free connection.\n"));
622 *status = NT_STATUS_INSUFFICIENT_RESOURCES;
626 conn->params->service = snum;
627 conn->nt_user_token = NULL;
629 if (lp_guest_only(snum)) {
630 const char *guestname = lp_guestaccount();
632 char *found_username = NULL;
635 pass = getpwnam_alloc(NULL, guestname);
637 DEBUG(0,("make_connection_snum: Invalid guest "
638 "account %s??\n",guestname));
640 *status = NT_STATUS_NO_SUCH_USER;
643 status2 = create_token_from_username(conn->mem_ctx, pass->pw_name, True,
644 &conn->uid, &conn->gid,
646 &conn->nt_user_token);
647 if (!NT_STATUS_IS_OK(status2)) {
653 fstrcpy(user, found_username);
654 string_set(&conn->user,user);
655 conn->force_user = True;
656 TALLOC_FREE(found_username);
658 DEBUG(3,("Guest only user %s\n",user));
661 if (!lp_guest_ok(snum)) {
662 DEBUG(2, ("guest user (from session setup) "
663 "not permitted to access this share "
664 "(%s)\n", lp_servicename(snum)));
666 *status = NT_STATUS_ACCESS_DENIED;
670 if (!user_ok_token(vuser->user.unix_name,
671 vuser->nt_user_token, snum)) {
672 DEBUG(2, ("user '%s' (from session setup) not "
673 "permitted to access this share "
674 "(%s)\n", vuser->user.unix_name,
675 lp_servicename(snum)));
677 *status = NT_STATUS_ACCESS_DENIED;
681 conn->vuid = vuser->vuid;
682 conn->uid = vuser->uid;
683 conn->gid = vuser->gid;
684 string_set(&conn->user,vuser->user.unix_name);
685 fstrcpy(user,vuser->user.unix_name);
686 guest = vuser->guest;
687 } else if (lp_security() == SEC_SHARE) {
689 char *found_username = NULL;
691 /* add it as a possible user name if we
692 are in share mode security */
693 add_session_user(lp_servicename(snum));
694 /* shall we let them in? */
695 if (!authorise_login(snum,user,password,&guest)) {
696 DEBUG( 2, ( "Invalid username/password for [%s]\n",
697 lp_servicename(snum)) );
699 *status = NT_STATUS_WRONG_PASSWORD;
702 pass = Get_Pwnam(user);
703 status2 = create_token_from_username(conn->mem_ctx, pass->pw_name, True,
704 &conn->uid, &conn->gid,
706 &conn->nt_user_token);
707 if (!NT_STATUS_IS_OK(status2)) {
712 fstrcpy(user, found_username);
713 string_set(&conn->user,user);
714 TALLOC_FREE(found_username);
715 conn->force_user = True;
717 DEBUG(0, ("invalid VUID (vuser) but not in security=share\n"));
719 *status = NT_STATUS_ACCESS_DENIED;
723 add_session_user(user);
725 safe_strcpy(conn->client_address, client_addr(),
726 sizeof(conn->client_address)-1);
727 conn->num_files_open = 0;
728 conn->lastused = conn->lastused_count = time(NULL);
730 conn->printer = (strncmp(dev,"LPT",3) == 0);
731 conn->ipc = ( (strncmp(dev,"IPC",3) == 0) ||
732 ( lp_enable_asu_support() && strequal(dev,"ADMIN$")) );
735 /* Case options for the share. */
736 if (lp_casesensitive(snum) == Auto) {
737 /* We will be setting this per packet. Set to be case
738 * insensitive for now. */
739 conn->case_sensitive = False;
741 conn->case_sensitive = (BOOL)lp_casesensitive(snum);
744 conn->case_preserve = lp_preservecase(snum);
745 conn->short_case_preserve = lp_shortpreservecase(snum);
747 conn->veto_list = NULL;
748 conn->hide_list = NULL;
749 conn->veto_oplock_list = NULL;
750 conn->aio_write_behind_list = NULL;
751 string_set(&conn->dirpath,"");
752 string_set(&conn->user,user);
754 conn->read_only = lp_readonly(SNUM(conn));
755 conn->admin_user = False;
758 * If force user is true, then store the given userid and the gid of
759 * the user we're forcing.
760 * For auxiliary groups see below.
763 if (*lp_force_user(snum)) {
766 status2 = find_forced_user(conn,
767 (vuser != NULL) && vuser->guest,
769 if (!NT_STATUS_IS_OK(status2)) {
774 string_set(&conn->user,user);
775 conn->force_user = True;
776 DEBUG(3,("Forced user %s\n",user));
780 * If force group is true, then override
781 * any groupid stored for the connecting user.
784 if (*lp_force_group(snum)) {
788 status2 = find_forced_group(conn->force_user,
790 &group_sid, &conn->gid);
791 if (!NT_STATUS_IS_OK(status2)) {
797 if ((conn->nt_user_token == NULL) && (vuser != NULL)) {
799 /* Not force user and not security=share, but force
800 * group. vuser has a token to copy */
802 conn->nt_user_token = dup_nt_token(
803 NULL, vuser->nt_user_token);
804 if (conn->nt_user_token == NULL) {
805 DEBUG(0, ("dup_nt_token failed\n"));
807 *status = NT_STATUS_NO_MEMORY;
812 /* If conn->nt_user_token is still NULL, we have
813 * security=share. This means ignore the SID, as we had no
814 * vuser to copy from */
816 if (conn->nt_user_token != NULL) {
817 /* Overwrite the primary group sid */
818 sid_copy(&conn->nt_user_token->user_sids[1],
822 conn->force_group = True;
825 if (conn->nt_user_token != NULL) {
828 /* We have a share-specific token from force [user|group].
829 * This means we have to create the list of unix groups from
830 * the list of sids. */
835 for (i=0; i<conn->nt_user_token->num_sids; i++) {
837 DOM_SID *sid = &conn->nt_user_token->user_sids[i];
839 if (!sid_to_gid(sid, &gid)) {
840 DEBUG(10, ("Could not convert SID %s to gid, "
842 sid_string_static(sid)));
845 if (!add_gid_to_array_unique(conn->mem_ctx, gid, &conn->groups,
847 DEBUG(0, ("add_gid_to_array_unique failed\n"));
849 *status = NT_STATUS_NO_MEMORY;
857 pstrcpy(s,lp_pathname(snum));
858 standard_sub_advanced(lp_servicename(SNUM(conn)), conn->user,
859 conn->connectpath, conn->gid,
860 get_current_username(),
861 current_user_info.domain,
863 set_conn_connectpath(conn,s);
864 DEBUG(3,("Connect path is '%s' for service [%s]\n",s,
865 lp_servicename(snum)));
869 * New code to check if there's a share security descripter
870 * added from NT server manager. This is done after the
871 * smb.conf checks are done as we need a uid and token. JRA.
876 NT_USER_TOKEN *token = conn->nt_user_token ?
877 conn->nt_user_token : vuser->nt_user_token;
879 BOOL can_write = share_access_check(token,
880 lp_servicename(snum),
884 if (!share_access_check(token,
885 lp_servicename(snum),
887 /* No access, read or write. */
888 DEBUG(0,("make_connection: connection to %s "
889 "denied due to security "
891 lp_servicename(snum)));
893 *status = NT_STATUS_ACCESS_DENIED;
896 conn->read_only = True;
900 /* Initialise VFS function pointers */
902 if (!smbd_vfs_init(conn)) {
903 DEBUG(0, ("vfs_init failed for service %s\n",
904 lp_servicename(snum)));
906 *status = NT_STATUS_BAD_NETWORK_NAME;
911 * If widelinks are disallowed we need to canonicalise the connect
912 * path here to ensure we don't have any symlinks in the
913 * connectpath. We will be checking all paths on this connection are
914 * below this directory. We must do this after the VFS init as we
915 * depend on the realpath() pointer in the vfs table. JRA.
917 if (!lp_widelinks(snum)) {
919 pstrcpy(s,conn->connectpath);
920 canonicalize_path(conn, s);
921 set_conn_connectpath(conn,s);
924 /* ROOT Activities: */
925 /* check number of connections */
926 if (!claim_connection(conn,
927 lp_servicename(snum),
928 lp_max_connections(snum),
930 DEBUG(1,("too many connections - rejected\n"));
932 *status = NT_STATUS_INSUFFICIENT_RESOURCES;
936 /* Preexecs are done here as they might make the dir we are to ChDir
938 /* execute any "root preexec = " line */
939 if (*lp_rootpreexec(snum)) {
941 pstrcpy(cmd,lp_rootpreexec(snum));
942 standard_sub_advanced(lp_servicename(SNUM(conn)), conn->user,
943 conn->connectpath, conn->gid,
944 get_current_username(),
945 current_user_info.domain,
947 DEBUG(5,("cmd=%s\n",cmd));
948 ret = smbrun(cmd,NULL);
949 if (ret != 0 && lp_rootpreexec_close(snum)) {
950 DEBUG(1,("root preexec gave %d - failing "
951 "connection\n", ret));
952 yield_connection(conn, lp_servicename(snum));
954 *status = NT_STATUS_ACCESS_DENIED;
959 /* USER Activites: */
960 if (!change_to_user(conn, conn->vuid)) {
961 /* No point continuing if they fail the basic checks */
962 DEBUG(0,("Can't become connected user!\n"));
963 yield_connection(conn, lp_servicename(snum));
965 *status = NT_STATUS_LOGON_FAILURE;
969 /* Remember that a different vuid can connect later without these
972 /* Preexecs are done here as they might make the dir we are to ChDir
975 /* execute any "preexec = " line */
976 if (*lp_preexec(snum)) {
978 pstrcpy(cmd,lp_preexec(snum));
979 standard_sub_advanced(lp_servicename(SNUM(conn)), conn->user,
980 conn->connectpath, conn->gid,
981 get_current_username(),
982 current_user_info.domain,
984 ret = smbrun(cmd,NULL);
985 if (ret != 0 && lp_preexec_close(snum)) {
986 DEBUG(1,("preexec gave %d - failing connection\n",
988 change_to_root_user();
989 yield_connection(conn, lp_servicename(snum));
991 *status = NT_STATUS_ACCESS_DENIED;
996 #ifdef WITH_FAKE_KASERVER
997 if (lp_afs_share(snum)) {
1002 /* Add veto/hide lists */
1003 if (!IS_IPC(conn) && !IS_PRINT(conn)) {
1004 set_namearray( &conn->veto_list, lp_veto_files(snum));
1005 set_namearray( &conn->hide_list, lp_hide_files(snum));
1006 set_namearray( &conn->veto_oplock_list, lp_veto_oplocks(snum));
1009 /* Invoke VFS make connection hook - do this before the VFS_STAT call
1010 to allow any filesystems needing user credentials to initialize
1013 if (SMB_VFS_CONNECT(conn, lp_servicename(snum), user) < 0) {
1014 DEBUG(0,("make_connection: VFS make connection failed!\n"));
1015 change_to_root_user();
1016 yield_connection(conn, lp_servicename(snum));
1018 *status = NT_STATUS_UNSUCCESSFUL;
1022 /* win2000 does not check the permissions on the directory
1023 during the tree connect, instead relying on permission
1024 check during individual operations. To match this behaviour
1025 I have disabled this chdir check (tridge) */
1026 /* the alternative is just to check the directory exists */
1027 if ((ret = SMB_VFS_STAT(conn, conn->connectpath, &st)) != 0 ||
1028 !S_ISDIR(st.st_mode)) {
1029 if (ret == 0 && !S_ISDIR(st.st_mode)) {
1030 DEBUG(0,("'%s' is not a directory, when connecting to "
1031 "[%s]\n", conn->connectpath,
1032 lp_servicename(snum)));
1034 DEBUG(0,("'%s' does not exist or permission denied "
1035 "when connecting to [%s] Error was %s\n",
1036 conn->connectpath, lp_servicename(snum),
1039 change_to_root_user();
1040 /* Call VFS disconnect hook */
1041 SMB_VFS_DISCONNECT(conn);
1042 yield_connection(conn, lp_servicename(snum));
1044 *status = NT_STATUS_BAD_NETWORK_NAME;
1048 string_set(&conn->origpath,conn->connectpath);
1050 #if SOFTLINK_OPTIMISATION
1051 /* resolve any soft links early if possible */
1052 if (vfs_ChDir(conn,conn->connectpath) == 0) {
1054 pstrcpy(s,conn->connectpath);
1056 set_conn_connectpath(conn,s);
1057 vfs_ChDir(conn,conn->connectpath);
1062 * Print out the 'connected as' stuff here as we need
1063 * to know the effective uid and gid we will be using
1064 * (at least initially).
1067 if( DEBUGLVL( IS_IPC(conn) ? 3 : 1 ) ) {
1068 dbgtext( "%s (%s) ", get_remote_machine_name(),
1069 conn->client_address );
1070 dbgtext( "%s", srv_is_signing_active() ? "signed " : "");
1071 dbgtext( "connect to service %s ", lp_servicename(snum) );
1072 dbgtext( "initially as user %s ", user );
1073 dbgtext( "(uid=%d, gid=%d) ", (int)geteuid(), (int)getegid() );
1074 dbgtext( "(pid %d)\n", (int)sys_getpid() );
1077 /* we've finished with the user stuff - go back to root */
1078 change_to_root_user();
1082 /***************************************************************************************
1083 Simple wrapper function for make_connection() to include a call to
1085 **************************************************************************************/
1087 connection_struct *make_connection_with_chdir(const char *service_in,
1089 const char *dev, uint16 vuid,
1092 connection_struct *conn = NULL;
1094 conn = make_connection(service_in, password, dev, vuid, status);
1097 * make_connection() does not change the directory for us any more
1098 * so we have to do it as a separate step --jerry
1101 if ( conn && vfs_ChDir(conn,conn->connectpath) != 0 ) {
1102 DEBUG(0,("move_driver_to_download_area: Can't change "
1103 "directory to %s for [print$] (%s)\n",
1104 conn->connectpath,strerror(errno)));
1105 yield_connection(conn, lp_servicename(SNUM(conn)));
1107 *status = NT_STATUS_UNSUCCESSFUL;
1114 /****************************************************************************
1115 Make a connection to a service.
1118 ****************************************************************************/
1120 connection_struct *make_connection(const char *service_in, DATA_BLOB password,
1121 const char *pdev, uint16 vuid,
1125 user_struct *vuser = NULL;
1132 /* This must ONLY BE CALLED AS ROOT. As it exits this function as
1134 if (!non_root_mode() && (euid = geteuid()) != 0) {
1135 DEBUG(0,("make_connection: PANIC ERROR. Called as nonroot "
1136 "(%u)\n", (unsigned int)euid ));
1137 smb_panic("make_connection: PANIC ERROR. Called as nonroot\n");
1140 if (conn_num_open() > 2047) {
1141 *status = NT_STATUS_INSUFF_SERVER_RESOURCES;
1145 if(lp_security() != SEC_SHARE) {
1146 vuser = get_valid_user_struct(vuid);
1148 DEBUG(1,("make_connection: refusing to connect with "
1149 "no session setup\n"));
1150 *status = NT_STATUS_ACCESS_DENIED;
1155 /* Logic to try and connect to the correct [homes] share, preferably
1156 without too many getpwnam() lookups. This is particulary nasty for
1157 winbind usernames, where the share name isn't the same as unix
1160 The snum of the homes share is stored on the vuser at session setup
1164 if (strequal(service_in,HOMES_NAME)) {
1165 if(lp_security() != SEC_SHARE) {
1166 DATA_BLOB no_pw = data_blob(NULL, 0);
1167 if (vuser->homes_snum == -1) {
1168 DEBUG(2, ("[homes] share not available for "
1169 "this user because it was not found "
1170 "or created at session setup "
1172 *status = NT_STATUS_BAD_NETWORK_NAME;
1175 DEBUG(5, ("making a connection to [homes] service "
1176 "created at session setup time\n"));
1177 return make_connection_snum(vuser->homes_snum,
1181 /* Security = share. Try with
1182 * current_user_info.smb_name as the username. */
1183 if (*current_user_info.smb_name) {
1184 fstring unix_username;
1185 fstrcpy(unix_username,
1186 current_user_info.smb_name);
1187 map_username(unix_username);
1188 snum = find_service(unix_username);
1191 DEBUG(5, ("making a connection to 'homes' "
1192 "service %s based on "
1193 "security=share\n", service_in));
1194 return make_connection_snum(snum, NULL,
1199 } else if ((lp_security() != SEC_SHARE) && (vuser->homes_snum != -1)
1200 && strequal(service_in,
1201 lp_servicename(vuser->homes_snum))) {
1202 DATA_BLOB no_pw = data_blob(NULL, 0);
1203 DEBUG(5, ("making a connection to 'homes' service [%s] "
1204 "created at session setup time\n", service_in));
1205 return make_connection_snum(vuser->homes_snum,
1210 fstrcpy(service, service_in);
1212 strlower_m(service);
1214 snum = find_service(service);
1217 if (strequal(service,"IPC$") ||
1218 (lp_enable_asu_support() && strequal(service,"ADMIN$"))) {
1219 DEBUG(3,("refusing IPC connection to %s\n", service));
1220 *status = NT_STATUS_ACCESS_DENIED;
1224 DEBUG(0,("%s (%s) couldn't find service %s\n",
1225 get_remote_machine_name(), client_addr(), service));
1226 *status = NT_STATUS_BAD_NETWORK_NAME;
1230 /* Handle non-Dfs clients attempting connections to msdfs proxy */
1231 if (lp_host_msdfs() && (*lp_msdfs_proxy(snum) != '\0')) {
1232 DEBUG(3, ("refusing connection to dfs proxy share '%s' "
1233 "(pointing to %s)\n",
1234 service, lp_msdfs_proxy(snum)));
1235 *status = NT_STATUS_BAD_NETWORK_NAME;
1239 DEBUG(5, ("making a connection to 'normal' service %s\n", service));
1241 return make_connection_snum(snum, vuser,
1246 /****************************************************************************
1248 ****************************************************************************/
1250 void close_cnum(connection_struct *conn, uint16 vuid)
1253 pipe_close_conn(conn);
1255 file_close_conn(conn);
1256 dptr_closecnum(conn);
1259 change_to_root_user();
1261 DEBUG(IS_IPC(conn)?3:1, ("%s (%s) closed connection to service %s\n",
1262 get_remote_machine_name(),
1263 conn->client_address,
1264 lp_servicename(SNUM(conn))));
1266 /* Call VFS disconnect hook */
1267 SMB_VFS_DISCONNECT(conn);
1269 yield_connection(conn, lp_servicename(SNUM(conn)));
1271 /* make sure we leave the directory available for unmount */
1272 vfs_ChDir(conn, "/");
1274 /* execute any "postexec = " line */
1275 if (*lp_postexec(SNUM(conn)) &&
1276 change_to_user(conn, vuid)) {
1278 pstrcpy(cmd,lp_postexec(SNUM(conn)));
1279 standard_sub_advanced(lp_servicename(SNUM(conn)), conn->user,
1280 conn->connectpath, conn->gid,
1281 get_current_username(),
1282 current_user_info.domain,
1285 change_to_root_user();
1288 change_to_root_user();
1289 /* execute any "root postexec = " line */
1290 if (*lp_rootpostexec(SNUM(conn))) {
1292 pstrcpy(cmd,lp_rootpostexec(SNUM(conn)));
1293 standard_sub_advanced(lp_servicename(SNUM(conn)), conn->user,
1294 conn->connectpath, conn->gid,
1295 get_current_username(),
1296 current_user_info.domain,