2 Unix SMB/CIFS implementation.
3 service (connection) opening and closing
4 Copyright (C) Andrew Tridgell 1992-1998
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 extern userdom_struct current_user_info;
25 /****************************************************************************
26 Ensure when setting connectpath it is a canonicalized (no ./ // or ../)
27 absolute path stating in / and not ending in /.
28 Observent people will notice a similarity between this and check_path_syntax :-).
29 ****************************************************************************/
31 void set_conn_connectpath(connection_struct *conn, const pstring connectpath)
35 const char *s = connectpath;
36 BOOL start_of_name_component = True;
38 *d++ = '/'; /* Always start with root. */
42 /* Eat multiple '/' */
46 if ((d > destname + 1) && (*s != '\0')) {
49 start_of_name_component = True;
53 if (start_of_name_component) {
54 if ((s[0] == '.') && (s[1] == '.') && (s[2] == '/' || s[2] == '\0')) {
55 /* Uh oh - "/../" or "/..\0" ! */
57 /* Go past the ../ or .. */
61 s += 2; /* Go past the .. */
64 /* If we just added a '/' - delete it */
65 if ((d > destname) && (*(d-1) == '/')) {
70 /* Are we at the start ? Can't go back further if so. */
72 *d++ = '/'; /* Can't delete root */
75 /* Go back one level... */
76 /* Decrement d first as d points to the *next* char to write into. */
77 for (d--; d > destname; d--) {
82 /* We're still at the start of a name component, just the previous one. */
84 } else if ((s[0] == '.') && ((s[1] == '\0') || s[1] == '/')) {
85 /* Component of pathname can't be "." only - skip the '.' . */
99 /* Get the size of the next MB character. */
100 next_codepoint(s,&siz);
121 start_of_name_component = False;
125 /* And must not end in '/' */
126 if (d > destname + 1 && (*(d-1) == '/')) {
130 DEBUG(10,("set_conn_connectpath: service %s, connectpath = %s\n",
131 lp_servicename(SNUM(conn)), destname ));
133 string_set(&conn->connectpath, destname);
136 /****************************************************************************
137 Load parameters specific to a connection/service.
138 ****************************************************************************/
140 BOOL set_current_service(connection_struct *conn, uint16 flags, BOOL do_chdir)
142 static connection_struct *last_conn;
143 static uint16 last_flags;
151 conn->lastused_count++;
156 vfs_ChDir(conn,conn->connectpath) != 0 &&
157 vfs_ChDir(conn,conn->origpath) != 0) {
158 DEBUG(0,("chdir (%s) failed\n",
163 if ((conn == last_conn) && (last_flags == flags)) {
170 /* Obey the client case sensitivity requests - only for clients that support it. */
171 switch (lp_casesensitive(snum)) {
174 /* We need this uglyness due to DOS/Win9x clients that lie about case insensitivity. */
175 enum remote_arch_types ra_type = get_remote_arch();
176 if ((ra_type != RA_SAMBA) && (ra_type != RA_CIFSFS)) {
177 /* Client can't support per-packet case sensitive pathnames. */
178 conn->case_sensitive = False;
180 conn->case_sensitive = !(flags & FLAG_CASELESS_PATHNAMES);
185 conn->case_sensitive = True;
188 conn->case_sensitive = False;
194 /****************************************************************************
195 Add a home service. Returns the new service number or -1 if fail.
196 ****************************************************************************/
198 int add_home_service(const char *service, const char *username, const char *homedir)
202 if (!service || !homedir)
205 if ((iHomeService = lp_servicenumber(HOMES_NAME)) < 0)
209 * If this is a winbindd provided username, remove
210 * the domain component before adding the service.
211 * Log a warning if the "path=" parameter does not
212 * include any macros.
216 const char *p = strchr(service,*lp_winbind_separator());
218 /* We only want the 'user' part of the string */
224 if (!lp_add_home(service, iHomeService, username, homedir)) {
228 return lp_servicenumber(service);
232 static int load_registry_service(const char *servicename)
239 uint32 i, num_values;
241 struct registry_value **values = NULL;
245 if (!lp_registry_shares()) {
249 if (asprintf(&path, "%s\\%s", KEY_SMBCONF, servicename) == -1) {
253 err = regkey_open_internal(NULL, NULL, &key, path, get_root_nt_token(),
257 if (!W_ERROR_IS_OK(err)) {
261 status = registry_fetch_values(NULL, key, &num_values, &value_names,
266 if (!NT_STATUS_IS_OK(status)) {
270 res = lp_add_service(servicename, -1);
275 for (i=0; i<num_values; i++) {
276 switch (values[i]->type) {
279 if (asprintf(&val, "%d", values[i]->v.dword) == -1) {
282 lp_do_parameter(res, value_names[i], val);
287 lp_do_parameter(res, value_names[i],
288 values[i]->v.sz.str);
292 /* Ignore all the rest */
297 TALLOC_FREE(value_names);
303 TALLOC_FREE(value_names);
308 void load_registry_shares(void)
315 if (!lp_registry_shares()) {
319 if (!(keys = TALLOC_ZERO_P(NULL, REGSUBKEY_CTR))) {
323 err = regkey_open_internal(keys, NULL, &key, KEY_SMBCONF,
324 get_root_nt_token(), REG_KEY_READ);
325 if (!(W_ERROR_IS_OK(err))) {
329 if (fetch_reg_keys(key, keys) == -1) {
333 for (i=0; i<keys->num_subkeys; i++) {
334 load_registry_service(keys->subkeys[i]);
343 * Find a service entry.
345 * @param service is modified (to canonical form??)
348 int find_service(fstring service)
352 all_string_sub(service,"\\","/",0);
354 iService = lp_servicenumber(service);
356 /* now handle the special case of a home directory */
358 char *phome_dir = get_user_home_dir(service);
362 * Try mapping the servicename, it may
363 * be a Windows to unix mapped user name.
365 if(map_username(service))
366 phome_dir = get_user_home_dir(service);
369 DEBUG(3,("checking for home directory %s gave %s\n",service,
370 phome_dir?phome_dir:"(NULL)"));
372 iService = add_home_service(service,service /* 'username' */, phome_dir);
375 /* If we still don't have a service, attempt to add it as a printer. */
379 if ((iPrinterService = lp_servicenumber(PRINTERS_NAME)) >= 0) {
380 DEBUG(3,("checking whether %s is a valid printer name...\n", service));
381 if (pcap_printername_ok(service)) {
382 DEBUG(3,("%s is a valid printer name\n", service));
383 DEBUG(3,("adding %s as a printer service\n", service));
384 lp_add_printer(service, iPrinterService);
385 iService = lp_servicenumber(service);
387 DEBUG(0,("failed to add %s as a printer service!\n", service));
390 DEBUG(3,("%s is not a valid printer name\n", service));
395 /* Check for default vfs service? Unsure whether to implement this */
399 /* just possibly it's a default service? */
401 char *pdefservice = lp_defaultservice();
402 if (pdefservice && *pdefservice && !strequal(pdefservice,service) && !strstr_m(service,"..")) {
404 * We need to do a local copy here as lp_defaultservice()
405 * returns one of the rotating lp_string buffers that
406 * could get overwritten by the recursive find_service() call
407 * below. Fix from Josef Hinteregger <joehtg@joehtg.co.at>.
410 pstrcpy(defservice, pdefservice);
411 iService = find_service(defservice);
413 all_string_sub(service, "_","/",0);
414 iService = lp_add_service(service, iService);
420 iService = load_registry_service(service);
423 /* Is it a usershare service ? */
424 if (iService < 0 && *lp_usershare_path()) {
425 /* Ensure the name is canonicalized. */
427 iService = load_usershare_service(service);
431 if (!VALID_SNUM(iService)) {
432 DEBUG(0,("Invalid snum %d for %s\n",iService, service));
438 DEBUG(3,("find_service() failed to find service %s\n", service));
444 /****************************************************************************
445 do some basic sainity checks on the share.
446 This function modifies dev, ecode.
447 ****************************************************************************/
449 static NTSTATUS share_sanity_checks(int snum, fstring dev)
452 if (!lp_snum_ok(snum) ||
453 !check_access(smbd_server_fd(),
454 lp_hostsallow(snum), lp_hostsdeny(snum))) {
455 return NT_STATUS_ACCESS_DENIED;
458 if (dev[0] == '?' || !dev[0]) {
459 if (lp_print_ok(snum)) {
460 fstrcpy(dev,"LPT1:");
461 } else if (strequal(lp_fstype(snum), "IPC")) {
470 if (lp_print_ok(snum)) {
471 if (!strequal(dev, "LPT1:")) {
472 return NT_STATUS_BAD_DEVICE_TYPE;
474 } else if (strequal(lp_fstype(snum), "IPC")) {
475 if (!strequal(dev, "IPC")) {
476 return NT_STATUS_BAD_DEVICE_TYPE;
478 } else if (!strequal(dev, "A:")) {
479 return NT_STATUS_BAD_DEVICE_TYPE;
482 /* Behave as a printer if we are supposed to */
483 if (lp_print_ok(snum) && (strcmp(dev, "A:") == 0)) {
484 fstrcpy(dev, "LPT1:");
490 static NTSTATUS find_forced_user(int snum, BOOL vuser_is_guest,
491 uid_t *uid, gid_t *gid, fstring username,
492 struct nt_user_token **token)
495 char *fuser, *found_username;
496 struct nt_user_token *tmp_token;
499 if (!(mem_ctx = talloc_new(NULL))) {
500 DEBUG(0, ("talloc_new failed\n"));
501 return NT_STATUS_NO_MEMORY;
504 if (!(fuser = talloc_string_sub(mem_ctx, lp_force_user(snum), "%S",
505 lp_servicename(snum)))) {
506 TALLOC_FREE(mem_ctx);
507 return NT_STATUS_NO_MEMORY;
511 result = create_token_from_username(mem_ctx, fuser, vuser_is_guest,
512 uid, gid, &found_username,
514 if (!NT_STATUS_IS_OK(result)) {
515 TALLOC_FREE(mem_ctx);
519 if (!(*token = dup_nt_token(NULL, tmp_token))) {
520 TALLOC_FREE(mem_ctx);
521 return NT_STATUS_NO_MEMORY;
524 fstrcpy(username, found_username);
526 TALLOC_FREE(mem_ctx);
531 * Go through lookup_name etc to find the force'd group.
533 * Create a new token from src_token, replacing the primary group sid with the
537 static NTSTATUS find_forced_group(BOOL force_user,
538 int snum, const char *username,
542 NTSTATUS result = NT_STATUS_NO_SUCH_GROUP;
545 enum lsa_SidType type;
547 BOOL user_must_be_member = False;
550 ZERO_STRUCTP(pgroup_sid);
553 mem_ctx = talloc_new(NULL);
554 if (mem_ctx == NULL) {
555 DEBUG(0, ("talloc_new failed\n"));
556 return NT_STATUS_NO_MEMORY;
559 groupname = talloc_strdup(mem_ctx, lp_force_group(snum));
560 if (groupname == NULL) {
561 DEBUG(1, ("talloc_strdup failed\n"));
562 result = NT_STATUS_NO_MEMORY;
566 if (groupname[0] == '+') {
567 user_must_be_member = True;
571 groupname = talloc_string_sub(mem_ctx, groupname,
572 "%S", lp_servicename(snum));
574 if (!lookup_name_smbconf(mem_ctx, groupname,
575 LOOKUP_NAME_ALL|LOOKUP_NAME_GROUP,
576 NULL, NULL, &group_sid, &type)) {
577 DEBUG(10, ("lookup_name_smbconf(%s) failed\n",
582 if ((type != SID_NAME_DOM_GRP) && (type != SID_NAME_ALIAS) &&
583 (type != SID_NAME_WKN_GRP)) {
584 DEBUG(10, ("%s is a %s, not a group\n", groupname,
585 sid_type_lookup(type)));
589 if (!sid_to_gid(&group_sid, &gid)) {
590 DEBUG(10, ("sid_to_gid(%s) for %s failed\n",
591 sid_string_static(&group_sid), groupname));
596 * If the user has been forced and the forced group starts with a '+',
597 * then we only set the group to be the forced group if the forced
598 * user is a member of that group. Otherwise, the meaning of the '+'
602 if (force_user && user_must_be_member) {
603 if (user_in_group_sid(username, &group_sid)) {
604 sid_copy(pgroup_sid, &group_sid);
606 DEBUG(3,("Forced group %s for member %s\n",
607 groupname, username));
609 DEBUG(0,("find_forced_group: forced user %s is not a member "
610 "of forced group %s. Disallowing access.\n",
611 username, groupname ));
612 result = NT_STATUS_MEMBER_NOT_IN_GROUP;
616 sid_copy(pgroup_sid, &group_sid);
618 DEBUG(3,("Forced group %s\n", groupname));
621 result = NT_STATUS_OK;
623 TALLOC_FREE(mem_ctx);
627 /****************************************************************************
628 Make a connection, given the snum to connect to, and the vuser of the
629 connecting user if appropriate.
630 ****************************************************************************/
632 static connection_struct *make_connection_snum(int snum, user_struct *vuser,
637 struct passwd *pass = NULL;
639 connection_struct *conn;
647 SET_STAT_INVALID(st);
649 if (NT_STATUS_IS_ERR(*status = share_sanity_checks(snum, dev))) {
655 DEBUG(0,("Couldn't find free connection.\n"));
656 *status = NT_STATUS_INSUFFICIENT_RESOURCES;
660 conn->nt_user_token = NULL;
662 if (lp_guest_only(snum)) {
663 const char *guestname = lp_guestaccount();
665 char *found_username;
667 pass = getpwnam_alloc(NULL, guestname);
669 DEBUG(0,("make_connection_snum: Invalid guest "
670 "account %s??\n",guestname));
672 *status = NT_STATUS_NO_SUCH_USER;
675 status2 = create_token_from_username(NULL, pass->pw_name, True,
676 &conn->uid, &conn->gid,
678 &conn->nt_user_token);
679 if (!NT_STATUS_IS_OK(status2)) {
684 fstrcpy(user, found_username);
685 string_set(&conn->user,user);
686 conn->force_user = True;
688 DEBUG(3,("Guest only user %s\n",user));
691 if (!lp_guest_ok(snum)) {
692 DEBUG(2, ("guest user (from session setup) "
693 "not permitted to access this share "
694 "(%s)\n", lp_servicename(snum)));
696 *status = NT_STATUS_ACCESS_DENIED;
700 if (!user_ok_token(vuser->user.unix_name,
701 vuser->nt_user_token, snum)) {
702 DEBUG(2, ("user '%s' (from session setup) not "
703 "permitted to access this share "
704 "(%s)\n", vuser->user.unix_name,
705 lp_servicename(snum)));
707 *status = NT_STATUS_ACCESS_DENIED;
711 conn->vuid = vuser->vuid;
712 conn->uid = vuser->uid;
713 conn->gid = vuser->gid;
714 string_set(&conn->user,vuser->user.unix_name);
715 fstrcpy(user,vuser->user.unix_name);
716 guest = vuser->guest;
717 } else if (lp_security() == SEC_SHARE) {
719 char *found_username;
720 /* add it as a possible user name if we
721 are in share mode security */
722 add_session_user(lp_servicename(snum));
723 /* shall we let them in? */
724 if (!authorise_login(snum,user,password,&guest)) {
725 DEBUG( 2, ( "Invalid username/password for [%s]\n",
726 lp_servicename(snum)) );
728 *status = NT_STATUS_WRONG_PASSWORD;
731 pass = Get_Pwnam(user);
732 status2 = create_token_from_username(NULL, pass->pw_name, True,
733 &conn->uid, &conn->gid,
735 &conn->nt_user_token);
736 if (!NT_STATUS_IS_OK(status2)) {
741 fstrcpy(user, found_username);
742 string_set(&conn->user,user);
743 conn->force_user = True;
745 DEBUG(0, ("invalid VUID (vuser) but not in security=share\n"));
747 *status = NT_STATUS_ACCESS_DENIED;
751 add_session_user(user);
753 safe_strcpy(conn->client_address, client_addr(),
754 sizeof(conn->client_address)-1);
755 conn->num_files_open = 0;
756 conn->lastused = conn->lastused_count = time(NULL);
757 conn->params->service = snum;
759 conn->printer = (strncmp(dev,"LPT",3) == 0);
760 conn->ipc = ( (strncmp(dev,"IPC",3) == 0) ||
761 ( lp_enable_asu_support() && strequal(dev,"ADMIN$")) );
764 /* Case options for the share. */
765 if (lp_casesensitive(snum) == Auto) {
766 /* We will be setting this per packet. Set to be case
767 * insensitive for now. */
768 conn->case_sensitive = False;
770 conn->case_sensitive = (BOOL)lp_casesensitive(snum);
773 conn->case_preserve = lp_preservecase(snum);
774 conn->short_case_preserve = lp_shortpreservecase(snum);
776 conn->veto_list = NULL;
777 conn->hide_list = NULL;
778 conn->veto_oplock_list = NULL;
779 conn->aio_write_behind_list = NULL;
780 string_set(&conn->dirpath,"");
781 string_set(&conn->user,user);
783 conn->read_only = lp_readonly(SNUM(conn));
784 conn->admin_user = False;
787 * If force user is true, then store the given userid and the gid of
788 * the user we're forcing.
789 * For auxiliary groups see below.
792 if (*lp_force_user(snum)) {
795 status2 = find_forced_user(snum,
796 (vuser != NULL) && vuser->guest,
797 &conn->uid, &conn->gid, user,
798 &conn->nt_user_token);
799 if (!NT_STATUS_IS_OK(status2)) {
804 string_set(&conn->user,user);
805 conn->force_user = True;
806 DEBUG(3,("Forced user %s\n",user));
810 * If force group is true, then override
811 * any groupid stored for the connecting user.
814 if (*lp_force_group(snum)) {
818 status2 = find_forced_group(conn->force_user,
820 &group_sid, &conn->gid);
821 if (!NT_STATUS_IS_OK(status2)) {
827 if ((conn->nt_user_token == NULL) && (vuser != NULL)) {
829 /* Not force user and not security=share, but force
830 * group. vuser has a token to copy */
832 conn->nt_user_token = dup_nt_token(
833 NULL, vuser->nt_user_token);
834 if (conn->nt_user_token == NULL) {
835 DEBUG(0, ("dup_nt_token failed\n"));
837 *status = NT_STATUS_NO_MEMORY;
842 /* If conn->nt_user_token is still NULL, we have
843 * security=share. This means ignore the SID, as we had no
844 * vuser to copy from */
846 if (conn->nt_user_token != NULL) {
847 /* Overwrite the primary group sid */
848 sid_copy(&conn->nt_user_token->user_sids[1],
852 conn->force_group = True;
855 if (conn->nt_user_token != NULL) {
858 /* We have a share-specific token from force [user|group].
859 * This means we have to create the list of unix groups from
860 * the list of sids. */
865 for (i=0; i<conn->nt_user_token->num_sids; i++) {
867 DOM_SID *sid = &conn->nt_user_token->user_sids[i];
869 if (!sid_to_gid(sid, &gid)) {
870 DEBUG(10, ("Could not convert SID %s to gid, "
872 sid_string_static(sid)));
875 add_gid_to_array_unique(NULL, gid, &conn->groups,
882 pstrcpy(s,lp_pathname(snum));
883 standard_sub_advanced(lp_servicename(SNUM(conn)), conn->user,
884 conn->connectpath, conn->gid,
885 get_current_username(),
886 current_user_info.domain,
888 set_conn_connectpath(conn,s);
889 DEBUG(3,("Connect path is '%s' for service [%s]\n",s,
890 lp_servicename(snum)));
894 * New code to check if there's a share security descripter
895 * added from NT server manager. This is done after the
896 * smb.conf checks are done as we need a uid and token. JRA.
901 NT_USER_TOKEN *token = conn->nt_user_token ?
902 conn->nt_user_token : vuser->nt_user_token;
904 BOOL can_write = share_access_check(token,
905 lp_servicename(snum),
909 if (!share_access_check(token,
910 lp_servicename(snum),
912 /* No access, read or write. */
913 DEBUG(0,("make_connection: connection to %s "
914 "denied due to security "
916 lp_servicename(snum)));
918 *status = NT_STATUS_ACCESS_DENIED;
921 conn->read_only = True;
925 /* Initialise VFS function pointers */
927 if (!smbd_vfs_init(conn)) {
928 DEBUG(0, ("vfs_init failed for service %s\n",
929 lp_servicename(snum)));
931 *status = NT_STATUS_BAD_NETWORK_NAME;
936 * If widelinks are disallowed we need to canonicalise the connect
937 * path here to ensure we don't have any symlinks in the
938 * connectpath. We will be checking all paths on this connection are
939 * below this directory. We must do this after the VFS init as we
940 * depend on the realpath() pointer in the vfs table. JRA.
942 if (!lp_widelinks(snum)) {
944 pstrcpy(s,conn->connectpath);
945 canonicalize_path(conn, s);
946 set_conn_connectpath(conn,s);
949 /* ROOT Activities: */
950 /* check number of connections */
951 if (!claim_connection(conn,
952 lp_servicename(snum),
953 lp_max_connections(snum),
955 DEBUG(1,("too many connections - rejected\n"));
957 *status = NT_STATUS_INSUFFICIENT_RESOURCES;
961 /* Preexecs are done here as they might make the dir we are to ChDir
963 /* execute any "root preexec = " line */
964 if (*lp_rootpreexec(snum)) {
966 pstrcpy(cmd,lp_rootpreexec(snum));
967 standard_sub_advanced(lp_servicename(SNUM(conn)), conn->user,
968 conn->connectpath, conn->gid,
969 get_current_username(),
970 current_user_info.domain,
972 DEBUG(5,("cmd=%s\n",cmd));
973 ret = smbrun(cmd,NULL);
974 if (ret != 0 && lp_rootpreexec_close(snum)) {
975 DEBUG(1,("root preexec gave %d - failing "
976 "connection\n", ret));
977 yield_connection(conn, lp_servicename(snum));
979 *status = NT_STATUS_ACCESS_DENIED;
984 /* USER Activites: */
985 if (!change_to_user(conn, conn->vuid)) {
986 /* No point continuing if they fail the basic checks */
987 DEBUG(0,("Can't become connected user!\n"));
988 yield_connection(conn, lp_servicename(snum));
990 *status = NT_STATUS_LOGON_FAILURE;
994 /* Remember that a different vuid can connect later without these
997 /* Preexecs are done here as they might make the dir we are to ChDir
1000 /* execute any "preexec = " line */
1001 if (*lp_preexec(snum)) {
1003 pstrcpy(cmd,lp_preexec(snum));
1004 standard_sub_advanced(lp_servicename(SNUM(conn)), conn->user,
1005 conn->connectpath, conn->gid,
1006 get_current_username(),
1007 current_user_info.domain,
1009 ret = smbrun(cmd,NULL);
1010 if (ret != 0 && lp_preexec_close(snum)) {
1011 DEBUG(1,("preexec gave %d - failing connection\n",
1013 change_to_root_user();
1014 yield_connection(conn, lp_servicename(snum));
1016 *status = NT_STATUS_ACCESS_DENIED;
1021 #ifdef WITH_FAKE_KASERVER
1022 if (lp_afs_share(snum)) {
1027 /* Add veto/hide lists */
1028 if (!IS_IPC(conn) && !IS_PRINT(conn)) {
1029 set_namearray( &conn->veto_list, lp_veto_files(snum));
1030 set_namearray( &conn->hide_list, lp_hide_files(snum));
1031 set_namearray( &conn->veto_oplock_list, lp_veto_oplocks(snum));
1034 /* Invoke VFS make connection hook - do this before the VFS_STAT call
1035 to allow any filesystems needing user credentials to initialize
1038 if (SMB_VFS_CONNECT(conn, lp_servicename(snum), user) < 0) {
1039 DEBUG(0,("make_connection: VFS make connection failed!\n"));
1040 change_to_root_user();
1041 yield_connection(conn, lp_servicename(snum));
1043 *status = NT_STATUS_UNSUCCESSFUL;
1047 /* win2000 does not check the permissions on the directory
1048 during the tree connect, instead relying on permission
1049 check during individual operations. To match this behaviour
1050 I have disabled this chdir check (tridge) */
1051 /* the alternative is just to check the directory exists */
1052 if ((ret = SMB_VFS_STAT(conn, conn->connectpath, &st)) != 0 ||
1053 !S_ISDIR(st.st_mode)) {
1054 if (ret == 0 && !S_ISDIR(st.st_mode)) {
1055 DEBUG(0,("'%s' is not a directory, when connecting to "
1056 "[%s]\n", conn->connectpath,
1057 lp_servicename(snum)));
1059 DEBUG(0,("'%s' does not exist or permission denied "
1060 "when connecting to [%s] Error was %s\n",
1061 conn->connectpath, lp_servicename(snum),
1064 change_to_root_user();
1065 /* Call VFS disconnect hook */
1066 SMB_VFS_DISCONNECT(conn);
1067 yield_connection(conn, lp_servicename(snum));
1069 *status = NT_STATUS_BAD_NETWORK_NAME;
1073 string_set(&conn->origpath,conn->connectpath);
1075 #if SOFTLINK_OPTIMISATION
1076 /* resolve any soft links early if possible */
1077 if (vfs_ChDir(conn,conn->connectpath) == 0) {
1079 pstrcpy(s,conn->connectpath);
1081 set_conn_connectpath(conn,s);
1082 vfs_ChDir(conn,conn->connectpath);
1087 * Print out the 'connected as' stuff here as we need
1088 * to know the effective uid and gid we will be using
1089 * (at least initially).
1092 if( DEBUGLVL( IS_IPC(conn) ? 3 : 1 ) ) {
1093 dbgtext( "%s (%s) ", get_remote_machine_name(),
1094 conn->client_address );
1095 dbgtext( "%s", srv_is_signing_active() ? "signed " : "");
1096 dbgtext( "connect to service %s ", lp_servicename(snum) );
1097 dbgtext( "initially as user %s ", user );
1098 dbgtext( "(uid=%d, gid=%d) ", (int)geteuid(), (int)getegid() );
1099 dbgtext( "(pid %d)\n", (int)sys_getpid() );
1102 /* Setup the minimum value for a change notify wait time (seconds). */
1103 set_change_notify_timeout(lp_change_notify_timeout(snum));
1105 /* we've finished with the user stuff - go back to root */
1106 change_to_root_user();
1110 /***************************************************************************************
1111 Simple wrapper function for make_connection() to include a call to
1113 **************************************************************************************/
1115 connection_struct *make_connection_with_chdir(const char *service_in,
1117 const char *dev, uint16 vuid,
1120 connection_struct *conn = NULL;
1122 conn = make_connection(service_in, password, dev, vuid, status);
1125 * make_connection() does not change the directory for us any more
1126 * so we have to do it as a separate step --jerry
1129 if ( conn && vfs_ChDir(conn,conn->connectpath) != 0 ) {
1130 DEBUG(0,("move_driver_to_download_area: Can't change "
1131 "directory to %s for [print$] (%s)\n",
1132 conn->connectpath,strerror(errno)));
1133 yield_connection(conn, lp_servicename(SNUM(conn)));
1135 *status = NT_STATUS_UNSUCCESSFUL;
1142 /****************************************************************************
1143 Make a connection to a service.
1146 ****************************************************************************/
1148 connection_struct *make_connection(const char *service_in, DATA_BLOB password,
1149 const char *pdev, uint16 vuid,
1153 user_struct *vuser = NULL;
1160 /* This must ONLY BE CALLED AS ROOT. As it exits this function as
1162 if (!non_root_mode() && (euid = geteuid()) != 0) {
1163 DEBUG(0,("make_connection: PANIC ERROR. Called as nonroot "
1164 "(%u)\n", (unsigned int)euid ));
1165 smb_panic("make_connection: PANIC ERROR. Called as nonroot\n");
1168 if (conn_num_open() > 2047) {
1169 *status = NT_STATUS_INSUFF_SERVER_RESOURCES;
1173 if(lp_security() != SEC_SHARE) {
1174 vuser = get_valid_user_struct(vuid);
1176 DEBUG(1,("make_connection: refusing to connect with "
1177 "no session setup\n"));
1178 *status = NT_STATUS_ACCESS_DENIED;
1183 /* Logic to try and connect to the correct [homes] share, preferably
1184 without too many getpwnam() lookups. This is particulary nasty for
1185 winbind usernames, where the share name isn't the same as unix
1188 The snum of the homes share is stored on the vuser at session setup
1192 if (strequal(service_in,HOMES_NAME)) {
1193 if(lp_security() != SEC_SHARE) {
1194 DATA_BLOB no_pw = data_blob(NULL, 0);
1195 if (vuser->homes_snum == -1) {
1196 DEBUG(2, ("[homes] share not available for "
1197 "this user because it was not found "
1198 "or created at session setup "
1200 *status = NT_STATUS_BAD_NETWORK_NAME;
1203 DEBUG(5, ("making a connection to [homes] service "
1204 "created at session setup time\n"));
1205 return make_connection_snum(vuser->homes_snum,
1209 /* Security = share. Try with
1210 * current_user_info.smb_name as the username. */
1211 if (*current_user_info.smb_name) {
1212 fstring unix_username;
1213 fstrcpy(unix_username,
1214 current_user_info.smb_name);
1215 map_username(unix_username);
1216 snum = find_service(unix_username);
1219 DEBUG(5, ("making a connection to 'homes' "
1220 "service %s based on "
1221 "security=share\n", service_in));
1222 return make_connection_snum(snum, NULL,
1227 } else if ((lp_security() != SEC_SHARE) && (vuser->homes_snum != -1)
1228 && strequal(service_in,
1229 lp_servicename(vuser->homes_snum))) {
1230 DATA_BLOB no_pw = data_blob(NULL, 0);
1231 DEBUG(5, ("making a connection to 'homes' service [%s] "
1232 "created at session setup time\n", service_in));
1233 return make_connection_snum(vuser->homes_snum,
1238 fstrcpy(service, service_in);
1240 strlower_m(service);
1242 snum = find_service(service);
1245 if (strequal(service,"IPC$") ||
1246 (lp_enable_asu_support() && strequal(service,"ADMIN$"))) {
1247 DEBUG(3,("refusing IPC connection to %s\n", service));
1248 *status = NT_STATUS_ACCESS_DENIED;
1252 DEBUG(0,("%s (%s) couldn't find service %s\n",
1253 get_remote_machine_name(), client_addr(), service));
1254 *status = NT_STATUS_BAD_NETWORK_NAME;
1258 /* Handle non-Dfs clients attempting connections to msdfs proxy */
1259 if (lp_host_msdfs() && (*lp_msdfs_proxy(snum) != '\0')) {
1260 DEBUG(3, ("refusing connection to dfs proxy share '%s' "
1261 "(pointing to %s)\n",
1262 service, lp_msdfs_proxy(snum)));
1263 *status = NT_STATUS_BAD_NETWORK_NAME;
1267 DEBUG(5, ("making a connection to 'normal' service %s\n", service));
1269 return make_connection_snum(snum, vuser,
1274 /****************************************************************************
1276 ****************************************************************************/
1278 void close_cnum(connection_struct *conn, uint16 vuid)
1281 pipe_close_conn(conn);
1283 file_close_conn(conn);
1284 dptr_closecnum(conn);
1287 change_to_root_user();
1289 DEBUG(IS_IPC(conn)?3:1, ("%s (%s) closed connection to service %s\n",
1290 get_remote_machine_name(),
1291 conn->client_address,
1292 lp_servicename(SNUM(conn))));
1294 /* Call VFS disconnect hook */
1295 SMB_VFS_DISCONNECT(conn);
1297 yield_connection(conn, lp_servicename(SNUM(conn)));
1299 /* make sure we leave the directory available for unmount */
1300 vfs_ChDir(conn, "/");
1302 /* execute any "postexec = " line */
1303 if (*lp_postexec(SNUM(conn)) &&
1304 change_to_user(conn, vuid)) {
1306 pstrcpy(cmd,lp_postexec(SNUM(conn)));
1307 standard_sub_advanced(lp_servicename(SNUM(conn)), conn->user,
1308 conn->connectpath, conn->gid,
1309 get_current_username(),
1310 current_user_info.domain,
1313 change_to_root_user();
1316 change_to_root_user();
1317 /* execute any "root postexec = " line */
1318 if (*lp_rootpostexec(SNUM(conn))) {
1320 pstrcpy(cmd,lp_rootpostexec(SNUM(conn)));
1321 standard_sub_advanced(lp_servicename(SNUM(conn)), conn->user,
1322 conn->connectpath, conn->gid,
1323 get_current_username(),
1324 current_user_info.domain,