2 Unix SMB/CIFS implementation.
3 service (connection) opening and closing
4 Copyright (C) Andrew Tridgell 1992-1998
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 extern userdom_struct current_user_info;
24 static bool canonicalize_connect_path(connection_struct *conn)
26 #ifdef REALPATH_TAKES_NULL
28 char *resolved_name = SMB_VFS_REALPATH(conn,conn->connectpath,NULL);
32 ret = set_conn_connectpath(conn,resolved_name);
33 SAFE_FREE(resolved_name);
36 char resolved_name_buf[PATH_MAX+1];
37 char *resolved_name = SMB_VFS_REALPATH(conn,conn->connectpath,resolved_name_buf);
41 return set_conn_connectpath(conn,resolved_name);
42 #endif /* REALPATH_TAKES_NULL */
45 /****************************************************************************
46 Ensure when setting connectpath it is a canonicalized (no ./ // or ../)
47 absolute path stating in / and not ending in /.
48 Observent people will notice a similarity between this and check_path_syntax :-).
49 ****************************************************************************/
51 bool set_conn_connectpath(connection_struct *conn, const char *connectpath)
55 const char *s = connectpath;
56 bool start_of_name_component = true;
58 destname = SMB_STRDUP(connectpath);
64 *d++ = '/'; /* Always start with root. */
68 /* Eat multiple '/' */
72 if ((d > destname + 1) && (*s != '\0')) {
75 start_of_name_component = True;
79 if (start_of_name_component) {
80 if ((s[0] == '.') && (s[1] == '.') && (s[2] == '/' || s[2] == '\0')) {
81 /* Uh oh - "/../" or "/..\0" ! */
83 /* Go past the ../ or .. */
87 s += 2; /* Go past the .. */
90 /* If we just added a '/' - delete it */
91 if ((d > destname) && (*(d-1) == '/')) {
96 /* Are we at the start ? Can't go back further if so. */
98 *d++ = '/'; /* Can't delete root */
101 /* Go back one level... */
102 /* Decrement d first as d points to the *next* char to write into. */
103 for (d--; d > destname; d--) {
108 /* We're still at the start of a name component, just the previous one. */
110 } else if ((s[0] == '.') && ((s[1] == '\0') || s[1] == '/')) {
111 /* Component of pathname can't be "." only - skip the '.' . */
125 /* Get the size of the next MB character. */
126 next_codepoint(s,&siz);
147 start_of_name_component = false;
151 /* And must not end in '/' */
152 if (d > destname + 1 && (*(d-1) == '/')) {
156 DEBUG(10,("set_conn_connectpath: service %s, connectpath = %s\n",
157 lp_servicename(SNUM(conn)), destname ));
159 string_set(&conn->connectpath, destname);
164 /****************************************************************************
165 Load parameters specific to a connection/service.
166 ****************************************************************************/
168 bool set_current_service(connection_struct *conn, uint16 flags, bool do_chdir)
170 static connection_struct *last_conn;
171 static uint16 last_flags;
179 conn->lastused_count++;
184 vfs_ChDir(conn,conn->connectpath) != 0 &&
185 vfs_ChDir(conn,conn->origpath) != 0) {
186 DEBUG(0,("chdir (%s) failed\n",
191 if ((conn == last_conn) && (last_flags == flags)) {
198 /* Obey the client case sensitivity requests - only for clients that support it. */
199 switch (lp_casesensitive(snum)) {
202 /* We need this uglyness due to DOS/Win9x clients that lie about case insensitivity. */
203 enum remote_arch_types ra_type = get_remote_arch();
204 if ((ra_type != RA_SAMBA) && (ra_type != RA_CIFSFS)) {
205 /* Client can't support per-packet case sensitive pathnames. */
206 conn->case_sensitive = False;
208 conn->case_sensitive = !(flags & FLAG_CASELESS_PATHNAMES);
213 conn->case_sensitive = True;
216 conn->case_sensitive = False;
222 static int load_registry_service(const char *servicename)
224 struct registry_key *key;
230 struct registry_value *value;
234 if (!lp_registry_shares()) {
238 if (asprintf(&path, "%s\\%s", KEY_SMBCONF, servicename) == -1) {
242 err = reg_open_path(NULL, path, REG_KEY_READ, get_root_nt_token(),
246 if (!W_ERROR_IS_OK(err)) {
250 res = lp_add_service(servicename, -1);
256 W_ERROR_IS_OK(reg_enumvalue(key, key, i, &value_name, &value));
258 switch (value->type) {
261 if (asprintf(&tmp, "%d", value->v.dword) == -1) {
264 lp_do_parameter(res, value_name, tmp);
269 lp_do_parameter(res, value_name, value->v.sz.str);
273 /* Ignore all the rest */
277 TALLOC_FREE(value_name);
287 void load_registry_shares(void)
289 struct registry_key *key;
294 if (!lp_registry_shares()) {
298 err = reg_open_path(NULL, KEY_SMBCONF, REG_KEY_READ,
299 get_root_nt_token(), &key);
300 if (!(W_ERROR_IS_OK(err))) {
304 for (i=0; W_ERROR_IS_OK(reg_enumkey(key, key, i, &name, NULL)); i++) {
305 load_registry_service(name);
313 /****************************************************************************
314 Add a home service. Returns the new service number or -1 if fail.
315 ****************************************************************************/
317 int add_home_service(const char *service, const char *username, const char *homedir)
321 if (!service || !homedir)
324 if ((iHomeService = lp_servicenumber(HOMES_NAME)) < 0) {
325 if ((iHomeService = load_registry_service(HOMES_NAME)) < 0) {
331 * If this is a winbindd provided username, remove
332 * the domain component before adding the service.
333 * Log a warning if the "path=" parameter does not
334 * include any macros.
338 const char *p = strchr(service,*lp_winbind_separator());
340 /* We only want the 'user' part of the string */
346 if (!lp_add_home(service, iHomeService, username, homedir)) {
350 return lp_servicenumber(service);
355 * Find a service entry.
357 * @param service is modified (to canonical form??)
360 int find_service(fstring service)
364 all_string_sub(service,"\\","/",0);
366 iService = lp_servicenumber(service);
368 /* now handle the special case of a home directory */
370 char *phome_dir = get_user_home_dir(talloc_tos(), service);
374 * Try mapping the servicename, it may
375 * be a Windows to unix mapped user name.
377 if(map_username(service))
378 phome_dir = get_user_home_dir(
379 talloc_tos(), service);
382 DEBUG(3,("checking for home directory %s gave %s\n",service,
383 phome_dir?phome_dir:"(NULL)"));
385 iService = add_home_service(service,service /* 'username' */, phome_dir);
388 /* If we still don't have a service, attempt to add it as a printer. */
392 if ((iPrinterService = lp_servicenumber(PRINTERS_NAME)) < 0) {
393 iPrinterService = load_registry_service(PRINTERS_NAME);
395 if (iPrinterService) {
396 DEBUG(3,("checking whether %s is a valid printer name...\n", service));
397 if (pcap_printername_ok(service)) {
398 DEBUG(3,("%s is a valid printer name\n", service));
399 DEBUG(3,("adding %s as a printer service\n", service));
400 lp_add_printer(service, iPrinterService);
401 iService = lp_servicenumber(service);
403 DEBUG(0,("failed to add %s as a printer service!\n", service));
406 DEBUG(3,("%s is not a valid printer name\n", service));
411 /* Check for default vfs service? Unsure whether to implement this */
416 iService = load_registry_service(service);
419 /* Is it a usershare service ? */
420 if (iService < 0 && *lp_usershare_path()) {
421 /* Ensure the name is canonicalized. */
423 iService = load_usershare_service(service);
426 /* just possibly it's a default service? */
428 char *pdefservice = lp_defaultservice();
429 if (pdefservice && *pdefservice && !strequal(pdefservice,service) && !strstr_m(service,"..")) {
431 * We need to do a local copy here as lp_defaultservice()
432 * returns one of the rotating lp_string buffers that
433 * could get overwritten by the recursive find_service() call
434 * below. Fix from Josef Hinteregger <joehtg@joehtg.co.at>.
436 char *defservice = SMB_STRDUP(pdefservice);
442 /* Disallow anything except explicit share names. */
443 if (strequal(defservice,HOMES_NAME) ||
444 strequal(defservice, PRINTERS_NAME) ||
445 strequal(defservice, "IPC$")) {
446 SAFE_FREE(defservice);
450 iService = find_service(defservice);
452 all_string_sub(service, "_","/",0);
453 iService = lp_add_service(service, iService);
455 SAFE_FREE(defservice);
460 if (!VALID_SNUM(iService)) {
461 DEBUG(0,("Invalid snum %d for %s\n",iService, service));
469 DEBUG(3,("find_service() failed to find service %s\n", service));
475 /****************************************************************************
476 do some basic sainity checks on the share.
477 This function modifies dev, ecode.
478 ****************************************************************************/
480 static NTSTATUS share_sanity_checks(int snum, fstring dev)
483 if (!lp_snum_ok(snum) ||
484 !check_access(smbd_server_fd(),
485 lp_hostsallow(snum), lp_hostsdeny(snum))) {
486 return NT_STATUS_ACCESS_DENIED;
489 if (dev[0] == '?' || !dev[0]) {
490 if (lp_print_ok(snum)) {
491 fstrcpy(dev,"LPT1:");
492 } else if (strequal(lp_fstype(snum), "IPC")) {
501 if (lp_print_ok(snum)) {
502 if (!strequal(dev, "LPT1:")) {
503 return NT_STATUS_BAD_DEVICE_TYPE;
505 } else if (strequal(lp_fstype(snum), "IPC")) {
506 if (!strequal(dev, "IPC")) {
507 return NT_STATUS_BAD_DEVICE_TYPE;
509 } else if (!strequal(dev, "A:")) {
510 return NT_STATUS_BAD_DEVICE_TYPE;
513 /* Behave as a printer if we are supposed to */
514 if (lp_print_ok(snum) && (strcmp(dev, "A:") == 0)) {
515 fstrcpy(dev, "LPT1:");
521 static NTSTATUS find_forced_user(connection_struct *conn, bool vuser_is_guest, fstring username)
523 int snum = conn->params->service;
524 char *fuser, *found_username;
527 if (!(fuser = talloc_string_sub(conn->mem_ctx, lp_force_user(snum), "%S",
528 lp_servicename(snum)))) {
529 return NT_STATUS_NO_MEMORY;
532 result = create_token_from_username(conn->mem_ctx, fuser, vuser_is_guest,
533 &conn->uid, &conn->gid, &found_username,
534 &conn->nt_user_token);
535 if (!NT_STATUS_IS_OK(result)) {
539 fstrcpy(username, found_username);
542 TALLOC_FREE(found_username);
547 * Go through lookup_name etc to find the force'd group.
549 * Create a new token from src_token, replacing the primary group sid with the
553 static NTSTATUS find_forced_group(bool force_user,
554 int snum, const char *username,
558 NTSTATUS result = NT_STATUS_NO_SUCH_GROUP;
561 enum lsa_SidType type;
563 bool user_must_be_member = False;
566 ZERO_STRUCTP(pgroup_sid);
569 mem_ctx = talloc_new(NULL);
570 if (mem_ctx == NULL) {
571 DEBUG(0, ("talloc_new failed\n"));
572 return NT_STATUS_NO_MEMORY;
575 groupname = talloc_strdup(mem_ctx, lp_force_group(snum));
576 if (groupname == NULL) {
577 DEBUG(1, ("talloc_strdup failed\n"));
578 result = NT_STATUS_NO_MEMORY;
582 if (groupname[0] == '+') {
583 user_must_be_member = True;
587 groupname = talloc_string_sub(mem_ctx, groupname,
588 "%S", lp_servicename(snum));
590 if (!lookup_name_smbconf(mem_ctx, groupname,
591 LOOKUP_NAME_ALL|LOOKUP_NAME_GROUP,
592 NULL, NULL, &group_sid, &type)) {
593 DEBUG(10, ("lookup_name_smbconf(%s) failed\n",
598 if ((type != SID_NAME_DOM_GRP) && (type != SID_NAME_ALIAS) &&
599 (type != SID_NAME_WKN_GRP)) {
600 DEBUG(10, ("%s is a %s, not a group\n", groupname,
601 sid_type_lookup(type)));
605 if (!sid_to_gid(&group_sid, &gid)) {
606 DEBUG(10, ("sid_to_gid(%s) for %s failed\n",
607 sid_string_dbg(&group_sid), groupname));
612 * If the user has been forced and the forced group starts with a '+',
613 * then we only set the group to be the forced group if the forced
614 * user is a member of that group. Otherwise, the meaning of the '+'
618 if (force_user && user_must_be_member) {
619 if (user_in_group_sid(username, &group_sid)) {
620 sid_copy(pgroup_sid, &group_sid);
622 DEBUG(3,("Forced group %s for member %s\n",
623 groupname, username));
625 DEBUG(0,("find_forced_group: forced user %s is not a member "
626 "of forced group %s. Disallowing access.\n",
627 username, groupname ));
628 result = NT_STATUS_MEMBER_NOT_IN_GROUP;
632 sid_copy(pgroup_sid, &group_sid);
634 DEBUG(3,("Forced group %s\n", groupname));
637 result = NT_STATUS_OK;
639 TALLOC_FREE(mem_ctx);
643 /****************************************************************************
644 Make a connection, given the snum to connect to, and the vuser of the
645 connecting user if appropriate.
646 ****************************************************************************/
648 static connection_struct *make_connection_snum(int snum, user_struct *vuser,
653 struct passwd *pass = NULL;
655 connection_struct *conn;
660 char addr[INET6_ADDRSTRLEN];
661 bool on_err_call_dis_hook = false;
665 SET_STAT_INVALID(st);
667 if (NT_STATUS_IS_ERR(*status = share_sanity_checks(snum, dev))) {
673 DEBUG(0,("Couldn't find free connection.\n"));
674 *status = NT_STATUS_INSUFFICIENT_RESOURCES;
678 conn->params->service = snum;
679 conn->nt_user_token = NULL;
681 if (lp_guest_only(snum)) {
682 const char *guestname = lp_guestaccount();
684 char *found_username = NULL;
687 pass = getpwnam_alloc(NULL, guestname);
689 DEBUG(0,("make_connection_snum: Invalid guest "
690 "account %s??\n",guestname));
692 *status = NT_STATUS_NO_SUCH_USER;
695 status2 = create_token_from_username(conn->mem_ctx, pass->pw_name, True,
696 &conn->uid, &conn->gid,
698 &conn->nt_user_token);
699 if (!NT_STATUS_IS_OK(status2)) {
705 fstrcpy(user, found_username);
706 string_set(&conn->user,user);
707 conn->force_user = True;
708 TALLOC_FREE(found_username);
710 DEBUG(3,("Guest only user %s\n",user));
713 if (!lp_guest_ok(snum)) {
714 DEBUG(2, ("guest user (from session setup) "
715 "not permitted to access this share "
716 "(%s)\n", lp_servicename(snum)));
718 *status = NT_STATUS_ACCESS_DENIED;
722 if (!user_ok_token(vuser->user.unix_name,
723 vuser->nt_user_token, snum)) {
724 DEBUG(2, ("user '%s' (from session setup) not "
725 "permitted to access this share "
726 "(%s)\n", vuser->user.unix_name,
727 lp_servicename(snum)));
729 *status = NT_STATUS_ACCESS_DENIED;
733 conn->vuid = vuser->vuid;
734 conn->uid = vuser->uid;
735 conn->gid = vuser->gid;
736 string_set(&conn->user,vuser->user.unix_name);
737 fstrcpy(user,vuser->user.unix_name);
738 guest = vuser->guest;
739 } else if (lp_security() == SEC_SHARE) {
741 char *found_username = NULL;
743 /* add it as a possible user name if we
744 are in share mode security */
745 add_session_user(lp_servicename(snum));
746 /* shall we let them in? */
747 if (!authorise_login(snum,user,password,&guest)) {
748 DEBUG( 2, ( "Invalid username/password for [%s]\n",
749 lp_servicename(snum)) );
751 *status = NT_STATUS_WRONG_PASSWORD;
754 pass = Get_Pwnam_alloc(talloc_tos(), user);
755 status2 = create_token_from_username(conn->mem_ctx, pass->pw_name, True,
756 &conn->uid, &conn->gid,
758 &conn->nt_user_token);
760 if (!NT_STATUS_IS_OK(status2)) {
765 fstrcpy(user, found_username);
766 string_set(&conn->user,user);
767 TALLOC_FREE(found_username);
768 conn->force_user = True;
770 DEBUG(0, ("invalid VUID (vuser) but not in security=share\n"));
772 *status = NT_STATUS_ACCESS_DENIED;
776 add_session_user(user);
778 safe_strcpy(conn->client_address,
779 client_addr(get_client_fd(),addr,sizeof(addr)),
780 sizeof(conn->client_address)-1);
781 conn->num_files_open = 0;
782 conn->lastused = conn->lastused_count = time(NULL);
784 conn->printer = (strncmp(dev,"LPT",3) == 0);
785 conn->ipc = ( (strncmp(dev,"IPC",3) == 0) ||
786 ( lp_enable_asu_support() && strequal(dev,"ADMIN$")) );
789 /* Case options for the share. */
790 if (lp_casesensitive(snum) == Auto) {
791 /* We will be setting this per packet. Set to be case
792 * insensitive for now. */
793 conn->case_sensitive = False;
795 conn->case_sensitive = (bool)lp_casesensitive(snum);
798 conn->case_preserve = lp_preservecase(snum);
799 conn->short_case_preserve = lp_shortpreservecase(snum);
801 conn->encrypt_level = lp_smb_encrypt(snum);
803 conn->veto_list = NULL;
804 conn->hide_list = NULL;
805 conn->veto_oplock_list = NULL;
806 conn->aio_write_behind_list = NULL;
807 string_set(&conn->dirpath,"");
808 string_set(&conn->user,user);
810 conn->read_only = lp_readonly(SNUM(conn));
811 conn->admin_user = False;
814 * If force user is true, then store the given userid and the gid of
815 * the user we're forcing.
816 * For auxiliary groups see below.
819 if (*lp_force_user(snum)) {
822 status2 = find_forced_user(conn,
823 (vuser != NULL) && vuser->guest,
825 if (!NT_STATUS_IS_OK(status2)) {
830 string_set(&conn->user,user);
831 conn->force_user = True;
832 DEBUG(3,("Forced user %s\n",user));
836 * If force group is true, then override
837 * any groupid stored for the connecting user.
840 if (*lp_force_group(snum)) {
844 status2 = find_forced_group(conn->force_user,
846 &group_sid, &conn->gid);
847 if (!NT_STATUS_IS_OK(status2)) {
853 if ((conn->nt_user_token == NULL) && (vuser != NULL)) {
855 /* Not force user and not security=share, but force
856 * group. vuser has a token to copy */
858 conn->nt_user_token = dup_nt_token(
859 NULL, vuser->nt_user_token);
860 if (conn->nt_user_token == NULL) {
861 DEBUG(0, ("dup_nt_token failed\n"));
863 *status = NT_STATUS_NO_MEMORY;
868 /* If conn->nt_user_token is still NULL, we have
869 * security=share. This means ignore the SID, as we had no
870 * vuser to copy from */
872 if (conn->nt_user_token != NULL) {
873 /* Overwrite the primary group sid */
874 sid_copy(&conn->nt_user_token->user_sids[1],
878 conn->force_group = True;
881 if (conn->nt_user_token != NULL) {
884 /* We have a share-specific token from force [user|group].
885 * This means we have to create the list of unix groups from
886 * the list of sids. */
891 for (i=0; i<conn->nt_user_token->num_sids; i++) {
893 DOM_SID *sid = &conn->nt_user_token->user_sids[i];
895 if (!sid_to_gid(sid, &gid)) {
896 DEBUG(10, ("Could not convert SID %s to gid, "
898 sid_string_dbg(sid)));
901 if (!add_gid_to_array_unique(conn->mem_ctx, gid, &conn->groups,
903 DEBUG(0, ("add_gid_to_array_unique failed\n"));
905 *status = NT_STATUS_NO_MEMORY;
912 char *s = talloc_sub_advanced(talloc_tos(),
913 lp_servicename(SNUM(conn)), conn->user,
914 conn->connectpath, conn->gid,
915 get_current_username(),
916 current_user_info.domain,
920 *status = NT_STATUS_NO_MEMORY;
924 if (!set_conn_connectpath(conn,s)) {
927 *status = NT_STATUS_NO_MEMORY;
930 DEBUG(3,("Connect path is '%s' for service [%s]\n",s,
931 lp_servicename(snum)));
936 * New code to check if there's a share security descripter
937 * added from NT server manager. This is done after the
938 * smb.conf checks are done as we need a uid and token. JRA.
943 bool can_write = False;
944 NT_USER_TOKEN *token = conn->nt_user_token ?
945 conn->nt_user_token :
946 (vuser ? vuser->nt_user_token : NULL);
949 * I don't believe this can happen. But the
950 * logic above is convoluted enough to confuse
951 * automated checkers, so be sure. JRA.
955 DEBUG(0,("make_connection: connection to %s "
956 "denied due to missing "
958 lp_servicename(snum)));
960 *status = NT_STATUS_ACCESS_DENIED;
964 can_write = share_access_check(token,
965 lp_servicename(snum),
969 if (!share_access_check(token,
970 lp_servicename(snum),
972 /* No access, read or write. */
973 DEBUG(0,("make_connection: connection to %s "
974 "denied due to security "
976 lp_servicename(snum)));
978 *status = NT_STATUS_ACCESS_DENIED;
981 conn->read_only = True;
985 /* Initialise VFS function pointers */
987 if (!smbd_vfs_init(conn)) {
988 DEBUG(0, ("vfs_init failed for service %s\n",
989 lp_servicename(snum)));
991 *status = NT_STATUS_BAD_NETWORK_NAME;
996 * If widelinks are disallowed we need to canonicalise the connect
997 * path here to ensure we don't have any symlinks in the
998 * connectpath. We will be checking all paths on this connection are
999 * below this directory. We must do this after the VFS init as we
1000 * depend on the realpath() pointer in the vfs table. JRA.
1002 if (!lp_widelinks(snum)) {
1003 if (!canonicalize_connect_path(conn)) {
1004 DEBUG(0, ("canonicalize_connect_path failed "
1005 "for service %s, path %s\n",
1006 lp_servicename(snum),
1007 conn->connectpath));
1009 *status = NT_STATUS_BAD_NETWORK_NAME;
1014 if ((!conn->printer) && (!conn->ipc)) {
1015 conn->notify_ctx = notify_init(conn->mem_ctx, server_id_self(),
1016 smbd_messaging_context(),
1017 smbd_event_context(),
1021 /* ROOT Activities: */
1023 * Enforce the max connections parameter.
1026 if ((lp_max_connections(snum) > 0)
1027 && (count_current_connections(lp_servicename(SNUM(conn)), True) >=
1028 lp_max_connections(snum))) {
1030 DEBUG(1, ("Max connections (%d) exceeded for %s\n",
1031 lp_max_connections(snum), lp_servicename(snum)));
1033 *status = NT_STATUS_INSUFFICIENT_RESOURCES;
1038 * Get us an entry in the connections db
1040 if (!claim_connection(conn, lp_servicename(snum), 0)) {
1041 DEBUG(1, ("Could not store connections entry\n"));
1043 *status = NT_STATUS_INTERNAL_DB_ERROR;
1047 /* Preexecs are done here as they might make the dir we are to ChDir
1049 /* execute any "root preexec = " line */
1050 if (*lp_rootpreexec(snum)) {
1051 char *cmd = talloc_sub_advanced(talloc_tos(),
1052 lp_servicename(SNUM(conn)), conn->user,
1053 conn->connectpath, conn->gid,
1054 get_current_username(),
1055 current_user_info.domain,
1056 lp_rootpreexec(snum));
1057 DEBUG(5,("cmd=%s\n",cmd));
1058 ret = smbrun(cmd,NULL);
1060 if (ret != 0 && lp_rootpreexec_close(snum)) {
1061 DEBUG(1,("root preexec gave %d - failing "
1062 "connection\n", ret));
1063 yield_connection(conn, lp_servicename(snum));
1065 *status = NT_STATUS_ACCESS_DENIED;
1070 /* USER Activites: */
1071 if (!change_to_user(conn, conn->vuid)) {
1072 /* No point continuing if they fail the basic checks */
1073 DEBUG(0,("Can't become connected user!\n"));
1074 yield_connection(conn, lp_servicename(snum));
1076 *status = NT_STATUS_LOGON_FAILURE;
1080 /* Remember that a different vuid can connect later without these
1083 /* Preexecs are done here as they might make the dir we are to ChDir
1086 /* execute any "preexec = " line */
1087 if (*lp_preexec(snum)) {
1088 char *cmd = talloc_sub_advanced(talloc_tos(),
1089 lp_servicename(SNUM(conn)), conn->user,
1090 conn->connectpath, conn->gid,
1091 get_current_username(),
1092 current_user_info.domain,
1094 ret = smbrun(cmd,NULL);
1096 if (ret != 0 && lp_preexec_close(snum)) {
1097 DEBUG(1,("preexec gave %d - failing connection\n",
1099 *status = NT_STATUS_ACCESS_DENIED;
1104 #ifdef WITH_FAKE_KASERVER
1105 if (lp_afs_share(snum)) {
1110 /* Add veto/hide lists */
1111 if (!IS_IPC(conn) && !IS_PRINT(conn)) {
1112 set_namearray( &conn->veto_list, lp_veto_files(snum));
1113 set_namearray( &conn->hide_list, lp_hide_files(snum));
1114 set_namearray( &conn->veto_oplock_list, lp_veto_oplocks(snum));
1117 /* Invoke VFS make connection hook - do this before the VFS_STAT call
1118 to allow any filesystems needing user credentials to initialize
1121 if (SMB_VFS_CONNECT(conn, lp_servicename(snum), user) < 0) {
1122 DEBUG(0,("make_connection: VFS make connection failed!\n"));
1123 *status = NT_STATUS_UNSUCCESSFUL;
1127 /* Any error exit after here needs to call the disconnect hook. */
1128 on_err_call_dis_hook = true;
1130 /* win2000 does not check the permissions on the directory
1131 during the tree connect, instead relying on permission
1132 check during individual operations. To match this behaviour
1133 I have disabled this chdir check (tridge) */
1134 /* the alternative is just to check the directory exists */
1135 if ((ret = SMB_VFS_STAT(conn, conn->connectpath, &st)) != 0 ||
1136 !S_ISDIR(st.st_mode)) {
1137 if (ret == 0 && !S_ISDIR(st.st_mode)) {
1138 DEBUG(0,("'%s' is not a directory, when connecting to "
1139 "[%s]\n", conn->connectpath,
1140 lp_servicename(snum)));
1142 DEBUG(0,("'%s' does not exist or permission denied "
1143 "when connecting to [%s] Error was %s\n",
1144 conn->connectpath, lp_servicename(snum),
1147 *status = NT_STATUS_BAD_NETWORK_NAME;
1151 string_set(&conn->origpath,conn->connectpath);
1153 #if SOFTLINK_OPTIMISATION
1154 /* resolve any soft links early if possible */
1155 if (vfs_ChDir(conn,conn->connectpath) == 0) {
1156 TALLOC_CTX *ctx = talloc_tos();
1157 char *s = vfs_GetWd(ctx,s);
1159 *status = map_nt_error_from_unix(errno);
1162 if (!set_conn_connectpath(conn,s)) {
1163 *status = NT_STATUS_NO_MEMORY;
1166 vfs_ChDir(conn,conn->connectpath);
1170 /* Figure out the characteristics of the underlying filesystem. This
1171 * assumes that all the filesystem mounted withing a share path have
1172 * the same characteristics, which is likely but not guaranteed.
1175 conn->fs_capabilities = SMB_VFS_FS_CAPABILITIES(conn);
1178 * Print out the 'connected as' stuff here as we need
1179 * to know the effective uid and gid we will be using
1180 * (at least initially).
1183 if( DEBUGLVL( IS_IPC(conn) ? 3 : 1 ) ) {
1184 dbgtext( "%s (%s) ", get_remote_machine_name(),
1185 conn->client_address );
1186 dbgtext( "%s", srv_is_signing_active() ? "signed " : "");
1187 dbgtext( "connect to service %s ", lp_servicename(snum) );
1188 dbgtext( "initially as user %s ", user );
1189 dbgtext( "(uid=%d, gid=%d) ", (int)geteuid(), (int)getegid() );
1190 dbgtext( "(pid %d)\n", (int)sys_getpid() );
1193 /* we've finished with the user stuff - go back to root */
1194 change_to_root_user();
1199 change_to_root_user();
1200 if (on_err_call_dis_hook) {
1201 /* Call VFS disconnect hook */
1202 SMB_VFS_DISCONNECT(conn);
1204 yield_connection(conn, lp_servicename(snum));
1209 /***************************************************************************************
1210 Simple wrapper function for make_connection() to include a call to
1212 **************************************************************************************/
1214 connection_struct *make_connection_with_chdir(const char *service_in,
1216 const char *dev, uint16 vuid,
1219 connection_struct *conn = NULL;
1221 conn = make_connection(service_in, password, dev, vuid, status);
1224 * make_connection() does not change the directory for us any more
1225 * so we have to do it as a separate step --jerry
1228 if ( conn && vfs_ChDir(conn,conn->connectpath) != 0 ) {
1229 DEBUG(0,("move_driver_to_download_area: Can't change "
1230 "directory to %s for [print$] (%s)\n",
1231 conn->connectpath,strerror(errno)));
1232 yield_connection(conn, lp_servicename(SNUM(conn)));
1234 *status = NT_STATUS_UNSUCCESSFUL;
1241 /****************************************************************************
1242 Make a connection to a service.
1245 ****************************************************************************/
1247 connection_struct *make_connection(const char *service_in, DATA_BLOB password,
1248 const char *pdev, uint16 vuid,
1252 user_struct *vuser = NULL;
1256 char addr[INET6_ADDRSTRLEN];
1260 /* This must ONLY BE CALLED AS ROOT. As it exits this function as
1262 if (!non_root_mode() && (euid = geteuid()) != 0) {
1263 DEBUG(0,("make_connection: PANIC ERROR. Called as nonroot "
1264 "(%u)\n", (unsigned int)euid ));
1265 smb_panic("make_connection: PANIC ERROR. Called as nonroot\n");
1268 if (conn_num_open() > 2047) {
1269 *status = NT_STATUS_INSUFF_SERVER_RESOURCES;
1273 if(lp_security() != SEC_SHARE) {
1274 vuser = get_valid_user_struct(vuid);
1276 DEBUG(1,("make_connection: refusing to connect with "
1277 "no session setup\n"));
1278 *status = NT_STATUS_ACCESS_DENIED;
1283 /* Logic to try and connect to the correct [homes] share, preferably
1284 without too many getpwnam() lookups. This is particulary nasty for
1285 winbind usernames, where the share name isn't the same as unix
1288 The snum of the homes share is stored on the vuser at session setup
1292 if (strequal(service_in,HOMES_NAME)) {
1293 if(lp_security() != SEC_SHARE) {
1294 DATA_BLOB no_pw = data_blob_null;
1295 if (vuser->homes_snum == -1) {
1296 DEBUG(2, ("[homes] share not available for "
1297 "this user because it was not found "
1298 "or created at session setup "
1300 *status = NT_STATUS_BAD_NETWORK_NAME;
1303 DEBUG(5, ("making a connection to [homes] service "
1304 "created at session setup time\n"));
1305 return make_connection_snum(vuser->homes_snum,
1309 /* Security = share. Try with
1310 * current_user_info.smb_name as the username. */
1311 if (*current_user_info.smb_name) {
1312 fstring unix_username;
1313 fstrcpy(unix_username,
1314 current_user_info.smb_name);
1315 map_username(unix_username);
1316 snum = find_service(unix_username);
1319 DEBUG(5, ("making a connection to 'homes' "
1320 "service %s based on "
1321 "security=share\n", service_in));
1322 return make_connection_snum(snum, NULL,
1327 } else if ((lp_security() != SEC_SHARE) && (vuser->homes_snum != -1)
1328 && strequal(service_in,
1329 lp_servicename(vuser->homes_snum))) {
1330 DATA_BLOB no_pw = data_blob_null;
1331 DEBUG(5, ("making a connection to 'homes' service [%s] "
1332 "created at session setup time\n", service_in));
1333 return make_connection_snum(vuser->homes_snum,
1338 fstrcpy(service, service_in);
1340 strlower_m(service);
1342 snum = find_service(service);
1345 if (strequal(service,"IPC$") ||
1346 (lp_enable_asu_support() && strequal(service,"ADMIN$"))) {
1347 DEBUG(3,("refusing IPC connection to %s\n", service));
1348 *status = NT_STATUS_ACCESS_DENIED;
1352 DEBUG(0,("%s (%s) couldn't find service %s\n",
1353 get_remote_machine_name(),
1354 client_addr(get_client_fd(),addr,sizeof(addr)),
1356 *status = NT_STATUS_BAD_NETWORK_NAME;
1360 /* Handle non-Dfs clients attempting connections to msdfs proxy */
1361 if (lp_host_msdfs() && (*lp_msdfs_proxy(snum) != '\0')) {
1362 DEBUG(3, ("refusing connection to dfs proxy share '%s' "
1363 "(pointing to %s)\n",
1364 service, lp_msdfs_proxy(snum)));
1365 *status = NT_STATUS_BAD_NETWORK_NAME;
1369 DEBUG(5, ("making a connection to 'normal' service %s\n", service));
1371 return make_connection_snum(snum, vuser,
1376 /****************************************************************************
1378 ****************************************************************************/
1380 void close_cnum(connection_struct *conn, uint16 vuid)
1383 pipe_close_conn(conn);
1385 file_close_conn(conn);
1386 dptr_closecnum(conn);
1389 change_to_root_user();
1391 DEBUG(IS_IPC(conn)?3:1, ("%s (%s) closed connection to service %s\n",
1392 get_remote_machine_name(),
1393 conn->client_address,
1394 lp_servicename(SNUM(conn))));
1396 /* Call VFS disconnect hook */
1397 SMB_VFS_DISCONNECT(conn);
1399 yield_connection(conn, lp_servicename(SNUM(conn)));
1401 /* make sure we leave the directory available for unmount */
1402 vfs_ChDir(conn, "/");
1404 /* execute any "postexec = " line */
1405 if (*lp_postexec(SNUM(conn)) &&
1406 change_to_user(conn, vuid)) {
1407 char *cmd = talloc_sub_advanced(talloc_tos(),
1408 lp_servicename(SNUM(conn)), conn->user,
1409 conn->connectpath, conn->gid,
1410 get_current_username(),
1411 current_user_info.domain,
1412 lp_postexec(SNUM(conn)));
1415 change_to_root_user();
1418 change_to_root_user();
1419 /* execute any "root postexec = " line */
1420 if (*lp_rootpostexec(SNUM(conn))) {
1421 char *cmd = talloc_sub_advanced(talloc_tos(),
1422 lp_servicename(SNUM(conn)), conn->user,
1423 conn->connectpath, conn->gid,
1424 get_current_username(),
1425 current_user_info.domain,
1426 lp_rootpostexec(SNUM(conn)));