2 Unix SMB/CIFS implementation.
3 service (connection) opening and closing
4 Copyright (C) Andrew Tridgell 1992-1998
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
23 extern userdom_struct current_user_info
;
25 /****************************************************************************
26 Ensure when setting connectpath it is a canonicalized (no ./ // or ../)
27 absolute path stating in / and not ending in /.
28 Observent people will notice a similarity between this and check_path_syntax :-).
29 ****************************************************************************/
31 void set_conn_connectpath(connection_struct
*conn
, const pstring connectpath
)
35 const char *s
= connectpath
;
36 BOOL start_of_name_component
= True
;
38 *d
++ = '/'; /* Always start with root. */
42 /* Eat multiple '/' */
46 if ((d
> destname
+ 1) && (*s
!= '\0')) {
49 start_of_name_component
= True
;
53 if (start_of_name_component
) {
54 if ((s
[0] == '.') && (s
[1] == '.') && (s
[2] == '/' || s
[2] == '\0')) {
55 /* Uh oh - "/../" or "/..\0" ! */
57 /* Go past the ../ or .. */
61 s
+= 2; /* Go past the .. */
64 /* If we just added a '/' - delete it */
65 if ((d
> destname
) && (*(d
-1) == '/')) {
70 /* Are we at the start ? Can't go back further if so. */
72 *d
++ = '/'; /* Can't delete root */
75 /* Go back one level... */
76 /* Decrement d first as d points to the *next* char to write into. */
77 for (d
--; d
> destname
; d
--) {
82 /* We're still at the start of a name component, just the previous one. */
84 } else if ((s
[0] == '.') && ((s
[1] == '\0') || s
[1] == '/')) {
85 /* Component of pathname can't be "." only - skip the '.' . */
98 switch(next_mb_char_size(s
)) {
112 start_of_name_component
= False
;
116 /* And must not end in '/' */
117 if (d
> destname
+ 1 && (*(d
-1) == '/')) {
121 DEBUG(10,("set_conn_connectpath: service %s, connectpath = %s\n",
122 lp_servicename(SNUM(conn
)), destname
));
124 string_set(&conn
->connectpath
, destname
);
127 /****************************************************************************
128 Load parameters specific to a connection/service.
129 ****************************************************************************/
131 BOOL
set_current_service(connection_struct
*conn
, uint16 flags
, BOOL do_chdir
)
133 static connection_struct
*last_conn
;
134 static uint16 last_flags
;
142 conn
->lastused_count
++;
147 vfs_ChDir(conn
,conn
->connectpath
) != 0 &&
148 vfs_ChDir(conn
,conn
->origpath
) != 0) {
149 DEBUG(0,("chdir (%s) failed\n",
154 if ((conn
== last_conn
) && (last_flags
== flags
)) {
161 /* Obey the client case sensitivity requests - only for clients that support it. */
162 switch (lp_casesensitive(snum
)) {
165 /* We need this uglyness due to DOS/Win9x clients that lie about case insensitivity. */
166 enum remote_arch_types ra_type
= get_remote_arch();
167 if ((ra_type
!= RA_SAMBA
) && (ra_type
!= RA_CIFSFS
)) {
168 /* Client can't support per-packet case sensitive pathnames. */
169 conn
->case_sensitive
= False
;
171 conn
->case_sensitive
= !(flags
& FLAG_CASELESS_PATHNAMES
);
176 conn
->case_sensitive
= True
;
179 conn
->case_sensitive
= False
;
185 /****************************************************************************
186 Add a home service. Returns the new service number or -1 if fail.
187 ****************************************************************************/
189 int add_home_service(const char *service
, const char *username
, const char *homedir
)
193 if (!service
|| !homedir
)
196 if ((iHomeService
= lp_servicenumber(HOMES_NAME
)) < 0)
200 * If this is a winbindd provided username, remove
201 * the domain component before adding the service.
202 * Log a warning if the "path=" parameter does not
203 * include any macros.
207 const char *p
= strchr(service
,*lp_winbind_separator());
209 /* We only want the 'user' part of the string */
215 if (!lp_add_home(service
, iHomeService
, username
, homedir
)) {
219 return lp_servicenumber(service
);
225 * Find a service entry.
227 * @param service is modified (to canonical form??)
230 int find_service(fstring service
)
234 all_string_sub(service
,"\\","/",0);
236 iService
= lp_servicenumber(service
);
238 /* now handle the special case of a home directory */
240 char *phome_dir
= get_user_home_dir(service
);
244 * Try mapping the servicename, it may
245 * be a Windows to unix mapped user name.
247 if(map_username(service
))
248 phome_dir
= get_user_home_dir(service
);
251 DEBUG(3,("checking for home directory %s gave %s\n",service
,
252 phome_dir
?phome_dir
:"(NULL)"));
254 iService
= add_home_service(service
,service
/* 'username' */, phome_dir
);
257 /* If we still don't have a service, attempt to add it as a printer. */
261 if ((iPrinterService
= lp_servicenumber(PRINTERS_NAME
)) >= 0) {
262 DEBUG(3,("checking whether %s is a valid printer name...\n", service
));
263 if (pcap_printername_ok(service
)) {
264 DEBUG(3,("%s is a valid printer name\n", service
));
265 DEBUG(3,("adding %s as a printer service\n", service
));
266 lp_add_printer(service
, iPrinterService
);
267 iService
= lp_servicenumber(service
);
269 DEBUG(0,("failed to add %s as a printer service!\n", service
));
272 DEBUG(3,("%s is not a valid printer name\n", service
));
277 /* Check for default vfs service? Unsure whether to implement this */
281 /* just possibly it's a default service? */
283 char *pdefservice
= lp_defaultservice();
284 if (pdefservice
&& *pdefservice
&& !strequal(pdefservice
,service
) && !strstr_m(service
,"..")) {
286 * We need to do a local copy here as lp_defaultservice()
287 * returns one of the rotating lp_string buffers that
288 * could get overwritten by the recursive find_service() call
289 * below. Fix from Josef Hinteregger <joehtg@joehtg.co.at>.
292 pstrcpy(defservice
, pdefservice
);
293 iService
= find_service(defservice
);
295 all_string_sub(service
, "_","/",0);
296 iService
= lp_add_service(service
, iService
);
301 /* Is it a usershare service ? */
302 if (iService
< 0 && *lp_usershare_path()) {
303 /* Ensure the name is canonicalized. */
305 iService
= load_usershare_service(service
);
309 if (!VALID_SNUM(iService
)) {
310 DEBUG(0,("Invalid snum %d for %s\n",iService
, service
));
316 DEBUG(3,("find_service() failed to find service %s\n", service
));
322 /****************************************************************************
323 do some basic sainity checks on the share.
324 This function modifies dev, ecode.
325 ****************************************************************************/
327 static NTSTATUS
share_sanity_checks(int snum
, fstring dev
)
330 if (!lp_snum_ok(snum
) ||
331 !check_access(smbd_server_fd(),
332 lp_hostsallow(snum
), lp_hostsdeny(snum
))) {
333 return NT_STATUS_ACCESS_DENIED
;
336 if (dev
[0] == '?' || !dev
[0]) {
337 if (lp_print_ok(snum
)) {
338 fstrcpy(dev
,"LPT1:");
339 } else if (strequal(lp_fstype(snum
), "IPC")) {
348 if (lp_print_ok(snum
)) {
349 if (!strequal(dev
, "LPT1:")) {
350 return NT_STATUS_BAD_DEVICE_TYPE
;
352 } else if (strequal(lp_fstype(snum
), "IPC")) {
353 if (!strequal(dev
, "IPC")) {
354 return NT_STATUS_BAD_DEVICE_TYPE
;
356 } else if (!strequal(dev
, "A:")) {
357 return NT_STATUS_BAD_DEVICE_TYPE
;
360 /* Behave as a printer if we are supposed to */
361 if (lp_print_ok(snum
) && (strcmp(dev
, "A:") == 0)) {
362 fstrcpy(dev
, "LPT1:");
368 static NTSTATUS
find_forced_user(int snum
, BOOL vuser_is_guest
,
369 uid_t
*uid
, gid_t
*gid
, fstring username
,
370 struct nt_user_token
**token
)
373 char *fuser
, *found_username
;
376 mem_ctx
= talloc_new(NULL
);
377 if (mem_ctx
== NULL
) {
378 DEBUG(0, ("talloc_new failed\n"));
379 return NT_STATUS_NO_MEMORY
;
382 fuser
= talloc_string_sub(mem_ctx
, lp_force_user(snum
), "%S",
383 lp_servicename(snum
));
385 result
= NT_STATUS_NO_MEMORY
;
389 result
= create_token_from_username(mem_ctx
, fuser
, vuser_is_guest
,
390 uid
, gid
, &found_username
,
392 if (!NT_STATUS_IS_OK(result
)) {
396 talloc_steal(NULL
, *token
);
397 fstrcpy(username
, found_username
);
399 result
= NT_STATUS_OK
;
401 TALLOC_FREE(mem_ctx
);
406 * Go through lookup_name etc to find the force'd group.
408 * Create a new token from src_token, replacing the primary group sid with the
412 static NTSTATUS
find_forced_group(BOOL force_user
,
413 int snum
, const char *username
,
417 NTSTATUS result
= NT_STATUS_NO_SUCH_GROUP
;
420 enum SID_NAME_USE type
;
422 BOOL user_must_be_member
= False
;
425 mem_ctx
= talloc_new(NULL
);
426 if (mem_ctx
== NULL
) {
427 DEBUG(0, ("talloc_new failed\n"));
428 return NT_STATUS_NO_MEMORY
;
431 groupname
= talloc_strdup(mem_ctx
, lp_force_group(snum
));
432 if (groupname
== NULL
) {
433 DEBUG(1, ("talloc_strdup failed\n"));
434 result
= NT_STATUS_NO_MEMORY
;
438 if (groupname
[0] == '+') {
439 user_must_be_member
= True
;
443 groupname
= talloc_string_sub(mem_ctx
, groupname
,
444 "%S", lp_servicename(snum
));
446 if (!lookup_name(mem_ctx
, groupname
,
447 LOOKUP_NAME_ALL
|LOOKUP_NAME_GROUP
,
448 NULL
, NULL
, &group_sid
, &type
)) {
449 DEBUG(10, ("lookup_name(%s) failed\n",
454 if ((type
!= SID_NAME_DOM_GRP
) && (type
!= SID_NAME_ALIAS
) &&
455 (type
!= SID_NAME_WKN_GRP
)) {
456 DEBUG(10, ("%s is a %s, not a group\n", groupname
,
457 sid_type_lookup(type
)));
461 if (!sid_to_gid(&group_sid
, &gid
)) {
462 DEBUG(10, ("sid_to_gid(%s) for %s failed\n",
463 sid_string_static(&group_sid
), groupname
));
468 * If the user has been forced and the forced group starts with a '+',
469 * then we only set the group to be the forced group if the forced
470 * user is a member of that group. Otherwise, the meaning of the '+'
474 if (force_user
&& user_must_be_member
) {
475 if (user_in_group_sid(username
, &group_sid
)) {
476 sid_copy(pgroup_sid
, &group_sid
);
478 DEBUG(3,("Forced group %s for member %s\n",
479 groupname
, username
));
482 sid_copy(pgroup_sid
, &group_sid
);
484 DEBUG(3,("Forced group %s\n", groupname
));
487 result
= NT_STATUS_OK
;
489 TALLOC_FREE(mem_ctx
);
493 /****************************************************************************
494 Make a connection, given the snum to connect to, and the vuser of the
495 connecting user if appropriate.
496 ****************************************************************************/
498 static connection_struct
*make_connection_snum(int snum
, user_struct
*vuser
,
503 struct passwd
*pass
= NULL
;
505 connection_struct
*conn
;
513 SET_STAT_INVALID(st
);
515 if (NT_STATUS_IS_ERR(*status
= share_sanity_checks(snum
, dev
))) {
521 DEBUG(0,("Couldn't find free connection.\n"));
522 *status
= NT_STATUS_INSUFFICIENT_RESOURCES
;
526 if (lp_guest_only(snum
)) {
527 const char *guestname
= lp_guestaccount();
529 pass
= getpwnam_alloc(NULL
, guestname
);
531 DEBUG(0,("make_connection_snum: Invalid guest "
532 "account %s??\n",guestname
));
534 *status
= NT_STATUS_NO_SUCH_USER
;
537 fstrcpy(user
,pass
->pw_name
);
538 conn
->force_user
= True
;
539 conn
->uid
= pass
->pw_uid
;
540 conn
->gid
= pass
->pw_gid
;
541 string_set(&conn
->user
,pass
->pw_name
);
543 DEBUG(3,("Guest only user %s\n",user
));
546 if (!lp_guest_ok(snum
)) {
547 DEBUG(2, ("guest user (from session setup) "
548 "not permitted to access this share "
549 "(%s)\n", lp_servicename(snum
)));
551 *status
= NT_STATUS_ACCESS_DENIED
;
555 if (!user_ok_token(vuser
->user
.unix_name
,
556 vuser
->nt_user_token
, snum
)) {
557 DEBUG(2, ("user '%s' (from session setup) not "
558 "permitted to access this share "
559 "(%s)\n", vuser
->user
.unix_name
,
560 lp_servicename(snum
)));
562 *status
= NT_STATUS_ACCESS_DENIED
;
566 conn
->vuid
= vuser
->vuid
;
567 conn
->uid
= vuser
->uid
;
568 conn
->gid
= vuser
->gid
;
569 string_set(&conn
->user
,vuser
->user
.unix_name
);
570 fstrcpy(user
,vuser
->user
.unix_name
);
571 guest
= vuser
->guest
;
572 } else if (lp_security() == SEC_SHARE
) {
573 /* add it as a possible user name if we
574 are in share mode security */
575 add_session_user(lp_servicename(snum
));
576 /* shall we let them in? */
577 if (!authorise_login(snum
,user
,password
,&guest
)) {
578 DEBUG( 2, ( "Invalid username/password for [%s]\n",
579 lp_servicename(snum
)) );
581 *status
= NT_STATUS_WRONG_PASSWORD
;
584 pass
= Get_Pwnam(user
);
585 conn
->force_user
= True
;
586 conn
->uid
= pass
->pw_uid
;
587 conn
->gid
= pass
->pw_gid
;
588 string_set(&conn
->user
, pass
->pw_name
);
589 fstrcpy(user
, pass
->pw_name
);
592 DEBUG(0, ("invalid VUID (vuser) but not in security=share\n"));
594 *status
= NT_STATUS_ACCESS_DENIED
;
598 add_session_user(user
);
600 safe_strcpy(conn
->client_address
, client_addr(),
601 sizeof(conn
->client_address
)-1);
602 conn
->num_files_open
= 0;
603 conn
->lastused
= conn
->lastused_count
= time(NULL
);
604 conn
->service
= snum
;
606 conn
->printer
= (strncmp(dev
,"LPT",3) == 0);
607 conn
->ipc
= ( (strncmp(dev
,"IPC",3) == 0) ||
608 ( lp_enable_asu_support() && strequal(dev
,"ADMIN$")) );
611 /* Case options for the share. */
612 if (lp_casesensitive(snum
) == Auto
) {
613 /* We will be setting this per packet. Set to be case
614 * insensitive for now. */
615 conn
->case_sensitive
= False
;
617 conn
->case_sensitive
= (BOOL
)lp_casesensitive(snum
);
620 conn
->case_preserve
= lp_preservecase(snum
);
621 conn
->short_case_preserve
= lp_shortpreservecase(snum
);
623 conn
->veto_list
= NULL
;
624 conn
->hide_list
= NULL
;
625 conn
->veto_oplock_list
= NULL
;
626 conn
->aio_write_behind_list
= NULL
;
627 string_set(&conn
->dirpath
,"");
628 string_set(&conn
->user
,user
);
629 conn
->nt_user_token
= NULL
;
631 conn
->read_only
= lp_readonly(conn
->service
);
632 conn
->admin_user
= False
;
635 * If force user is true, then store the given userid and the gid of
636 * the user we're forcing.
637 * For auxiliary groups see below.
640 if (*lp_force_user(snum
)) {
643 status2
= find_forced_user(snum
,
644 (vuser
!= NULL
) && vuser
->guest
,
645 &conn
->uid
, &conn
->gid
, user
,
646 &conn
->nt_user_token
);
647 if (!NT_STATUS_IS_OK(status2
)) {
652 string_set(&conn
->user
,user
);
653 conn
->force_user
= True
;
654 DEBUG(3,("Forced user %s\n",user
));
658 * If force group is true, then override
659 * any groupid stored for the connecting user.
662 if (*lp_force_group(snum
)) {
666 status2
= find_forced_group(conn
->force_user
,
668 &group_sid
, &conn
->gid
);
669 if (!NT_STATUS_IS_OK(status2
)) {
675 if ((conn
->nt_user_token
== NULL
) && (vuser
!= NULL
)) {
677 /* Not force user and not security=share, but force
678 * group. vuser has a token to copy */
680 conn
->nt_user_token
= dup_nt_token(
681 NULL
, vuser
->nt_user_token
);
682 if (conn
->nt_user_token
== NULL
) {
683 DEBUG(0, ("dup_nt_token failed\n"));
685 *status
= NT_STATUS_NO_MEMORY
;
690 /* If conn->nt_user_token is still NULL, we have
691 * security=share. This means ignore the SID, as we had no
692 * vuser to copy from */
694 if (conn
->nt_user_token
!= NULL
) {
695 /* Overwrite the primary group sid */
696 sid_copy(&conn
->nt_user_token
->user_sids
[1],
700 conn
->force_group
= True
;
703 if (conn
->nt_user_token
!= NULL
) {
706 /* We have a share-specific token from force [user|group].
707 * This means we have to create the list of unix groups from
708 * the list of sids. */
713 for (i
=0; i
<conn
->nt_user_token
->num_sids
; i
++) {
715 DOM_SID
*sid
= &conn
->nt_user_token
->user_sids
[i
];
717 if (!sid_to_gid(sid
, &gid
)) {
718 DEBUG(10, ("Could not convert SID %s to gid, "
720 sid_string_static(sid
)));
723 add_gid_to_array_unique(NULL
, gid
, &conn
->groups
,
730 pstrcpy(s
,lp_pathname(snum
));
731 standard_sub_conn(conn
,s
,sizeof(s
));
732 set_conn_connectpath(conn
,s
);
733 DEBUG(3,("Connect path is '%s' for service [%s]\n",s
,
734 lp_servicename(snum
)));
738 * New code to check if there's a share security descripter
739 * added from NT server manager. This is done after the
740 * smb.conf checks are done as we need a uid and token. JRA.
745 BOOL can_write
= share_access_check(conn
, snum
, vuser
,
749 if (!share_access_check(conn
, snum
, vuser
,
751 /* No access, read or write. */
752 DEBUG(0,("make_connection: connection to %s "
753 "denied due to security "
755 lp_servicename(snum
)));
757 *status
= NT_STATUS_ACCESS_DENIED
;
760 conn
->read_only
= True
;
764 /* Initialise VFS function pointers */
766 if (!smbd_vfs_init(conn
)) {
767 DEBUG(0, ("vfs_init failed for service %s\n",
768 lp_servicename(snum
)));
770 *status
= NT_STATUS_BAD_NETWORK_NAME
;
775 * If widelinks are disallowed we need to canonicalise the connect
776 * path here to ensure we don't have any symlinks in the
777 * connectpath. We will be checking all paths on this connection are
778 * below this directory. We must do this after the VFS init as we
779 * depend on the realpath() pointer in the vfs table. JRA.
781 if (!lp_widelinks(snum
)) {
783 pstrcpy(s
,conn
->connectpath
);
784 canonicalize_path(conn
, s
);
785 set_conn_connectpath(conn
,s
);
788 /* ROOT Activities: */
789 /* check number of connections */
790 if (!claim_connection(conn
,
791 lp_servicename(snum
),
792 lp_max_connections(snum
),
794 DEBUG(1,("too many connections - rejected\n"));
796 *status
= NT_STATUS_INSUFFICIENT_RESOURCES
;
800 /* Preexecs are done here as they might make the dir we are to ChDir
802 /* execute any "root preexec = " line */
803 if (*lp_rootpreexec(snum
)) {
805 pstrcpy(cmd
,lp_rootpreexec(snum
));
806 standard_sub_conn(conn
,cmd
,sizeof(cmd
));
807 DEBUG(5,("cmd=%s\n",cmd
));
808 ret
= smbrun(cmd
,NULL
);
809 if (ret
!= 0 && lp_rootpreexec_close(snum
)) {
810 DEBUG(1,("root preexec gave %d - failing "
811 "connection\n", ret
));
812 yield_connection(conn
, lp_servicename(snum
));
814 *status
= NT_STATUS_ACCESS_DENIED
;
819 /* USER Activites: */
820 if (!change_to_user(conn
, conn
->vuid
)) {
821 /* No point continuing if they fail the basic checks */
822 DEBUG(0,("Can't become connected user!\n"));
823 yield_connection(conn
, lp_servicename(snum
));
825 *status
= NT_STATUS_LOGON_FAILURE
;
829 /* Remember that a different vuid can connect later without these
832 /* Preexecs are done here as they might make the dir we are to ChDir
835 /* execute any "preexec = " line */
836 if (*lp_preexec(snum
)) {
838 pstrcpy(cmd
,lp_preexec(snum
));
839 standard_sub_conn(conn
,cmd
,sizeof(cmd
));
840 ret
= smbrun(cmd
,NULL
);
841 if (ret
!= 0 && lp_preexec_close(snum
)) {
842 DEBUG(1,("preexec gave %d - failing connection\n",
844 change_to_root_user();
845 yield_connection(conn
, lp_servicename(snum
));
847 *status
= NT_STATUS_ACCESS_DENIED
;
852 #ifdef WITH_FAKE_KASERVER
853 if (lp_afs_share(snum
)) {
858 /* Add veto/hide lists */
859 if (!IS_IPC(conn
) && !IS_PRINT(conn
)) {
860 set_namearray( &conn
->veto_list
, lp_veto_files(snum
));
861 set_namearray( &conn
->hide_list
, lp_hide_files(snum
));
862 set_namearray( &conn
->veto_oplock_list
, lp_veto_oplocks(snum
));
865 /* Invoke VFS make connection hook - do this before the VFS_STAT call
866 to allow any filesystems needing user credentials to initialize
869 if (SMB_VFS_CONNECT(conn
, lp_servicename(snum
), user
) < 0) {
870 DEBUG(0,("make_connection: VFS make connection failed!\n"));
871 change_to_root_user();
872 yield_connection(conn
, lp_servicename(snum
));
874 *status
= NT_STATUS_UNSUCCESSFUL
;
878 /* win2000 does not check the permissions on the directory
879 during the tree connect, instead relying on permission
880 check during individual operations. To match this behaviour
881 I have disabled this chdir check (tridge) */
882 /* the alternative is just to check the directory exists */
883 if ((ret
= SMB_VFS_STAT(conn
, conn
->connectpath
, &st
)) != 0 ||
884 !S_ISDIR(st
.st_mode
)) {
885 if (ret
== 0 && !S_ISDIR(st
.st_mode
)) {
886 DEBUG(0,("'%s' is not a directory, when connecting to "
887 "[%s]\n", conn
->connectpath
,
888 lp_servicename(snum
)));
890 DEBUG(0,("'%s' does not exist or permission denied "
891 "when connecting to [%s] Error was %s\n",
892 conn
->connectpath
, lp_servicename(snum
),
895 change_to_root_user();
896 /* Call VFS disconnect hook */
897 SMB_VFS_DISCONNECT(conn
);
898 yield_connection(conn
, lp_servicename(snum
));
900 *status
= NT_STATUS_BAD_NETWORK_NAME
;
904 string_set(&conn
->origpath
,conn
->connectpath
);
906 #if SOFTLINK_OPTIMISATION
907 /* resolve any soft links early if possible */
908 if (vfs_ChDir(conn
,conn
->connectpath
) == 0) {
910 pstrcpy(s
,conn
->connectpath
);
912 set_conn_connectpath(conn
,s
);
913 vfs_ChDir(conn
,conn
->connectpath
);
918 * Print out the 'connected as' stuff here as we need
919 * to know the effective uid and gid we will be using
920 * (at least initially).
923 if( DEBUGLVL( IS_IPC(conn
) ? 3 : 1 ) ) {
924 dbgtext( "%s (%s) ", get_remote_machine_name(),
925 conn
->client_address
);
926 dbgtext( "%s", srv_is_signing_active() ? "signed " : "");
927 dbgtext( "connect to service %s ", lp_servicename(snum
) );
928 dbgtext( "initially as user %s ", user
);
929 dbgtext( "(uid=%d, gid=%d) ", (int)geteuid(), (int)getegid() );
930 dbgtext( "(pid %d)\n", (int)sys_getpid() );
933 /* Setup the minimum value for a change notify wait time (seconds). */
934 set_change_notify_timeout(lp_change_notify_timeout(snum
));
936 /* we've finished with the user stuff - go back to root */
937 change_to_root_user();
941 /***************************************************************************************
942 Simple wrapper function for make_connection() to include a call to
944 **************************************************************************************/
946 connection_struct
*make_connection_with_chdir(const char *service_in
,
948 const char *dev
, uint16 vuid
,
951 connection_struct
*conn
= NULL
;
953 conn
= make_connection(service_in
, password
, dev
, vuid
, status
);
956 * make_connection() does not change the directory for us any more
957 * so we have to do it as a separate step --jerry
960 if ( conn
&& vfs_ChDir(conn
,conn
->connectpath
) != 0 ) {
961 DEBUG(0,("move_driver_to_download_area: Can't change "
962 "directory to %s for [print$] (%s)\n",
963 conn
->connectpath
,strerror(errno
)));
964 yield_connection(conn
, lp_servicename(SNUM(conn
)));
966 *status
= NT_STATUS_UNSUCCESSFUL
;
973 /****************************************************************************
974 Make a connection to a service.
977 ****************************************************************************/
979 connection_struct
*make_connection(const char *service_in
, DATA_BLOB password
,
980 const char *pdev
, uint16 vuid
,
984 user_struct
*vuser
= NULL
;
991 /* This must ONLY BE CALLED AS ROOT. As it exits this function as
993 if (!non_root_mode() && (euid
= geteuid()) != 0) {
994 DEBUG(0,("make_connection: PANIC ERROR. Called as nonroot "
995 "(%u)\n", (unsigned int)euid
));
996 smb_panic("make_connection: PANIC ERROR. Called as nonroot\n");
999 if(lp_security() != SEC_SHARE
) {
1000 vuser
= get_valid_user_struct(vuid
);
1002 DEBUG(1,("make_connection: refusing to connect with "
1003 "no session setup\n"));
1004 *status
= NT_STATUS_ACCESS_DENIED
;
1009 /* Logic to try and connect to the correct [homes] share, preferably
1010 without too many getpwnam() lookups. This is particulary nasty for
1011 winbind usernames, where the share name isn't the same as unix
1014 The snum of the homes share is stored on the vuser at session setup
1018 if (strequal(service_in
,HOMES_NAME
)) {
1019 if(lp_security() != SEC_SHARE
) {
1020 DATA_BLOB no_pw
= data_blob(NULL
, 0);
1021 if (vuser
->homes_snum
== -1) {
1022 DEBUG(2, ("[homes] share not available for "
1023 "this user because it was not found "
1024 "or created at session setup "
1026 *status
= NT_STATUS_BAD_NETWORK_NAME
;
1029 DEBUG(5, ("making a connection to [homes] service "
1030 "created at session setup time\n"));
1031 return make_connection_snum(vuser
->homes_snum
,
1035 /* Security = share. Try with
1036 * current_user_info.smb_name as the username. */
1037 if (*current_user_info
.smb_name
) {
1038 fstring unix_username
;
1039 fstrcpy(unix_username
,
1040 current_user_info
.smb_name
);
1041 map_username(unix_username
);
1042 snum
= find_service(unix_username
);
1045 DEBUG(5, ("making a connection to 'homes' "
1046 "service %s based on "
1047 "security=share\n", service_in
));
1048 return make_connection_snum(snum
, NULL
,
1053 } else if ((lp_security() != SEC_SHARE
) && (vuser
->homes_snum
!= -1)
1054 && strequal(service_in
,
1055 lp_servicename(vuser
->homes_snum
))) {
1056 DATA_BLOB no_pw
= data_blob(NULL
, 0);
1057 DEBUG(5, ("making a connection to 'homes' service [%s] "
1058 "created at session setup time\n", service_in
));
1059 return make_connection_snum(vuser
->homes_snum
,
1064 fstrcpy(service
, service_in
);
1066 strlower_m(service
);
1068 snum
= find_service(service
);
1071 if (strequal(service
,"IPC$") ||
1072 (lp_enable_asu_support() && strequal(service
,"ADMIN$"))) {
1073 DEBUG(3,("refusing IPC connection to %s\n", service
));
1074 *status
= NT_STATUS_ACCESS_DENIED
;
1078 DEBUG(0,("%s (%s) couldn't find service %s\n",
1079 get_remote_machine_name(), client_addr(), service
));
1080 *status
= NT_STATUS_BAD_NETWORK_NAME
;
1084 /* Handle non-Dfs clients attempting connections to msdfs proxy */
1085 if (lp_host_msdfs() && (*lp_msdfs_proxy(snum
) != '\0')) {
1086 DEBUG(3, ("refusing connection to dfs proxy share '%s' "
1087 "(pointing to %s)\n",
1088 service
, lp_msdfs_proxy(snum
)));
1089 *status
= NT_STATUS_BAD_NETWORK_NAME
;
1093 DEBUG(5, ("making a connection to 'normal' service %s\n", service
));
1095 return make_connection_snum(snum
, vuser
,
1100 /****************************************************************************
1102 ****************************************************************************/
1104 void close_cnum(connection_struct
*conn
, uint16 vuid
)
1107 pipe_close_conn(conn
);
1109 file_close_conn(conn
);
1110 dptr_closecnum(conn
);
1113 change_to_root_user();
1115 DEBUG(IS_IPC(conn
)?3:1, ("%s (%s) closed connection to service %s\n",
1116 get_remote_machine_name(),
1117 conn
->client_address
,
1118 lp_servicename(SNUM(conn
))));
1120 /* Call VFS disconnect hook */
1121 SMB_VFS_DISCONNECT(conn
);
1123 yield_connection(conn
, lp_servicename(SNUM(conn
)));
1125 /* make sure we leave the directory available for unmount */
1126 vfs_ChDir(conn
, "/");
1128 /* execute any "postexec = " line */
1129 if (*lp_postexec(SNUM(conn
)) &&
1130 change_to_user(conn
, vuid
)) {
1132 pstrcpy(cmd
,lp_postexec(SNUM(conn
)));
1133 standard_sub_conn(conn
,cmd
,sizeof(cmd
));
1135 change_to_root_user();
1138 change_to_root_user();
1139 /* execute any "root postexec = " line */
1140 if (*lp_rootpostexec(SNUM(conn
))) {
1142 pstrcpy(cmd
,lp_rootpostexec(SNUM(conn
)));
1143 standard_sub_conn(conn
,cmd
,sizeof(cmd
));