Index: samba/source/auth/auth.c
===================================================================
RCS file: /cvs/root/samba/samba/source/auth/auth.c,v
retrieving revision 1.5
diff -u -d -b -r1.5 auth.c
--- samba/source/auth/auth.c 6 Jan 2005 23:36:59 -0000 1.5
+++ samba/source/auth/auth.c 7 Feb 2006 02:13:50 -0000
@@ -20,6 +20,10 @@
#include "includes.h"
+#ifdef WITH_SACL
+#include <membershipPriv.h>
+#endif
+
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
@@ -173,7 +177,50 @@
return True;
}
}
+#ifdef WITH_SACL
+/*
+ check_sacl(const char *inUser, const char *inService) - Check Service ACL
+ inUser - username in utf-8
+ inService - name of the service in utf-8
+
+ NOTE: the service name is not the group name, the transformation currently goes like
+ this: "service" -> "com.apple.access_service"
+
+ returns
+ 1 if the user is authorized (or no ACL exists)
+ 0 if the user is not authorized or does not exist
+
+*/
+int check_sacl(const char *inUser, const char *inService)
+{
+ uuid_t user_uuid;
+ int isMember = 0;
+ int mbrErr = 0;
+ // get the uuid
+ if(mbr_user_name_to_uuid(inUser, user_uuid))
+ {
+ return 0;
+ }
+
+ // check the sacl
+ if((mbrErr = mbr_check_service_membership(user_uuid, inService, &isMember)))
+ {
+ if(mbrErr == ENOENT) // no ACL exists
+ {
+ return 1;
+ } else {
+ return 0;
+ }
+ }
+ if(isMember == 1)
+ {
+ return 1;
+ } else {
+ return 0;
+ }
+}
+#endif
/**
* Check a user's Plaintext, LM or NTLM password.
*
@@ -296,6 +343,14 @@
}
}
+ #ifdef WITH_SACL
+ if (check_sacl(unix_username, "smb") == 0)
+ {
+ DEBUG(1,("check_ntlm_password: check_sacl(%s, smb) failed \n", unix_username));
+ return NT_STATUS_WRONG_PASSWORD;
+ }
+ #endif
+
if (NT_STATUS_IS_OK(nt_status)) {
DEBUG((*server_info)->guest ? 5 : 2,
("check_ntlm_password: %sauthentication for user [%s] -> [%s] -> [%s] succeeded\n",
--- samba/source/smbd/sesssetup.c 2006-02-20 17:21:22.000000000 -0800
+++ samba/source/smbd/sesssetup.c 2006-02-23 16:20:35.000000000 -0800
@@ -23,6 +23,12 @@
#include "includes.h"
+#ifdef WITH_SACL
+#include <membershipPriv.h>
+
+extern int check_sacl(const char *inUser, const char *inService);
+#endif
+
uint32 global_client_caps = 0;
static struct auth_ntlmssp_state *global_ntlmssp_state;
@@ -321,6 +327,15 @@
A better interface would copy it.... */
sess_vuid = register_vuid(server_info, session_key, nullblob, client);
+ #ifdef WITH_SACL
+ if (NT_STATUS_IS_OK(ret) && check_sacl((user), "smb") == 0)
+ {
+ DEBUG(1,("reply_spnego_kerberos: check_sacl(%s, smb) failed \n", (user)));
+ ret = NT_STATUS_LOGON_FAILURE;
+ }
+ #endif
+
+
SAFE_FREE(user);
SAFE_FREE(client);