archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8 Commits
1 Branch
0 Tags
2.0 GiB
Tree: 744f0b4006
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '744f0b4006'
${ noResults }
windows-xp/Source/XPSP1/NT/net/sfm/afp/server/client.c

740 lines
20 KiB
Raw Normal View History

Add source files
4 years ago
  1. /*
  3. Copyright (c) 1992 Microsoft Corporation
  5. Module Name:
  7. client.c
  9. Abstract:
  11. This module contains the client impersonation code.
  13. Author:
  15. Jameel Hyder (microsoft!jameelh)
  18. Revision History:
  19. 16 Jun 1992 Initial Version
  21. Notes: Tab stop: 4
  22. --*/
  24. #define FILENUM FILE_CLIENT
  26. #include <afp.h>
  27. #include <client.h>
  28. #include <access.h>
  29. #include <secutil.h>
  31. #ifdef ALLOC_PRAGMA
  32. #pragma alloc_text( PAGE, AfpImpersonateClient)
  33. #pragma alloc_text( PAGE, AfpRevertBack)
  34. #pragma alloc_text( PAGE, AfpGetChallenge)
  35. #pragma alloc_text( PAGE, AfpLogonUser)
  36. #endif
  40. /*** AfpImpersonateClient
  41. *
  42. * Impersonates the remote client. The token representing the remote client
  43. * is available in the SDA. If the SDA is NULL (i.e. server context) then
  44. * impersonate the token that we have created for ourselves.
  45. */
  46. VOID
  47. AfpImpersonateClient(
  48. IN PSDA pSda OPTIONAL
  49. )
  50. {
  51. NTSTATUS Status = STATUS_SUCCESS;
  52. HANDLE Token;
  54. PAGED_CODE( );
  56. if (pSda != NULL)
  57. {
  58. Token = pSda->sda_UserToken;
  59. }
  60. else Token = AfpFspToken;
  62. ASSERT(Token != NULL);
  64. Status = NtSetInformationThread(NtCurrentThread(),
  65. ThreadImpersonationToken,
  66. (PVOID)&Token,
  67. sizeof(Token));
  68. ASSERT(NT_SUCCESS(Status));
  69. }
  72. /*** AfpRevertBack
  73. *
  74. * Revert back to the default thread context.
  75. */
  76. VOID
  77. AfpRevertBack(
  78. VOID
  79. )
  80. {
  81. NTSTATUS Status = STATUS_SUCCESS;
  82. HANDLE Handle = NULL;
  84. PAGED_CODE( );
  86. Status = NtSetInformationThread(NtCurrentThread(),
  87. ThreadImpersonationToken,
  88. (PVOID)&Handle,
  89. sizeof(Handle));
  90. ASSERT(NT_SUCCESS(Status));
  91. }
  94. /*** AfpGetChallenge
  95. *
  96. * Obtain a challenge token from the MSV1_0 package. This token is used by
  97. * AfpLogin call.
  98. *
  99. * The following function modified so that we generate the challenge ourselves
  100. * instead of making a call. This routine borrowed almost verbatim from
  101. * the LM server code.
  102. */
  103. PBYTE
  104. AfpGetChallenge(
  105. IN VOID
  106. )
  107. {
  108. PMSV1_0_LM20_CHALLENGE_REQUEST ChallengeRequest;
  109. PMSV1_0_LM20_CHALLENGE_RESPONSE ChallengeResponse;
  110. ULONG Length;
  111. PBYTE pRetBuf;
  112. NTSTATUS Status, StatusX;
  113. union
  114. {
  115. LARGE_INTEGER time;
  116. UCHAR bytes[8];
  117. } u;
  119. ULONG seed;
  120. ULONG challenge[2];
  121. ULONG result3;
  123. PAGED_CODE( );
  125. ChallengeRequest = NULL;
  127. //
  128. // Create a pseudo-random 8-byte number by munging the system time
  129. // for use as a random number seed.
  130. //
  131. // Start by getting the system time.
  132. //
  134. ASSERT( MSV1_0_CHALLENGE_LENGTH == 2 * sizeof(ULONG) );
  136. KeQuerySystemTime( &u.time );
  138. //
  139. // To ensure that we don't use the same system time twice, add in the
  140. // count of the number of times this routine has been called. Then
  141. // increment the counter.
  142. //
  143. // *** Since we don't use the low byte of the system time (it doesn't
  144. // take on enough different values, because of the timer
  145. // resolution), we increment the counter by 0x100.
  146. //
  147. // *** We don't interlock the counter because we don't really care
  148. // if it's not 100% accurate.
  149. //
  151. u.time.LowPart += EncryptionKeyCount;
  153. EncryptionKeyCount += 0x100;
  155. //
  156. // Now use parts of the system time as a seed for the random
  157. // number generator.
  158. //
  159. // *** Because the middle two bytes of the low part of the system
  160. // time change most rapidly, we use those in forming the seed.
  161. //
  163. seed = ((u.bytes[1] + 1) << 0) |
  164. ((u.bytes[2] + 0) << 8) |
  165. ((u.bytes[2] - 1) << 16) |
  166. ((u.bytes[1] + 0) << 24);
  168. //
  169. // Now get two random numbers. RtlRandom does not return negative
  170. // numbers, so we pseudo-randomly negate them.
  171. //
  173. challenge[0] = RtlRandom( &seed );
  174. challenge[1] = RtlRandom( &seed );
  175. result3 = RtlRandom( &seed );
  177. if ( (result3 & 0x1) != 0 )
  178. {
  179. challenge[0] |= 0x80000000;
  180. }
  181. if ( (result3 & 0x2) != 0 )
  182. {
  183. challenge[1] |= 0x80000000;
  184. }
  186. // Allocate a buffer to hold the challenge and copy it in
  187. if ((pRetBuf = AfpAllocNonPagedMemory(MSV1_0_CHALLENGE_LENGTH)) != NULL)
  188. {
  189. RtlCopyMemory(pRetBuf, challenge, MSV1_0_CHALLENGE_LENGTH);
  190. }
  192. return (pRetBuf);
  193. }
  197. /*** AfpLogonUser
  198. *
  199. * Attempt to login the user. The password is either encrypted or cleartext
  200. * based on the UAM used. The UserName and domain is extracted out of the Sda.
  201. *
  202. * LOCKS: AfpStatisticsLock (SPIN)
  203. */
  204. AFPSTATUS
  205. AfpLogonUser(
  206. IN PSDA pSda,
  207. IN PANSI_STRING UserPasswd
  208. )
  209. {
  210. NTSTATUS Status, SubStatus;
  211. PUNICODE_STRING WSName;
  212. ULONG ulUnused;
  213. ULONG NtlmInTokenSize;
  214. PNTLM_AUTHENTICATE_MESSAGE NtlmInToken = NULL;
  215. PAUTHENTICATE_MESSAGE InToken = NULL;
  216. ULONG InTokenSize;
  217. PNTLM_ACCEPT_RESPONSE OutToken = NULL;
  218. ULONG OutTokenSize;
  219. SIZE_T AllocateSize;
  220. SecBufferDesc InputToken;
  221. SecBuffer InputBuffers[2];
  222. SecBufferDesc OutputToken;
  223. SecBuffer OutputBuffer;
  224. CtxtHandle hNewContext;
  225. TimeStamp Expiry;
  226. ULONG BufferOffset;
  227. PCHAR pTmp;
  228. PRAS_SUBAUTH_INFO pRasSubAuthInfo;
  229. PARAP_SUBAUTH_REQ pSfmSubAuthInfo;
  230. PARAP_SUBAUTH_RESP pSfmResp;
  231. DWORD ResponseHigh;
  232. DWORD ResponseLow;
  233. DWORD dwTmpLen;
  236. PAGED_CODE( );
  238. ASSERT(KeGetCurrentIrql() < DISPATCH_LEVEL);
  240. #ifdef OPTIMIZE_GUEST_LOGONS
  241. // 11/28/94 SueA: Now that there is a License Service to track the number
  242. // of sessions via LsaLogonUser, we can no longer fake the guest tokens.
  244. // Optimization for subsequent guest logons
  245. // After the first guest logon, we save the token and do not free it till the
  246. // server stops. All subsequent guest logons 'share' that token.
  247. if (pSda->sda_ClientType == SDA_CLIENT_GUEST)
  248. {
  249. AfpSwmrAcquireExclusive(&AfpEtcMapLock);
  251. if (AfpGuestToken != NULL)
  252. {
  253. pSda->sda_UserToken = AfpGuestToken;
  254. pSda->sda_UserSid = &AfpSidWorld;
  255. pSda->sda_GroupSid = &AfpSidWorld; // Primary group of Guest is also 'World'
  256. #ifdef INHERIT_DIRECTORY_PERMS
  257. pSda->sda_UID = AfpIdWorld;
  258. pSda->sda_GID = AfpIdWorld;
  259. #else
  260. ASSERT (AfpGuestSecDesc != NULL);
  261. pSda->sda_pSecDesc = AfpGuestSecDesc;
  262. #endif
  263. AfpSwmrRelease(&AfpEtcMapLock);
  264. return AFP_ERR_NONE;
  265. }
  266. else
  267. {
  268. AfpSwmrRelease(&AfpEtcMapLock);
  269. }
  270. }
  272. #endif // OPTIMIZE_GUEST_LOGONS
  275. WSName = &AfpDefaultWksta;
  276. if (pSda->sda_WSName.Length != 0)
  277. WSName = &pSda->sda_WSName;
  280. //
  281. // Figure out how big a buffer we need. We put all the messages
  282. // in one buffer for efficiency's sake.
  283. //
  285. NtlmInTokenSize = sizeof(NTLM_AUTHENTICATE_MESSAGE);
  287. // alignment needs to be correct based on 32/64 bit addressing!!!
  288. NtlmInTokenSize = (NtlmInTokenSize + 7) & 0xfffffff8;
  290. InTokenSize = sizeof(AUTHENTICATE_MESSAGE) +
  291. pSda->sda_UserName.Length +
  292. WSName->Length +
  293. (sizeof(RAS_SUBAUTH_INFO) + sizeof(ARAP_SUBAUTH_REQ)) +
  294. pSda->sda_DomainName.Length +
  295. UserPasswd->Length +
  296. 24; // extra for byte aligning
  298. InTokenSize = (InTokenSize + 7) & 0xfffffff8;
  300. OutTokenSize = sizeof(NTLM_ACCEPT_RESPONSE);
  301. OutTokenSize = (OutTokenSize + 7) & 0xfffffff8;
  303. //
  304. // Round this up to 8 byte boundary becaus the out token needs to be
  305. // quad word aligned for the LARGE_INTEGER.
  306. //
  307. AllocateSize = ((NtlmInTokenSize + InTokenSize + 7) & 0xfffffff8) + OutTokenSize;
  310. Status = NtAllocateVirtualMemory(NtCurrentProcess(),
  311. &InToken,
  312. 0L,
  313. &AllocateSize,
  314. MEM_COMMIT,
  315. PAGE_READWRITE);
  317. if (!NT_SUCCESS(Status))
  318. {
  319. AFPLOG_ERROR(AFPSRVMSG_PAGED_POOL, Status, &AllocateSize,sizeof(AllocateSize), NULL);
  320. #if DBG
  321. DbgBreakPoint();
  322. #endif
  323. return(AFP_ERR_MISC);
  324. }
  326. NtlmInToken = (PNTLM_AUTHENTICATE_MESSAGE) ((PUCHAR) InToken + InTokenSize);
  327. OutToken = (PNTLM_ACCEPT_RESPONSE) ((PUCHAR)NtlmInToken + ((NtlmInTokenSize + 7) & 0xfffffff8));
  329. RtlZeroMemory(InToken, InTokenSize + NtlmInTokenSize);
  331. //
  332. // set up the NtlmInToken first
  333. //
  335. if (pSda->sda_Challenge)
  336. {
  337. RtlCopyMemory(NtlmInToken->ChallengeToClient,
  338. pSda->sda_Challenge,
  339. MSV1_0_CHALLENGE_LENGTH );
  340. }
  342. if ((pSda->sda_ClientType == SDA_CLIENT_RANDNUM) ||
  343. (pSda->sda_ClientType == SDA_CLIENT_TWOWAY))
  344. {
  345. NtlmInToken->ParameterControl = (MSV1_0_SUBAUTHENTICATION_DLL_RAS << 24);
  346. }
  347. else
  348. {
  349. NtlmInToken->ParameterControl = 0;
  350. }
  352. //
  353. // Okay, now for the tought part - marshalling the AUTHENTICATE_MESSAGE
  354. //
  356. RtlCopyMemory(InToken->Signature,
  357. NTLMSSP_SIGNATURE,
  358. sizeof(NTLMSSP_SIGNATURE) );
  360. InToken->MessageType = NtLmAuthenticate;
  362. BufferOffset = sizeof(AUTHENTICATE_MESSAGE);
  364. //
  365. // LM password - case insensitive
  366. //
  368. pTmp = (PBYTE)InToken + BufferOffset;
  369. *(LPWSTR)pTmp = L'\0';
  371. InToken->LmChallengeResponse.Buffer = BufferOffset;
  372. InToken->LmChallengeResponse.Length = 1;
  373. InToken->LmChallengeResponse.MaximumLength = sizeof(WCHAR);
  375. InToken->NtChallengeResponse.Buffer = BufferOffset;
  376. InToken->NtChallengeResponse.Length = 0;
  377. InToken->NtChallengeResponse.MaximumLength = sizeof(WCHAR);
  379. InToken->DomainName.Buffer = BufferOffset;
  380. InToken->DomainName.Length = 0;
  381. InToken->DomainName.MaximumLength = sizeof(WCHAR);
  383. InToken->Workstation.Buffer = BufferOffset;
  384. InToken->Workstation.Length = 0;
  385. InToken->Workstation.MaximumLength = sizeof(WCHAR);
  387. InToken->UserName.Buffer = BufferOffset;
  388. InToken->UserName.Length = 0;
  389. InToken->UserName.MaximumLength = sizeof(WCHAR);
  392. if (pSda->sda_UserName.Length != 0)
  393. {
  395. if (pSda->sda_DomainName.Length != 0)
  396. {
  398. InToken->DomainName.Length = pSda->sda_DomainName.Length;
  399. InToken->DomainName.MaximumLength = pSda->sda_DomainName.MaximumLength;
  401. InToken->DomainName.Buffer = BufferOffset;
  402. RtlCopyMemory((PBYTE)InToken + BufferOffset,
  403. (PBYTE)pSda->sda_DomainName.Buffer,
  404. pSda->sda_DomainName.Length);
  405. BufferOffset += pSda->sda_DomainName.Length;
  406. BufferOffset = (BufferOffset + 3) & 0xfffffffc; // dword align it
  407. }
  410. InToken->LmChallengeResponse.Buffer = BufferOffset;
  412. //
  413. // is he using native Apple UAM? setup buffers differently!
  414. //
  415. if ((pSda->sda_ClientType == SDA_CLIENT_RANDNUM) ||
  416. (pSda->sda_ClientType == SDA_CLIENT_TWOWAY))
  417. {
  418. pRasSubAuthInfo =
  419. (PRAS_SUBAUTH_INFO)((PBYTE)InToken + BufferOffset);
  421. pRasSubAuthInfo->ProtocolType = RAS_SUBAUTH_PROTO_ARAP;
  422. pRasSubAuthInfo->DataSize = sizeof(ARAP_SUBAUTH_REQ);
  424. pSfmSubAuthInfo = (PARAP_SUBAUTH_REQ)&pRasSubAuthInfo->Data[0];
  426. if (pSda->sda_ClientType == SDA_CLIENT_RANDNUM)
  427. {
  428. pSfmSubAuthInfo->PacketType = SFM_SUBAUTH_LOGON_PKT;
  429. }
  430. else
  431. {
  432. pSfmSubAuthInfo->PacketType = SFM_2WAY_SUBAUTH_LOGON_PKT;
  433. }
  435. pSfmSubAuthInfo->Logon.fGuestLogon = FALSE;
  437. ASSERT(pSda->sda_Challenge != NULL);
  439. // put the 2 dwords of challenge that we gave the Mac
  440. pTmp = pSda->sda_Challenge;
  441. GETDWORD2DWORD_NOCONV((PBYTE)&pSfmSubAuthInfo->Logon.NTChallenge1,pTmp);
  443. pTmp += sizeof(DWORD);
  444. GETDWORD2DWORD_NOCONV((PBYTE)&pSfmSubAuthInfo->Logon.NTChallenge2,pTmp);
  446. // put the 2 dwords of response that the Mac gave us
  447. pTmp = UserPasswd->Buffer;
  448. GETDWORD2DWORD_NOCONV((PBYTE)&pSfmSubAuthInfo->Logon.MacResponse1,pTmp);
  450. pTmp += sizeof(DWORD);
  451. GETDWORD2DWORD_NOCONV((PBYTE)&pSfmSubAuthInfo->Logon.MacResponse2,pTmp);
  453. // 2-way guy sends his own challenge: doesn't trust us!
  454. if (pSda->sda_ClientType == SDA_CLIENT_TWOWAY)
  455. {
  456. pTmp += sizeof(DWORD);
  457. GETDWORD2DWORD_NOCONV((PBYTE)&pSfmSubAuthInfo->Logon.MacChallenge1,pTmp);
  459. pTmp += sizeof(DWORD);
  460. GETDWORD2DWORD_NOCONV((PBYTE)&pSfmSubAuthInfo->Logon.MacChallenge2,pTmp);
  461. }
  463. dwTmpLen = (sizeof(RAS_SUBAUTH_INFO) + sizeof(ARAP_SUBAUTH_REQ));
  464. InToken->LmChallengeResponse.Length = (USHORT)dwTmpLen;
  465. InToken->LmChallengeResponse.MaximumLength = (USHORT)dwTmpLen;
  467. BufferOffset += dwTmpLen;
  468. }
  470. //
  471. // this client is using MS-UAM or Apple's cleartext
  472. //
  473. else
  474. {
  475. InToken->LmChallengeResponse.Length = UserPasswd->Length;
  476. InToken->LmChallengeResponse.MaximumLength = UserPasswd->MaximumLength;
  478. RtlCopyMemory( (PBYTE)InToken + BufferOffset,
  479. UserPasswd->Buffer,
  480. UserPasswd->Length );
  482. BufferOffset += UserPasswd->Length;
  483. }
  486. BufferOffset = (BufferOffset + 3) & 0xfffffffc; // dword align it
  488. //
  489. // Workstation Name
  490. //
  492. InToken->Workstation.Buffer = BufferOffset;
  493. InToken->Workstation.Length = WSName->Length;
  494. InToken->Workstation.MaximumLength = WSName->MaximumLength;
  496. RtlCopyMemory((PBYTE)InToken + BufferOffset,
  497. WSName->Buffer,
  498. WSName->Length);
  500. BufferOffset += WSName->Length;
  501. BufferOffset = (BufferOffset + 3) & 0xfffffffc; // dword align it
  503. //
  504. // User Name
  505. //
  507. InToken->UserName.Buffer = BufferOffset;
  508. InToken->UserName.Length = pSda->sda_UserName.Length;
  509. InToken->UserName.MaximumLength = pSda->sda_UserName.MaximumLength;
  511. RtlCopyMemory((PBYTE)InToken + BufferOffset,
  512. pSda->sda_UserName.Buffer,
  513. pSda->sda_UserName.Length);
  515. BufferOffset += pSda->sda_UserName.Length;
  516. }
  519. InputToken.pBuffers = InputBuffers;
  520. InputToken.cBuffers = 2;
  521. InputToken.ulVersion = 0;
  522. InputBuffers[0].pvBuffer = InToken;
  523. InputBuffers[0].cbBuffer = InTokenSize;
  524. InputBuffers[0].BufferType = SECBUFFER_TOKEN;
  525. InputBuffers[1].pvBuffer = NtlmInToken;
  526. InputBuffers[1].cbBuffer = NtlmInTokenSize;
  527. InputBuffers[1].BufferType = SECBUFFER_TOKEN;
  529. OutputToken.pBuffers = &OutputBuffer;
  530. OutputToken.cBuffers = 1;
  531. OutputToken.ulVersion = 0;
  532. OutputBuffer.pvBuffer = OutToken;
  533. OutputBuffer.cbBuffer = OutTokenSize;
  534. OutputBuffer.BufferType = SECBUFFER_TOKEN;
  536. Status = AcceptSecurityContext(&AfpSecHandle,
  537. NULL,
  538. &InputToken,
  539. ASC_REQ_LICENSING,
  540. SECURITY_NATIVE_DREP,
  541. &hNewContext,
  542. &OutputToken,
  543. &ulUnused,
  544. &Expiry );
  546. if (NT_SUCCESS(Status))
  547. {
  548. AFPTIME CurrentTime;
  549. NTSTATUS SecStatus;
  551. if (pSda->sda_ClientType != SDA_CLIENT_GUEST)
  552. {
  553. SecPkgContext_PasswordExpiry PasswordExpires;
  556. // Get the kickoff time from the profile buffer. Round this to
  557. // even # of SESSION_CHECK_TIME units
  559. SecStatus = QueryContextAttributes(
  560. &hNewContext,
  561. SECPKG_ATTR_PASSWORD_EXPIRY,
  562. &PasswordExpires
  563. );
  565. if( SecStatus == NO_ERROR )
  566. {
  567. AfpGetCurrentTimeInMacFormat(&CurrentTime);
  569. pSda->sda_tTillKickOff = (DWORD)
  570. ( AfpConvertTimeToMacFormat(&PasswordExpires.tsPasswordExpires) -
  571. CurrentTime );
  573. pSda->sda_tTillKickOff -= pSda->sda_tTillKickOff % SESSION_CHECK_TIME;
  574. }
  575. else
  576. {
  577. DBGPRINT(DBG_COMP_SECURITY, DBG_LEVEL_ERR,
  578. ("AfpLogonUser: QueryContextAttributes failed %lx\n",SecStatus));
  579. }
  580. }
  582. // return stuff from subauth
  583. pSfmResp = (PARAP_SUBAUTH_RESP)&OutToken->UserSessionKey[0];
  585. ResponseHigh = pSfmResp->Response.high;
  586. ResponseLow = pSfmResp->Response.low;
  588. SubStatus = NtFreeVirtualMemory(NtCurrentProcess( ),
  589. (PVOID *)&InToken,
  590. &AllocateSize,
  591. MEM_RELEASE);
  592. ASSERT(NT_SUCCESS(SubStatus));
  594. //
  595. // 2-Way authentication? client expects us to send a response to
  596. // the challenge that it sent
  597. //
  598. if (pSda->sda_ClientType == SDA_CLIENT_TWOWAY)
  599. {
  600. pSda->sda_ReplySize = RANDNUM_RESP_LEN;
  602. if (AfpAllocReplyBuf(pSda) != AFP_ERR_NONE)
  603. {
  604. return(AFP_ERR_USER_NOT_AUTH);
  605. }
  607. pTmp = pSda->sda_ReplyBuf;
  608. PUTBYTE42BYTE4(pTmp, (PBYTE)&ResponseHigh);
  610. pTmp += sizeof(DWORD);
  611. PUTBYTE42BYTE4(pTmp, (PBYTE)&ResponseLow);
  612. }
  614. else if (pSda->sda_ClientType == SDA_CLIENT_MSUAM_V2)
  615. {
  616. pSda->sda_ReplySize = sizeof(DWORD);
  618. if (AfpAllocReplyBuf(pSda) != AFP_ERR_NONE)
  619. {
  620. return(AFP_ERR_USER_NOT_AUTH);
  621. }
  623. pTmp = pSda->sda_ReplyBuf;
  624. PUTBYTE42BYTE4(pTmp, (PBYTE)&pSda->sda_tTillKickOff);
  625. }
  627. }
  629. else // if (NT_SUCCESS(Status) != NO_ERROR)
  630. {
  631. NTSTATUS ExtErrCode = Status;
  633. DBGPRINT(DBG_COMP_SECURITY, DBG_LEVEL_ERR,
  634. ("AfpLogonUser: AcceptSecurityContext() failed with %X\n", Status));
  636. SubStatus = NtFreeVirtualMemory(NtCurrentProcess(),
  637. (PVOID *)&InToken,
  638. &AllocateSize,
  639. MEM_RELEASE );
  640. ASSERT(NT_SUCCESS(SubStatus));
  642. // Set extended error codes here if using custom UAM or AFP 2.1
  643. Status = AFP_ERR_USER_NOT_AUTH; // default
  645. // The mac will map this to a session error dialog for each UAM.
  646. // The dialog may be a little different for different versions of
  647. // the mac OS and each UAM, but will always have something to do
  648. // with getting the message across about no more sessions available.
  650. if (ExtErrCode == STATUS_LICENSE_QUOTA_EXCEEDED)
  651. {
  652. DBGPRINT(DBG_COMP_SECURITY, DBG_LEVEL_ERR,
  653. ("AfpLogonUser: License Quota Exceeded: returning ASP_SERVER_BUSY\n"));
  654. return (ASP_SERVER_BUSY);
  655. }
  657. if ((pSda->sda_ClientVersion >= AFP_VER_21) &&
  658. (pSda->sda_ClientType != SDA_CLIENT_MSUAM_V2) &&
  659. (pSda->sda_ClientType != SDA_CLIENT_MSUAM_V2))
  660. {
  661. if ((ExtErrCode == STATUS_PASSWORD_EXPIRED) ||
  662. (ExtErrCode == STATUS_PASSWORD_MUST_CHANGE))
  663. Status = AFP_ERR_PWD_EXPIRED;
  664. }
  665. else if ((pSda->sda_ClientType == SDA_CLIENT_MSUAM_V1) ||
  666. (pSda->sda_ClientType == SDA_CLIENT_MSUAM_V2))
  667. {
  668. if ((ExtErrCode == STATUS_PASSWORD_EXPIRED) ||
  669. (ExtErrCode == STATUS_PASSWORD_MUST_CHANGE))
  670. Status = AFP_ERR_PASSWORD_EXPIRED;
  671. else if ((ExtErrCode == STATUS_ACCOUNT_DISABLED) ||
  672. (ExtErrCode == STATUS_ACCOUNT_LOCKED_OUT))
  673. Status = AFP_ERR_ACCOUNT_DISABLED;
  674. else if (ExtErrCode == STATUS_INVALID_LOGON_HOURS)
  675. Status = AFP_ERR_INVALID_LOGON_HOURS;
  676. else if (ExtErrCode == STATUS_INVALID_WORKSTATION)
  677. Status = AFP_ERR_INVALID_WORKSTATION;
  678. }
  680. return( Status );
  681. }
  683. //
  684. // get the token out using the context
  685. //
  686. Status = QuerySecurityContextToken( &hNewContext, &pSda->sda_UserToken );
  687. if (!NT_SUCCESS(Status))
  688. {
  689. DBGPRINT(DBG_COMP_SECURITY, DBG_LEVEL_ERR,
  690. ("AfpLogonUser: QuerySecurityContextToken() failed with %X\n", Status));
  691. pSda->sda_UserToken = NULL; // just paranoia
  692. return(Status);
  693. }
  695. Status = DeleteSecurityContext( &hNewContext );
  696. if (!NT_SUCCESS(Status))
  697. {
  698. DBGPRINT(DBG_COMP_SECURITY, DBG_LEVEL_ERR,
  699. ("AfpLogonUser: DeleteSecurityContext() failed with %X\n", Status));
  700. }
  702. Status = AfpGetUserAndPrimaryGroupSids(pSda);
  703. if (!NT_SUCCESS(Status))
  704. {
  705. DBGPRINT(DBG_COMP_SECURITY, DBG_LEVEL_ERR,
  706. ("AfpLogonUser: AfpGetUserAndPrimaryGroupSids() failed with %X\n", Status));
  707. AFPLOG_ERROR(AFPSRVMSG_LOGON, Status, NULL, 0, NULL);
  708. return( Status );
  709. }
  711. #ifdef INHERIT_DIRECTORY_PERMS
  712. // Convert the user and group sids to IDs
  713. AfpSidToMacId(pSda->sda_UserSid, &pSda->sda_UID);
  715. AfpSidToMacId(pSda->sda_GroupSid, &pSda->sda_GID);
  716. #else
  717. // Make a security descriptor for user
  718. Status = AfpMakeSecurityDescriptorForUser(pSda->sda_UserSid,
  719. pSda->sda_GroupSid,
  720. &pSda->sda_pSecDesc);
  721. #endif
  723. #ifdef OPTIMIZE_GUEST_LOGONS
  724. if (pSda->sda_ClientType == SDA_CLIENT_GUEST)
  725. {
  726. // Save the guest login token and security descriptor
  727. AfpSwmrAcquireExclusive(&AfpEtcMapLock);
  728. AfpGuestToken = pSda->sda_UserToken;
  730. #ifdef INHERIT_DIRECTORY_PERMS
  731. AfpSidToMacId(&AfpSidWorld, &AfpIdWorld);
  732. #else
  733. AfpGuestSecDesc = pSda->sda_pSecDesc;
  734. #endif
  735. AfpSwmrRelease(&AfpEtcMapLock);
  736. }
  737. #endif // OPTIMIZE_GUEST_LOGONS
  739. return Status;
  740. }