From 2a83f03100deae0f13c255e41ab849d172859971 Mon Sep 17 00:00:00 2001 From: Jeffrey Altman Date: Wed, 25 Apr 2012 20:16:22 -0400 Subject: [PATCH] Windows: Remove High Security Integrated Logon High security mode for integrated logon never was high security. It use was deprecated in the 1.5 series and it has no use at all in the afs redirector world. Remove it. FIXES: 21702 Change-Id: I019b4fecc430517d29195e79e39529a782c88073 Reviewed-on: http://gerrit.openafs.org/7285 Tested-by: BuildBot Tested-by: Jeffrey Altman Reviewed-by: Jeffrey Altman --- doc/xml/ReleaseNotesWindows/relnotes.xml | 8 ------- src/WINNT/afsd/afslogon.c | 17 ++------------ src/WINNT/afsd/afslogon.h | 1 - src/WINNT/client_config/drivemap.cpp | 30 +++--------------------- src/WINNT/client_creds/main.cpp | 5 ++-- src/rxkad/rxkad.p.h | 1 - 6 files changed, 7 insertions(+), 55 deletions(-) diff --git a/doc/xml/ReleaseNotesWindows/relnotes.xml b/doc/xml/ReleaseNotesWindows/relnotes.xml index 93de7556e..04aa503a6 100644 --- a/doc/xml/ReleaseNotesWindows/relnotes.xml +++ b/doc/xml/ReleaseNotesWindows/relnotes.xml @@ -4669,16 +4669,8 @@ NSIS: %WINDIR%\SYSTEM32\afslogon.dll 0x00 - Integrated Logon is not used 0x01 - Integrated Logon is used - 0x02 - High Security Mode is used (deprecated) - 0x03 - Integrated Logon with High Security Mode is used (deprecated) - - High Security Mode generates random SMB names for the creation of Drive - Mappings. This mode should not be used without Integrated Logon. - As of 1.3.65 the SMB server supports SMB authentication. The High Security Mode - should not be used when using SMB authentication (SMBAuthType setting is non - zero).
Value: diff --git a/src/WINNT/afsd/afslogon.c b/src/WINNT/afsd/afslogon.c index 38f74997d..571dd78ed 100644 --- a/src/WINNT/afsd/afslogon.c +++ b/src/WINNT/afsd/afslogon.c @@ -476,13 +476,7 @@ GetDomainLogonOptions( PLUID lpLogonId, char * username, char * domain, LogonOpt } /* come up with SMB username */ - if(ISHIGHSECURITY(opt->LogonOption)) { - DebugEvent0("High Security Mode active"); - opt->smbName = malloc( MAXRANDOMNAMELEN ); - if (opt->smbName == NULL) - goto cleanup; - GenRandomName(opt->smbName); - } else if (lpLogonId) { + if (lpLogonId) { /* username and domain for logon session is not necessarily the same as username and domain passed into network provider. */ PSECURITY_LOGON_SESSION_DATA plsd=NULL; @@ -568,14 +562,7 @@ GetDomainLogonOptions( PLUID lpLogonId, char * username, char * domain, LogonOpt hkTemp = hkDoms; DebugEvent0("Located logon script in hkDoms"); } - /* Note that the LogonScript in the NP key is only used if we are doing high security. */ - else if(hkNp && ISHIGHSECURITY(opt->LogonOption)) { - rv = RegQueryValueExW(hkNp, REG_CLIENT_LOGON_SCRIPT_PARMW, 0, &dwType, NULL, &dwSize); - if(rv == ERROR_SUCCESS && !hkTemp && (dwType == REG_SZ || dwType == REG_EXPAND_SZ)) { - hkTemp = hkNp; - DebugEvent0("Located logon script in hkNp"); - } - } + /* Note that the LogonScript in the NP key not used. */ } if(hkTemp) { diff --git a/src/WINNT/afsd/afslogon.h b/src/WINNT/afsd/afslogon.h index bbac07d0a..ff3f48ac4 100644 --- a/src/WINNT/afsd/afslogon.h +++ b/src/WINNT/afsd/afslogon.h @@ -58,7 +58,6 @@ SOFTWARE. #define ISLOGONTRACE(v) ( ((v) & TRACE_OPTION_EVENT)==TRACE_OPTION_EVENT) #define ISLOGONINTEGRATED(v) ( ((v) & LOGON_OPTION_INTEGRATED)==LOGON_OPTION_INTEGRATED) -#define ISHIGHSECURITY(v) ( ((v) & LOGON_OPTION_HIGHSECURITY)==LOGON_OPTION_HIGHSECURITY) #define ISREMOTE(v) ( ((v) & LOGON_FLAG_REMOTE)==LOGON_FLAG_REMOTE) #define ISADREALM(v) ( ((v) & LOGON_FLAG_AD_REALM)==LOGON_FLAG_AD_REALM) 
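Review bot: With the `ISHIGHSECURITY` branch removed from the SMB-name selection in GetDomainLogonOptions, a LogonOptions value that still has bit 0x02 set is now ignored without any trace. A site that configured 0x02 or 0x03 expecting extra protection gets no signal that the setting is inert. The same commit also removes `LOGON_OPTION_HIGHSECURITY` and the release-notes entries for those values, so consider logging the condition once before the `if (lpLogonId)` test, for example `if (opt->LogonOption & 0x02) DebugEvent0("LogonOptions bit 0x02 (High Security Mode) is no longer supported and is ignored");`. The function starts and continues outside this hunk, so where LogonOption is read is not visible here.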
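Review bot: The replacement comment in the second afslogon.c hunk, `/* Note that the LogonScript in the NP key not used. */`, is missing its verb and does not say that the behaviour changed. I would write `/* The LogonScript value in the NetworkProvider key is no longer consulted. */`. Whether `hkNp` is still needed for other values in this function cannot be seen from the hunk; if it is not, the key open could presumably go as well.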
diff --git a/src/WINNT/client_config/drivemap.cpp b/src/WINNT/client_config/drivemap.cpp index 1769d5d5b..9e1a7da38 100644 --- a/src/WINNT/client_config/drivemap.cpp +++ b/src/WINNT/client_config/drivemap.cpp @@ -1149,8 +1149,6 @@ BOOL TestAndDoMapShare(DWORD dwState) return TRUE; } dwOldState=SERVICE_RUNNING; - if (RWLogonOption(TRUE,LOGON_OPTION_HIGHSECURITY)) - return (DoMapShare() && GlobalMountDrive()); return GlobalMountDrive(); } @@ -1175,9 +1173,7 @@ BOOL IsServiceActive() void TestAndDoUnMapShare() { - if (!RWLogonOption(TRUE,LOGON_OPTION_HIGHSECURITY)) - return; - DoUnMapShare(FALSE); + return; } void DoUnMapShare(BOOL drivemap) //disconnect drivemap @@ -1287,16 +1283,7 @@ BOOL DoMapShareChange(BOOL removeUnknown) DWORD cbUser=MAXRANDOMNAMELEN-1; CHAR szUser[MAXRANDOMNAMELEN]; CHAR * pUser = NULL; - if (WNetGetUser(szPath,(LPSTR)szUser,&cbUser)!=NO_ERROR) { - if (RWLogonOption(TRUE,LOGON_OPTION_HIGHSECURITY)) { - if (!pUserName[0]) { - GenRandomName(szUser,MAXRANDOMNAMELEN-1); - pUser = szUser; - } else { - pUser = pUserName; - } - } - } else { + if (WNetGetUser(szPath,(LPSTR)szUser,&cbUser)==NO_ERROR) { if ((pUser=strchr(szUser,'\\'))!=NULL) pUser++; } @@ -1332,16 +1319,7 @@ BOOL DoMapShare() DWORD cbUser=MAXRANDOMNAMELEN-1; CHAR szUser[MAXRANDOMNAMELEN]; CHAR * pUser = NULL; - if (WNetGetUser(szPath,(LPSTR)szUser,&cbUser)!=NO_ERROR) { - if (RWLogonOption(TRUE,LOGON_OPTION_HIGHSECURITY)) { - if (!pUserName[0]) { - GenRandomName(szUser,MAXRANDOMNAMELEN-1); - pUser = szUser; - } else { - pUser = pUserName; - } - } - } else { + if (WNetGetUser(szPath,(LPSTR)szUser,&cbUser)==NO_ERROR) { if ((pUser=strchr(szUser,'\\'))!=NULL) pUser++; } @@ -1376,8 +1354,6 @@ BOOL DoMapShare() continue; BOOL fPersistent = List.aDriveMap[chDrive-chDRIVE_A].fPersistent; - if (RWLogonOption(TRUE,LOGON_OPTION_HIGHSECURITY)) - fPersistent = FALSE; DWORD res=MountDOSDrive(chDrive ,szSubmount ,fPersistent,pUser); 
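Review bot: `TestAndDoUnMapShare()` is left with a body that is only `return;`, which reads like an unfinished edit rather than a deliberate no-op. Either remove the function together with its callers, or keep an empty body with a comment such as `/* No-op: only High Security Mode created mappings that had to be undone here. */`. The callers are outside this diff, so which option is practical cannot be judged from the hunk.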
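Review bot: In `DoMapShareChange` (hunk at -1287) and `DoMapShare` (hunk at -1319), `pUser` now stays NULL whenever `WNetGetUser` fails or the returned name contains no backslash, and `DoMapShare` passes it on to `MountDOSDrive` in the following hunk. `szUser` and `cbUser` are still sized with `MAXRANDOMNAMELEN`, a constant named for the random names this commit removes. Its value is not shown, and if it is shorter than a DOMAIN\user string the lookup would fail and drop into the NULL case silently. I would size the buffer with a constant intended for user names and document the fallback above the call, e.g. `/* pUser is NULL when the lookup fails or the name has no domain prefix */`. Both function bodies extend beyond their hunks.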
diff --git a/src/WINNT/client_creds/main.cpp b/src/WINNT/client_creds/main.cpp index 1ada86ead..b3d554c7c 100644 --- a/src/WINNT/client_creds/main.cpp +++ b/src/WINNT/client_creds/main.cpp @@ -86,7 +86,6 @@ extern "C" int WINAPI WinMain (HINSTANCE hInst, HINSTANCE hPrev, LPSTR pCmdLine, return 0; } -#define ISHIGHSECURITY(v) ( ((v) & LOGON_OPTION_HIGHSECURITY)==LOGON_OPTION_HIGHSECURITY) #define REG_CLIENT_PROVIDER_KEY "SYSTEM\\CurrentControlSet\\Services\\TransarcAFSDaemon\\NetworkProvider" BOOL InitApp (LPSTR pszCmdLineA) @@ -156,8 +155,8 @@ BOOL InitApp (LPSTR pszCmdLineA) case ':': CopyAnsiToString(g.SmbName,pszCmdLineA); - MapShareName(pszCmdLineA); - break; + MapShareName(pszCmdLineA); + break; case 'z': case 'Z': diff --git a/src/rxkad/rxkad.p.h b/src/rxkad/rxkad.p.h index 91d1f5208..55cfcfa74 100644 --- a/src/rxkad/rxkad.p.h +++ b/src/rxkad/rxkad.p.h @@ -28,7 +28,6 @@ #define MAXSMBNAMELEN 256 /* max length of an SMB name */ #define LOGON_OPTION_INTEGRATED 1 -#define LOGON_OPTION_HIGHSECURITY 2 /* * Define ticket types. For Kerberos V4 tickets, this is overloaded as -- 2.39.5