authorRalph Boehme <slow@samba.org>2018-03-14 11:44:49 +0100
committerStefan Metzmacher <metze@samba.org>2018-03-20 21:28:30 +0100
commitabffcb8179101736dc98306d5232fd452ac63466 (patch)
tree37877d47950b6a83523203e6b8e1c5041a75de74 /libcli
parent8227b0a6c092ebe84ea4cc402a9fc4cb8766b229 (diff)
libcli/security: only announce a session as GUEST if 'Builtin\Guests' is there without 'Authenticated User'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13328 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit f564847c8e9d31fe07dd3cbf435986b36f097fa3)
Diffstat (limited to 'libcli')
-rw-r--r--libcli/security/session.c18
1 files changed, 11 insertions, 7 deletions
diff --git a/libcli/security/session.c b/libcli/security/session.c
index 0fbb87d584e..f17e884c847 100644
--- a/libcli/security/session.c
+++ b/libcli/security/session.c
@@ -26,6 +26,9 @@
enum security_user_level security_session_user_level(struct auth_session_info *session_info,
const struct dom_sid *domain_sid)
{
+ bool authenticated = false;
+ bool guest = false;
+
if (!session_info) {
return SECURITY_ANONYMOUS;
}
@@ -38,8 +41,13 @@ enum security_user_level security_session_user_level(struct auth_session_info *s
return SECURITY_ANONYMOUS;
}
- if (security_token_has_builtin_guests(session_info->security_token)) {
- return SECURITY_GUEST;
+ authenticated = security_token_has_nt_authenticated_users(session_info->security_token);
+ guest = security_token_has_builtin_guests(session_info->security_token);
+ if (!authenticated) {
+ if (guest) {
+ return SECURITY_GUEST;
+ }
+ return SECURITY_ANONYMOUS;
}
if (security_token_has_builtin_administrators(session_info->security_token)) {
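Review bot: The new `if (!authenticated)` early return sits ahead of the `security_token_has_builtin_administrators()` check and the later `SECURITY_DOMAIN_CONTROLLER` return, so a token without Authenticated Users is now reported as GUEST or ANONYMOUS even when it carries a privileged SID. Previously such a token reached those checks unless it also held Builtin\Guests. Failing closed looks intended, but the code does not say so, and whether any caller builds tokens without that SID is not visible from this hunk. I would add a comment above the block, e.g. `/* No Authenticated Users SID: at most GUEST; privileged SIDs below are deliberately not considered. */`, and a test for a token holding both Builtin\Guests and Authenticated Users. The function body starts and ends outside this hunk.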
@@ -60,9 +68,5 @@ enum security_user_level security_session_user_level(struct auth_session_info *s
return SECURITY_DOMAIN_CONTROLLER;
}
- if (security_token_has_nt_authenticated_users(session_info->security_token)) {
- return SECURITY_USER;
- }
-
- return SECURITY_ANONYMOUS;
+ return SECURITY_USER;
}
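Review bot: The function's final default changes from `SECURITY_ANONYMOUS` to `SECURITY_USER`, which is correct only while the `!authenticated` early return earlier in the function stays in place. If that guard is later moved or relaxed, unauthenticated tokens would fall through to USER. Keeping the tail fail-closed costs little: `if (authenticated) { return SECURITY_USER; }` followed by `return SECURITY_ANONYMOUS;`. If the shorter form is preferred, a comment such as `/* authenticated is true here, see the early return above */` would document the dependency. The start of the function is outside this hunk.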