authorAndrew Bartlett <abartlet@samba.org>2011-07-18 12:23:04 +1000
committerAndrew Bartlett <abartlet@samba.org>2011-07-20 09:17:13 +1000
commit8d72e612ac2845cd873c4fd614456fe8749db130 (patch)
treec0f6d0774b59bf72045c5e35d0d25d09515f6727
parent594597eb65a9abc0f6190f887ab0fd79caa58085 (diff)
s3-rpc_server read and write the unix_token and unix_info across named_pipe_auth
This ensures that the exact same token is used on both sides of the pipe when a full token is passed (i.e. source3 to source3, but not yet source4 to source3, as the unix info isn't calculated there yet). If we do not have unix_token, we fall back to the old behaviour and go via create_local_token(). (However, in this case the security_token is now overwritten, as it is better to have it match the rest of the session_info that create_local_token() builds.) Andrew Bartlett Signed-off-by: Andrew Tridgell <tridge@samba.org>
-rw-r--r--source3/rpc_server/rpc_ncacn_np.c2
-rw-r--r--source3/rpc_server/rpc_server.c67
2 files changed, 42 insertions, 27 deletions
diff --git a/source3/rpc_server/rpc_ncacn_np.c b/source3/rpc_server/rpc_ncacn_np.c
index 0fa8e83329..f43d0b81bc 100644
--- a/source3/rpc_server/rpc_ncacn_np.c
+++ b/source3/rpc_server/rpc_ncacn_np.c
@@ -682,6 +682,8 @@ struct np_proxy_state *make_external_rpc_pipe_p(TALLOC_CTX *mem_ctx,
/* Send the named_pipe_auth server the user's full token */
session_info_npa->security_token = session_info->security_token;
session_info_npa->session_key = session_info->session_key;
+ session_info_npa->unix_token = session_info->unix_token;
+ session_info_npa->unix_info = session_info->unix_info;
val.sam3 = session_info->info3;
diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c
index 7733b3819f..7e383e84c1 100644
--- a/source3/rpc_server/rpc_server.c
+++ b/source3/rpc_server/rpc_server.c
@@ -91,7 +91,6 @@ static int make_server_pipes_struct(TALLOC_CTX *mem_ctx,
struct netr_SamInfo3 *info3;
struct auth_user_info_dc *auth_user_info_dc;
struct pipes_struct *p;
- struct auth_serversupplied_info *server_info;
NTSTATUS status;
p = talloc_zero(mem_ctx, struct pipes_struct);
@@ -139,34 +138,48 @@ static int make_server_pipes_struct(TALLOC_CTX *mem_ctx,
return -1;
}
- status = make_server_info_info3(p,
- info3->base.account_name.string,
- info3->base.domain.string,
- &server_info, info3);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to init server info\n"));
- TALLOC_FREE(p);
- *perrno = EINVAL;
- return -1;
- }
+ if (session_info->unix_token && session_info->unix_info && session_info->security_token) {
+ /* Don't call create_local_token(), we already have the full details here */
+ p->session_info = talloc_zero(p, struct auth3_session_info);
+ if (p->session_info == NULL) {
+ TALLOC_FREE(p);
+ *perrno = ENOMEM;
+ return -1;
+ }
+ p->session_info->security_token = talloc_move(p->session_info, &session_info->security_token);
+ p->session_info->unix_token = talloc_move(p->session_info, &session_info->unix_token);
+ p->session_info->unix_info = talloc_move(p->session_info, &session_info->unix_info);
+ p->session_info->info3 = talloc_move(p->session_info, &info3);
+ p->session_info->session_key = session_info->session_key;
+ p->session_info->session_key.data = talloc_move(p->session_info, &session_info->session_key.data);
- /*
- * Some internal functions need a local token to determine access to
- * resoutrces.
- */
- status = create_local_token(p, server_info, &session_info->session_key, &p->session_info);
- talloc_free(server_info);
- if (!NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed to init local auth token\n"));
- TALLOC_FREE(p);
- *perrno = EINVAL;
- return -1;
- }
+ } else {
+ struct auth_serversupplied_info *server_info;
- /* Now override the session_info->security_token with the exact
- * security_token we were given from the other side,
- * regardless of what we just calculated */
- p->session_info->security_token = talloc_move(p->session_info, &session_info->security_token);
+ status = make_server_info_info3(p,
+ info3->base.account_name.string,
+ info3->base.domain.string,
+ &server_info, info3);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Failed to init server info\n"));
+ TALLOC_FREE(p);
+ *perrno = EINVAL;
+ return -1;
+ }
+
+ /*
+ * Some internal functions need a local token to determine access to
+ * resources.
+ */
+ status = create_local_token(p, server_info, &session_info->session_key, &p->session_info);
+ talloc_free(server_info);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1, ("Failed to init local auth token\n"));
+ TALLOC_FREE(p);
+ *perrno = EINVAL;
+ return -1;
+ }
+ }
p->remote_address = tsocket_address_copy(remote_address, p);
if (p->remote_address == NULL) {
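Review bot: The new branch at `if (session_info->unix_token && session_info->unix_info && session_info->security_token)` adopts the uid/gid, group list and SIDs exactly as they arrived over named_pipe_auth, with no cross-check against `info3` and no log line saying which path was taken. Access control on the named_pipe_auth socket therefore looks like the only thing that decides which Unix identity the RPC handlers will act as; how that socket is protected is not visible in this hunk, so the assumption should be written down here. I would add a comment above the branch such as `/* unix_token and unix_info are trusted as sent by the npa peer; the socket must only be reachable by trusted local processes */`. I would also add `DEBUG(10, ("Using session_info passed over named_pipe_auth\n"));` inside the branch so the two paths can be told apart in logs. make_server_pipes_struct begins before and continues after this hunk.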