diff options
author | Andrew Bartlett <abartlet@samba.org> | 2011-07-18 12:23:04 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2011-07-20 09:17:13 +1000 |
commit | 8d72e612ac2845cd873c4fd614456fe8749db130 (patch) | |
tree | c0f6d0774b59bf72045c5e35d0d25d09515f6727 | |
parent | 594597eb65a9abc0f6190f887ab0fd79caa58085 (diff) | |
download | samba-8d72e612ac2845cd873c4fd614456fe8749db130.tar.gz samba-8d72e612ac2845cd873c4fd614456fe8749db130.tar.bz2 samba-8d72e612ac2845cd873c4fd614456fe8749db130.zip |
s3-rpc_server read and write the unix_token and unix_info across named_pipe_auth
This ensures that the exact same token is used on both sides of the
pipe, when a full token is passed (ie, source3 to source3, but not yet
source4 to to source3 as the unix info isn't calculated there yet).
If we do not have unix_token, we fall back to the old behaviour and go
via create_local_token(). (However, in this case the security_token
is now overwritten, as it is better to have it match the rest of the
session_info create_local_token() builds).
Andrew Bartlett
Signed-off-by: Andrew Tridgell <tridge@samba.org>
-rw-r--r-- | source3/rpc_server/rpc_ncacn_np.c | 2 | ||||
-rw-r--r-- | source3/rpc_server/rpc_server.c | 67 |
2 files changed, 42 insertions, 27 deletions
diff --git a/source3/rpc_server/rpc_ncacn_np.c b/source3/rpc_server/rpc_ncacn_np.c index 0fa8e83329..f43d0b81bc 100644 --- a/source3/rpc_server/rpc_ncacn_np.c +++ b/source3/rpc_server/rpc_ncacn_np.c @@ -682,6 +682,8 @@ struct np_proxy_state *make_external_rpc_pipe_p(TALLOC_CTX *mem_ctx, /* Send the named_pipe_auth server the user's full token */ session_info_npa->security_token = session_info->security_token; session_info_npa->session_key = session_info->session_key; + session_info_npa->unix_token = session_info->unix_token; + session_info_npa->unix_info = session_info->unix_info; val.sam3 = session_info->info3; diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c index 7733b3819f..7e383e84c1 100644 --- a/source3/rpc_server/rpc_server.c +++ b/source3/rpc_server/rpc_server.c @@ -91,7 +91,6 @@ static int make_server_pipes_struct(TALLOC_CTX *mem_ctx, struct netr_SamInfo3 *info3; struct auth_user_info_dc *auth_user_info_dc; struct pipes_struct *p; - struct auth_serversupplied_info *server_info; NTSTATUS status; p = talloc_zero(mem_ctx, struct pipes_struct); @@ -139,34 +138,48 @@ static int make_server_pipes_struct(TALLOC_CTX *mem_ctx, return -1; } - status = make_server_info_info3(p, - info3->base.account_name.string, - info3->base.domain.string, - &server_info, info3); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to init server info\n")); - TALLOC_FREE(p); - *perrno = EINVAL; - return -1; - } + if (session_info->unix_token && session_info->unix_info && session_info->security_token) { + /* Don't call create_local_token(), we already have the full details here */ + p->session_info = talloc_zero(p, struct auth3_session_info); + if (p->session_info == NULL) { + TALLOC_FREE(p); + *perrno = ENOMEM; + return -1; + } + p->session_info->security_token = talloc_move(p->session_info, &session_info->security_token); + p->session_info->unix_token = talloc_move(p->session_info, &session_info->unix_token); + p->session_info->unix_info = talloc_move(p->session_info, &session_info->unix_info); + p->session_info->info3 = talloc_move(p->session_info, &info3); + p->session_info->session_key = session_info->session_key; + p->session_info->session_key.data = talloc_move(p->session_info, &session_info->session_key.data); - /* - * Some internal functions need a local token to determine access to - * resoutrces. - */ - status = create_local_token(p, server_info, &session_info->session_key, &p->session_info); - talloc_free(server_info); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to init local auth token\n")); - TALLOC_FREE(p); - *perrno = EINVAL; - return -1; - } + } else { + struct auth_serversupplied_info *server_info; - /* Now override the session_info->security_token with the exact - * security_token we were given from the other side, - * regardless of what we just calculated */ - p->session_info->security_token = talloc_move(p->session_info, &session_info->security_token); + status = make_server_info_info3(p, + info3->base.account_name.string, + info3->base.domain.string, + &server_info, info3); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to init server info\n")); + TALLOC_FREE(p); + *perrno = EINVAL; + return -1; + } + + /* + * Some internal functions need a local token to determine access to + * resources. + */ + status = create_local_token(p, server_info, &session_info->session_key, &p->session_info); + talloc_free(server_info); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to init local auth token\n")); + TALLOC_FREE(p); + *perrno = EINVAL; + return -1; + } + } p->remote_address = tsocket_address_copy(remote_address, p); if (p->remote_address == NULL) { |