diff options
| author | Andrew Bartlett <abartlet@samba.org> | 2010-04-19 15:51:57 +1000 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2010-05-20 17:39:10 +1000 |
| commit | 9c6b637ce8a750fa2fef6a5d3a303bf9e6c4eea5 (patch) | |
| tree | 1526cb9826169a6ea4162b5c3f13f279cda4ff7b /source4/smbd/service_named_pipe.c | |
| parent | 3ff2766231625863140434bab18b27d5105deb3c (diff) | |
| download | samba-9c6b637ce8a750fa2fef6a5d3a303bf9e6c4eea5.tar.gz samba-9c6b637ce8a750fa2fef6a5d3a303bf9e6c4eea5.tar.bz2 samba-9c6b637ce8a750fa2fef6a5d3a303bf9e6c4eea5.zip | |
s4:auth Change auth_generate_session_info to take flags
This allows us to control what groups should be added in what use
cases, and in particular to more carefully control the introduction of
the 'authenticated' group.
In particular, in the 'service_named_pipe' protocol, we do not have
control over the addition of the authenticated users group, so we key
of 'is this user the anonymous SID'.
This also takes more care to allocate the right length ptoken->sids
Andrew Bartlett
Diffstat (limited to 'source4/smbd/service_named_pipe.c')
| -rw-r--r-- | source4/smbd/service_named_pipe.c | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/source4/smbd/service_named_pipe.c b/source4/smbd/service_named_pipe.c index d78fd72cc2..235d4c2a3a 100644 --- a/source4/smbd/service_named_pipe.c +++ b/source4/smbd/service_named_pipe.c @@ -35,6 +35,7 @@ #include "libcli/raw/smb.h" #include "auth/credentials/credentials.h" #include "auth/credentials/credentials_krb5.h" +#include "libcli/security/dom_sid.h" struct named_pipe_socket { const char *pipe_name; @@ -164,6 +165,8 @@ static void named_pipe_auth_request(struct tevent_req *subreq) struct named_pipe_auth_req pipe_request; struct named_pipe_auth_rep pipe_reply; struct auth_context *auth_context; + uint32_t session_flags = 0; + struct dom_sid *anonymous_sid; NTSTATUS status; int ret; @@ -264,11 +267,23 @@ static void named_pipe_auth_request(struct tevent_req *subreq) goto reply; } + anonymous_sid = dom_sid_parse_talloc(auth_context, SID_NT_ANONYMOUS); + if (anonymous_sid == NULL) { + named_pipe_terminate_connection(pipe_conn, "Failed to parse Anonymous SID "); + talloc_free(auth_context); + return; + } + + session_flags = AUTH_SESSION_INFO_DEFAULT_GROUPS; + if (!dom_sid_equal(anonymous_sid, server_info->account_sid)) { + session_flags |= AUTH_SESSION_INFO_AUTHENTICATED; + } /* setup the session_info on the connection */ pipe_reply.status = auth_context->generate_session_info(conn, auth_context, server_info, + session_flags, &conn->session_info); talloc_free(auth_context); if (!NT_STATUS_IS_OK(pipe_reply.status)) { @@ -315,9 +330,22 @@ static void named_pipe_auth_request(struct tevent_req *subreq) goto reply; } + anonymous_sid = dom_sid_parse_talloc(auth_context, SID_NT_ANONYMOUS); + if (anonymous_sid == NULL) { + named_pipe_terminate_connection(pipe_conn, "Failed to parse Anonymous SID "); + talloc_free(auth_context); + return; + } + + session_flags = AUTH_SESSION_INFO_DEFAULT_GROUPS; + if (!dom_sid_equal(anonymous_sid, server_info->account_sid)) { + session_flags |= AUTH_SESSION_INFO_AUTHENTICATED; + } + pipe_reply.status = auth_context->generate_session_info(conn, auth_context, server_info, + session_flags, &conn->session_info); talloc_free(auth_context); if (!NT_STATUS_IS_OK(pipe_reply.status)) { @@ -405,10 +433,23 @@ static void named_pipe_auth_request(struct tevent_req *subreq) goto reply; } + anonymous_sid = dom_sid_parse_talloc(auth_context, SID_NT_ANONYMOUS); + if (anonymous_sid == NULL) { + named_pipe_terminate_connection(pipe_conn, "Failed to parse Anonymous SID "); + talloc_free(auth_context); + return; + } + + session_flags = AUTH_SESSION_INFO_DEFAULT_GROUPS; + if (!dom_sid_equal(anonymous_sid, server_info->account_sid)) { + session_flags |= AUTH_SESSION_INFO_AUTHENTICATED; + } + /* setup the session_info on the connection */ pipe_reply.status = auth_context->generate_session_info(conn, auth_context, server_info, + session_flags, &conn->session_info); talloc_free(auth_context); if (!NT_STATUS_IS_OK(pipe_reply.status)) { |