diff options
Diffstat (limited to 'source3')
| -rw-r--r-- | source3/Makefile.in | 3 | ||||
| -rw-r--r-- | source3/rpc_server/rpc_ncacn_np.c | 45 | ||||
| -rw-r--r-- | source3/rpc_server/rpc_server.c | 49 |
3 files changed, 72 insertions, 25 deletions
diff --git a/source3/Makefile.in b/source3/Makefile.in index 15d854eb15..3012caa7d3 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -709,7 +709,8 @@ RPC_EVENTLOG_OBJ = rpc_server/srv_eventlog_nt.o \ $(LIB_EVENTLOG_OBJ) librpc/gen_ndr/srv_eventlog.o NPA_TSTREAM_OBJ = ../libcli/named_pipe_auth/npa_tstream.o \ - librpc/gen_ndr/ndr_named_pipe_auth.o + librpc/gen_ndr/ndr_named_pipe_auth.o \ + ../auth/auth_sam_reply.o librpc/gen_ndr/ndr_auth.o RPC_NCACN_NP = rpc_server/srv_pipe_register.o rpc_server/rpc_ncacn_np.o \ rpc_server/rpc_handles.o diff --git a/source3/rpc_server/rpc_ncacn_np.c b/source3/rpc_server/rpc_ncacn_np.c index af21ec2aad..c35fa847ad 100644 --- a/source3/rpc_server/rpc_ncacn_np.c +++ b/source3/rpc_server/rpc_ncacn_np.c @@ -26,6 +26,8 @@ #include "../libcli/named_pipe_auth/npa_tstream.h" #include "rpc_server/rpc_ncacn_np.h" #include "librpc/gen_ndr/netlogon.h" +#include "librpc/gen_ndr/auth.h" +#include "../auth/auth_sam_reply.h" #undef DBGC_CLASS #define DBGC_CLASS DBGC_RPC_SRV @@ -594,7 +596,9 @@ struct np_proxy_state *make_external_rpc_pipe_p(TALLOC_CTX *mem_ctx, const char *socket_dir; struct tevent_context *ev; struct tevent_req *subreq; - struct netr_SamInfo3 *info3; + struct auth_session_info_transport *session_info; + struct auth_user_info_dc *user_info_dc; + union netr_Validation val; NTSTATUS status; bool ok; int ret; @@ -637,20 +641,31 @@ struct np_proxy_state *make_external_rpc_pipe_p(TALLOC_CTX *mem_ctx, goto fail; } - info3 = talloc_zero(talloc_tos(), struct netr_SamInfo3); - if (info3 == NULL) { + session_info = talloc_zero(talloc_tos(), struct auth_session_info_transport); + if (session_info == NULL) { DEBUG(0, ("talloc failed\n")); goto fail; } - status = serverinfo_to_SamInfo3(server_info, NULL, 0, info3); + /* Send the named_pipe_auth server the user's full token */ + session_info->security_token = server_info->ptok; + session_info->session_key = server_info->user_session_key; + + val.sam3 = server_info->info3; + + /* Convert into something we can build a struct + * auth_session_info_transport from. Most of the work here + * will be to convert the SIDS, which we will then ignore, but + * this is the easier way to handle it */ + status = make_user_info_dc_netlogon_validation(talloc_tos(), "", 3, &val, &user_info_dc); if (!NT_STATUS_IS_OK(status)) { - TALLOC_FREE(info3); - DEBUG(0, ("serverinfo_to_SamInfo3 failed: %s\n", - nt_errstr(status))); + DEBUG(0, ("conversion of info3 into user_info_dc failed!\n")); goto fail; } + session_info->info = talloc_move(session_info, &user_info_dc->info); + talloc_free(user_info_dc); + become_root(); subreq = tstream_npa_connect_send(talloc_tos(), ev, socket_np_dir, @@ -659,15 +674,13 @@ struct np_proxy_state *make_external_rpc_pipe_p(TALLOC_CTX *mem_ctx, NULL, /* client_name */ local_address, /* server_addr */ NULL, /* server_name */ - info3, - server_info->user_session_key, - data_blob_null /* delegated_creds */); + session_info); if (subreq == NULL) { unbecome_root(); DEBUG(0, ("tstream_npa_connect_send to %s for pipe %s and " "user %s\\%s failed\n", - socket_np_dir, pipe_name, info3->base.domain.string, - info3->base.account_name.string)); + socket_np_dir, pipe_name, session_info->info->domain_name, + session_info->info->account_name)); goto fail; } ok = tevent_req_poll(subreq, ev); @@ -675,8 +688,8 @@ struct np_proxy_state *make_external_rpc_pipe_p(TALLOC_CTX *mem_ctx, if (!ok) { DEBUG(0, ("tevent_req_poll to %s for pipe %s and user %s\\%s " "failed for tstream_npa_connect: %s\n", - socket_np_dir, pipe_name, info3->base.domain.string, - info3->base.account_name.string, + socket_np_dir, pipe_name, session_info->info->domain_name, + session_info->info->account_name, strerror(errno))); goto fail; @@ -691,8 +704,8 @@ struct np_proxy_state *make_external_rpc_pipe_p(TALLOC_CTX *mem_ctx, if (ret != 0) { DEBUG(0, ("tstream_npa_connect_recv to %s for pipe %s and " "user %s\\%s failed: %s\n", - socket_np_dir, pipe_name, info3->base.domain.string, - info3->base.account_name.string, + socket_np_dir, pipe_name, session_info->info->domain_name, + session_info->info->account_name, strerror(sys_errno))); goto fail; } diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c index 229096e463..a0da354fd3 100644 --- a/source3/rpc_server/rpc_server.c +++ b/source3/rpc_server/rpc_server.c @@ -21,9 +21,11 @@ #include "rpc_server/rpc_server.h" #include "rpc_dce.h" #include "librpc/gen_ndr/netlogon.h" +#include "librpc/gen_ndr/auth.h" #include "registry/reg_parse_prs.h" #include "lib/tsocket/tsocket.h" #include "libcli/named_pipe_auth/npa_tstream.h" +#include "../auth/auth_sam_reply.h" /* Creates a pipes_struct and initializes it with the information * sent from the client */ @@ -31,10 +33,12 @@ static int make_server_pipes_struct(TALLOC_CTX *mem_ctx, const char *pipe_name, const struct ndr_syntax_id id, const char *client_address, - struct netr_SamInfo3 *info3, + struct auth_session_info_transport *session_info, struct pipes_struct **_p, int *perrno) { + struct netr_SamInfo3 *info3; + struct auth_user_info_dc *auth_user_info_dc; struct pipes_struct *p; NTSTATUS status; bool ok; @@ -67,6 +71,30 @@ static int make_server_pipes_struct(TALLOC_CTX *mem_ctx, p->endian = RPC_LITTLE_ENDIAN; + /* Fake up an auth_user_info_dc for now, to make an info3, to make the server_info structure */ + auth_user_info_dc = talloc_zero(p, struct auth_user_info_dc); + if (!auth_user_info_dc) { + TALLOC_FREE(p); + *perrno = ENOMEM; + return -1; + } + + auth_user_info_dc->num_sids = session_info->security_token->num_sids; + auth_user_info_dc->sids = session_info->security_token->sids; + auth_user_info_dc->info = session_info->info; + auth_user_info_dc->user_session_key = session_info->session_key; + + /* This creates the input structure that make_server_info_info3 is looking for */ + status = auth_convert_user_info_dc_saminfo3(p, auth_user_info_dc, + &info3); + + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to convert auth_user_info_dc into netr_SamInfo3\n")); + TALLOC_FREE(p); + *perrno = EINVAL; + return -1; + } + status = make_server_info_info3(p, info3->base.account_name.string, info3->base.domain.string, @@ -90,6 +118,15 @@ static int make_server_pipes_struct(TALLOC_CTX *mem_ctx, return -1; } + /* Now override the server_info->ptok with the exact + * security_token we were given from the other side, + * regardless of what we just calculated */ + p->server_info->ptok = talloc_move(p->server_info, &session_info->security_token); + + /* Also set the session key to the correct value */ + p->server_info->user_session_key = session_info->session_key; + p->server_info->user_session_key.data = talloc_move(p->server_info, &session_info->session_key.data); + p->client_id = talloc_zero(p, struct client_address); if (!p->client_id) { TALLOC_FREE(p); @@ -318,9 +355,7 @@ struct named_pipe_client { char *client_name; struct tsocket_address *server; char *server_name; - struct netr_SamInfo3 *info3; - DATA_BLOB session_key; - DATA_BLOB delegated_creds; + struct auth_session_info_transport *session_info; struct pipes_struct *p; @@ -410,9 +445,7 @@ static void named_pipe_accept_done(struct tevent_req *subreq) &npc->client_name, &npc->server, &npc->server_name, - &npc->info3, - &npc->session_key, - &npc->delegated_creds); + &npc->session_info); TALLOC_FREE(subreq); if (ret != 0) { DEBUG(2, ("Failed to accept named pipe connection! (%s)\n", @@ -434,7 +467,7 @@ static void named_pipe_accept_done(struct tevent_req *subreq) ret = make_server_pipes_struct(npc, npc->pipe_name, npc->pipe_id, - cli_addr, npc->info3, + cli_addr, npc->session_info, &npc->p, &error); if (ret != 0) { DEBUG(2, ("Failed to create pipes_struct! (%s)\n", |