The branch, master has been updated
via d50c007 s3-rpc_server: Remove ncalrpc_as_system from
make_server_pipes_struct().
via 76a89a3 s3-rpc_server: Remove ncalrpc_as_system from pipes_struct.
via 6ede575 s3-rpc_server: Use gensec for NCALRPC_AS_SYSTEM.
via 000168b s3-rpc_server: Add special tsocket address for
ncalrpc_as_system.
via 6a5cd18 s3:rpc_client: Use gensec for NCALRPC_AS_SYSTEM.
via 8729d99 s3-auth: Register ncalrpc_as_system gensec module.
via 788f72f gensec: add DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM backend
via 1f4c20f s3:rpc_server: pass everything but
AUTH_TYPE_{NONE,NCALRPC_AS_SYSTEM} to gensec
via 06922f9 s3-rpc_server: Call pipe_auth_verify_final() if needed.
via bfdd22b s3-rpc_server: Return the status code from gensec.
via 2c5ed10 s3:rpc_server: let auth_generic_server_step() handle
gensec_security == NULL
via 5d3bb56 s3:rpc_server: make sure we have a unix token
via 054ef13 s3:rpc_server: handle everything but AUTH_TYPE_NONE as
gensec in verify_final
via 2ed1789 s3:rpc_client: pass everything to gensec by default
via fc59cc3 auth/gensec: use auth_ctx->generate_session_info() for
schannel
via 169c6d4 s3:auth: allow special SYSTEM and ANONYMOUS handling in
auth3_generate_session_info()
from ea27382 s3: torture - Fix racy assumption in original messaging
test.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit d50c0077deefbb32af1a15205b32d928807d86a3
Author: Andreas Schneider <a...@samba.org>
Date: Thu Apr 17 14:25:48 2014 +0200
s3-rpc_server: Remove ncalrpc_as_system from make_server_pipes_struct().
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
Autobuild-Date(master): Thu Apr 24 13:39:10 CEST 2014 on sn-devel-104
commit 76a89a38fe5b2062e49779518ab0c9d0e1240403
Author: Andreas Schneider <a...@samba.org>
Date: Thu Apr 17 14:22:17 2014 +0200
s3-rpc_server: Remove ncalrpc_as_system from pipes_struct.
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
commit 6ede575fc40b3157385076e09379d4e0a8830acd
Author: Andreas Schneider <a...@samba.org>
Date: Thu Apr 17 13:46:07 2014 +0200
s3-rpc_server: Use gensec for NCALRPC_AS_SYSTEM.
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
commit 000168b002c4687c4c742847b263be1d31cb4d11
Author: Andreas Schneider <a...@samba.org>
Date: Thu Apr 17 11:00:54 2014 +0200
s3-rpc_server: Add special tsocket address for ncalrpc_as_system.
Signed-off-by: Andreas Schneider <a...@samba.org>
Reviewed-by: Stefan Metzmacher <me...@samba.org>
commit 6a5cd1857f6f237f27cec116a041989fb0ddea2c
Author: Stefan Metzmacher <me...@samba.org>
Date: Wed Apr 23 14:45:45 2014 +0200
s3:rpc_client: Use gensec for NCALRPC_AS_SYSTEM.
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
commit 8729d990a32aa2bd59ef176e33ce3966c0f98f9f
Author: Andreas Schneider <a...@samba.org>
Date: Thu Apr 17 12:02:45 2014 +0200
s3-auth: Register ncalrpc_as_system gensec module.
Signed-off-by: Andreas Schneider <a...@samba.org>
Signed-off-by: Stefan Metzmacher <me...@samba.org>
commit 788f72f8ebf8e300237cae3c4863586e38301a62
Author: Andreas Schneider <a...@samba.org>
Date: Wed Apr 16 15:21:40 2014 +0200
gensec: add DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM backend
Signed-off-by: Andreas Schneider <a...@samba.org>
Signed-off-by: Stefan Metzmacher <me...@samba.org>
commit 1f4c20f2c3506390834552d0102083d2b5b61f48
Author: Stefan Metzmacher <me...@samba.org>
Date: Wed Apr 23 13:07:15 2014 +0200
s3:rpc_server: pass everything but AUTH_TYPE_{NONE,NCALRPC_AS_SYSTEM} to
gensec
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
commit 06922f92e4ce885947000651491c17a0fea14294
Author: Andreas Schneider <a...@samba.org>
Date: Wed Apr 23 10:42:12 2014 +0200
s3-rpc_server: Call pipe_auth_verify_final() if needed.
Signed-off-by: Andreas Schneider <a...@samba.org>
Signed-off-by: Stefan Metzmacher <me...@samba.org>
commit bfdd22b3166377200f5395ef7384908d49d81ef1
Author: Andreas Schneider <a...@samba.org>
Date: Wed Apr 23 10:40:27 2014 +0200
s3-rpc_server: Return the status code from gensec.
We need to know the difference between NT_STATUS_OK
and NT_STATUS_MORE_PROCESSING_REQUIRED.
Signed-off-by: Andreas Schneider <a...@samba.org>
Signed-off-by: Stefan Metzmacher <me...@samba.org>
commit 2c5ed102b7dfa9a53ece24d048f71fd5e3d59ae7
Author: Stefan Metzmacher <me...@samba.org>
Date: Wed Apr 23 13:02:35 2014 +0200
s3:rpc_server: let auth_generic_server_step() handle gensec_security == NULL
This simplifies the caller, we don't need to look at the auth_type anymore.
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
commit 5d3bb5671e26d21473563cdccc42c0ee31e1311f
Author: Stefan Metzmacher <me...@samba.org>
Date: Wed Apr 23 18:13:04 2014 +0200
s3:rpc_server: make sure we have a unix token
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
commit 054ef133afa98cf02e80b6398a3a719f26bbf44b
Author: Stefan Metzmacher <me...@samba.org>
Date: Wed Apr 23 13:01:00 2014 +0200
s3:rpc_server: handle everything but AUTH_TYPE_NONE as gensec in
verify_final
The NCALRPC_AS_SYSTEM doesn't use pipe_auth_verify_final() yet,
so it's fine for now.
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
commit 2ed1789e4d8ac09ed78e5ecccf0eb97d1dfa8f65
Author: Stefan Metzmacher <me...@samba.org>
Date: Wed Apr 23 14:35:15 2014 +0200
s3:rpc_client: pass everything to gensec by default
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
commit fc59cc31024598599a2f1c9d73b8fa43a408ced2
Author: Stefan Metzmacher <me...@samba.org>
Date: Wed Apr 23 18:59:52 2014 +0200
auth/gensec: use auth_ctx->generate_session_info() for schannel
This way we generate a correct session info for the s3 rpc_server,
including a unix token.
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
commit 169c6d409f9c1b50b25bc59bcf12515d9a286c56
Author: Stefan Metzmacher <me...@samba.org>
Date: Wed Apr 23 19:00:26 2014 +0200
s3:auth: allow special SYSTEM and ANONYMOUS handling in
auth3_generate_session_info()
auth_ctx->generate_session_info() will be used by the SCHANNEL and
NCALRPC_AS_SYSTEM gensec modules in future.
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Andreas Schneider <a...@samba.org>
-----------------------------------------------------------------------
Summary of changes:
auth/gensec/ncalrpc.c | 286 ++++++++++++++++++++++++++++++
auth/gensec/schannel.c | 49 +++++-
auth/gensec/wscript_build | 7 +
source3/auth/auth_generic.c | 4 +-
source3/auth/auth_ntlmssp.c | 45 +++++-
source3/librpc/rpc/dcerpc_helpers.c | 36 ++---
source3/libsmb/auth_generic.c | 3 +-
source3/rpc_client/cli_pipe.c | 103 +++--------
source3/rpc_server/dcesrv_auth_generic.c | 6 +-
source3/rpc_server/rpc_handles.c | 3 +-
source3/rpc_server/rpc_ncacn_np.c | 3 +-
source3/rpc_server/rpc_pipes.h | 4 +-
source3/rpc_server/rpc_server.c | 32 +++-
source3/rpc_server/rpc_server.h | 1 -
source3/rpc_server/srv_pipe.c | 154 ++++++-----------
15 files changed, 513 insertions(+), 223 deletions(-)
create mode 100644 auth/gensec/ncalrpc.c
Changeset truncated at 500 lines:
diff --git a/auth/gensec/ncalrpc.c b/auth/gensec/ncalrpc.c
new file mode 100644
index 0000000..d5537a4
--- /dev/null
+++ b/auth/gensec/ncalrpc.c
@@ -0,0 +1,286 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ dcerpc ncalrpc as system operations
+
+ Copyright (C) 2014 Andreas Schneider <a...@samba.org>
+ Copyright (C) 2014 Stefan Metzmacher <me...@samba.org>
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "auth/auth.h"
+#include "auth/gensec/gensec.h"
+#include "auth/gensec/gensec_internal.h"
+#include "librpc/gen_ndr/dcerpc.h"
+#include "lib/param/param.h"
+#include "tsocket.h"
+
+_PUBLIC_ NTSTATUS gensec_ncalrpc_as_system_init(void);
+
+struct gensec_ncalrpc_state {
+ enum {
+ GENSEC_NCALRPC_START,
+ GENSEC_NCALRPC_MORE,
+ GENSEC_NCALRPC_DONE,
+ GENSEC_NCALRPC_ERROR,
+ } step;
+
+ struct auth_user_info_dc *user_info_dc;
+};
+
+static NTSTATUS gensec_ncalrpc_client_start(struct gensec_security
*gensec_security)
+{
+ struct gensec_ncalrpc_state *state;
+
+ state = talloc_zero(gensec_security,
+ struct gensec_ncalrpc_state);
+ if (state == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ gensec_security->private_data = state;
+
+ state->step = GENSEC_NCALRPC_START;
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS gensec_ncalrpc_server_start(struct gensec_security
*gensec_security)
+{
+ struct gensec_ncalrpc_state *state;
+
+ state = talloc_zero(gensec_security,
+ struct gensec_ncalrpc_state);
+ if (state == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ gensec_security->private_data = state;
+
+ state->step = GENSEC_NCALRPC_START;
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS gensec_ncalrpc_update(struct gensec_security *gensec_security,
+ TALLOC_CTX *mem_ctx,
+ struct tevent_context *ev,
+ const DATA_BLOB in,
+ DATA_BLOB *out)
+{
+ struct gensec_ncalrpc_state *state =
+ talloc_get_type_abort(gensec_security->private_data,
+ struct gensec_ncalrpc_state);
+ DATA_BLOB magic_req = data_blob_string_const("NCALRPC_AUTH_TOKEN");
+ DATA_BLOB magic_ok = data_blob_string_const("NCALRPC_AUTH_OK");
+ DATA_BLOB magic_fail = data_blob_string_const("NCALRPC_AUTH_FAIL");
+ char *unix_path = NULL;
+ int cmp;
+ NTSTATUS status;
+
+ *out = data_blob_null;
+
+ if (state->step >= GENSEC_NCALRPC_DONE) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ switch (gensec_security->gensec_role) {
+ case GENSEC_CLIENT:
+ switch (state->step) {
+ case GENSEC_NCALRPC_START:
+ *out = data_blob_dup_talloc(mem_ctx, magic_req);
+ if (out->data == NULL) {
+ state->step = GENSEC_NCALRPC_ERROR;
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ state->step = GENSEC_NCALRPC_MORE;
+ return NT_STATUS_MORE_PROCESSING_REQUIRED;
+
+ case GENSEC_NCALRPC_MORE:
+ cmp = data_blob_cmp(&in, &magic_ok);
+ if (cmp != 0) {
+ state->step = GENSEC_NCALRPC_ERROR;
+ return NT_STATUS_LOGON_FAILURE;
+ }
+
+ state->step = GENSEC_NCALRPC_DONE;
+ return NT_STATUS_OK;
+
+ case GENSEC_NCALRPC_DONE:
+ case GENSEC_NCALRPC_ERROR:
+ break;
+ }
+
+ state->step = GENSEC_NCALRPC_ERROR;
+ return NT_STATUS_INTERNAL_ERROR;
+
+ case GENSEC_SERVER:
+ if (state->step != GENSEC_NCALRPC_START) {
+ state->step = GENSEC_NCALRPC_ERROR;
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ cmp = data_blob_cmp(&in, &magic_req);
+ if (cmp != 0) {
+ state->step = GENSEC_NCALRPC_ERROR;
+ *out = data_blob_dup_talloc(mem_ctx, magic_fail);
+ if (out->data == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ return NT_STATUS_LOGON_FAILURE;
+ }
+
+ if (gensec_security->remote_addr == NULL) {
+ state->step = GENSEC_NCALRPC_ERROR;
+ *out = data_blob_dup_talloc(mem_ctx, magic_fail);
+ if (out->data == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ return NT_STATUS_LOGON_FAILURE;
+ }
+
+ unix_path =
tsocket_address_unix_path(gensec_security->remote_addr,
+ state);
+ if (unix_path == NULL) {
+ state->step = GENSEC_NCALRPC_ERROR;
+ *out = data_blob_dup_talloc(mem_ctx, magic_fail);
+ if (out->data == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ return NT_STATUS_LOGON_FAILURE;
+ }
+
+ cmp = strcmp(unix_path, "/root/ncalrpc_as_system");
+ TALLOC_FREE(unix_path);
+ if (cmp != 0) {
+ state->step = GENSEC_NCALRPC_ERROR;
+ *out = data_blob_dup_talloc(mem_ctx, magic_fail);
+ if (out->data == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ return NT_STATUS_LOGON_FAILURE;
+ }
+
+ status = auth_system_user_info_dc(state,
+
lpcfg_netbios_name(gensec_security->settings->lp_ctx),
+ &state->user_info_dc);
+ if (!NT_STATUS_IS_OK(status)) {
+ state->step = GENSEC_NCALRPC_ERROR;
+ *out = data_blob_dup_talloc(mem_ctx, magic_fail);
+ if (out->data == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ return status;
+ }
+
+ *out = data_blob_dup_talloc(mem_ctx, magic_ok);
+ if (out->data == NULL) {
+ state->step = GENSEC_NCALRPC_ERROR;
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ state->step = GENSEC_NCALRPC_DONE;
+ return NT_STATUS_OK;
+ }
+
+ state->step = GENSEC_NCALRPC_ERROR;
+ return NT_STATUS_INTERNAL_ERROR;
+}
+
+static NTSTATUS gensec_ncalrpc_session_info(struct gensec_security
*gensec_security,
+ TALLOC_CTX *mem_ctx,
+ struct auth_session_info
**psession_info)
+{
+ struct gensec_ncalrpc_state *state =
+ talloc_get_type_abort(gensec_security->private_data,
+ struct gensec_ncalrpc_state);
+ struct auth4_context *auth_ctx = gensec_security->auth_context;
+ struct auth_session_info *session_info = NULL;
+ uint32_t session_info_flags = 0;
+ NTSTATUS status;
+
+ if (gensec_security->gensec_role != GENSEC_SERVER) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (state->step != GENSEC_NCALRPC_DONE) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ if (auth_ctx == NULL) {
+ DEBUG(0, ("Cannot generate a session_info without the
auth_context\n"));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ if (auth_ctx->generate_session_info == NULL) {
+ DEBUG(0, ("Cannot generate a session_info without the
generate_session_info hook\n"));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) {
+ session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN;
+ }
+
+ session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
+
+ status = auth_ctx->generate_session_info(
+ auth_ctx,
+ mem_ctx,
+ state->user_info_dc,
+ state->user_info_dc->info->account_name,
+ session_info_flags,
+ &session_info);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ *psession_info = session_info;
+ return NT_STATUS_OK;
+}
+
+/* We have no features */
+static bool gensec_ncalrpc_have_feature(struct gensec_security
*gensec_security,
+ uint32_t feature)
+{
+ if (feature & GENSEC_FEATURE_DCE_STYLE) {
+ return true;
+ }
+
+ return false;
+}
+
+static const struct gensec_security_ops gensec_ncalrpc_security_ops = {
+ .name = "naclrpc_as_system",
+ .auth_type = DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM,
+ .client_start = gensec_ncalrpc_client_start,
+ .server_start = gensec_ncalrpc_server_start,
+ .update = gensec_ncalrpc_update,
+ .session_info = gensec_ncalrpc_session_info,
+ .have_feature = gensec_ncalrpc_have_feature,
+ .enabled = true,
+ .priority = GENSEC_EXTERNAL,
+};
+
+_PUBLIC_ NTSTATUS gensec_ncalrpc_as_system_init(void)
+{
+ NTSTATUS status;
+
+ status = gensec_register(&gensec_ncalrpc_security_ops);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to register '%s' gensec backend!\n",
+ gensec_ncalrpc_security_ops.name));
+ return status;
+ }
+
+ return status;
+}
diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
index 3d30e83..ee23e77 100644
--- a/auth/gensec/schannel.c
+++ b/auth/gensec/schannel.c
@@ -38,6 +38,7 @@ struct schannel_state {
uint64_t seq_num;
bool initiator;
struct netlogon_creds_CredentialState *creds;
+ struct auth_user_info_dc *user_info_dc;
};
#define SETUP_SEQNUM(state, buf, initiator) do { \
@@ -58,14 +59,13 @@ static struct schannel_state *netsec_create_state(
{
struct schannel_state *state;
- state = talloc(gensec, struct schannel_state);
+ state = talloc_zero(gensec, struct schannel_state);
if (state == NULL) {
return NULL;
}
state->gensec = gensec;
state->initiator = initiator;
- state->seq_num = 0;
state->creds = netlogon_creds_copy(state, creds);
if (state->creds == NULL) {
talloc_free(state);
@@ -580,6 +580,13 @@ static NTSTATUS schannel_update(struct gensec_security
*gensec_security, TALLOC_
return NT_STATUS_NO_MEMORY;
}
+ status = auth_anonymous_user_info_dc(state,
+
lpcfg_netbios_name(gensec_security->settings->lp_ctx),
+ &state->user_info_dc);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
bind_schannel_ack.MessageType = NL_NEGOTIATE_RESPONSE;
bind_schannel_ack.Flags = 0;
bind_schannel_ack.Buffer.dummy = 0x6c0000; /* actually I think
@@ -610,7 +617,43 @@ static NTSTATUS schannel_session_info(struct
gensec_security *gensec_security,
TALLOC_CTX *mem_ctx,
struct auth_session_info **_session_info)
{
- return auth_anonymous_session_info(mem_ctx,
gensec_security->settings->lp_ctx, _session_info);
+ struct schannel_state *state =
+ talloc_get_type(gensec_security->private_data,
+ struct schannel_state);
+ struct auth4_context *auth_ctx = gensec_security->auth_context;
+ struct auth_session_info *session_info = NULL;
+ uint32_t session_info_flags = 0;
+ NTSTATUS status;
+
+ if (auth_ctx == NULL) {
+ DEBUG(0, ("Cannot generate a session_info without the
auth_context\n"));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ if (auth_ctx->generate_session_info == NULL) {
+ DEBUG(0, ("Cannot generate a session_info without the
generate_session_info hook\n"));
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ if (gensec_security->want_features & GENSEC_FEATURE_UNIX_TOKEN) {
+ session_info_flags |= AUTH_SESSION_INFO_UNIX_TOKEN;
+ }
+
+ session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
+
+ status = auth_ctx->generate_session_info(
+ auth_ctx,
+ mem_ctx,
+ state->user_info_dc,
+ state->user_info_dc->info->account_name,
+ session_info_flags,
+ &session_info);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ *_session_info = session_info;
+ return NT_STATUS_OK;
}
static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
diff --git a/auth/gensec/wscript_build b/auth/gensec/wscript_build
index 7329eec..b2f6033 100755
--- a/auth/gensec/wscript_build
+++ b/auth/gensec/wscript_build
@@ -25,6 +25,13 @@ bld.SAMBA_MODULE('gensec_schannel',
deps='COMMON_SCHANNEL NDR_SCHANNEL samba-credentials auth_session'
)
+bld.SAMBA_MODULE('gensec_ncalrpc',
+ source='ncalrpc.c',
+ subsystem='gensec',
+ init_function='gensec_ncalrpc_as_system_init',
+ deps='samba-util auth_session'
+ )
+
bld.SAMBA_MODULE('gensec_external',
source='external.c',
autoproto='external_proto.h',
diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index e07d3b7..e1c6475 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -262,7 +262,7 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
}
backends = talloc_zero_array(gensec_settings,
- const struct gensec_security_ops
*, 5);
+ const struct gensec_security_ops
*, 6);
if (backends == NULL) {
TALLOC_FREE(tmp_ctx);
return NT_STATUS_NO_MEMORY;
@@ -282,6 +282,8 @@ NTSTATUS auth_generic_prepare(TALLOC_CTX *mem_ctx,
backends[idx++] = gensec_security_by_auth_type(NULL,
DCERPC_AUTH_TYPE_SCHANNEL);
+ backends[idx++] = gensec_security_by_auth_type(NULL,
DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM);
+
/*
* This is anonymous for now, because we just use it
* to set the kerberos state at the moment
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index 45166c0..14bce62 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -23,6 +23,7 @@
#include "includes.h"
#include "auth.h"
+#include "libcli/security/security.h"
NTSTATUS auth3_generate_session_info(struct auth4_context *auth_context,
TALLOC_CTX *mem_ctx,
@@ -31,10 +32,50 @@ NTSTATUS auth3_generate_session_info(struct auth4_context
*auth_context,
uint32_t session_info_flags,
struct auth_session_info **session_info)
{
- struct auth_serversupplied_info *server_info =
talloc_get_type_abort(server_returned_info,
-
struct auth_serversupplied_info);
+ struct auth_user_info_dc *user_info = NULL;
+ struct auth_serversupplied_info *server_info = NULL;
NTSTATUS nt_status;
+ /*
+ * This is a hack, some callers...
+ *
+ * Some callers pass auth_user_info_dc, the SCHANNEL and
+ * NCALRPC_AS_SYSTEM gensec modules.
+ *
+ * While the reset passes auth3_check_password() returned.
+ */
+ user_info = talloc_get_type(server_returned_info,
+ struct auth_user_info_dc);
+ if (user_info != NULL) {
+ const struct dom_sid *sid;
+ int cmp;
+
+ /*
+ * This should only be called from SCHANNEL or NCALRPC_AS_SYSTEM
+ */
+ if (user_info->num_sids != 1) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+ sid = &user_info->sids[PRIMARY_USER_SID_INDEX];
+
+ cmp = dom_sid_compare(sid, &global_sid_System);
+ if (cmp == 0) {
+ return make_session_info_system(mem_ctx, session_info);
+ }
+
+ cmp = dom_sid_compare(sid, &global_sid_Anonymous);
+ if (cmp == 0) {
+ /*
+ * TODO: use auth_anonymous_session_info() here?
+ */
+ return make_session_info_guest(mem_ctx, session_info);
+ }
+
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ server_info = talloc_get_type_abort(server_returned_info,
+ struct auth_serversupplied_info);
nt_status = create_local_token(mem_ctx,
server_info,
NULL,
diff --git a/source3/librpc/rpc/dcerpc_helpers.c
b/source3/librpc/rpc/dcerpc_helpers.c
index 2400bfd..62358d5 100644
--- a/source3/librpc/rpc/dcerpc_helpers.c
+++ b/source3/librpc/rpc/dcerpc_helpers.c
@@ -382,6 +382,10 @@ static NTSTATUS get_generic_auth_footer(struct
gensec_security *gensec_security,
DATA_BLOB *data, DATA_BLOB *full_pkt,
DATA_BLOB *auth_token)
{
+ if (gensec_security == NULL) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
switch (auth_level) {
case DCERPC_AUTH_LEVEL_PRIVACY:
/* Data portion is encrypted. */
@@ -424,8 +428,7 @@ NTSTATUS dcerpc_add_auth_footer(struct pipe_auth_data *auth,
--
Samba Shared Repository
