The branch, v4-18-test has been updated
       via  a22173a745e rpc_server3: Pass winbind_env_set() state through to rpcd_*
       via  faa507637e5 lib: Add security_token_del_npa_flags() helper function
       via  ec0c93199b9 rpc: Remove named_pipe_auth_req_info6->need_idle_server
       via  e92fb837630 rpc_server3: Use global_sid_Samba_NPA_Flags to pass "need_idle"
       via  e46af7b3322 named_pipe_auth: Bump info5 to info6
       via  5a09eaf01ac rpc: Add global_sid_Samba_NPA_Flags SID
       via  40378826afb librpc: Simplify dcerpc_is_transport_encrypted()
       via  dc2606e10e1 smbd: Use security_token_count_flag_sids() in open_np_file()
       via  8ed6bbcb555 libcli: Add security_token_count_flag_sids()
       via  74449f2afcc samba-tool domain: Run in interactive mode if no args are supplied
       via  cae050cf785 librpc/rpc: allow smb3_sid_parse() to accept modern encryption algorithms
      from  0f1dbe552dc winbind: Fix "wbinfo -u" on a Samba AD DC with >1000 users

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-18-test

- Log -----------------------------------------------------------------
commit a22173a745ecfc0023231e4f32b862e5ab287955
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Apr 18 12:47:04 2023 +0200

    rpc_server3: Pass winbind_env_set() state through to rpcd_*

    Winbind can ask rpcd_lsad for LookupNames etc. This can recurse back
    into winbind for getpwnam. We have the "_NO_WINBINDD" environment
    variable set in winbind itself for this case, but this is lost on the
    way into rpcd_lsad. Use a flag in global_sid_Samba_NPA_Flags to pass
    this information to dcerpc_core, where it sets the variable on every
    call if requested.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

    Autobuild-User(master): Volker Lendecke <v...@samba.org>
    Autobuild-Date(master): Tue May 16 11:54:32 UTC 2023 on atb-devel-224

    (cherry picked from commit 59694ad0a4cc489f1baa4c2c94c6322c0f22c1df)

    Autobuild-User(v4-18-test): Jule Anger <jan...@samba.org>
    Autobuild-Date(v4-18-test): Fri May 26 13:29:20 UTC 2023 on atb-devel-224

commit faa507637e54373467ffe78c1c2feb6fd949b9d5
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Apr 18 14:32:20 2023 +0200

    lib: Add security_token_del_npa_flags() helper function

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

    (cherry picked from commit bb3ea36e10079ad9c73c68d7ed8fce51ecb40ebe)

commit ec0c93199b934db0c91816b6dcf465dbb68d6aed
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Apr 18 12:29:34 2023 +0200

    rpc: Remove named_pipe_auth_req_info6->need_idle_server

    Involves bumping up the version number

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

    (cherry picked from commit bdba027a33e35aab7bb322bc3167cdd7babfc059)

commit e92fb837630f1dc4107085fb38b16905de0dbf25
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Apr 18 12:28:28 2023 +0200

    rpc_server3: Use global_sid_Samba_NPA_Flags to pass "need_idle"

    More code, but will be more flexible in the future.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

    (cherry picked from commit 31180e0e6d9e43d54e7656a56ed3af129f578105)

commit e46af7b3322e52cf482180e4da1eefa6bff55e5b
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Dec 22 17:48:26 2022 +1300

    named_pipe_auth: Bump info5 to info6

    In the next commit, we shall replace the 'authenticated' field of
    named_pipe_auth_req_info.info5.session_info.session_info.info with a
    more general 'user_flags' field.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    (cherry picked from commit 8aef16bbbc1e55f0a9f5a8ec87e5348688d93785)

commit 5a09eaf01aca6fb650973deca4f0142f26be9934
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Apr 18 12:09:45 2023 +0200

    rpc: Add global_sid_Samba_NPA_Flags SID

    This will be used as a flexible way to pass per-RPC-connection flags
    over ncalrpc to the RPC server without having to modify
    named_pipe_auth_req_info6 every time something new needs to be passed.
    It's modeled after global_sid_Samba_SMB3.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

    (cherry picked from commit ebbb93cc7a57a118b82b8f383d25f1eb022397d6)

commit 40378826afbd370d087efb248edfb68d7f385f47
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Apr 18 12:04:17 2023 +0200

    librpc: Simplify dcerpc_is_transport_encrypted()

    Simplify logic by using security_token_count_flag_sids()

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

    (cherry picked from commit 1d11e0489b2c91fc05c6befc0463695d7102abcc)

commit dc2606e10e1905215daa5d982b5fa57bebe6e296
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Apr 18 12:01:02 2023 +0200

    smbd: Use security_token_count_flag_sids() in open_np_file()

    Simpler logic in the caller

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

    (cherry picked from commit 244ee8ad75c2c968997dfdd5eeb9e9cb97a191fb)

commit 8ed6bbcb555f089d80e32e5d26c9aae6c2918d1f
Author: Volker Lendecke <v...@samba.org>
Date:   Tue Apr 18 11:31:16 2023 +0200

    libcli: Add security_token_count_flag_sids()

    To be used in a few places when checking special-case Samba SIDs.

    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

    (cherry picked from commit 5e8c7192ba5469547ba3101885dfbaba2f8181f4)

commit 74449f2afcc4559aeee1888c048965866cb3a4c2
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Apr 26 10:31:51 2023 +1200

    samba-tool domain: Run in interactive mode if no args are supplied

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15363

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    (backported from commit f1281b80c1ad68d380ce91c13076f6a60fbc627e)
    [jsut...@samba.org Adapted to provisioning code refactor in commit
     5986937d12c237121d4e62fa6dfa0f5dadec263d]

commit cae050cf785575b3d66ad2093ac48d7f1e9652e8
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue May 16 13:09:23 2023 +0200

    librpc/rpc: allow smb3_sid_parse() to accept modern encryption algorithms

    We should not limit the possible encryption algorithms to the
    currently known ones.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15374

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Volker Lendecke <v...@samba.org>

    Autobuild-User(master): Volker Lendecke <v...@samba.org>
    Autobuild-Date(master): Wed May 17 07:34:28 UTC 2023 on atb-devel-224

    (cherry picked from commit e03e738dfc96b3c8ce54e2d280143965713f4778)

-----------------------------------------------------------------------

Summary of changes:
 libcli/named_pipe_auth/npa_tstream.c | 144 +++++++++++++++++++----------
 libcli/named_pipe_auth/npa_tstream.h |   4 +-
 libcli/security/dom_sid.h            |   4 +
 libcli/security/security_token.c     |  36 +++++++++
 libcli/security/security_token.h     |   9 +++
 libcli/security/util_sid.c           |   7 ++
 librpc/idl/named_pipe_auth.idl       |   9 +--
 librpc/rpc/dcerpc_helper.c           |  32 ++++----
 librpc/rpc/dcesrv_core.c             |  17 +++++
 librpc/rpc/dcesrv_core.h             |   1 +
 python/samba/netcmd/domain.py        |   2 +-
 source3/include/proto.h              |   3 +
 source3/lib/util_sid.c               |  34 +++++++++
 source3/librpc/idl/rpc_host.idl      |   2 +-
 source3/rpc_client/local_np.c        | 105 ++++++++++++++++++-------
 source3/rpc_server/rpc_host.c        | 115 ++++++++++++++++------------
 source3/rpc_server/rpc_worker.c      | 112 ++++++++++++++++-----------
 source3/smbd/smb2_pipes.c            |  23 +++---
 18 files changed, 432 insertions(+), 227 deletions(-)


Changeset truncated at 500 lines:
diff --git a/libcli/named_pipe_auth/npa_tstream.c b/libcli/named_pipe_auth/npa_tstream.c index 506c4a35681..f84440fe755 100644 --- a/libcli/named_pipe_auth/npa_tstream.c +++ b/libcli/named_pipe_auth/npa_tstream.c @@ -73,7 +73,7 @@ struct tevent_req *tstream_npa_connect_send(TALLOC_CTX *mem_ctx, int ret; enum ndr_err_code ndr_err; char *lower_case_npipe; - struct named_pipe_auth_req_info5 *info5; + struct named_pipe_auth_req_info7 *info7; req = tevent_req_create(mem_ctx, &state, struct tstream_npa_connect_state); 
@@ -119,39 +119,43 @@ struct tevent_req *tstream_npa_connect_send(TALLOC_CTX *mem_ctx, goto post; } - state->auth_req.level = 5; - info5 = &state->auth_req.info.info5; + state->auth_req.level = 7; + info7 = &state->auth_req.info.info7; - info5->transport = transport; - SMB_ASSERT(info5->transport == transport); /* Assert no overflow */ + info7->transport = transport; + SMB_ASSERT(info7->transport == transport); /* Assert no overflow */ - info5->remote_client_name = remote_client_name_in; - info5->remote_client_addr = tsocket_address_inet_addr_string(remote_client_addr, - state); - if (!info5->remote_client_addr) { + info7->remote_client_name = remote_client_name_in; + info7->remote_client_addr = + tsocket_address_inet_addr_string(remote_client_addr, state); + if (!info7->remote_client_addr) { /* errno might be EINVAL */ tevent_req_error(req, errno); goto post; } - info5->remote_client_port = tsocket_address_inet_port(remote_client_addr); - if (!info5->remote_client_name) { - info5->remote_client_name = info5->remote_client_addr; + info7->remote_client_port = + tsocket_address_inet_port(remote_client_addr); + if (!info7->remote_client_name) { + info7->remote_client_name = info7->remote_client_addr; } - info5->local_server_name = local_server_name_in; - info5->local_server_addr = tsocket_address_inet_addr_string(local_server_addr, - state); - if (!info5->local_server_addr) { + info7->local_server_name = local_server_name_in; + info7->local_server_addr = + tsocket_address_inet_addr_string(local_server_addr, state); + if (!info7->local_server_addr) { /* errno might be EINVAL */ tevent_req_error(req, errno); goto post; } - info5->local_server_port = tsocket_address_inet_port(local_server_addr); - if (!info5->local_server_name) { - info5->local_server_name = info5->local_server_addr; + info7->local_server_port = + tsocket_address_inet_port(local_server_addr); + if (!info7->local_server_name) { + info7->local_server_name = info7->local_server_addr; } - info5->session_info 
= discard_const_p(struct auth_session_info_transport, session_info); + info7->session_info = + discard_const_p(struct auth_session_info_transport, + session_info); if (DEBUGLVL(10)) { NDR_PRINT_DEBUG(named_pipe_auth_req, &state->auth_req); @@ -348,10 +352,10 @@ int _tstream_npa_connect_recv(struct tevent_req *req, npas->unix_stream = talloc_move(stream, &state->unix_stream); switch (state->auth_rep.level) { - case 5: - npas->file_type = state->auth_rep.info.info5.file_type; - device_state = state->auth_rep.info.info5.device_state; - allocation_size = state->auth_rep.info.info5.allocation_size; + case 7: + npas->file_type = state->auth_rep.info.info7.file_type; + device_state = state->auth_rep.info.info7.device_state; + allocation_size = state->auth_rep.info.info7.allocation_size; break; } @@ -1084,7 +1088,7 @@ static void tstream_npa_accept_existing_reply(struct tevent_req *subreq) tevent_req_data(req, struct tstream_npa_accept_state); struct named_pipe_auth_req *pipe_request; struct named_pipe_auth_rep pipe_reply; - struct named_pipe_auth_req_info5 i5; + struct named_pipe_auth_req_info7 i7; enum ndr_err_code ndr_err; DATA_BLOB in, out; int err; 
@@ -1147,53 +1151,59 @@ static void tstream_npa_accept_existing_reply(struct tevent_req *subreq) NDR_PRINT_DEBUG(named_pipe_auth_req, pipe_request); } - ZERO_STRUCT(i5); + ZERO_STRUCT(i7); - if (pipe_request->level != 5) { + if (pipe_request->level != 7) { DEBUG(0, ("Unknown level %u\n", pipe_request->level)); pipe_reply.level = 0; pipe_reply.status = NT_STATUS_INVALID_LEVEL; goto reply; } - pipe_reply.level = 5; + pipe_reply.level = 7; pipe_reply.status = NT_STATUS_OK; - pipe_reply.info.info5.file_type = state->file_type; - pipe_reply.info.info5.device_state = state->device_state; - pipe_reply.info.info5.allocation_size = state->alloc_size; + pipe_reply.info.info7.file_type = state->file_type; + pipe_reply.info.info7.device_state = state->device_state; + pipe_reply.info.info7.allocation_size = state->alloc_size; - i5 = pipe_request->info.info5; - if (i5.local_server_addr == NULL) { + i7 = pipe_request->info.info7; + if (i7.local_server_addr == NULL) { pipe_reply.status = NT_STATUS_INVALID_ADDRESS; DEBUG(2, ("Missing local server address\n")); goto reply; } - if (i5.remote_client_addr == NULL) { + if (i7.remote_client_addr == NULL) { pipe_reply.status = NT_STATUS_INVALID_ADDRESS; DEBUG(2, ("Missing remote client address\n")); goto reply; } - ret = tsocket_address_inet_from_strings(state, "ip", - i5.local_server_addr, - i5.local_server_port, + ret = tsocket_address_inet_from_strings(state, + "ip", + i7.local_server_addr, + i7.local_server_port, &state->local_server_addr); if (ret != 0) { - DEBUG(2, ("Invalid local server address[%s:%u] - %s\n", - i5.local_server_addr, i5.local_server_port, - strerror(errno))); + DEBUG(2, + ("Invalid local server address[%s:%u] - %s\n", + i7.local_server_addr, + i7.local_server_port, + strerror(errno))); pipe_reply.status = NT_STATUS_INVALID_ADDRESS; goto reply; } - ret = tsocket_address_inet_from_strings(state, "ip", - i5.remote_client_addr, - i5.remote_client_port, + ret = tsocket_address_inet_from_strings(state, + "ip", + 
i7.remote_client_addr, + i7.remote_client_port, &state->remote_client_addr); if (ret != 0) { - DEBUG(2, ("Invalid remote client address[%s:%u] - %s\n", - i5.remote_client_addr, i5.remote_client_port, - strerror(errno))); + DEBUG(2, + ("Invalid remote client address[%s:%u] - %s\n", + i7.remote_client_addr, + i7.remote_client_port, + strerror(errno))); pipe_reply.status = NT_STATUS_INVALID_ADDRESS; goto reply; } @@ -1249,14 +1259,15 @@ static void tstream_npa_accept_existing_done(struct tevent_req *subreq) tevent_req_done(req); } -static struct named_pipe_auth_req_info5 *copy_npa_info5( - TALLOC_CTX *mem_ctx, const struct named_pipe_auth_req_info5 *src) +static struct named_pipe_auth_req_info7 * +copy_npa_info7(TALLOC_CTX *mem_ctx, + const struct named_pipe_auth_req_info7 *src) { - struct named_pipe_auth_req_info5 *dst = NULL; + struct named_pipe_auth_req_info7 *dst = NULL; DATA_BLOB blob; enum ndr_err_code ndr_err; - dst = talloc_zero(mem_ctx, struct named_pipe_auth_req_info5); + dst = talloc_zero(mem_ctx, struct named_pipe_auth_req_info7); if (dst == NULL) { return NULL; } @@ -1265,9 +1276,9 @@ static struct named_pipe_auth_req_info5 *copy_npa_info5( &blob, dst, src, - (ndr_push_flags_fn_t)ndr_push_named_pipe_auth_req_info5); + (ndr_push_flags_fn_t)ndr_push_named_pipe_auth_req_info7); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { - DBG_WARNING("ndr_push_named_pipe_auth_req_info5 failed: %s\n", + DBG_WARNING("ndr_push_named_pipe_auth_req_info7 failed: %s\n", ndr_errstr(ndr_err)); TALLOC_FREE(dst); return NULL; @@ -1277,10 +1288,10 @@ static struct named_pipe_auth_req_info5 *copy_npa_info5( &blob, dst, dst, - (ndr_pull_flags_fn_t)ndr_pull_named_pipe_auth_req_info5); + (ndr_pull_flags_fn_t)ndr_pull_named_pipe_auth_req_info7); TALLOC_FREE(blob.data); if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { - DBG_WARNING("ndr_push_named_pipe_auth_req_info5 failed: %s\n", + DBG_WARNING("ndr_push_named_pipe_auth_req_info7 failed: %s\n", ndr_errstr(ndr_err)); TALLOC_FREE(dst); return NULL; 
@@ -1294,7 +1305,7 @@ int _tstream_npa_accept_existing_recv( int *perrno, TALLOC_CTX *mem_ctx, struct tstream_context **stream, - struct named_pipe_auth_req_info5 **info5, + struct named_pipe_auth_req_info7 **info7, enum dcerpc_transport_t *transport, struct tsocket_address **remote_client_addr, char **_remote_client_name, @@ -1305,7 +1316,8 @@ int _tstream_npa_accept_existing_recv( { struct tstream_npa_accept_state *state = tevent_req_data(req, struct tstream_npa_accept_state); - struct named_pipe_auth_req_info5 *i5 = &state->pipe_request->info.info5; + struct named_pipe_auth_req_info7 *i7 = + &state->pipe_request->info.info7; struct tstream_npa *npas; int ret; @@ -1346,24 +1358,24 @@ int _tstream_npa_accept_existing_recv( npas->unix_stream = state->plain; npas->file_type = state->file_type; - if (info5 != NULL) { + if (info7 != NULL) { /* - * Make a full copy of "info5" because further down we + * Make a full copy of "info7" because further down we * talloc_move() away substructures from * state->pipe_request. */ - struct named_pipe_auth_req_info5 *dst = copy_npa_info5( - mem_ctx, i5); + struct named_pipe_auth_req_info7 *dst = + copy_npa_info7(mem_ctx, i7); if (dst == NULL) { *perrno = ENOMEM; tevent_req_received(req); return -1; } - *info5 = dst; + *info7 = dst; } if (transport != NULL) { - *transport = i5->transport; + *transport = i7->transport; } if (remote_client_addr != NULL) { *remote_client_addr = talloc_move( @@ -1371,7 +1383,8 @@ int _tstream_npa_accept_existing_recv( } if (_remote_client_name != NULL) { *_remote_client_name = discard_const_p( - char, talloc_move(mem_ctx, &i5->remote_client_name)); + char, + talloc_move(mem_ctx, &i7->remote_client_name)); } if (local_server_addr != NULL) { *local_server_addr = talloc_move( 
@@ -1379,10 +1392,11 @@ int _tstream_npa_accept_existing_recv( } if (local_server_name != NULL) { *local_server_name = discard_const_p( - char, talloc_move(mem_ctx, &i5->local_server_name)); + char, + talloc_move(mem_ctx, &i7->local_server_name)); } if (session_info != NULL) { - *session_info = talloc_move(mem_ctx, &i5->session_info); + *session_info = talloc_move(mem_ctx, &i7->session_info); } tevent_req_received(req); diff --git a/libcli/named_pipe_auth/npa_tstream.h b/libcli/named_pipe_auth/npa_tstream.h index 1d7e93dc0fa..ebb6d16e428 100644 --- a/libcli/named_pipe_auth/npa_tstream.h +++ b/libcli/named_pipe_auth/npa_tstream.h @@ -27,7 +27,7 @@ struct tevent_req; struct tevent_context; struct auth_session_info_transport; struct tsocket_address; -struct named_pipe_auth_req_info5; +struct named_pipe_auth_req_info7; struct tevent_req *tstream_npa_connect_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, @@ -114,7 +114,7 @@ int _tstream_npa_accept_existing_recv( int *perrno, TALLOC_CTX *mem_ctx, struct tstream_context **stream, - struct named_pipe_auth_req_info5 **info5, + struct named_pipe_auth_req_info7 **info7, enum dcerpc_transport_t *transport, struct tsocket_address **remote_client_addr, char **_remote_client_name, diff --git a/libcli/security/dom_sid.h b/libcli/security/dom_sid.h index 568916a159d..c362fa6fe80 100644 --- a/libcli/security/dom_sid.h +++ b/libcli/security/dom_sid.h @@ -66,6 +66,10 @@ extern const struct dom_sid global_sid_Unix_NFS_Mode; extern const struct dom_sid global_sid_Unix_NFS_Other; extern const struct dom_sid global_sid_Samba_SMB3; +extern const struct dom_sid global_sid_Samba_NPA_Flags; +#define SAMBA_NPA_FLAGS_NEED_IDLE 1 +#define SAMBA_NPA_FLAGS_WINBIND_OFF 2 + enum lsa_SidType; NTSTATUS dom_sid_lookup_predefined_name(const char *name, diff --git a/libcli/security/security_token.c b/libcli/security/security_token.c index 03e7bb70743..f788540e98e 100644 --- a/libcli/security/security_token.c +++ b/libcli/security/security_token.c 
@@ -95,6 +95,42 @@ bool security_token_has_sid(const struct security_token *token, const struct dom return false; } +size_t security_token_count_flag_sids(const struct security_token *token, + const struct dom_sid *prefix_sid, + size_t num_flags, + const struct dom_sid **_flag_sid) +{ + const size_t num_auths_expected = prefix_sid->num_auths + num_flags; + const struct dom_sid *found = NULL; + size_t num = 0; + uint32_t i; + + SMB_ASSERT(num_auths_expected <= ARRAY_SIZE(prefix_sid->sub_auths)); + + for (i = 0; i < token->num_sids; i++) { + const struct dom_sid *sid = &token->sids[i]; + int cmp; + + if ((size_t)sid->num_auths != num_auths_expected) { + continue; + } + + cmp = dom_sid_compare_domain(sid, prefix_sid); + if (cmp != 0) { + continue; + } + + num += 1; + found = sid; + } + + if ((num == 1) && (_flag_sid != NULL)) { + *_flag_sid = found; + } + + return num; +} + bool security_token_has_builtin_guests(const struct security_token *token) { return security_token_has_sid(token, &global_sid_Builtin_Guests); diff --git a/libcli/security/security_token.h b/libcli/security/security_token.h index 15773df617f..c6898859b98 100644 --- a/libcli/security/security_token.h +++ b/libcli/security/security_token.h @@ -47,6 +47,15 @@ bool security_token_is_anonymous(const struct security_token *token); bool security_token_has_sid(const struct security_token *token, const struct dom_sid *sid); +/* + * Return any of the domain sids found in the token matching "domain" + * in _domain_sid, makes most sense if you just found one. + */ +size_t security_token_count_flag_sids(const struct security_token *token, + const struct dom_sid *prefix_sid, + size_t num_flags, + const struct dom_sid **_flag_sid); + bool security_token_has_builtin_guests(const struct security_token *token); bool security_token_has_builtin_administrators(const struct security_token *token); diff --git a/libcli/security/util_sid.c b/libcli/security/util_sid.c index 242d7dd9dd1..a0b77751b78 100644 
--- a/libcli/security/util_sid.c +++ b/libcli/security/util_sid.c @@ -162,6 +162,13 @@ const struct dom_sid global_sid_Unix_NFS_Other = /* Unix other, MS NFS and Appl const struct dom_sid global_sid_Samba_SMB3 = {1, 1, {0,0,0,0,0,22}, {1397571891, }}; +const struct dom_sid global_sid_Samba_NPA_Flags = {1, + 1, + {0, 0, 0, 0, 0, 22}, + { + 2041152804, + }}; + /* Unused, left here for documentary purposes */ #if 0 #define SECURITY_NULL_SID_AUTHORITY 0 diff --git a/librpc/idl/named_pipe_auth.idl b/librpc/idl/named_pipe_auth.idl index 6f26cceab17..b2c9201d1ce 100644 --- a/librpc/idl/named_pipe_auth.idl +++ b/librpc/idl/named_pipe_auth.idl @@ -21,11 +21,10 @@ interface named_pipe_auth [charset(DOS),string] uint8 *local_server_addr; uint16 local_server_port; auth_session_info_transport *session_info; - boolean8 need_idle_server; - } named_pipe_auth_req_info5; + } named_pipe_auth_req_info7; typedef [switch_type(uint32)] union { - [case(5)] named_pipe_auth_req_info5 info5; + [case(7)] named_pipe_auth_req_info7 info7; } named_pipe_auth_req_info; typedef [public,gensize] struct { @@ -41,10 +40,10 @@ interface named_pipe_auth uint16 file_type; uint16 device_state; hyper allocation_size; - } named_pipe_auth_rep_info5; + } named_pipe_auth_rep_info7; typedef [switch_type(uint32)] union { - [case(5)] named_pipe_auth_rep_info5 info5; + [case(7)] named_pipe_auth_rep_info7 info7; } named_pipe_auth_rep_info; typedef [public,gensize] struct { diff --git a/librpc/rpc/dcerpc_helper.c b/librpc/rpc/dcerpc_helper.c index cf0deeb2079..e1589f90794 100644 --- a/librpc/rpc/dcerpc_helper.c +++ b/librpc/rpc/dcerpc_helper.c @@ -20,6 +20,7 @@ #include "librpc/gen_ndr/auth.h" #include "lib/crypto/gnutls_helpers.h" #include "libcli/security/dom_sid.h" +#include "libcli/security/security_token.h" #include "libcli/smb/smb2_constants.h" #include "dcerpc_helper.h" 
@@ -48,7 +49,12 @@ static bool smb3_sid_parse(const struct dom_sid *sid, } cipher = sid->sub_auths[3]; - if (cipher > SMB2_ENCRYPTION_AES128_GCM) { + if (cipher > 256) { + /* + * It is unlikely that we + * ever have more then 256 + * encryption algorithms + */ return false; } @@ -75,23 +81,17 @@ bool dcerpc_is_transport_encrypted(struct auth_session_info *session_info) uint16_t dialect = 0; uint16_t encrypt = 0; uint16_t cipher = 0; - uint32_t i; + size_t num_smb3_sids; bool ok; - for (i = 0; i < token->num_sids; i++) { - int cmp; - - /* There is only one SMB3 SID allowed! */ - cmp = dom_sid_compare_domain(&token->sids[i], &smb3_dom_sid); - if (cmp == 0) { - if (smb3_sid == NULL) { - smb3_sid = &token->sids[i]; - } else { - DBG_ERR("ERROR: The SMB3 SID has been detected " - "multiple times\n"); - return false; - } -- Samba Shared Repository
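Review bot: In the npa_tstream.c hunk at @@ -1147,53 +1151,59 @@ (tstream_npa_accept_existing_reply), the "Unknown level %u" DEBUG(0) is now the only trace an operator gets when an smbd/winbind and an rpc_host from different builds meet on the ncalrpc socket after this level bump; include the level this side expects in the message, e.g. `DEBUG(0, ("Unknown level %u, expected 7\n", pipe_request->level));`, so a version mismatch is diagnosable from the log rather than only from the NT_STATUS_INVALID_LEVEL the peer sees.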
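Review bot: In the npa_tstream.c hunk at @@ -1277,10 +1288,10 @@ (copy_npa_info7), the DBG_WARNING following ndr_pull_struct_blob() still says "ndr_push_named_pipe_auth_req_info7 failed" although the call that failed is ndr_pull_named_pipe_auth_req_info7; since the rename touches exactly this line, fix the copy/paste here so a failing pull in the accept path is logged as a pull: `DBG_WARNING("ndr_pull_named_pipe_auth_req_info7 failed: %s\n",`.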
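Review bot: In the dom_sid.h hunk, SAMBA_NPA_FLAGS_NEED_IDLE and SAMBA_NPA_FLAGS_WINBIND_OFF are added with no comment; the commit messages say these are flags carried in global_sid_Samba_NPA_Flags, i.e. bits OR-ed into a uint32_t sub_auth, so state that next to the defines (that they must be distinct powers of two and that at most 32 fit in one trailing sub_auth), otherwise the next person extending the set may add 3 or 4 as a plain enumerator and silently alias the existing bits.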
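Review bot: In the security_token.c hunk (new security_token_count_flag_sids()), `*_flag_sid` is written only when exactly one matching SID was found, so a caller that passes an uninitialised pointer and checks it after a count of 0 or more than 1 reads garbage; either initialise the out parameter at the top (`if (_flag_sid != NULL) { *_flag_sid = NULL; }`) before the loop, or state in the function comment that `*_flag_sid` is untouched unless the return value is 1. The `(size_t)sid->num_auths != num_auths_expected` pre-filter is what makes the dom_sid_compare_domain() call compare the whole prefix rather than a shorter SID, which is worth a one-line comment since it is the only thing preventing a shorter Samba SID under the same authority from being counted.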
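Review bot: In the security_token.h hunk, the comment above security_token_count_flag_sids() talks about "domain sids", "domain" and "_domain_sid", none of which match the parameters (prefix_sid, num_flags, _flag_sid), and "any of the domain sids found" does not match the implementation, which only hands back a SID when exactly one matched; rewrite it to describe the contract, e.g. "Count the SIDs in token that have prefix_sid as prefix and exactly num_flags additional sub_auths; if exactly one is found, return it in *_flag_sid."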
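Review bot: In the util_sid.c hunk, the new global_sid_Samba_NPA_Flags is defined as authority 22 with the single sub_auth 2041152804 and no comment on where that number comes from; add the string form (S-1-22-2041152804) and a note on how the value was chosen next to the definition, so that it is recognisable in logs and token dumps and nobody picks the same value for another special-case Samba SID under this authority.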
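Review bot: In the named_pipe_auth.idl hunk, the union cases and struct names go straight from 5 to 7 with no case 6 anywhere in the file, and the accept side now rejects anything but 7 with NT_STATUS_INVALID_LEVEL; since the shortlog shows info6 only existed as the intermediate step between e46af7b3322 and ec0c93199b9, add an IDL comment saying level 6 is intentionally skipped, otherwise a reader of the gap will assume something still speaks level 6 and may try to add it back.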
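Review bot: In the dcerpc_helper.c hunk at @@ -48,7 +49,12 @@ (smb3_sid_parse), the new comment reads "more then 256" (should be "than"), and `cipher > 256` accepts the 257 values 0..256, so the comparison and the comment disagree by one; if the intent is to reserve 256 algorithm ids, use `cipher >= 256`, and preferably give the bound a name so the sanity check reads as such and is not mistaken for an SMB2 protocol limit.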
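Review bot: In the dcerpc_helper.c hunk at @@ -75,23 +81,17 @@ (dcerpc_is_transport_encrypted), the mail is cut at the 500-line limit so the replacement for the removed loop is not visible here; the removed code explicitly returned false with "The SMB3 SID has been detected multiple times" when more than one SMB3 SID was present, and that guard is the security-relevant part of the old loop, so please confirm that the new code built on `num_smb3_sids` treats `num_smb3_sids != 1` (not only `== 0`) as "not encrypted" and keeps logging the duplicate case, since a token carrying two SMB3 SIDs with different cipher values must not be reported as encrypted on the strength of either one.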