From 8d72e612ac2845cd873c4fd614456fe8749db130 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 18 Jul 2011 12:23:04 +1000 Subject: [PATCH] s3-rpc_server read and write the unix_token and unix_info across named_pipe_auth This ensures that the exact same token is used on both sides of the pipe, when a full token is passed (ie, source3 to source3, but not yet source4 to to source3 as the unix info isn't calculated there yet). If we do not have unix_token, we fall back to the old behaviour and go via create_local_token(). (However, in this case the security_token is now overwritten, as it is better to have it match the rest of the session_info create_local_token() builds). Andrew Bartlett Signed-off-by: Andrew Tridgell --- source3/rpc_server/rpc_ncacn_np.c | 2 + source3/rpc_server/rpc_server.c | 67 ++++++++++++++++++------------- 2 files changed, 42 insertions(+), 27 deletions(-) diff --git a/source3/rpc_server/rpc_ncacn_np.c b/source3/rpc_server/rpc_ncacn_np.c index 0fa8e833295..f43d0b81bc4 100644 --- a/source3/rpc_server/rpc_ncacn_np.c +++ b/source3/rpc_server/rpc_ncacn_np.c @@ -682,6 +682,8 @@ struct np_proxy_state *make_external_rpc_pipe_p(TALLOC_CTX *mem_ctx, /* Send the named_pipe_auth server the user's full token */ session_info_npa->security_token = session_info->security_token; session_info_npa->session_key = session_info->session_key; + session_info_npa->unix_token = session_info->unix_token; + session_info_npa->unix_info = session_info->unix_info; val.sam3 = session_info->info3; diff --git a/source3/rpc_server/rpc_server.c b/source3/rpc_server/rpc_server.c index 7733b3819fc..7e383e84c19 100644 --- a/source3/rpc_server/rpc_server.c +++ b/source3/rpc_server/rpc_server.c @@ -91,7 +91,6 @@ static int make_server_pipes_struct(TALLOC_CTX *mem_ctx, struct netr_SamInfo3 *info3; struct auth_user_info_dc *auth_user_info_dc; struct pipes_struct *p; - struct auth_serversupplied_info *server_info; NTSTATUS status; p = talloc_zero(mem_ctx, struct pipes_struct); @@ -139,34 +138,48 @@ static int make_server_pipes_struct(TALLOC_CTX *mem_ctx, return -1; } - status = make_server_info_info3(p, - info3->base.account_name.string, - info3->base.domain.string, - &server_info, info3); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to init server info\n")); - TALLOC_FREE(p); - *perrno = EINVAL; - return -1; - } + if (session_info->unix_token && session_info->unix_info && session_info->security_token) { + /* Don't call create_local_token(), we already have the full details here */ + p->session_info = talloc_zero(p, struct auth3_session_info); + if (p->session_info == NULL) { + TALLOC_FREE(p); + *perrno = ENOMEM; + return -1; + } + p->session_info->security_token = talloc_move(p->session_info, &session_info->security_token); + p->session_info->unix_token = talloc_move(p->session_info, &session_info->unix_token); + p->session_info->unix_info = talloc_move(p->session_info, &session_info->unix_info); + p->session_info->info3 = talloc_move(p->session_info, &info3); + p->session_info->session_key = session_info->session_key; + p->session_info->session_key.data = talloc_move(p->session_info, &session_info->session_key.data); - /* - * Some internal functions need a local token to determine access to - * resoutrces. - */ - status = create_local_token(p, server_info, &session_info->session_key, &p->session_info); - talloc_free(server_info); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(1, ("Failed to init local auth token\n")); - TALLOC_FREE(p); - *perrno = EINVAL; - return -1; - } + } else { + struct auth_serversupplied_info *server_info; - /* Now override the session_info->security_token with the exact - * security_token we were given from the other side, - * regardless of what we just calculated */ - p->session_info->security_token = talloc_move(p->session_info, &session_info->security_token); + status = make_server_info_info3(p, + info3->base.account_name.string, + info3->base.domain.string, + &server_info, info3); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to init server info\n")); + TALLOC_FREE(p); + *perrno = EINVAL; + return -1; + } + + /* + * Some internal functions need a local token to determine access to + * resources. + */ + status = create_local_token(p, server_info, &session_info->session_key, &p->session_info); + talloc_free(server_info); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to init local auth token\n")); + TALLOC_FREE(p); + *perrno = EINVAL; + return -1; + } + } p->remote_address = tsocket_address_copy(remote_address, p); if (p->remote_address == NULL) { -- 2.34.1