#include "lib/socket/socket.h"
#include "smbd/process_model.h"
#include "lib/messaging/irpc.h"
-
-/* this is only used when the client asks for an unknown interface */
-#define DUMMY_ASSOC_GROUP 0x0FFFFFFF
+#include "librpc/rpc/rpc_common.h"
+#include "lib/util/samba_modules.h"
+#include "librpc/gen_ndr/ndr_dcerpc.h"
extern const struct dcesrv_interface dcesrv_mgmt_interface;
assoc_group = dcesrv_assoc_group_find(dce_ctx, id);
if (assoc_group == NULL) {
- DEBUG(0,(__location__ ": Failed to find assoc_group 0x%08x\n", id));
+ DEBUG(2,(__location__ ": Failed to find assoc_group 0x%08x\n", id));
return NULL;
}
return talloc_reference(mem_ctx, assoc_group);
static bool endpoints_match(const struct dcerpc_binding *ep1,
const struct dcerpc_binding *ep2)
{
- if (ep1->transport != ep2->transport) {
+ enum dcerpc_transport_t t1;
+ enum dcerpc_transport_t t2;
+ const char *e1;
+ const char *e2;
+
+ t1 = dcerpc_binding_get_transport(ep1);
+ t2 = dcerpc_binding_get_transport(ep2);
+
+ e1 = dcerpc_binding_get_string_option(ep1, "endpoint");
+ e2 = dcerpc_binding_get_string_option(ep2, "endpoint");
+
+ if (t1 != t2) {
return false;
}
- if (!ep1->endpoint || !ep2->endpoint) {
- return ep1->endpoint == ep2->endpoint;
+ if (!e1 || !e2) {
+ return e1 == e2;
}
- if (strcasecmp(ep1->endpoint, ep2->endpoint) != 0)
+ if (strcasecmp(e1, e2) != 0) {
return false;
+ }
return true;
}
/* check if this endpoint exists
*/
if ((ep=find_endpoint(dce_ctx, binding))==NULL) {
- ep = talloc(dce_ctx, struct dcesrv_endpoint);
+ ep = talloc_zero(dce_ctx, struct dcesrv_endpoint);
if (!ep) {
return NT_STATUS_NO_MEMORY;
}
ZERO_STRUCTP(ep);
- ep->ep_description = talloc_reference(ep, binding);
+ ep->ep_description = talloc_move(ep, &binding);
add_ep = true;
/* add mgmt interface */
- ifl = talloc(dce_ctx, struct dcesrv_if_list);
+ ifl = talloc_zero(ep, struct dcesrv_if_list);
if (!ifl) {
return NT_STATUS_NO_MEMORY;
}
}
/* talloc a new interface list element */
- ifl = talloc(dce_ctx, struct dcesrv_if_list);
+ ifl = talloc_zero(ep, struct dcesrv_if_list);
if (!ifl) {
return NT_STATUS_NO_MEMORY;
}
* we try to set it
*/
if (ep->sd == NULL) {
- ep->sd = security_descriptor_copy(dce_ctx, sd);
+ ep->sd = security_descriptor_copy(ep, sd);
}
/* if now there's no security descriptor given on the endpoint
const struct dcesrv_endpoint *ep,
struct auth_session_info *session_info,
struct tevent_context *event_ctx,
- struct messaging_context *msg_ctx,
+ struct imessaging_context *msg_ctx,
struct server_id server_id,
uint32_t state_flags,
struct dcesrv_connection **_p)
return NT_STATUS_ACCESS_DENIED;
}
- p = talloc(mem_ctx, struct dcesrv_connection);
+ p = talloc_zero(mem_ctx, struct dcesrv_connection);
NT_STATUS_HAVE_NO_MEMORY(p);
if (!talloc_reference(p, session_info)) {
p->dce_ctx = dce_ctx;
p->endpoint = ep;
- p->contexts = NULL;
- p->call_list = NULL;
- p->packet_log_dir = lpcfg_lockdir(dce_ctx->lp_ctx);
- p->incoming_fragmented_call_list = NULL;
- p->pending_call_list = NULL;
- p->cli_max_recv_frag = 0;
- p->partial_input = data_blob(NULL, 0);
- p->auth_state.auth_info = NULL;
- p->auth_state.gensec_security = NULL;
+ p->packet_log_dir = lpcfg_lock_directory(dce_ctx->lp_ctx);
p->auth_state.session_info = session_info;
p->auth_state.session_key = dcesrv_generic_session_key;
p->event_ctx = event_ctx;
p->msg_ctx = msg_ctx;
p->server_id = server_id;
- p->processing = false;
p->state_flags = state_flags;
- ZERO_STRUCT(p->transport);
+ p->allow_bind = true;
+ p->max_recv_frag = 5840;
+ p->max_xmit_frag = 5840;
+ p->max_total_request_size = DCERPC_NCACN_REQUEST_DEFAULT_MAX_SIZE;
*_p = p;
return NT_STATUS_OK;
case DCESRV_LIST_NONE:
break;
case DCESRV_LIST_CALL_LIST:
- DLIST_ADD_END(call->conn->call_list, call, struct dcesrv_call_state *);
+ DLIST_ADD_END(call->conn->call_list, call);
break;
case DCESRV_LIST_FRAGMENTED_CALL_LIST:
- DLIST_ADD_END(call->conn->incoming_fragmented_call_list, call, struct dcesrv_call_state *);
+ DLIST_ADD_END(call->conn->incoming_fragmented_call_list, call);
break;
case DCESRV_LIST_PENDING_CALL_LIST:
- DLIST_ADD_END(call->conn->pending_call_list, call, struct dcesrv_call_state *);
+ DLIST_ADD_END(call->conn->pending_call_list, call);
break;
}
}
+static void dcesrv_call_disconnect_after(struct dcesrv_call_state *call,
+ const char *reason)
+{
+ if (call->conn->terminate != NULL) {
+ return;
+ }
+
+ call->conn->allow_bind = false;
+ call->conn->allow_alter = false;
+ call->conn->allow_auth3 = false;
+ call->conn->allow_request = false;
+
+ call->terminate_reason = talloc_strdup(call, reason);
+ if (call->terminate_reason == NULL) {
+ call->terminate_reason = __location__;
+ }
+}
/*
return a dcerpc bind_nak
static NTSTATUS dcesrv_bind_nak(struct dcesrv_call_state *call, uint32_t reason)
{
struct ncacn_packet pkt;
+ struct dcerpc_bind_nak_version version;
struct data_blob_list_item *rep;
NTSTATUS status;
+ static const uint8_t _pad[3] = { 0, };
+
+ /*
+ * We add the call to the pending_call_list
+ * in order to defer the termination.
+ */
+ dcesrv_call_disconnect_after(call, "dcesrv_bind_nak");
/* setup a bind_nak */
dcesrv_init_hdr(&pkt, lpcfg_rpc_big_endian(call->conn->dce_ctx->lp_ctx));
pkt.ptype = DCERPC_PKT_BIND_NAK;
pkt.pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
pkt.u.bind_nak.reject_reason = reason;
- if (pkt.u.bind_nak.reject_reason == DECRPC_BIND_PROTOCOL_VERSION_NOT_SUPPORTED) {
- pkt.u.bind_nak.versions.v.num_versions = 0;
- }
+ version.rpc_vers = 5;
+ version.rpc_vers_minor = 0;
+ pkt.u.bind_nak.num_versions = 1;
+ pkt.u.bind_nak.versions = &version;
+ pkt.u.bind_nak._pad = data_blob_const(_pad, sizeof(_pad));
- rep = talloc(call, struct data_blob_list_item);
+ rep = talloc_zero(call, struct data_blob_list_item);
if (!rep) {
return NT_STATUS_NO_MEMORY;
}
dcerpc_set_frag_length(&rep->blob, rep->blob.length);
- DLIST_ADD_END(call->replies, rep, struct data_blob_list_item *);
+ DLIST_ADD_END(call->replies, rep);
dcesrv_call_set_list(call, DCESRV_LIST_CALL_LIST);
if (call->conn->call_list && call->conn->call_list->replies) {
return NT_STATUS_OK;
}
+static NTSTATUS dcesrv_fault_disconnect(struct dcesrv_call_state *call,
+ uint32_t fault_code)
+{
+ /*
+ * We add the call to the pending_call_list
+ * in order to defer the termination.
+ */
+ dcesrv_call_disconnect_after(call, "dcesrv_fault_disconnect");
+
+ return dcesrv_fault_with_flags(call, fault_code,
+ DCERPC_PFC_FLAG_DID_NOT_EXECUTE);
+}
+
static int dcesrv_connection_context_destructor(struct dcesrv_connection_context *c)
{
DLIST_REMOVE(c->conn->contexts, c);
if (c->iface && c->iface->unbind) {
c->iface->unbind(c, c->iface);
+ c->iface = NULL;
}
return 0;
}
+static void dcesrv_prepare_context_auth(struct dcesrv_call_state *dce_call)
+{
+ struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
+ const struct dcesrv_endpoint *endpoint = dce_call->conn->endpoint;
+ enum dcerpc_transport_t transport =
+ dcerpc_binding_get_transport(endpoint->ep_description);
+ struct dcesrv_connection_context *context = dce_call->context;
+ const struct dcesrv_interface *iface = context->iface;
+
+ context->min_auth_level = DCERPC_AUTH_LEVEL_NONE;
+
+ if (transport == NCALRPC) {
+ context->allow_connect = true;
+ return;
+ }
+
+ /*
+ * allow overwrite per interface
+ * allow dcerpc auth level connect:<interface>
+ */
+ context->allow_connect = lpcfg_allow_dcerpc_auth_level_connect(lp_ctx);
+ context->allow_connect = lpcfg_parm_bool(lp_ctx, NULL,
+ "allow dcerpc auth level connect",
+ iface->name,
+ context->allow_connect);
+}
+
+NTSTATUS dcesrv_interface_bind_require_integrity(struct dcesrv_call_state *dce_call,
+ const struct dcesrv_interface *iface)
+{
+ if (dce_call->context == NULL) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ dce_call->context->min_auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
+ return NT_STATUS_OK;
+}
+
+NTSTATUS dcesrv_interface_bind_require_privacy(struct dcesrv_call_state *dce_call,
+ const struct dcesrv_interface *iface)
+{
+ if (dce_call->context == NULL) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ dce_call->context->min_auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
+ return NT_STATUS_OK;
+}
+
+_PUBLIC_ NTSTATUS dcesrv_interface_bind_reject_connect(struct dcesrv_call_state *dce_call,
+ const struct dcesrv_interface *iface)
+{
+ struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
+ const struct dcesrv_endpoint *endpoint = dce_call->conn->endpoint;
+ enum dcerpc_transport_t transport =
+ dcerpc_binding_get_transport(endpoint->ep_description);
+ struct dcesrv_connection_context *context = dce_call->context;
+
+ if (context == NULL) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ if (transport == NCALRPC) {
+ context->allow_connect = true;
+ return NT_STATUS_OK;
+ }
+
+ /*
+ * allow overwrite per interface
+ * allow dcerpc auth level connect:<interface>
+ */
+ context->allow_connect = false;
+ context->allow_connect = lpcfg_parm_bool(lp_ctx, NULL,
+ "allow dcerpc auth level connect",
+ iface->name,
+ context->allow_connect);
+ return NT_STATUS_OK;
+}
+
+_PUBLIC_ NTSTATUS dcesrv_interface_bind_allow_connect(struct dcesrv_call_state *dce_call,
+ const struct dcesrv_interface *iface)
+{
+ struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
+ const struct dcesrv_endpoint *endpoint = dce_call->conn->endpoint;
+ enum dcerpc_transport_t transport =
+ dcerpc_binding_get_transport(endpoint->ep_description);
+ struct dcesrv_connection_context *context = dce_call->context;
+
+ if (context == NULL) {
+ return NT_STATUS_INTERNAL_ERROR;
+ }
+
+ if (transport == NCALRPC) {
+ context->allow_connect = true;
+ return NT_STATUS_OK;
+ }
+
+ /*
+ * allow overwrite per interface
+ * allow dcerpc auth level connect:<interface>
+ */
+ context->allow_connect = true;
+ context->allow_connect = lpcfg_parm_bool(lp_ctx, NULL,
+ "allow dcerpc auth level connect",
+ iface->name,
+ context->allow_connect);
+ return NT_STATUS_OK;
+}
+
/*
handle a bind request
*/
uint32_t context_id;
const struct dcesrv_interface *iface;
uint32_t extra_flags = 0;
+ uint16_t max_req = 0;
+ uint16_t max_rep = 0;
+ const char *ep_prefix = "";
+ const char *endpoint = NULL;
+
+ status = dcerpc_verify_ncacn_packet_header(&call->pkt,
+ DCERPC_PKT_BIND,
+ call->pkt.u.bind.auth_info.length,
+ 0, /* required flags */
+ DCERPC_PFC_FLAG_FIRST |
+ DCERPC_PFC_FLAG_LAST |
+ DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN |
+ 0x08 | /* this is not defined, but should be ignored */
+ DCERPC_PFC_FLAG_CONC_MPX |
+ DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
+ DCERPC_PFC_FLAG_MAYBE |
+ DCERPC_PFC_FLAG_OBJECT_UUID);
+ if (!NT_STATUS_IS_OK(status)) {
+ return dcesrv_bind_nak(call,
+ DCERPC_BIND_NAK_REASON_PROTOCOL_VERSION_NOT_SUPPORTED);
+ }
+
+ /* max_recv_frag and max_xmit_frag result always in the same value! */
+ max_req = MIN(call->pkt.u.bind.max_xmit_frag,
+ call->pkt.u.bind.max_recv_frag);
+ /*
+ * The values are between 2048 and 5840 tested against Windows 2012R2
+ * via ncacn_ip_tcp on port 135.
+ */
+ max_req = MAX(2048, max_req);
+ max_rep = MIN(max_req, call->conn->max_recv_frag);
+ /* They are truncated to an 8 byte boundary. */
+ max_rep &= 0xFFF8;
+
+ /* max_recv_frag and max_xmit_frag result always in the same value! */
+ call->conn->max_recv_frag = max_rep;
+ call->conn->max_xmit_frag = max_rep;
/*
if provided, check the assoc_group is valid
*/
- if (call->pkt.u.bind.assoc_group_id != 0 &&
- lpcfg_parm_bool(call->conn->dce_ctx->lp_ctx, NULL, "dcesrv","assoc group checking", true) &&
- dcesrv_assoc_group_find(call->conn->dce_ctx, call->pkt.u.bind.assoc_group_id) == NULL) {
- return dcesrv_bind_nak(call, 0);
+ if (call->pkt.u.bind.assoc_group_id != 0) {
+ call->conn->assoc_group = dcesrv_assoc_group_reference(call->conn,
+ call->conn->dce_ctx,
+ call->pkt.u.bind.assoc_group_id);
+ } else {
+ call->conn->assoc_group = dcesrv_assoc_group_new(call->conn,
+ call->conn->dce_ctx);
+ }
+ if (call->conn->assoc_group == NULL) {
+ return dcesrv_bind_nak(call, 0);
}
if (call->pkt.u.bind.num_contexts < 1 ||
}
context_id = call->pkt.u.bind.ctx_list[0].context_id;
-
- /* you can't bind twice on one context */
- if (dcesrv_find_context(call->conn, context_id) != NULL) {
- return dcesrv_bind_nak(call, 0);
- }
-
if_version = call->pkt.u.bind.ctx_list[0].abstract_syntax.if_version;
uuid = call->pkt.u.bind.ctx_list[0].abstract_syntax.uuid;
transfer_syntax_version = call->pkt.u.bind.ctx_list[0].transfer_syntaxes[0].if_version;
transfer_syntax_uuid = &call->pkt.u.bind.ctx_list[0].transfer_syntaxes[0].uuid;
- if (!GUID_equal(&ndr_transfer_syntax.uuid, transfer_syntax_uuid) != 0 ||
- ndr_transfer_syntax.if_version != transfer_syntax_version) {
+ if (!GUID_equal(&ndr_transfer_syntax_ndr.uuid, transfer_syntax_uuid) != 0 ||
+ ndr_transfer_syntax_ndr.if_version != transfer_syntax_version) {
char *uuid_str = GUID_string(call, transfer_syntax_uuid);
/* we only do NDR encoded dcerpc */
DEBUG(0,("Non NDR transfer syntax requested - %s\n", uuid_str));
if (iface) {
/* add this context to the list of available context_ids */
- struct dcesrv_connection_context *context = talloc(call->conn,
+ struct dcesrv_connection_context *context = talloc_zero(call->conn,
struct dcesrv_connection_context);
if (context == NULL) {
return dcesrv_bind_nak(call, 0);
context->conn = call->conn;
context->iface = iface;
context->context_id = context_id;
- if (call->pkt.u.bind.assoc_group_id != 0) {
- context->assoc_group = dcesrv_assoc_group_reference(context,
- call->conn->dce_ctx,
- call->pkt.u.bind.assoc_group_id);
- } else {
- context->assoc_group = dcesrv_assoc_group_new(context, call->conn->dce_ctx);
- }
- if (context->assoc_group == NULL) {
- talloc_free(context);
- return dcesrv_bind_nak(call, 0);
- }
+ /* legacy for openchange dcesrv_mapiproxy.c */
+ context->assoc_group = call->conn->assoc_group;
context->private_data = NULL;
DLIST_ADD(call->conn->contexts, context);
call->context = context;
talloc_set_destructor(context, dcesrv_connection_context_destructor);
+ dcesrv_prepare_context_auth(call);
+
status = iface->bind(call, iface, if_version);
if (!NT_STATUS_IS_OK(status)) {
char *uuid_str = GUID_string(call, &uuid);
}
}
- if (call->conn->cli_max_recv_frag == 0) {
- call->conn->cli_max_recv_frag = MIN(0x2000, call->pkt.u.bind.max_recv_frag);
+ if ((call->pkt.pfc_flags & DCERPC_PFC_FLAG_CONC_MPX) &&
+ (call->state_flags & DCESRV_CALL_STATE_FLAG_MULTIPLEXED)) {
+ call->context->conn->state_flags |= DCESRV_CALL_STATE_FLAG_MULTIPLEXED;
+ extra_flags |= DCERPC_PFC_FLAG_CONC_MPX;
}
- if ((call->pkt.pfc_flags & DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN) &&
- lpcfg_parm_bool(call->conn->dce_ctx->lp_ctx, NULL, "dcesrv","header signing", false)) {
- call->conn->state_flags |= DCESRV_CALL_STATE_FLAG_HEADER_SIGNING;
- extra_flags |= DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN;
+ if (call->state_flags & DCESRV_CALL_STATE_FLAG_PROCESS_PENDING_CALL) {
+ call->context->conn->state_flags |= DCESRV_CALL_STATE_FLAG_PROCESS_PENDING_CALL;
}
/* handle any authentication that is being requested */
if (!dcesrv_auth_bind(call)) {
- talloc_free(call->context);
- call->context = NULL;
- return dcesrv_bind_nak(call, DCERPC_BIND_REASON_INVALID_AUTH_TYPE);
+ struct dcesrv_auth *auth = &call->conn->auth_state;
+
+ TALLOC_FREE(call->context);
+
+ if (auth->auth_level != DCERPC_AUTH_LEVEL_NONE) {
+ /*
+ * We only give INVALID_AUTH_TYPE if the auth_level was
+ * valid.
+ */
+ return dcesrv_bind_nak(call,
+ DCERPC_BIND_NAK_REASON_INVALID_AUTH_TYPE);
+ }
+ return dcesrv_bind_nak(call,
+ DCERPC_BIND_NAK_REASON_NOT_SPECIFIED);
}
/* setup a bind_ack */
pkt.call_id = call->pkt.call_id;
pkt.ptype = DCERPC_PKT_BIND_ACK;
pkt.pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST | extra_flags;
- pkt.u.bind_ack.max_xmit_frag = call->conn->cli_max_recv_frag;
- pkt.u.bind_ack.max_recv_frag = 0x2000;
+ pkt.u.bind_ack.max_xmit_frag = call->conn->max_xmit_frag;
+ pkt.u.bind_ack.max_recv_frag = call->conn->max_recv_frag;
+ pkt.u.bind_ack.assoc_group_id = call->conn->assoc_group->id;
- /*
- make it possible for iface->bind() to specify the assoc_group_id
- This helps the openchange mapiproxy plugin to work correctly.
-
- metze
- */
- if (call->context) {
- pkt.u.bind_ack.assoc_group_id = call->context->assoc_group->id;
- } else {
- pkt.u.bind_ack.assoc_group_id = DUMMY_ASSOC_GROUP;
+ if (iface) {
+ endpoint = dcerpc_binding_get_string_option(
+ call->conn->endpoint->ep_description,
+ "endpoint");
}
- if (iface) {
- /* FIXME: Use pipe name as specified by endpoint instead of interface name */
- pkt.u.bind_ack.secondary_address = talloc_asprintf(call, "\\PIPE\\%s", iface->name);
- } else {
- pkt.u.bind_ack.secondary_address = "";
+ if (endpoint == NULL) {
+ endpoint = "";
+ }
+
+ if (strncasecmp(endpoint, "\\pipe\\", 6) == 0) {
+ /*
+ * TODO: check if this is really needed
+ *
+ * Or if we should fix this in our idl files.
+ */
+ ep_prefix = "\\PIPE\\";
+ endpoint += 6;
+ }
+
+ pkt.u.bind_ack.secondary_address = talloc_asprintf(call, "%s%s",
+ ep_prefix,
+ endpoint);
+ if (pkt.u.bind_ack.secondary_address == NULL) {
+ TALLOC_FREE(call->context);
+ return NT_STATUS_NO_MEMORY;
}
pkt.u.bind_ack.num_results = 1;
- pkt.u.bind_ack.ctx_list = talloc(call, struct dcerpc_ack_ctx);
+ pkt.u.bind_ack.ctx_list = talloc_zero(call, struct dcerpc_ack_ctx);
if (!pkt.u.bind_ack.ctx_list) {
talloc_free(call->context);
call->context = NULL;
return NT_STATUS_NO_MEMORY;
}
pkt.u.bind_ack.ctx_list[0].result = result;
- pkt.u.bind_ack.ctx_list[0].reason = reason;
- pkt.u.bind_ack.ctx_list[0].syntax = ndr_transfer_syntax;
+ pkt.u.bind_ack.ctx_list[0].reason.value = reason;
+ pkt.u.bind_ack.ctx_list[0].syntax = ndr_transfer_syntax_ndr;
pkt.u.bind_ack.auth_info = data_blob(NULL, 0);
status = dcesrv_auth_bind_ack(call, &pkt);
return dcesrv_bind_nak(call, 0);
}
- rep = talloc(call, struct data_blob_list_item);
+ rep = talloc_zero(call, struct data_blob_list_item);
if (!rep) {
talloc_free(call->context);
call->context = NULL;
}
status = ncacn_push_auth(&rep->blob, call, &pkt,
- call->conn->auth_state.auth_info);
+ call->out_auth_info);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(call->context);
call->context = NULL;
dcerpc_set_frag_length(&rep->blob, rep->blob.length);
- DLIST_ADD_END(call->replies, rep, struct data_blob_list_item *);
+ DLIST_ADD_END(call->replies, rep);
dcesrv_call_set_list(call, DCESRV_LIST_CALL_LIST);
if (call->conn->call_list && call->conn->call_list->replies) {
*/
static NTSTATUS dcesrv_auth3(struct dcesrv_call_state *call)
{
+ NTSTATUS status;
+
+ if (!call->conn->allow_auth3) {
+ return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
+ }
+
+ if (call->conn->auth_state.auth_finished) {
+ return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
+ }
+
+ status = dcerpc_verify_ncacn_packet_header(&call->pkt,
+ DCERPC_PKT_AUTH3,
+ call->pkt.u.auth3.auth_info.length,
+ 0, /* required flags */
+ DCERPC_PFC_FLAG_FIRST |
+ DCERPC_PFC_FLAG_LAST |
+ DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN |
+ 0x08 | /* this is not defined, but should be ignored */
+ DCERPC_PFC_FLAG_CONC_MPX |
+ DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
+ DCERPC_PFC_FLAG_MAYBE |
+ DCERPC_PFC_FLAG_OBJECT_UUID);
+ if (!NT_STATUS_IS_OK(status)) {
+ return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
+ }
+
/* handle the auth3 in the auth code */
if (!dcesrv_auth_auth3(call)) {
- return dcesrv_fault(call, DCERPC_FAULT_OTHER);
+ call->conn->auth_state.auth_invalid = true;
}
talloc_free(call);
transfer_syntax_version = call->pkt.u.alter.ctx_list[0].transfer_syntaxes[0].if_version;
transfer_syntax_uuid = &call->pkt.u.alter.ctx_list[0].transfer_syntaxes[0].uuid;
- if (!GUID_equal(transfer_syntax_uuid, &ndr_transfer_syntax.uuid) ||
- ndr_transfer_syntax.if_version != transfer_syntax_version) {
+ if (!GUID_equal(transfer_syntax_uuid, &ndr_transfer_syntax_ndr.uuid) ||
+ ndr_transfer_syntax_ndr.if_version != transfer_syntax_version) {
/* we only do NDR encoded dcerpc */
return NT_STATUS_RPC_PROTSEQ_NOT_SUPPORTED;
}
}
/* add this context to the list of available context_ids */
- context = talloc(call->conn, struct dcesrv_connection_context);
+ context = talloc_zero(call->conn, struct dcesrv_connection_context);
if (context == NULL) {
return NT_STATUS_NO_MEMORY;
}
context->conn = call->conn;
context->iface = iface;
context->context_id = context_id;
- if (call->pkt.u.alter.assoc_group_id != 0) {
- context->assoc_group = dcesrv_assoc_group_reference(context,
- call->conn->dce_ctx,
- call->pkt.u.alter.assoc_group_id);
- } else {
- context->assoc_group = dcesrv_assoc_group_new(context, call->conn->dce_ctx);
- }
- if (context->assoc_group == NULL) {
- talloc_free(context);
- call->context = NULL;
- return NT_STATUS_NO_MEMORY;
- }
+ /* legacy for openchange dcesrv_mapiproxy.c */
+ context->assoc_group = call->conn->assoc_group;
context->private_data = NULL;
DLIST_ADD(call->conn->contexts, context);
call->context = context;
talloc_set_destructor(context, dcesrv_connection_context_destructor);
+ dcesrv_prepare_context_auth(call);
+
status = iface->bind(call, iface, if_version);
if (!NT_STATUS_IS_OK(status)) {
/* we don't want to trigger the iface->unbind() hook */
return NT_STATUS_OK;
}
-
-/*
- handle a alter context request
-*/
-static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
+/* setup and send an alter_resp */
+static NTSTATUS dcesrv_alter_resp(struct dcesrv_call_state *call,
+ uint32_t result,
+ uint32_t reason)
{
struct ncacn_packet pkt;
- struct data_blob_list_item *rep;
+ uint32_t extra_flags = 0;
+ struct data_blob_list_item *rep = NULL;
NTSTATUS status;
- uint32_t result=0, reason=0;
- uint32_t context_id;
- /* handle any authentication that is being requested */
- if (!dcesrv_auth_alter(call)) {
- /* TODO: work out the right reject code */
- result = DCERPC_BIND_PROVIDER_REJECT;
- reason = DCERPC_BIND_REASON_ASYNTAX;
- }
-
- context_id = call->pkt.u.alter.ctx_list[0].context_id;
-
- /* see if they are asking for a new interface */
- if (result == 0) {
- call->context = dcesrv_find_context(call->conn, context_id);
- if (!call->context) {
- status = dcesrv_alter_new_context(call, context_id);
- if (!NT_STATUS_IS_OK(status)) {
- result = DCERPC_BIND_PROVIDER_REJECT;
- reason = DCERPC_BIND_REASON_ASYNTAX;
- }
- }
- }
-
- if (result == 0 &&
- call->pkt.u.alter.assoc_group_id != 0 &&
- lpcfg_parm_bool(call->conn->dce_ctx->lp_ctx, NULL, "dcesrv","assoc group checking", true) &&
- call->pkt.u.alter.assoc_group_id != call->context->assoc_group->id) {
- DEBUG(0,(__location__ ": Failed attempt to use new assoc_group in alter context (0x%08x 0x%08x)\n",
- call->context->assoc_group->id, call->pkt.u.alter.assoc_group_id));
- /* TODO: can they ask for a new association group? */
- result = DCERPC_BIND_PROVIDER_REJECT;
- reason = DCERPC_BIND_REASON_ASYNTAX;
- }
-
- /* setup a alter_resp */
dcesrv_init_hdr(&pkt, lpcfg_rpc_big_endian(call->conn->dce_ctx->lp_ctx));
pkt.auth_length = 0;
pkt.call_id = call->pkt.call_id;
pkt.ptype = DCERPC_PKT_ALTER_RESP;
- pkt.pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST;
- pkt.u.alter_resp.max_xmit_frag = 0x2000;
- pkt.u.alter_resp.max_recv_frag = 0x2000;
if (result == 0) {
- pkt.u.alter_resp.assoc_group_id = call->context->assoc_group->id;
- } else {
- pkt.u.alter_resp.assoc_group_id = 0;
+ if ((call->pkt.pfc_flags & DCERPC_PFC_FLAG_CONC_MPX) &&
+ call->context->conn->state_flags &
+ DCESRV_CALL_STATE_FLAG_MULTIPLEXED) {
+ extra_flags |= DCERPC_PFC_FLAG_CONC_MPX;
+ }
+ if (call->state_flags & DCESRV_CALL_STATE_FLAG_PROCESS_PENDING_CALL) {
+ call->context->conn->state_flags |=
+ DCESRV_CALL_STATE_FLAG_PROCESS_PENDING_CALL;
+ }
}
+ pkt.pfc_flags = DCERPC_PFC_FLAG_FIRST | DCERPC_PFC_FLAG_LAST | extra_flags;
+ pkt.u.alter_resp.max_xmit_frag = call->conn->max_xmit_frag;
+ pkt.u.alter_resp.max_recv_frag = call->conn->max_recv_frag;
+ pkt.u.alter_resp.assoc_group_id = call->conn->assoc_group->id;
pkt.u.alter_resp.num_results = 1;
- pkt.u.alter_resp.ctx_list = talloc_array(call, struct dcerpc_ack_ctx, 1);
+ pkt.u.alter_resp.ctx_list = talloc_zero(call, struct dcerpc_ack_ctx);
if (!pkt.u.alter_resp.ctx_list) {
return NT_STATUS_NO_MEMORY;
}
pkt.u.alter_resp.ctx_list[0].result = result;
- pkt.u.alter_resp.ctx_list[0].reason = reason;
- pkt.u.alter_resp.ctx_list[0].syntax = ndr_transfer_syntax;
+ pkt.u.alter_resp.ctx_list[0].reason.value = reason;
+ pkt.u.alter_resp.ctx_list[0].syntax = ndr_transfer_syntax_ndr;
pkt.u.alter_resp.auth_info = data_blob(NULL, 0);
pkt.u.alter_resp.secondary_address = "";
status = dcesrv_auth_alter_ack(call, &pkt);
if (!NT_STATUS_IS_OK(status)) {
- if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)
- || NT_STATUS_EQUAL(status, NT_STATUS_LOGON_FAILURE)
- || NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)
- || NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
- return dcesrv_fault(call, DCERPC_FAULT_ACCESS_DENIED);
- }
- return dcesrv_fault(call, 0);
+ return dcesrv_fault_disconnect(call, DCERPC_FAULT_SEC_PKG_ERROR);
}
- rep = talloc(call, struct data_blob_list_item);
+ rep = talloc_zero(call, struct data_blob_list_item);
if (!rep) {
return NT_STATUS_NO_MEMORY;
}
- status = ncacn_push_auth(&rep->blob, call, &pkt, call->conn->auth_state.auth_info);
+ status = ncacn_push_auth(&rep->blob, call, &pkt, call->out_auth_info);
if (!NT_STATUS_IS_OK(status)) {
return status;
}
dcerpc_set_frag_length(&rep->blob, rep->blob.length);
- DLIST_ADD_END(call->replies, rep, struct data_blob_list_item *);
+ DLIST_ADD_END(call->replies, rep);
dcesrv_call_set_list(call, DCESRV_LIST_CALL_LIST);
if (call->conn->call_list && call->conn->call_list->replies) {
return NT_STATUS_OK;
}
+/*
+ handle a alter context request
+*/
+static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
+{
+ NTSTATUS status;
+ const struct dcerpc_ctx_list *ctx = NULL;
+ bool auth_ok = false;
+
+ if (!call->conn->allow_alter) {
+ return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
+ }
+
+ status = dcerpc_verify_ncacn_packet_header(&call->pkt,
+ DCERPC_PKT_ALTER,
+ call->pkt.u.alter.auth_info.length,
+ 0, /* required flags */
+ DCERPC_PFC_FLAG_FIRST |
+ DCERPC_PFC_FLAG_LAST |
+ DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN |
+ 0x08 | /* this is not defined, but should be ignored */
+ DCERPC_PFC_FLAG_CONC_MPX |
+ DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
+ DCERPC_PFC_FLAG_MAYBE |
+ DCERPC_PFC_FLAG_OBJECT_UUID);
+ if (!NT_STATUS_IS_OK(status)) {
+ return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
+ }
+
+ auth_ok = dcesrv_auth_alter(call);
+ if (!auth_ok) {
+ if (call->in_auth_info.auth_type == DCERPC_AUTH_TYPE_NONE) {
+ return dcesrv_fault_disconnect(call,
+ DCERPC_FAULT_ACCESS_DENIED);
+ }
+ }
+
+ if (call->pkt.u.alter.num_contexts < 1) {
+ return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
+ }
+ ctx = &call->pkt.u.alter.ctx_list[0];
+ if (ctx->num_transfer_syntaxes < 1) {
+ return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
+ }
+
+ /* see if they are asking for a new interface */
+ call->context = dcesrv_find_context(call->conn, ctx->context_id);
+ if (!call->context) {
+ status = dcesrv_alter_new_context(call, ctx->context_id);
+ if (!NT_STATUS_IS_OK(status)) {
+ return dcesrv_alter_resp(call,
+ DCERPC_BIND_PROVIDER_REJECT,
+ DCERPC_BIND_REASON_ASYNTAX);
+ }
+ } else {
+ bool ok;
+
+ ok = ndr_syntax_id_equal(&ctx->abstract_syntax,
+ &call->context->iface->syntax_id);
+ if (!ok) {
+ return dcesrv_fault_disconnect(call,
+ DCERPC_NCA_S_PROTO_ERROR);
+ }
+
+ if (ctx->num_transfer_syntaxes != 1) {
+ return dcesrv_fault_disconnect(call,
+ DCERPC_NCA_S_PROTO_ERROR);
+ }
+
+ ok = ndr_syntax_id_equal(&ctx->transfer_syntaxes[0],
+ &ndr_transfer_syntax_ndr);
+ if (!ok) {
+ return dcesrv_fault_disconnect(call,
+ DCERPC_NCA_S_PROTO_ERROR);
+ }
+ }
+
+ /* handle any authentication that is being requested */
+ if (!auth_ok) {
+ if (call->in_auth_info.auth_type !=
+ call->conn->auth_state.auth_type)
+ {
+ return dcesrv_fault_disconnect(call,
+ DCERPC_FAULT_SEC_PKG_ERROR);
+ }
+ return dcesrv_fault_disconnect(call, DCERPC_FAULT_ACCESS_DENIED);
+ }
+
+ return dcesrv_alter_resp(call,
+ DCERPC_BIND_ACK_RESULT_ACCEPTANCE,
+ DCERPC_BIND_ACK_REASON_NOT_SPECIFIED);
+}
+
/*
possibly save the call for inspection with ndrdump
*/
#endif
}
+static NTSTATUS dcesrv_check_verification_trailer(struct dcesrv_call_state *call)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+ const uint32_t bitmask1 = call->conn->auth_state.client_hdr_signing ?
+ DCERPC_SEC_VT_CLIENT_SUPPORTS_HEADER_SIGNING : 0;
+ const struct dcerpc_sec_vt_pcontext pcontext = {
+ .abstract_syntax = call->context->iface->syntax_id,
+ .transfer_syntax = ndr_transfer_syntax_ndr,
+ };
+ const struct dcerpc_sec_vt_header2 header2 =
+ dcerpc_sec_vt_header2_from_ncacn_packet(&call->pkt);
+ enum ndr_err_code ndr_err;
+ struct dcerpc_sec_verification_trailer *vt = NULL;
+ NTSTATUS status = NT_STATUS_OK;
+ bool ok;
+
+ SMB_ASSERT(call->pkt.ptype == DCERPC_PKT_REQUEST);
+
+ ndr_err = ndr_pop_dcerpc_sec_verification_trailer(call->ndr_pull,
+ frame, &vt);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ status = ndr_map_error2ntstatus(ndr_err);
+ goto done;
+ }
+
+ ok = dcerpc_sec_verification_trailer_check(vt, &bitmask1,
+ &pcontext, &header2);
+ if (!ok) {
+ status = NT_STATUS_ACCESS_DENIED;
+ goto done;
+ }
+done:
+ TALLOC_FREE(frame);
+ return status;
+}
+
/*
handle a dcerpc request packet
*/
static NTSTATUS dcesrv_request(struct dcesrv_call_state *call)
{
+ const struct dcesrv_endpoint *endpoint = call->conn->endpoint;
+ enum dcerpc_transport_t transport =
+ dcerpc_binding_get_transport(endpoint->ep_description);
struct ndr_pull *pull;
NTSTATUS status;
struct dcesrv_connection_context *context;
+ if (!call->conn->allow_request) {
+ return dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
+ }
+
/* if authenticated, and the mech we use can't do async replies, don't use them... */
if (call->conn->auth_state.gensec_security &&
!gensec_have_feature(call->conn->auth_state.gensec_security, GENSEC_FEATURE_ASYNC_REPLIES)) {
return dcesrv_fault(call, DCERPC_FAULT_UNK_IF);
}
+ switch (call->conn->auth_state.auth_level) {
+ case DCERPC_AUTH_LEVEL_NONE:
+ case DCERPC_AUTH_LEVEL_INTEGRITY:
+ case DCERPC_AUTH_LEVEL_PRIVACY:
+ break;
+ default:
+ if (!context->allow_connect) {
+ char *addr;
+
+ addr = tsocket_address_string(call->conn->remote_address,
+ call);
+
+ DEBUG(2, ("%s: restrict auth_level_connect access "
+ "to [%s] with auth[type=0x%x,level=0x%x] "
+ "on [%s] from [%s]\n",
+ __func__, context->iface->name,
+ call->conn->auth_state.auth_type,
+ call->conn->auth_state.auth_level,
+ derpc_transport_string_by_transport(transport),
+ addr));
+ return dcesrv_fault(call, DCERPC_FAULT_ACCESS_DENIED);
+ }
+ break;
+ }
+
+ if (call->conn->auth_state.auth_level < context->min_auth_level) {
+ char *addr;
+
+ addr = tsocket_address_string(call->conn->remote_address, call);
+
+ DEBUG(2, ("%s: restrict access by min_auth_level[0x%x] "
+ "to [%s] with auth[type=0x%x,level=0x%x] "
+ "on [%s] from [%s]\n",
+ __func__,
+ context->min_auth_level,
+ context->iface->name,
+ call->conn->auth_state.auth_type,
+ call->conn->auth_state.auth_level,
+ derpc_transport_string_by_transport(transport),
+ addr));
+ return dcesrv_fault(call, DCERPC_FAULT_ACCESS_DENIED);
+ }
+
pull = ndr_pull_init_blob(&call->pkt.u.request.stub_and_verifier, call);
NT_STATUS_HAVE_NO_MEMORY(pull);
pull->flags |= LIBNDR_FLAG_BIGENDIAN;
}
+ status = dcesrv_check_verification_trailer(call);
+ if (!NT_STATUS_IS_OK(status)) {
+ uint32_t faultcode = DCERPC_FAULT_OTHER;
+ if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+ faultcode = DCERPC_FAULT_ACCESS_DENIED;
+ }
+ DEBUG(10, ("dcesrv_check_verification_trailer failed: %s\n",
+ nt_errstr(status)));
+ return dcesrv_fault(call, faultcode);
+ }
+
/* unravel the NDR for the packet */
status = context->iface->ndr_pull(call, call, pull, &call->r);
if (!NT_STATUS_IS_OK(status)) {
/*
process some input to a dcerpc endpoint server.
*/
-NTSTATUS dcesrv_process_ncacn_packet(struct dcesrv_connection *dce_conn,
- struct ncacn_packet *pkt,
- DATA_BLOB blob)
+static NTSTATUS dcesrv_process_ncacn_packet(struct dcesrv_connection *dce_conn,
+ struct ncacn_packet *pkt,
+ DATA_BLOB blob)
{
NTSTATUS status;
struct dcesrv_call_state *call;
+ struct dcesrv_call_state *existing = NULL;
call = talloc_zero(dce_conn, struct dcesrv_call_state);
if (!call) {
talloc_set_destructor(call, dcesrv_call_dequeue);
- /* we have to check the signing here, before combining the
- pdus */
- if (call->pkt.ptype == DCERPC_PKT_REQUEST &&
- !dcesrv_auth_request(call, &blob)) {
- return dcesrv_fault(call, DCERPC_FAULT_ACCESS_DENIED);
+ if (call->conn->allow_bind) {
+ /*
+ * Only one bind is possible per connection
+ */
+ call->conn->allow_bind = false;
+ return dcesrv_bind(call);
}
- /* see if this is a continued packet */
- if (call->pkt.ptype == DCERPC_PKT_REQUEST &&
- !(call->pkt.pfc_flags & DCERPC_PFC_FLAG_FIRST)) {
- struct dcesrv_call_state *call2 = call;
- uint32_t alloc_size;
+ /* we have to check the signing here, before combining the
+ pdus */
+ if (call->pkt.ptype == DCERPC_PKT_REQUEST) {
+ if (!call->conn->allow_request) {
+ return dcesrv_fault_disconnect(call,
+ DCERPC_NCA_S_PROTO_ERROR);
+ }
- /* we only allow fragmented requests, no other packet types */
- if (call->pkt.ptype != DCERPC_PKT_REQUEST) {
- return dcesrv_fault(call2, DCERPC_FAULT_OTHER);
+ status = dcerpc_verify_ncacn_packet_header(&call->pkt,
+ DCERPC_PKT_REQUEST,
+ call->pkt.u.request.stub_and_verifier.length,
+ 0, /* required_flags */
+ DCERPC_PFC_FLAG_FIRST |
+ DCERPC_PFC_FLAG_LAST |
+ DCERPC_PFC_FLAG_PENDING_CANCEL |
+ 0x08 | /* this is not defined, but should be ignored */
+ DCERPC_PFC_FLAG_CONC_MPX |
+ DCERPC_PFC_FLAG_DID_NOT_EXECUTE |
+ DCERPC_PFC_FLAG_MAYBE |
+ DCERPC_PFC_FLAG_OBJECT_UUID);
+ if (!NT_STATUS_IS_OK(status)) {
+ return dcesrv_fault_disconnect(call,
+ DCERPC_NCA_S_PROTO_ERROR);
}
- /* this is a continuation of an existing call - find the call then
- tack it on the end */
- call = dcesrv_find_fragmented_call(dce_conn, call2->pkt.call_id);
- if (!call) {
- return dcesrv_fault(call2, DCERPC_FAULT_OTHER);
+ if (call->pkt.frag_length > DCERPC_FRAG_MAX_SIZE) {
+ /*
+ * We don't use dcesrv_fault_disconnect()
+ * here, because we don't want to set
+ * DCERPC_PFC_FLAG_DID_NOT_EXECUTE
+ *
+ * Note that we don't check against the negotiated
+ * max_recv_frag, but a hard coded value.
+ */
+ dcesrv_call_disconnect_after(call,
+ "dcesrv_auth_request - frag_length too large");
+ return dcesrv_fault(call,
+ DCERPC_NCA_S_PROTO_ERROR);
}
- if (call->pkt.ptype != call2->pkt.ptype) {
- /* trying to play silly buggers are we? */
- return dcesrv_fault(call2, DCERPC_FAULT_OTHER);
+ if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_FIRST) {
+ /* only one request is possible in the fragmented list */
+ if (dce_conn->incoming_fragmented_call_list != NULL) {
+ TALLOC_FREE(call);
+ call = dce_conn->incoming_fragmented_call_list;
+ dcesrv_call_disconnect_after(call,
+ "dcesrv_auth_request - "
+ "existing fragmented call");
+ return dcesrv_fault(call,
+ DCERPC_NCA_S_PROTO_ERROR);
+ }
+ if (call->pkt.pfc_flags & DCERPC_PFC_FLAG_PENDING_CANCEL) {
+ return dcesrv_fault_disconnect(call,
+ DCERPC_FAULT_NO_CALL_ACTIVE);
+ }
+ } else {
+ const struct dcerpc_request *nr = &call->pkt.u.request;
+ const struct dcerpc_request *er = NULL;
+ int cmp;
+
+ existing = dcesrv_find_fragmented_call(dce_conn,
+ call->pkt.call_id);
+ if (existing == NULL) {
+ dcesrv_call_disconnect_after(call,
+ "dcesrv_auth_request - "
+ "no existing fragmented call");
+ return dcesrv_fault(call,
+ DCERPC_NCA_S_PROTO_ERROR);
+ }
+ er = &existing->pkt.u.request;
+
+ if (call->pkt.ptype != existing->pkt.ptype) {
+ /* trying to play silly buggers are we? */
+ return dcesrv_fault_disconnect(existing,
+ DCERPC_NCA_S_PROTO_ERROR);
+ }
+ cmp = memcmp(call->pkt.drep, existing->pkt.drep,
+ sizeof(pkt->drep));
+ if (cmp != 0) {
+ return dcesrv_fault_disconnect(existing,
+ DCERPC_NCA_S_PROTO_ERROR);
+ }
+ if (nr->context_id != er->context_id) {
+ return dcesrv_fault_disconnect(existing,
+ DCERPC_NCA_S_PROTO_ERROR);
+ }
+ if (nr->opnum != er->opnum) {
+ return dcesrv_fault_disconnect(existing,
+ DCERPC_NCA_S_PROTO_ERROR);
+ }
}
- alloc_size = call->pkt.u.request.stub_and_verifier.length +
- call2->pkt.u.request.stub_and_verifier.length;
- if (call->pkt.u.request.alloc_hint > alloc_size) {
- alloc_size = call->pkt.u.request.alloc_hint;
+ if (!dcesrv_auth_request(call, &blob)) {
+ /*
+ * We don't use dcesrv_fault_disconnect()
+ * here, because we don't want to set
+ * DCERPC_PFC_FLAG_DID_NOT_EXECUTE
+ */
+ dcesrv_call_disconnect_after(call,
+ "dcesrv_auth_request - failed");
+ return dcesrv_fault(call, DCERPC_FAULT_ACCESS_DENIED);
}
+ }
- call->pkt.u.request.stub_and_verifier.data =
- talloc_realloc(call,
- call->pkt.u.request.stub_and_verifier.data,
+ /* see if this is a continued packet */
+ if (existing != NULL) {
+ struct dcerpc_request *er = &existing->pkt.u.request;
+ const struct dcerpc_request *nr = &call->pkt.u.request;
+ size_t available;
+ size_t alloc_size;
+ size_t alloc_hint;
+
+ /*
+ * Up to 4 MByte are allowed by all fragments
+ */
+ available = dce_conn->max_total_request_size;
+ if (er->stub_and_verifier.length > available) {
+ dcesrv_call_disconnect_after(existing,
+ "dcesrv_auth_request - existing payload too large");
+ return dcesrv_fault(existing, DCERPC_FAULT_ACCESS_DENIED);
+ }
+ available -= er->stub_and_verifier.length;
+ if (nr->alloc_hint > available) {
+ dcesrv_call_disconnect_after(existing,
+ "dcesrv_auth_request - alloc hint too large");
+ return dcesrv_fault(existing, DCERPC_FAULT_ACCESS_DENIED);
+ }
+ if (nr->stub_and_verifier.length > available) {
+ dcesrv_call_disconnect_after(existing,
+ "dcesrv_auth_request - new payload too large");
+ return dcesrv_fault(existing, DCERPC_FAULT_ACCESS_DENIED);
+ }
+ alloc_hint = er->stub_and_verifier.length + nr->alloc_hint;
+ /* allocate at least 1 byte */
+ alloc_hint = MAX(alloc_hint, 1);
+ alloc_size = er->stub_and_verifier.length +
+ nr->stub_and_verifier.length;
+ alloc_size = MAX(alloc_size, alloc_hint);
+
+ er->stub_and_verifier.data =
+ talloc_realloc(existing,
+ er->stub_and_verifier.data,
uint8_t, alloc_size);
- if (!call->pkt.u.request.stub_and_verifier.data) {
- return dcesrv_fault(call2, DCERPC_FAULT_OTHER);
+ if (er->stub_and_verifier.data == NULL) {
+ TALLOC_FREE(call);
+ return dcesrv_fault_with_flags(existing,
+ DCERPC_FAULT_OUT_OF_RESOURCES,
+ DCERPC_PFC_FLAG_DID_NOT_EXECUTE);
}
- memcpy(call->pkt.u.request.stub_and_verifier.data +
- call->pkt.u.request.stub_and_verifier.length,
- call2->pkt.u.request.stub_and_verifier.data,
- call2->pkt.u.request.stub_and_verifier.length);
- call->pkt.u.request.stub_and_verifier.length +=
- call2->pkt.u.request.stub_and_verifier.length;
+ memcpy(er->stub_and_verifier.data +
+ er->stub_and_verifier.length,
+ nr->stub_and_verifier.data,
+ nr->stub_and_verifier.length);
+ er->stub_and_verifier.length += nr->stub_and_verifier.length;
- call->pkt.pfc_flags |= (call2->pkt.pfc_flags & DCERPC_PFC_FLAG_LAST);
+ existing->pkt.pfc_flags |= (call->pkt.pfc_flags & DCERPC_PFC_FLAG_LAST);
- talloc_free(call2);
+ TALLOC_FREE(call);
+ call = existing;
}
/* this may not be the last pdu in the chain - if its isn't then
just put it on the incoming_fragmented_call_list and wait for the rest */
if (call->pkt.ptype == DCERPC_PKT_REQUEST &&
!(call->pkt.pfc_flags & DCERPC_PFC_FLAG_LAST)) {
+ /*
+ * Up to 4 MByte are allowed by all fragments
+ */
+ if (call->pkt.u.request.alloc_hint > dce_conn->max_total_request_size) {
+ dcesrv_call_disconnect_after(call,
+ "dcesrv_auth_request - initial alloc hint too large");
+ return dcesrv_fault(call, DCERPC_FAULT_ACCESS_DENIED);
+ }
dcesrv_call_set_list(call, DCESRV_LIST_FRAGMENTED_CALL_LIST);
return NT_STATUS_OK;
}
switch (call->pkt.ptype) {
case DCERPC_PKT_BIND:
- status = dcesrv_bind(call);
+ status = dcesrv_bind_nak(call,
+ DCERPC_BIND_NAK_REASON_NOT_SPECIFIED);
break;
case DCERPC_PKT_AUTH3:
status = dcesrv_auth3(call);
status = dcesrv_request(call);
break;
default:
- status = NT_STATUS_INVALID_PARAMETER;
+ status = dcesrv_fault_disconnect(call, DCERPC_NCA_S_PROTO_ERROR);
break;
}
return NT_STATUS_INTERNAL_ERROR;
}
- dce_ctx = talloc(mem_ctx, struct dcesrv_context);
+ dce_ctx = talloc_zero(mem_ctx, struct dcesrv_context);
NT_STATUS_HAVE_NO_MEMORY(dce_ctx);
+
+ if (uid_wrapper_enabled()) {
+ setenv("UID_WRAPPER_MYUID", "1", 1);
+ }
+ dce_ctx->initial_euid = geteuid();
+ if (uid_wrapper_enabled()) {
+ unsetenv("UID_WRAPPER_MYUID");
+ }
+
dce_ctx->endpoint_list = NULL;
dce_ctx->lp_ctx = lp_ctx;
dce_ctx->assoc_groups_idr = idr_init(dce_ctx);
NT_STATUS_HAVE_NO_MEMORY(dce_ctx->assoc_groups_idr);
+ dce_ctx->broken_connections = NULL;
for (i=0;endpoint_servers[i];i++) {
const struct dcesrv_endpoint_server *ep_server;
}
initialized = true;
- shared_init = load_samba_modules(NULL, lp_ctx, "dcerpc_server");
+ shared_init = load_samba_modules(NULL, "dcerpc_server");
run_init_functions(static_init);
run_init_functions(shared_init);
static void dcesrv_terminate_connection(struct dcesrv_connection *dce_conn, const char *reason)
{
+ struct dcesrv_context *dce_ctx = dce_conn->dce_ctx;
struct stream_connection *srv_conn;
srv_conn = talloc_get_type(dce_conn->transport.private_data,
struct stream_connection);
- stream_terminate_connection(srv_conn, reason);
+ dce_conn->allow_bind = false;
+ dce_conn->allow_auth3 = false;
+ dce_conn->allow_alter = false;
+ dce_conn->allow_request = false;
+
+ if (dce_conn->pending_call_list == NULL) {
+ char *full_reason = talloc_asprintf(dce_conn, "dcesrv: %s", reason);
+
+ DLIST_REMOVE(dce_ctx->broken_connections, dce_conn);
+ stream_terminate_connection(srv_conn, full_reason ? full_reason : reason);
+ return;
+ }
+
+ if (dce_conn->terminate != NULL) {
+ return;
+ }
+
+ DEBUG(3,("dcesrv: terminating connection due to '%s' defered due to pending calls\n",
+ reason));
+ dce_conn->terminate = talloc_strdup(dce_conn, reason);
+ if (dce_conn->terminate == NULL) {
+ dce_conn->terminate = "dcesrv: defered terminating connection - no memory";
+ }
+ DLIST_ADD_END(dce_ctx->broken_connections, dce_conn);
+}
+
+static void dcesrv_cleanup_broken_connections(struct dcesrv_context *dce_ctx)
+{
+ struct dcesrv_connection *cur, *next;
+
+ next = dce_ctx->broken_connections;
+ while (next != NULL) {
+ cur = next;
+ next = cur->next;
+
+ if (cur->state_flags & DCESRV_CALL_STATE_FLAG_PROCESS_PENDING_CALL) {
+ struct dcesrv_connection_context *context_cur, *context_next;
+
+ context_next = cur->contexts;
+ while (context_next != NULL) {
+ context_cur = context_next;
+ context_next = context_cur->next;
+
+ dcesrv_connection_context_destructor(context_cur);
+ }
+ }
+
+ dcesrv_terminate_connection(cur, cur->terminate);
+ }
}
+
/* We need this include to be able to compile on some plateforms
* (ie. freebsd 7.2) as it seems that <sys/uio.h> is not included
* correctly.
};
static void dcesrv_sock_reply_done(struct tevent_req *subreq);
+static void dcesrv_call_terminate_step1(struct tevent_req *subreq);
static void dcesrv_sock_report_output_data(struct dcesrv_connection *dce_conn)
{
struct dcesrv_sock_reply_state *substate;
struct tevent_req *subreq;
- substate = talloc(call, struct dcesrv_sock_reply_state);
+ substate = talloc_zero(call, struct dcesrv_sock_reply_state);
if (!substate) {
dcesrv_terminate_connection(dce_conn, "no memory");
return;
DLIST_REMOVE(call->replies, rep);
- if (call->replies == NULL) {
+ if (call->replies == NULL && call->terminate_reason == NULL) {
substate->call = call;
}
substate);
}
+ if (call->terminate_reason != NULL) {
+ struct tevent_req *subreq;
+
+ subreq = tevent_queue_wait_send(call,
+ dce_conn->event_ctx,
+ dce_conn->send_queue);
+ if (!subreq) {
+ dcesrv_terminate_connection(dce_conn, __location__);
+ return;
+ }
+ tevent_req_set_callback(subreq, dcesrv_call_terminate_step1,
+ call);
+ }
+
DLIST_REMOVE(call->conn->call_list, call);
call->list = DCESRV_LIST_NONE;
}
ret = tstream_writev_queue_recv(subreq, &sys_errno);
TALLOC_FREE(subreq);
if (ret == -1) {
- status = map_nt_error_from_unix(sys_errno);
+ status = map_nt_error_from_unix_common(sys_errno);
dcesrv_terminate_connection(substate->dce_conn, nt_errstr(status));
return;
}
}
}
+static void dcesrv_call_terminate_step2(struct tevent_req *subreq);
+static void dcesrv_call_terminate_step1(struct tevent_req *subreq)
+{
+ struct dcesrv_call_state *call = tevent_req_callback_data(subreq,
+ struct dcesrv_call_state);
+ bool ok;
+ struct timeval tv;
+ /* make sure we stop send queue before removing subreq */
+ tevent_queue_stop(call->conn->send_queue);
+
+ ok = tevent_queue_wait_recv(subreq);
+ TALLOC_FREE(subreq);
+ if (!ok) {
+ dcesrv_terminate_connection(call->conn, __location__);
+ return;
+ }
+
+ /* disconnect after 200 usecs */
+ tv = timeval_current_ofs_usec(200);
+ subreq = tevent_wakeup_send(call, call->conn->event_ctx, tv);
+ if (subreq == NULL) {
+ dcesrv_terminate_connection(call->conn, __location__);
+ return;
+ }
+ tevent_req_set_callback(subreq, dcesrv_call_terminate_step2,
+ call);
+}
+
+static void dcesrv_call_terminate_step2(struct tevent_req *subreq)
+{
+ struct dcesrv_call_state *call = tevent_req_callback_data(subreq,
+ struct dcesrv_call_state);
+ bool ok;
+
+ ok = tevent_wakeup_recv(subreq);
+ TALLOC_FREE(subreq);
+ if (!ok) {
+ dcesrv_terminate_connection(call->conn, __location__);
+ return;
+ }
+
+ dcesrv_terminate_connection(call->conn, call->terminate_reason);
+}
struct dcesrv_socket_context {
const struct dcesrv_endpoint *endpoint;
NTSTATUS status;
struct dcesrv_socket_context *dcesrv_sock =
talloc_get_type(srv_conn->private_data, struct dcesrv_socket_context);
+ enum dcerpc_transport_t transport =
+ dcerpc_binding_get_transport(dcesrv_sock->endpoint->ep_description);
struct dcesrv_connection *dcesrv_conn = NULL;
int ret;
struct tevent_req *subreq;
struct loadparm_context *lp_ctx = dcesrv_sock->dcesrv_ctx->lp_ctx;
+ dcesrv_cleanup_broken_connections(dcesrv_sock->dcesrv_ctx);
+
if (!srv_conn->session_info) {
status = auth_anonymous_session_info(srv_conn,
lp_ctx,
return;
}
- if (dcesrv_sock->endpoint->ep_description->transport == NCACN_NP) {
+ if (transport == NCACN_NP) {
dcesrv_conn->auth_state.session_key = dcesrv_inherited_session_key;
dcesrv_conn->stream = talloc_move(dcesrv_conn,
&srv_conn->tstream);
socket_get_fd(srv_conn->socket),
&dcesrv_conn->stream);
if (ret == -1) {
- status = map_nt_error_from_unix(errno);
+ status = map_nt_error_from_unix_common(errno);
DEBUG(0, ("dcesrv_sock_accept: "
"failed to setup tstream: %s\n",
nt_errstr(status)));
dcesrv_conn->local_address = srv_conn->local_address;
dcesrv_conn->remote_address = srv_conn->remote_address;
+ if (transport == NCALRPC) {
+ uid_t uid;
+ gid_t gid;
+ int sock_fd;
+
+ sock_fd = socket_get_fd(srv_conn->socket);
+ if (sock_fd == -1) {
+ stream_terminate_connection(
+ srv_conn, "socket_get_fd failed\n");
+ return;
+ }
+
+ ret = getpeereid(sock_fd, &uid, &gid);
+ if (ret == -1) {
+ status = map_nt_error_from_unix_common(errno);
+ DEBUG(0, ("dcesrv_sock_accept: "
+ "getpeereid() failed for NCALRPC: %s\n",
+ nt_errstr(status)));
+ stream_terminate_connection(srv_conn, nt_errstr(status));
+ return;
+ }
+ if (uid == dcesrv_conn->dce_ctx->initial_euid) {
+ struct tsocket_address *r = NULL;
+
+ ret = tsocket_address_unix_from_path(dcesrv_conn,
+ "/root/ncalrpc_as_system",
+ &r);
+ if (ret == -1) {
+ status = map_nt_error_from_unix_common(errno);
+ DEBUG(0, ("dcesrv_sock_accept: "
+ "tsocket_address_unix_from_path() failed for NCALRPC: %s\n",
+ nt_errstr(status)));
+ stream_terminate_connection(srv_conn, nt_errstr(status));
+ return;
+ }
+ dcesrv_conn->remote_address = r;
+ }
+ }
+
srv_conn->private_data = dcesrv_conn;
irpc_add_name(srv_conn->msg_ctx, "rpc_server");
{
struct dcesrv_connection *dce_conn = tevent_req_callback_data(subreq,
struct dcesrv_connection);
+ struct dcesrv_context *dce_ctx = dce_conn->dce_ctx;
struct ncacn_packet *pkt;
DATA_BLOB buffer;
NTSTATUS status;
+ if (dce_conn->terminate) {
+ /*
+ * if the current connection is broken
+ * we need to clean it up before any other connection
+ */
+ dcesrv_terminate_connection(dce_conn, dce_conn->terminate);
+ dcesrv_cleanup_broken_connections(dce_ctx);
+ return;
+ }
+
+ dcesrv_cleanup_broken_connections(dce_ctx);
+
status = dcerpc_read_ncacn_packet_recv(subreq, dce_conn,
&pkt, &buffer);
TALLOC_FREE(subreq);
struct dcesrv_socket_context *dcesrv_sock;
uint16_t port = 1;
NTSTATUS status;
+ const char *endpoint;
- dcesrv_sock = talloc(event_ctx, struct dcesrv_socket_context);
+ dcesrv_sock = talloc_zero(event_ctx, struct dcesrv_socket_context);
NT_STATUS_HAVE_NO_MEMORY(dcesrv_sock);
/* remember the endpoint of this socket */
dcesrv_sock->endpoint = e;
dcesrv_sock->dcesrv_ctx = talloc_reference(dcesrv_sock, dce_ctx);
- status = stream_setup_socket(event_ctx, lp_ctx,
+ endpoint = dcerpc_binding_get_string_option(e->ep_description, "endpoint");
+
+ status = stream_setup_socket(dcesrv_sock, event_ctx, lp_ctx,
model_ops, &dcesrv_stream_ops,
- "unix", e->ep_description->endpoint, &port,
+ "unix", endpoint, &port,
lpcfg_socket_options(lp_ctx),
dcesrv_sock);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("service_setup_stream_socket(path=%s) failed - %s\n",
- e->ep_description->endpoint, nt_errstr(status)));
+ endpoint, nt_errstr(status)));
}
return status;
uint16_t port = 1;
char *full_path;
NTSTATUS status;
+ const char *endpoint;
+
+ endpoint = dcerpc_binding_get_string_option(e->ep_description, "endpoint");
- if (!e->ep_description->endpoint) {
- /* No identifier specified: use DEFAULT.
- * DO NOT hardcode this value anywhere else. Rather, specify
- * no endpoint and let the epmapper worry about it. */
- e->ep_description->endpoint = talloc_strdup(dce_ctx, "DEFAULT");
+ if (endpoint == NULL) {
+ /*
+ * No identifier specified: use DEFAULT.
+ *
+ * TODO: DO NOT hardcode this value anywhere else. Rather, specify
+ * no endpoint and let the epmapper worry about it.
+ */
+ endpoint = "DEFAULT";
+ status = dcerpc_binding_set_string_option(e->ep_description,
+ "endpoint",
+ endpoint);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("dcerpc_binding_set_string_option() failed - %s\n",
+ nt_errstr(status)));
+ return status;
+ }
}
full_path = talloc_asprintf(dce_ctx, "%s/%s", lpcfg_ncalrpc_dir(lp_ctx),
- e->ep_description->endpoint);
+ endpoint);
- dcesrv_sock = talloc(event_ctx, struct dcesrv_socket_context);
+ dcesrv_sock = talloc_zero(event_ctx, struct dcesrv_socket_context);
NT_STATUS_HAVE_NO_MEMORY(dcesrv_sock);
/* remember the endpoint of this socket */
dcesrv_sock->endpoint = e;
dcesrv_sock->dcesrv_ctx = talloc_reference(dcesrv_sock, dce_ctx);
- status = stream_setup_socket(event_ctx, lp_ctx,
+ status = stream_setup_socket(dcesrv_sock, event_ctx, lp_ctx,
model_ops, &dcesrv_stream_ops,
"unix", full_path, &port,
lpcfg_socket_options(lp_ctx),
dcesrv_sock);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("service_setup_stream_socket(identifier=%s,path=%s) failed - %s\n",
- e->ep_description->endpoint, full_path, nt_errstr(status)));
+ endpoint, full_path, nt_errstr(status)));
}
return status;
}
{
struct dcesrv_socket_context *dcesrv_sock;
NTSTATUS status;
-
- if (e->ep_description->endpoint == NULL) {
+ const char *endpoint;
+
+ endpoint = dcerpc_binding_get_string_option(e->ep_description, "endpoint");
+ if (endpoint == NULL) {
DEBUG(0, ("Endpoint mandatory for named pipes\n"));
return NT_STATUS_INVALID_PARAMETER;
}
- dcesrv_sock = talloc(event_ctx, struct dcesrv_socket_context);
+ dcesrv_sock = talloc_zero(event_ctx, struct dcesrv_socket_context);
NT_STATUS_HAVE_NO_MEMORY(dcesrv_sock);
/* remember the endpoint of this socket */
dcesrv_sock->endpoint = e;
dcesrv_sock->dcesrv_ctx = talloc_reference(dcesrv_sock, dce_ctx);
- status = tstream_setup_named_pipe(event_ctx, lp_ctx,
+ status = tstream_setup_named_pipe(dce_ctx, event_ctx, lp_ctx,
model_ops, &dcesrv_stream_ops,
- e->ep_description->endpoint,
+ endpoint,
dcesrv_sock);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("stream_setup_named_pipe(pipe=%s) failed - %s\n",
- e->ep_description->endpoint, nt_errstr(status)));
+ endpoint, nt_errstr(status)));
return status;
}
struct dcesrv_socket_context *dcesrv_sock;
uint16_t port = 0;
NTSTATUS status;
-
- if (e->ep_description->endpoint) {
- port = atoi(e->ep_description->endpoint);
+ const char *endpoint;
+ char port_str[6];
+
+ endpoint = dcerpc_binding_get_string_option(e->ep_description, "endpoint");
+ if (endpoint != NULL) {
+ port = atoi(endpoint);
}
- dcesrv_sock = talloc(event_ctx, struct dcesrv_socket_context);
+ dcesrv_sock = talloc_zero(event_ctx, struct dcesrv_socket_context);
NT_STATUS_HAVE_NO_MEMORY(dcesrv_sock);
/* remember the endpoint of this socket */
dcesrv_sock->endpoint = e;
dcesrv_sock->dcesrv_ctx = talloc_reference(dcesrv_sock, dce_ctx);
- status = stream_setup_socket(event_ctx, dce_ctx->lp_ctx,
+ status = stream_setup_socket(dcesrv_sock, event_ctx, dce_ctx->lp_ctx,
model_ops, &dcesrv_stream_ops,
- "ipv4", address, &port,
+ "ip", address, &port,
lpcfg_socket_options(dce_ctx->lp_ctx),
dcesrv_sock);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("service_setup_stream_socket(address=%s,port=%u) failed - %s\n",
address, port, nt_errstr(status)));
+ return status;
}
- if (e->ep_description->endpoint == NULL) {
- e->ep_description->endpoint = talloc_asprintf(dce_ctx, "%d", port);
+ snprintf(port_str, sizeof(port_str), "%u", port);
+
+ status = dcerpc_binding_set_string_option(e->ep_description,
+ "endpoint", port_str);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("dcerpc_binding_set_string_option(endpoint, %s) failed - %s\n",
+ port_str, nt_errstr(status)));
+ return status;
}
- return status;
+ return NT_STATUS_OK;
}
#include "lib/socket/netif.h" /* Included here to work around the fact that socket_wrapper redefines bind() */
int i;
struct interface *ifaces;
- load_interfaces(dce_ctx, lpcfg_interfaces(lp_ctx), &ifaces);
+ load_interface_list(dce_ctx, lp_ctx, &ifaces);
- num_interfaces = iface_count(ifaces);
+ num_interfaces = iface_list_count(ifaces);
for(i = 0; i < num_interfaces; i++) {
- const char *address = iface_n_ip(ifaces, i);
+ const char *address = iface_list_n_ip(ifaces, i);
status = add_socket_rpc_tcp_iface(dce_ctx, e, event_ctx, model_ops, address);
NT_STATUS_NOT_OK_RETURN(status);
}
} else {
- status = add_socket_rpc_tcp_iface(dce_ctx, e, event_ctx, model_ops,
- lpcfg_socket_address(lp_ctx));
- NT_STATUS_NOT_OK_RETURN(status);
+ char **wcard;
+ int i;
+ int num_binds = 0;
+ wcard = iface_list_wildcard(dce_ctx);
+ NT_STATUS_HAVE_NO_MEMORY(wcard);
+ for (i=0; wcard[i]; i++) {
+ status = add_socket_rpc_tcp_iface(dce_ctx, e, event_ctx, model_ops, wcard[i]);
+ if (NT_STATUS_IS_OK(status)) {
+ num_binds++;
+ }
+ }
+ talloc_free(wcard);
+ if (num_binds == 0) {
+ return NT_STATUS_INVALID_PARAMETER_MIX;
+ }
}
return NT_STATUS_OK;
struct tevent_context *event_ctx,
const struct model_ops *model_ops)
{
- switch (e->ep_description->transport) {
+ enum dcerpc_transport_t transport =
+ dcerpc_binding_get_transport(e->ep_description);
+
+ switch (transport) {
case NCACN_UNIX_STREAM:
return dcesrv_add_ep_unix(dce_ctx, lp_ctx, e, event_ctx, model_ops);
return NT_STATUS_NOT_SUPPORTED;
}
}
+
+
+/**
+ * retrieve credentials from a dce_call
+ */
+_PUBLIC_ struct cli_credentials *dcesrv_call_credentials(struct dcesrv_call_state *dce_call)
+{
+ return dce_call->conn->auth_state.session_info->credentials;
+}
+
+/**
+ * returns true if this is an authenticated call
+ */
+_PUBLIC_ bool dcesrv_call_authenticated(struct dcesrv_call_state *dce_call)
+{
+ enum security_user_level level;
+ level = security_session_user_level(dce_call->conn->auth_state.session_info, NULL);
+ return level >= SECURITY_USER;
+}
+
+/**
+ * retrieve account_name for a dce_call
+ */
+_PUBLIC_ const char *dcesrv_call_account_name(struct dcesrv_call_state *dce_call)
+{
+ return dce_call->context->conn->auth_state.session_info->info->account_name;
+}
git.samba.org / samba.git / blobdiff