s4:rpc_server/drsuapi: make use dcesrv_call_session_info()
authorStefan Metzmacher <metze@samba.org>
Sat, 3 Nov 2018 00:19:51 +0000 (01:19 +0100)
committerJeremy Allison <jra@samba.org>
Sat, 12 Jan 2019 02:13:32 +0000 (03:13 +0100)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=7113
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11892

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
source4/rpc_server/drsuapi/dcesrv_drsuapi.c
source4/rpc_server/drsuapi/drsutil.c
source4/rpc_server/drsuapi/getncchanges.c
source4/rpc_server/drsuapi/updaterefs.c
source4/rpc_server/drsuapi/writespn.c

index eac96a3..9796da4 100644 (file)
@@ -90,7 +90,7 @@ static WERROR dcesrv_drsuapi_DsBind(struct dcesrv_call_state *dce_call, TALLOC_C
                auth_info = system_session(dce_call->conn->dce_ctx->lp_ctx);
                connected_as_system = true;
        } else {
-               auth_info = dce_call->conn->auth_state.session_info;
+               auth_info = dcesrv_call_session_info(dce_call);
        }
 
        /*
@@ -1011,15 +1011,17 @@ static WERROR dcesrv_drsuapi_DsExecuteKCC(struct dcesrv_call_state *dce_call, TA
 static WERROR dcesrv_drsuapi_DsReplicaGetInfo(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
                       struct drsuapi_DsReplicaGetInfo *r)
 {
+       struct auth_session_info *session_info =
+               dcesrv_call_session_info(dce_call);
        enum security_user_level level;
 
        if (!lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL,
                         "drs", "disable_sec_check", false)) {
-               level = security_session_user_level(dce_call->conn->auth_state.session_info, NULL);
+               level = security_session_user_level(session_info, NULL);
                if (level < SECURITY_DOMAIN_CONTROLLER) {
                        DEBUG(1,(__location__ ": Administrator access required for DsReplicaGetInfo\n"));
                        security_token_debug(DBGC_DRS_REPL, 2,
-                                            dce_call->conn->auth_state.session_info->security_token);
+                                            session_info->security_token);
                        return WERR_DS_DRA_ACCESS_DENIED;
                }
        }
index 6fe254a..7897c35 100644 (file)
@@ -95,6 +95,8 @@ WERROR drs_security_level_check(struct dcesrv_call_state *dce_call,
                                enum security_user_level minimum_level,
                                const struct dom_sid *domain_sid)
 {
+       struct auth_session_info *session_info =
+               dcesrv_call_session_info(dce_call);
        enum security_user_level level;
 
        if (lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, NULL,
@@ -102,12 +104,12 @@ WERROR drs_security_level_check(struct dcesrv_call_state *dce_call,
                return WERR_OK;
        }
 
-       level = security_session_user_level(dce_call->conn->auth_state.session_info, domain_sid);
+       level = security_session_user_level(session_info, domain_sid);
        if (level < minimum_level) {
                if (call) {
                        DEBUG(0,("%s refused for security token (level=%u)\n",
                                 call, (unsigned)level));
-                       security_token_debug(DBGC_DRS_REPL, 2, dce_call->conn->auth_state.session_info->security_token);
+                       security_token_debug(DBGC_DRS_REPL, 2, session_info->security_token);
                }
                return WERR_DS_DRA_ACCESS_DENIED;
        }
index b48e9c7..f3f819a 100644 (file)
@@ -2698,6 +2698,8 @@ static struct getncchanges_repl_chunk * getncchanges_chunk_new(TALLOC_CTX *mem_c
 WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
                                     struct drsuapi_DsGetNCChanges *r)
 {
+       struct auth_session_info *session_info =
+               dcesrv_call_session_info(dce_call);
        struct drsuapi_DsReplicaObjectIdentifier *ncRoot;
        int ret;
        uint32_t i, k;
@@ -2799,12 +2801,12 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
                return WERR_DS_DRA_SOURCE_DISABLED;
        }
 
-       user_sid = &dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
+       user_sid = &session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
 
        /* all clients must have GUID_DRS_GET_CHANGES */
        werr = drs_security_access_check_nc_root(sam_ctx,
                                                 mem_ctx,
-                                                dce_call->conn->auth_state.session_info->security_token,
+                                                session_info->security_token,
                                                 req10->naming_context,
                                                 GUID_DRS_GET_CHANGES);
        if (!W_ERROR_IS_OK(werr)) {
@@ -2846,7 +2848,7 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
        if (is_gc_pas_request) {
                werr = drs_security_access_check_nc_root(sam_ctx,
                                                         mem_ctx,
-                                                        dce_call->conn->auth_state.session_info->security_token,
+                                                        session_info->security_token,
                                                         req10->naming_context,
                                                         GUID_DRS_GET_FILTERED_ATTRIBUTES);
                if (W_ERROR_IS_OK(werr)) {
@@ -2863,7 +2865,7 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
        if (is_secret_request) {
                werr = drs_security_access_check_nc_root(sam_ctx,
                                                         mem_ctx,
-                                                        dce_call->conn->auth_state.session_info->security_token,
+                                                        session_info->security_token,
                                                         req10->naming_context,
                                                         GUID_DRS_GET_ALL_CHANGES);
                if (!W_ERROR_IS_OK(werr)) {
@@ -2879,7 +2881,7 @@ WERROR dcesrv_drsuapi_DsGetNCChanges(struct dcesrv_call_state *dce_call, TALLOC_
 allowed:
        /* for non-administrator replications, check that they have
           given the correct source_dsa_invocation_id */
-       security_level = security_session_user_level(dce_call->conn->auth_state.session_info,
+       security_level = security_session_user_level(session_info,
                                                     samdb_domain_sid(sam_ctx));
        if (security_level == SECURITY_RO_DOMAIN_CONTROLLER) {
                if (req10->replica_flags & DRSUAPI_DRS_WRIT_REP) {
index c92add7..0d3b47a 100644 (file)
@@ -336,6 +336,8 @@ failed:
 WERROR dcesrv_drsuapi_DsReplicaUpdateRefs(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
                                          struct drsuapi_DsReplicaUpdateRefs *r)
 {
+       struct auth_session_info *session_info =
+               dcesrv_call_session_info(dce_call);
        struct dcesrv_handle *h;
        struct drsuapi_bind_state *b_state;
        struct drsuapi_DsReplicaUpdateRefsRequest1 *req;
@@ -353,7 +355,7 @@ WERROR dcesrv_drsuapi_DsReplicaUpdateRefs(struct dcesrv_call_state *dce_call, TA
        req = &r->in.req.req1;
        werr = drs_security_access_check(b_state->sam_ctx,
                                         mem_ctx,
-                                        dce_call->conn->auth_state.session_info->security_token,
+                                        session_info->security_token,
                                         req->naming_context,
                                         GUID_DRS_MANAGE_TOPOLOGY);
 
@@ -361,16 +363,16 @@ WERROR dcesrv_drsuapi_DsReplicaUpdateRefs(struct dcesrv_call_state *dce_call, TA
                return werr;
        }
 
-       security_level = security_session_user_level(dce_call->conn->auth_state.session_info, NULL);
+       security_level = security_session_user_level(session_info, NULL);
        if (security_level < SECURITY_ADMINISTRATOR) {
                /* check that they are using an DSA objectGUID that they own */
                ret = dsdb_validate_dsa_guid(b_state->sam_ctx,
                                             &req->dest_dsa_guid,
-                                            &dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX]);
+                                            &session_info->security_token->sids[PRIMARY_USER_SID_INDEX]);
                if (ret != LDB_SUCCESS) {
                        DEBUG(0,(__location__ ": Refusing DsReplicaUpdateRefs for sid %s with GUID %s\n",
                                 dom_sid_string(mem_ctx,
-                                               &dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX]),
+                                               &session_info->security_token->sids[PRIMARY_USER_SID_INDEX]),
                                 GUID_string(mem_ctx, &req->dest_dsa_guid)));
                        return WERR_DS_DRA_ACCESS_DENIED;
                }
index 991efcc..9a28989 100644 (file)
@@ -53,6 +53,8 @@ static bool writespn_check_spn(struct drsuapi_bind_state *b_state,
         * 1) they are on the clients own account object
         * 2) they are of the form SERVICE/dnshostname
         */
+       struct auth_session_info *session_info =
+               dcesrv_call_session_info(dce_call);
        struct dom_sid *user_sid, *sid;
        TALLOC_CTX *tmp_ctx = talloc_new(dce_call);
        struct ldb_result *res;
@@ -82,7 +84,7 @@ static bool writespn_check_spn(struct drsuapi_bind_state *b_state,
                return false;
        }
 
-       user_sid = &dce_call->conn->auth_state.session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
+       user_sid = &session_info->security_token->sids[PRIMARY_USER_SID_INDEX];
        sid = samdb_result_dom_sid(tmp_ctx, res->msgs[0], "objectSid");
        if (sid == NULL) {
                talloc_free(tmp_ctx);