From: Stefan Metzmacher Date: Tue, 1 Mar 2005 16:08:36 +0000 (+0000) Subject: r5603: add "authservice()" property to the interface property list X-Git-Tag: samba-4.0.0alpha6~801^3~11445 X-Git-Url: http://git.samba.org/?p=samba.git;a=commitdiff_plain;h=4a3ca96fb44a62867ef565d1eeb6c0a16418e505 r5603: add "authservice()" property to the interface property list so we can specify allowed target service names in the idl file the default is "host" metze (This used to be commit bf40d5321f3257bf9354a42d31265f1a9b0d53ad) --- diff --git a/source4/build/pidl/ndr.pm b/source4/build/pidl/ndr.pm index 27f0b87d971..c460c92c95a 100644 --- a/source4/build/pidl/ndr.pm +++ b/source4/build/pidl/ndr.pm @@ -2008,18 +2008,40 @@ sub FunctionTable($) pidl ""; pidl "static const struct dcerpc_endpoint_list $interface->{NAME}\_endpoints = {"; - pidl "\t$endpoint_count, $interface->{NAME}\_endpoint_strings"; + pidl "\t.count\t= $endpoint_count,"; + pidl "\t.names\t= $interface->{NAME}\_endpoint_strings"; + pidl "};"; + pidl ""; + + if (! defined $interface->{PROPERTIES}->{authservice}) { + $interface->{PROPERTIES}->{authservice} = "\"host\""; + } + + my @a = split / /, $interface->{PROPERTIES}->{authservice}; + my $authservice_count = $#a + 1; + + pidl "static const char * const $interface->{NAME}\_authservice_strings[] = {"; + foreach my $ap (@a) { + pidl "\t$ap, "; + } + pidl "};"; + pidl ""; + + pidl "static const struct dcerpc_authservice_list $interface->{NAME}\_authservices = {"; + pidl "\t.count\t= $endpoint_count,"; + pidl "\t.names\t= $interface->{NAME}\_authservice_strings"; pidl "};"; pidl ""; pidl "\nconst struct dcerpc_interface_table dcerpc_table_$interface->{NAME} = {"; - pidl "\t\"$interface->{NAME}\","; - pidl "\tDCERPC_$uname\_UUID,"; - pidl "\tDCERPC_$uname\_VERSION,"; - pidl "\tDCERPC_$uname\_HELPSTRING,"; - pidl "\t$count,"; - pidl "\t$interface->{NAME}\_calls,"; - pidl "\t&$interface->{NAME}\_endpoints"; + pidl "\t.name\t\t= \"$interface->{NAME}\","; + pidl "\t.uuid\t\t= DCERPC_$uname\_UUID,"; + pidl "\t.if_version\t= DCERPC_$uname\_VERSION,"; + pidl "\t.helpstring\t= DCERPC_$uname\_HELPSTRING,"; + pidl "\t.num_calls\t= $count,"; + pidl "\t.calls\t\t= $interface->{NAME}\_calls,"; + pidl "\t.endpoints\t= &$interface->{NAME}\_endpoints,"; + pidl "\t.authservices\t= &$interface->{NAME}\_authservices"; pidl "};"; pidl ""; diff --git a/source4/librpc/rpc/dcerpc.h b/source4/librpc/rpc/dcerpc.h index 32a03d71a76..db7b76a7796 100644 --- a/source4/librpc/rpc/dcerpc.h +++ b/source4/librpc/rpc/dcerpc.h @@ -153,6 +153,11 @@ struct dcerpc_endpoint_list { const char * const *names; }; +struct dcerpc_authservice_list { + uint32_t count; + const char * const *names; +}; + struct dcerpc_interface_table { const char *name; const char *uuid; @@ -161,6 +166,7 @@ struct dcerpc_interface_table { uint32_t num_calls; const struct dcerpc_interface_call *calls; const struct dcerpc_endpoint_list *endpoints; + const struct dcerpc_authservice_list *authservices; }; struct dcerpc_interface_list { @@ -175,6 +181,7 @@ struct dcerpc_binding { uint16_t object_version; const char *host; const char *endpoint; + const char *authservice; const char **options; uint32_t flags; }; diff --git a/source4/librpc/rpc/dcerpc_auth.c b/source4/librpc/rpc/dcerpc_auth.c index c0b72b68423..1bcf4224c46 100644 --- a/source4/librpc/rpc/dcerpc_auth.c +++ b/source4/librpc/rpc/dcerpc_auth.c @@ -146,7 +146,8 @@ NTSTATUS dcerpc_bind_auth_password(struct dcerpc_pipe *p, const char *domain, const char *username, const char *password, - uint8_t auth_type) + uint8_t auth_type, + const char *service) { NTSTATUS status; @@ -189,6 +190,15 @@ NTSTATUS dcerpc_bind_auth_password(struct dcerpc_pipe *p, return status; } + if (service) { + status = gensec_set_target_service(p->conn->security_state.generic_state, service); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(1, ("Failed to start set GENSEC target service: %s\n", + nt_errstr(status))); + return status; + } + } + status = gensec_start_mech_by_authtype(p->conn->security_state.generic_state, auth_type, dcerpc_auth_level(p->conn)); diff --git a/source4/librpc/rpc/dcerpc_util.c b/source4/librpc/rpc/dcerpc_util.c index 3697d2f181b..7b753d1b307 100644 --- a/source4/librpc/rpc/dcerpc_util.c +++ b/source4/librpc/rpc/dcerpc_util.c @@ -789,13 +789,15 @@ NTSTATUS dcerpc_epm_map_binding(TALLOC_CTX *mem_ctx, struct dcerpc_binding *bind if (table) { struct dcerpc_binding default_binding; - + + binding->authservice = talloc_strdup(mem_ctx, table->authservices->names[0]); + /* Find one of the default pipes for this interface */ for (i = 0; i < table->endpoints->count; i++) { status = dcerpc_parse_binding(mem_ctx, table->endpoints->names[i], &default_binding); if (NT_STATUS_IS_OK(status) && default_binding.transport == binding->transport && default_binding.endpoint) { - binding->endpoint = talloc_strdup(mem_ctx, default_binding.endpoint); + binding->endpoint = talloc_strdup(mem_ctx, default_binding.endpoint); return NT_STATUS_OK; } } @@ -808,6 +810,7 @@ NTSTATUS dcerpc_epm_map_binding(TALLOC_CTX *mem_ctx, struct dcerpc_binding *bind epmapper_binding.options = NULL; epmapper_binding.flags = 0; epmapper_binding.endpoint = NULL; + epmapper_binding.authservice = NULL; status = dcerpc_pipe_connect_b(&p, &epmapper_binding, @@ -903,8 +906,9 @@ static NTSTATUS dcerpc_pipe_auth(struct dcerpc_pipe *p, status = dcerpc_bind_auth_password(p, pipe_uuid, pipe_version, domain, username, password, - auth_type); - } else { + auth_type, + binding->authservice); + } else { status = dcerpc_bind_auth_none(p, pipe_uuid, pipe_version); } diff --git a/source4/torture/rpc/bind.c b/source4/torture/rpc/bind.c index d6265361696..10ffa502899 100644 --- a/source4/torture/rpc/bind.c +++ b/source4/torture/rpc/bind.c @@ -53,7 +53,7 @@ BOOL torture_multi_bind(void) status = dcerpc_parse_binding(mem_ctx, binding_string, &b); if (!NT_STATUS_IS_OK(status)) { - DEBUG(0,("Failed to parse dcerpc binding '%s'\n", binding_string)); + printf("Failed to parse dcerpc binding '%s'\n", binding_string); talloc_free(mem_ctx); return False; } @@ -82,21 +82,21 @@ BOOL torture_multi_bind(void) status = dcerpc_bind_auth_password(p, pipe_uuid, pipe_version, domain, username, password, - auth_type); - } else { + auth_type, + binding->authservice); + } else { status = dcerpc_bind_auth_none(p, pipe_uuid, pipe_version); } if (NT_STATUS_IS_OK(status)) { - DEBUG(0,("(incorrectly) allowed re-bind to uuid %s - %s\n", - pipe_uuid, nt_errstr(status))); + printf("(incorrectly) allowed re-bind to uuid %s - %s\n", + pipe_uuid, nt_errstr(status)); ret = False; } else { + printf("\n"); ret = True; } - printf("\n"); - talloc_free(mem_ctx); torture_rpc_close(p);