r10764: To match Win2k3 SP1, we need to set an anonymous user token for
authorAndrew Bartlett <abartlet@samba.org>
Thu, 6 Oct 2005 11:15:20 +0000 (11:15 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 18:39:28 +0000 (13:39 -0500)
schannel connections.

Test for Win2k3 SP1 behaviour in RPC-SCHANNEL.

Andrew Bartlett

source/auth/gensec/schannel.c
source/rpc_server/lsa/dcesrv_lsa.c
source/torture/rpc/schannel.c

index a4561ee9968eeb0630ee571ff7ab3d68c4d2ad6d..8d5c7554f544d941c0e3952af89a38dcb3cba650 100644 (file)
@@ -160,22 +160,33 @@ NTSTATUS dcerpc_schannel_creds(struct gensec_security *gensec_security,
                
 
 /** 
- * Return the credentials of a logged on user, including session keys
- * etc.
- *
- * Only valid after a successful authentication
- *
- * May only be called once per authentication.
+ * Returns anonymous credentials for schannel, matching Win2k3.
  *
  */
 
 static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
-                                     struct auth_session_info **session_info)
+                                        struct auth_session_info **_session_info) 
 {
-       (*session_info) = talloc(gensec_security, struct auth_session_info);
-       NT_STATUS_HAVE_NO_MEMORY(*session_info);
+       NTSTATUS nt_status;
+       struct schannel_state *state = gensec_security->private_data;
+       struct auth_serversupplied_info *server_info = NULL;
+       struct auth_session_info *session_info = NULL;
+       TALLOC_CTX *mem_ctx = talloc_new(state);
+       
+       nt_status = auth_anonymous_server_info(mem_ctx,
+                                              &server_info);
+       if (!NT_STATUS_IS_OK(nt_status)) {
+               talloc_free(mem_ctx);
+               return nt_status;
+       }
+
+       /* references the server_info into the session_info */
+       nt_status = auth_generate_session_info(state, server_info, &session_info);
+       talloc_free(mem_ctx);
+
+       NT_STATUS_NOT_OK_RETURN(nt_status);
 
-       ZERO_STRUCTP(*session_info);
+       *_session_info = session_info;
 
        return NT_STATUS_OK;
 }
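Review bot: `talloc_new(state)` in schannel_session_info is used without a NULL check, so on allocation failure `auth_anonymous_server_info` is handed a NULL context and the later `talloc_free(mem_ctx)` presumably no longer releases what was allocated under it. Adding `NT_STATUS_HAVE_NO_MEMORY(mem_ctx);` directly after the declarations would close that, using the macro the removed code already relied on. The returned session_info is now parented to `state`, where the old code used `gensec_security`; if callers expect it to live as long as the gensec context, that lifetime change is worth confirming. The shortened doc comment also dropped "Only valid after a successful authentication". Since this function decides which token every schannel connection runs under, I would restore that precondition if it still holds and add a line such as `* The session always receives the anonymous token, regardless of which account established the channel.`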
index 4222447f0193cb6e62456e9ab814ea55290a3b53..ba28462d5e01facd80ada566ecd55e9a7a3fe3e3 100644 (file)
@@ -2404,7 +2404,7 @@ static NTSTATUS lsa_RetrievePrivateData(struct dcesrv_call_state *dce_call, TALL
   lsa_GetUserName
 */
 static NTSTATUS lsa_GetUserName(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
-                      struct lsa_GetUserName *r)
+                               struct lsa_GetUserName *r)
 {
        NTSTATUS status = NT_STATUS_OK;
        const char *account_name;
index 7674b304178d43cf46552dcd216add2d5d85d930..056684631abb195032f6919563110a4c1c375c35 100644 (file)
@@ -112,9 +112,9 @@ static BOOL test_lsa_ops(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
                                return False;
                        }
 
-                       if (strcmp(r.out.account_name->string, "SYSTEM") != 0) {
+                       if (strcmp(r.out.account_name->string, "ANONYMOUS LOGON") != 0) {
                                printf("GetUserName returned wrong user: %s, expected %s\n",
-                                      r.out.account_name->string, "SYSTEM");
+                                      r.out.account_name->string, "ANONYMOUS LOGON");
                                return False;
                        }
                        if (!r.out.authority_name || !r.out.authority_name->string) {
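Review bot: The expected name `"ANONYMOUS LOGON"` is now spelled twice, once in the `strcmp` and once in the `printf`, so the check and its failure message can drift apart. A local such as `const char *expected = "ANONYMOUS LOGON";` used in both places keeps them in step. The test also accepts only the Win2k3 SP1 answer, so a run against a server with the older behaviour (presumably the `"SYSTEM"` the previous version expected) will now report a failure; a one-line comment stating that this is intended would help. The enclosing function starts and ends outside the hunk.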