r6272: For 'programmed' use of an anonymous account, we should use

cli_credentials_set_conf(), not cli_credentials_guess().

Also, clarify why for particular flags, we don't do a DCERPC-level
authentication.

Andrew Bartlett
(This used to be commit 838925761d004a1426107f4c5c84d0276fddb2c0)

diff --git a/source4/librpc/rpc/dcerpc_util.c b/source4/librpc/rpc/dcerpc_util.c
index f45ae92babec5cb9e3d87c8bae95cfe5d6e5dac1..d1d9977b39946eac73680b97eedf28cf8efe2f95 100644 (file)
--- a/source4/librpc/rpc/dcerpc_util.c
+++ b/source4/librpc/rpc/dcerpc_util.c
@@ -806,8 +806,8 @@ NTSTATUS dcerpc_epm_map_binding(TALLOC_CTX *mem_ctx, struct dcerpc_binding *bind
 
        struct cli_credentials *anon_creds
                = cli_credentials_init(mem_ctx);
+       cli_credentials_set_conf(anon_creds);
        cli_credentials_set_anonymous(anon_creds);
-       cli_credentials_guess(anon_creds);
 
        /* First, check if there is a default endpoint specified in the IDL */
 
@@ -939,7 +939,14 @@ NTSTATUS dcerpc_pipe_auth(struct dcerpc_pipe *p,
        } else if (!cli_credentials_is_anonymous(credentials) &&
                !(binding->transport == NCACN_NP &&
                  !(binding->flags & DCERPC_SIGN) &&
-                 !(binding->flags & DCERPC_SEAL))) {
+                 !(binding->flags & DCERPC_SEAL))) {   
+       
+               /* Perform an authenticated DCE-RPC bind, except where
+                * we ask for a connection on NCACN_NP, and that
+                * connection is not signed or sealed.  For that case
+                * we rely on the already authenicated CIFS connection
+                */
+
                uint8_t auth_type;
                if (binding->flags & DCERPC_AUTH_SPNEGO) {
                        auth_type = DCERPC_AUTH_TYPE_SPNEGO;