From 337d86f87e4f35bb2b2b4d858c3cb835a7a5da79 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 26 Mar 2015 14:41:09 +0100 Subject: [PATCH] s3:rpcclient: only require netlogon_creds for specified netlogon calls A lot of calls on the netlogon pipe doesn't require netlogon credentials, e.g. netr_LogonControl*() should work just with administrator credentials. Signed-off-by: Stefan Metzmacher Reviewed-by: Guenther Deschner --- source3/rpcclient/cmd_netlogon.c | 12 ++++++------ source3/rpcclient/rpcclient.c | 5 +---- source3/rpcclient/rpcclient.h | 1 + 3 files changed, 8 insertions(+), 10 deletions(-) diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c index 2d1c35168ce..1af68f98681 100644 --- a/source3/rpcclient/cmd_netlogon.c +++ b/source3/rpcclient/cmd_netlogon.c @@ -1289,10 +1289,10 @@ struct cmd_set netlogon_commands[] = { { "dsr_getsitename", RPC_RTYPE_WERROR, NULL, cmd_netlogon_dsr_getsitename, &ndr_table_netlogon, NULL, "Get sitename", "" }, { "dsr_getforesttrustinfo", RPC_RTYPE_WERROR, NULL, cmd_netlogon_dsr_getforesttrustinfo, &ndr_table_netlogon, NULL, "Get Forest Trust Info", "" }, { "logonctrl", RPC_RTYPE_WERROR, NULL, cmd_netlogon_logon_ctrl, &ndr_table_netlogon, NULL, "Logon Control", "" }, - { "samsync", RPC_RTYPE_NTSTATUS, cmd_netlogon_sam_sync, NULL, &ndr_table_netlogon, NULL, "Sam Synchronisation", "" }, - { "samdeltas", RPC_RTYPE_NTSTATUS, cmd_netlogon_sam_deltas, NULL, &ndr_table_netlogon, NULL, "Query Sam Deltas", "" }, - { "samlogon", RPC_RTYPE_NTSTATUS, cmd_netlogon_sam_logon, NULL, &ndr_table_netlogon, NULL, "Sam Logon", "" }, - { "change_trust_pw", RPC_RTYPE_NTSTATUS, cmd_netlogon_change_trust_pw, NULL, &ndr_table_netlogon, NULL, "Change Trust Account Password", "" }, + { "samsync", RPC_RTYPE_NTSTATUS, cmd_netlogon_sam_sync, NULL, &ndr_table_netlogon, NULL, "Sam Synchronisation", "", .use_netlogon_creds = true, }, + { "samdeltas", RPC_RTYPE_NTSTATUS, cmd_netlogon_sam_deltas, NULL, &ndr_table_netlogon, NULL, "Query Sam Deltas", "", .use_netlogon_creds = true, }, + { "samlogon", RPC_RTYPE_NTSTATUS, cmd_netlogon_sam_logon, NULL, &ndr_table_netlogon, NULL, "Sam Logon", "", .use_netlogon_creds = true, }, + { "change_trust_pw", RPC_RTYPE_NTSTATUS, cmd_netlogon_change_trust_pw, NULL, &ndr_table_netlogon, NULL, "Change Trust Account Password", "", .use_netlogon_creds = true, }, { "gettrustrid", RPC_RTYPE_WERROR, NULL, cmd_netlogon_gettrustrid, &ndr_table_netlogon, NULL, "Get trust rid", "" }, { "dsr_enumtrustdom", RPC_RTYPE_WERROR, NULL, cmd_netlogon_dsr_enumtrustdom, &ndr_table_netlogon, NULL, "Enumerate trusted domains", "" }, { "dsenumdomtrusts", RPC_RTYPE_WERROR, NULL, cmd_netlogon_dsr_enumtrustdom, &ndr_table_netlogon, NULL, "Enumerate all trusted domains in an AD forest", "" }, @@ -1300,8 +1300,8 @@ struct cmd_set netlogon_commands[] = { { "netrenumtrusteddomains", RPC_RTYPE_NTSTATUS, cmd_netlogon_enumtrusteddomains, NULL, &ndr_table_netlogon, NULL, "Enumerate trusted domains", "" }, { "netrenumtrusteddomainsex", RPC_RTYPE_WERROR, NULL, cmd_netlogon_enumtrusteddomainsex, &ndr_table_netlogon, NULL, "Enumerate trusted domains", "" }, { "getdcsitecoverage", RPC_RTYPE_WERROR, NULL, cmd_netlogon_getdcsitecoverage, &ndr_table_netlogon, NULL, "Get the Site-Coverage from a DC", "" }, - { "database_redo", RPC_RTYPE_NTSTATUS, cmd_netlogon_database_redo, NULL, &ndr_table_netlogon, NULL, "Replicate single object from a DC", "" }, - { "capabilities", RPC_RTYPE_NTSTATUS, cmd_netlogon_capabilities, NULL, &ndr_table_netlogon, NULL, "Return Capabilities", "" }, + { "database_redo", RPC_RTYPE_NTSTATUS, cmd_netlogon_database_redo, NULL, &ndr_table_netlogon, NULL, "Replicate single object from a DC", "", .use_netlogon_creds = true, }, + { "capabilities", RPC_RTYPE_NTSTATUS, cmd_netlogon_capabilities, NULL, &ndr_table_netlogon, NULL, "Return Capabilities", "", .use_netlogon_creds = true, }, { NULL } }; diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c index db89b47dfc7..47789f44835 100644 --- a/source3/rpcclient/rpcclient.c +++ b/source3/rpcclient/rpcclient.c @@ -681,7 +681,6 @@ static NTSTATUS do_cmd(struct cli_state *cli, { NTSTATUS ntresult; WERROR wresult; - bool ok; TALLOC_CTX *mem_ctx; @@ -757,9 +756,7 @@ static NTSTATUS do_cmd(struct cli_state *cli, return ntresult; } - ok = ndr_syntax_id_equal(&cmd_entry->table->syntax_id, - &ndr_table_netlogon.syntax_id); - if (rpcclient_netlogon_creds == NULL && ok) { + if (rpcclient_netlogon_creds == NULL && cmd_entry->use_netlogon_creds) { const char *dc_name = cmd_entry->rpc_pipe->desthost; const char *domain = get_cmdline_auth_info_domain(auth_info); struct cli_credentials *creds = NULL; diff --git a/source3/rpcclient/rpcclient.h b/source3/rpcclient/rpcclient.h index 9cb0323dd4a..7697d3d0485 100644 --- a/source3/rpcclient/rpcclient.h +++ b/source3/rpcclient/rpcclient.h @@ -39,6 +39,7 @@ struct cmd_set { struct rpc_pipe_client *rpc_pipe; const char *description; const char *usage; + bool use_netlogon_creds; }; extern struct messaging_context *rpcclient_msg_ctx; -- 2.34.1