[SCM] Samba Shared Repository - branch master updated

Volker Lendecke vlendec at samba.org
Tue May 16 11:55:01 UTC 2023


The branch, master has been updated
       via  59694ad0a4c rpc_server3: Pass winbind_env_set() state through to rpcd_*
       via  bb3ea36e100 lib: Add security_token_del_npa_flags() helper function
       via  bdba027a33e rpc: Remove named_pipe_auth_req_info6->need_idle_server
       via  31180e0e6d9 rpc_server3: Use global_sid_Samba_NPA_Flags to pass "need_idle"
       via  ebbb93cc7a5 rpc: Add global_sid_Samba_NPA_Flags SID
       via  1d11e0489b2 librpc: Simplify dcerpc_is_transport_encrypted()
       via  244ee8ad75c smbd: Use security_token_count_flag_sids() in open_np_file()
       via  5e8c7192ba5 libcli: Add security_token_count_flag_sids()
      from  6206e15b4de winbind: Fix "wbinfo -u" on a Samba AD DC with >1000 users

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 59694ad0a4cc489f1baa4c2c94c6322c0f22c1df
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Apr 18 12:47:04 2023 +0200

    rpc_server3: Pass winbind_env_set() state through to rpcd_*
    
    Winbind can ask rpcd_lsad for LookupNames etc. This can recurse back
    into winbind for getpwnam. We have the "_NO_WINBINDD" environment
    variable set in winbind itself for this case, but this is lost on the
    way into rpcd_lsad. Use a flag in global_sid_Samba_NPA_Flags to pass
    this information to dcerpc_core, where it sets the variable on every
    call if requested.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Volker Lendecke <vl at samba.org>
    Autobuild-Date(master): Tue May 16 11:54:32 UTC 2023 on atb-devel-224

commit bb3ea36e10079ad9c73c68d7ed8fce51ecb40ebe
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Apr 18 14:32:20 2023 +0200

    lib: Add security_token_del_npa_flags() helper function
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit bdba027a33e35aab7bb322bc3167cdd7babfc059
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Apr 18 12:29:34 2023 +0200

    rpc: Remove named_pipe_auth_req_info6->need_idle_server
    
    Involves bumping up the version number
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 31180e0e6d9e43d54e7656a56ed3af129f578105
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Apr 18 12:28:28 2023 +0200

    rpc_server3: Use global_sid_Samba_NPA_Flags to pass "need_idle"
    
    More code, but will be more flexible in the future.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit ebbb93cc7a57a118b82b8f383d25f1eb022397d6
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Apr 18 12:09:45 2023 +0200

    rpc: Add global_sid_Samba_NPA_Flags SID
    
    This will be used as a flexible way to pass per-RPC-connection flags
    over ncalrpc to the RPC server without having to modify
    named_pipe_auth_req_info6 every time something new needs to be
    passed. It's modeled after global_sid_Samba_SMB3.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 1d11e0489b2c91fc05c6befc0463695d7102abcc
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Apr 18 12:04:17 2023 +0200

    librpc: Simplify dcerpc_is_transport_encrypted()
    
    Simplify logic by using security_token_count_flag_sids()
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 244ee8ad75c2c968997dfdd5eeb9e9cb97a191fb
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Apr 18 12:01:02 2023 +0200

    smbd: Use security_token_count_flag_sids() in open_np_file()
    
    Simpler logic in the caller
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 5e8c7192ba5469547ba3101885dfbaba2f8181f4
Author: Volker Lendecke <vl at samba.org>
Date:   Tue Apr 18 11:31:16 2023 +0200

    libcli: Add security_token_count_flag_sids()
    
    To be used in a few places when checking special-case Samba SIDs.
    
    Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 libcli/named_pipe_auth/npa_tstream.c | 144 +++++++++++++++++++----------------
 libcli/named_pipe_auth/npa_tstream.h |   4 +-
 libcli/security/dom_sid.h            |   4 +
 libcli/security/security_token.c     |  37 +++++++++
 libcli/security/security_token.h     |   9 +++
 libcli/security/util_sid.c           |   7 ++
 librpc/idl/named_pipe_auth.idl       |   9 +--
 librpc/rpc/dcerpc_helper.c           |  25 +++---
 librpc/rpc/dcesrv_core.c             |  17 +++++
 librpc/rpc/dcesrv_core.h             |   1 +
 source3/include/proto.h              |   3 +
 source3/lib/util_sid.c               |  34 +++++++++
 source3/librpc/idl/rpc_host.idl      |   2 +-
 source3/rpc_client/local_np.c        | 105 ++++++++++++++++++-------
 source3/rpc_server/rpc_host.c        | 115 ++++++++++++++++------------
 source3/rpc_server/rpc_worker.c      | 112 ++++++++++++++++-----------
 source3/smbd/smb2_pipes.c            |  23 +++---
 17 files changed, 426 insertions(+), 225 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libcli/named_pipe_auth/npa_tstream.c b/libcli/named_pipe_auth/npa_tstream.c
index 6f4ab45887b..f84440fe755 100644
--- a/libcli/named_pipe_auth/npa_tstream.c
+++ b/libcli/named_pipe_auth/npa_tstream.c
@@ -73,7 +73,7 @@ struct tevent_req *tstream_npa_connect_send(TALLOC_CTX *mem_ctx,
 	int ret;
 	enum ndr_err_code ndr_err;
 	char *lower_case_npipe;
-	struct named_pipe_auth_req_info6 *info6;
+	struct named_pipe_auth_req_info7 *info7;
 
 	req = tevent_req_create(mem_ctx, &state,
 				struct tstream_npa_connect_state);
@@ -119,39 +119,43 @@ struct tevent_req *tstream_npa_connect_send(TALLOC_CTX *mem_ctx,
 		goto post;
 	}
 
-	state->auth_req.level = 6;
-	info6 = &state->auth_req.info.info6;
+	state->auth_req.level = 7;
+	info7 = &state->auth_req.info.info7;
 
-	info6->transport = transport;
-	SMB_ASSERT(info6->transport == transport); /* Assert no overflow */
+	info7->transport = transport;
+	SMB_ASSERT(info7->transport == transport); /* Assert no overflow */
 
-	info6->remote_client_name = remote_client_name_in;
-	info6->remote_client_addr = tsocket_address_inet_addr_string(remote_client_addr,
-								     state);
-	if (!info6->remote_client_addr) {
+	info7->remote_client_name = remote_client_name_in;
+	info7->remote_client_addr =
+		tsocket_address_inet_addr_string(remote_client_addr, state);
+	if (!info7->remote_client_addr) {
 		/* errno might be EINVAL */
 		tevent_req_error(req, errno);
 		goto post;
 	}
-	info6->remote_client_port = tsocket_address_inet_port(remote_client_addr);
-	if (!info6->remote_client_name) {
-		info6->remote_client_name = info6->remote_client_addr;
+	info7->remote_client_port =
+		tsocket_address_inet_port(remote_client_addr);
+	if (!info7->remote_client_name) {
+		info7->remote_client_name = info7->remote_client_addr;
 	}
 
-	info6->local_server_name = local_server_name_in;
-	info6->local_server_addr = tsocket_address_inet_addr_string(local_server_addr,
-								    state);
-	if (!info6->local_server_addr) {
+	info7->local_server_name = local_server_name_in;
+	info7->local_server_addr =
+		tsocket_address_inet_addr_string(local_server_addr, state);
+	if (!info7->local_server_addr) {
 		/* errno might be EINVAL */
 		tevent_req_error(req, errno);
 		goto post;
 	}
-	info6->local_server_port = tsocket_address_inet_port(local_server_addr);
-	if (!info6->local_server_name) {
-		info6->local_server_name = info6->local_server_addr;
+	info7->local_server_port =
+		tsocket_address_inet_port(local_server_addr);
+	if (!info7->local_server_name) {
+		info7->local_server_name = info7->local_server_addr;
 	}
 
-	info6->session_info = discard_const_p(struct auth_session_info_transport, session_info);
+	info7->session_info =
+		discard_const_p(struct auth_session_info_transport,
+				session_info);
 
 	if (DEBUGLVL(10)) {
 		NDR_PRINT_DEBUG(named_pipe_auth_req, &state->auth_req);
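Review bot: this hunk mixes the info6 to info7 rename with re-wrapping of statements that do not otherwise change (the tsocket_address_inet_addr_string() and tsocket_address_inet_port() calls, the discard_const_p() line), so most of the +/- lines carry no semantic difference and the actual level bump from 6 to 7 is hard to pick out. Either leave the unchanged calls on their original lines or put the reflow in its own commit. The SMB_ASSERT(info7->transport == transport) overflow check survives the rename, which is the one line here that matters.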
@@ -348,10 +352,10 @@ int _tstream_npa_connect_recv(struct tevent_req *req,
 
 	npas->unix_stream = talloc_move(stream, &state->unix_stream);
 	switch (state->auth_rep.level) {
-	case 6:
-		npas->file_type = state->auth_rep.info.info6.file_type;
-		device_state = state->auth_rep.info.info6.device_state;
-		allocation_size = state->auth_rep.info.info6.allocation_size;
+	case 7:
+		npas->file_type = state->auth_rep.info.info7.file_type;
+		device_state = state->auth_rep.info.info7.device_state;
+		allocation_size = state->auth_rep.info.info7.allocation_size;
 		break;
 	}
 
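Review bot: the switch on state->auth_rep.level still has no default branch, so a reply carrying any level other than 7 leaves npas->file_type, device_state and allocation_size at whatever they held before the switch and the function proceeds as if the reply were valid. Now that the level has just changed, an explicit default that fails the request with a clear errno would turn a client/server version mismatch into a reportable error instead of a silently malformed pipe object.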
@@ -1084,7 +1088,7 @@ static void tstream_npa_accept_existing_reply(struct tevent_req *subreq)
 			tevent_req_data(req, struct tstream_npa_accept_state);
 	struct named_pipe_auth_req *pipe_request;
 	struct named_pipe_auth_rep pipe_reply;
-	struct named_pipe_auth_req_info6 i6;
+	struct named_pipe_auth_req_info7 i7;
 	enum ndr_err_code ndr_err;
 	DATA_BLOB in, out;
 	int err;
@@ -1147,53 +1151,59 @@ static void tstream_npa_accept_existing_reply(struct tevent_req *subreq)
 		NDR_PRINT_DEBUG(named_pipe_auth_req, pipe_request);
 	}
 
-	ZERO_STRUCT(i6);
+	ZERO_STRUCT(i7);
 
-	if (pipe_request->level != 6) {
+	if (pipe_request->level != 7) {
 		DEBUG(0, ("Unknown level %u\n", pipe_request->level));
 		pipe_reply.level = 0;
 		pipe_reply.status = NT_STATUS_INVALID_LEVEL;
 		goto reply;
 	}
 
-	pipe_reply.level = 6;
+	pipe_reply.level = 7;
 	pipe_reply.status = NT_STATUS_OK;
-	pipe_reply.info.info6.file_type = state->file_type;
-	pipe_reply.info.info6.device_state = state->device_state;
-	pipe_reply.info.info6.allocation_size = state->alloc_size;
+	pipe_reply.info.info7.file_type = state->file_type;
+	pipe_reply.info.info7.device_state = state->device_state;
+	pipe_reply.info.info7.allocation_size = state->alloc_size;
 
-	i6 = pipe_request->info.info6;
-	if (i6.local_server_addr == NULL) {
+	i7 = pipe_request->info.info7;
+	if (i7.local_server_addr == NULL) {
 		pipe_reply.status = NT_STATUS_INVALID_ADDRESS;
 		DEBUG(2, ("Missing local server address\n"));
 		goto reply;
 	}
-	if (i6.remote_client_addr == NULL) {
+	if (i7.remote_client_addr == NULL) {
 		pipe_reply.status = NT_STATUS_INVALID_ADDRESS;
 		DEBUG(2, ("Missing remote client address\n"));
 		goto reply;
 	}
 
-	ret = tsocket_address_inet_from_strings(state, "ip",
-						i6.local_server_addr,
-						i6.local_server_port,
+	ret = tsocket_address_inet_from_strings(state,
+						"ip",
+						i7.local_server_addr,
+						i7.local_server_port,
 						&state->local_server_addr);
 	if (ret != 0) {
-		DEBUG(2, ("Invalid local server address[%s:%u] - %s\n",
-			  i6.local_server_addr, i6.local_server_port,
-			  strerror(errno)));
+		DEBUG(2,
+		      ("Invalid local server address[%s:%u] - %s\n",
+		       i7.local_server_addr,
+		       i7.local_server_port,
+		       strerror(errno)));
 		pipe_reply.status = NT_STATUS_INVALID_ADDRESS;
 		goto reply;
 	}
 
-	ret = tsocket_address_inet_from_strings(state, "ip",
-						i6.remote_client_addr,
-						i6.remote_client_port,
+	ret = tsocket_address_inet_from_strings(state,
+						"ip",
+						i7.remote_client_addr,
+						i7.remote_client_port,
 						&state->remote_client_addr);
 	if (ret != 0) {
-		DEBUG(2, ("Invalid remote client address[%s:%u] - %s\n",
-			  i6.remote_client_addr, i6.remote_client_port,
-			  strerror(errno)));
+		DEBUG(2,
+		      ("Invalid remote client address[%s:%u] - %s\n",
+		       i7.remote_client_addr,
+		       i7.remote_client_port,
+		       strerror(errno)));
 		pipe_reply.status = NT_STATUS_INVALID_ADDRESS;
 		goto reply;
 	}
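Review bot: with the union reduced to case(7), a peer that still sends level 6 (an smbd or winbind from the previous build reaching an already restarted rpcd, or the reverse, during a rolling upgrade) is answered with NT_STATUS_INVALID_LEVEL and a DEBUG(0) "Unknown level 6". That is an acceptable failure mode for a local ncalrpc protocol, but it should be stated that all daemons sharing the socket must be restarted together, and the log line would help more as "Unknown level %u, expected 7" so the mismatch is obvious from the log alone.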
@@ -1249,14 +1259,15 @@ static void tstream_npa_accept_existing_done(struct tevent_req *subreq)
 	tevent_req_done(req);
 }
 
-static struct named_pipe_auth_req_info6 *copy_npa_info6(
-	TALLOC_CTX *mem_ctx, const struct named_pipe_auth_req_info6 *src)
+static struct named_pipe_auth_req_info7 *
+copy_npa_info7(TALLOC_CTX *mem_ctx,
+	       const struct named_pipe_auth_req_info7 *src)
 {
-	struct named_pipe_auth_req_info6 *dst = NULL;
+	struct named_pipe_auth_req_info7 *dst = NULL;
 	DATA_BLOB blob;
 	enum ndr_err_code ndr_err;
 
-	dst = talloc_zero(mem_ctx, struct named_pipe_auth_req_info6);
+	dst = talloc_zero(mem_ctx, struct named_pipe_auth_req_info7);
 	if (dst == NULL) {
 		return NULL;
 	}
@@ -1265,9 +1276,9 @@ static struct named_pipe_auth_req_info6 *copy_npa_info6(
 		&blob,
 		dst,
 		src,
-		(ndr_push_flags_fn_t)ndr_push_named_pipe_auth_req_info6);
+		(ndr_push_flags_fn_t)ndr_push_named_pipe_auth_req_info7);
 	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-		DBG_WARNING("ndr_push_named_pipe_auth_req_info6 failed: %s\n",
+		DBG_WARNING("ndr_push_named_pipe_auth_req_info7 failed: %s\n",
 			    ndr_errstr(ndr_err));
 		TALLOC_FREE(dst);
 		return NULL;
@@ -1277,10 +1288,10 @@ static struct named_pipe_auth_req_info6 *copy_npa_info6(
 		&blob,
 		dst,
 		dst,
-		(ndr_pull_flags_fn_t)ndr_pull_named_pipe_auth_req_info6);
+		(ndr_pull_flags_fn_t)ndr_pull_named_pipe_auth_req_info7);
 	TALLOC_FREE(blob.data);
 	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-		DBG_WARNING("ndr_push_named_pipe_auth_req_info6 failed: %s\n",
+		DBG_WARNING("ndr_push_named_pipe_auth_req_info7 failed: %s\n",
 			    ndr_errstr(ndr_err));
 		TALLOC_FREE(dst);
 		return NULL;
@@ -1294,7 +1305,7 @@ int _tstream_npa_accept_existing_recv(
 	int *perrno,
 	TALLOC_CTX *mem_ctx,
 	struct tstream_context **stream,
-	struct named_pipe_auth_req_info6 **info6,
+	struct named_pipe_auth_req_info7 **info7,
 	enum dcerpc_transport_t *transport,
 	struct tsocket_address **remote_client_addr,
 	char **_remote_client_name,
@@ -1305,7 +1316,8 @@ int _tstream_npa_accept_existing_recv(
 {
 	struct tstream_npa_accept_state *state =
 			tevent_req_data(req, struct tstream_npa_accept_state);
-	struct named_pipe_auth_req_info6 *i6 = &state->pipe_request->info.info6;
+	struct named_pipe_auth_req_info7 *i7 =
+		&state->pipe_request->info.info7;
 	struct tstream_npa *npas;
 	int ret;
 
@@ -1346,24 +1358,24 @@ int _tstream_npa_accept_existing_recv(
 	npas->unix_stream = state->plain;
 	npas->file_type = state->file_type;
 
-	if (info6 != NULL) {
+	if (info7 != NULL) {
 		/*
-		 * Make a full copy of "info6" because further down we
+		 * Make a full copy of "info7" because further down we
 		 * talloc_move() away substructures from
 		 * state->pipe_request.
 		 */
-		struct named_pipe_auth_req_info6 *dst = copy_npa_info6(
-			mem_ctx, i6);
+		struct named_pipe_auth_req_info7 *dst =
+			copy_npa_info7(mem_ctx, i7);
 		if (dst == NULL) {
 			*perrno = ENOMEM;
 			tevent_req_received(req);
 			return -1;
 		}
-		*info6 = dst;
+		*info7 = dst;
 	}
 
 	if (transport != NULL) {
-		*transport = i6->transport;
+		*transport = i7->transport;
 	}
 	if (remote_client_addr != NULL) {
 		*remote_client_addr = talloc_move(
@@ -1371,7 +1383,8 @@ int _tstream_npa_accept_existing_recv(
 	}
 	if (_remote_client_name != NULL) {
 		*_remote_client_name = discard_const_p(
-			char, talloc_move(mem_ctx, &i6->remote_client_name));
+			char,
+			talloc_move(mem_ctx, &i7->remote_client_name));
 	}
 	if (local_server_addr != NULL) {
 		*local_server_addr = talloc_move(
@@ -1379,10 +1392,11 @@ int _tstream_npa_accept_existing_recv(
 	}
 	if (local_server_name != NULL) {
 		*local_server_name = discard_const_p(
-			char, talloc_move(mem_ctx, &i6->local_server_name));
+			char,
+			talloc_move(mem_ctx, &i7->local_server_name));
 	}
 	if (session_info != NULL) {
-		*session_info = talloc_move(mem_ctx, &i6->session_info);
+		*session_info = talloc_move(mem_ctx, &i7->session_info);
 	}
 
 	tevent_req_received(req);
diff --git a/libcli/named_pipe_auth/npa_tstream.h b/libcli/named_pipe_auth/npa_tstream.h
index 4aff10f9afd..ebb6d16e428 100644
--- a/libcli/named_pipe_auth/npa_tstream.h
+++ b/libcli/named_pipe_auth/npa_tstream.h
@@ -27,7 +27,7 @@ struct tevent_req;
 struct tevent_context;
 struct auth_session_info_transport;
 struct tsocket_address;
-struct named_pipe_auth_req_info6;
+struct named_pipe_auth_req_info7;
 
 struct tevent_req *tstream_npa_connect_send(TALLOC_CTX *mem_ctx,
 					    struct tevent_context *ev,
@@ -114,7 +114,7 @@ int _tstream_npa_accept_existing_recv(
 	int *perrno,
 	TALLOC_CTX *mem_ctx,
 	struct tstream_context **stream,
-	struct named_pipe_auth_req_info6 **info6,
+	struct named_pipe_auth_req_info7 **info7,
 	enum dcerpc_transport_t *transport,
 	struct tsocket_address **remote_client_addr,
 	char **_remote_client_name,
diff --git a/libcli/security/dom_sid.h b/libcli/security/dom_sid.h
index 98ee935ff97..d99713cb914 100644
--- a/libcli/security/dom_sid.h
+++ b/libcli/security/dom_sid.h
@@ -66,6 +66,10 @@ extern const struct dom_sid global_sid_Unix_NFS_Mode;
 extern const struct dom_sid global_sid_Unix_NFS_Other;
 extern const struct dom_sid global_sid_Samba_SMB3;
 
+extern const struct dom_sid global_sid_Samba_NPA_Flags;
+#define SAMBA_NPA_FLAGS_NEED_IDLE 1
+#define SAMBA_NPA_FLAGS_WINBIND_OFF 2
+
 struct auth_SidAttr;
 enum lsa_SidType;
 
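Review bot: SAMBA_NPA_FLAGS_NEED_IDLE and SAMBA_NPA_FLAGS_WINBIND_OFF are introduced without a comment describing how they are encoded relative to global_sid_Samba_NPA_Flags. The values 1 and 2 suggest a bitmask OR'ed into a trailing sub_auth, but the code that builds the SID is not in the visible part of the changeset, so a reader of dom_sid.h cannot tell whether the next flag must be 4 or may be 3. A two-line comment above the defines stating the layout (prefix SID, how many sub_auths follow, and whether values must be powers of two) would settle that.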
diff --git a/libcli/security/security_token.c b/libcli/security/security_token.c
index 17e69f861ff..31be678941e 100644
--- a/libcli/security/security_token.c
+++ b/libcli/security/security_token.c
@@ -23,6 +23,7 @@
 
 #include "replace.h"
 #include "lib/util/debug.h"
+#include "lib/util/fault.h"
 #include "libcli/security/security_token.h"
 #include "libcli/security/dom_sid.h"
 #include "libcli/security/privileges.h"
@@ -96,6 +97,42 @@ bool security_token_has_sid(const struct security_token *token, const struct dom
 	return false;
 }
 
+size_t security_token_count_flag_sids(const struct security_token *token,
+				      const struct dom_sid *prefix_sid,
+				      size_t num_flags,
+				      const struct dom_sid **_flag_sid)
+{
+	const size_t num_auths_expected = prefix_sid->num_auths + num_flags;
+	const struct dom_sid *found = NULL;
+	size_t num = 0;
+	uint32_t i;
+
+	SMB_ASSERT(num_auths_expected <= ARRAY_SIZE(prefix_sid->sub_auths));
+
+	for (i = 0; i < token->num_sids; i++) {
+		const struct dom_sid *sid = &token->sids[i];
+		int cmp;
+
+		if ((size_t)sid->num_auths != num_auths_expected) {
+			continue;
+		}
+
+		cmp = dom_sid_compare_domain(sid, prefix_sid);
+		if (cmp != 0) {
+			continue;
+		}
+
+		num += 1;
+		found = sid;
+	}
+
+	if ((num == 1) && (_flag_sid != NULL)) {
+		*_flag_sid = found;
+	}
+
+	return num;
+}
+
 bool security_token_has_builtin_guests(const struct security_token *token)
 {
 	return security_token_has_sid(token, &global_sid_Builtin_Guests);
diff --git a/libcli/security/security_token.h b/libcli/security/security_token.h
index ee7fd8d2509..bb8795919e9 100644
--- a/libcli/security/security_token.h
+++ b/libcli/security/security_token.h
@@ -51,6 +51,15 @@ bool security_token_is_anonymous(const struct security_token *token);
 
 bool security_token_has_sid(const struct security_token *token, const struct dom_sid *sid);
 
+/*
+ * Return any of the domain sids found in the token matching "domain"
+ * in _domain_sid, makes most sense if you just found one.
+ */
+size_t security_token_count_flag_sids(const struct security_token *token,
+				      const struct dom_sid *prefix_sid,
+				      size_t num_flags,
+				      const struct dom_sid **_flag_sid);
+
 bool security_token_has_builtin_guests(const struct security_token *token);
 
 bool security_token_has_builtin_administrators(const struct security_token *token);
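Review bot: the new header comment does not describe the function it sits above: it speaks of "domain" and "_domain_sid" while the parameters are prefix_sid, num_flags and _flag_sid, and it omits the two facts a caller needs, namely that the return value is the number of token SIDs whose leading sub_auths equal prefix_sid and which carry exactly num_flags further sub_auths, and that *_flag_sid is filled only when that count is 1. Rewrite the comment around those points.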
diff --git a/libcli/security/util_sid.c b/libcli/security/util_sid.c
index 0a8e114c338..6ee22284033 100644
--- a/libcli/security/util_sid.c
+++ b/libcli/security/util_sid.c
@@ -165,6 +165,13 @@ const struct dom_sid global_sid_Unix_NFS_Other =		/* Unix other, MS NFS and Appl
 const struct dom_sid global_sid_Samba_SMB3 =
 {1, 1, {0,0,0,0,0,22}, {1397571891, }};
 
+const struct dom_sid global_sid_Samba_NPA_Flags = {1,
+						   1,
+						   {0, 0, 0, 0, 0, 22},
+						   {
+							   2041152804,
+						   }};
+
 /* Unused, left here for documentary purposes */
 #if 0
 #define SECURITY_NULL_SID_AUTHORITY    0
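Review bot: the literal {1, 1, {0,0,0,0,0,22}, {2041152804,}} carries no comment on what its single sub_auth means or how the value was chosen, so the SID is not recognisable when it shows up in a token dump. A comment giving the string form (S-1-22-2041152804), saying that the value is a fixed Samba-private prefix, and noting that per-connection flags are appended as further sub_auths would make the entry self-explanatory, in the style of the commented entries above it.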
diff --git a/librpc/idl/named_pipe_auth.idl b/librpc/idl/named_pipe_auth.idl
index 2204deb63c9..b2c9201d1ce 100644
--- a/librpc/idl/named_pipe_auth.idl
+++ b/librpc/idl/named_pipe_auth.idl
@@ -21,11 +21,10 @@ interface named_pipe_auth
 		[charset(DOS),string] uint8 *local_server_addr;
 		uint16 local_server_port;
 		auth_session_info_transport *session_info;
-		boolean8 need_idle_server;
-	} named_pipe_auth_req_info6;
+	} named_pipe_auth_req_info7;
 
 	typedef [switch_type(uint32)] union {
-		[case(6)] named_pipe_auth_req_info6 info6;
+		[case(7)] named_pipe_auth_req_info7 info7;
 	} named_pipe_auth_req_info;
 
 	typedef [public,gensize] struct {
@@ -41,10 +40,10 @@ interface named_pipe_auth
 		uint16 file_type;
 		uint16 device_state;
 		hyper allocation_size;
-	} named_pipe_auth_rep_info6;
+	} named_pipe_auth_rep_info7;
 
 	typedef [switch_type(uint32)] union {
-		[case(6)] named_pipe_auth_rep_info6 info6;
+		[case(7)] named_pipe_auth_rep_info7 info7;
 	} named_pipe_auth_rep_info;
 
 	typedef [public,gensize] struct {
diff --git a/librpc/rpc/dcerpc_helper.c b/librpc/rpc/dcerpc_helper.c
index cf0deeb2079..eec78e034ee 100644
--- a/librpc/rpc/dcerpc_helper.c
+++ b/librpc/rpc/dcerpc_helper.c
@@ -20,6 +20,7 @@
 #include "librpc/gen_ndr/auth.h"
 #include "lib/crypto/gnutls_helpers.h"
 #include "libcli/security/dom_sid.h"
+#include "libcli/security/security_token.h"
 #include "libcli/smb/smb2_constants.h"
 
 #include "dcerpc_helper.h"
@@ -75,23 +76,17 @@ bool dcerpc_is_transport_encrypted(struct auth_session_info *session_info)
 	uint16_t dialect = 0;
 	uint16_t encrypt = 0;
 	uint16_t cipher = 0;
-	uint32_t i;
+	size_t num_smb3_sids;
 	bool ok;
 
-	for (i = 0; i < token->num_sids; i++) {
-		int cmp;
-
-		/* There is only one SMB3 SID allowed! */
-		cmp = dom_sid_compare_domain(&token->sids[i], &smb3_dom_sid);
-		if (cmp == 0) {
-			if (smb3_sid == NULL) {
-				smb3_sid = &token->sids[i];
-			} else {
-				DBG_ERR("ERROR: The SMB3 SID has been detected "
-					"multiple times\n");
-				return false;
-			}
-		}
+	num_smb3_sids = security_token_count_flag_sids(token,
+						       &smb3_dom_sid,
+						       3,
+						       &smb3_sid);
+	if (num_smb3_sids > 1) {
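Review bot: the hunk is cut off right after "if (num_smb3_sids > 1) {", so the replacement for the removed DBG_ERR/return-false path is not visible; whatever follows must still return false for duplicates, because security_token_count_flag_sids() leaves smb3_sid unset in that case and the later dialect/encrypt/cipher extraction would otherwise use a stale pointer (smb3_sid's initialisation is outside the hunk, so confirm it starts as NULL). The bare 3 passed as num_flags is a magic number standing for dialect, encrypt and cipher; a named constant declared next to smb3_dom_sid would tie the two together and survive future changes to the SMB3 SID layout.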


-- 
Samba Shared Repository


