[SCM] Samba Shared Repository - branch v4-18-test updated
Jule Anger
janger at samba.org
Fri May 26 13:30:01 UTC 2023
The branch, v4-18-test has been updated
via a22173a745e rpc_server3: Pass winbind_env_set() state through to rpcd_*
via faa507637e5 lib: Add security_token_del_npa_flags() helper function
via ec0c93199b9 rpc: Remove named_pipe_auth_req_info6->need_idle_server
via e92fb837630 rpc_server3: Use global_sid_Samba_NPA_Flags to pass "need_idle"
via e46af7b3322 named_pipe_auth: Bump info5 to info6
via 5a09eaf01ac rpc: Add global_sid_Samba_NPA_Flags SID
via 40378826afb librpc: Simplify dcerpc_is_transport_encrypted()
via dc2606e10e1 smbd: Use security_token_count_flag_sids() in open_np_file()
via 8ed6bbcb555 libcli: Add security_token_count_flag_sids()
via 74449f2afcc samba-tool domain: Run in interactive mode if no args are supplied
via cae050cf785 librpc/rpc: allow smb3_sid_parse() to accept modern encryption algorithms
from 0f1dbe552dc winbind: Fix "wbinfo -u" on a Samba AD DC with >1000 users
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-18-test
- Log -----------------------------------------------------------------
commit a22173a745ecfc0023231e4f32b862e5ab287955
Author: Volker Lendecke <vl at samba.org>
Date: Tue Apr 18 12:47:04 2023 +0200
rpc_server3: Pass winbind_env_set() state through to rpcd_*
Winbind can ask rpcd_lsad for LookupNames etc. This can recurse back
into winbind for getpwnam. We have the "_NO_WINBINDD" environment
variable set in winbind itself for this case, but this is lost on the
way into rpcd_lsad. Use a flag in global_sid_Samba_NPA_Flags to pass
this information to dcerpc_core, where it sets the variable on every
call if requested.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Tue May 16 11:54:32 UTC 2023 on atb-devel-224
(cherry picked from commit 59694ad0a4cc489f1baa4c2c94c6322c0f22c1df)
Autobuild-User(v4-18-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-18-test): Fri May 26 13:29:20 UTC 2023 on atb-devel-224
commit faa507637e54373467ffe78c1c2feb6fd949b9d5
Author: Volker Lendecke <vl at samba.org>
Date: Tue Apr 18 14:32:20 2023 +0200
lib: Add security_token_del_npa_flags() helper function
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit bb3ea36e10079ad9c73c68d7ed8fce51ecb40ebe)
commit ec0c93199b934db0c91816b6dcf465dbb68d6aed
Author: Volker Lendecke <vl at samba.org>
Date: Tue Apr 18 12:29:34 2023 +0200
rpc: Remove named_pipe_auth_req_info6->need_idle_server
Involves bumping up the version number
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit bdba027a33e35aab7bb322bc3167cdd7babfc059)
commit e92fb837630f1dc4107085fb38b16905de0dbf25
Author: Volker Lendecke <vl at samba.org>
Date: Tue Apr 18 12:28:28 2023 +0200
rpc_server3: Use global_sid_Samba_NPA_Flags to pass "need_idle"
More code, but will be more flexible in the future.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 31180e0e6d9e43d54e7656a56ed3af129f578105)
commit e46af7b3322e52cf482180e4da1eefa6bff55e5b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Dec 22 17:48:26 2022 +1300
named_pipe_auth: Bump info5 to info6
In the next commit, we shall replace the 'authenticated' field of
named_pipe_auth_req_info.info5.session_info.session_info.info with a
more general 'user_flags' field.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 8aef16bbbc1e55f0a9f5a8ec87e5348688d93785)
commit 5a09eaf01aca6fb650973deca4f0142f26be9934
Author: Volker Lendecke <vl at samba.org>
Date: Tue Apr 18 12:09:45 2023 +0200
rpc: Add global_sid_Samba_NPA_Flags SID
This will be used as a flexible way to pass per-RPC-connection flags
over ncalrpc to the RPC server without having to modify
named_pipe_auth_req_info6 every time something new needs to be
passed. It's modeled after global_sid_Samba_SMB3.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit ebbb93cc7a57a118b82b8f383d25f1eb022397d6)
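The commit message above describes the flag-SID mechanism only in prose. As an added illustration (example code written for this page, not Samba's own implementation), here is a simplified C model of it: a prefix SID gets one extra sub-authority that carries a bitmask of per-connection flags, and the receiving side trusts the flags only when exactly one such SID is present in the token. In Samba the prefix is global_sid_Samba_NPA_Flags and the counting helper is security_token_count_flag_sids(); the struct layout, the constructed prefix S-1-22-4242, the FLAG_* values and every function name below are this example's own assumptions.

```c
/*
 * Added example, not Samba code: a simplified model of the flag-SID scheme
 * described above.  A prefix SID gets one extra sub-authority carrying a
 * bitmask of per-connection flags; the receiver trusts the flags only when
 * exactly one such SID is present.  Struct layout, the prefix S-1-22-4242,
 * the FLAG_* values and all function names are this example's assumptions.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_SUB_AUTHS 15
#define FLAG_NEED_IDLE   1u /* hypothetical, modelled on SAMBA_NPA_FLAGS_* */
#define FLAG_WINBIND_OFF 2u

struct sid {
	uint8_t  id_auth;   /* identifier authority; 22 is Samba's "Unix" authority */
	uint8_t  num_auths;
	uint32_t sub_auths[MAX_SUB_AUTHS];
};
struct token {
	size_t num_sids;
	struct sid sids[8];
};
static const struct sid npa_flags_prefix = {22, 1, {4242}}; /* constructed */

/* True if sid is prefix plus exactly num_flags trailing sub-authorities. */
static bool sid_has_prefix(const struct sid *sid, const struct sid *prefix,
			   size_t num_flags)
{
	if (sid->id_auth != prefix->id_auth ||
	    (size_t)sid->num_auths != (size_t)prefix->num_auths + num_flags) {
		return false;
	}
	return memcmp(sid->sub_auths, prefix->sub_auths,
		      prefix->num_auths * sizeof(uint32_t)) == 0;
}

/* Sender side: append the flag word as one more sub-authority. */
bool make_flag_sid(struct sid *out, const struct sid *prefix, uint32_t flags)
{
	if (prefix->num_auths + 1 > MAX_SUB_AUTHS) {
		return false;
	}
	*out = *prefix;
	out->sub_auths[out->num_auths++] = flags;
	return true;
}

/* Receiver side: count SIDs matching the prefix; hand back the flag word only
 * when exactly one match exists, so two competing flag SIDs are ambiguous. */
size_t count_flag_sids(const struct token *tok, const struct sid *prefix,
		       uint32_t *flags)
{
	const struct sid *found = NULL;
	size_t i, num = 0;
	for (i = 0; i < tok->num_sids; i++) {
		if (sid_has_prefix(&tok->sids[i], prefix, 1)) {
			num += 1;
			found = &tok->sids[i];
		}
	}
	if (num == 1 && flags != NULL) {
		*flags = found->sub_auths[found->num_auths - 1];
	}
	return num;
}

/* 1 if flag is set, 0 if clear, -1 if the flag SID is missing or ambiguous. */
int npa_flag_set(const struct token *tok, uint32_t flag)
{
	uint32_t flags = 0;
	if (count_flag_sids(tok, &npa_flags_prefix, &flags) != 1) {
		return -1;
	}
	return (flags & flag) ? 1 : 0;
}

/* Scenario driver on a constructed token: one ordinary user SID plus
 * num_flag_sids flag SIDs (the first carrying first_word, the rest 0).
 * Returns npa_flag_set()'s verdict for FLAG_NEED_IDLE. */
int demo_need_idle(size_t num_flag_sids, uint32_t first_word)
{
	struct sid user = {5, 2, {21, 1234}}; /* constructed, not a real account */
	struct token tok = { .num_sids = 0 };
	size_t i;
	tok.sids[tok.num_sids++] = user;
	for (i = 0; i < num_flag_sids && tok.num_sids < 8; i++) {
		make_flag_sid(&tok.sids[tok.num_sids++], &npa_flags_prefix,
			      i == 0 ? first_word : 0);
	}
	return npa_flag_set(&tok, FLAG_NEED_IDLE);
}

int main(void)
{
	printf("set=%d clear=%d two=%d none=%d\n", demo_need_idle(1, FLAG_NEED_IDLE),
	       demo_need_idle(1, FLAG_WINBIND_OFF), demo_need_idle(2, FLAG_NEED_IDLE),
	       demo_need_idle(0, 0));
	return 0;
}
```

The design point worth taking from the model is the exactly-one rule: a consumer that simply took the first matching SID would let a token carrying two flag SIDs with contradicting bits pick whichever happens to come first, whereas counting and refusing anything other than one match makes the ambiguous case a hard failure that the caller has to handle.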
commit 40378826afbd370d087efb248edfb68d7f385f47
Author: Volker Lendecke <vl at samba.org>
Date: Tue Apr 18 12:04:17 2023 +0200
librpc: Simplify dcerpc_is_transport_encrypted()
Simplify logic by using security_token_count_flag_sids()
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 1d11e0489b2c91fc05c6befc0463695d7102abcc)
commit dc2606e10e1905215daa5d982b5fa57bebe6e296
Author: Volker Lendecke <vl at samba.org>
Date: Tue Apr 18 12:01:02 2023 +0200
smbd: Use security_token_count_flag_sids() in open_np_file()
Simpler logic in the caller
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 244ee8ad75c2c968997dfdd5eeb9e9cb97a191fb)
commit 8ed6bbcb555f089d80e32e5d26c9aae6c2918d1f
Author: Volker Lendecke <vl at samba.org>
Date: Tue Apr 18 11:31:16 2023 +0200
libcli: Add security_token_count_flag_sids()
To be used in a few places when checking special-case Samba SIDs.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 5e8c7192ba5469547ba3101885dfbaba2f8181f4)
commit 74449f2afcc4559aeee1888c048965866cb3a4c2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Apr 26 10:31:51 2023 +1200
samba-tool domain: Run in interactive mode if no args are supplied
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15363
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(backported from commit f1281b80c1ad68d380ce91c13076f6a60fbc627e)
[jsutton at samba.org Adapted to provisioning code refactor in commit
5986937d12c237121d4e62fa6dfa0f5dadec263d]
commit cae050cf785575b3d66ad2093ac48d7f1e9652e8
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue May 16 13:09:23 2023 +0200
librpc/rpc: allow smb3_sid_parse() to accept modern encryption algorithms
We should not limit the possible encryption algorithms to the currently
known ones.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15374
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Volker Lendecke <vl at samba.org>
Autobuild-User(master): Volker Lendecke <vl at samba.org>
Autobuild-Date(master): Wed May 17 07:34:28 UTC 2023 on atb-devel-224
(cherry picked from commit e03e738dfc96b3c8ce54e2d280143965713f4778)
-----------------------------------------------------------------------
Summary of changes:
libcli/named_pipe_auth/npa_tstream.c | 144 +++++++++++++++++++----------------
libcli/named_pipe_auth/npa_tstream.h | 4 +-
libcli/security/dom_sid.h | 4 +
libcli/security/security_token.c | 36 +++++++++
libcli/security/security_token.h | 9 +++
libcli/security/util_sid.c | 7 ++
librpc/idl/named_pipe_auth.idl | 9 +--
librpc/rpc/dcerpc_helper.c | 32 ++++----
librpc/rpc/dcesrv_core.c | 17 +++++
librpc/rpc/dcesrv_core.h | 1 +
python/samba/netcmd/domain.py | 2 +-
source3/include/proto.h | 3 +
source3/lib/util_sid.c | 34 +++++++++
source3/librpc/idl/rpc_host.idl | 2 +-
source3/rpc_client/local_np.c | 105 ++++++++++++++++++-------
source3/rpc_server/rpc_host.c | 115 ++++++++++++++++------------
source3/rpc_server/rpc_worker.c | 112 ++++++++++++++++-----------
source3/smbd/smb2_pipes.c | 23 +++---
18 files changed, 432 insertions(+), 227 deletions(-)
Changeset truncated at 500 lines:
diff --git a/libcli/named_pipe_auth/npa_tstream.c b/libcli/named_pipe_auth/npa_tstream.c
index 506c4a35681..f84440fe755 100644
--- a/libcli/named_pipe_auth/npa_tstream.c
+++ b/libcli/named_pipe_auth/npa_tstream.c
@@ -73,7 +73,7 @@ struct tevent_req *tstream_npa_connect_send(TALLOC_CTX *mem_ctx,
int ret;
enum ndr_err_code ndr_err;
char *lower_case_npipe;
- struct named_pipe_auth_req_info5 *info5;
+ struct named_pipe_auth_req_info7 *info7;
req = tevent_req_create(mem_ctx, &state,
struct tstream_npa_connect_state);
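Review bot: the level jumps straight from info5 to info7 in this combined branch diff, while the commit messages describe a bump to info6 (e46af7b3322) followed by a second bump when need_idle_server is removed (ec0c93199b9, "Involves bumping up the version number"); that second message should state explicitly that it moves the level from 6 to 7, so that a reader of this squashed diff understands why info6 never appears in it.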
@@ -119,39 +119,43 @@ struct tevent_req *tstream_npa_connect_send(TALLOC_CTX *mem_ctx,
goto post;
}
- state->auth_req.level = 5;
- info5 = &state->auth_req.info.info5;
+ state->auth_req.level = 7;
+ info7 = &state->auth_req.info.info7;
- info5->transport = transport;
- SMB_ASSERT(info5->transport == transport); /* Assert no overflow */
+ info7->transport = transport;
+ SMB_ASSERT(info7->transport == transport); /* Assert no overflow */
- info5->remote_client_name = remote_client_name_in;
- info5->remote_client_addr = tsocket_address_inet_addr_string(remote_client_addr,
- state);
- if (!info5->remote_client_addr) {
+ info7->remote_client_name = remote_client_name_in;
+ info7->remote_client_addr =
+ tsocket_address_inet_addr_string(remote_client_addr, state);
+ if (!info7->remote_client_addr) {
/* errno might be EINVAL */
tevent_req_error(req, errno);
goto post;
}
- info5->remote_client_port = tsocket_address_inet_port(remote_client_addr);
- if (!info5->remote_client_name) {
- info5->remote_client_name = info5->remote_client_addr;
+ info7->remote_client_port =
+ tsocket_address_inet_port(remote_client_addr);
+ if (!info7->remote_client_name) {
+ info7->remote_client_name = info7->remote_client_addr;
}
- info5->local_server_name = local_server_name_in;
- info5->local_server_addr = tsocket_address_inet_addr_string(local_server_addr,
- state);
- if (!info5->local_server_addr) {
+ info7->local_server_name = local_server_name_in;
+ info7->local_server_addr =
+ tsocket_address_inet_addr_string(local_server_addr, state);
+ if (!info7->local_server_addr) {
/* errno might be EINVAL */
tevent_req_error(req, errno);
goto post;
}
- info5->local_server_port = tsocket_address_inet_port(local_server_addr);
- if (!info5->local_server_name) {
- info5->local_server_name = info5->local_server_addr;
+ info7->local_server_port =
+ tsocket_address_inet_port(local_server_addr);
+ if (!info7->local_server_name) {
+ info7->local_server_name = info7->local_server_addr;
}
- info5->session_info = discard_const_p(struct auth_session_info_transport, session_info);
+ info7->session_info =
+ discard_const_p(struct auth_session_info_transport,
+ session_info);
if (DEBUGLVL(10)) {
NDR_PRINT_DEBUG(named_pipe_auth_req, &state->auth_req);
@@ -348,10 +352,10 @@ int _tstream_npa_connect_recv(struct tevent_req *req,
npas->unix_stream = talloc_move(stream, &state->unix_stream);
switch (state->auth_rep.level) {
- case 5:
- npas->file_type = state->auth_rep.info.info5.file_type;
- device_state = state->auth_rep.info.info5.device_state;
- allocation_size = state->auth_rep.info.info5.allocation_size;
+ case 7:
+ npas->file_type = state->auth_rep.info.info7.file_type;
+ device_state = state->auth_rep.info.info7.device_state;
+ allocation_size = state->auth_rep.info.info7.allocation_size;
break;
}
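Review bot: the switch on state->auth_rep.level has no default branch, so a reply at any level other than 7 leaves npas->file_type, device_state and allocation_size at whatever they were initialised to and the function carries on as if the reply were valid; unless the level is already rejected where the reply is pulled, add a default that fails the request the same way the other error paths in this function do. Pre-existing with level 5, but this hunk is the natural place to fix it.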
@@ -1084,7 +1088,7 @@ static void tstream_npa_accept_existing_reply(struct tevent_req *subreq)
tevent_req_data(req, struct tstream_npa_accept_state);
struct named_pipe_auth_req *pipe_request;
struct named_pipe_auth_rep pipe_reply;
- struct named_pipe_auth_req_info5 i5;
+ struct named_pipe_auth_req_info7 i7;
enum ndr_err_code ndr_err;
DATA_BLOB in, out;
int err;
@@ -1147,53 +1151,59 @@ static void tstream_npa_accept_existing_reply(struct tevent_req *subreq)
NDR_PRINT_DEBUG(named_pipe_auth_req, pipe_request);
}
- ZERO_STRUCT(i5);
+ ZERO_STRUCT(i7);
- if (pipe_request->level != 5) {
+ if (pipe_request->level != 7) {
DEBUG(0, ("Unknown level %u\n", pipe_request->level));
pipe_reply.level = 0;
pipe_reply.status = NT_STATUS_INVALID_LEVEL;
goto reply;
}
- pipe_reply.level = 5;
+ pipe_reply.level = 7;
pipe_reply.status = NT_STATUS_OK;
- pipe_reply.info.info5.file_type = state->file_type;
- pipe_reply.info.info5.device_state = state->device_state;
- pipe_reply.info.info5.allocation_size = state->alloc_size;
+ pipe_reply.info.info7.file_type = state->file_type;
+ pipe_reply.info.info7.device_state = state->device_state;
+ pipe_reply.info.info7.allocation_size = state->alloc_size;
- i5 = pipe_request->info.info5;
- if (i5.local_server_addr == NULL) {
+ i7 = pipe_request->info.info7;
+ if (i7.local_server_addr == NULL) {
pipe_reply.status = NT_STATUS_INVALID_ADDRESS;
DEBUG(2, ("Missing local server address\n"));
goto reply;
}
- if (i5.remote_client_addr == NULL) {
+ if (i7.remote_client_addr == NULL) {
pipe_reply.status = NT_STATUS_INVALID_ADDRESS;
DEBUG(2, ("Missing remote client address\n"));
goto reply;
}
- ret = tsocket_address_inet_from_strings(state, "ip",
- i5.local_server_addr,
- i5.local_server_port,
+ ret = tsocket_address_inet_from_strings(state,
+ "ip",
+ i7.local_server_addr,
+ i7.local_server_port,
&state->local_server_addr);
if (ret != 0) {
- DEBUG(2, ("Invalid local server address[%s:%u] - %s\n",
- i5.local_server_addr, i5.local_server_port,
- strerror(errno)));
+ DEBUG(2,
+ ("Invalid local server address[%s:%u] - %s\n",
+ i7.local_server_addr,
+ i7.local_server_port,
+ strerror(errno)));
pipe_reply.status = NT_STATUS_INVALID_ADDRESS;
goto reply;
}
- ret = tsocket_address_inet_from_strings(state, "ip",
- i5.remote_client_addr,
- i5.remote_client_port,
+ ret = tsocket_address_inet_from_strings(state,
+ "ip",
+ i7.remote_client_addr,
+ i7.remote_client_port,
&state->remote_client_addr);
if (ret != 0) {
- DEBUG(2, ("Invalid remote client address[%s:%u] - %s\n",
- i5.remote_client_addr, i5.remote_client_port,
- strerror(errno)));
+ DEBUG(2,
+ ("Invalid remote client address[%s:%u] - %s\n",
+ i7.remote_client_addr,
+ i7.remote_client_port,
+ strerror(errno)));
pipe_reply.status = NT_STATUS_INVALID_ADDRESS;
goto reply;
}
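Review bot: the "Unknown level %u" message in the rejected-level branch should also print the level this build expects (7), since after this series a peer built from an older revision fails here with NT_STATUS_INVALID_LEVEL and the operator otherwise sees only the number the peer sent. Separately, both reflowed DEBUG(2, ...) blocks read errno via strerror(errno) inside the DEBUG() body; if the debug-level check and header output run before the body is evaluated, errno can be overwritten in between, so saving it into a local immediately after tsocket_address_inet_from_strings() is safer. Both points are pre-existing, but the hunk touches every one of these lines.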
@@ -1249,14 +1259,15 @@ static void tstream_npa_accept_existing_done(struct tevent_req *subreq)
tevent_req_done(req);
}
-static struct named_pipe_auth_req_info5 *copy_npa_info5(
- TALLOC_CTX *mem_ctx, const struct named_pipe_auth_req_info5 *src)
+static struct named_pipe_auth_req_info7 *
+copy_npa_info7(TALLOC_CTX *mem_ctx,
+ const struct named_pipe_auth_req_info7 *src)
{
- struct named_pipe_auth_req_info5 *dst = NULL;
+ struct named_pipe_auth_req_info7 *dst = NULL;
DATA_BLOB blob;
enum ndr_err_code ndr_err;
- dst = talloc_zero(mem_ctx, struct named_pipe_auth_req_info5);
+ dst = talloc_zero(mem_ctx, struct named_pipe_auth_req_info7);
if (dst == NULL) {
return NULL;
}
@@ -1265,9 +1276,9 @@ static struct named_pipe_auth_req_info5 *copy_npa_info5(
&blob,
dst,
src,
- (ndr_push_flags_fn_t)ndr_push_named_pipe_auth_req_info5);
+ (ndr_push_flags_fn_t)ndr_push_named_pipe_auth_req_info7);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- DBG_WARNING("ndr_push_named_pipe_auth_req_info5 failed: %s\n",
+ DBG_WARNING("ndr_push_named_pipe_auth_req_info7 failed: %s\n",
ndr_errstr(ndr_err));
TALLOC_FREE(dst);
return NULL;
@@ -1277,10 +1288,10 @@ static struct named_pipe_auth_req_info5 *copy_npa_info5(
&blob,
dst,
dst,
- (ndr_pull_flags_fn_t)ndr_pull_named_pipe_auth_req_info5);
+ (ndr_pull_flags_fn_t)ndr_pull_named_pipe_auth_req_info7);
TALLOC_FREE(blob.data);
if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
- DBG_WARNING("ndr_push_named_pipe_auth_req_info5 failed: %s\n",
+ DBG_WARNING("ndr_push_named_pipe_auth_req_info7 failed: %s\n",
ndr_errstr(ndr_err));
TALLOC_FREE(dst);
return NULL;
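Review bot: the DBG_WARNING in this hunk still says "ndr_push_named_pipe_auth_req_info7 failed" although the call it reports on is ndr_pull_named_pipe_auth_req_info7 (the line just above it); the rename carried over a pre-existing copy-and-paste error. Change the text to "ndr_pull_named_pipe_auth_req_info7 failed: %s\n" so the push and pull failures in copy_npa_info7() can be told apart in the logs.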
@@ -1294,7 +1305,7 @@ int _tstream_npa_accept_existing_recv(
int *perrno,
TALLOC_CTX *mem_ctx,
struct tstream_context **stream,
- struct named_pipe_auth_req_info5 **info5,
+ struct named_pipe_auth_req_info7 **info7,
enum dcerpc_transport_t *transport,
struct tsocket_address **remote_client_addr,
char **_remote_client_name,
@@ -1305,7 +1316,8 @@ int _tstream_npa_accept_existing_recv(
{
struct tstream_npa_accept_state *state =
tevent_req_data(req, struct tstream_npa_accept_state);
- struct named_pipe_auth_req_info5 *i5 = &state->pipe_request->info.info5;
+ struct named_pipe_auth_req_info7 *i7 =
+ &state->pipe_request->info.info7;
struct tstream_npa *npas;
int ret;
@@ -1346,24 +1358,24 @@ int _tstream_npa_accept_existing_recv(
npas->unix_stream = state->plain;
npas->file_type = state->file_type;
- if (info5 != NULL) {
+ if (info7 != NULL) {
/*
- * Make a full copy of "info5" because further down we
+ * Make a full copy of "info7" because further down we
* talloc_move() away substructures from
* state->pipe_request.
*/
- struct named_pipe_auth_req_info5 *dst = copy_npa_info5(
- mem_ctx, i5);
+ struct named_pipe_auth_req_info7 *dst =
+ copy_npa_info7(mem_ctx, i7);
if (dst == NULL) {
*perrno = ENOMEM;
tevent_req_received(req);
return -1;
}
- *info5 = dst;
+ *info7 = dst;
}
if (transport != NULL) {
- *transport = i5->transport;
+ *transport = i7->transport;
}
if (remote_client_addr != NULL) {
*remote_client_addr = talloc_move(
@@ -1371,7 +1383,8 @@ int _tstream_npa_accept_existing_recv(
}
if (_remote_client_name != NULL) {
*_remote_client_name = discard_const_p(
- char, talloc_move(mem_ctx, &i5->remote_client_name));
+ char,
+ talloc_move(mem_ctx, &i7->remote_client_name));
}
if (local_server_addr != NULL) {
*local_server_addr = talloc_move(
@@ -1379,10 +1392,11 @@ int _tstream_npa_accept_existing_recv(
}
if (local_server_name != NULL) {
*local_server_name = discard_const_p(
- char, talloc_move(mem_ctx, &i5->local_server_name));
+ char,
+ talloc_move(mem_ctx, &i7->local_server_name));
}
if (session_info != NULL) {
- *session_info = talloc_move(mem_ctx, &i5->session_info);
+ *session_info = talloc_move(mem_ctx, &i7->session_info);
}
tevent_req_received(req);
diff --git a/libcli/named_pipe_auth/npa_tstream.h b/libcli/named_pipe_auth/npa_tstream.h
index 1d7e93dc0fa..ebb6d16e428 100644
--- a/libcli/named_pipe_auth/npa_tstream.h
+++ b/libcli/named_pipe_auth/npa_tstream.h
@@ -27,7 +27,7 @@ struct tevent_req;
struct tevent_context;
struct auth_session_info_transport;
struct tsocket_address;
-struct named_pipe_auth_req_info5;
+struct named_pipe_auth_req_info7;
struct tevent_req *tstream_npa_connect_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
@@ -114,7 +114,7 @@ int _tstream_npa_accept_existing_recv(
int *perrno,
TALLOC_CTX *mem_ctx,
struct tstream_context **stream,
- struct named_pipe_auth_req_info5 **info5,
+ struct named_pipe_auth_req_info7 **info7,
enum dcerpc_transport_t *transport,
struct tsocket_address **remote_client_addr,
char **_remote_client_name,
diff --git a/libcli/security/dom_sid.h b/libcli/security/dom_sid.h
index 568916a159d..c362fa6fe80 100644
--- a/libcli/security/dom_sid.h
+++ b/libcli/security/dom_sid.h
@@ -66,6 +66,10 @@ extern const struct dom_sid global_sid_Unix_NFS_Mode;
extern const struct dom_sid global_sid_Unix_NFS_Other;
extern const struct dom_sid global_sid_Samba_SMB3;
+extern const struct dom_sid global_sid_Samba_NPA_Flags;
+#define SAMBA_NPA_FLAGS_NEED_IDLE 1
+#define SAMBA_NPA_FLAGS_WINBIND_OFF 2
+
enum lsa_SidType;
NTSTATUS dom_sid_lookup_predefined_name(const char *name,
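Review bot: the two SAMBA_NPA_FLAGS_* defines need a comment stating that they are bit flags OR-ed into the single sub-authority appended after global_sid_Samba_NPA_Flags (which is what the num_flags argument of security_token_count_flag_sids() counts), and that SAMBA_NPA_FLAGS_WINBIND_OFF is the on-the-wire form of the _NO_WINBINDD state described in the top commit message; without it the relation between these values and the SID layout has to be reverse-engineered from rpc_host.c and rpc_worker.c, which are not even in the truncated part of this mail.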
diff --git a/libcli/security/security_token.c b/libcli/security/security_token.c
index 03e7bb70743..f788540e98e 100644
--- a/libcli/security/security_token.c
+++ b/libcli/security/security_token.c
@@ -95,6 +95,42 @@ bool security_token_has_sid(const struct security_token *token, const struct dom
return false;
}
+size_t security_token_count_flag_sids(const struct security_token *token,
+ const struct dom_sid *prefix_sid,
+ size_t num_flags,
+ const struct dom_sid **_flag_sid)
+{
+ const size_t num_auths_expected = prefix_sid->num_auths + num_flags;
+ const struct dom_sid *found = NULL;
+ size_t num = 0;
+ uint32_t i;
+
+ SMB_ASSERT(num_auths_expected <= ARRAY_SIZE(prefix_sid->sub_auths));
+
+ for (i = 0; i < token->num_sids; i++) {
+ const struct dom_sid *sid = &token->sids[i];
+ int cmp;
+
+ if ((size_t)sid->num_auths != num_auths_expected) {
+ continue;
+ }
+
+ cmp = dom_sid_compare_domain(sid, prefix_sid);
+ if (cmp != 0) {
+ continue;
+ }
+
+ num += 1;
+ found = sid;
+ }
+
+ if ((num == 1) && (_flag_sid != NULL)) {
+ *_flag_sid = found;
+ }
+
+ return num;
+}
+
bool security_token_has_builtin_guests(const struct security_token *token)
{
return security_token_has_sid(token, &global_sid_Builtin_Guests);
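Review bot: security_token_count_flag_sids() writes *_flag_sid only when exactly one match was found and leaves it untouched otherwise, so a caller that pre-initialises the pointer and then tests it for NULL instead of testing the return value == 1 would silently accept a token with zero or several flag SIDs. Either assign *_flag_sid = NULL unconditionally at the top of the function (when _flag_sid is non-NULL), or document in the header that the return value must be checked before the out-pointer is used.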
diff --git a/libcli/security/security_token.h b/libcli/security/security_token.h
index 15773df617f..c6898859b98 100644
--- a/libcli/security/security_token.h
+++ b/libcli/security/security_token.h
@@ -47,6 +47,15 @@ bool security_token_is_anonymous(const struct security_token *token);
bool security_token_has_sid(const struct security_token *token, const struct dom_sid *sid);
+/*
+ * Return any of the domain sids found in the token matching "domain"
+ * in _domain_sid, makes most sense if you just found one.
+ */
+size_t security_token_count_flag_sids(const struct security_token *token,
+ const struct dom_sid *prefix_sid,
+ size_t num_flags,
+ const struct dom_sid **_flag_sid);
+
bool security_token_has_builtin_guests(const struct security_token *token);
bool security_token_has_builtin_administrators(const struct security_token *token);
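Review bot: the new doc comment talks about "domain" and "_domain_sid", neither of which is a parameter of the function it documents (prefix_sid and _flag_sid); it reads as copied from a different helper. Rewrite it to say that the function counts the SIDs in token whose leading prefix_sid->num_auths sub-authorities match prefix_sid and which carry exactly num_flags further sub-authorities, and that *_flag_sid is set only when that count is exactly 1.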
diff --git a/libcli/security/util_sid.c b/libcli/security/util_sid.c
index 242d7dd9dd1..a0b77751b78 100644
--- a/libcli/security/util_sid.c
+++ b/libcli/security/util_sid.c
@@ -162,6 +162,13 @@ const struct dom_sid global_sid_Unix_NFS_Other = /* Unix other, MS NFS and Appl
const struct dom_sid global_sid_Samba_SMB3 =
{1, 1, {0,0,0,0,0,22}, {1397571891, }};
+const struct dom_sid global_sid_Samba_NPA_Flags = {1,
+ 1,
+ {0, 0, 0, 0, 0, 22},
+ {
+ 2041152804,
+ }};
+
/* Unused, left here for documentary purposes */
#if 0
#define SECURITY_NULL_SID_AUTHORITY 0
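Review bot: the new initialiser is spread over six lines while global_sid_Samba_SMB3 directly above it is a two-line literal; use one layout for adjacent definitions. A comment giving the textual form of the SID (S-1-22-2041152804, from revision 1, authority 22 and the single sub-authority) and pointing at the SAMBA_NPA_FLAGS_* defines would also help, as the SID is otherwise only findable by its numeric value.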
diff --git a/librpc/idl/named_pipe_auth.idl b/librpc/idl/named_pipe_auth.idl
index 6f26cceab17..b2c9201d1ce 100644
--- a/librpc/idl/named_pipe_auth.idl
+++ b/librpc/idl/named_pipe_auth.idl
@@ -21,11 +21,10 @@ interface named_pipe_auth
[charset(DOS),string] uint8 *local_server_addr;
uint16 local_server_port;
auth_session_info_transport *session_info;
- boolean8 need_idle_server;
- } named_pipe_auth_req_info5;
+ } named_pipe_auth_req_info7;
typedef [switch_type(uint32)] union {
- [case(5)] named_pipe_auth_req_info5 info5;
+ [case(7)] named_pipe_auth_req_info7 info7;
} named_pipe_auth_req_info;
typedef [public,gensize] struct {
@@ -41,10 +40,10 @@ interface named_pipe_auth
uint16 file_type;
uint16 device_state;
hyper allocation_size;
- } named_pipe_auth_rep_info5;
+ } named_pipe_auth_rep_info7;
typedef [switch_type(uint32)] union {
- [case(5)] named_pipe_auth_rep_info5 info5;
+ [case(7)] named_pipe_auth_rep_info7 info7;
} named_pipe_auth_rep_info;
typedef [public,gensize] struct {
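Review bot: named_pipe_auth_req_info and named_pipe_auth_rep_info keep only [case(7)], so a client and server built from different points of this series (level 5 or 6 on one side, 7 on the other) cannot talk at all; that is acceptable for the local ncalrpc channel between smbd/winbind and rpcd_* when they ship as one package, but the commit message should say so explicitly. It is also worth noting in the message that named_pipe_auth_rep_info7 is identical to rep_info5 apart from its name; only the request side changed.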
diff --git a/librpc/rpc/dcerpc_helper.c b/librpc/rpc/dcerpc_helper.c
index cf0deeb2079..e1589f90794 100644
--- a/librpc/rpc/dcerpc_helper.c
+++ b/librpc/rpc/dcerpc_helper.c
@@ -20,6 +20,7 @@
#include "librpc/gen_ndr/auth.h"
#include "lib/crypto/gnutls_helpers.h"
#include "libcli/security/dom_sid.h"
+#include "libcli/security/security_token.h"
#include "libcli/smb/smb2_constants.h"
#include "dcerpc_helper.h"
@@ -48,7 +49,12 @@ static bool smb3_sid_parse(const struct dom_sid *sid,
}
cipher = sid->sub_auths[3];
- if (cipher > SMB2_ENCRYPTION_AES128_GCM) {
+ if (cipher > 256) {
+ /*
+ * It is unlikely that we
+ * ever have more then 256
+ * encryption algorithms
+ */
return false;
}
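Review bot: the new comment has a typo ("more then" should be "more than"), and the bare 256 should be a named constant; `cipher > 256` also admits 257 values (0..256), so either use `>= 256` or say in the comment that the bound is only a sanity limit. The substance is right: with the old `cipher > SMB2_ENCRYPTION_AES128_GCM` bound, smb3_sid_parse() rejected the SID for any cipher id newer than AES-128-GCM, which is presumably why dcerpc_is_transport_encrypted() reported such SMB3 sessions as not encrypted (bug 15374).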
@@ -75,23 +81,17 @@ bool dcerpc_is_transport_encrypted(struct auth_session_info *session_info)
uint16_t dialect = 0;
uint16_t encrypt = 0;
uint16_t cipher = 0;
- uint32_t i;
+ size_t num_smb3_sids;
bool ok;
- for (i = 0; i < token->num_sids; i++) {
- int cmp;
-
- /* There is only one SMB3 SID allowed! */
- cmp = dom_sid_compare_domain(&token->sids[i], &smb3_dom_sid);
- if (cmp == 0) {
- if (smb3_sid == NULL) {
- smb3_sid = &token->sids[i];
- } else {
- DBG_ERR("ERROR: The SMB3 SID has been detected "
- "multiple times\n");
- return false;
- }
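Review bot: the mail is cut off inside this hunk (changeset truncated at 500 lines), so the replacement for the removed loop is not visible here. The deleted code enforced "only one SMB3 SID allowed" by returning false on a second match; security_token_count_flag_sids() (see the security_token.c hunk) returns the match count and fills its out-pointer only when that count is exactly 1, so the caller must treat every return value other than 1 as "not encrypted", not only 0. Please confirm the full commit (1d11e0489b2c, "Simplify logic by using security_token_count_flag_sids()") keeps that check and the DBG_ERR for the duplicate case.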
--
Samba Shared Repository