svn commit: samba r9601 - in trunk/source/rpc_server: .

Jeremy Allison jra at samba.org
Thu Aug 25 21:17:26 GMT 2005


On Fri, Aug 26, 2005 at 07:04:45AM +1000, Andrew Bartlett wrote:
> On Thu, 2005-08-25 at 08:59 -0700, Jeremy Allison wrote:
> > On Thu, Aug 25, 2005 at 10:05:46AM +0200, Stefan (metze) Metzmacher wrote:
> > > > Modified: trunk/source/rpc_server/srv_pipe.c
> > > > ===================================================================
> > > > --- trunk/source/rpc_server/srv_pipe.c	2005-08-25 00:57:21 UTC (rev 9600)
> > > > +++ trunk/source/rpc_server/srv_pipe.c	2005-08-25 01:02:14 UTC (rev 9601)
> > > > @@ -2081,13 +2081,17 @@
> > > >  BOOL api_pipe_request(pipes_struct *p)
> > > >  {
> > > >  	BOOL ret = False;
> > > > +	BOOL changed_user = False;
> > > >  	PIPE_RPC_FNS *pipe_fns;
> > > >
> > > > -	if (p->pipe_bound && p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
> > > > +	if (p->pipe_bound &&
> > > > +			((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
> > > > +			 (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) {
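
Review bot: the condition on `p->auth.auth_type` lists the two NTLMSSP variants by name, so any pipe auth type not listed there skips this branch with nothing in the code to say whether that is intended. Add a comment above the `if` stating which auth types are deliberately left out and why, or move the test into a small helper so a later auth type has a single place to be added. The new `changed_user` flag is declared at the top of `api_pipe_request()`, but the visible lines do not show where it is set or read; check that every return path reached after it is set is covered by the cleanup it guards.
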
> > > 
> > > Hi Jeremy,
> > > 
> > > maybe just use p->auth.auth_type != PIPE_AUTH_TYPE_NONE
> > > ( != 0)
> > > 
> > > do we become the user for the ipc$ share before?
> > > as with auth_type == 0 we need to run the call as the user that connected
> > > to the ipc$ share.
> > 
> > I can't do that as schannel doesn't change user I think. We are in
> > the security context of the user who connected to the ipc$ share when
> > auth type is none, this is changing to an authenticated user.
> 
> schannel should change user.  We have been warning for ages that this
> will happen, and removed the code that I added to allow machine account
> to be 'virtual' in any way.

Ok, so the user it should change to is the machine account
specified in net_auth2 ? I can look this up I'm just looking
for a quick confirmation or a "no you idiot" response :-).

Jeremy.

