[PATCH 4/5] s3-rpc: add server support for mgmt_inq_princ_name
David Disseldorp
ddiss at suse.de
Wed Jan 15 11:03:37 MST 2014
Thanks for the feedback metze.
On Mon, 06 Jan 2014 13:07:04 +0100
"Stefan (metze) Metzmacher" <metze at samba.org> wrote:
> On 06.01.2014 06:20, David Disseldorp wrote:
> > Return the server's service principal name, as defined in MS-RPCE
> > 2.2.1.3.4. This method is called by the diskshadow.exe FSRVP client.
> >
> > Signed-off-by: David Disseldorp <ddiss at samba.org>
> > ---
> > librpc/idl/mgmt.idl | 11 ++++++++++-
> > source3/rpc_server/mgmt/srv_mgmt_nt.c | 20 ++++++++++++++++++--
> > 2 files changed, 28 insertions(+), 3 deletions(-)
> >
> > diff --git a/librpc/idl/mgmt.idl b/librpc/idl/mgmt.idl
> > index 17c8cc4..d64e0c0 100644
> > --- a/librpc/idl/mgmt.idl
> > +++ b/librpc/idl/mgmt.idl
> > @@ -9,9 +9,18 @@ import "misc.idl";
> > version(1.0),
> > pointer_default(unique),
> > helpstring("DCE/RPC Remote Management")
> > -]
> > +]
> > interface mgmt
> > {
> > + /* MS-RPCE 2.2.1.1.7 Security Providers */
> > + const uint32 MGMT_AUTHN_NONE = 0x00;
> > + const uint32 MGMT_AUTHN_GSS_NEG = 0x09;
> > + const uint32 MGMT_AUTHN_WINNT = 0x0A;
> > + const uint32 MGMT_AUTHN_GSS_SCHANNEL = 0x0E;
> > + const uint32 MGMT_AUTHN_GSS_KERBEROS = 0x10;
> > + const uint32 MGMT_AUTHN_NETLOGON = 0x44;
> > + const uint32 MGMT_AUTHN_DEFAULT = 0xFF;
>
> Can you reuse the DCERPC_AUTH_TYPE_* values from dcerpc.idl?
There's some overlap with these values, but the mapping doesn't appear
to be consistent. I'd prefer to use the definitions above as they are
in MS-RPCE 2.2.1.1.7.
> > typedef struct {
> > ndr_syntax_id *id;
> > } ndr_syntax_id_p;
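Review bot: the "-]" / "+]" pair at the top of this hunk appears to differ only in whitespace, which is unrelated to adding the constants; drop it or move it into a separate cleanup commit. For the MGMT_AUTHN_* block, extend the comment to say that these values are deliberately kept separate from DCERPC_AUTH_TYPE_* and follow MS-RPCE 2.2.1.1.7, so a later reader does not merge the two sets.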
> > diff --git a/source3/rpc_server/mgmt/srv_mgmt_nt.c b/source3/rpc_server/mgmt/srv_mgmt_nt.c
> > index c0a4122..cf4563e 100644
> > --- a/source3/rpc_server/mgmt/srv_mgmt_nt.c
> > +++ b/source3/rpc_server/mgmt/srv_mgmt_nt.c
> > @@ -65,6 +65,22 @@ WERROR _mgmt_stop_server_listening(struct pipes_struct *p,
> > WERROR _mgmt_inq_princ_name(struct pipes_struct *p,
> > struct mgmt_inq_princ_name *r)
> > {
> > - p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
> > - return WERR_NOT_SUPPORTED;
> > + int ret;
> > +
> > + if (r->in.authn_proto != MGMT_AUTHN_GSS_NEG) {
> > + DEBUG(0, ("unsupported authn_proto %u\n",
> > + (unsigned)r->in.authn_proto));
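Review bot: the "r->in.authn_proto != MGMT_AUTHN_GSS_NEG" test treats every other value as unsupported, while the Windows results reported in this thread show 0x10 returning the same principal name and 0x0A returning an empty string; handle those two cases explicitly and map the remaining values to WERR_RPC_S_UNKNOWN_AUTHN_SERVICE. Separately, DEBUG(0, ...) is triggered by a value the client supplies, so any caller can produce level-0 log entries at will; a higher debug level suits an expected protocol error.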
>
> Is this really correct? Shouldn't we just return an empty principal name?
> What's with auth type 16?
I did some iterative testing against an AD member and standalone host...
2k12 AD member:
0x09 MGMT_AUTHN_GSS_NEG: lutze$@LURCH.SUSE.DE
0x0A MGMT_AUTHN_WINNT: (empty string)
0x10 MGMT_AUTHN_GSS_KERBEROS: lutze$@LURCH.SUSE.DE
Windows 8 standalone:
0x0A MGMT_AUTHN_WINNT: (empty string)
All other values (authn_proto <= 0xFF) returned WERR_RPC_S_UNKNOWN_AUTHN_SERVICE.
I'll post a new round of patches with these minor modifications.
Cheers, David