[PATCH 4/5] s3-rpc: add server support for mgmt_inq_princ_name

Andrew Bartlett abartlet at samba.org
Wed Jan 15 11:59:53 MST 2014


On Wed, 2014-01-15 at 19:03 +0100, David Disseldorp wrote:
> Thanks for the feedback metze.
> 
> On Mon, 06 Jan 2014 13:07:04 +0100
> "Stefan (metze) Metzmacher" <metze at samba.org> wrote:
> 
> > On 06.01.2014 06:20, David Disseldorp wrote:
> > > Return the server's service principal name, as defined in MS-RPCE
> > > 2.2.1.3.4. This method is called by the diskshadow.exe FSRVP client.
> > > 
> > > Signed-off-by: David Disseldorp <ddiss at samba.org>
> > > ---
> > >  librpc/idl/mgmt.idl                   | 11 ++++++++++-
> > >  source3/rpc_server/mgmt/srv_mgmt_nt.c | 20 ++++++++++++++++++--
> > >  2 files changed, 28 insertions(+), 3 deletions(-)
> > > 
> > > diff --git a/librpc/idl/mgmt.idl b/librpc/idl/mgmt.idl
> > > index 17c8cc4..d64e0c0 100644
> > > --- a/librpc/idl/mgmt.idl
> > > +++ b/librpc/idl/mgmt.idl
> > > @@ -9,9 +9,18 @@ import "misc.idl";
> > >    version(1.0),
> > >    pointer_default(unique),
> > >    helpstring("DCE/RPC Remote Management")
> > > -] 
> > > +]
> > >  interface mgmt
> > >  {
> > > +	/* MS-RPCE 2.2.1.1.7 Security Providers */
> > > +	const uint32 MGMT_AUTHN_NONE = 0x00;
> > > +	const uint32 MGMT_AUTHN_GSS_NEG = 0x09;
> > > +	const uint32 MGMT_AUTHN_WINNT = 0x0A;
> > > +	const uint32 MGMT_AUTHN_GSS_SCHANNEL = 0x0E;
> > > +	const uint32 MGMT_AUTHN_GSS_KERBEROS = 0x10;
> > > +	const uint32 MGMT_AUTHN_NETLOGON = 0x44;
> > > +	const uint32 MGMT_AUTHN_DEFAULT = 0xFF;
> > 
> > Can you reuse the DCERPC_AUTH_TYPE_* values from dcerpc.idl?
> 
> There's some overlap with these values, but the mapping doesn't appear
> to be consistent. I'd prefer to use the definitions above as they are
> in MS-RPCE 2.2.1.1.7.

What exactly are the differences?  I'm very cautious about this kind of
duplication; my experience in the auth area is that this stuff really is
defined only once, and that what we have seen as differences turns out
to be misunderstandings or an incomplete view.

> > >  	typedef struct {
> > >  		ndr_syntax_id *id;
> > >  	} ndr_syntax_id_p;
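
Review bot: The seven MGMT_AUTHN_* values are declared as loose `const uint32` lines, so nothing in the IDL ties them to the authn_proto argument that srv_mgmt_nt.c compares against; declaring them as a single enum used for that argument would let the generated code and debug output carry the names. Since the thread already questions the overlap with DCERPC_AUTH_TYPE_*, the comment above the block should also say how the two sets relate, so auth-type numbers are not silently maintained in two places. The `-] ` to `+]` trailing-whitespace change is unrelated to the feature and would be cleaner as its own commit.
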
> > > diff --git a/source3/rpc_server/mgmt/srv_mgmt_nt.c b/source3/rpc_server/mgmt/srv_mgmt_nt.c
> > > index c0a4122..cf4563e 100644
> > > --- a/source3/rpc_server/mgmt/srv_mgmt_nt.c
> > > +++ b/source3/rpc_server/mgmt/srv_mgmt_nt.c
> > > @@ -65,6 +65,22 @@ WERROR _mgmt_stop_server_listening(struct pipes_struct *p,
> > >  WERROR _mgmt_inq_princ_name(struct pipes_struct *p,
> > >  			    struct mgmt_inq_princ_name *r)
> > >  {
> > > -	p->fault_state = DCERPC_FAULT_OP_RNG_ERROR;
> > > -	return WERR_NOT_SUPPORTED;
> > > +	int ret;
> > > +
> > > +	if (r->in.authn_proto != MGMT_AUTHN_GSS_NEG) {
> > > +		DEBUG(0, ("unsupported authn_proto %u\n",
> > > +			  (unsigned)r->in.authn_proto));
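
Review bot: The `DEBUG(0, ("unsupported authn_proto %u\n", ...))` call in the `r->in.authn_proto != MGMT_AUTHN_GSS_NEG` branch logs at level 0 on a value chosen entirely by the remote caller, so every request with an unexpected authn_proto writes an always-on log line; a higher debug level would keep the diagnostic without letting clients drive log volume. The same check accepts only MGMT_AUTHN_GSS_NEG, while the test results quoted later in this mail show a Windows server also answering 0x10 with the principal name and 0x0A with an empty string, so the condition should cover those values and return the observed error for the rest rather than treating everything else alike.
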
> > 
> > Is this really correct? Shouldn't we just return an empty principal name?
> > What's with auth type 16?
> 
> I did some iterative testing against an AD member and standalone host...
> 
> 2k12 AD member:
> 0x09 MGMT_AUTHN_GSS_NEG: lutze$@LURCH.SUSE.DE
> 0x0A MGMT_AUTHN_WINNT: (empty string)
> 0x10 MGMT_AUTHN_GSS_KERBEROS: lutze$@LURCH.SUSE.DE
> 
> Windows 8 standalone:
> 0x0A MGMT_AUTHN_WINNT: (empty string)
> 
> All other values (authn_proto <= 0xFF) returned WERR_RPC_S_UNKNOWN_AUTHN_SERVICE.
> I'll post a new round of patches with these minor modifications.

Thanks.

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



