[PATCH] s3/rpc_server/samr get_user_info_18(): allow encrypted connexions

Stefan Metzmacher metze at samba.org
Mon Feb 29 17:21:37 UTC 2016


Hi Aurélien,

>>> In the current code the test to know if the connexion was encrypted
>>> is incorrect as the test is always true (the function always returns
>>> "access denied"). This patch fixes this and continues on properly
>>> encrypted connexions, as expected.
>>
>> I think we should better match Windows and return
>> NT_STATUS_INVALID_INFO_CLASS if this is called over the network.
> 
> we can update the return code but that's not the problem I was talking
> about
>  
>> The only valid case is using this over NCALRPC as SYSTEM.
>>
>> Why are you trying to change this?
> 
> read again, the current test is always true.

Yes.

> - if auth_type is one of the tested types, it cannot be any of the
>   others, the 2 other != expressions will return true => access denied

Yes.

> - if auth_type is not one of the tested types, then all the !=
>   expressions return true => access denied

Yes.

> the whole test in its current form can be replaced with
> 
>     if (1)
>         return NT_STATUS_ACCESS_DENIED
> 
> which is surely not what we want.

The code is confusing and should be changed, but
I think the result is what we want.

> another fix would be to replace all || by &&.

I'm talking about something like this:

diff --git a/source3/rpc_server/samr/srv_samr_nt.c
b/source3/rpc_server/samr/srv_samr_nt.c
index 4b4b77a..a77bd9d 100644
--- a/source3/rpc_server/samr/srv_samr_nt.c
+++ b/source3/rpc_server/samr/srv_samr_nt.c
@@ -2616,21 +2616,14 @@ static NTSTATUS get_user_info_18(struct
pipes_struct *p,

        ZERO_STRUCTP(r);

-       if (security_token_is_system(p->session_info->security_token)) {
-               goto query;
-       }
-
-       if ((p->auth.auth_type != DCERPC_AUTH_TYPE_NTLMSSP) ||
-           (p->auth.auth_type != DCERPC_AUTH_TYPE_KRB5) ||
-           (p->auth.auth_type != DCERPC_AUTH_TYPE_SPNEGO)) {
-               return NT_STATUS_ACCESS_DENIED;
+       if (p->transport != NCALRPC) {
+               return NT_STATUS_INVALID_INFO_CLASS;
        }

-       if (p->auth.auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
+       if (!security_token_is_system(p->session_info->security_token)) {
                return NT_STATUS_ACCESS_DENIED;
        }

- query:
        /*
         * Do *NOT* do become_root()/unbecome_root() here ! JRA.
         */
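
Review bot: The new `p->transport != NCALRPC` test runs before the `security_token_is_system()` test, so a SYSTEM token arriving over any other transport, which the removed `goto query` let through, is now rejected with NT_STATUS_INVALID_INFO_CLASS. If that is intended, say so in the commit message and add a short comment above the transport check explaining that only NCALRPC as SYSTEM is valid, so the next reader does not reintroduce an auth_type or auth_level test. The removed `DCERPC_AUTH_LEVEL_PRIVACY` check was unreachable for non-SYSTEM callers because the `||` condition above it always returned, so dropping it changes nothing for them; that is also worth one line in the commit message.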

metze
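
The always-true condition discussed in this thread, as an added example that is not part of the original message or of Samba's code: it runs the removed `||` test and the `&&` variant mentioned above over every possible 8-bit auth_type and counts how many values each one lets through. The enum values and the function names `denied_or`, `denied_and` and `count_allowed` are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-ins for the three auth types named in the hunk. The numeric
 * values are assumed here; the result does not depend on them as long
 * as the three are distinct. */
enum {
    DCERPC_AUTH_TYPE_SPNEGO  = 9,
    DCERPC_AUTH_TYPE_NTLMSSP = 10,
    DCERPC_AUTH_TYPE_KRB5    = 16
};

/* The removed test: inequalities joined by ||. A value can equal at
 * most one constant, so at least two of the three terms are true. */
static bool denied_or(int auth_type)
{
    return (auth_type != DCERPC_AUTH_TYPE_NTLMSSP) ||
           (auth_type != DCERPC_AUTH_TYPE_KRB5) ||
           (auth_type != DCERPC_AUTH_TYPE_SPNEGO);
}

/* The variant from the thread: every || replaced by &&. This denies
 * only when auth_type matches none of the three constants. */
static bool denied_and(int auth_type)
{
    return (auth_type != DCERPC_AUTH_TYPE_NTLMSSP) &&
           (auth_type != DCERPC_AUTH_TYPE_KRB5) &&
           (auth_type != DCERPC_AUTH_TYPE_SPNEGO);
}

/* Count the auth_type values in 0..255 that a given test lets through. */
static size_t count_allowed(bool (*denied)(int))
{
    size_t allowed = 0;
    for (int t = 0; t < 256; t++) {
        if (!denied(t)) {
            allowed++;
        }
    }
    return allowed;
}

int main(void)
{
    printf("|| form lets through %zu values\n", count_allowed(denied_or));
    printf("&& form lets through %zu values\n", count_allowed(denied_and));
    return 0;
}
```
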
