1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

16 Commits

Author SHA1 Message Date
Douglas Bagnall
da841a80e3 s3:rpc: bump named_pipe_auth_req_info version number
This is because commit f893cf85cc
changed the security token in secuirty.idl, and bumping the version
was missed.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-09-11 02:42:41 +00:00
Volker Lendecke
bdba027a33 rpc: Remove named_pipe_auth_req_info6->need_idle_server
Involves bumping up the version number

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2023-05-16 10:53:40 +00:00
Joseph Sutton
8aef16bbbc named_pipe_auth: Bump info5 to info6
In the next commit, we shall replace the 'authenticated' field of
named_pipe_auth_req_info.info5.session_info.session_info.info with a
more general 'user_flags' field.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2023-02-08 00:03:39 +00:00
Volker Lendecke
1bab76223c librpc: Add named_pipe_auth_req_info5->transport
This will serve as a check to make sure that in particular a SAMR
client is really root. This is for example used in get_user_info_18()
handing out a machine password.

The unix domain sockets for NCACN_NP can only be contacted by root,
the "np\" subdirectory for those sockets is root/root 0700.

Connecting to such a socket is done in two situations: First, local
real root processes connecting and smbd on behalf of SMB clients
connecting to \\pipe\name, smbd does become_root() there. Via the
named_pipe_auth_req_info4 smbd hands over the SMB session information
that the RPC server blindly trusts. The session information (i.e. the
NT token) is heavily influenced by external sources like the KDC. It
is highly unlikely that we get a system token via SMB, but who knows,
this is information not fully controlled by smbd.

This is where this additional field in named_pipe_auth_req_info5 makes
a difference: This field is set to NCACN_NP by smbd's code, not
directly controlled by the clients. Other clients directly connecting
to a socket in "np\" is root anyway (only smbd can do become_root())
and can set this field to NCALRPC.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-12-10 14:02:30 +00:00
Volker Lendecke
530fb4fdfb named_pipe_auth.idl: Add "need_idle_server"
Once RPC services are done by individual processes, we need to avoid
recursion between processes:

Any RPC server process will be able to serve multiple client requests
simultaneously, but each request is served in a single-threaded
blocking manner.

For example the netlogon RPC service needs to ask samr for
something. The netlogon->samr connection will initially be handled by
a central dispatcher assigning clients to processes. This dispatcher
needs to know that this connection can't end up in the same process
that originated the request.

With this flag an RPC client can request a samr server process that
exclusively serves its own requests and that will not serve anybody
else while serving netlogon.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-12-10 14:02:30 +00:00
Volker Lendecke
d1934e2331 named_pipe_auth: Bump info4 to info5
We'll add a field soon

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-12-10 14:02:30 +00:00
Volker Lendecke
bbfdf2708e tstream_npa: Return named_pipe_auth_req_info4 from accept_existing
Callers might want the full picture. We need to make
named_pipe_auth_req_info4 public for that.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-04-01 19:32:36 +00:00
Volker Lendecke
d5877ec49e idl: Remove a trailing empty line
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2019-03-18 19:21:23 +00:00
Gary Lockyer
68200d0d88 named_pipe_auth: Rename client -> remote_client and server -> local_server
While these names may have been clear, much of Samba uses
remote_address and local_address, and this difference has hidden bugs.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Pair-Programmed-by: Gary Lockyer <gary@catalyst.net.nz>
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
2017-03-29 02:37:28 +02:00
Andrew Bartlett
d66150c14d libcli/named_pipe_auth Change from 'info3' to auth_session_info_transport
This changes the structure being used to convey the current user state
from the netlogon-derived 'netr_SamInfo3' structure to a purpose-built
structure that matches the internals of the Samba auth subsystem and
contains the final group list, as well as the final privilege set and
session key.

These previously had to be re-created on the server side of the pipe
each time.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-02-10 06:51:06 +01:00
Andrew Bartlett
543ef3b5bf libcli/named_pipe_auth Remove support for unused levels 0-2.
The only client and server for this code uses level 3 exclusively.

Andrew Bartlett

Signed-off-by: Andrew Tridgell <tridge@samba.org>
2011-02-10 06:51:06 +01:00
Jelmer Vernooij
f9ca9e46ad Finish removal of iconv_convenience in public API's. 2010-05-18 11:45:30 +02:00
Stefan Metzmacher
c29364f4b0 named_pipe_auth.idl: add infrastructure to pass delegated credentials
metze
2009-09-18 20:34:40 +02:00
Stefan Metzmacher
6d27b48b3f named_pipe_auth.idl: add level 2 and pass the client/server info and session key
We also return can return the named pipe mode now.

metze
2009-05-01 17:42:03 +02:00
Jelmer Vernooij
08259c1c52 Add iconv_convenience argument to size functions. 2009-01-01 04:45:33 +01:00
Stefan Metzmacher
1a60fc02d8 librpc/idl: Add named_pipe_auth.idl to Samba4
metze
2008-11-06 21:39:13 +01:00