From: Volker Lendecke
Date: Tue, 18 Apr 2023 10:28:28 +0000 (+0200)
Subject: rpc_server3: Use global_sid_Samba_NPA_Flags to pass "need_idle"
X-Git-Tag: samba-4.17.9~24
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f5323412879a7b038e713a07de894775681aafff;p=thirdparty%2Fsamba.git
rpc_server3: Use global_sid_Samba_NPA_Flags to pass "need_idle"
More code, but will be more flexible in the future.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke
Reviewed-by: Stefan Metzmacher
(cherry picked from commit 31180e0e6d9e43d54e7656a56ed3af129f578105)
---
diff --git a/source3/rpc_client/local_np.c b/source3/rpc_client/local_np.c
index 92d68fa95c6..2975ea5dad3 100644
--- a/source3/rpc_client/local_np.c
+++ b/source3/rpc_client/local_np.c
@@ -24,6 +24,8 @@
 #include "libcli/named_pipe_auth/tstream_u32_read.h"
 #include "lib/util/tevent_unix.h"
 #include "auth/auth_util.h"
+#include "libcli/security/dom_sid.h"
+#include "libcli/security/security_token.h"
 /** * @file local_np.c
@@ -499,6 +501,12 @@ struct tevent_req *local_np_connect_send(
 struct named_pipe_auth_req_info6 *i6 = NULL;
 const char *socket_dir = NULL;
 char *lower_case_pipename = NULL;
+ struct dom_sid npa_sid = global_sid_Samba_NPA_Flags;
+ uint32_t npa_flags = 0;
+ struct security_token *token = NULL;
+ NTSTATUS status;
+ size_t num_npa_sids;
+ bool ok;
 req = tevent_req_create( mem_ctx, &state, struct local_np_connect_state);
@@ -507,6 +515,19 @@ struct tevent_req *local_np_connect_send(
 }
 state->ev = ev;
+ num_npa_sids =
+ security_token_count_flag_sids(session_info->security_token,
+ &npa_sid,
+ 1,
+ NULL);
+ if (num_npa_sids != 0) {
+ DBG_ERR("ERROR: %zu NPA Flags SIDs have already been "
+ "detected in the security token!\n",
+ num_npa_sids);
+ tevent_req_error(req, EACCES);
+ return tevent_req_post(req, ev);
+ }
+
 socket_dir = lp_parm_const_string( GLOBAL_SECTION_SNUM, "external_rpc_pipe", "socket_dir", lp_ncalrpc_dir());
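Review bot: The new rejection of tokens that already carry an NPA Flags SID in local_np_connect_send() has no comment saying why it exists, and the bare `1` passed to security_token_count_flag_sids() is unexplained. Because the flags are later read back out of the security token on the server side, this check appears to be what keeps a caller-supplied token from bringing its own flags; a comment such as `/* The NPA flags SID is appended by us below; a token that already carries one must be refused */` would record that for the next maintainer. The `1` is presumably the number of flag sub-authorities expected after the SID prefix and would read better as a named constant or with a short comment. The function body starts and ends outside the hunk.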
@@ -603,7 +624,26 @@ struct tevent_req *local_np_connect_send(
 return tevent_req_post(req, ev);
 }
- i6->need_idle_server = need_idle_server;
+ if (need_idle_server) {
+ npa_flags |= SAMBA_NPA_FLAGS_NEED_IDLE;
+ }
+
+ ok = sid_append_rid(&npa_sid, npa_flags);
+ if (!ok) {
+ tevent_req_error(req, EINVAL);
+ return tevent_req_post(req, ev);
+ }
+
+ token = i6->session_info->session_info->security_token;
+
+ status = add_sid_to_array_unique(token,
+ &npa_sid,
+ &token->sids,
+ &token->num_sids);
+ if (!NT_STATUS_IS_OK(status)) {
+ tevent_req_oom(req);
+ return tevent_req_post(req, ev);
+ }
 subreq = np_sock_connect_send( state, state->ev, state->socketpath, state->npa_req);
diff --git a/source3/rpc_server/rpc_host.c b/source3/rpc_server/rpc_host.c
index 07ab7742c3e..ed9118dc639 100644
--- a/source3/rpc_server/rpc_host.c
+++ b/source3/rpc_server/rpc_host.c
@@ -68,6 +68,8 @@
 #include "librpc/gen_ndr/ndr_epmapper.h"
 #include "librpc/gen_ndr/ndr_epmapper_c.h"
 #include "nsswitch/winbind_client.h"
+#include "libcli/security/dom_sid.h"
+#include "libcli/security/security_token.h"
 extern bool override_logfile;
@@ -1321,8 +1323,17 @@ again:
 worker = rpc_host_find_worker(server);
 }
 } else {
+ struct auth_session_info_transport *session_info =
+ pending_client->client->npa_info6->session_info;
+ uint32_t flags = 0;
+ bool found;
+
+ found = security_token_find_npa_flags(
+ session_info->session_info->security_token,
+ &flags);
+
 /* fresh assoc group requested */
- if (pending_client->client->npa_info6->need_idle_server != 0) {
+ if (found & (flags & SAMBA_NPA_FLAGS_NEED_IDLE)) {
 worker = rpc_host_find_idle_worker(server);
 } else {
 worker = rpc_host_find_worker(server);
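Review bot: The flags SID is appended in place to `i6->session_info->session_info->security_token`, and nothing in this hunk shows whether that token is a private copy or still the caller's `session_info->security_token`. If the two are shared, the caller's token keeps the SID after this call and a second connect with the same session_info would be refused by the NPA Flags check added earlier in local_np_connect_send(); once confirmed, a comment at the assignment such as `/* i6 holds its own copy of session_info, the caller's token is not modified */` would settle it. `token` is also dereferenced without a NULL check, and every non-OK status is reported through tevent_req_oom(), which would hide other failures if add_sid_to_array_unique() can return them. The function body starts and ends outside the hunk.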
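Review bot: The new condition `if (found & (flags & SAMBA_NPA_FLAGS_NEED_IDLE))` joins a bool and a masked flag word with bitwise `&`, so it can only be true when the masked value has bit 0 set. That holds if SAMBA_NPA_FLAGS_NEED_IDLE is 0x1 (its value is not visible here), but the same pattern copied for a flag on any other bit would always evaluate to false; `if (found && (flags & SAMBA_NPA_FLAGS_NEED_IDLE) != 0) {` states the intent and does not depend on the bit position. In the lines shown, a token without a flags SID falls through to rpc_host_find_worker() silently, so a `DBG_DEBUG` on `!found` would make a dropped idle-server request visible when debugging. The enclosing function starts and ends outside the hunk.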