From 1cbbe56266b81ffeedb57f2a3283b274e33981c7 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 12 Feb 2025 12:45:19 +0100 Subject: [PATCH] s3:rpc_client: Use cli_rpc_pipe_reopen_np_noauth() for OpenPolicy fallback BUG: https://bugzilla.samba.org/show_bug.cgi?id=15680 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider (cherry picked from commit 3bbe35d42c4d4a0ce663580dfb035b6beb329ebb) (cherry picked from commit 1a3be37e0eb564604b20c5d2ab1842661d466433) --- source3/lib/netapi/localgroup.c | 2 +- source3/rpc_client/cli_lsarpc.c | 15 ++++++++++- source3/rpc_client/cli_lsarpc.h | 4 +-- source3/rpcclient/cmd_lsarpc.c | 48 ++++++++++++++++----------------- source3/utils/net_rpc.c | 6 ++--- source3/utils/net_rpc_rights.c | 4 +-- source3/utils/net_rpc_trust.c | 2 +- source3/winbindd/winbindd_cm.c | 2 +- source3/wscript_build | 2 +- 9 files changed, 49 insertions(+), 36 deletions(-) diff --git a/source3/lib/netapi/localgroup.c b/source3/lib/netapi/localgroup.c index a63fca4366a..db72b1d15b6 100644 --- a/source3/lib/netapi/localgroup.c +++ b/source3/lib/netapi/localgroup.c @@ -984,7 +984,7 @@ static NTSTATUS libnetapi_lsa_lookup_names3(TALLOC_CTX *mem_ctx, init_lsa_String(&names, name); status = dcerpc_lsa_open_policy_fallback( - b, + lsa_pipe, mem_ctx, lsa_pipe->srv_name_slash, false, diff --git a/source3/rpc_client/cli_lsarpc.c b/source3/rpc_client/cli_lsarpc.c index cf2572ed61c..fcb0e9b0f1e 100644 --- a/source3/rpc_client/cli_lsarpc.c +++ b/source3/rpc_client/cli_lsarpc.c @@ -24,6 +24,7 @@ #include "includes.h" #include "rpc_client/rpc_client.h" +#include "rpc_client/cli_pipe.h" #include "../librpc/gen_ndr/ndr_lsa_c.h" #include "rpc_client/cli_lsarpc.h" #include "rpc_client/init_lsa.h" @@ -167,7 +168,7 @@ NTSTATUS dcerpc_lsa_open_policy3(struct dcerpc_binding_handle *h, result); } -NTSTATUS dcerpc_lsa_open_policy_fallback(struct dcerpc_binding_handle *h, +NTSTATUS dcerpc_lsa_open_policy_fallback(struct rpc_pipe_client *rpccli, TALLOC_CTX *mem_ctx, const char *srv_name_slash, bool sec_qos, @@ -177,7 +178,9 @@ NTSTATUS dcerpc_lsa_open_policy_fallback(struct dcerpc_binding_handle *h, struct policy_handle *pol, NTSTATUS *result) { + struct dcerpc_binding_handle *h = rpccli->binding_handle; NTSTATUS status; + bool policy2 = false; status = dcerpc_lsa_open_policy3(h, mem_ctx, @@ -189,6 +192,16 @@ NTSTATUS dcerpc_lsa_open_policy_fallback(struct dcerpc_binding_handle *h, pol, result); if (NT_STATUS_EQUAL(status, NT_STATUS_RPC_PROCNUM_OUT_OF_RANGE)) { + policy2 = true; + } else if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) { + status = cli_rpc_pipe_reopen_np_noauth(rpccli); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + policy2 = true; + } + + if (policy2) { *out_version = 1; *out_revision_info = (union lsa_revision_info) { .info1 = { diff --git a/source3/rpc_client/cli_lsarpc.h b/source3/rpc_client/cli_lsarpc.h index 0a0f399346e..269dec1ec44 100644 --- a/source3/rpc_client/cli_lsarpc.h +++ b/source3/rpc_client/cli_lsarpc.h @@ -120,7 +120,7 @@ NTSTATUS dcerpc_lsa_open_policy3(struct dcerpc_binding_handle *h, * This first calls lsa_open_policy3 and falls back to lsa_open_policy2 in case * it isn't implemented. * - * @param[in] h The dcerpc binding handle to use. + * @param[in] rpccli The rpc pipe client structure to use. * * @param[in] mem_ctx The memory context to use. * @@ -139,7 +139,7 @@ NTSTATUS dcerpc_lsa_open_policy3(struct dcerpc_binding_handle *h, * * @return A corresponding NTSTATUS error code for the connection. */ -NTSTATUS dcerpc_lsa_open_policy_fallback(struct dcerpc_binding_handle *h, +NTSTATUS dcerpc_lsa_open_policy_fallback(struct rpc_pipe_client *rpccli, TALLOC_CTX *mem_ctx, const char *srv_name_slash, bool sec_qos, diff --git a/source3/rpcclient/cmd_lsarpc.c b/source3/rpcclient/cmd_lsarpc.c index a5693504cdd..b23e8cf80cd 100644 --- a/source3/rpcclient/cmd_lsarpc.c +++ b/source3/rpcclient/cmd_lsarpc.c @@ -186,7 +186,7 @@ static NTSTATUS cmd_lsa_query_info_policy(struct rpc_pipe_client *cli, uint32_t out_version = 0; status = dcerpc_lsa_open_policy_fallback( - b, + cli, mem_ctx, cli->srv_name_slash, true, @@ -938,7 +938,7 @@ static NTSTATUS cmd_lsa_create_account(struct rpc_pipe_client *cli, if (!NT_STATUS_IS_OK(status)) goto done; - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -1004,7 +1004,7 @@ static NTSTATUS cmd_lsa_enum_privsaccounts(struct rpc_pipe_client *cli, if (!NT_STATUS_IS_OK(status)) goto done; - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -1089,7 +1089,7 @@ static NTSTATUS cmd_lsa_enum_acct_rights(struct rpc_pipe_client *cli, if (!NT_STATUS_IS_OK(status)) goto done; - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -1156,7 +1156,7 @@ static NTSTATUS cmd_lsa_add_acct_rights(struct rpc_pipe_client *cli, if (!NT_STATUS_IS_OK(status)) goto done; - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -1227,7 +1227,7 @@ static NTSTATUS cmd_lsa_remove_acct_rights(struct rpc_pipe_client *cli, if (!NT_STATUS_IS_OK(status)) goto done; - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -1295,7 +1295,7 @@ static NTSTATUS cmd_lsa_lookup_priv_value(struct rpc_pipe_client *cli, return NT_STATUS_OK; } - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -1358,7 +1358,7 @@ static NTSTATUS cmd_lsa_query_secobj(struct rpc_pipe_client *cli, if (argc == 2) sscanf(argv[1], "%x", &sec_info); - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -1463,7 +1463,7 @@ static NTSTATUS cmd_lsa_query_trustdominfobysid(struct rpc_pipe_client *cli, if (argc == 3) info_class = atoi(argv[2]); - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -1532,7 +1532,7 @@ static NTSTATUS cmd_lsa_query_trustdominfobyname(struct rpc_pipe_client *cli, if (argc == 3) info_class = atoi(argv[2]); - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -1613,7 +1613,7 @@ static NTSTATUS cmd_lsa_set_trustdominfo(struct rpc_pipe_client *cli, return NT_STATUS_INVALID_PARAMETER; } - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -1691,7 +1691,7 @@ static NTSTATUS cmd_lsa_query_trustdominfo(struct rpc_pipe_client *cli, if (argc == 3) info_class = atoi(argv[2]); - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -1812,7 +1812,7 @@ static NTSTATUS cmd_lsa_add_priv(struct rpc_pipe_client *cli, goto done; } - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -1921,7 +1921,7 @@ static NTSTATUS cmd_lsa_del_priv(struct rpc_pipe_client *cli, goto done; } - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -2022,7 +2022,7 @@ static NTSTATUS cmd_lsa_create_secret(struct rpc_pipe_client *cli, return NT_STATUS_OK; } - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -2082,7 +2082,7 @@ static NTSTATUS cmd_lsa_delete_secret(struct rpc_pipe_client *cli, return NT_STATUS_OK; } - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -2161,7 +2161,7 @@ static NTSTATUS cmd_lsa_query_secret(struct rpc_pipe_client *cli, return NT_STATUS_OK; } - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -2265,7 +2265,7 @@ static NTSTATUS cmd_lsa_set_secret(struct rpc_pipe_client *cli, return NT_STATUS_OK; } - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -2357,7 +2357,7 @@ static NTSTATUS cmd_lsa_retrieve_private_data(struct rpc_pipe_client *cli, return NT_STATUS_OK; } - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -2433,7 +2433,7 @@ static NTSTATUS cmd_lsa_store_private_data(struct rpc_pipe_client *cli, return NT_STATUS_OK; } - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -2504,7 +2504,7 @@ static NTSTATUS cmd_lsa_create_trusted_domain(struct rpc_pipe_client *cli, return NT_STATUS_OK; } - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -2595,7 +2595,7 @@ static NTSTATUS cmd_lsa_create_trusted_domain_ex3(struct rpc_pipe_client *cli, goto done; } - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -2710,7 +2710,7 @@ static NTSTATUS cmd_lsa_create_trusted_domain_ex2(struct rpc_pipe_client *cli, goto done; } - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, @@ -2798,7 +2798,7 @@ static NTSTATUS cmd_lsa_delete_trusted_domain(struct rpc_pipe_client *cli, return NT_STATUS_OK; } - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c index 86cd9a5600b..7edb1ef247a 100644 --- a/source3/utils/net_rpc.c +++ b/source3/utils/net_rpc.c @@ -6634,7 +6634,7 @@ static int rpc_trustdom_establish(struct net_context *c, int argc, b = pipe_hnd->binding_handle; - nt_status = dcerpc_lsa_open_policy_fallback(b, + nt_status = dcerpc_lsa_open_policy_fallback(pipe_hnd, frame, pipe_hnd->srv_name_slash, true, @@ -6919,7 +6919,7 @@ static int rpc_trustdom_vampire(struct net_context *c, int argc, b = pipe_hnd->binding_handle; - nt_status = dcerpc_lsa_open_policy_fallback(b, + nt_status = dcerpc_lsa_open_policy_fallback(pipe_hnd, mem_ctx, pipe_hnd->srv_name_slash, false, @@ -7112,7 +7112,7 @@ static int rpc_trustdom_list(struct net_context *c, int argc, const char **argv) b = pipe_hnd->binding_handle; - nt_status = dcerpc_lsa_open_policy_fallback(b, + nt_status = dcerpc_lsa_open_policy_fallback(pipe_hnd, mem_ctx, pipe_hnd->srv_name_slash, true, diff --git a/source3/utils/net_rpc_rights.c b/source3/utils/net_rpc_rights.c index 267ce6576e6..a3b2a6dc80e 100644 --- a/source3/utils/net_rpc_rights.c +++ b/source3/utils/net_rpc_rights.c @@ -507,7 +507,7 @@ static NTSTATUS rpc_rights_grant_internal(struct net_context *c, if (!NT_STATUS_IS_OK(status)) goto done; - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(pipe_hnd, mem_ctx, pipe_hnd->srv_name_slash, true, @@ -593,7 +593,7 @@ static NTSTATUS rpc_rights_revoke_internal(struct net_context *c, if (!NT_STATUS_IS_OK(status)) return status; - status = dcerpc_lsa_open_policy_fallback(b, + status = dcerpc_lsa_open_policy_fallback(pipe_hnd, mem_ctx, pipe_hnd->srv_name_slash, true, diff --git a/source3/utils/net_rpc_trust.c b/source3/utils/net_rpc_trust.c index 4e57d7ce044..5f89689068a 100644 --- a/source3/utils/net_rpc_trust.c +++ b/source3/utils/net_rpc_trust.c @@ -235,7 +235,7 @@ static NTSTATUS connect_and_get_info(TALLOC_CTX *mem_ctx, } status = dcerpc_lsa_open_policy_fallback( - (*pipe_hnd)->binding_handle, + (*pipe_hnd), mem_ctx, (*pipe_hnd)->srv_name_slash, false, diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c index e07b6fb0f32..24616980af3 100644 --- a/source3/winbindd/winbindd_cm.c +++ b/source3/winbindd/winbindd_cm.c @@ -2296,7 +2296,7 @@ no_dssetup: return; } - status = dcerpc_lsa_open_policy_fallback(cli->binding_handle, + status = dcerpc_lsa_open_policy_fallback(cli, mem_ctx, cli->srv_name_slash, true, diff --git a/source3/wscript_build b/source3/wscript_build index 824f961c1ec..643b1768388 100644 --- a/source3/wscript_build +++ b/source3/wscript_build @@ -1037,7 +1037,7 @@ bld.SAMBA3_SUBSYSTEM('LIBCLI_SAMR', bld.SAMBA3_LIBRARY('libcli_lsa3', source='rpc_client/cli_lsarpc.c', - deps='RPC_NDR_LSA INIT_LSA', + deps='RPC_NDR_LSA INIT_LSA msrpc3', private_library=True) bld.SAMBA3_LIBRARY('libcli_netlogon3', -- 2.47.2