author | Volker Lendecke <vl@samba.org> | 2023-04-18 12:47:04 +0200 |
---|---|---|
committer | Volker Lendecke <vl@samba.org> | 2023-05-16 11:54:32 +0000 |
commit | 59694ad0a4cc489f1baa4c2c94c6322c0f22c1df (patch) | |
tree | 2abfdc5792e6f264f89ca96585a1a3d5ab2d7b05 /source3/rpc_server | |
parent | bb3ea36e10079ad9c73c68d7ed8fce51ecb40ebe (diff) | |
rpc_server3: Pass winbind_env_set() state through to rpcd_*
Winbind can ask rpcd_lsad for LookupNames etc. This can recurse back
into winbind for getpwnam. We have the "_NO_WINBINDD" environment
variable set in winbind itself for this case, but this is lost on the
way into rpcd_lsad. Use a flag in global_sid_Samba_NPA_Flags to pass
this information to dcerpc_core, where it sets the variable on every
call if requested.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Tue May 16 11:54:32 UTC 2023 on atb-devel-224
Diffstat (limited to 'source3/rpc_server')
-rw-r--r-- | source3/rpc_server/rpc_worker.c | 31 |
1 files changed, 27 insertions, 4 deletions
diff --git a/source3/rpc_server/rpc_worker.c b/source3/rpc_server/rpc_worker.c
index 39dae54a34c..4f47a0ad4f3 100644
--- a/source3/rpc_server/rpc_worker.c
+++ b/source3/rpc_server/rpc_worker.c
@@ -42,6 +42,8 @@
 #include "nsswitch/winbind_client.h"
 #include "source3/include/messages.h"
 #include "libcli/security/security_token.h"
+#include "libcli/security/dom_sid.h"
+#include "source3/include/proto.h"
 /*
 * This is the generic code that becomes the
@@ -181,6 +183,9 @@ static void rpc_worker_new_client(
 struct dcesrv_connection *dcesrv_conn = NULL;
 DATA_BLOB buffer = { .data = NULL };
 struct ncacn_packet *pkt = NULL;
+ struct security_token *token = NULL;
+ uint32_t npa_flags, state_flags;
+ bool found_npa_flags;
 NTSTATUS status;
 int ret;
@@ -374,13 +379,31 @@ static void rpc_worker_new_client(
 }
 sock = -1;
- if (security_token_is_system(
- info7->session_info->session_info->security_token) &&
- (transport != NCALRPC)) {
+ token = info7->session_info->session_info->security_token;
+
+ if (security_token_is_system(token) && (transport != NCALRPC)) {
 DBG_DEBUG("System token only allowed on NCALRPC\n");
 goto fail;
 }
+ state_flags = DCESRV_CALL_STATE_FLAG_MAY_ASYNC;
+
+ found_npa_flags = security_token_find_npa_flags(token, &npa_flags);
+ if (found_npa_flags) {
+ if (npa_flags & SAMBA_NPA_FLAGS_WINBIND_OFF) {
+ state_flags |=
+ DCESRV_CALL_STATE_FLAG_WINBIND_OFF;
+ }
+
+ /*
+ * Delete the flags so that we don't bail in
+ * local_np_connect_send() on subsequent
+ * connects. Once we connect to another RPC service, a
+ * new flags sid will be added if required.
+ */
+ security_token_del_npa_flags(token);
+ }
+
 ncacn_conn->p.msg_ctx = global_messaging_context();
 ncacn_conn->p.transport = transport;
@@ -389,7 +412,7 @@ static void rpc_worker_new_client(
 ep,
 info7->session_info->session_info,
 global_event_context(),
- DCESRV_CALL_STATE_FLAG_MAY_ASYNC,
+ state_flags,
 &dcesrv_conn);
 if (!NT_STATUS_IS_OK(status)) {
 DBG_DEBUG("Failed to connect to endpoint: %s\n", |
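Review bot: In the third hunk, `SAMBA_NPA_FLAGS_WINBIND_OFF` is honoured for any token that carries the flags SID, on every transport, while the system-token check directly above it is limited to NCALRPC. Whether a token arriving from a less trusted path can ever carry that SID depends on how the info7 token is assembled and on `security_token_find_npa_flags()`, neither of which is visible in this hunk, so the trust assumption should be written down next to the lookup, for example `/* The flags SID is only added by our own local pipe client; tokens of remote clients are assumed never to contain it */`, with the wording checked against the code that builds the token. If that assumption does not hold, the lookup needs the same kind of transport test as the system-token check. A `DBG_DEBUG("winbind disabled for this connection via npa flags\n");` inside the `SAMBA_NPA_FLAGS_WINBIND_OFF` branch would also make it visible in logs when name lookups on a connection bypass winbind. rpc_worker_new_client() begins and ends outside the hunk, so the error paths after `goto fail` are not reviewed here.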