Changeset 272 for branches/samba-3.2.x/source/rpc_server

Timestamp:

Jun 16, 2009, 5:52:30 PM (16 years ago)

Author:

Herwig Bauernfeind

Message:

Update 3.2 to 3.2.12

Location:

branches/samba-3.2.x/source/rpc_server

Files:

• srv_lsa_nt.c (modified) (4 diffs)
• srv_netlog_nt.c (modified) (8 diffs)
• srv_samr_nt.c (modified) (11 diffs)

branches/samba-3.2.x/source/rpc_server/srv_lsa_nt.c

@@ -1630 +1630 @@
                 return NT_STATUS_INVALID_HANDLE;
 
-        if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
-                return NT_STATUS_ACCESS_DENIED;
-
         if ( !get_privileges_for_sids( &mask, &info->sid, 1 ) )
                 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
@@ -1692 +1689 @@
         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
                 return NT_STATUS_INVALID_HANDLE;
-
-        if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
-                return NT_STATUS_ACCESS_DENIED;
 
         if (!lookup_sid(p->mem_ctx, &info->sid, NULL, NULL, NULL))
@@ -2098 +2092 @@
                 return NT_STATUS_INVALID_HANDLE;
 
-        if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
-                return NT_STATUS_ACCESS_DENIED;
-
         /* according to an NT4 PDC, you can add privileges to SIDs even without
            call_lsa_create_account() first.  And you can use any arbitrary SID. */
@@ -2142 +2133 @@
         if (!find_policy_by_hnd(p, r->in.handle, (void **)(void *)&info))
                 return NT_STATUS_INVALID_HANDLE;
-
-        if (!(info->access & LSA_POLICY_VIEW_LOCAL_INFORMATION))
-                return NT_STATUS_ACCESS_DENIED;
 
         name = r->in.name->string;

branches/samba-3.2.x/source/rpc_server/srv_netlog_nt.c

@@ -473 +473 @@
         NTSTATUS status;
         uint32_t srv_flgs;
+        /* r->in.negotiate_flags is an aliased pointer to r->out.negotiate_flags,
+         * so use a copy to avoid destroying the client values. */
+        uint32_t in_neg_flags = *r->in.negotiate_flags;
         struct netr_Credential srv_chal_out;
 
@@ -478 +481 @@
          * Windows 7 looks at the negotiate_flags
          * returned in this structure *even if the
-         * call fails with access denied ! So in order
+         * call fails with access denied* ! So in order
          * to allow Win7 to connect to a Samba NT style
          * PDC we set the flags before we know if it's
@@ -495 +498 @@
                    NETLOGON_NEG_PASSWORD_CHANGE_REFUSAL;
 
+        /* Ensure we support strong (128-bit) keys. */
+        if (in_neg_flags & NETLOGON_NEG_128BIT) {
+                srv_flgs |= NETLOGON_NEG_128BIT;
+        }
+
         if (lp_server_schannel() != false) {
                 srv_flgs |= NETLOGON_NEG_SCHANNEL;
         }
-
-        *r->out.negotiate_flags = srv_flgs;
 
         /* We use this as the key to store the creds: */
@@ -507 +513 @@
                 DEBUG(0,("_netr_ServerAuthenticate2: no challenge sent to client %s\n",
                         r->in.computer_name));
-                return NT_STATUS_ACCESS_DENIED;
+                status = NT_STATUS_ACCESS_DENIED;
+                goto out;
         }
 
         if ( (lp_server_schannel() == true) &&
-             ((*r->in.negotiate_flags & NETLOGON_NEG_SCHANNEL) == 0) ) {
+             ((in_neg_flags & NETLOGON_NEG_SCHANNEL) == 0) ) {
 
                 /* schannel must be used, but client did not offer it. */
@@ -517 +524 @@
                         "to offer it. Client was %s\n",
                         r->in.account_name));
-                return NT_STATUS_ACCESS_DENIED;
+                status = NT_STATUS_ACCESS_DENIED;
+                goto out;
         }
 
@@ -528 +536 @@
                         r->in.account_name, nt_errstr(status) ));
                 /* always return NT_STATUS_ACCESS_DENIED */
-                return NT_STATUS_ACCESS_DENIED;
+                status = NT_STATUS_ACCESS_DENIED;
+                goto out;
         }
 
         /* From the client / server challenges and md4 password, generate sess key */
-        creds_server_init(*r->in.negotiate_flags,
+        creds_server_init(in_neg_flags,
                         p->dc,
                         &p->dc->clnt_chal,      /* Stored client chal. */
@@ -545 +554 @@
                         r->in.computer_name,
                         r->in.account_name));
-                return NT_STATUS_ACCESS_DENIED;
+                status = NT_STATUS_ACCESS_DENIED;
+                goto out;
         }
 
@@ -564 +574 @@
                                             p->dc);
         unbecome_root();
-
-        return NT_STATUS_OK;
+        status = NT_STATUS_OK;
+
+  out:
+
+        *r->out.negotiate_flags = srv_flgs;
+        return status;
 }
 

branches/samba-3.2.x/source/rpc_server/srv_samr_nt.c

@@ -863 +863 @@
                   sid_string_dbg(&pol_sid)));
 
-        status = access_check_samr_function(acc_granted,
-                                            STD_RIGHT_READ_CONTROL_ACCESS,
-                                            "_samr_QuerySecurity");
-        if (!NT_STATUS_IS_OK(status)) {
-                return status;
-        }
-
         /* Check what typ of SID is beeing queried (e.g Domain SID, User SID, Group SID) */
 
@@ -1166 +1159 @@
                                   num_groups, groups);
 
+        if (MAX_SAM_ENTRIES <= num_groups) {
+                status = STATUS_MORE_ENTRIES;
+        } else {
+                status = NT_STATUS_OK;
+        }
+
         samr_array->count = num_groups;
         samr_array->entries = samr_entries;
@@ -1234 +1233 @@
         DEBUG(5,("_samr_EnumDomainAliases: %d\n", __LINE__));
 
+        if (MAX_SAM_ENTRIES <= num_aliases) {
+                status = STATUS_MORE_ENTRIES;
+        } else {
+                status = NT_STATUS_OK;
+        }
+
         samr_array->count = num_aliases;
         samr_array->entries = samr_entries;
@@ -1471 +1476 @@
         if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
                 return NT_STATUS_INVALID_HANDLE;
-
-        status = access_check_samr_function(info->acc_granted,
-                                            SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
-                                            "_samr_QueryDisplayInfo");
-        if (!NT_STATUS_IS_OK(status)) {
-                return status;
-        }
 
         /*
@@ -2121 +2119 @@
                 return NT_STATUS_INVALID_HANDLE;
 
-        status = access_check_samr_function(acc_granted,
-                                            0, /* Don't know the acc_bits yet */
-                                            "_samr__LookupRids");
-        if (!NT_STATUS_IS_OK(status)) {
-                return status;
-        }
-
         if (num_rids > 1000) {
                 DEBUG(0, ("Got asked for %d rids (more than 1000) -- according "
@@ -2700 +2691 @@
                 return NT_STATUS_INVALID_HANDLE;
 
-        status = access_check_samr_function(info->acc_granted,
-                                            SAMR_USER_ACCESS_GET_ATTRIBUTES,
-                                            "_samr_QueryUserInfo");
-        if (!NT_STATUS_IS_OK(status)) {
-                return status;
-        }
-
         domain_sid = info->sid;
 
@@ -2949 +2933 @@
                 return NT_STATUS_INVALID_HANDLE;
         }
-
-        status = access_check_samr_function(info->acc_granted,
-                                            SA_RIGHT_SAM_LOOKUP_DOMAIN,
-                                            "_samr_QueryDomainInfo" );
-
-        if ( !NT_STATUS_IS_OK(status) )
-                return status;
 
         switch (r->in.level) {
@@ -5671 +5648 @@
         time_t u_logout;
         time_t u_lock_duration, u_reset_time;
-        NTSTATUS result;
 
         DEBUG(5,("_samr_SetDomainInfo: %d\n", __LINE__));
@@ -5678 +5654 @@
         if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info))
                 return NT_STATUS_INVALID_HANDLE;
-
-        /* We do have different access bits for info
-         * levels here, but we're really just looking for
-         * GENERIC_RIGHTS_DOMAIN_WRITE access. Unfortunately
-         * this maps to different specific bits. So
-         * assume if we have SA_RIGHT_DOMAIN_SET_INFO_1
-         * set we are ok. */
-
-        result = access_check_samr_function(info->acc_granted,
-                                            SA_RIGHT_DOMAIN_SET_INFO_1,
-                                            "_samr_SetDomainInfo");
-
-        if (!NT_STATUS_IS_OK(result))
-                return result;
 
         DEBUG(5,("_samr_SetDomainInfo: level: %d\n", r->in.level));
@@ -5750 +5712 @@
         uint32_t num_account = 0;
         struct samr_displayentry *entries = NULL;
-        NTSTATUS status;
 
         DEBUG(5,("_samr_GetDisplayEnumerationIndex: %d\n", __LINE__));
@@ -5757 +5718 @@
         if (!find_policy_by_hnd(p, r->in.domain_handle, (void **)(void *)&info)) {
                 return NT_STATUS_INVALID_HANDLE;
-        }
-
-        status = access_check_samr_function(info->acc_granted,
-                                            SA_RIGHT_DOMAIN_ENUM_ACCOUNTS,
-                                            "_samr_GetDisplayEnumerationIndex");
-        if (!NT_STATUS_IS_OK(status)) {
-                return status;
         }