rpc_server3: Use global_sid_Samba_NPA_Flags to pass "need_idle"

More code, but will be more flexible in the future.

Bug: https://bugzilla.samba.org/show_bug.cgi?id=15361
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

diff --git a/source3/rpc_client/local_np.c b/source3/rpc_client/local_np.c
index 92d68fa95c646cc2678c619031da676e5af40c04..2975ea5dad3401fa8658cc8756c9cfe4e814dae7 100644 (file)
--- a/source3/rpc_client/local_np.c
+++ b/source3/rpc_client/local_np.c
@@ -24,6 +24,8 @@
 #include "libcli/named_pipe_auth/tstream_u32_read.h"
 #include "lib/util/tevent_unix.h"
 #include "auth/auth_util.h"
+#include "libcli/security/dom_sid.h"
+#include "libcli/security/security_token.h"
 
 /**
  * @file local_np.c
@@ -499,6 +501,12 @@ struct tevent_req *local_np_connect_send(
        struct named_pipe_auth_req_info6 *i6 = NULL;
        const char *socket_dir = NULL;
        char *lower_case_pipename = NULL;
+       struct dom_sid npa_sid = global_sid_Samba_NPA_Flags;
+       uint32_t npa_flags = 0;
+       struct security_token *token = NULL;
+       NTSTATUS status;
+       size_t num_npa_sids;
+       bool ok;
 
        req = tevent_req_create(
                mem_ctx, &state, struct local_np_connect_state);
@@ -507,6 +515,19 @@ struct tevent_req *local_np_connect_send(
        }
        state->ev = ev;
 
+       num_npa_sids =
+               security_token_count_flag_sids(session_info->security_token,
+                                              &npa_sid,
+                                              1,
+                                              NULL);
+       if (num_npa_sids != 0) {
+               DBG_ERR("ERROR: %zu NPA Flags SIDs have already been "
+                       "detected in the security token!\n",
+                       num_npa_sids);
+               tevent_req_error(req, EACCES);
+               return tevent_req_post(req, ev);
+       }
+
        socket_dir = lp_parm_const_string(
                GLOBAL_SECTION_SNUM, "external_rpc_pipe", "socket_dir",
                lp_ncalrpc_dir());
@@ -603,7 +624,26 @@ struct tevent_req *local_np_connect_send(
                return tevent_req_post(req, ev);
        }
 
-       i6->need_idle_server = need_idle_server;
+       if (need_idle_server) {
+               npa_flags |= SAMBA_NPA_FLAGS_NEED_IDLE;
+       }
+
+       ok = sid_append_rid(&npa_sid, npa_flags);
+       if (!ok) {
+               tevent_req_error(req, EINVAL);
+               return tevent_req_post(req, ev);
+       }
+
+       token = i6->session_info->session_info->security_token;
+
+       status = add_sid_to_array_unique(token,
+                                        &npa_sid,
+                                        &token->sids,
+                                        &token->num_sids);
+       if (!NT_STATUS_IS_OK(status)) {
+               tevent_req_oom(req);
+               return tevent_req_post(req, ev);
+       }
 
        subreq = np_sock_connect_send(
                state, state->ev, state->socketpath, state->npa_req);

diff --git a/source3/rpc_server/rpc_host.c b/source3/rpc_server/rpc_host.c
index 1408fa0dd4b4e3c5198b357d17787f22d226a2c9..ac0ada397902b32555676c0aae4fbe9b213f4cdf 100644 (file)
--- a/source3/rpc_server/rpc_host.c
+++ b/source3/rpc_server/rpc_host.c
@@ -68,6 +68,8 @@
 #include "librpc/gen_ndr/ndr_epmapper.h"
 #include "librpc/gen_ndr/ndr_epmapper_c.h"
 #include "nsswitch/winbind_client.h"
+#include "libcli/security/dom_sid.h"
+#include "libcli/security/security_token.h"
 
 extern bool override_logfile;
 
@@ -1321,8 +1323,17 @@ again:
                        worker = rpc_host_find_worker(server);
                }
        } else {
+               struct auth_session_info_transport *session_info =
+                       pending_client->client->npa_info6->session_info;
+               uint32_t flags = 0;
+               bool found;
+
+               found = security_token_find_npa_flags(
+                       session_info->session_info->security_token,
+                       &flags);
+
                /* fresh assoc group requested */
-               if (pending_client->client->npa_info6->need_idle_server != 0) {
+               if (found & (flags & SAMBA_NPA_FLAGS_NEED_IDLE)) {
                        worker = rpc_host_find_idle_worker(server);
                } else {
                        worker = rpc_host_find_worker(server);