dfs: always call create_conn_struct with root privileges

This fixes a bug in dfs_samba4 identified by Daniel Müller.

create_conn_struct calls SMB_VFS_CONNECT which requires root privileges.
SMB_VFS_CONNECT in turn calls dfs_samba4_connect which connects to samdb.

Calls were made to this function without ever becoming root (notably via setup_dfs_referral)
which resulted in an error and the VFS connect failing. This happens when you have an active
directory domain controller with host msdfs = yes in smb.conf and dfs links in place.

Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Bjoern Baumbach <bb@sernet.de>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Jan 10 20:11:03 CET 2014 on sn-devel-104

(cherry picked from commit 24a687642de21ce872d25f16b3525003844d05f9)

Fix bug #10378 - dfs: always call create_conn_struct with root privileges.

diff --git a/source3/smbd/msdfs.c b/source3/smbd/msdfs.c
index 52a2a4852e90d678712ffa15d76ad7f8b61496c8..096a3a09c99b8b3c5ed9066e6aaeebb213a53158 100644 (file)
--- a/source3/smbd/msdfs.c
+++ b/source3/smbd/msdfs.c
@@ -221,9 +221,11 @@ static NTSTATUS parse_dfs_path(connection_struct *conn,
  Fake up a connection struct for the VFS layer, for use in
  applications (such as the python bindings), that do not want the
  global working directory changed under them.
+
+ SMB_VFS_CONNECT requires root privileges.
 *********************************************************/
 
-NTSTATUS create_conn_struct(TALLOC_CTX *ctx,
+static NTSTATUS create_conn_struct_as_root(TALLOC_CTX *ctx,
                            struct tevent_context *ev,
                            struct messaging_context *msg,
                            connection_struct **pconn,
@@ -346,6 +348,33 @@ NTSTATUS create_conn_struct(TALLOC_CTX *ctx,
        return NT_STATUS_OK;
 }
 
+/********************************************************
+ Fake up a connection struct for the VFS layer, for use in
+ applications (such as the python bindings), that do not want the
+ global working directory changed under them.
+
+ SMB_VFS_CONNECT requires root privileges.
+*********************************************************/
+
+NTSTATUS create_conn_struct(TALLOC_CTX *ctx,
+                           struct tevent_context *ev,
+                           struct messaging_context *msg,
+                           connection_struct **pconn,
+                           int snum,
+                           const char *path,
+                           const struct auth_session_info *session_info)
+{
+       NTSTATUS status;
+       become_root();
+       status = create_conn_struct_as_root(ctx, ev,
+                                           msg, pconn,
+                                           snum, path,
+                                           session_info);
+       unbecome_root();
+
+       return status;
+}
+
 /********************************************************
  Fake up a connection struct for the VFS layer.
  Note: this performs a vfs connect and CHANGES CWD !!!! JRA.