From: Andrew Tridgell
Date: Fri, 5 Mar 2010 02:01:23 +0000 (+1100)
Subject: s4-rpc: use inherited credentials for schannel RPC connections
X-Git-Url: http://git.samba.org/samba.git/?p=tridge%2Fsamba.git;a=commitdiff_plain;h=2dc19e2878371264606575d3fc09176776be7729

s4-rpc: use inherited credentials for schannel RPC connections

If we have inherited SMB credentials on a schannel authenticated RPC pipe, then use them instead of the anonymous credentials that the gensec schannel module would normally give us

This fixes bug 7113

Pair-Programmed-With: Andrew Bartlett
---

diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
index 59d8be3e24..a76443ce69 100644
--- a/source4/rpc_server/dcesrv_auth.c
+++ b/source4/rpc_server/dcesrv_auth.c
@@ -30,6 +30,21 @@
 #include "auth/auth.h"
 #include "param/param.h"
 
+/*
+ wrapper around gensec_session_info() that handles the special case
+ of not changing existing inherited credentials from a SMB pipe
+ when schannel is in use
+ */
+static NTSTATUS dcesrv_session_info(struct dcesrv_connection *dce_conn)
+{
+ if (dce_conn->auth_state.gensec_security->ops->auth_type == DCERPC_AUTH_TYPE_SCHANNEL &&
+ talloc_get_type(dce_conn->auth_state.session_info, struct auth_session_info)) {
+ return NT_STATUS_OK;
+ }
+ return gensec_session_info(dce_conn->auth_state.gensec_security,
+ &dce_conn->auth_state.session_info);
+}
+
 /*
 parse any auth information from a dcerpc bind request
 return false if we can't handle the auth request for some
@@ -116,8 +131,7 @@ NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packe
 &dce_conn->auth_state.auth_info->credentials);
 
 if (NT_STATUS_IS_OK(status)) {
- status = gensec_session_info(dce_conn->auth_state.gensec_security,
- &dce_conn->auth_state.session_info);
+ status = dcesrv_session_info(dce_conn);
 if (!NT_STATUS_IS_OK(status)) {
 DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
 return status;
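Review bot: The early return in `dcesrv_session_info()` only tests that `auth_state.session_info` is already a valid `struct auth_session_info`; it does not test that the value was inherited from an SMB pipe, which is what the comment above it promises. As written, any session_info already present on the connection when a schannel bind, auth3 or alter completes is kept. The `dcesrv_auth_alter_ack` hunk looks like the call site where an earlier bind is most likely to have set one, though the calling functions start and end outside the hunks, so that is inferred. Since this pointer decides which identity later authorization checks see, the helper should either also check that the connection came in over a named-pipe transport, or its comment should spell out the invariant it relies on, for example `/* relies on session_info being set before bind only by the transport; confirm for non-SMB endpoints */`. A trace line before `return NT_STATUS_OK;`, such as `DEBUG(5, ("schannel: keeping existing session_info\n"));`, would also let an operator see from the logs when the schannel-derived session was skipped.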
@@ -171,8 +185,7 @@ bool dcesrv_auth_auth3(struct dcesrv_call_state *call)
 dce_conn->auth_state.auth_info->credentials,
 &dce_conn->auth_state.auth_info->credentials);
 if (NT_STATUS_IS_OK(status)) {
- status = gensec_session_info(dce_conn->auth_state.gensec_security,
- &dce_conn->auth_state.session_info);
+ status = dcesrv_session_info(dce_conn);
 if (!NT_STATUS_IS_OK(status)) {
 DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
 return false;
@@ -252,8 +265,7 @@ NTSTATUS dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct ncacn_pack
 &dce_conn->auth_state.auth_info->credentials);
 
 if (NT_STATUS_IS_OK(status)) {
- status = gensec_session_info(dce_conn->auth_state.gensec_security,
- &dce_conn->auth_state.session_info);
+ status = dcesrv_session_info(dce_conn);
 if (!NT_STATUS_IS_OK(status)) {
 DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
 return status;