s3:rpcclient: only require netlogon_creds for specified netlogon calls

A lot of calls on the netlogon pipe doesn't require netlogon credentials,
e.g. netr_LogonControl*() should work just with administrator credentials.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Guenther Deschner <gd@samba.org>

diff --git a/source3/rpcclient/cmd_netlogon.c b/source3/rpcclient/cmd_netlogon.c
index 2d1c35168cea0f28b068decbe933a5ac528267a6..1af68f98681c41b9a059701be074a370b8ed2264 100644 (file)
--- a/source3/rpcclient/cmd_netlogon.c
+++ b/source3/rpcclient/cmd_netlogon.c
@@ -1289,10 +1289,10 @@ struct cmd_set netlogon_commands[] = {
        { "dsr_getsitename", RPC_RTYPE_WERROR, NULL, cmd_netlogon_dsr_getsitename, &ndr_table_netlogon, NULL, "Get sitename",     "" },
        { "dsr_getforesttrustinfo", RPC_RTYPE_WERROR, NULL, cmd_netlogon_dsr_getforesttrustinfo, &ndr_table_netlogon, NULL, "Get Forest Trust Info",     "" },
        { "logonctrl",  RPC_RTYPE_WERROR, NULL, cmd_netlogon_logon_ctrl, &ndr_table_netlogon, NULL, "Logon Control",       "" },
-       { "samsync",    RPC_RTYPE_NTSTATUS, cmd_netlogon_sam_sync,    NULL, &ndr_table_netlogon, NULL, "Sam Synchronisation", "" },
-       { "samdeltas",  RPC_RTYPE_NTSTATUS, cmd_netlogon_sam_deltas,  NULL, &ndr_table_netlogon, NULL, "Query Sam Deltas",    "" },
-       { "samlogon",   RPC_RTYPE_NTSTATUS, cmd_netlogon_sam_logon,   NULL, &ndr_table_netlogon, NULL, "Sam Logon",           "" },
-       { "change_trust_pw",   RPC_RTYPE_NTSTATUS, cmd_netlogon_change_trust_pw,   NULL, &ndr_table_netlogon, NULL, "Change Trust Account Password",           "" },
+       { "samsync",    RPC_RTYPE_NTSTATUS, cmd_netlogon_sam_sync,    NULL, &ndr_table_netlogon, NULL, "Sam Synchronisation", "", .use_netlogon_creds = true, },
+       { "samdeltas",  RPC_RTYPE_NTSTATUS, cmd_netlogon_sam_deltas,  NULL, &ndr_table_netlogon, NULL, "Query Sam Deltas",    "", .use_netlogon_creds = true, },
+       { "samlogon",   RPC_RTYPE_NTSTATUS, cmd_netlogon_sam_logon,   NULL, &ndr_table_netlogon, NULL, "Sam Logon",           "", .use_netlogon_creds = true, },
+       { "change_trust_pw",   RPC_RTYPE_NTSTATUS, cmd_netlogon_change_trust_pw,   NULL, &ndr_table_netlogon, NULL, "Change Trust Account Password",           "", .use_netlogon_creds = true, },
        { "gettrustrid", RPC_RTYPE_WERROR, NULL, cmd_netlogon_gettrustrid, &ndr_table_netlogon, NULL, "Get trust rid",     "" },
        { "dsr_enumtrustdom", RPC_RTYPE_WERROR, NULL, cmd_netlogon_dsr_enumtrustdom, &ndr_table_netlogon, NULL, "Enumerate trusted domains",     "" },
        { "dsenumdomtrusts",  RPC_RTYPE_WERROR, NULL, cmd_netlogon_dsr_enumtrustdom, &ndr_table_netlogon, NULL, "Enumerate all trusted domains in an AD forest",     "" },
@@ -1300,8 +1300,8 @@ struct cmd_set netlogon_commands[] = {
        { "netrenumtrusteddomains", RPC_RTYPE_NTSTATUS, cmd_netlogon_enumtrusteddomains, NULL, &ndr_table_netlogon, NULL, "Enumerate trusted domains",     "" },
        { "netrenumtrusteddomainsex", RPC_RTYPE_WERROR, NULL, cmd_netlogon_enumtrusteddomainsex, &ndr_table_netlogon, NULL, "Enumerate trusted domains",     "" },
        { "getdcsitecoverage", RPC_RTYPE_WERROR, NULL, cmd_netlogon_getdcsitecoverage, &ndr_table_netlogon, NULL, "Get the Site-Coverage from a DC",     "" },
-       { "database_redo", RPC_RTYPE_NTSTATUS, cmd_netlogon_database_redo, NULL, &ndr_table_netlogon, NULL, "Replicate single object from a DC",     "" },
-       { "capabilities", RPC_RTYPE_NTSTATUS, cmd_netlogon_capabilities, NULL, &ndr_table_netlogon, NULL, "Return Capabilities",     "" },
+       { "database_redo", RPC_RTYPE_NTSTATUS, cmd_netlogon_database_redo, NULL, &ndr_table_netlogon, NULL, "Replicate single object from a DC",     "", .use_netlogon_creds = true, },
+       { "capabilities", RPC_RTYPE_NTSTATUS, cmd_netlogon_capabilities, NULL, &ndr_table_netlogon, NULL, "Return Capabilities",     "", .use_netlogon_creds = true, },
 
        { NULL }
 };

diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
index db89b47dfc70f57472d468db81901de813cbb67c..47789f44835fb1851ce84199526a2e5b0a49ee37 100644 (file)
--- a/source3/rpcclient/rpcclient.c
+++ b/source3/rpcclient/rpcclient.c
@@ -681,7 +681,6 @@ static NTSTATUS do_cmd(struct cli_state *cli,
 {
        NTSTATUS ntresult;
        WERROR wresult;
-       bool ok;
 
        TALLOC_CTX *mem_ctx;
 
@@ -757,9 +756,7 @@ static NTSTATUS do_cmd(struct cli_state *cli,
                        return ntresult;
                }
 
-               ok = ndr_syntax_id_equal(&cmd_entry->table->syntax_id,
-                                        &ndr_table_netlogon.syntax_id);
-               if (rpcclient_netlogon_creds == NULL && ok) {
+               if (rpcclient_netlogon_creds == NULL && cmd_entry->use_netlogon_creds) {
                        const char *dc_name = cmd_entry->rpc_pipe->desthost;
                        const char *domain = get_cmdline_auth_info_domain(auth_info);
                        struct cli_credentials *creds = NULL;

diff --git a/source3/rpcclient/rpcclient.h b/source3/rpcclient/rpcclient.h
index 9cb0323dd4a42caa5692cb150ad7c75935fc3010..7697d3d0485c9e8c8b79de08af4e1e1841b71813 100644 (file)
--- a/source3/rpcclient/rpcclient.h
+++ b/source3/rpcclient/rpcclient.h
@@ -39,6 +39,7 @@ struct cmd_set {
        struct rpc_pipe_client *rpc_pipe;
        const char *description;
        const char *usage;
+       bool use_netlogon_creds;
 };
 
 extern struct messaging_context *rpcclient_msg_ctx;