On Thu, 2005-08-25 at 08:59 -0700, Jeremy Allison wrote: > On Thu, Aug 25, 2005 at 10:05:46AM +0200, Stefan (metze) Metzmacher wrote: > > > Modified: trunk/source/rpc_server/srv_pipe.c > > > =================================================================== > > > --- trunk/source/rpc_server/srv_pipe.c 2005-08-25 00:57:21 UTC (rev > > > 9600) > > > +++ trunk/source/rpc_server/srv_pipe.c 2005-08-25 01:02:14 UTC (rev > > > 9601) > > > @@ -2081,13 +2081,17 @@ > > > BOOL api_pipe_request(pipes_struct *p) > > > { > > > BOOL ret = False; > > > + BOOL changed_user = False; > > > PIPE_RPC_FNS *pipe_fns; > > > > > > - if (p->pipe_bound && p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) { > > > + if (p->pipe_bound && > > > + ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) || > > > + (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP))) > > > { > > > > Hi Jeremy, > > > > maybe just use p->auth.auth_type != PIPE_AUTH_TYPE_NONE > > ( != 0) > > > > do we become the user for the ipc$ share before? > > as with auth_type == 0 we need to run the call as the user that connected > > to the ipc$ share. > > I can't do that as schannel doesn't change user I think. We are in > the security context of the user who connected to the ipc$ share when > auth type is none, this is changing to an authenticated user.
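Review bot: The auth-type test in the `if (p->pipe_bound && ...)` condition of api_pipe_request() is an explicit allow-list of two values, so a bind with any other auth type takes the same path as PIPE_AUTH_TYPE_NONE and the request runs in the security context of the user who connected to the ipc$ share. Add a comment at the condition stating which types are deliberately left out and why, or test against PIPE_AUTH_TYPE_NONE as suggested in the thread once every remaining type is known to carry a user to switch to. The new `changed_user` flag is only declared in the lines shown here; the part of the function that sets and consumes it is cut off, so it is worth confirming that it becomes True only after the user switch succeeds and that the switch is undone on every return path.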
schannel should change user. We have been warning for ages that this will happen, and removed the code that I added to allow machine account to be 'virtual' in any way.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Samba Developer, SuSE Labs, Novell Inc.        http://suse.de
Authentication Developer, Samba Team           http://samba.org
Student Network Administrator, Hawker College  http://hawkerc.net