On Thu, 2005-08-25 at 08:59 -0700, Jeremy Allison wrote:
> On Thu, Aug 25, 2005 at 10:05:46AM +0200, Stefan (metze) Metzmacher wrote:
> > > Modified: trunk/source/rpc_server/srv_pipe.c
> > > ===================================================================
> > > --- trunk/source/rpc_server/srv_pipe.c 2005-08-25 00:57:21 UTC (rev
> > > 9600)
> > > +++ trunk/source/rpc_server/srv_pipe.c 2005-08-25 01:02:14 UTC (rev
> > > 9601)
> > > @@ -2081,13 +2081,17 @@
> > > BOOL api_pipe_request(pipes_struct *p)
> > > {
> > > BOOL ret = False;
> > > + BOOL changed_user = False;
> > > PIPE_RPC_FNS *pipe_fns;
> > >
> > > - if (p->pipe_bound && p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) {
> > > + if (p->pipe_bound &&
> > > + ((p->auth.auth_type == PIPE_AUTH_TYPE_NTLMSSP) ||
> > > + (p->auth.auth_type == PIPE_AUTH_TYPE_SPNEGO_NTLMSSP)))
> > > {
> >
> > Hi Jeremy,
> >
> > maybe just use p->auth.auth_type != PIPE_AUTH_TYPE_NONE
> > ( != 0)
> >
> > do we become the user for the ipc$ share before?
> > as with auth_type == 0 we need to run the call as the user that connected
> > to the ipc$ share.
>
> I can't do that as schannel doesn't change user I think. We are in
> the security context of the user who connected to the ipc$ share when
> auth type is none, this is changing to an authenticated user.schannel should change user. We have been warning for ages that this will happen, and removed the code that I added to allow machine account to be 'virtual' in any way. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Samba Developer, SuSE Labs, Novell Inc. http://suse.de Authentication Developer, Samba Team http://samba.org Student Network Administrator, Hawker College http://hawkerc.net
signature.asc
Description: This is a digitally signed message part
