summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2009-04-09 14:22:04 +1000
committerAndrew Bartlett <abartlet@samba.org>2009-04-14 16:23:44 +1000
commit53afa1adacb239fd942b3b58707c8e4c55639175 (patch)
treeeb78cd8d92bdf2a45223fc383edef90b2c5f1507
parentbaf7274fed2f1ae7a9e3a57160bf5471566e636c (diff)
downloadsamba-53afa1adacb239fd942b3b58707c8e4c55639175.tar.gz
samba-53afa1adacb239fd942b3b58707c8e4c55639175.tar.bz2
samba-53afa1adacb239fd942b3b58707c8e4c55639175.zip
libcli/auth Push schannel check into common libcli/auth
This means we have a single choke point to ensure the remote client is using schannel. Andrew Bartlett
-rw-r--r--libcli/auth/schannel_state.c13
1 files changed, 9 insertions, 4 deletions
diff --git a/libcli/auth/schannel_state.c b/libcli/auth/schannel_state.c
index c3f087d7dc..b45249e9e2 100644
--- a/libcli/auth/schannel_state.c
+++ b/libcli/auth/schannel_state.c
@@ -147,7 +147,7 @@ NTSTATUS schannel_store_session_key(struct ldb_context *ldb,
/* We don't need a transaction here, as we either add or
* modify records, never delete them, so it must exist */
- if (ret != 0) {
+ if (ret != LDB_SUCCESS) {
DEBUG(0,("Unable to add %s to session key db - %s\n",
ldb_dn_get_linearized(msg->dn), ldb_errstring(ldb)));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
@@ -263,8 +263,9 @@ NTSTATUS schannel_fetch_session_key(struct ldb_context *ldb,
*/
NTSTATUS schannel_creds_server_step_check(struct ldb_context *ldb,
TALLOC_CTX *mem_ctx,
- bool schannel_in_use,
const char *computer_name,
+ bool schannel_required_for_call,
+ bool schannel_in_use,
struct netr_Authenticator *received_authenticator,
struct netr_Authenticator *return_authenticator,
struct netlogon_creds_CredentialState **creds_out)
@@ -285,8 +286,12 @@ NTSTATUS schannel_creds_server_step_check(struct ldb_context *ldb,
nt_status = schannel_fetch_session_key(ldb, ldb, computer_name,
&creds);
- /* Ensure that once the client and server agree on schannel, that all future calls must use it */
- if (creds->negotiate_flags & NETLOGON_NEG_SCHANNEL && !schannel_in_use) {
+ /* If we are flaged that schannel is required for a call, and
+ * it is not in use, then make this an error */
+
+ /* It would be good to make this mandetory once schannel is
+ * negoiated, bu this is not what windows does */
+ if (schannel_required_for_call && !schannel_in_use) {
DEBUG(0,("schannel_creds_server_step_check: client %s not using schannel for netlogon, despite negotiating it\n",
creds->computer_name ));
return NT_STATUS_ACCESS_DENIED;