diff options
| author | Simo Sorce <idra@samba.org> | 2010-02-18 10:19:09 -0500 |
|---|---|---|
| committer | Simo Sorce <idra@samba.org> | 2010-02-23 12:46:50 -0500 |
| commit | b4c9dc3724b5c34661b6986e81af2dc6c191dde9 (patch) | |
| tree | 5b151492b580daaafa96eefb2f5bfa9faaa5ba69 | |
| parent | 61b7a24f16c9d3a3c41df19ac7073571164eb47a (diff) | |
| download | samba-b4c9dc3724b5c34661b6986e81af2dc6c191dde9.tar.gz samba-b4c9dc3724b5c34661b6986e81af2dc6c191dde9.tar.bz2 samba-b4c9dc3724b5c34661b6986e81af2dc6c191dde9.zip | |
s3:schannel more readable check logic
Make the initial schannel check logic more understandable.
Make it easy to define different policies depending on ther caller's security
requirements (Integrity/Privacy/Both/None)
| -rw-r--r-- | libcli/auth/schannel_state_proto.h | 2 | ||||
| -rw-r--r-- | libcli/auth/schannel_state_tdb.c | 15 | ||||
| -rw-r--r-- | source3/rpc_server/srv_netlog_nt.c | 44 |
3 files changed, 39 insertions, 22 deletions
diff --git a/libcli/auth/schannel_state_proto.h b/libcli/auth/schannel_state_proto.h index c582c3e8b8..d0a071c876 100644 --- a/libcli/auth/schannel_state_proto.h +++ b/libcli/auth/schannel_state_proto.h @@ -36,8 +36,6 @@ NTSTATUS schannel_fetch_session_key_tdb(struct tdb_context *tdb, NTSTATUS schannel_creds_server_step_check_tdb(struct tdb_context *tdb, TALLOC_CTX *mem_ctx, const char *computer_name, - bool schannel_required_for_call, - bool schannel_in_use, struct netr_Authenticator *received_authenticator, struct netr_Authenticator *return_authenticator, struct netlogon_creds_CredentialState **creds_out); diff --git a/libcli/auth/schannel_state_tdb.c b/libcli/auth/schannel_state_tdb.c index 7ec8b3fdea..3da7618e2c 100644 --- a/libcli/auth/schannel_state_tdb.c +++ b/libcli/auth/schannel_state_tdb.c @@ -163,8 +163,6 @@ NTSTATUS schannel_fetch_session_key_tdb(struct tdb_context *tdb, NTSTATUS schannel_creds_server_step_check_tdb(struct tdb_context *tdb, TALLOC_CTX *mem_ctx, const char *computer_name, - bool schannel_required_for_call, - bool schannel_in_use, struct netr_Authenticator *received_authenticator, struct netr_Authenticator *return_authenticator, struct netlogon_creds_CredentialState **creds_out) @@ -185,19 +183,6 @@ NTSTATUS schannel_creds_server_step_check_tdb(struct tdb_context *tdb, status = schannel_fetch_session_key_tdb(tdb, mem_ctx, computer_name, &creds); - /* If we are flaged that schannel is required for a call, and - * it is not in use, then make this an error */ - - /* It would be good to make this mandatory once schannel is - * negotiated, but this is not what windows does */ - if (schannel_required_for_call && !schannel_in_use) { - DEBUG(0,("schannel_creds_server_step_check_tdb: " - "client %s not using schannel for netlogon, despite negotiating it\n", - creds->computer_name )); - tdb_transaction_cancel(tdb); - return NT_STATUS_ACCESS_DENIED; - } - if (NT_STATUS_IS_OK(status)) { status = netlogon_creds_server_step_check(creds, received_authenticator, diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c index 71463c28ad..769936ca20 100644 --- a/source3/rpc_server/srv_netlog_nt.c +++ b/source3/rpc_server/srv_netlog_nt.c @@ -766,6 +766,36 @@ NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p, } /************************************************************************* + * If schannel is required for this call test that it actually is available. + *************************************************************************/ +static NTSTATUS schannel_check_required(struct pipe_auth_data *auth_info, + const char *computer_name, + bool integrity, bool privacy) +{ + if (auth_info && auth_info->auth_type == PIPE_AUTH_TYPE_SCHANNEL) { + if (!privacy && !integrity) { + return NT_STATUS_OK; + } + + if ((!privacy && integrity) && + auth_info->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) { + return NT_STATUS_OK; + } + + if ((privacy || integrity) && + auth_info->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { + return NT_STATUS_OK; + } + } + + /* test didn't pass */ + DEBUG(0, ("schannel_check_required: [%s] is not using schannel\n", + computer_name)); + + return NT_STATUS_ACCESS_DENIED; +} + +/************************************************************************* *************************************************************************/ static NTSTATUS netr_creds_server_step_check(pipes_struct *p, @@ -778,9 +808,15 @@ static NTSTATUS netr_creds_server_step_check(pipes_struct *p, NTSTATUS status; struct tdb_context *tdb; bool schannel_global_required = (lp_server_schannel() == true) ? true:false; - bool schannel_in_use = (p->auth.auth_type == PIPE_AUTH_TYPE_SCHANNEL) ? true:false; /* && - (p->auth.auth_level == DCERPC_AUTH_LEVEL_INTEGRITY || - p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY); */ + + if (schannel_global_required) { + status = schannel_check_required(&p->auth, + computer_name, + false, false); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + } tdb = open_schannel_session_store(mem_ctx); if (!tdb) { @@ -789,8 +825,6 @@ static NTSTATUS netr_creds_server_step_check(pipes_struct *p, status = schannel_creds_server_step_check_tdb(tdb, mem_ctx, computer_name, - schannel_global_required, - schannel_in_use, received_authenticator, return_authenticator, creds_out); |