s3:schannel more readable check logic

Make the initial schannel check logic more understandable.
Make it easy to define different policies depending on ther caller's security
requirements (Integrity/Privacy/Both/None)

1 files changed, 0 insertions, 15 deletions

diff --git a/libcli/auth/schannel_state_tdb.c b/libcli/auth/schannel_state_tdb.c
index 7ec8b3fdea..3da7618e2c 100644
--- a/libcli/auth/schannel_state_tdb.c
+++ b/libcli/auth/schannel_state_tdb.c
@@ -163,8 +163,6 @@ NTSTATUS schannel_fetch_session_key_tdb(struct tdb_context *tdb,
 NTSTATUS schannel_creds_server_step_check_tdb(struct tdb_context *tdb,
 					      TALLOC_CTX *mem_ctx,
 					      const char *computer_name,
-					      bool schannel_required_for_call,
-					      bool schannel_in_use,
 					      struct netr_Authenticator *received_authenticator,
 					      struct netr_Authenticator *return_authenticator,
 					      struct netlogon_creds_CredentialState **creds_out)
@@ -185,19 +183,6 @@ NTSTATUS schannel_creds_server_step_check_tdb(struct tdb_context *tdb,
 	status = schannel_fetch_session_key_tdb(tdb, mem_ctx, computer_name,
 						&creds);
 
-	/* If we are flaged that schannel is required for a call, and
-	 * it is not in use, then make this an error */
-
-	/* It would be good to make this mandatory once schannel is
-	 * negotiated, but this is not what windows does */
-	if (schannel_required_for_call && !schannel_in_use) {
-		DEBUG(0,("schannel_creds_server_step_check_tdb: "
-			"client %s not using schannel for netlogon, despite negotiating it\n",
-			creds->computer_name ));
-		tdb_transaction_cancel(tdb);
-		return NT_STATUS_ACCESS_DENIED;
-	}
-
 	if (NT_STATUS_IS_OK(status)) {
 		status = netlogon_creds_server_step_check(creds,
 							  received_authenticator,