s3-lsarpc: Enforce a secure connection for LookupSids3 and LookupNames4.

http://thread.gmane.org/gmane.network.protocol.cifs.general/291

1 files changed, 14 insertions, 8 deletions

diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c
index 4802c49591..fc403dfa86 100644
--- a/source3/rpc_server/lsa/srv_lsa_nt.c
+++ b/source3/rpc_server/lsa/srv_lsa_nt.c
@@ -1126,10 +1126,13 @@ NTSTATUS _lsa_LookupSids3(struct pipes_struct *p,
 	}
 
 	/* No policy handle on this call. Restrict to crypto connections. */
-	if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
-		DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
-			get_remote_machine_name() ));
-		return NT_STATUS_INVALID_PARAMETER;
+	if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL ||
+	    p->auth.auth_level < DCERPC_AUTH_LEVEL_INTEGRITY) {
+		DEBUG(1, ("_lsa_LookupSids3: The client %s is not using "
+			  "a secure connection over netlogon\n",
+			  get_remote_machine_name() ));
+		p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
+		return NT_STATUS_ACCESS_DENIED;
 	}
 
 	q.in.handle		= NULL;
@@ -1432,10 +1435,13 @@ NTSTATUS _lsa_LookupNames4(struct pipes_struct *p,
 	}
 
 	/* No policy handle on this call. Restrict to crypto connections. */
-	if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
-		DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
-			get_remote_machine_name() ));
-		return NT_STATUS_INVALID_PARAMETER;
+	if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL ||
+	    p->auth.auth_level < DCERPC_AUTH_LEVEL_INTEGRITY) {
+		DEBUG(1, ("_lsa_LookupNames4: The client %s is not using "
+			  "a secure connection over netlogon\n",
+			  get_remote_machine_name()));
+		p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
+		return NT_STATUS_ACCESS_DENIED;
 	}
 
 	q.in.handle		= NULL;