authorAndreas Schneider <asn@samba.org>2012-06-26 17:25:57 +0200
committerAndreas Schneider <asn@cryptomilk.org>2012-07-06 10:00:57 +0200
commitd37643c2046c9f45bd9580a9e1107cb33f442cd3 (patch)
treec597a0acb5fee81ac4a7195096310ed9b6ad5f14 /source3/rpc_server/lsa
parentd1e829bbabc9d2f2fdbe2e6fde57bf1e0f441b81 (diff)
s3-lsarpc: Enforce a secure connection for LookupSids3 and LookupNames4.
http://thread.gmane.org/gmane.network.protocol.cifs.general/291
Diffstat (limited to 'source3/rpc_server/lsa')
-rw-r--r--source3/rpc_server/lsa/srv_lsa_nt.c22
1 files changed, 14 insertions, 8 deletions
diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c
index 4802c49591..fc403dfa86 100644
--- a/source3/rpc_server/lsa/srv_lsa_nt.c
+++ b/source3/rpc_server/lsa/srv_lsa_nt.c
@@ -1126,10 +1126,13 @@ NTSTATUS _lsa_LookupSids3(struct pipes_struct *p,
}
/* No policy handle on this call. Restrict to crypto connections. */
- if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
- DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
- get_remote_machine_name() ));
- return NT_STATUS_INVALID_PARAMETER;
+ if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL ||
+ p->auth.auth_level < DCERPC_AUTH_LEVEL_INTEGRITY) {
+ DEBUG(1, ("_lsa_LookupSids3: The client %s is not using "
+ "a secure connection over netlogon\n",
+ get_remote_machine_name() ));
+ p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
+ return NT_STATUS_ACCESS_DENIED;
}
q.in.handle = NULL;
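Review bot: The new level check `p->auth.auth_level < DCERPC_AUTH_LEVEL_INTEGRITY` silently relies on the DCERPC_AUTH_LEVEL values being monotonically ordered so that PRIVACY passes as well; that assumption is worth stating next to the condition, e.g. `/* auth levels are ordered: INTEGRITY (signed) or PRIVACY (sealed) both pass */`. Note too that integrity only guarantees the request is signed, not sealed, so the SIDs being resolved still cross the wire in clear at this level; if the "secure connection" in the description is also meant to cover confidentiality, the bound would have to be DCERPC_AUTH_LEVEL_PRIVACY — the commit does not say, so confirm the intended minimum against the MS-LSAT requirement before tightening. The rejection now sets `p->fault_state` before returning, which the old code did not, so the RPC layer reports the fault consistently with the NTSTATUS. `_lsa_LookupSids3` begins before and continues after this hunk.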
@@ -1432,10 +1435,13 @@ NTSTATUS _lsa_LookupNames4(struct pipes_struct *p,
}
/* No policy handle on this call. Restrict to crypto connections. */
- if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
- DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
- get_remote_machine_name() ));
- return NT_STATUS_INVALID_PARAMETER;
+ if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL ||
+ p->auth.auth_level < DCERPC_AUTH_LEVEL_INTEGRITY) {
+ DEBUG(1, ("_lsa_LookupNames4: The client %s is not using "
+ "a secure connection over netlogon\n",
+ get_remote_machine_name()));
+ p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
+ return NT_STATUS_ACCESS_DENIED;
}
q.in.handle = NULL;
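Review bot: The guard added to `_lsa_LookupNames4` is a copy of the one added to `_lsa_LookupSids3` in the hunk above, differing only in the function name inside the log string; any later change to the policy (a different minimum level, an additional transport restriction) must then be made twice and the two can drift. A small static helper that takes the function name for the log message keeps the policy in one place and reduces each call site to a status check. The sketch below assumes an `NTSTATUS status` local is available in the caller, which is not visible in the hunk; `_lsa_LookupNames4` starts before and continues after this hunk.
```c
/* Reject the call unless the client is on a signed (or sealed) schannel
 * connection, setting the DCE fault state so the RPC layer reports
 * ACCESS_DENIED consistently with the NTSTATUS. */
static NTSTATUS lsa_require_schannel_integrity(struct pipes_struct *p,
					       const char *fn_name)
{
	if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL ||
	    p->auth.auth_level < DCERPC_AUTH_LEVEL_INTEGRITY) {
		DEBUG(1, ("%s: The client %s is not using "
			  "a secure connection over netlogon\n",
			  fn_name, get_remote_machine_name()));
		p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
		return NT_STATUS_ACCESS_DENIED;
	}
	return NT_STATUS_OK;
}

/* … unchanged: _lsa_LookupNames4 up to the policy-handle comment … */
	/* No policy handle on this call. Restrict to crypto connections. */
	status = lsa_require_schannel_integrity(p, "_lsa_LookupNames4");
	if (!NT_STATUS_IS_OK(status)) {
		return status;
	}
```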