authorVolker Lendecke <vlendec@samba.org>2005-06-03 09:24:48 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 10:57:05 -0500
commita01de91394f1723100bcd49870422e03f69afb7e (patch)
treeb71ecfa949b69618f07710d79a105d403ee69c9b /source3/rpc_server
parent0deab47cc6f17e597430130df66f7acf8842ff30 (diff)
r7217: Only allow schannel connections if a successful Auth2 has been done
before. Things tested: Domain join and subsequent interactive and network logon to NT4, W2kSP and XPSP2 workstations and a NT4 domain trusting us. Right now I've got problems with my W2k3 domain trusts. So this needs testing, although I'm really confident that this does not break. Volker (This used to be commit c25b4afda2b657b73a6215d3ff36461a36496ba3)
Diffstat (limited to 'source3/rpc_server')
-rw-r--r--source3/rpc_server/srv_netlog_nt.c2
-rw-r--r--source3/rpc_server/srv_pipe.c7
2 files changed, 9 insertions, 0 deletions
diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c
index eb6bd2ac0a..a6fe9ef31a 100644
--- a/source3/rpc_server/srv_netlog_nt.c
+++ b/source3/rpc_server/srv_netlog_nt.c
@@ -27,6 +27,7 @@
#include "includes.h"
extern struct dcinfo last_dcinfo;
+extern BOOL server_auth2_negotiated;
extern userdom_struct current_user_info;
#undef DBGC_CLASS
@@ -421,6 +422,7 @@ NTSTATUS _net_auth_2(pipes_struct *p, NET_Q_AUTH_2 *q_u, NET_R_AUTH_2 *r_u)
init_net_r_auth_2(r_u, &srv_cred, &srv_flgs, status);
if (NT_STATUS_IS_OK(status)) {
+ server_auth2_negotiated = True;
last_dcinfo = p->dc;
}
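Review bot: `server_auth2_negotiated` is set to True on a successful Auth2 here, but nothing visible ever sets it back, so after one good Auth2 every later schannel bind in the same process passes the new gate in api_pipe_bind_req, even if a subsequent Auth2 fails. That may be intended, since `last_dcinfo` is also updated only on success and so still holds the earlier credentials, but the flag is process-wide and not tied to the pipe or the account that authenticated. If the sticky behaviour is deliberate, say so next to the assignment, e.g. `/* sticky: last_dcinfo stays valid after a later failed Auth2 */`. _net_auth_2 starts and ends outside this hunk, so a reset elsewhere in the function cannot be ruled out from here.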
diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c
index ee6c42bd88..ee4e803d9f 100644
--- a/source3/rpc_server/srv_pipe.c
+++ b/source3/rpc_server/srv_pipe.c
@@ -52,6 +52,7 @@ extern struct current_user current_user;
next. This is the way the netlogon schannel works.
**************************************************************/
struct dcinfo last_dcinfo;
+BOOL server_auth2_negotiated = False;
static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
{
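Review bot: The new global `server_auth2_negotiated` has no comment of its own; the block comment above it describes only `last_dcinfo`. A reader of srv_pipe.c cannot tell who sets the flag or what it gates, so I would add `/* True once _net_auth_2 has succeeded; api_pipe_bind_req refuses schannel binds until then */` above the definition. The flag is also shared through a bare `extern` in srv_netlog_nt.c (the first hunk of that file) rather than a declaration in a common header, so the compiler cannot check that the two declarations stay in agreement if the type is ever changed.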
@@ -975,6 +976,12 @@ BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
RPC_AUTH_NETSEC_NEG neg;
struct netsec_auth_struct *a = &(p->netsec_auth);
+ if (!server_auth2_negotiated) {
+ DEBUG(0, ("Attempt to bind using schannel "
+ "without successful serverauth2\n"));
+ return False;
+ }
+
if (!smb_io_rpc_auth_netsec_neg("", &neg, rpc_in_p, 0)) {
DEBUG(0,("api_pipe_bind_req: "
"Could not unmarshal SCHANNEL auth neg\n"));
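Review bot: The rejection message added at the top of this branch omits the function-name prefix that the neighbouring message carries ("api_pipe_bind_req: Could not unmarshal ..."), which makes it harder to locate in a log. It is also logged at level 0 for a condition that a client can trigger before any authentication, so repeated bind attempts would write to the log at the default level; whether that visibility is wanted for a security-relevant refusal is a judgement call, but the message should at least identify its origin: `DEBUG(0, ("api_pipe_bind_req: schannel bind without successful serverauth2\n"));`. api_pipe_bind_req starts and continues outside this hunk.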