diff options
| author | Volker Lendecke <vlendec@samba.org> | 2005-06-03 09:24:48 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 10:57:05 -0500 |
| commit | a01de91394f1723100bcd49870422e03f69afb7e (patch) | |
| tree | b71ecfa949b69618f07710d79a105d403ee69c9b /source3/rpc_server | |
| parent | 0deab47cc6f17e597430130df66f7acf8842ff30 (diff) | |
| download | samba-a01de91394f1723100bcd49870422e03f69afb7e.tar.gz samba-a01de91394f1723100bcd49870422e03f69afb7e.tar.bz2 samba-a01de91394f1723100bcd49870422e03f69afb7e.zip | |
r7217: Only allow schannel connections if a successful Auth2 has been done
before. Things tested: Domain join and subsequent interactive and network
logon to NT4, W2kSP and XPSP2 workstations and a NT4 domain trusting us. Right
now I've got problems with my W2k3 domain trusts. So this needs testing,
although I'm really confident that this does not break.
Volker
(This used to be commit c25b4afda2b657b73a6215d3ff36461a36496ba3)
Diffstat (limited to 'source3/rpc_server')
| -rw-r--r-- | source3/rpc_server/srv_netlog_nt.c | 2 | ||||
| -rw-r--r-- | source3/rpc_server/srv_pipe.c | 7 |
2 files changed, 9 insertions, 0 deletions
diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c index eb6bd2ac0a..a6fe9ef31a 100644 --- a/source3/rpc_server/srv_netlog_nt.c +++ b/source3/rpc_server/srv_netlog_nt.c @@ -27,6 +27,7 @@ #include "includes.h" extern struct dcinfo last_dcinfo; +extern BOOL server_auth2_negotiated; extern userdom_struct current_user_info; #undef DBGC_CLASS @@ -421,6 +422,7 @@ NTSTATUS _net_auth_2(pipes_struct *p, NET_Q_AUTH_2 *q_u, NET_R_AUTH_2 *r_u) init_net_r_auth_2(r_u, &srv_cred, &srv_flgs, status); if (NT_STATUS_IS_OK(status)) { + server_auth2_negotiated = True; last_dcinfo = p->dc; } diff --git a/source3/rpc_server/srv_pipe.c b/source3/rpc_server/srv_pipe.c index ee6c42bd88..ee4e803d9f 100644 --- a/source3/rpc_server/srv_pipe.c +++ b/source3/rpc_server/srv_pipe.c @@ -52,6 +52,7 @@ extern struct current_user current_user; next. This is the way the netlogon schannel works. **************************************************************/ struct dcinfo last_dcinfo; +BOOL server_auth2_negotiated = False; static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len) { @@ -975,6 +976,12 @@ BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p) RPC_AUTH_NETSEC_NEG neg; struct netsec_auth_struct *a = &(p->netsec_auth); + if (!server_auth2_negotiated) { + DEBUG(0, ("Attempt to bind using schannel " + "without successful serverauth2\n")); + return False; + } + if (!smb_io_rpc_auth_netsec_neg("", &neg, rpc_in_p, 0)) { DEBUG(0,("api_pipe_bind_req: " "Could not unmarshal SCHANNEL auth neg\n")); |