authorJeremy Allison <jra@samba.org>2006-02-09 00:23:40 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 11:09:59 -0500
commitcf7c47aac990f67e1829a7e4b9d3550b7e93739b (patch)
tree0246e8d6e9ae210adfb67bfc2e06f45e2b4920e3 /source3/rpc_server
parent86358fc10bb02bd3069736bedb120f52fa3f6494 (diff)
r13399: Get closer to passing RPC-SCHANNEL test.
Jeremy. (This used to be commit 8ae70122b79fbe682c227ec2c4e5a72bf58d76de)
Diffstat (limited to 'source3/rpc_server')
-rw-r--r--source3/rpc_server/srv_netlog.c8
-rw-r--r--source3/rpc_server/srv_netlog_nt.c14
-rw-r--r--source3/rpc_server/srv_samr_nt.c5
3 files changed, 18 insertions, 9 deletions
diff --git a/source3/rpc_server/srv_netlog.c b/source3/rpc_server/srv_netlog.c
index a45a7eebf6..567028eec4 100644
--- a/source3/rpc_server/srv_netlog.c
+++ b/source3/rpc_server/srv_netlog.c
@@ -197,10 +197,10 @@ static BOOL api_net_sam_logon(pipes_struct *p)
ZERO_STRUCT(q_u);
ZERO_STRUCT(r_u);
- if(!net_io_q_sam_logon("", &q_u, data, 0)) {
- DEBUG(0, ("api_net_sam_logon: Failed to unmarshall NET_Q_SAM_LOGON.\n"));
- return False;
- }
+ if(!net_io_q_sam_logon("", &q_u, data, 0)) {
+ DEBUG(0, ("api_net_sam_logon: Failed to unmarshall NET_Q_SAM_LOGON.\n"));
+ return False;
+ }
r_u.status = _net_sam_logon(p, &q_u, &r_u);
diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c
index fd78f954cc..d6ec31a985 100644
--- a/source3/rpc_server/srv_netlog_nt.c
+++ b/source3/rpc_server/srv_netlog_nt.c
@@ -473,7 +473,7 @@ NTSTATUS _net_srv_pwset(pipes_struct *p, NET_Q_SRV_PWSET *q_u, NET_R_SRV_PWSET *
DEBUG(2,("_net_srv_pwset: creds_server_step failed. Rejecting auth "
"request from client %s machine account %s\n",
p->dc->remote_machine, p->dc->mach_acct ));
- return NT_STATUS_ACCESS_DENIED;
+ return NT_STATUS_INVALID_PARAMETER;
}
DEBUG(5,("_net_srv_pwset: %d\n", __LINE__));
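Review bot: The new `return NT_STATUS_INVALID_PARAMETER;` after a failed creds_server_step reports a rejected credential chain as a parameter error, and nothing in the hunk says why. The commit message suggests this was done to satisfy the RPC-SCHANNEL test, so a comment above the return such as `/* Status chosen to match what the RPC-SCHANNEL test expects; this is still an authentication failure. */` would keep a later reader from reverting it. The same change is made in _net_sam_logoff and in _net_sam_logon (the hunks at -573 and -662) and wants the same comment. Because the status no longer reads as a denial, the DEBUG(2) line is the only record on the server that the authenticator check failed, which matters when choosing the log level used for monitoring. All three function bodies start and end outside their hunks.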
@@ -573,7 +573,7 @@ NTSTATUS _net_sam_logoff(pipes_struct *p, NET_Q_SAM_LOGOFF *q_u, NET_R_SAM_LOGOF
DEBUG(2,("_net_sam_logoff: creds_server_step failed. Rejecting auth "
"request from client %s machine account %s\n",
p->dc->remote_machine, p->dc->mach_acct ));
- return NT_STATUS_ACCESS_DENIED;
+ return NT_STATUS_INVALID_PARAMETER;
}
r_u->status = NT_STATUS_OK;
@@ -636,9 +636,13 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON *
/* store the user information, if there is any. */
r_u->user = usr_info;
- r_u->switch_value = 0; /* indicates no info */
r_u->auth_resp = 1; /* authoritative response */
- r_u->switch_value = 3; /* indicates type of validation user info */
+ if (q_u->validation_level != 2 && q_u->validation_level != 3) {
+ DEBUG(0,("_net_sam_logon: bad validation_level value %d.\n", (int)q_u->validation_level ));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ /* We handle the return of USER_INFO_2 instead of 3 in the parse return. Sucks, I know... */
+ r_u->switch_value = q_u->validation_level; /* indicates type of validation user info */
r_u->buffer_creds = 1; /* Ensure we always return server creds. */
if (!get_valid_user_struct(p->vuid))
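Review bot: The added `DEBUG(0, ...)` for a bad validation_level logs a client-supplied value at level 0, and judging by the hunk positions it runs before the creds_server_step check further down in the same function, so a caller that has not yet passed the authenticator check can apparently produce one level-0 log line per request. The neighbouring rejection paths log at level 2, and `DEBUG(2,("_net_sam_logon: bad validation_level value %d.\n", (int)q_u->validation_level ));` would be consistent with them. The status choice also looks inverted next to the rest of this commit: a malformed request field returns `NT_STATUS_ACCESS_DENIED` here while failed credentials now return NT_STATUS_INVALID_PARAMETER, so a one-line comment saying which code the test expects would help. _net_sam_logon starts and ends outside the hunk.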
@@ -662,7 +666,7 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON *
DEBUG(2,("_net_sam_logon: creds_server_step failed. Rejecting auth "
"request from client %s machine account %s\n",
p->dc->remote_machine, p->dc->mach_acct ));
- return NT_STATUS_ACCESS_DENIED;
+ return NT_STATUS_INVALID_PARAMETER;
}
/* find the username */
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index 52f922b924..bf0e2ba070 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -2537,6 +2537,11 @@ NTSTATUS _samr_connect_anon(pipes_struct *p, SAMR_Q_CONNECT_ANON *q_u, SAMR_R_CO
was observed from a win98 client trying to enumerate users (when configured
user level access control on shares) --jerry */
+ if (des_access == MAXIMUM_ALLOWED_ACCESS) {
+ /* Map to max possible knowing we're filtered below. */
+ des_access = GENERIC_ALL_ACCESS;
+ }
+
se_map_generic( &des_access, &sam_generic_mapping );
info->acc_granted = des_access & (SA_RIGHT_SAM_ENUM_DOMAINS|SA_RIGHT_SAM_OPEN_DOMAIN);