author | Jeremy Allison <jra@samba.org> | 2006-02-09 00:23:40 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 11:09:59 -0500 |
commit | cf7c47aac990f67e1829a7e4b9d3550b7e93739b (patch) | |
tree | 0246e8d6e9ae210adfb67bfc2e06f45e2b4920e3 /source3/rpc_server | |
parent | 86358fc10bb02bd3069736bedb120f52fa3f6494 (diff) | |
r13399: Get closer to passing RPC-SCHANNEL test.
Jeremy.
(This used to be commit 8ae70122b79fbe682c227ec2c4e5a72bf58d76de)
Diffstat (limited to 'source3/rpc_server')
-rw-r--r-- | source3/rpc_server/srv_netlog.c | 8 | ||||
-rw-r--r-- | source3/rpc_server/srv_netlog_nt.c | 14 | ||||
-rw-r--r-- | source3/rpc_server/srv_samr_nt.c | 5 |
3 files changed, 18 insertions, 9 deletions
diff --git a/source3/rpc_server/srv_netlog.c b/source3/rpc_server/srv_netlog.c index a45a7eebf6..567028eec4 100644 --- a/source3/rpc_server/srv_netlog.c +++ b/source3/rpc_server/srv_netlog.c @@ -197,10 +197,10 @@ static BOOL api_net_sam_logon(pipes_struct *p) ZERO_STRUCT(q_u); ZERO_STRUCT(r_u); - if(!net_io_q_sam_logon("", &q_u, data, 0)) { - DEBUG(0, ("api_net_sam_logon: Failed to unmarshall NET_Q_SAM_LOGON.\n")); - return False; - } + if(!net_io_q_sam_logon("", &q_u, data, 0)) { + DEBUG(0, ("api_net_sam_logon: Failed to unmarshall NET_Q_SAM_LOGON.\n")); + return False; + } r_u.status = _net_sam_logon(p, &q_u, &r_u); diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c index fd78f954cc..d6ec31a985 100644 --- a/source3/rpc_server/srv_netlog_nt.c +++ b/source3/rpc_server/srv_netlog_nt.c @@ -473,7 +473,7 @@ NTSTATUS _net_srv_pwset(pipes_struct *p, NET_Q_SRV_PWSET *q_u, NET_R_SRV_PWSET * DEBUG(2,("_net_srv_pwset: creds_server_step failed. Rejecting auth " "request from client %s machine account %s\n", p->dc->remote_machine, p->dc->mach_acct )); - return NT_STATUS_ACCESS_DENIED; + return NT_STATUS_INVALID_PARAMETER; } DEBUG(5,("_net_srv_pwset: %d\n", __LINE__)); @@ -573,7 +573,7 @@ NTSTATUS _net_sam_logoff(pipes_struct *p, NET_Q_SAM_LOGOFF *q_u, NET_R_SAM_LOGOF DEBUG(2,("_net_sam_logoff: creds_server_step failed. Rejecting auth " "request from client %s machine account %s\n", p->dc->remote_machine, p->dc->mach_acct )); - return NT_STATUS_ACCESS_DENIED; + return NT_STATUS_INVALID_PARAMETER; } r_u->status = NT_STATUS_OK; 
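Review bot: In `_net_srv_pwset`, a failed `creds_server_step` now returns `NT_STATUS_INVALID_PARAMETER` with no comment explaining why a credential-chain failure is reported as a parameter error; the same change appears in the `_net_sam_logoff` hunk and in the `_net_sam_logon` hunk at -662. The commit message suggests this is what the RPC-SCHANNEL test expects, but the code does not record it, so I would add above each return `/* Authenticator check failed; INVALID_PARAMETER (not ACCESS_DENIED) is presumably what RPC-SCHANNEL expects here - confirm. */`. Anything that counts ACCESS_DENIED replies to spot failed netlogon authentication will no longer see these cases, which leaves the level-2 `DEBUG` line as the only trace. All three function bodies continue outside their hunks.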
@@ -636,9 +636,13 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON * /* store the user information, if there is any. */ r_u->user = usr_info; - r_u->switch_value = 0; /* indicates no info */ r_u->auth_resp = 1; /* authoritative response */ - r_u->switch_value = 3; /* indicates type of validation user info */ + if (q_u->validation_level != 2 && q_u->validation_level != 3) { + DEBUG(0,("_net_sam_logon: bad validation_level value %d.\n", (int)q_u->validation_level )); + return NT_STATUS_ACCESS_DENIED; + } + /* We handle the return of USER_INFO_2 instead of 3 in the parse return. Sucks, I know... */ + r_u->switch_value = q_u->validation_level; /* indicates type of validation user info */ r_u->buffer_creds = 1; /* Ensure we always return server creds. */ if (!get_valid_user_struct(p->vuid)) @@ -662,7 +666,7 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON * DEBUG(2,("_net_sam_logon: creds_server_step failed. Rejecting auth " "request from client %s machine account %s\n", p->dc->remote_machine, p->dc->mach_acct )); - return NT_STATUS_ACCESS_DENIED; + return NT_STATUS_INVALID_PARAMETER; } /* find the username */ diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index 52f922b924..bf0e2ba070 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2537,6 +2537,11 @@ NTSTATUS _samr_connect_anon(pipes_struct *p, SAMR_Q_CONNECT_ANON *q_u, SAMR_R_CO was observed from a win98 client trying to enumerate users (when configured user level access control on shares) --jerry */ + if (des_access == MAXIMUM_ALLOWED_ACCESS) { + /* Map to max possible knowing we're filtered below. */ + des_access = GENERIC_ALL_ACCESS; + } + se_map_generic( &des_access, &sam_generic_mapping ); info->acc_granted = des_access & (SA_RIGHT_SAM_ENUM_DOMAINS|SA_RIGHT_SAM_OPEN_DOMAIN); |
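Review bot: The new `validation_level` check in `_net_sam_logon` rejects a malformed request field with `NT_STATUS_ACCESS_DENIED`, while the -662 hunk of this commit turns the authenticator failure into `NT_STATUS_INVALID_PARAMETER`, so the two statuses now read as the reverse of what actually went wrong. The check also appears to sit before the `creds_server_step` call, so a client-chosen value is written at `DEBUG(0)` before the caller's credentials are verified; `DEBUG(2,("_net_sam_logon: bad validation_level value %d.\n", (int)q_u->validation_level ));` would match the level used for the credential failure. The "Sucks, I know..." comment should instead name the parse routine that does the USER_INFO_2 handling and say that only levels 2 and 3 are accepted. The function body starts and ends outside the hunk.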
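Review bot: In `_samr_connect_anon`, the new mapping fires only when `des_access` is exactly `MAXIMUM_ALLOWED_ACCESS`. A request that sets that flag together with any other bit skips the branch and reaches `se_map_generic` unmapped. If the constant is a single flag bit, `if (des_access & MAXIMUM_ALLOWED_ACCESS) {` would cover both cases. Widening an anonymous connect to `GENERIC_ALL_ACCESS` is acceptable only because of the mask on the `acc_granted` line, so the comment should say so explicitly: `/* Safe only because acc_granted is masked to SA_RIGHT_SAM_ENUM_DOMAINS|SA_RIGHT_SAM_OPEN_DOMAIN below. */`. The function body starts and ends outside the hunk.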