summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source4/auth/gensec/schannel.c5
-rw-r--r--source4/rpc_server/dcerpc_server.c14
-rw-r--r--source4/rpc_server/dcesrv_auth.c26
3 files changed, 29 insertions, 16 deletions
diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c
index bc616dc64e..5dc5c287ec 100644
--- a/source4/auth/gensec/schannel.c
+++ b/source4/auth/gensec/schannel.c
@@ -102,6 +102,8 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
status = ndr_pull_struct_blob(&in, out_mem_ctx, &bind_schannel,
(ndr_pull_flags_fn_t)ndr_pull_schannel_bind);
if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(3, ("Could not parse incoming schannel bind: %s\n",
+ nt_errstr(status)));
return status;
}
@@ -119,6 +121,9 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_
if (!NT_STATUS_IS_OK(status)) {
DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n",
workstation, nt_errstr(status)));
+ if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_HANDLE)) {
+ return NT_STATUS_LOGON_FAILURE;
+ }
return status;
}
diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c
index f9d1606df8..35b37b3af6 100644
--- a/source4/rpc_server/dcerpc_server.c
+++ b/source4/rpc_server/dcerpc_server.c
@@ -620,7 +620,8 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call)
pkt.u.bind_ack.ctx_list[0].syntax = ndr_transfer_syntax;
pkt.u.bind_ack.auth_info = data_blob(NULL, 0);
- if (!dcesrv_auth_bind_ack(call, &pkt)) {
+ status = dcesrv_auth_bind_ack(call, &pkt);
+ if (!NT_STATUS_IS_OK(status)) {
return dcesrv_bind_nak(call, 0);
}
@@ -769,8 +770,15 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call)
pkt.u.alter_resp.auth_info = data_blob(NULL, 0);
pkt.u.alter_resp.secondary_address = "";
- if (!dcesrv_auth_alter_ack(call, &pkt)) {
- return dcesrv_bind_nak(call, 0);
+ status = dcesrv_auth_alter_ack(call, &pkt);
+ if (!NT_STATUS_IS_OK(status)) {
+ if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)
+ || NT_STATUS_EQUAL(status, NT_STATUS_LOGON_FAILURE)
+ || NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)
+ || NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
+ return dcesrv_fault(call, DCERPC_FAULT_ACCESS_DENIED);
+ }
+ return dcesrv_fault(call, 0);
}
rep = talloc(call, struct data_blob_list_item);
diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c
index 10405bb56f..627da844aa 100644
--- a/source4/rpc_server/dcesrv_auth.c
+++ b/source4/rpc_server/dcesrv_auth.c
@@ -98,13 +98,13 @@ BOOL dcesrv_auth_bind(struct dcesrv_call_state *call)
add any auth information needed in a bind ack, and process the authentication
information found in the bind.
*/
-BOOL dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt)
+NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt)
{
struct dcesrv_connection *dce_conn = call->conn;
NTSTATUS status;
if (!call->conn->auth_state.gensec_security) {
- return True;
+ return NT_STATUS_OK;
}
status = gensec_update(dce_conn->auth_state.gensec_security,
@@ -117,19 +117,19 @@ BOOL dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packet *p
&dce_conn->auth_state.session_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
- return False;
+ return status;
}
/* Now that we are authenticated, go back to the generic session key... */
dce_conn->auth_state.session_key = dcesrv_generic_session_key;
- return True;
+ return NT_STATUS_OK;
} else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
dce_conn->auth_state.auth_info->auth_pad_length = 0;
dce_conn->auth_state.auth_info->auth_reserved = 0;
- return True;
+ return NT_STATUS_OK;
} else {
DEBUG(2, ("Failed to start dcesrv auth negotiate: %s\n", nt_errstr(status)));
- return False;
+ return status;
}
}
@@ -223,7 +223,7 @@ BOOL dcesrv_auth_alter(struct dcesrv_call_state *call)
add any auth information needed in a alter ack, and process the authentication
information found in the alter.
*/
-BOOL dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt)
+NTSTATUS dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt)
{
struct dcesrv_connection *dce_conn = call->conn;
NTSTATUS status;
@@ -232,11 +232,11 @@ BOOL dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct ncacn_packet *
setup */
if (!call->conn->auth_state.auth_info ||
dce_conn->auth_state.auth_info->credentials.length == 0) {
- return True;
+ return NT_STATUS_OK;
}
if (!call->conn->auth_state.gensec_security) {
- return False;
+ return NT_STATUS_INVALID_PARAMETER;
}
status = gensec_update(dce_conn->auth_state.gensec_security,
@@ -249,20 +249,20 @@ BOOL dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct ncacn_packet *
&dce_conn->auth_state.session_info);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status)));
- return False;
+ return status;
}
/* Now that we are authenticated, got back to the generic session key... */
dce_conn->auth_state.session_key = dcesrv_generic_session_key;
- return True;
+ return NT_STATUS_OK;
} else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
dce_conn->auth_state.auth_info->auth_pad_length = 0;
dce_conn->auth_state.auth_info->auth_reserved = 0;
- return True;
+ return NT_STATUS_OK;
}
DEBUG(2, ("Failed to finish dcesrv auth alter_ack: %s\n", nt_errstr(status)));
- return False;
+ return status;
}
/*