diff options
-rw-r--r-- | source4/auth/gensec/schannel.c | 5 | ||||
-rw-r--r-- | source4/rpc_server/dcerpc_server.c | 14 | ||||
-rw-r--r-- | source4/rpc_server/dcesrv_auth.c | 26 |
3 files changed, 29 insertions, 16 deletions
diff --git a/source4/auth/gensec/schannel.c b/source4/auth/gensec/schannel.c index bc616dc64e..5dc5c287ec 100644 --- a/source4/auth/gensec/schannel.c +++ b/source4/auth/gensec/schannel.c @@ -102,6 +102,8 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_ status = ndr_pull_struct_blob(&in, out_mem_ctx, &bind_schannel, (ndr_pull_flags_fn_t)ndr_pull_schannel_bind); if (!NT_STATUS_IS_OK(status)) { + DEBUG(3, ("Could not parse incoming schannel bind: %s\n", + nt_errstr(status))); return status; } @@ -119,6 +121,9 @@ static NTSTATUS schannel_update(struct gensec_security *gensec_security, TALLOC_ if (!NT_STATUS_IS_OK(status)) { DEBUG(3, ("Could not find session key for attempted schannel connection from %s: %s\n", workstation, nt_errstr(status))); + if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_HANDLE)) { + return NT_STATUS_LOGON_FAILURE; + } return status; } diff --git a/source4/rpc_server/dcerpc_server.c b/source4/rpc_server/dcerpc_server.c index f9d1606df8..35b37b3af6 100644 --- a/source4/rpc_server/dcerpc_server.c +++ b/source4/rpc_server/dcerpc_server.c @@ -620,7 +620,8 @@ static NTSTATUS dcesrv_bind(struct dcesrv_call_state *call) pkt.u.bind_ack.ctx_list[0].syntax = ndr_transfer_syntax; pkt.u.bind_ack.auth_info = data_blob(NULL, 0); - if (!dcesrv_auth_bind_ack(call, &pkt)) { + status = dcesrv_auth_bind_ack(call, &pkt); + if (!NT_STATUS_IS_OK(status)) { return dcesrv_bind_nak(call, 0); } @@ -769,8 +770,15 @@ static NTSTATUS dcesrv_alter(struct dcesrv_call_state *call) pkt.u.alter_resp.auth_info = data_blob(NULL, 0); pkt.u.alter_resp.secondary_address = ""; - if (!dcesrv_auth_alter_ack(call, &pkt)) { - return dcesrv_bind_nak(call, 0); + status = dcesrv_auth_alter_ack(call, &pkt); + if (!NT_STATUS_IS_OK(status)) { + if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED) + || NT_STATUS_EQUAL(status, NT_STATUS_LOGON_FAILURE) + || NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER) + || NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) { + return dcesrv_fault(call, DCERPC_FAULT_ACCESS_DENIED); + } + return dcesrv_fault(call, 0); } rep = talloc(call, struct data_blob_list_item); diff --git a/source4/rpc_server/dcesrv_auth.c b/source4/rpc_server/dcesrv_auth.c index 10405bb56f..627da844aa 100644 --- a/source4/rpc_server/dcesrv_auth.c +++ b/source4/rpc_server/dcesrv_auth.c @@ -98,13 +98,13 @@ BOOL dcesrv_auth_bind(struct dcesrv_call_state *call) add any auth information needed in a bind ack, and process the authentication information found in the bind. */ -BOOL dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt) +NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt) { struct dcesrv_connection *dce_conn = call->conn; NTSTATUS status; if (!call->conn->auth_state.gensec_security) { - return True; + return NT_STATUS_OK; } status = gensec_update(dce_conn->auth_state.gensec_security, @@ -117,19 +117,19 @@ BOOL dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packet *p &dce_conn->auth_state.session_info); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status))); - return False; + return status; } /* Now that we are authenticated, go back to the generic session key... */ dce_conn->auth_state.session_key = dcesrv_generic_session_key; - return True; + return NT_STATUS_OK; } else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { dce_conn->auth_state.auth_info->auth_pad_length = 0; dce_conn->auth_state.auth_info->auth_reserved = 0; - return True; + return NT_STATUS_OK; } else { DEBUG(2, ("Failed to start dcesrv auth negotiate: %s\n", nt_errstr(status))); - return False; + return status; } } @@ -223,7 +223,7 @@ BOOL dcesrv_auth_alter(struct dcesrv_call_state *call) add any auth information needed in a alter ack, and process the authentication information found in the alter. */ -BOOL dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt) +NTSTATUS dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct ncacn_packet *pkt) { struct dcesrv_connection *dce_conn = call->conn; NTSTATUS status; @@ -232,11 +232,11 @@ BOOL dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct ncacn_packet * setup */ if (!call->conn->auth_state.auth_info || dce_conn->auth_state.auth_info->credentials.length == 0) { - return True; + return NT_STATUS_OK; } if (!call->conn->auth_state.gensec_security) { - return False; + return NT_STATUS_INVALID_PARAMETER; } status = gensec_update(dce_conn->auth_state.gensec_security, @@ -249,20 +249,20 @@ BOOL dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct ncacn_packet * &dce_conn->auth_state.session_info); if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to establish session_info: %s\n", nt_errstr(status))); - return False; + return status; } /* Now that we are authenticated, got back to the generic session key... */ dce_conn->auth_state.session_key = dcesrv_generic_session_key; - return True; + return NT_STATUS_OK; } else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { dce_conn->auth_state.auth_info->auth_pad_length = 0; dce_conn->auth_state.auth_info->auth_reserved = 0; - return True; + return NT_STATUS_OK; } DEBUG(2, ("Failed to finish dcesrv auth alter_ack: %s\n", nt_errstr(status))); - return False; + return status; } /* |