summaryrefslogtreecommitdiff
path: root/source3/rpc_server/srv_netlog_nt.c
diff options
context:
space:
mode:
Diffstat (limited to 'source3/rpc_server/srv_netlog_nt.c')
-rw-r--r--source3/rpc_server/srv_netlog_nt.c34
1 files changed, 33 insertions, 1 deletions
diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c
index 6182da53d9..76c1d98dab 100644
--- a/source3/rpc_server/srv_netlog_nt.c
+++ b/source3/rpc_server/srv_netlog_nt.c
@@ -334,6 +334,13 @@ NTSTATUS _net_auth_2(pipes_struct *p, NET_Q_AUTH_2 *q_u, NET_R_AUTH_2 *r_u)
srv_time.time = 0;
+ if ( (lp_server_schannel() == True) &&
+ ((q_u->clnt_flgs.neg_flags & NETLOGON_NEG_SCHANNEL) == 0) ) {
+
+ /* schannel must be used, but client did not offer it. */
+ status = NT_STATUS_ACCESS_DENIED;
+ }
+
rpcstr_pull(mach_acct, q_u->clnt_id.uni_acct_name.buffer,sizeof(fstring),q_u->clnt_id.uni_acct_name.uni_str_len*2,0);
if (p->dc.challenge_sent && get_md4pw((char *)p->dc.md4pw, mach_acct)) {
@@ -366,9 +373,18 @@ NTSTATUS _net_auth_2(pipes_struct *p, NET_Q_AUTH_2 *q_u, NET_R_AUTH_2 *r_u)
srv_flgs.neg_flags = 0x000001ff;
+ if (lp_server_schannel() != False) {
+ srv_flgs.neg_flags |= NETLOGON_NEG_SCHANNEL;
+ }
+
/* set up the LSA AUTH 2 response */
init_net_r_auth_2(r_u, &srv_cred, &srv_flgs, status);
+ if (NT_STATUS_IS_OK(status)) {
+ extern struct dcinfo last_dcinfo;
+ last_dcinfo = p->dc;
+ }
+
return r_u->status;
}
@@ -523,7 +539,23 @@ NTSTATUS _net_sam_logon(pipes_struct *p, NET_Q_SAM_LOGON *q_u, NET_R_SAM_LOGON *
if (!get_valid_user_struct(p->vuid))
return NT_STATUS_NO_SUCH_USER;
-
+
+
+ if ( (lp_server_schannel() == True) && (!p->netsec_auth_validated) ) {
+ /* 'server schannel = yes' should enforce use of
+ schannel, the client did offer it in auth2, but
+ obviously did not use it. */
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ if (p->netsec_auth_validated) {
+ /* The client opens a second RPC NETLOGON pipe without
+ doing a auth2. The session key for the schannel is
+ re-used from the auth2 the client did before. */
+ extern struct dcinfo last_dcinfo;
+ p->dc = last_dcinfo;
+ }
+
/* checks and updates credentials. creates reply credentials */
if (!(p->dc.authenticated && deal_with_creds(p->dc.sess_key, &p->dc.clnt_cred, &q_u->sam_id.client.cred, &srv_cred)))
return NT_STATUS_INVALID_HANDLE;