From 8e2f5fe7c5bc0fce0564c751a68e0feb370e0857 Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Thu, 18 Feb 2010 10:26:24 -0500
Subject: s4:schannel more readable check logic
Make the initial schannel check logic more understandable. Make it easy to define different policies depending on the caller's security requirements (Integrity/Privacy/Both/None) This is the same change applied to s3
---
 libcli/auth/schannel_state_ldb.c | 10 ----------
 libcli/auth/schannel_state_proto.h | 2 --
 2 files changed, 12 deletions(-)
(limited to 'libcli/auth')
diff --git a/libcli/auth/schannel_state_ldb.c b/libcli/auth/schannel_state_ldb.c
index ba3d96fcf7..2919ed6369 100644
--- a/libcli/auth/schannel_state_ldb.c
+++ b/libcli/auth/schannel_state_ldb.c
@@ -264,8 +264,6 @@ NTSTATUS schannel_fetch_session_key_ldb(struct ldb_context *ldb,
 NTSTATUS schannel_creds_server_step_check_ldb(struct ldb_context *ldb,
 TALLOC_CTX *mem_ctx,
 const char *computer_name,
- bool schannel_required_for_call,
- bool schannel_in_use,
 struct netr_Authenticator *received_authenticator,
 struct netr_Authenticator *return_authenticator,
 struct netlogon_creds_CredentialState **creds_out)
@@ -277,14 +275,6 @@ NTSTATUS schannel_creds_server_step_check_ldb(struct ldb_context *ldb,
 /* If we are flaged that schannel is required for a call, and
 * it is not in use, then make this an error */
- /* It would be good to make this mandetory once schannel is
- * negoiated, but this is not what windows does */
- if (schannel_required_for_call && !schannel_in_use) {
- DEBUG(0,("schannel_creds_server_step_check: client %s not using schannel for netlogon, despite negotiating it\n",
- creds->computer_name ));
- return NT_STATUS_ACCESS_DENIED;
- }
-
 ret = ldb_transaction_start(ldb);
 if (ret != 0) {
 return NT_STATUS_INTERNAL_DB_CORRUPTION;
diff --git a/libcli/auth/schannel_state_proto.h b/libcli/auth/schannel_state_proto.h
index d0a071c876..da5ebb3b7b 100644
--- a/libcli/auth/schannel_state_proto.h
+++ b/libcli/auth/schannel_state_proto.h
@@ -21,8 +21,6 @@ NTSTATUS schannel_fetch_session_key_ldb(struct ldb_context *ldb,
 NTSTATUS schannel_creds_server_step_check_ldb(struct ldb_context *ldb,
 TALLOC_CTX *mem_ctx,
 const char *computer_name,
- bool schannel_required_for_call,
- bool schannel_in_use,
 struct netr_Authenticator *received_authenticator,
 struct netr_Authenticator *return_authenticator,
 struct netlogon_creds_CredentialState **creds_out);
-- cgit
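Review bot: Nothing on the new side records that refusing a client which negotiated schannel but is not using it has moved out of `schannel_creds_server_step_check_ldb`: this prototype simply loses `schannel_required_for_call` and `schannel_in_use`, and in schannel_state_ldb.c (hunk at -277) the comment `/* If we are flaged that schannel is required for a call, and it is not in use, then make this an error */` is kept as context directly above `ret = ldb_transaction_start(ldb);`, where it now describes a check that no longer exists. I would replace that comment with `/* The schannel-required policy is not enforced here; callers must reject the call themselves before invoking this function */`. The page is limited to libcli/auth, so the caller-side checks the description implies are not visible; since the removed branch was the path returning `NT_STATUS_ACCESS_DENIED`, it is worth confirming that every caller now carries an equivalent check rather than only dropping the two arguments. The function body continues outside the hunk.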