s3-lsarpc: Enforce a secure connection for LookupSids3 and LookupNames4.
authorAndreas Schneider <asn@samba.org>
Tue, 26 Jun 2012 15:25:57 +0000 (17:25 +0200)
committerAndreas Schneider <asn@cryptomilk.org>
Fri, 6 Jul 2012 08:00:57 +0000 (10:00 +0200)
http://thread.gmane.org/gmane.network.protocol.cifs.general/291

source3/rpc_server/lsa/srv_lsa_nt.c

index 4802c495910dde013fc95289b9af80c5a4db69e7..fc403dfa862a02cd71b961e74302a99419c7a15a 100644 (file)
@@ -1126,10 +1126,13 @@ NTSTATUS _lsa_LookupSids3(struct pipes_struct *p,
        }
 
        /* No policy handle on this call. Restrict to crypto connections. */
-       if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
-               DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
-                       get_remote_machine_name() ));
-               return NT_STATUS_INVALID_PARAMETER;
+       if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL ||
+           p->auth.auth_level < DCERPC_AUTH_LEVEL_INTEGRITY) {
+               DEBUG(1, ("_lsa_LookupSids3: The client %s is not using "
+                         "a secure connection over netlogon\n",
+                         get_remote_machine_name() ));
+               p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
+               return NT_STATUS_ACCESS_DENIED;
        }
 
        q.in.handle             = NULL;
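Review bot: The retained comment "Restrict to crypto connections" and the new log text "secure connection" promise more than the check enforces: `DCERPC_AUTH_LEVEL_INTEGRITY` only signs packets, so a caller at that level still sends the SIDs and receives the resolved names in clear, and only `DCERPC_AUTH_LEVEL_PRIVACY` would seal them. If integrity is the intended floor (it appears to be, since the comparison is `<` rather than `!=`), the comment should say so rather than imply encryption: `/* No policy handle on this call: require a netlogon schannel binding with at least packet integrity (signing); sealing is accepted too. */`. The `<` comparison also silently depends on the `DCERPC_AUTH_LEVEL_*` constants being ordered by strength, which is presumably the case if they mirror the DCE RPC level numbers, but a short note such as `/* levels are ordered: INTEGRITY < PRIVACY */` would make the intent explicit. The body of `_lsa_LookupSids3` begins and continues outside this hunk.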
@@ -1432,10 +1435,13 @@ NTSTATUS _lsa_LookupNames4(struct pipes_struct *p,
        }
 
        /* No policy handle on this call. Restrict to crypto connections. */
-       if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
-               DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
-                       get_remote_machine_name() ));
-               return NT_STATUS_INVALID_PARAMETER;
+       if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL ||
+           p->auth.auth_level < DCERPC_AUTH_LEVEL_INTEGRITY) {
+               DEBUG(1, ("_lsa_LookupNames4: The client %s is not using "
+                         "a secure connection over netlogon\n",
+                         get_remote_machine_name()));
+               p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
+               return NT_STATUS_ACCESS_DENIED;
        }
 
        q.in.handle             = NULL;
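Review bot: This guard is now a byte-for-byte copy of the one in `_lsa_LookupSids3` apart from the function name in the log message, and the pre-patch code already showed how such copies drift (the old message said `_lsa_lookup_names4` while the function is `_lsa_LookupNames4`). Factoring the type/level test, the log line and the fault-state assignment into one static helper would keep the two entry points from diverging again if, say, the required level is later raised to `DCERPC_AUTH_LEVEL_PRIVACY`. The caller then reduces to `if (!lsa_schannel_is_secure(p, __func__)) { return NT_STATUS_ACCESS_DENIED; }`. `_lsa_LookupNames4` starts and ends outside this hunk, and the helper would be placed above both callers.
```c
/* True when the binding is a netlogon schannel at integrity level or
 * above; otherwise logs the caller, sets the DCE fault state and
 * returns false so the caller can return NT_STATUS_ACCESS_DENIED. */
static bool lsa_schannel_is_secure(struct pipes_struct *p, const char *fn)
{
	if (p->auth.auth_type == DCERPC_AUTH_TYPE_SCHANNEL &&
	    p->auth.auth_level >= DCERPC_AUTH_LEVEL_INTEGRITY) {
		return true;
	}
	DEBUG(1, ("%s: The client %s is not using "
		  "a secure connection over netlogon\n",
		  fn, get_remote_machine_name()));
	p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
	return false;
}

/* … unchanged: start of _lsa_LookupNames4 … */
	/* No policy handle on this call. Restrict to signed/sealed schannel. */
	if (!lsa_schannel_is_secure(p, __func__)) {
		return NT_STATUS_ACCESS_DENIED;
	}
/* … unchanged: q.in.handle = NULL and the rest of the call … */
```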