From d37643c2046c9f45bd9580a9e1107cb33f442cd3 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Tue, 26 Jun 2012 17:25:57 +0200 Subject: [PATCH] s3-lsarpc: Enforce a secure connection for LookupSids3 and LookupNames4. http://thread.gmane.org/gmane.network.protocol.cifs.general/291 --- source3/rpc_server/lsa/srv_lsa_nt.c | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/source3/rpc_server/lsa/srv_lsa_nt.c b/source3/rpc_server/lsa/srv_lsa_nt.c index 4802c49591..fc403dfa86 100644 --- a/source3/rpc_server/lsa/srv_lsa_nt.c +++ b/source3/rpc_server/lsa/srv_lsa_nt.c @@ -1126,10 +1126,13 @@ NTSTATUS _lsa_LookupSids3(struct pipes_struct *p, } /* No policy handle on this call. Restrict to crypto connections. */ - if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { - DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n", - get_remote_machine_name() )); - return NT_STATUS_INVALID_PARAMETER; + if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL || + p->auth.auth_level < DCERPC_AUTH_LEVEL_INTEGRITY) { + DEBUG(1, ("_lsa_LookupSids3: The client %s is not using " + "a secure connection over netlogon\n", + get_remote_machine_name() )); + p->fault_state = DCERPC_FAULT_ACCESS_DENIED; + return NT_STATUS_ACCESS_DENIED; } q.in.handle = NULL; @@ -1432,10 +1435,13 @@ NTSTATUS _lsa_LookupNames4(struct pipes_struct *p, } /* No policy handle on this call. Restrict to crypto connections. */ - if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { - DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n", - get_remote_machine_name() )); - return NT_STATUS_INVALID_PARAMETER; + if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL || + p->auth.auth_level < DCERPC_AUTH_LEVEL_INTEGRITY) { + DEBUG(1, ("_lsa_LookupNames4: The client %s is not using " + "a secure connection over netlogon\n", + get_remote_machine_name())); + p->fault_state = DCERPC_FAULT_ACCESS_DENIED; + return NT_STATUS_ACCESS_DENIED; } q.in.handle = NULL; -- 2.34.1