dcesrv_core: alter_context logon failures should result in DCERPC_FAULT_ACCESS_DENIED
author Stefan Metzmacher <metze@samba.org>
Thu, 12 Nov 2020 15:41:21 +0000 (16:41 +0100)
committer Stefan Metzmacher <metze@samba.org>
Tue, 23 Jan 2024 10:14:09 +0000 (11:14 +0100)
We should use DCERPC_FAULT_ACCESS_DENIED as default for
gensec status results of e.g. NT_STATUS_LOGON_FAILURE or
NT_STATUS_INVALID_PARAMETER.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
librpc/rpc/dcesrv_core.c

index 747d41704ca8d954d2c0e9cce8eebceb0e7e5fde..10b6535a16bfcaeb7bddf1c9a222e1e6c2694767 100644 (file)
@@ -1904,7 +1904,20 @@ static void dcesrv_alter_done(struct tevent_req *subreq)
 
        status = dcesrv_auth_complete(call, status);
        if (!NT_STATUS_IS_OK(status)) {
-               status = dcesrv_fault_disconnect(call, DCERPC_FAULT_SEC_PKG_ERROR);
+               /*
+                * NT_STATUS_ACCESS_DENIED from gensec means
+                * a signing check or decryption failure,
+                * which should result in DCERPC_FAULT_SEC_PKG_ERROR.
+                *
+                * Any other status, e.g. NT_STATUS_LOGON_FAILURE or
+                * NT_STATUS_INVALID_PARAMETER should result in
+                * DCERPC_FAULT_ACCESS_DENIED.
+                */
+               if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+                       status = dcesrv_fault_disconnect(call, DCERPC_FAULT_SEC_PKG_ERROR);
+               } else {
+                       status = dcesrv_fault_disconnect(call, DCERPC_FAULT_ACCESS_DENIED);
+               }
                dcesrv_conn_auth_wait_finished(conn, status);
                return;
        }
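
Review bot: the new `else` branch in dcesrv_alter_done() maps every non-OK status other than NT_STATUS_ACCESS_DENIED to DCERPC_FAULT_ACCESS_DENIED, which covers more than the NT_STATUS_LOGON_FAILURE and NT_STATUS_INVALID_PARAMETER cases named in the comment; any internal failure returned by dcesrv_auth_complete() will now also reach the client as an access-denied fault. If that default is intended, the comment could say "all other statuses" explicitly so a later reader does not narrow it. The two branches differ only in the fault code, so picking the code into a local variable and calling dcesrv_fault_disconnect() once would keep the error path in one place. The hunk carries no test change; a test that drives a failing alter_context and checks the returned fault code would pin this behaviour down.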