CVE-2022-38023 s4:rpc_server/netlogon: 'server schannel != yes' warning to dcesrv_int...
authorStefan Metzmacher <metze@samba.org>
Tue, 6 Dec 2022 09:56:29 +0000 (10:56 +0100)
committerStefan Metzmacher <metze@samba.org>
Wed, 14 Dec 2022 10:28:16 +0000 (10:28 +0000)
This will simplify the following changes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit e060ea5b3edbe3cba492062c9605f88fae212ee0)

source4/rpc_server/netlogon/dcerpc_netlogon.c

index cfd6d148b0a37430f27f2323ee6ca847f6375d4e..f63c3981f7499d5d9d874ef6d3abed8475a8b9b1 100644 (file)
 static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context *context,
                                               const struct dcesrv_interface *iface)
 {
+       struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx;
+       int schannel = lpcfg_server_schannel(lp_ctx);
+       bool schannel_global_required = (schannel == true);
+       static bool warned_global_schannel_once = false;
+
+       if (!schannel_global_required && !warned_global_schannel_once) {
+               /*
+                * We want admins to notice their misconfiguration!
+                */
+               D_ERR("CVE-2020-1472(ZeroLogon): "
+                     "Please configure 'server schannel = yes' (the default), "
+                     "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n");
+               warned_global_schannel_once = true;
+       }
+
        return dcesrv_interface_bind_reject_connect(context, iface);
 }
 
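Review bot: `bool schannel_global_required = (schannel == true);` collapses an `int` into a bool without saying why; if `lpcfg_server_schannel()` returns the yes/no/auto tri-state (which the `int` type suggests), then `auto` is deliberately treated as "not required" and so also triggers the CVE-2020-1472 warning, which a reader cannot tell from the line itself. A why-comment above it would fix that, e.g. `/* only an explicit 'server schannel = yes' counts as required; 'auto' still warns */`. The `static bool warned_global_schannel_once` flag limits the message to once per process, so presumably a forking process model logs it once per child and a long-lived process never re-warns after a later reconfiguration — worth a one-line comment if that trade-off is intended, as the removed per-call variant had the same property. `dcesrv_interface_netlogon_bind` is complete within this hunk, although its `@@` header is not shown.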
@@ -630,7 +645,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
        enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
        uint16_t opnum = dce_call->pkt.u.request.opnum;
        const char *opname = "<unknown>";
-       static bool warned_global_once = false;
 
        if (opnum < ndr_table_netlogon.num_calls) {
                opname = ndr_table_netlogon.calls[opnum].name;
@@ -682,16 +696,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
                return NT_STATUS_ACCESS_DENIED;
        }
 
-       if (!schannel_global_required && !warned_global_once) {
-               /*
-                * We want admins to notice their misconfiguration!
-                */
-               DBG_ERR("CVE-2020-1472(ZeroLogon): "
-                       "Please configure 'server schannel = yes', "
-                       "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n");
-               warned_global_once = true;
-       }
-
        if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
                DBG_ERR("CVE-2020-1472(ZeroLogon): "
                        "%s request (opnum[%u]) WITH schannel from "