svn commit: samba r7216 - in trunk/source/rpc_server: .
vlendec at samba.org
vlendec at samba.org
Fri Jun 3 09:24:41 GMT 2005
Author: vlendec
Date: 2005-06-03 09:24:41 +0000 (Fri, 03 Jun 2005)
New Revision: 7216
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=7216
Log:
Only allow schannel connections if a successful Auth2 has been done
before. Things tested: Domain join and subsequent interactive and network
logon to NT4, W2kSP and XPSP2 workstations and a NT4 domain trusting us. Right
now I've got problems with my W2k3 domain trusts. So this needs testing,
although I'm really confident that this does not break.
Volker
Modified:
trunk/source/rpc_server/srv_netlog_nt.c
trunk/source/rpc_server/srv_pipe.c
Changeset:
Modified: trunk/source/rpc_server/srv_netlog_nt.c
===================================================================
--- trunk/source/rpc_server/srv_netlog_nt.c 2005-06-03 08:00:42 UTC (rev 7215)
+++ trunk/source/rpc_server/srv_netlog_nt.c 2005-06-03 09:24:41 UTC (rev 7216)
@@ -27,6 +27,7 @@
#include "includes.h"
extern struct dcinfo last_dcinfo;
+extern BOOL server_auth2_negotiated;
extern userdom_struct current_user_info;
#undef DBGC_CLASS
@@ -421,6 +422,7 @@
init_net_r_auth_2(r_u, &srv_cred, &srv_flgs, status);
if (NT_STATUS_IS_OK(status)) {
+ server_auth2_negotiated = True;
last_dcinfo = p->dc;
}
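Review bot: `server_auth2_negotiated` is only ever set to `True` here and is a process-wide global rather than state on `p`, so the schannel gate added in srv_pipe.c checks "some Auth2 succeeded earlier in this process", not "this client's current credentials are valid". Nothing in the visible changeset clears the flag, so a later failed Auth2 would leave it set alongside the older `last_dcinfo`; if that is intended, it deserves a comment at the definition in srv_pipe.c, e.g. `/* True once any ServerAuthenticate2 has succeeded in this process; never cleared. Gates schannel binds. */`. If it is not intended, the flag could follow the result (`server_auth2_negotiated = NT_STATUS_IS_OK(status);`), though whether invalidating the earlier credentials is the desired behaviour needs confirming against the rest of the function, which lies outside this hunk.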
Modified: trunk/source/rpc_server/srv_pipe.c
===================================================================
--- trunk/source/rpc_server/srv_pipe.c 2005-06-03 08:00:42 UTC (rev 7215)
+++ trunk/source/rpc_server/srv_pipe.c 2005-06-03 09:24:41 UTC (rev 7216)
@@ -52,6 +52,7 @@
next. This is the way the netlogon schannel works.
**************************************************************/
struct dcinfo last_dcinfo;
+BOOL server_auth2_negotiated = False;
static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
{
@@ -975,6 +976,12 @@
RPC_AUTH_NETSEC_NEG neg;
struct netsec_auth_struct *a = &(p->netsec_auth);
+ if (!server_auth2_negotiated) {
+ DEBUG(0, ("Attempt to bind using schannel "
+ "without successful serverauth2\n"));
+ return False;
+ }
+
if (!smb_io_rpc_auth_netsec_neg("", &neg, rpc_in_p, 0)) {
DEBUG(0,("api_pipe_bind_req: "
"Could not unmarshal SCHANNEL auth neg\n"));
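Review bot: The new rejection message is logged at `DEBUG(0, ...)`, which is always emitted, and this path can be reached by any client that sends a schannel bind before Auth2, so repeated attempts can fill the log. The message also lacks the function prefix used by the next `DEBUG` call and gives no hint of which pipe was refused. Consider something like `DEBUG(1, ("api_pipe_bind_req: schannel bind refused, no successful serverauth2\n"));`, assuming this is `api_pipe_bind_req` as the neighbouring message suggests; the function starts outside the hunk. Placing the check before the auth blob is unmarshalled is the right order.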