svn commit: samba r7217 - in branches/SAMBA_3_0/source/rpc_server: .
vlendec at samba.org
vlendec at samba.org
Fri Jun 3 09:24:50 GMT 2005
Author: vlendec
Date: 2005-06-03 09:24:48 +0000 (Fri, 03 Jun 2005)
New Revision: 7217
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=7217
Log:
Only allow schannel connections if a successful Auth2 has been done
before. Things tested: Domain join and subsequent interactive and network
logon to NT4, W2kSP and XPSP2 workstations and a NT4 domain trusting us. Right
now I've got problems with my W2k3 domain trusts. So this needs testing,
although I'm really confident that this does not break.
Volker
Modified:
branches/SAMBA_3_0/source/rpc_server/srv_netlog_nt.c
branches/SAMBA_3_0/source/rpc_server/srv_pipe.c
Changeset:
Modified: branches/SAMBA_3_0/source/rpc_server/srv_netlog_nt.c
===================================================================
--- branches/SAMBA_3_0/source/rpc_server/srv_netlog_nt.c 2005-06-03 09:24:41 UTC (rev 7216)
+++ branches/SAMBA_3_0/source/rpc_server/srv_netlog_nt.c 2005-06-03 09:24:48 UTC (rev 7217)
@@ -27,6 +27,7 @@
#include "includes.h"
extern struct dcinfo last_dcinfo;
+extern BOOL server_auth2_negotiated;
extern userdom_struct current_user_info;
#undef DBGC_CLASS
@@ -421,6 +422,7 @@
init_net_r_auth_2(r_u, &srv_cred, &srv_flgs, status);
if (NT_STATUS_IS_OK(status)) {
+ server_auth2_negotiated = True;
last_dcinfo = p->dc;
}
Modified: branches/SAMBA_3_0/source/rpc_server/srv_pipe.c
===================================================================
--- branches/SAMBA_3_0/source/rpc_server/srv_pipe.c 2005-06-03 09:24:41 UTC (rev 7216)
+++ branches/SAMBA_3_0/source/rpc_server/srv_pipe.c 2005-06-03 09:24:48 UTC (rev 7217)
@@ -52,6 +52,7 @@
next. This is the way the netlogon schannel works.
**************************************************************/
struct dcinfo last_dcinfo;
+BOOL server_auth2_negotiated = False;
static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
{
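Review bot: `server_auth2_negotiated` is defined here as a process-wide global with no comment, and within this diff it is only ever set to `True` (in srv_netlog_nt.c) and never cleared. The schannel gate therefore means "an Auth2 succeeded at some point in this process", not "an Auth2 succeeded on this pipe or for this client". If each server process handles exactly one client connection, that may be the intended scope, but nothing visible here establishes it, so the assumption should be written next to the definition, for example `/* True once an Auth2 has succeeded in this process; gates schannel binds. Never reset. */`. The comment block above the definition begins outside the hunk and, as far as it is visible, does not cover the new flag.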
@@ -975,6 +976,12 @@
RPC_AUTH_NETSEC_NEG neg;
struct netsec_auth_struct *a = &(p->netsec_auth);
+ if (!server_auth2_negotiated) {
+ DEBUG(0, ("Attempt to bind using schannel "
+ "without successful serverauth2\n"));
+ return False;
+ }
+
if (!smb_io_rpc_auth_netsec_neg("", &neg, rpc_in_p, 0)) {
DEBUG(0,("api_pipe_bind_req: "
"Could not unmarshal SCHANNEL auth neg\n"));
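Review bot: The new rejection message does not name the function that emitted it, unlike the `api_pipe_bind_req: ` prefix on the unmarshal error directly below, and it does not identify the peer that was refused. A refused schannel bind is an event an operator will want to attribute, so at minimum use `DEBUG(0, ("api_pipe_bind_req: Attempt to bind using schannel "` for the first line of the message. If the pipe structure carries a client name or address, include that too. The message is logged at level 0 and is reached before any schannel negotiation, so a client can presumably trigger it repeatedly; it is worth confirming that this log volume is acceptable. The enclosing function starts and ends outside the hunk.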