svn commit: samba r7217 - in branches/SAMBA_3_0/source/rpc_server: .

vlendec at samba.org vlendec at samba.org
Fri Jun 3 09:24:50 GMT 2005


Author: vlendec
Date: 2005-06-03 09:24:48 +0000 (Fri, 03 Jun 2005)
New Revision: 7217

WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=7217

Log:
Only allow schannel connections if a successful Auth2 has been done
before. Things tested: Domain join and subsequent interactive and network
logon to NT4, W2kSP and XPSP2 workstations and a NT4 domain trusting us. Right
now I've got problems with my W2k3 domain trusts. So this needs testing,
although I'm really confident that this does not break.

Volker

Modified:
   branches/SAMBA_3_0/source/rpc_server/srv_netlog_nt.c
   branches/SAMBA_3_0/source/rpc_server/srv_pipe.c


Changeset:
Modified: branches/SAMBA_3_0/source/rpc_server/srv_netlog_nt.c
===================================================================
--- branches/SAMBA_3_0/source/rpc_server/srv_netlog_nt.c	2005-06-03 09:24:41 UTC (rev 7216)
+++ branches/SAMBA_3_0/source/rpc_server/srv_netlog_nt.c	2005-06-03 09:24:48 UTC (rev 7217)
@@ -27,6 +27,7 @@
 #include "includes.h"
 
 extern struct dcinfo last_dcinfo;
+extern BOOL server_auth2_negotiated;
 extern userdom_struct current_user_info;
 
 #undef DBGC_CLASS
@@ -421,6 +422,7 @@
 	init_net_r_auth_2(r_u, &srv_cred, &srv_flgs, status);
 
 	if (NT_STATUS_IS_OK(status)) {
+		server_auth2_negotiated = True;
 		last_dcinfo = p->dc;
 	}
 
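Review bot: `server_auth2_negotiated` is only ever set to True in this hunk, so a later Auth2 that fails leaves both the flag and the earlier `last_dcinfo` in place, and schannel binds stay permitted for the rest of the process. If the gate is meant to reflect the most recent Auth2 outcome, assign it unconditionally ahead of the `if`, for example `server_auth2_negotiated = NT_STATUS_IS_OK(status);`. No reset path is visible in this diff, so confirm whether one exists elsewhere. The enclosing function starts and ends outside the hunk.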

Modified: branches/SAMBA_3_0/source/rpc_server/srv_pipe.c
===================================================================
--- branches/SAMBA_3_0/source/rpc_server/srv_pipe.c	2005-06-03 09:24:41 UTC (rev 7216)
+++ branches/SAMBA_3_0/source/rpc_server/srv_pipe.c	2005-06-03 09:24:48 UTC (rev 7217)
@@ -52,6 +52,7 @@
  next. This is the way the netlogon schannel works.
 **************************************************************/
 struct dcinfo last_dcinfo;
+BOOL server_auth2_negotiated = False;
 
 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
 {
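Review bot: `server_auth2_negotiated` is defined under a block comment that only describes `last_dcinfo`, so nothing documents what sets the flag, what reads it, or that it is process-wide rather than per pipe. A comment such as `/* True once a server Auth2 has succeeded in this process; schannel binds are refused while it is False. */` would make the trust assumption explicit. Because it is a global and not a field of `pipes_struct`, the bind check can only establish that some Auth2 succeeded earlier in the process, which is worth stating next to the definition. The block comment begins above the hunk.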
@@ -975,6 +976,12 @@
 			RPC_AUTH_NETSEC_NEG neg;
 			struct netsec_auth_struct *a = &(p->netsec_auth);
 
+			if (!server_auth2_negotiated) {
+				DEBUG(0, ("Attempt to bind using schannel "
+					  "without successful serverauth2\n"));
+				return False;
+			}
+
 			if (!smb_io_rpc_auth_netsec_neg("", &neg, rpc_in_p, 0)) {
 				DEBUG(0,("api_pipe_bind_req: "
 					 "Could not unmarshal SCHANNEL auth neg\n"));


