[PATCH 1/8] s3:schannel more readable check logic

Simo Sorce idra at samba.org
Thu Feb 18 08:19:09 MST 2010


Make the initial schannel check logic more understandable.
Make it easy to define different policies depending on the caller's security
requirements (Integrity/Privacy/Both/None)
---
 libcli/auth/schannel_state_proto.h |    2 -
 libcli/auth/schannel_state_tdb.c   |   15 ------------
 source3/rpc_server/srv_netlog_nt.c |   44 +++++++++++++++++++++++++++++++----
 3 files changed, 39 insertions(+), 22 deletions(-)

diff --git a/libcli/auth/schannel_state_proto.h b/libcli/auth/schannel_state_proto.h
index c582c3e..d0a071c 100644
--- a/libcli/auth/schannel_state_proto.h
+++ b/libcli/auth/schannel_state_proto.h
@@ -36,8 +36,6 @@ NTSTATUS schannel_fetch_session_key_tdb(struct tdb_context *tdb,
 NTSTATUS schannel_creds_server_step_check_tdb(struct tdb_context *tdb,
 					      TALLOC_CTX *mem_ctx,
 					      const char *computer_name,
-					      bool schannel_required_for_call,
-					      bool schannel_in_use,
 					      struct netr_Authenticator *received_authenticator,
 					      struct netr_Authenticator *return_authenticator,
 					      struct netlogon_creds_CredentialState **creds_out);
diff --git a/libcli/auth/schannel_state_tdb.c b/libcli/auth/schannel_state_tdb.c
index 7ec8b3f..3da7618 100644
--- a/libcli/auth/schannel_state_tdb.c
+++ b/libcli/auth/schannel_state_tdb.c
@@ -163,8 +163,6 @@ NTSTATUS schannel_fetch_session_key_tdb(struct tdb_context *tdb,
 NTSTATUS schannel_creds_server_step_check_tdb(struct tdb_context *tdb,
 					      TALLOC_CTX *mem_ctx,
 					      const char *computer_name,
-					      bool schannel_required_for_call,
-					      bool schannel_in_use,
 					      struct netr_Authenticator *received_authenticator,
 					      struct netr_Authenticator *return_authenticator,
 					      struct netlogon_creds_CredentialState **creds_out)
@@ -185,19 +183,6 @@ NTSTATUS schannel_creds_server_step_check_tdb(struct tdb_context *tdb,
 	status = schannel_fetch_session_key_tdb(tdb, mem_ctx, computer_name,
 						&creds);
 
-	/* If we are flaged that schannel is required for a call, and
-	 * it is not in use, then make this an error */
-
-	/* It would be good to make this mandatory once schannel is
-	 * negotiated, but this is not what windows does */
-	if (schannel_required_for_call && !schannel_in_use) {
-		DEBUG(0,("schannel_creds_server_step_check_tdb: "
-			"client %s not using schannel for netlogon, despite negotiating it\n",
-			creds->computer_name ));
-		tdb_transaction_cancel(tdb);
-		return NT_STATUS_ACCESS_DENIED;
-	}
-
 	if (NT_STATUS_IS_OK(status)) {
 		status = netlogon_creds_server_step_check(creds,
 							  received_authenticator,
diff --git a/source3/rpc_server/srv_netlog_nt.c b/source3/rpc_server/srv_netlog_nt.c
index 66f3bd3..aeb321c 100644
--- a/source3/rpc_server/srv_netlog_nt.c
+++ b/source3/rpc_server/srv_netlog_nt.c
@@ -766,6 +766,36 @@ NTSTATUS _netr_ServerAuthenticate2(pipes_struct *p,
 }
 
 /*************************************************************************
+ * If schannel is required for this call test that it actually is available.
+ *************************************************************************/
+static NTSTATUS schannel_check_required(struct pipe_auth_data *auth_info,
+					const char *computer_name,
+					bool integrity, bool privacy)
+{
+	if (auth_info && auth_info->auth_type == PIPE_AUTH_TYPE_SCHANNEL) {
+		if (!privacy && !integrity) {
+			return NT_STATUS_OK;
+		}
+
+		if ((!privacy && integrity) &&
+		    auth_info->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
+			return NT_STATUS_OK;
+		}
+
+		if ((privacy || integrity) &&
+		    auth_info->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
+			return NT_STATUS_OK;
+		}
+	}
+
+	/* test didn't pass */
+	DEBUG(0, ("schannel_check_required: [%s] is not using schannel\n",
+		  computer_name));
+
+	return NT_STATUS_ACCESS_DENIED;
+}
+
+/*************************************************************************
  *************************************************************************/
 
 static NTSTATUS netr_creds_server_step_check(pipes_struct *p,
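Review bot: The failure log at the end of schannel_check_required says `[%s] is not using schannel` even when the bind is schannel but its auth_level is below what the integrity/privacy flags demand, so an operator cannot tell a non-schannel bind from an under-protected one. I would log the two cases separately, e.g. move the existing DEBUG into an `else` of the `auth_type == PIPE_AUTH_TYPE_SCHANNEL` test and add `DEBUG(0, ("schannel_check_required: [%s] schannel auth level too low for the requested protection\n", computer_name));` inside the schannel branch before falling through. The header comment at the top of the function should also spell out the decision table the three `if` blocks implement: neither flag accepts any schannel auth level, integrity accepts INTEGRITY or PRIVACY, and privacy (alone or with integrity) accepts only PRIVACY. The function is complete within this hunk; netr_creds_server_step_check's body continues past it.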
@@ -778,9 +808,15 @@ static NTSTATUS netr_creds_server_step_check(pipes_struct *p,
 	NTSTATUS status;
 	struct tdb_context *tdb;
 	bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
-	bool schannel_in_use = (p->auth.auth_type == PIPE_AUTH_TYPE_SCHANNEL) ? true:false; /* &&
-		(p->auth.auth_level == DCERPC_AUTH_LEVEL_INTEGRITY ||
-		 p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY); */
+
+	if (schannel_global_required) {
+		status = schannel_check_required(&p->auth,
+						 computer_name,
+						 false, false);
+		if (!NT_STATUS_IS_OK(status)) {
+			return status;
+		}
+	}
 
 	tdb = open_schannel_session_store(mem_ctx);
 	if (!tdb) {
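Review bot: The call `schannel_check_required(&p->auth, computer_name, false, false)` only enforces that the bind is schannel at all, and the rationale that used to sit next to the old check in schannel_state_tdb.c ("It would be good to make this mandatory once schannel is negotiated, but this is not what windows does") is dropped by this series, so the next reader will not know why no auth level is demanded here. I would keep that knowledge at the new call site, e.g. `/* Only require that schannel is in use at all; Windows does not enforce an auth level for these calls, so neither do we. */` above the `if (schannel_global_required)` block. netr_creds_server_step_check starts before this hunk and ends after it.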
@@ -789,8 +825,6 @@ static NTSTATUS netr_creds_server_step_check(pipes_struct *p,
 
 	status = schannel_creds_server_step_check_tdb(tdb, mem_ctx,
 						      computer_name,
-						      schannel_global_required,
-						      schannel_in_use,
 						      received_authenticator,
 						      return_authenticator,
 						      creds_out);
-- 
1.6.6




