diff --git a/librpc/rpc/dcesrv_core.c b/librpc/rpc/dcesrv_core.c
index 8029ed5e472..0c8c7ebb17c 100644
--- a/librpc/rpc/dcesrv_core.c
+++ b/librpc/rpc/dcesrv_core.c
@@ -1905,7 +1905,20 @@ static void dcesrv_alter_done(struct tevent_req *subreq)
 status = dcesrv_auth_complete(call, status);
 if (!NT_STATUS_IS_OK(status)) {
- status = dcesrv_fault_disconnect(call, DCERPC_FAULT_SEC_PKG_ERROR);
+ /*
+ * NT_STATUS_ACCESS_DENIED from gensec means
+ * a signing check or decryption failure,
+ * which should result in DCERPC_FAULT_SEC_PKG_ERROR.
+ *
+ * Any other status, e.g. NT_STATUS_LOGON_FAILURE or
+ * NT_STATUS_INVALID_PARAMETER should result in
+ * DCERPC_FAULT_ACCESS_DENIED.
+ */
+ if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+ status = dcesrv_fault_disconnect(call, DCERPC_FAULT_SEC_PKG_ERROR);
+ } else {
+ status = dcesrv_fault_disconnect(call, DCERPC_FAULT_ACCESS_DENIED);
+ }
 dcesrv_conn_auth_wait_finished(conn, status);
 return;
 }
diff --git a/selftest/knownfail.d/dcerpc-auth-pad b/selftest/knownfail.d/dcerpc-auth-pad
index b7c23427e22..e4fdd21e1dc 100644
--- a/selftest/knownfail.d/dcerpc-auth-pad
+++ b/selftest/knownfail.d/dcerpc-auth-pad
@@ -9,5 +9,3 @@
 ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_tail_pad_ntlm_auth3
 ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_tail_pad_spnego_alter
 ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_tail_pad_spnego_auth3
-^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_schannel_invalid_alter_no_padding.*chgdcpass
-^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_schannel_invalid_alter_tail_padding.*chgdcpass
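Review bot: In the dcesrv_core.c hunk, the new `if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED))` branch picks a client-visible fault code from a single NTSTATUS value, so it is only correct if every gensec mechanism reserves NT_STATUS_ACCESS_DENIED for signing or decryption failures; that contract is not visible here. Both branches then overwrite `status` with the return value of dcesrv_fault_disconnect(), so unless dcesrv_auth_complete() already logs it, the reason for the rejected alter-context is lost to anyone investigating failed authentications. I would log it just before the `if`, e.g. `DBG_NOTICE("alter_context auth failed: %s\n", nt_errstr(status));`, and have the comment state that the else branch is a deliberate catch-all that also covers internal errors. The body of dcesrv_alter_done starts and ends outside the hunk.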