From 31a422b7e58d7a670ebedb7c91f240a3134a9624 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Thu, 12 Nov 2020 16:41:21 +0100
Subject: [PATCH] dcesrv_core: alter_context logon failures should result in DCERPC_FAULT_ACCESS_DENIED
We should use DCERPC_FAULT_ACCESS_DENIED as default for gensec status results of e.g. NT_STATUS_LOGON_FAILURE or NT_STATUS_INVALID_PARAMTER.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andreas Schneider
---
 librpc/rpc/dcesrv_core.c | 15 ++++++++++++++-
 selftest/knownfail.d/dcerpc-auth-pad | 2 --
 2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/librpc/rpc/dcesrv_core.c b/librpc/rpc/dcesrv_core.c
index 8029ed5e472..0c8c7ebb17c 100644
--- a/librpc/rpc/dcesrv_core.c
+++ b/librpc/rpc/dcesrv_core.c
@@ -1905,7 +1905,20 @@ static void dcesrv_alter_done(struct tevent_req *subreq)
 status = dcesrv_auth_complete(call, status);
 if (!NT_STATUS_IS_OK(status)) {
- status = dcesrv_fault_disconnect(call, DCERPC_FAULT_SEC_PKG_ERROR);
+ /*
+ * NT_STATUS_ACCESS_DENIED from gensec means
+ * a signing check or decryption failure,
+ * which should result in DCERPC_FAULT_SEC_PKG_ERROR.
+ *
+ * Any other status, e.g. NT_STATUS_LOGON_FAILURE or
+ * NT_STATUS_INVALID_PARAMETER should result in
+ * DCERPC_FAULT_ACCESS_DENIED.
+ */
+ if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+ status = dcesrv_fault_disconnect(call, DCERPC_FAULT_SEC_PKG_ERROR);
+ } else {
+ status = dcesrv_fault_disconnect(call, DCERPC_FAULT_ACCESS_DENIED);
+ }
 dcesrv_conn_auth_wait_finished(conn, status);
 return;
 }
diff --git a/selftest/knownfail.d/dcerpc-auth-pad b/selftest/knownfail.d/dcerpc-auth-pad
index b7c23427e22..e4fdd21e1dc 100644
--- a/selftest/knownfail.d/dcerpc-auth-pad
+++ b/selftest/knownfail.d/dcerpc-auth-pad
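Review bot: The status tested by the new `if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED))` is the return value of `dcesrv_auth_complete(call, status)`, not the raw gensec result, so the comment's "from gensec" holds only if that helper passes the gensec status through unchanged; its body is not visible here. If the helper can return NT_STATUS_ACCESS_DENIED for a reason of its own, that case would be reported to the peer as DCERPC_FAULT_SEC_PKG_ERROR rather than DCERPC_FAULT_ACCESS_DENIED. The `else` branch is also a catch-all, so logon failures, invalid parameters and any other failure share one fault code on the wire, and `status` is overwritten before `dcesrv_conn_auth_wait_finished`; if nothing upstream already logs the cause, a line such as `DBG_INFO("alter_context auth failed: %s\n", nt_errstr(status));` before the mapping would keep it available to operators. dcesrv_alter_done starts and ends outside the hunk.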
@@ -9,5 +9,3 @@
 ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_tail_pad_ntlm_auth3
 ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_tail_pad_spnego_alter
 ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_tail_pad_spnego_auth3
-^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_schannel_invalid_alter_no_padding.*chgdcpass
-^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_schannel_invalid_alter_tail_padding.*chgdcpass