
librpc/server: prepare schannel_util.c for netr_ServerAuthenticateKerberos

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Stefan Metzmacher 2024-10-29 18:30:22 +01:00 committed by Andreas Schneider
parent c58137aad9
commit 4834b9dacc


@ -22,6 +22,7 @@
*/
#include "includes.h"
#include "auth/auth.h"
#include "schannel_util.h"
#include "param/param.h"
#include "libcli/security/dom_sid.h"
@ -35,6 +36,8 @@ struct dcesrv_netr_check_schannel_state {
enum dcerpc_AuthType auth_type;
enum dcerpc_AuthLevel auth_level;
bool kerberos_required;
bool schannel_global_required;
bool schannel_required;
bool schannel_explicitly_set;
@ -66,6 +69,25 @@ static NTSTATUS dcesrv_netr_check_schannel_get_state(struct dcesrv_call_state *d
*_s = NULL;
if (creds->authenticate_kerberos) {
struct auth_session_info *session_info =
dcesrv_call_session_info(dce_call);
const struct dom_sid *auth_sid =
&session_info->security_token->sids[0];
if (auth_type != DCERPC_AUTH_TYPE_KRB5) {
return NT_STATUS_ACCESS_DENIED;
}
if (auth_level != DCERPC_AUTH_LEVEL_PRIVACY) {
return NT_STATUS_ACCESS_DENIED;
}
if (!dom_sid_equal(auth_sid, &creds->client_sid)) {
return NT_STATUS_ACCESS_DENIED;
}
}
s = dcesrv_iface_state_find_conn(dce_call,
DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC,
struct dcesrv_netr_check_schannel_state);
@ -131,6 +153,11 @@ new_state:
s->seal_required = require_seal;
s->seal_explicitly_set = explicit_seal_opt != NULL;
if (creds->authenticate_kerberos) {
s->kerberos_required = true;
s->seal_required = true;
}
status = dcesrv_iface_state_store_conn(dce_call,
DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC,
s);
@ -165,7 +192,22 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
opname = ndr_table_netlogon.calls[opnum].name;
}
if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
if (s->auth_type == DCERPC_AUTH_TYPE_KRB5) {
if (s->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
reason = "KRB5 WITH SEALED";
} else if (s->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
reason = "KRB5 ONLY WITH SIGNED";
dbg_lvl = DBGLVL_ERR;
s->result = NT_STATUS_ACCESS_DENIED;
} else {
reason = "KRB5 WITH INVALID";
dbg_lvl = DBGLVL_ERR;
s->result = NT_STATUS_ACCESS_DENIED;
}
} else if (s->kerberos_required) {
s->result = NT_STATUS_ACCESS_DENIED;
reason = "WITHOUT KRB5";
} else if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
if (s->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
reason = "WITH SEALED";
} else if (s->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
@ -196,6 +238,14 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
return s->result;
}
if (s->auth_type == DCERPC_AUTH_TYPE_KRB5 &&
s->auth_level == DCERPC_AUTH_LEVEL_PRIVACY)
{
s->result = NT_STATUS_OK;
TALLOC_FREE(frame);
return s->result;
}
if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL &&
s->auth_level == DCERPC_AUTH_LEVEL_PRIVACY)
{