From c25b4afda2b657b73a6215d3ff36461a36496ba3 Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Fri, 3 Jun 2005 09:24:48 +0000
Subject: [PATCH] r7217: Only allow schannel connections if a successful Auth2 has been done before.
Things tested: Domain join and subsequent interactive and network logon to NT4, W2kSP and XPSP2 workstations and a NT4 domain trusting us.
Right now I've got problems with my W2k3 domain trusts. So this needs testing, although I'm really confident that this does not break.
Volker
---
 source/rpc_server/srv_netlog_nt.c | 2 ++
 source/rpc_server/srv_pipe.c | 7 +++++++
 2 files changed, 9 insertions(+)
diff --git a/source/rpc_server/srv_netlog_nt.c b/source/rpc_server/srv_netlog_nt.c
index eb6bd2ac0ac..a6fe9ef31af 100644
--- a/source/rpc_server/srv_netlog_nt.c
+++ b/source/rpc_server/srv_netlog_nt.c
@@ -27,6 +27,7 @@
 #include "includes.h"
 extern struct dcinfo last_dcinfo;
+extern BOOL server_auth2_negotiated;
 extern userdom_struct current_user_info;
 #undef DBGC_CLASS
@@ -421,6 +422,7 @@ NTSTATUS _net_auth_2(pipes_struct *p, NET_Q_AUTH_2 *q_u, NET_R_AUTH_2 *r_u)
 init_net_r_auth_2(r_u, &srv_cred, &srv_flgs, status);
 if (NT_STATUS_IS_OK(status)) {
+ server_auth2_negotiated = True;
 last_dcinfo = p->dc;
 }
diff --git a/source/rpc_server/srv_pipe.c b/source/rpc_server/srv_pipe.c
index ee6c42bd88f..ee4e803d9fc 100644
--- a/source/rpc_server/srv_pipe.c
+++ b/source/rpc_server/srv_pipe.c
@@ -52,6 +52,7 @@ extern struct current_user current_user;
 next. This is the way the netlogon schannel works.
 **************************************************************/
 struct dcinfo last_dcinfo;
+BOOL server_auth2_negotiated = False;
 static void NTLMSSPcalc_p( pipes_struct *p, unsigned char *data, int len)
 {
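Review bot: `server_auth2_negotiated` is set to True in the success branch of `_net_auth_2` and nothing in this patch ever clears it, so from the first successful auth2 onward the flag stays set for the life of the process that holds it; whether that process serves a single client is not visible here and is worth confirming. The flag is paired with `last_dcinfo`, which is only updated on the same success path, so the two stay consistent, but that pairing is implicit in the code. The definition in the srv_pipe.c hunk (`BOOL server_auth2_negotiated = False;`) should carry a comment stating the contract, e.g. `/* Set by _net_auth_2 on success and never cleared; api_pipe_bind_req refuses schannel binds while this is False. */`. `_net_auth_2` starts and ends outside the hunk.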
@@ -975,6 +976,12 @@ BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *rpc_in_p)
 RPC_AUTH_NETSEC_NEG neg;
 struct netsec_auth_struct *a = &(p->netsec_auth);
+ if (!server_auth2_negotiated) {
+ DEBUG(0, ("Attempt to bind using schannel "
+ "without successful serverauth2\n"));
+ return False;
+ }
+
 if (!smb_io_rpc_auth_netsec_neg("", &neg, rpc_in_p, 0)) {
 DEBUG(0,("api_pipe_bind_req: "
 "Could not unmarshal SCHANNEL auth neg\n"));
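Review bot: The new DEBUG message omits the `api_pipe_bind_req: ` prefix that the neighbouring message on the following lines uses, so the log entry cannot be traced back to its source; `DEBUG(0, ("api_pipe_bind_req: Attempt to bind using schannel " "without successful serverauth2\n"));` keeps the file's convention. The gate only establishes that some auth2 succeeded earlier in this process, not that it belongs to the peer now binding; presumably the schannel key is then taken from `last_dcinfo` further down, which would tie the two together, but that code is outside the hunk, so a one-line comment on the check saying where the binding to the authenticated peer happens would help the next reader. `api_pipe_bind_req` starts and ends outside the hunk.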