mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

auth: Disable SChannel authentication if we are not a DC

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
Andrew Bartlett 2017-07-03 13:10:35 +12:00
parent 1319f19958
commit d10e27c350


@ -34,6 +34,7 @@
#include "param/param.h"
#include "auth/gensec/gensec_toplevel_proto.h"
#include "lib/crypto/crypto.h"
#include "libds/common/roles.h"
struct schannel_state {
struct gensec_security *gensec;
@ -723,9 +724,23 @@ static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
return NT_STATUS_OK;
}
/*
* Reduce the attack surface by ensuring schannel is not availble when
* we are not a DC
*/
static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
{
return NT_STATUS_OK;
enum server_role server_role
= lpcfg_server_role(gensec_security->settings->lp_ctx);
switch (server_role) {
case ROLE_DOMAIN_BDC:
case ROLE_DOMAIN_PDC:
case ROLE_ACTIVE_DIRECTORY_DC:
return NT_STATUS_OK;
default:
return NT_STATUS_NOT_IMPLEMENTED;
}
}
static NTSTATUS schannel_client_start(struct gensec_security *gensec_security)
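Review bot: The `default:` arm of the new switch in schannel_server_start() fails closed, which is the right direction for reducing attack surface, but nothing records that this is deliberate: a value added to `enum server_role` later will be refused with NT_STATUS_NOT_IMPLEMENTED and no trace in the logs. I would add a comment on that arm, e.g. `/* fail closed: any role not listed above, including ones added later, gets no schannel server */`, and consider a low-level debug message before the return so a refused secure-channel bind can be traced back to this role check. The function also dereferences `gensec_security->settings->lp_ctx` without a NULL test; that is presumably guaranteed by the gensec setup code, which lies outside the hunk and should be confirmed. The header comment has a typo, `availble` for `available`.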