sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-11 05:18:09 +03:00
Code

s3-lsarpc: Enforce a secure connection for LookupSids3 and LookupNames4.

Browse Source 
http://thread.gmane.org/gmane.network.protocol.cifs.general/291
This commit is contained in:
Andreas Schneider 2012-06-26 17:25:57 +02:00 committed by Andreas Schneider
parent d1e829bbab
commit d37643c204
1 changed files with 14 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
source3/rpc_server/lsa/srv_lsa_nt.c
View File

@ -1126,10 +1126,13 @@ NTSTATUS _lsa_LookupSids3(struct pipes_struct *p,
}
/* No policy handle on this call. Restrict to crypto connections. */
if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
DEBUG(0,("_lsa_LookupSids3: client %s not using schannel for netlogon\n",
get_remote_machine_name() ));
return NT_STATUS_INVALID_PARAMETER;
if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL ||
p->auth.auth_level < DCERPC_AUTH_LEVEL_INTEGRITY) {
DEBUG(1, ("_lsa_LookupSids3: The client %s is not using "
"a secure connection over netlogon\n",
get_remote_machine_name() ));
p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
return NT_STATUS_ACCESS_DENIED;
}
q.in.handle = NULL;
@ -1432,10 +1435,13 @@ NTSTATUS _lsa_LookupNames4(struct pipes_struct *p,
}
/* No policy handle on this call. Restrict to crypto connections. */
if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
DEBUG(0,("_lsa_lookup_names4: client %s not using schannel for netlogon\n",
get_remote_machine_name() ));
return NT_STATUS_INVALID_PARAMETER;
if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL ||
p->auth.auth_level < DCERPC_AUTH_LEVEL_INTEGRITY) {
DEBUG(1, ("_lsa_LookupNames4: The client %s is not using "
"a secure connection over netlogon\n",
get_remote_machine_name()));
p->fault_state = DCERPC_FAULT_ACCESS_DENIED;
return NT_STATUS_ACCESS_DENIED;
}
q.in.handle = NULL;