
dcesrv_core: alter_context logon failures should result in DCERPC_FAULT_ACCESS_DENIED

We should use DCERPC_FAULT_ACCESS_DENIED as default for
gensec status results of e.g. NT_STATUS_LOGON_FAILURE or
NT_STATUS_INVALID_PARAMETER.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 31a422b7e5)
Stefan Metzmacher 2020-11-12 16:41:21 +01:00 committed by Jule Anger
parent b6dd675372
commit fd7bfa6ad2
2 changed files with 14 additions and 3 deletions


@ -1905,7 +1905,20 @@ static void dcesrv_alter_done(struct tevent_req *subreq)
status = dcesrv_auth_complete(call, status);
if (!NT_STATUS_IS_OK(status)) {
status = dcesrv_fault_disconnect(call, DCERPC_FAULT_SEC_PKG_ERROR);
/*
* NT_STATUS_ACCESS_DENIED from gensec means
* a signing check or decryption failure,
* which should result in DCERPC_FAULT_SEC_PKG_ERROR.
*
* Any other status, e.g. NT_STATUS_LOGON_FAILURE or
* NT_STATUS_INVALID_PARAMETER should result in
* DCERPC_FAULT_ACCESS_DENIED.
*/
if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
status = dcesrv_fault_disconnect(call, DCERPC_FAULT_SEC_PKG_ERROR);
} else {
status = dcesrv_fault_disconnect(call, DCERPC_FAULT_ACCESS_DENIED);
}
dcesrv_conn_auth_wait_finished(conn, status);
return;
}
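Review bot: In both new branches the gensec result in `status` is overwritten by the return value of dcesrv_fault_disconnect(), so nothing in the visible lines records why the alter_context authentication failed. The client now sees a coarser fault for logon failures, so it becomes more useful for the server side to keep the precise reason for auditing and failed-authentication detection. Unless dcesrv_auth_complete() already logs it (not visible here), I would add `DBG_NOTICE("alter_context auth failed: %s\n", nt_errstr(status));` just before the `if (NT_STATUS_EQUAL(...))`. If the bind and auth3 completion paths apply the same ACCESS_DENIED versus SEC_PKG_ERROR mapping, a small static helper returning the fault code would keep the three paths from drifting apart. dcesrv_alter_done() starts and ends outside this hunk, so this is based only on the lines shown.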


@ -9,5 +9,3 @@
^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_tail_pad_ntlm_auth3
^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_tail_pad_spnego_alter
^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_tail_pad_spnego_auth3
^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_schannel_invalid_alter_no_padding.*chgdcpass
^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_schannel_invalid_alter_tail_padding.*chgdcpass