author | Andrew Bartlett <abartlet@samba.org> | 2017-07-03 13:10:35 +1200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2017-07-04 06:57:20 +0200 |
commit | d10e27c350d6e4b389fa15cdbc32dc0689e4fcc6 (patch) | |
tree | 315ace9cbeebc5d0693b5a73e3c676631c241ee2 | |
parent | 1319f199587ac82742ab39850bd2ea38d7c013ad (diff) | |
download | samba-d10e27c350d6e4b389fa15cdbc32dc0689e4fcc6.tar.gz |
auth: Disable SChannel authentication if we are not a DC
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
-rw-r--r-- | auth/gensec/schannel.c | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
index 41f635182cf..8e58e73cacd 100644
--- a/auth/gensec/schannel.c
+++ b/auth/gensec/schannel.c
@@ -34,6 +34,7 @@
 #include "param/param.h"
 #include "auth/gensec/gensec_toplevel_proto.h"
 #include "lib/crypto/crypto.h"
+#include "libds/common/roles.h"
 struct schannel_state {
 	struct gensec_security *gensec;
@@ -723,9 +724,23 @@ static NTSTATUS schannel_session_info(struct gensec_security *gensec_security,
 	return NT_STATUS_OK;
 }
+/*
+ * Reduce the attack surface by ensuring schannel is not availble when
+ * we are not a DC
+ */
 static NTSTATUS schannel_server_start(struct gensec_security *gensec_security)
 {
-	return NT_STATUS_OK;
+	enum server_role server_role = lpcfg_server_role(gensec_security->settings->lp_ctx);
+	switch (server_role) {
+	case ROLE_DOMAIN_BDC:
+	case ROLE_DOMAIN_PDC:
+	case ROLE_ACTIVE_DIRECTORY_DC:
+		return NT_STATUS_OK;
+	default:
+		return NT_STATUS_NOT_IMPLEMENTED;
+	}
 }
 static NTSTATUS schannel_client_start(struct gensec_security *gensec_security) |
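Review bot: The new body of `schannel_server_start` dereferences `gensec_security->settings->lp_ctx` where the old body touched nothing, and whether `settings` is guaranteed non-NULL by the time the server-side start hook runs is not visible in this hunk, so that invariant deserves a one-line comment or an assertion next to the `lpcfg_server_role` call. The added comment also has a typo ("availble") and would read more usefully as `/* Reduce the attack surface: only accept schannel as a server when we are a DC (PDC, BDC or AD DC); the client side stays enabled because domain members use it to talk to their DC. */`. Every role not listed, including standalone and domain member, now gets NT_STATUS_NOT_IMPLEMENTED, and a role added to `enum server_role` later will be denied by default, which is the safe direction; if NT_STATUS_NOT_SUPPORTED was considered and rejected, the comment is the place to say so. `schannel_client_start` is deliberately left unchanged, as the trailing context line shows.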