diff options
author | Günther Deschner <gd@samba.org> | 2020-09-17 14:23:16 +0200 |
---|---|---|
committer | Karolin Seeger <kseeger@samba.org> | 2020-09-18 12:58:23 +0200 |
commit | 912cc29a9950d6385f4e372b5141900f87a464b7 (patch) | |
tree | bba7f6786102680dea6058c207c157af2c810cf8 | |
parent | 6a6f64fc8c3c515294010b2876667a6e157a486b (diff) | |
download | samba-912cc29a9950d6385f4e372b5141900f87a464b7.tar.gz |
CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: support "server require schannel:WORKSTATION$ = no"
This allows to add expections for individual workstations, when using "server schannel = yes".
"server schannel = auto" is very insecure and will be removed soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Günther Deschner <gd@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
-rw-r--r-- | source3/rpc_server/netlogon/srv_netlog_nt.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c index 50455ee4bce..28381405ebd 100644 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c @@ -1073,6 +1073,7 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, { NTSTATUS status; bool schannel_global_required = (lp_server_schannel() == true) ? true:false; + bool schannel_required = schannel_global_required; struct loadparm_context *lp_ctx; struct netlogon_creds_CredentialState *creds = NULL; enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; @@ -1105,7 +1106,11 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, return status; } - if (schannel_global_required) { + schannel_required = lp_parm_bool(GLOBAL_SECTION_SNUM, + "server require schannel", + creds->account_name, + schannel_global_required); + if (schannel_required) { if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { *creds_out = creds; return NT_STATUS_OK; |