author | Stefan Metzmacher <metze@samba.org> | 2018-11-08 12:44:30 +0100 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2019-01-12 03:13:35 +0100 |
commit | fc596ef1c733c75e56a4790b70641f7ca8fb9828 (patch) | |
tree | 4fd0370ee6b4f6434e084aea521020a69343cda6 /source4 | |
parent | 10816794c0210c622d6f2f75ac518a651ef7ce7c (diff) | |
download | samba-fc596ef1c733c75e56a4790b70641f7ca8fb9828.tar.gz |
s4:rpc_server/lsa: make use of dcesrv_call_auth_info()
It's enough to check the auth_type for DCERPC_AUTH_TYPE_SCHANNEL;
there's no need to also check the auth_level for integrity or privacy.
The gensec layer already required at least DCERPC_AUTH_LEVEL_INTEGRITY,
see schannel_update_internal().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=7113
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11892
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'source4')
-rw-r--r-- | source4/rpc_server/lsa/lsa_lookup.c | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/source4/rpc_server/lsa/lsa_lookup.c b/source4/rpc_server/lsa/lsa_lookup.c
index 7e28791336b..a2723dc6849 100644
--- a/source4/rpc_server/lsa/lsa_lookup.c
+++ b/source4/rpc_server/lsa/lsa_lookup.c
@@ -676,7 +676,7 @@ NTSTATUS dcesrv_lsa_LookupSids3(struct dcesrv_call_state *dce_call,
 {
 	enum dcerpc_transport_t transport =
 		dcerpc_binding_get_transport(dce_call->conn->endpoint->ep_description);
-	const struct dcesrv_auth *auth = &dce_call->conn->auth_state;
+	enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
 	struct dcesrv_lsa_LookupSids_base_state *state = NULL;
 	NTSTATUS status;
 
@@ -687,9 +687,12 @@ NTSTATUS dcesrv_lsa_LookupSids3(struct dcesrv_call_state *dce_call,
 	/*
 	 * We don't have policy handles on this call. So this must be restricted
 	 * to crypto connections only.
+	 *
+	 * NB. gensec requires schannel connections to
+	 * have at least DCERPC_AUTH_LEVEL_INTEGRITY.
 	 */
-	if (auth->auth_type != DCERPC_AUTH_TYPE_SCHANNEL ||
-	    auth->auth_level < DCERPC_AUTH_LEVEL_INTEGRITY) {
+	dcesrv_call_auth_info(dce_call, &auth_type, NULL);
+	if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
 		DCESRV_FAULT(DCERPC_FAULT_ACCESS_DENIED);
 	}
 
@@ -1295,7 +1298,7 @@ NTSTATUS dcesrv_lsa_LookupNames4(struct dcesrv_call_state *dce_call, TALLOC_CTX
 {
 	enum dcerpc_transport_t transport =
 		dcerpc_binding_get_transport(dce_call->conn->endpoint->ep_description);
-	const struct dcesrv_auth *auth = &dce_call->conn->auth_state;
+	enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
 	struct dcesrv_lsa_LookupNames_base_state *state = NULL;
 	NTSTATUS status;
 
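Review bot: In dcesrv_lsa_LookupSids3 the new line `dcesrv_call_auth_info(dce_call, &auth_type, NULL);` discards whatever the helper returns, so the access check on the next line relies solely on the `DCERPC_AUTH_TYPE_NONE` initialiser to fail closed should the helper ever leave `auth_type` untouched. That initialiser is the right fail-closed default, but nothing on the declaration says so, and a later cleanup could "simplify" it away; a one-line comment on the declaration would pin the intent: `/* Starts as NONE so an unfilled auth_type still faults below. */`. If dcesrv_call_auth_info() reports a status through its return value (its prototype is not in the hunk), checking it here would make the deny path explicit rather than implicit. The same pattern appears in the dcesrv_lsa_LookupNames4 hunks. dcesrv_lsa_LookupSids3 continues outside the hunk.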
@@ -1307,8 +1310,8 @@ NTSTATUS dcesrv_lsa_LookupNames4(struct dcesrv_call_state *dce_call, TALLOC_CTX
 	 * We don't have policy handles on this call. So this must be restricted
 	 * to crypto connections only.
 	 */
-	if (auth->auth_type != DCERPC_AUTH_TYPE_SCHANNEL ||
-	    auth->auth_level < DCERPC_AUTH_LEVEL_INTEGRITY) {
+	dcesrv_call_auth_info(dce_call, &auth_type, NULL);
+	if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
 		DCESRV_FAULT(DCERPC_FAULT_ACCESS_DENIED);
 	}
 
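Review bot: The comment block above the new check in dcesrv_lsa_LookupNames4 still only says "crypto connections only", while the matching hunk in dcesrv_lsa_LookupSids3 gained the NB explaining that gensec already enforces DCERPC_AUTH_LEVEL_INTEGRITY for schannel; a reader of this function sees the auth_level comparison removed with no stated reason. Mirror the two lines here, after a bare ` *` line: ` * NB. gensec requires schannel connections to` / ` * have at least DCERPC_AUTH_LEVEL_INTEGRITY.`. Keeping both call sites documented identically makes it harder for one of them to drift back to a weaker check unnoticed. The body of dcesrv_lsa_LookupNames4 continues outside the hunk.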