author | Andrew Bartlett <abartlet@samba.org> | 2009-04-09 14:22:04 +1000 |
committer | Andrew Bartlett <abartlet@samba.org> | 2009-04-14 16:23:44 +1000 |
commit | 53afa1adacb239fd942b3b58707c8e4c55639175 (patch) | |
tree | eb78cd8d92bdf2a45223fc383edef90b2c5f1507 /libcli | |
parent | baf7274fed2f1ae7a9e3a57160bf5471566e636c (diff) | |
libcli/auth Push schannel check into common libcli/auth
This means we have a single choke point to ensure the remote client is
using schannel.
Andrew Bartlett
Diffstat (limited to 'libcli')
-rw-r--r-- | libcli/auth/schannel_state.c | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/libcli/auth/schannel_state.c b/libcli/auth/schannel_state.c
index c3f087d7dc..b45249e9e2 100644
--- a/libcli/auth/schannel_state.c
+++ b/libcli/auth/schannel_state.c
@@ -147,7 +147,7 @@ NTSTATUS schannel_store_session_key(struct ldb_context *ldb,
 /* We don't need a transaction here, as we either add or
 * modify records, never delete them, so it must exist */
- if (ret != 0) {
+ if (ret != LDB_SUCCESS) {
 DEBUG(0,("Unable to add %s to session key db - %s\n", ldb_dn_get_linearized(msg->dn), ldb_errstring(ldb)));
 return NT_STATUS_INTERNAL_DB_CORRUPTION;
@@ -263,8 +263,9 @@ NTSTATUS schannel_fetch_session_key(struct ldb_context *ldb,
 */
 NTSTATUS schannel_creds_server_step_check(struct ldb_context *ldb,
 TALLOC_CTX *mem_ctx,
- bool schannel_in_use,
 const char *computer_name,
+ bool schannel_required_for_call,
+ bool schannel_in_use,
 struct netr_Authenticator *received_authenticator,
 struct netr_Authenticator *return_authenticator,
 struct netlogon_creds_CredentialState **creds_out)
@@ -285,8 +286,12 @@ NTSTATUS schannel_creds_server_step_check(struct ldb_context *ldb,
 nt_status = schannel_fetch_session_key(ldb, ldb, computer_name, &creds);
- /* Ensure that once the client and server agree on schannel, that all future calls must use it */
- if (creds->negotiate_flags & NETLOGON_NEG_SCHANNEL && !schannel_in_use) {
+ /* If we are flaged that schannel is required for a call, and
+ * it is not in use, then make this an error */
+
+ /* It would be good to make this mandetory once schannel is
+ * negoiated, bu this is not what windows does */
+ if (schannel_required_for_call && !schannel_in_use) {
 DEBUG(0,("schannel_creds_server_step_check: client %s not using schannel for netlogon, despite negotiating it\n", creds->computer_name ));
 return NT_STATUS_ACCESS_DENIED;
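Review bot: The new signature of schannel_creds_server_step_check places two adjacent `bool` parameters, `schannel_required_for_call` and `schannel_in_use`, and a call site that passes them in the wrong order compiles without any diagnostic while silently turning the enforcement check into a no-op, so their meaning should be spelled out in the function's doc comment, whose closing ` */` is the first line of this hunk. Suggested parameter documentation, wording to be confirmed against the callers (not visible here): `@param schannel_required_for_call true when the operation being processed must be protected by schannel` and `@param schannel_in_use true when the current RPC call actually arrived over an schannel-protected binding`. The body of schannel_creds_server_step_check continues past the end of this hunk.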
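Review bot: The DEBUG message inside the new `if (schannel_required_for_call && !schannel_in_use)` branch still ends with "despite negotiating it", but the condition no longer consults `creds->negotiate_flags`, so the log now misstates why the call was rejected; suggest `DEBUG(0,("schannel_creds_server_step_check: client %s not using schannel for netlogon, but this call requires it\n", creds->computer_name));`. That branch also dereferences `creds->computer_name` before any visible check of the `nt_status` returned by `schannel_fetch_session_key` on the first line of the hunk — the old condition dereferenced `creds` too, so this is not new, but whether `creds` is valid when the lookup fails is not visible here and should be confirmed. Note that the enforcement is now opt-in per call: a caller passing `false` for `schannel_required_for_call` bypasses the check without any log, so the "single choke point" from the commit message only holds if every call site sets the flag correctly. The comment typos (`flaged`, `mandetory`, `negoiated`, `bu`) could be fixed while here; the enclosing function starts in the previous hunk and continues past the end of this one.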