LATER... CVE-2020-1472(ZeroLogon): s4:rpc_server: require schannel for non workstatio...
author Stefan Metzmacher <metze@samba.org>
Wed, 16 Sep 2020 08:18:45 +0000 (10:18 +0200)
committer Stefan Metzmacher <metze@samba.org>
Wed, 16 Sep 2020 18:23:27 +0000 (20:23 +0200)
This means domain trust and domain controller accounts are protected,
even if "server schannel = auto" is used.

FAILS too many tests...

source4/rpc_server/netlogon/dcerpc_netlogon.c

index fc97728350b54c2f746dcc0a680375e489c76fbd..8b052a8102e5727d8e8d0f3fde4a2fa0df51234f 100644 (file)
@@ -670,6 +670,10 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
                        log_escape(mem_ctx, creds->account_name));
        }
 
+       if (creds->secure_channel_type != SEC_CHAN_WKSTA) {
+               schannel_required = true;
+       }
+
        if (schannel_required) {
                if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
                        DBG_ERR("CVE-2020-1472(ZeroLogin): "
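Review bot: The override at `if (creds->secure_channel_type != SEC_CHAN_WKSTA)` needs a comment and its own log context, because it silently replaces whatever value schannel_required was given earlier in the function. With "server schannel = auto", a trust or domain controller account that reaches the `auth_type != DCERPC_AUTH_TYPE_SCHANNEL` error path gets no hint that the channel type, not the configuration, forced the requirement. Suggest a short comment above the check saying that only workstation accounts may fall back to the configured setting, and including secure_channel_type in the error message below. The DBG_ERR context line also spells the name "ZeroLogin" while the subject line uses "ZeroLogon"; one spelling keeps the message greppable. Since the commit message says tests fail, the affected tests should be adjusted in the same series before this lands.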