/* Store off the state so we can continue after client disconnect. */
become_root();
- status = schannel_store_session_key(p->mem_ctx, creds);
+ status = schannel_save_creds_state(p->mem_ctx,
+ NULL, lp_private_dir(), creds);
unbecome_root();
if (!NT_STATUS_IS_OK(status)) {
return _netr_ServerAuthenticate3(p, &a);
}
+/*************************************************************************
+ * If schannel is required for this call test that it actually is available.
+ *************************************************************************/
+static NTSTATUS schannel_check_required(struct pipe_auth_data *auth_info,
+ const char *computer_name,
+ bool integrity, bool privacy)
+{
+ if (auth_info && auth_info->auth_type == PIPE_AUTH_TYPE_SCHANNEL) {
+ if (!privacy && !integrity) {
+ return NT_STATUS_OK;
+ }
+
+ if ((!privacy && integrity) &&
+ auth_info->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
+ return NT_STATUS_OK;
+ }
+
+ if ((privacy || integrity) &&
+ auth_info->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
+ return NT_STATUS_OK;
+ }
+ }
+
+ /* test didn't pass */
+ DEBUG(0, ("schannel_check_required: [%s] is not using schannel\n",
+ computer_name));
+
+ return NT_STATUS_ACCESS_DENIED;
+}
+
/*************************************************************************
*************************************************************************/
struct netlogon_creds_CredentialState **creds_out)
{
NTSTATUS status;
- struct tdb_context *tdb;
bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
- bool schannel_in_use = (p->auth.auth_type == PIPE_AUTH_TYPE_SCHANNEL) ? true:false; /* &&
- (p->auth.auth_level == DCERPC_AUTH_LEVEL_INTEGRITY ||
- p->auth.auth_level == DCERPC_AUTH_LEVEL_PRIVACY); */
- tdb = open_schannel_session_store(mem_ctx);
- if (!tdb) {
- return NT_STATUS_ACCESS_DENIED;
+ if (schannel_global_required) {
+ status = schannel_check_required(&p->auth,
+ computer_name,
+ false, false);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
}
- status = schannel_creds_server_step_check_tdb(tdb, mem_ctx,
- computer_name,
- schannel_global_required,
- schannel_in_use,
- received_authenticator,
- return_authenticator,
- creds_out);
- tdb_close(tdb);
+ status = schannel_check_creds_state(mem_ctx, NULL,
+ lp_private_dir(),
+ computer_name,
+ received_authenticator,
+ return_authenticator,
+ creds_out);
return status;
}
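Review bot: The new static function schannel_check_required is only ever called with `integrity=false, privacy=false` (the call just below the `if (schannel_global_required)` line in this hunk), so its first branch, `if (!privacy && !integrity) return NT_STATUS_OK;`, reduces the whole test to `auth_type == PIPE_AUTH_TYPE_SCHANNEL` and the negotiated auth level is never enforced even when `server schannel` is required. That matches the relaxation the removed, commented-out `auth_level == DCERPC_AUTH_LEVEL_INTEGRITY || ... PRIVACY` condition on the old `schannel_in_use` line expressed, so it reads as a deliberate carry-over rather than a regression, but nothing in the new code records it; I would add to the function's header comment: `/* integrity/privacy name the minimum DCERPC auth level to accept; with both false only the auth type is checked (pre-existing behaviour), so the caller gets no integrity or privacy guarantee. */`. The `DEBUG(0, ...)` line formats computer_name with `%s`; if any caller can pass NULL there the format is undefined behaviour, so either state the non-NULL precondition in the comment or print a placeholder when it is NULL. The function whose body ends at the closing brace here begins outside the hunk.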
struct netlogon_creds_CredentialState *creds = NULL;
become_root();
- status = schannel_fetch_session_key(p->mem_ctx, r->in.computer_name, &creds);
+ status = schannel_get_creds_state(p->mem_ctx,
+ NULL, lp_private_dir(),
+ r->in.computer_name, &creds);
unbecome_root();
if (!NT_STATUS_IS_OK(status)) {
return status;