git.samba.org / samba.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f867164)
CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: support "server require schannel...
authorStefan Metzmacher <metze@samba.org>
Wed, 16 Sep 2020 08:56:53 +0000 (10:56 +0200)
committerKarolin Seeger <kseeger@samba.org>
Fri, 18 Sep 2020 10:45:37 +0000 (12:45 +0200)
This allows to add expections for individual workstations, when using "server schannel = yes".
"server schannel = auto" is very insecure and will be removed soon.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

Signed-off-by: Stefan Metzmacher <metze@samba.org>
source4/rpc_server/netlogon/dcerpc_netlogon.c patch | blob | history

diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index afc0687b882c4b2466b8e94e9ef5df758454f36e..051513adc08832ef0e93f2648cfedd6913a78142 100644 (file)
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -622,6 +622,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
        NTSTATUS nt_status;
        int schannel = lpcfg_server_schannel(dce_call->conn->dce_ctx->lp_ctx);
        bool schannel_global_required = (schannel == true);
+       bool schannel_required = schannel_global_required;
        struct netlogon_creds_CredentialState *creds = NULL;
        enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
        uint16_t opnum = dce_call->pkt.u.request.opnum;
@@ -644,7 +645,13 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
                return nt_status;
        }
 
-       if (schannel_global_required) {
+       schannel_required = lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx,
+                                           NULL,
+                                           "server require schannel",
+                                           creds->account_name,
+                                           schannel_global_required);
+
+       if (schannel_required) {
                if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
                        *creds_out = creds;
                        return NT_STATUS_OK;
Samba Shared Repository