From 53afa1adacb239fd942b3b58707c8e4c55639175 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Thu, 9 Apr 2009 14:22:04 +1000
Subject: [PATCH] libcli/auth Push schannel check into common libcli/auth

This means we have a single choke point to ensure the remote client is using schannel.

Andrew Bartlett
---
 libcli/auth/schannel_state.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/libcli/auth/schannel_state.c b/libcli/auth/schannel_state.c
index c3f087d7dc6..b45249e9e2b 100644
--- a/libcli/auth/schannel_state.c
+++ b/libcli/auth/schannel_state.c
@@ -147,7 +147,7 @@ NTSTATUS schannel_store_session_key(struct ldb_context *ldb,
 /* We don't need a transaction here, as we either add or
 * modify records, never delete them, so it must exist */
- if (ret != 0) {
+ if (ret != LDB_SUCCESS) {
 DEBUG(0,("Unable to add %s to session key db - %s\n", ldb_dn_get_linearized(msg->dn), ldb_errstring(ldb)));
 return NT_STATUS_INTERNAL_DB_CORRUPTION;
@@ -263,8 +263,9 @@ NTSTATUS schannel_fetch_session_key(struct ldb_context *ldb,
 */
 NTSTATUS schannel_creds_server_step_check(struct ldb_context *ldb,
 TALLOC_CTX *mem_ctx,
- bool schannel_in_use,
 const char *computer_name,
+ bool schannel_required_for_call,
+ bool schannel_in_use,
 struct netr_Authenticator *received_authenticator,
 struct netr_Authenticator *return_authenticator,
 struct netlogon_creds_CredentialState **creds_out)
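Review bot: The DEBUG text in this hunk reports `Unable to add %s to session key db` although the comment two lines above says the record is either added or modified, so a failed modify is logged as a failed add; `"Unable to add/modify %s in session key db - %s\n"` would match the code path the comment describes. Comparing `ret` against `LDB_SUCCESS` is the right constant; any remaining `ret != 0` comparisons on ldb results elsewhere in the file, if there are any, should follow for consistency. schannel_store_session_key begins outside the hunk.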
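Review bot: The new signature places two `bool` parameters, `schannel_required_for_call` and `schannel_in_use`, next to each other and also moves `schannel_in_use` behind `computer_name`, so every existing caller must be rewritten and a caller that passes the two flags in the wrong order still compiles. A swap turns the check into `schannel_in_use && !schannel_required_for_call`, which silently admits a client that is not using schannel on a call that requires it, so the doc comment that closes just above the declaration (` */`) should name each flag and fix the order as required-then-in-use. The diffstat lists only this file, so if a header declares this prototype it is not updated by this patch. The function body continues outside the hunk.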
@@ -285,8 +286,12 @@ NTSTATUS schannel_creds_server_step_check(struct ldb_context *ldb,
 nt_status = schannel_fetch_session_key(ldb, ldb, computer_name, &creds);
- /* Ensure that once the client and server agree on schannel, that all future calls must use it */
- if (creds->negotiate_flags & NETLOGON_NEG_SCHANNEL && !schannel_in_use) {
+ /* If we are flaged that schannel is required for a call, and
+ * it is not in use, then make this an error */
+
+ /* It would be good to make this mandetory once schannel is
+ * negoiated, bu this is not what windows does */
+ if (schannel_required_for_call && !schannel_in_use) {
 DEBUG(0,("schannel_creds_server_step_check: client %s not using schannel for netlogon, despite negotiating it\n", creds->computer_name ));
 return NT_STATUS_ACCESS_DENIED;
-- 
2.34.1
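Review bot: The new condition no longer consults `creds->negotiate_flags`, but the DEBUG line that follows still says `despite negotiating it`, so the log now asserts a negotiation that was never checked; `"schannel_creds_server_step_check: client %s not using schannel for netlogon, but it is required for this call\n"` describes the actual condition. That same DEBUG dereferences `creds->computer_name` directly after `nt_status = schannel_fetch_session_key(...)` with no visible check of `nt_status` in between, so if the fetch fails and leaves `creds` unset this error path dereferences an invalid pointer; passing the `computer_name` parameter instead avoids the dereference regardless of where the status is checked. Because the removed downgrade check tied to `NETLOGON_NEG_SCHANNEL` is gone, enforcement now rests entirely on each caller passing `schannel_required_for_call` correctly, which the new comment should say explicitly. The new comment also carries several typos (flaged, mandetory, negoiated, bu) that should be fixed before merge. The enclosing function starts and ends outside the hunk.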