From: Stefan Metzmacher
Date: Tue, 30 Apr 2024 23:09:40 +0000 (+0200)
Subject: s4:rpc_server/lsa: allow krb5+privacy instead of schannel
X-Git-Tag: tdb-1.4.13~356
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d002f371ecab65bba4752398c0bf710a717e3069;p=thirdparty%2Fsamba.git

s4:rpc_server/lsa: allow krb5+privacy instead of schannel

With netr_ServerAuthenticateKerberos() clients also use krb5 for lsa_LookupSids3 and lsa_LookupNames4.

Signed-off-by: Stefan Metzmacher
Reviewed-by: Andreas Schneider
---

diff --git a/source4/rpc_server/lsa/lsa_lookup.c b/source4/rpc_server/lsa/lsa_lookup.c
index ca3ad4f961e..2c13127beb0 100644
--- a/source4/rpc_server/lsa/lsa_lookup.c
+++ b/source4/rpc_server/lsa/lsa_lookup.c
@@ -674,6 +674,8 @@ static NTSTATUS schannel_call_setup(struct dcesrv_call_state *dce_call,
 	enum dcerpc_transport_t transport = dcerpc_binding_get_transport(dce_call->conn->endpoint->ep_description);
 	enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
+	enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
+
 	if (transport != NCACN_IP_TCP) {
 		/* We can't call DCESRV_FAULT() in the sub-function */
 		dce_call->fault_code = DCERPC_FAULT_ACCESS_DENIED;
@@ -687,8 +689,14 @@ static NTSTATUS schannel_call_setup(struct dcesrv_call_state *dce_call,
 	 * NB. gensec requires schannel connections to
 	 * have at least DCERPC_AUTH_LEVEL_INTEGRITY.
 	 */
-	dcesrv_call_auth_info(dce_call, &auth_type, NULL);
-	if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
+	dcesrv_call_auth_info(dce_call, &auth_type, &auth_level);
+	if (auth_type == DCERPC_AUTH_TYPE_KRB5 &&
+	    auth_level == DCERPC_AUTH_LEVEL_PRIVACY)
+	{
+		/* ok */
+	} else if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+		/* ok - implies at least DCERPC_AUTH_LEVEL_INTEGRITY. */
+	} else {
 		/* We can't call DCESRV_FAULT() in the sub-function */
 		dce_call->fault_code = DCERPC_FAULT_ACCESS_DENIED;
 		return NT_STATUS_ACCESS_DENIED;
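Review bot: The block comment directly above the rewritten check in the second hunk (its opening lies outside the hunk) still documents only the schannel requirement, while the new code also admits DCERPC_AUTH_TYPE_KRB5 at DCERPC_AUTH_LEVEL_PRIVACY, so the comment is now stale and the bare `/* ok */` in the krb5 branch does not say why privacy rather than integrity is the bar for that auth type. I would extend the NB. lines to ` * NB. krb5 callers are accepted only at DCERPC_AUTH_LEVEL_PRIVACY; gensec requires schannel connections to have at least DCERPC_AUTH_LEVEL_INTEGRITY.` and replace `/* ok */` with `/* ok - krb5 is only accepted with DCERPC_AUTH_LEVEL_PRIVACY */`, so a later reader does not loosen the level check by analogy with the schannel branch. The name schannel_call_setup no longer describes the accepted set either; a rename is beyond this commit but worth a follow-up. schannel_call_setup begins before the first hunk and its body continues past the last line of the second.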