dcesrv_core: alter_context logon failures should result in DCERPC_FAULT_ACCESS_DENIED
authorStefan Metzmacher <metze@samba.org>
Thu, 12 Nov 2020 15:41:21 +0000 (16:41 +0100)
committerJule Anger <janger@samba.org>
Thu, 7 Nov 2024 08:18:16 +0000 (08:18 +0000)
We should use DCERPC_FAULT_ACCESS_DENIED as default for
gensec status results of e.g. NT_STATUS_LOGON_FAILURE or
NT_STATUS_INVALID_PARAMETER.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit 31a422b7e58d7a670ebedb7c91f240a3134a9624)

librpc/rpc/dcesrv_core.c
selftest/knownfail.d/dcerpc-auth-pad

index 8029ed5e472c6225e23629c58afb04ff23fcc188..0c8c7ebb17c36892e3750a46d9ea5cefa29252a4 100644 (file)
@@ -1905,7 +1905,20 @@ static void dcesrv_alter_done(struct tevent_req *subreq)
 
        status = dcesrv_auth_complete(call, status);
        if (!NT_STATUS_IS_OK(status)) {
-               status = dcesrv_fault_disconnect(call, DCERPC_FAULT_SEC_PKG_ERROR);
+               /*
+                * NT_STATUS_ACCESS_DENIED from gensec means
+                * a signing check or decryption failure,
+                * which should result in DCERPC_FAULT_SEC_PKG_ERROR.
+                *
+                * Any other status, e.g. NT_STATUS_LOGON_FAILURE or
+                * NT_STATUS_INVALID_PARAMETER should result in
+                * DCERPC_FAULT_ACCESS_DENIED.
+                */
+               if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+                       status = dcesrv_fault_disconnect(call, DCERPC_FAULT_SEC_PKG_ERROR);
+               } else {
+                       status = dcesrv_fault_disconnect(call, DCERPC_FAULT_ACCESS_DENIED);
+               }
                dcesrv_conn_auth_wait_finished(conn, status);
                return;
        }
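Review bot: The status compared against NT_STATUS_ACCESS_DENIED is the return value of dcesrv_auth_complete(), not the raw gensec result, so the comment's "from gensec" only holds if that helper passes gensec statuses through unchanged and never returns NT_STATUS_ACCESS_DENIED for reasons of its own; the helper is outside this hunk, so that is worth confirming. The else branch is also a catch-all, so a non-authentication failure (an allocation error, for example) would reach the peer as DCERPC_FAULT_ACCESS_DENIED, which fails closed but hides the cause. Because `status` is then overwritten by the dcesrv_fault_disconnect() result, the original NTSTATUS is lost for anyone reading server logs; unless dcesrv_auth_complete() already logs it, I would add `DBG_NOTICE("alter_context auth failed: %s\n", nt_errstr(status));` ahead of the if/else so failed logons and signing failures stay distinguishable on the server side. dcesrv_alter_done's body starts and ends outside the hunk.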
index b7c23427e22297b19dae4cda9027f0d714905755..e4fdd21e1dcec00515c0a4a4c471ddd765f1f633 100644 (file)
@@ -9,5 +9,3 @@
 ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_tail_pad_ntlm_auth3
 ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_tail_pad_spnego_alter
 ^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_auth_tail_pad_spnego_auth3
-^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_schannel_invalid_alter_no_padding.*chgdcpass
-^samba.tests.dcerpc.raw_protocol.samba.tests.dcerpc.raw_protocol.TestDCERPC_BIND.test_schannel_invalid_alter_tail_padding.*chgdcpass