Author: abartlet
Date: 2007-08-17 05:28:39 +0000 (Fri, 17 Aug 2007)
New Revision: 24504

WebSVN: 
http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=24504

Log:
Try to return more useful error information on why a bind failed.
Note that the correct return for a failed alter_context is a fault,
not a bind_nak.

Andrew Bartlett

Modified:
   branches/SAMBA_4_0/source/auth/gensec/schannel.c
   branches/SAMBA_4_0/source/rpc_server/dcerpc_server.c
   branches/SAMBA_4_0/source/rpc_server/dcesrv_auth.c


Changeset:
Modified: branches/SAMBA_4_0/source/auth/gensec/schannel.c
===================================================================
--- branches/SAMBA_4_0/source/auth/gensec/schannel.c    2007-08-17 05:22:58 UTC 
(rev 24503)
+++ branches/SAMBA_4_0/source/auth/gensec/schannel.c    2007-08-17 05:28:39 UTC 
(rev 24504)
@@ -102,6 +102,8 @@
                status = ndr_pull_struct_blob(&in, out_mem_ctx, &bind_schannel, 
                                              
(ndr_pull_flags_fn_t)ndr_pull_schannel_bind);
                if (!NT_STATUS_IS_OK(status)) {
+                       DEBUG(3, ("Could not parse incoming schannel bind: 
%s\n",
+                                 nt_errstr(status)));
                        return status;
                }
                
@@ -119,6 +121,9 @@
                if (!NT_STATUS_IS_OK(status)) {
                        DEBUG(3, ("Could not find session key for attempted 
schannel connection from %s: %s\n",
                                  workstation, nt_errstr(status)));
+                       if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_HANDLE)) {
+                               return NT_STATUS_LOGON_FAILURE;
+                       }
                        return status;
                }
 

Modified: branches/SAMBA_4_0/source/rpc_server/dcerpc_server.c
===================================================================
--- branches/SAMBA_4_0/source/rpc_server/dcerpc_server.c        2007-08-17 
05:22:58 UTC (rev 24503)
+++ branches/SAMBA_4_0/source/rpc_server/dcerpc_server.c        2007-08-17 
05:28:39 UTC (rev 24504)
@@ -620,7 +620,8 @@
        pkt.u.bind_ack.ctx_list[0].syntax = ndr_transfer_syntax;
        pkt.u.bind_ack.auth_info = data_blob(NULL, 0);
 
-       if (!dcesrv_auth_bind_ack(call, &pkt)) {
+       status = dcesrv_auth_bind_ack(call, &pkt);
+       if (!NT_STATUS_IS_OK(status)) {
                return dcesrv_bind_nak(call, 0);
        }
 
@@ -769,8 +770,15 @@
        pkt.u.alter_resp.auth_info = data_blob(NULL, 0);
        pkt.u.alter_resp.secondary_address = "";
 
-       if (!dcesrv_auth_alter_ack(call, &pkt)) {
-               return dcesrv_bind_nak(call, 0);
+       status = dcesrv_auth_alter_ack(call, &pkt);
+       if (!NT_STATUS_IS_OK(status)) {
+               if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)
+                   || NT_STATUS_EQUAL(status, NT_STATUS_LOGON_FAILURE)
+                   || NT_STATUS_EQUAL(status, NT_STATUS_NO_SUCH_USER)
+                   || NT_STATUS_EQUAL(status, NT_STATUS_WRONG_PASSWORD)) {
+                       return dcesrv_fault(call, DCERPC_FAULT_ACCESS_DENIED);
+               }
+               return dcesrv_fault(call, 0);
        }
 
        rep = talloc(call, struct data_blob_list_item);

Modified: branches/SAMBA_4_0/source/rpc_server/dcesrv_auth.c
===================================================================
--- branches/SAMBA_4_0/source/rpc_server/dcesrv_auth.c  2007-08-17 05:22:58 UTC 
(rev 24503)
+++ branches/SAMBA_4_0/source/rpc_server/dcesrv_auth.c  2007-08-17 05:28:39 UTC 
(rev 24504)
@@ -98,13 +98,13 @@
   add any auth information needed in a bind ack, and process the authentication
   information found in the bind.
 */
-BOOL dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct ncacn_packet 
*pkt)
+NTSTATUS dcesrv_auth_bind_ack(struct dcesrv_call_state *call, struct 
ncacn_packet *pkt)
 {
        struct dcesrv_connection *dce_conn = call->conn;
        NTSTATUS status;
 
        if (!call->conn->auth_state.gensec_security) {
-               return True;
+               return NT_STATUS_OK;
        }
 
        status = gensec_update(dce_conn->auth_state.gensec_security,
@@ -117,19 +117,19 @@
                                             
&dce_conn->auth_state.session_info);
                if (!NT_STATUS_IS_OK(status)) {
                        DEBUG(1, ("Failed to establish session_info: %s\n", 
nt_errstr(status)));
-                       return False;
+                       return status;
                }
 
                /* Now that we are authenticated, go back to the generic 
session key... */
                dce_conn->auth_state.session_key = dcesrv_generic_session_key;
-               return True;
+               return NT_STATUS_OK;
        } else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) 
{
                dce_conn->auth_state.auth_info->auth_pad_length = 0;
                dce_conn->auth_state.auth_info->auth_reserved = 0;
-               return True;
+               return NT_STATUS_OK;
        } else {
                DEBUG(2, ("Failed to start dcesrv auth negotiate: %s\n", 
nt_errstr(status)));
-               return False;
+               return status;
        }
 }
 
@@ -223,7 +223,7 @@
   add any auth information needed in a alter ack, and process the 
authentication
   information found in the alter.
 */
-BOOL dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct ncacn_packet 
*pkt)
+NTSTATUS dcesrv_auth_alter_ack(struct dcesrv_call_state *call, struct 
ncacn_packet *pkt)
 {
        struct dcesrv_connection *dce_conn = call->conn;
        NTSTATUS status;
@@ -232,11 +232,11 @@
           setup */
        if (!call->conn->auth_state.auth_info ||
            dce_conn->auth_state.auth_info->credentials.length == 0) {
-               return True;
+               return NT_STATUS_OK;
        }
 
        if (!call->conn->auth_state.gensec_security) {
-               return False;
+               return NT_STATUS_INVALID_PARAMETER;
        }
 
        status = gensec_update(dce_conn->auth_state.gensec_security,
@@ -249,20 +249,20 @@
                                             
&dce_conn->auth_state.session_info);
                if (!NT_STATUS_IS_OK(status)) {
                        DEBUG(1, ("Failed to establish session_info: %s\n", 
nt_errstr(status)));
-                       return False;
+                       return status;
                }
 
                /* Now that we are authenticated, got back to the generic 
session key... */
                dce_conn->auth_state.session_key = dcesrv_generic_session_key;
-               return True;
+               return NT_STATUS_OK;
        } else if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) 
{
                dce_conn->auth_state.auth_info->auth_pad_length = 0;
                dce_conn->auth_state.auth_info->auth_reserved = 0;
-               return True;
+               return NT_STATUS_OK;
        }
 
        DEBUG(2, ("Failed to finish dcesrv auth alter_ack: %s\n", 
nt_errstr(status)));
-       return False;
+       return status;
 }
 
 /*

Reply via email to