sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-21 18:04:06 +03:00
Code

CVE-2022-2031 s4:kdc: Fix canonicalisation of kadmin/changepw principal

Browse Source 
Since this principal goes through the samba_kdc_fetch_server() path,
setting the canonicalisation flag would cause the principal to be
replaced with the sAMAccountName; this meant requests to
kadmin/changepw@REALM would result in a ticket to krbtgt@REALM. Now we
properly handle canonicalisation for the kadmin/changepw principal.

View with 'git show -b'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>

[jsutton@samba.org Adapted entry to entry_ex->entry; removed MIT KDC
 1.20-specific knownfails]
This commit is contained in:
Joseph Sutton 2022-05-18 16:56:01 +12:00 committed by Jule Anger
parent fa4742e1b9
commit 3cab628936
3 changed files with 46 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
selftest/knownfail.d/kadmin_changepw
View File

@ -1 +0,0 @@
^samba4.blackbox.kpasswd.MIT kpasswd.change.user.password

2
selftest/knownfail_heimdal_kdc
View File

@ -274,8 +274,6 @@
#
# Kpasswd tests
#
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc

8
source4/kdc/db-glue.c
View File

@ -830,6 +830,7 @@ static krb5_error_code samba_kdc_get_entry_principal(
const char *samAccountName,
enum samba_kdc_ent_type ent_type,
unsigned flags,
bool is_kadmin_changepw,
krb5_const_principal in_princ,
krb5_principal *out_princ)
{
@ -849,6 +850,11 @@ static krb5_error_code samba_kdc_get_entry_principal(
* fixed UPPER case realm, but the as-sent username
*/
/*
* We need to ensure that the kadmin/changepw principal isn't able to
* issue krbtgt tickets, even if canonicalization is turned on.
*/
if (!is_kadmin_changepw) {
if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT && canon) {
/*
* When requested to do so, ensure that the
@ -890,6 +896,7 @@ static krb5_error_code samba_kdc_get_entry_principal(
NULL);
return code;
}
}
/*
* For a krbtgt entry, this appears to be required regardless of the
@ -1194,6 +1201,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
samAccountName,
ent_type,
flags,
entry_ex->entry.flags.change_pw,
principal,
&entry_ex->entry.principal);
if (ret != 0) {