mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
s4:kdc: Set require_pac and no-ENC_TS in FAST for new Heimdal import
This allows us to continue to avoid CVE-2020-25719 in particular and pass our tests for expected FAST behaviour as the patches we requested by upstream to be conditional, not hard-coded. NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN! Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
parent
3dbf967703
commit
ba154d62f7
@ -412,6 +412,24 @@ static void kdc_post_fork(struct task_server *task, struct process_details *pd)
|
||||
|
||||
kdc_config->force_include_pa_etype_salt = true;
|
||||
|
||||
/*
|
||||
* For Samba CVE-2020-25719 Require PAC to be present
|
||||
* This instructs Heimdal to match AD behaviour,
|
||||
* as seen after Microsoft's CVE-2021-42287 when
|
||||
* PacRequestorEnforcement is set to 2.
|
||||
*
|
||||
* Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
|
||||
* REF: https://support.microsoft.com/en-au/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041
|
||||
*/
|
||||
|
||||
kdc_config->require_pac = true;
|
||||
|
||||
/*
|
||||
* Match Windows and RFC6113 and Windows but break older
|
||||
* Heimdal clients.
|
||||
*/
|
||||
kdc_config->enable_armored_pa_enc_timestamp = false;
|
||||
|
||||
/* Register hdb-samba4 hooks for use as a keytab */
|
||||
|
||||
kdc->base_ctx = talloc_zero(kdc, struct samba_kdc_base_context);
|
||||
|
Loading…
Reference in New Issue
Block a user