1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

s4:kdc: Set require_pac and no-ENC_TS in FAST for new Heimdal import

This allows us to continue to avoid CVE-2020-25719 in particular
and pass our tests for expected FAST behaviour as the patches
we requested by upstream to be conditional, not hard-coded.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
Andrew Bartlett 2021-12-15 12:30:28 +13:00 committed by Joseph Sutton
parent 3dbf967703
commit ba154d62f7

View File

@ -412,6 +412,24 @@ static void kdc_post_fork(struct task_server *task, struct process_details *pd)
kdc_config->force_include_pa_etype_salt = true;
/*
* For Samba CVE-2020-25719 Require PAC to be present
* This instructs Heimdal to match AD behaviour,
* as seen after Microsoft's CVE-2021-42287 when
* PacRequestorEnforcement is set to 2.
*
* Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
* REF: https://support.microsoft.com/en-au/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041
*/
kdc_config->require_pac = true;
/*
* Match Windows and RFC6113 and Windows but break older
* Heimdal clients.
*/
kdc_config->enable_armored_pa_enc_timestamp = false;
/* Register hdb-samba4 hooks for use as a keytab */
kdc->base_ctx = talloc_zero(kdc, struct samba_kdc_base_context);