CVE-2022-2031 s4:kdc: Fix canonicalisation of kadmin/changepw principal
Since this principal goes through the samba_kdc_fetch_server() path, setting the canonicalisation flag would cause the principal to be replaced with the sAMAccountName; this meant requests to kadmin/changepw@REALM would result in a ticket to krbtgt@REALM. Now we properly handle canonicalisation for the kadmin/changepw principal. View with 'git show -b'. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 Pair-Programmed-With: Andreas Schneider <asn@samba.org> Signed-off-by: Andreas Schneider <asn@samba.org> Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
This commit is contained in:
parent
186f0c6e48
commit
c0282bbbc1
@ -1 +0,0 @@
|
||||
^samba4.blackbox.kpasswd.MIT kpasswd.change.user.password
|
@ -57,8 +57,6 @@
|
||||
#
|
||||
# Kpasswd tests
|
||||
#
|
||||
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize.ad_dc
|
||||
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc
|
||||
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc
|
||||
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_lifetime.ad_dc
|
||||
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
|
||||
|
@ -7,25 +7,3 @@
|
||||
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_as_req_self\(
|
||||
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_as_req_self_pac_request_none\(
|
||||
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_as_req_self_pac_request_true\(
|
||||
#
|
||||
# Kpasswd tests
|
||||
#
|
||||
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize.ad_dc
|
||||
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_change.ad_dc
|
||||
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_change_expired_password.ad_dc
|
||||
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_empty.ad_dc
|
||||
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_from_rodc.ad_dc
|
||||
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_initial.ad_dc
|
||||
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize.ad_dc
|
||||
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_seq_number.ad_dc
|
||||
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_non_initial.ad_dc
|
||||
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set.ad_dc
|
||||
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_expired_password.ad_dc
|
||||
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_princ_and_realm_access.ad_dc
|
||||
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_princ_and_realm_no_access.ad_dc
|
||||
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_princ_only.ad_dc
|
||||
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_set_target_realm_only.ad_dc
|
||||
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_lifetime_tgs.ad_dc
|
||||
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_tgs.ad_dc
|
||||
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_too_weak.ad_dc
|
||||
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_wrong_key.ad_dc
|
||||
|
@ -931,6 +931,7 @@ static krb5_error_code samba_kdc_get_entry_principal(
|
||||
const char *samAccountName,
|
||||
enum samba_kdc_ent_type ent_type,
|
||||
unsigned flags,
|
||||
bool is_kadmin_changepw,
|
||||
krb5_const_principal in_princ,
|
||||
krb5_principal *out_princ)
|
||||
{
|
||||
@ -950,46 +951,52 @@ static krb5_error_code samba_kdc_get_entry_principal(
|
||||
* fixed UPPER case realm, but the as-sent username
|
||||
*/
|
||||
|
||||
if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT && canon) {
|
||||
/*
|
||||
* When requested to do so, ensure that the
|
||||
* both realm values in the principal are set
|
||||
* to the upper case, canonical realm
|
||||
*/
|
||||
code = smb_krb5_make_principal(context,
|
||||
out_princ,
|
||||
lpcfg_realm(lp_ctx),
|
||||
"krbtgt",
|
||||
lpcfg_realm(lp_ctx),
|
||||
NULL);
|
||||
if (code != 0) {
|
||||
/*
|
||||
* We need to ensure that the kadmin/changepw principal isn't able to
|
||||
* issue krbtgt tickets, even if canonicalization is turned on.
|
||||
*/
|
||||
if (!is_kadmin_changepw) {
|
||||
if (ent_type == SAMBA_KDC_ENT_TYPE_KRBTGT && canon) {
|
||||
/*
|
||||
* When requested to do so, ensure that the
|
||||
* both realm values in the principal are set
|
||||
* to the upper case, canonical realm
|
||||
*/
|
||||
code = smb_krb5_make_principal(context,
|
||||
out_princ,
|
||||
lpcfg_realm(lp_ctx),
|
||||
"krbtgt",
|
||||
lpcfg_realm(lp_ctx),
|
||||
NULL);
|
||||
if (code != 0) {
|
||||
return code;
|
||||
}
|
||||
smb_krb5_principal_set_type(context,
|
||||
*out_princ,
|
||||
KRB5_NT_SRV_INST);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
if ((canon && flags & (SDB_F_FORCE_CANON|SDB_F_FOR_AS_REQ)) ||
|
||||
(ent_type == SAMBA_KDC_ENT_TYPE_ANY && in_princ == NULL)) {
|
||||
/*
|
||||
* SDB_F_CANON maps from the canonicalize flag in the
|
||||
* packet, and has a different meaning between AS-REQ
|
||||
* and TGS-REQ. We only change the principal in the
|
||||
* AS-REQ case.
|
||||
*
|
||||
* The SDB_F_FORCE_CANON if for new MIT KDC code that
|
||||
* wants the canonical name in all lookups, and takes
|
||||
* care to canonicalize only when appropriate.
|
||||
*/
|
||||
code = smb_krb5_make_principal(context,
|
||||
out_princ,
|
||||
lpcfg_realm(lp_ctx),
|
||||
samAccountName,
|
||||
NULL);
|
||||
return code;
|
||||
}
|
||||
smb_krb5_principal_set_type(context,
|
||||
*out_princ,
|
||||
KRB5_NT_SRV_INST);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
if ((canon && flags & (SDB_F_FORCE_CANON|SDB_F_FOR_AS_REQ)) ||
|
||||
(ent_type == SAMBA_KDC_ENT_TYPE_ANY && in_princ == NULL)) {
|
||||
/*
|
||||
* SDB_F_CANON maps from the canonicalize flag in the
|
||||
* packet, and has a different meaning between AS-REQ
|
||||
* and TGS-REQ. We only change the principal in the
|
||||
* AS-REQ case.
|
||||
*
|
||||
* The SDB_F_FORCE_CANON if for new MIT KDC code that
|
||||
* wants the canonical name in all lookups, and takes
|
||||
* care to canonicalize only when appropriate.
|
||||
*/
|
||||
code = smb_krb5_make_principal(context,
|
||||
out_princ,
|
||||
lpcfg_realm(lp_ctx),
|
||||
samAccountName,
|
||||
NULL);
|
||||
return code;
|
||||
}
|
||||
|
||||
/*
|
||||
@ -1305,6 +1312,7 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
|
||||
samAccountName,
|
||||
ent_type,
|
||||
flags,
|
||||
entry->flags.change_pw,
|
||||
principal,
|
||||
&entry->principal);
|
||||
if (ret != 0) {
|
||||
|
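Review bot: The comment added above `if (!is_kadmin_changepw)` in the `@ -950,46 +951,52 @@` hunk explains only the krbtgt case, yet the guard also wraps the second branch that rebuilds the principal from `samAccountName`, which the commit message names as the path that turned kadmin/changepw requests into krbtgt tickets. I would widen it to: `* The kadmin/changepw entry is fetched through the server path, so canonicalising it would replace the name with the sAMAccountName (or with krbtgt); skip both rewrites for it.` The guard also suppresses the `ent_type == SAMBA_KDC_ENT_TYPE_ANY && in_princ == NULL` branch for a changepw entry, and since samba_kdc_get_entry_principal continues past the end of the hunk it is worth confirming that the fall-through copes with `in_princ == NULL` in that case. Nesting both pre-existing blocks one level deeper (the reason for the 'git show -b' hint) could have been avoided with an early bypass, but that is a style preference.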