
CVE-2020-25719 CVE-2020-25717: auth/gensec: always require a PAC in domain mode (DC or member)

AD domains always include a PAC in the service ticket unless UF_NO_AUTH_DATA_REQUIRED
is set on the service account; that flag can only be set explicitly by an admin,
and for a Samba service account it is an invalid configuration.

We still try to support standalone servers in an MIT realm,
as legacy setup.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

[jsutton@samba.org Removed knownfail entries]
This commit is contained in:
Stefan Metzmacher 2021-10-05 18:11:57 +02:00 committed by Jule Anger
parent e2d5b4d709
commit e2d271cb6b
2 changed files with 23 additions and 8 deletions


@ -25,6 +25,8 @@
#include "auth/gensec/gensec_internal.h"
#include "auth/common_auth.h"
#include "../lib/util/asn1.h"
#include "param/param.h"
#include "libds/common/roles.h"
#undef DBGC_CLASS
#define DBGC_CLASS DBGC_AUTH
@ -48,10 +50,27 @@ NTSTATUS gensec_generate_session_info_pac(TALLOC_CTX *mem_ctx,
session_info_flags |= AUTH_SESSION_INFO_DEFAULT_GROUPS;
if (!pac_blob) {
if (gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {
DEBUG(1, ("Unable to find PAC in ticket from %s, failing to allow access\n",
principal_string));
return NT_STATUS_ACCESS_DENIED;
enum server_role server_role =
lpcfg_server_role(gensec_security->settings->lp_ctx);
/*
* For any domain setup (DC or member) we require having
* a PAC, as the service ticket comes from an AD DC,
* which will always provide a PAC, unless
* UF_NO_AUTH_DATA_REQUIRED is configured for our
* account, but that's just an invalid configuration,
* the admin configured for us!
*
* As a legacy case, we still allow kerberos tickets from an MIT
* realm, but only in standalone mode. In that mode we'll only
* ever accept a kerberos authentication with a keytab file
* being explicitly configured via the 'keytab method' option.
*/
if (server_role != ROLE_STANDALONE) {
DBG_WARNING("Unable to find PAC in ticket from %s, "
"failing to allow access\n",
principal_string);
return NT_STATUS_NO_IMPERSONATION_TOKEN;
}
DBG_NOTICE("Unable to find PAC for %s, resorting to local "
"user lookup\n", principal_string);
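Review bot: The `gensec:require_pac` setting that the removed lines consulted is dropped with no replacement, so a standalone server whose admin had set `require_pac = true` now silently takes the local-user-lookup path on a PAC-less ticket instead of failing closed, and nothing in the change warns about that. If standalone MIT-realm setups are meant to keep a fail-closed knob, the new guard could honor it alongside the role check: `if (server_role != ROLE_STANDALONE || gensec_setting_bool(gensec_security->settings, "gensec", "require_pac", false)) {`; otherwise the removal deserves a sentence in the commit message or release notes so operators know the option is now ignored. The new comment's claim that standalone mode only accepts Kerberos with an explicitly configured `keytab method` is not established by code in this hunk, so it should be stated as the expectation rather than a guarantee. The enclosing function `gensec_generate_session_info_pac` begins before this hunk and continues past it.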


@ -1,4 +0,0 @@
^samba.tests.krb5.test_ccache.samba.tests.krb5.test_ccache.CcacheTests.test_ccache_no_pac
^samba.tests.krb5.test_ldap.samba.tests.krb5.test_ldap.LdapTests.test_ldap_no_pac
^samba.tests.krb5.test_rpc.samba.tests.krb5.test_rpc.RpcTests.test_rpc_no_pac
^samba.tests.krb5.test_smb.samba.tests.krb5.test_smb.SmbTests.test_smb_no_pac