From b0ebabd95886892a7f1bca6f5a71fa29fb520dc9 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero
Date: Fri, 5 Nov 2021 13:51:33 +0100
Subject: [PATCH] CVE-2020-25717: s3:auth: Always require a PAC in domain mode AD domains always provide a PAC unless UF_NO_AUTH_DATA_REQUIRED is set on the service account, which can only be explicitly configured, but that's an invalid configuration! We still try to support standalone servers in an MIT realm, as legacy setup.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Samuel Cabrero
---
 source3/auth/user_krb5.c | 17 ++++++++++++-----
 source3/smbd/sesssetup.c | 8 ++++++++
 source3/smbd/smb2_sesssetup.c | 7 +++++++
 source3/utils/ntlm_auth.c | 9 +++++++++
 4 files changed, 36 insertions(+), 5 deletions(-)
diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
index e52149afd7e..06ee8628e0c 100644
--- a/source3/auth/user_krb5.c
+++ b/source3/auth/user_krb5.c
@@ -213,16 +213,23 @@ NTSTATUS make_server_info_krb5(TALLOC_CTX *mem_ctx,
 }
 } else {
- /*
- * We didn't get a PAC, we have to make up the user
- * ourselves. Try to ask the pdb backend to provide
- * SID consistency with ntlmssp session setup
- */
 struct samu *sampass;
 /* The stupid make_server_info_XX functions here don't take a talloc context. */
 struct auth_serversupplied_info *tmp = NULL;
+ if (lp_server_role() != ROLE_STANDALONE) {
+ status = NT_STATUS_ACCESS_DENIED;
+ DEBUG(2, ("make_server_info_krb5: Kerberos ticket "
+ "has no PAC: %s\n", nt_errstr(status)));
+ return status;
+ }
+
+ /*
+ * We didn't get a PAC, we have to make up the user
+ * ourselves. Try to ask the pdb backend to provide
+ * SID consistency with ntlmssp session setup
+ */
 sampass = samu_new(talloc_tos());
 if (sampass == NULL) {
 return NT_STATUS_NO_MEMORY;
diff --git a/source3/smbd/sesssetup.c b/source3/smbd/sesssetup.c
index 75c2a1551d1..9e4370539df 100644
--- a/source3/smbd/sesssetup.c
+++ b/source3/smbd/sesssetup.c
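Review bot: The refusal added to make_server_info_krb5 in source3/auth/user_krb5.c is logged with `DEBUG(2, ...)`, so at Samba's default log level a PAC-less ticket rejected in domain mode leaves no trace, and that rejection is the event an operator watching for CVE-2020-25717 abuse needs to see. I would log it at level 1 or lower, e.g. `DEBUG(1, ("make_server_info_krb5: Kerberos ticket has no PAC: %s\n", nt_errstr(status)));`, and include the principal or user name if one is in scope here, as the other three hunks do; the same level-2 logging appears in sesssetup.c, smb2_sesssetup.c and ntlm_auth.c. This path also returns NT_STATUS_ACCESS_DENIED while the two smbd callers use NT_STATUS_NO_IMPERSONATION_TOKEN for the same condition, which is worth aligning or explaining in a comment. The function starts and ends outside the hunk.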
@@ -345,6 +345,14 @@ static void reply_spnego_kerberos(struct smb_request *req,
 return;
 }
+ if (lp_server_role() != ROLE_STANDALONE && logon_info == NULL) {
+ DEBUG(2, ("Unable to find PAC in ticket from %s, failing "
+ "to allow access\n", principal));
+ ret = NT_STATUS_NO_IMPERSONATION_TOKEN;
+ reply_nterror(req, nt_status_squash(ret));
+ return;
+ }
+
 ret = get_user_from_kerberos_info(talloc_tos(), sconn->client_id.name, principal, logon_info,
diff --git a/source3/smbd/smb2_sesssetup.c b/source3/smbd/smb2_sesssetup.c
index 1f48e332e85..0673e498867 100644
--- a/source3/smbd/smb2_sesssetup.c
+++ b/source3/smbd/smb2_sesssetup.c
@@ -207,6 +207,13 @@ static NTSTATUS smbd_smb2_session_setup_krb5(struct smbd_smb2_session *session,
 goto fail;
 }
+ if (lp_server_role() != ROLE_STANDALONE && logon_info == NULL) {
+ DEBUG(2, ("Unable to find PAC in ticket from %s, failing "
+ "to allow access\n", principal));
+ status = NT_STATUS_NO_IMPERSONATION_TOKEN;
+ goto fail;
+ }
+
 status = get_user_from_kerberos_info(talloc_tos(), smb2req->sconn->client_id.name, principal, logon_info,
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 73f41a7fe66..84119afbc12 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -1530,6 +1530,15 @@ static void manage_gss_spnego_request(struct ntlm_auth_state *state,
 if (NT_STATUS_IS_OK(status)) {
+ if (lp_server_role() != ROLE_STANDALONE && logon_info == NULL) {
+ DEBUG(2, ("Unable to find PAC in ticket from %s, failing "
+ "to allow access\n", principal));
+ x_fprintf(x_stdout, "BH Unable to find PAC "
+ "in ticket from %s, failing "
+ "to allow access\n", principal);
+ return;
+ }
+
 domain = strchr_m(principal, '@');
 if (domain == NULL) {
--
2.33.1
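Review bot: The new early exit in reply_spnego_kerberos (source3/smbd/sesssetup.c) calls only `reply_nterror()` before `return;`, whereas the equivalent check in smb2_sesssetup.c leaves through `goto fail;`. The function body continues outside the hunk, so it is not visible here whether buffers or talloc contexts obtained while verifying the ticket are still live at this point. If they are, this path should release them the same way the function's other error exits do, otherwise each rejected PAC-less session setup leaves them allocated, and a client can repeat that request at will.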
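Review bot: The condition `lp_server_role() != ROLE_STANDALONE && logon_info == NULL` in smbd_smb2_session_setup_krb5 carries no comment, and the reason standalone servers are exempt (legacy MIT-realm setups, per the commit message) cannot be read from the code. I would add `/* Outside standalone mode a ticket without a PAC is never acceptable; standalone is kept for legacy MIT realms. */` above it here and at the copies in sesssetup.c and ntlm_auth.c. Since the same test and message now live in three callers plus make_server_info_krb5, a small shared helper would keep the copies from drifting apart. The function starts and ends outside the hunk.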
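Review bot: The rejection added to manage_gss_spnego_request answers with a `BH` line, which helper callers conventionally read as a helper failure rather than a denied authentication. If the consumers of this helper distinguish the two, an `NA` reply would describe a ticket refused for lacking a PAC more accurately; confirm against the reply codes used in the rest of this function, which lies outside the hunk. The bare `return;` inside the `if (NT_STATUS_IS_OK(status))` block also skips any cleanup that follows it, so check that this path frees what the normal path frees.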