The Samba-Bugzilla – Attachment 17047 Details for Bug 14922: Kerberos authentication on standalone server in MIT realm broken
Patches for v4-13-test
tmp413.diff.txt (text/plain), 2.00 KB, created by Stefan Metzmacher on 2021-12-07 10:22:32 UTC
>From fde6df1ccee90982da82642f451b58bbc4bb0e6b Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Fri, 26 Nov 2021 10:57:17 +0100 >Subject: [PATCH] CVE-2020-25717: s3-auth: fix MIT Realm regression > >This looks like a regression introduced by the recent security fixes. This >commit should hopefully fixes it. > >As a quick solution it might be possible to use the username map script based on >the example in https://bugzilla.samba.org/show_bug.cgi?id=14901#c0. We're not >sure this behaves identical, but it might work in the standalone server case. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14922 > >Reported-at: https://lists.samba.org/archive/samba/2021-November/238720.html > >Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> > >Signed-off-by: Ralph Boehme <slow@samba.org> >Signed-off-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 1e61de8306604a0d3858342df8a1d2412d8d418b) >--- > source3/auth/user_krb5.c | 9 +++++++++ > 1 file changed, 9 insertions(+) > >diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c >index b8f37cbeee05..169bf563368f 100644 >--- a/source3/auth/user_krb5.c >+++ b/source3/auth/user_krb5.c >@@ -46,6 +46,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, > char *fuser = NULL; > char *unixuser = NULL; > struct passwd *pw = NULL; >+ bool may_retry = false; > > DEBUG(3, ("Kerberos ticket principal name is [%s]\n", princ_name)); > >@@ -71,6 +72,7 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, > domain = realm; > } else { > domain = lp_workgroup(); >+ may_retry = true; > } > > fuser = talloc_asprintf(mem_ctx, 
>@@ -89,6 +91,13 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx, > *mapped_to_guest = false; > > pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true); >+ if (may_retry && pw == NULL && !*is_mapped) { >+ fuser = talloc_strdup(mem_ctx, user); >+ if (!fuser) { >+ return NT_STATUS_NO_MEMORY; >+ } >+ pw = smb_getpwnam(mem_ctx, fuser, &unixuser, true); >+ } > if (pw) { > if (!unixuser) { > return NT_STATUS_NO_MEMORY; >-- >2.25.1 >
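Review bot: In the hunk at `@@ -71,6 +72,7 @@`, `may_retry = true` is set in the `else` branch beside `domain = lp_workgroup()` with no comment saying which configurations reach that branch. The commit message limits the regression to a standalone server in an MIT realm, but the condition guarding this `else` is outside the visible context, so a reader cannot tell from the patch whether the retry is enabled only in that case. I'd add a one-line comment at the assignment naming the case it is meant for, so a later change to the surrounding `if` does not silently widen where the fallback lookup applies.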
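Review bot: In the hunk at `@@ -89,6 +91,13 @@`, the retry block after the first `smb_getpwnam()` call carries neither a comment nor a debug message, so nothing records that the lookup fell back from the domain-qualified `fuser` to the bare `user`. Given that the subject ties this change to CVE-2020-25717, I'd add a short comment explaining why the unqualified lookup is acceptable when `may_retry` is set and `*is_mapped` is false, plus a DEBUG line at the fallback so the behaviour can be audited from logs. Two smaller points: the first `fuser` is overwritten by `talloc_strdup()` without being freed (it stays on `mem_ctx`, so this is harmless, but a `TALLOC_FREE(fuser)` before the reassignment would be tidier), and the diffstat shows only `source3/auth/user_krb5.c` changed, so no regression test covers the new path.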
Flags: slow: review+