14802 – need to check 'winbind use default domain' still works and is secure

Bug 14802 - need to check 'winbind use default domain' still works and is secure

Summary: need to check 'winbind use default domain' still works and is secure

Status:	RESOLVED FIXED

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	File services (show other bugs)
Version:	4.15.0rc2
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Samba QA Contact
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:	CVE-2020-25717
Blocks:
	Show dependency tree / graph

Reported:	2021-08-18 10:29 UTC by Andrew Bartlett
Modified:	2022-06-26 22:38 UTC (History)
CC List:	1 user (show)

See Also:	CVE-2020-25717

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andrew Bartlett 2021-08-18 10:29:52 UTC

the 'winbind use default domain' option is both unloved and places domain usernames in the same namespace as local users.  We need to check that an attacker with control over names in the samAccountName can't force a domain PAC-based kerberos ticket to map to a local user.

Comment 1 Andrew Bartlett 2021-11-03 04:10:54 UTC

This codepath now closely mirrors the NTLM codepath so should now be secure in the security patch set.

Opening this bug to vendors.

Comment 2 Andrew Bartlett 2022-06-26 22:37:35 UTC

The PAC-based lookup for a username only looks up DOMAIN\user by default, which is always an alias even if 'winbind use default domain = yes' is set, so this isn't a problem now bug 14556 (CVE-2020-25717) is fixed