Bug 14802 - need to check 'winbind use default domain' still works and is secure
Summary: need to check 'winbind use default domain' still works and is secure
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services (show other bugs)
Version: 4.15.0rc2
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Depends on: CVE-2020-25717
  Show dependency treegraph
Reported: 2021-08-18 10:29 UTC by Andrew Bartlett
Modified: 2022-06-26 22:38 UTC (History)
1 user (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Andrew Bartlett 2021-08-18 10:29:52 UTC
the 'winbind use default domain' option is both unloved and places domain usernames in the same namespace as local users.  We need to check that an attacker with control over names in the samAccountName can't force a domain PAC-based kerberos ticket to map to a local user.
Comment 1 Andrew Bartlett 2021-11-03 04:10:54 UTC
This codepath now closely mirrors the NTLM codepath so should now be secure in the security patch set.

Opening this bug to vendors.
Comment 2 Andrew Bartlett 2022-06-26 22:37:35 UTC
The PAC-based lookup for a username only looks up DOMAIN\user by default, which is always an alias even if 'winbind use default domain = yes' is set, so this isn't a problem now bug 14556 (CVE-2020-25717) is fixed