Bug 15253 - RODC doesn't reset badPwdCount reliable via an RWDC (CVE-2021-20251 regression)
Summary: RODC doesn't reset badPwdCount reliable via an RWDC (CVE-2021-20251 regression)
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.17.3
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Stefan Metzmacher
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on: CVE-2021-20251
Blocks: 15238
  Show dependency treegraph
 
Reported: 2022-11-22 13:00 UTC by Stefan Metzmacher
Modified: 2022-12-15 16:34 UTC (History)
3 users (show)

See Also:


Attachments
Patch for v4-17-test (8.92 KB, text/plain)
2022-12-07 19:38 UTC, Stefan Metzmacher
abartlet: review+
Details
Patch for v4-16-test (8.92 KB, text/plain)
2022-12-07 19:39 UTC, Stefan Metzmacher
abartlet: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Metzmacher 2022-11-22 13:00:15 UTC
[33(192)/67 at 5m2s] samba4.ldap.rodc_rwdc.python(rodc)(rodc:local) fails randomly

This happens after commit 7b8e32efc336fb728e0c7e3dd6fbe2ed54122124
("CVE-2021-20251 auth4: Reread the user record if a bad password is noticed.")

We may read the objeGUID for the account from already free'ed memory
and may send the wrong objectGUID to the RWDC...
Comment 1 Samba QA Contact 2022-11-24 12:06:28 UTC
This bug was referenced in samba master:

1414269dccfd7cb831889cc92df35920b034457c
73ec7253139cf4704135ec7abfa6a669e158fddc
44192d5f2cae2350d7de109690799dea1a2a2e16
Comment 2 Stefan Metzmacher 2022-12-07 19:38:37 UTC
Created attachment 17681 [details]
Patch for v4-17-test
Comment 3 Stefan Metzmacher 2022-12-07 19:39:27 UTC
Created attachment 17682 [details]
Patch for v4-16-test
Comment 4 Samba QA Contact 2022-12-12 13:39:04 UTC
This bug was referenced in samba v4-17-test:

8578a24c288a95619f1a74c4aecc8753b96e149b
Comment 5 Samba QA Contact 2022-12-12 15:53:10 UTC
This bug was referenced in samba v4-16-test:

a1136ed2e05a2adca83a57a0402a165de631be58
Comment 6 Stefan Metzmacher 2022-12-12 15:55:02 UTC
Pushed to v4-{16,17}-test
Comment 7 Samba QA Contact 2022-12-15 16:33:54 UTC
This bug was referenced in samba v4-16-stable (Release samba-4.16.8):

a1136ed2e05a2adca83a57a0402a165de631be58
Comment 8 Samba QA Contact 2022-12-15 16:34:31 UTC
This bug was referenced in samba v4-17-stable (Release samba-4.17.4):

8578a24c288a95619f1a74c4aecc8753b96e149b