git.samba.org - samba.git/commit

author	Ralph Boehme <slow@samba.org>
	Fri, 8 Oct 2021 10:33:16 +0000 (12:33 +0200)
committer	Jule Anger <janger@samba.org>
	Tue, 9 Nov 2021 19:45:33 +0000 (19:45 +0000)
commit	8f79ee99a6a3390ccb409ac1b5f543488e7bd784
tree	496fae6708a2084059f15ddeb69b9e1243b576c7	tree
parent	dd0423bfbbce2d9f1f8a62c21cf612e5c755b616	commit \| diff

CVE-2020-25717: s3:auth: remove fallbacks in smb_getpwnam()

So far we tried getpwnam("DOMAIN\account") first and
always did a fallback to getpwnam("account") completely
ignoring the domain part, this just causes problems
as we mix "DOMAIN1\account", "DOMAIN2\account",
and "account"!

As we require a running winbindd for domain member setups
we should no longer do a fallback to just "account" for
users served by winbindd!

For users of the local SAM don't use this code path,
as check_sam_security() doesn't call check_account().

The only case where smb_getpwnam("account") happens is
when map_username() via ("username map [script]") mapped
"DOMAIN\account" to something without '\', but that is
explicitly desired by the admin.

Note: use 'git show -w'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

selftest/knownfail.d/ktest	[new file with mode: 0644]	blob
source3/auth/auth_util.c		diff \| blob \| history