Don't sign NTP packets to disabled accounts
authorAndrew Bartlett <abartlet@samba.org>
Wed, 18 Jun 2008 23:34:04 +0000 (09:34 +1000)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 18 Jun 2008 23:34:04 +0000 (09:34 +1000)
(As this would allow an offline attack on their password)

Andrew Bartlett

source/ntp_signd/ntp_signd.c

index fdd97e475c17e5d148ccab663bb66262ce12e712..c1ac7dbcf4338e52dff72ba9eaf572ce0f400316 100644 (file)
@@ -123,9 +123,10 @@ static NTSTATUS ntp_signd_recv(void *private, DATA_BLOB wrapped_input)
        struct signed_reply signed_reply;
        enum ndr_err_code ndr_err;
        struct ldb_result *res;
-       const char *attrs[] = { "unicodePwd", NULL };
+       const char *attrs[] = { "unicodePwd", "userAccountControl", NULL };
        struct MD5Context ctx;
        struct samr_Password *nt_hash;
+       uint32_t user_account_control;
        int ret;
 
        NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
@@ -184,6 +185,14 @@ static NTSTATUS ntp_signd_recv(void *private, DATA_BLOB wrapped_input)
                return signing_failure(ntp_signdconn, sign_request.packet_id);
        }
 
+       user_account_control = ldb_msg_find_attr_as_uint(res->msgs[0], "userAccountControl", 0);
+
+       if (user_account_control & UF_ACCOUNTDISABLE) {
+               DEBUG(1, ("Account for SID [%s] is disabled\n", dom_sid_string(tmp_ctx, sid)));
+               talloc_free(tmp_ctx);
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
        nt_hash = samdb_result_hash(tmp_ctx, res->msgs[0], "unicodePwd");
        if (!nt_hash) {
                DEBUG(1, ("No unicodePwd found on record of SID %s for NTP signing\n", dom_sid_string(tmp_ctx, sid)));
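Review bot: The disabled-account branch at lines 31–35 returns NT_STATUS_ACCESS_DENIED without answering the requester, whereas the lookup-failure path visible just above it at line 26 replies with signing_failure(ntp_signdconn, sign_request.packet_id); if that reply is what the NTP daemon waits on, a request for a disabled account presumably leaves it waiting for a timeout instead of receiving a clean refusal. Unless the caller of ntp_signd_recv turns a non-OK status into a reply (not visible here), the new branch should mirror its neighbour: `talloc_free(tmp_ctx);` followed by `return signing_failure(ntp_signdconn, sign_request.packet_id);`, keeping whichever of the two is responsible for freeing tmp_ctx consistent with the other failure paths. Separately, the default of 0 passed to ldb_msg_find_attr_as_uint on line 29 fails open: a record with no userAccountControl attribute is treated as enabled and still gets a signature, so a distinguishable default with an explicit refusal for the missing-attribute case would make the check fail closed. A why-comment on the test itself would also help the next reader, e.g. `/* never sign for disabled accounts: a signature keyed on the password would let an attacker check guesses offline */`. The function ntp_signd_recv begins before this hunk and its body continues after it.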