CVE-2022-32744 s4:kdc: Modify HDB plugin to only look up kpasswd principal
author Joseph Sutton <josephsutton@catalyst.net.nz>
Thu, 26 May 2022 04:39:20 +0000 (16:39 +1200)
committer Jule Anger <janger@samba.org>
Sun, 24 Jul 2022 09:42:02 +0000 (11:42 +0200)
commit c0c4b7a4bd229bd36d586faec6249baaba8e7adc
tree 207292f15da485e7b13c7ce0cb0f4f0df0228bc9
parent 997f50c66471071efb8e02d8efbe4bf5d932e7ee
CVE-2022-32744 s4:kdc: Modify HDB plugin to only look up kpasswd principal

This plugin is now only used by the kpasswd service. Thus, ensuring we
only look up the kadmin/changepw principal means we can't be fooled into
accepting tickets for other service principals. We make sure not to
specify a specific kvno, to ensure that we do not accept RODC-issued
tickets.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
[jsutton@samba.org Fixed knownfail conflicts]

[jsutton@samba.org Renamed entry to entry_ex; fixed knownfail conflicts;
 retained knownfail for test_kpasswd_from_rodc which now causes the KDC
 to panic]
selftest/knownfail_heimdal_kdc
source4/kdc/hdb-samba4-plugin.c
source4/kdc/hdb-samba4.c
source4/kdc/kdc-glue.h