CVE-2020-25718 s4-rpc_server: Remove unused attributes in RODC check
authorAndrew Bartlett <abartlet@samba.org>
Thu, 30 Sep 2021 23:29:49 +0000 (12:29 +1300)
committerJule Anger <janger@samba.org>
Mon, 8 Nov 2021 09:52:12 +0000 (10:52 +0100)
In particular the objectGUID is no longer used, and in the NETLOGON case
the special case for msDS-KrbTgtLink does not apply.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
source4/rpc_server/drsuapi/getncchanges.c
source4/rpc_server/netlogon/dcerpc_netlogon.c

index 11a6c93d4cdb081563239861fc8bdb233ea7ab06..3ec5acb5353d3022a7099d7e7624d09415f84919 100644 (file)
@@ -1171,7 +1171,6 @@ static WERROR getncchanges_repl_secret(struct drsuapi_bind_state *b_state,
        const char *rodc_attrs[] = { "msDS-KrbTgtLink",
                                     "msDS-NeverRevealGroup",
                                     "msDS-RevealOnDemandGroup",
-                                    "objectGUID",
                                     "userAccountControl",
                                     NULL };
        const char *obj_attrs[] = { "tokenGroups", "objectSid", "UserAccountControl", "msDS-KrbTgtLinkBL", NULL };
index efdd95b8689beb4a6046e4b82af99b3959543b22..edefdee39ca83f8cc339624b91580b516b293588 100644 (file)
@@ -2845,10 +2845,8 @@ static bool sam_rodc_access_check(struct ldb_context *sam_ctx,
                                  struct dom_sid *user_sid,
                                  struct ldb_dn *obj_dn)
 {
-       const char *rodc_attrs[] = { "msDS-KrbTgtLink",
-                                    "msDS-NeverRevealGroup",
+       const char *rodc_attrs[] = { "msDS-NeverRevealGroup",
                                     "msDS-RevealOnDemandGroup",
-                                    "objectGUID",
                                     "userAccountControl",
                                     NULL };
        const char *obj_attrs[] = { "tokenGroups", "objectSid", "UserAccountControl", "msDS-KrbTgtLinkBL", NULL };
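Review bot: `obj_attrs` in sam_rodc_access_check still requests `msDS-KrbTgtLinkBL`, although this hunk drops `msDS-KrbTgtLink` from `rodc_attrs` because the krbtgt special case does not apply to NETLOGON. If nothing later in the function reads the back-link it could be dropped as well, so the check fetches only the attributes that feed the reveal decision; the function body continues outside the hunk, so this needs confirming against the full source. The same array spells `UserAccountControl` with a capital U while `rodc_attrs` uses `userAccountControl`; attribute names should match case-insensitively, so this is cosmetic, but one spelling makes it easier to audit what the RODC check depends on. Since the two files' lists now differ on purpose, a comment above the arrays such as `/* Only attributes read by the RODC reveal check; msDS-KrbTgtLink is deliberately omitted for NETLOGON */` would stop a later cleanup from re-aligning them.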