CVE-2020-25719 mit_samba: The samba_princ_needs_pac check should be on the server...
authorAndreas Schneider <asn@samba.org>
Mon, 9 Aug 2021 15:22:52 +0000 (17:22 +0200)
committerJule Anger <janger@samba.org>
Mon, 8 Nov 2021 09:52:12 +0000 (10:52 +0100)
This performs the same server-principal check that the hdb plugin now does. The corresponding
client check is already done earlier in this function.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/kdc/mit_samba.c

index be6ea83c04201efe4c0234804fa4372d50d740d6..d11e1640ee980b2fe81793c7ac4054af96aa05fa 100644 (file)
@@ -486,6 +486,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
        DATA_BLOB *deleg_blob = NULL;
        struct samba_kdc_entry *client_skdc_entry = NULL;
        struct samba_kdc_entry *krbtgt_skdc_entry = NULL;
+       struct samba_kdc_entry *server_skdc_entry = NULL;
        bool is_in_db = false;
        bool is_untrusted = false;
        size_t num_types = 0;
@@ -499,6 +500,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
        ssize_t srv_checksum_idx = -1;
        ssize_t kdc_checksum_idx = -1;
        krb5_pac new_pac = NULL;
+       bool ok;
 
        if (client != NULL) {
                client_skdc_entry =
@@ -510,6 +512,16 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
                return EINVAL;
        }
 
+       server_skdc_entry =
+               talloc_get_type_abort(server->e_data,
+                                     struct samba_kdc_entry);
+
+       /* The account may be set not to want the PAC */
+       ok = samba_princ_needs_pac(server_skdc_entry);
+       if (!ok) {
+               return EINVAL;
+       }
+
        if (krbtgt == NULL) {
                return EINVAL;
        }
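Review bot: The new `talloc_get_type_abort(server->e_data, ...)` dereferences `server` with no NULL check, while the same function guards `client` with `if (client != NULL)` just above and `krbtgt` with `if (krbtgt == NULL) return EINVAL;` just below; unless `server` is validated earlier in mit_samba_reget_pac (its start lies outside this hunk), a NULL server would crash the KDC rather than fail the request. I would add `if (server == NULL) { return EINVAL; }` ahead of the new lookup, mirroring the krbtgt check. Also, talloc_get_type_abort() aborts the process instead of returning an error when e_data is NULL or of another type, so this presumes every caller populates server->e_data; that assumption and why refusing is the right outcome deserve a line in the comment, e.g. `/* The target service account may be flagged not to want a PAC; refuse the request rather than re-sign one for it. */`.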