CVE-2020-25717: s3:auth: remove fallbacks in smb_getpwnam()
author Ralph Boehme <slow@samba.org>
Fri, 8 Oct 2021 10:33:16 +0000 (12:33 +0200)
committer Joseph Sutton <josephsutton@catalyst.net.nz>
Wed, 3 Nov 2021 21:09:05 +0000 (10:09 +1300)
commit 39b060eeea6d364c7b7b575fda7a6877ce6e2a9a
tree 4932b45d5f949e416af07600ecff2c18f854c876
parent 651b74b12b9d995f442fd02e90ca0a1ce12d4a52
CVE-2020-25717: s3:auth: remove fallbacks in smb_getpwnam()

So far we tried getpwnam("DOMAIN\account") first and
always did a fallback to getpwnam("account") completely
ignoring the domain part, this just causes problems
as we mix "DOMAIN1\account", "DOMAIN2\account",
and "account"!

As we require a running winbindd for domain member setups
we should no longer do a fallback to just "account" for
users served by winbindd!

For users of the local SAM don't use this code path,
as check_sam_security() doesn't call check_account().

The only case where smb_getpwnam("account") happens is
when map_username() via ("username map [script]") mapped
"DOMAIN\account" to something without '\', but that is
explicitly desired by the admin.

Note: use 'git show -w'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Ralph Boehme <slow@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
selftest/knownfail.d/ktest [new file with mode: 0644]
source3/auth/auth_util.c
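To illustrate the lookup behaviour the commit message describes, here is an added example (not Samba's own code) that models the old "DOMAIN\account" then bare "account" fallback beside the strict lookup, over a constructed stand-in for the passwd database; `fake_getpwnam`, `smb_getpwnam_with_fallback` and `smb_getpwnam_strict` are hypothetical names chosen for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the passwd database: one entry served by
 * winbindd for DOMAIN1 and one unrelated local account with the same
 * bare name. */
struct fake_pw { const char *name; int uid; };
static const struct fake_pw fake_passwd[] = {
    { "DOMAIN1\\alice", 10001 },   /* winbindd-backed domain user */
    { "alice",          1000  },   /* unrelated local account     */
};

/* Hypothetical getpwnam(): returns the uid, or -1 if the name is unknown. */
static int fake_getpwnam(const char *name)
{
    for (size_t i = 0; i < sizeof(fake_passwd) / sizeof(fake_passwd[0]); i++) {
        if (strcmp(fake_passwd[i].name, name) == 0)
            return fake_passwd[i].uid;
    }
    return -1;
}

/* Pre-fix behaviour described in the commit: try "DOMAIN\account" and,
 * on failure, silently retry with the bare "account", dropping the
 * domain part. DOMAIN2\alice therefore resolves to the local "alice". */
static int smb_getpwnam_with_fallback(const char *domain, const char *account)
{
    char full[256];
    snprintf(full, sizeof(full), "%s\\%s", domain, account);
    int uid = fake_getpwnam(full);
    if (uid == -1)
        uid = fake_getpwnam(account);   /* the removed fallback */
    return uid;
}

/* Post-fix behaviour: only the fully qualified name is looked up, so a
 * name from another domain fails instead of mapping to a local user.
 * A name that already lacks a domain (as produced by "username map")
 * is looked up as-is, which is what the admin explicitly configured. */
static int smb_getpwnam_strict(const char *domain, const char *account)
{
    char full[256];
    if (domain == NULL || domain[0] == '\0')
        return fake_getpwnam(account);
    snprintf(full, sizeof(full), "%s\\%s", domain, account);
    return fake_getpwnam(full);
}
```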