CVE-2020-25722 s4/dsdb/samldb: check for clashes in UPNs/samaccountnames
author Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Fri, 22 Oct 2021 00:17:34 +0000 (13:17 +1300)
committer Jule Anger <janger@samba.org>
Mon, 8 Nov 2021 09:52:11 +0000 (10:52 +0100)
commit 4439ac7bb6e8fcb1610fa94923c3daaed3e4c958
tree 572bb2cebb717c6a4f9cc886a0e1c86c69785c08
parent 90957fba9ff7e4653e24912ae584078e43559e5d
CVE-2020-25722 s4/dsdb/samldb: check for clashes in UPNs/samaccountnames

We already know duplicate sAMAccountNames and UserPrincipalNames are bad,
but we also have to check against the values these imply in each other.

For example, imagine users with SAM account names "Alice" and "Bob" in
the realm "example.com". If they do not have explicit UPNs, by the logic
of MS-ADTS 5.1.1.1.1 they use the implicit UPNs "alice@example.com" and
"bob@example.com", respectively. If Bob's UPN gets set to
"alice@example.com", it will clash with Alice's implicit one.

Therefore we refuse to allow a UPN that implies an existing SAM account
name and vice versa.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
selftest/knownfail.d/ldap_upn_sam_account
source4/dsdb/samdb/ldb_modules/samldb.c
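The clash rule the commit message describes, as an added stand-alone illustration (not Samba's samldb.c code): an account's implied UPN is its sAMAccountName plus "@" plus the realm, so a proposed UPN is refused when it equals another account's explicit UPN or the UPN another account's sAMAccountName implies, and a proposed sAMAccountName is refused when it duplicates another name or implies a UPN another account already holds. The realm, the three accounts and the function names are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX) */
/* Constructed sample directory (hypothetical): one realm, three accounts. */
struct user { const char *sam; const char *upn; };   /* upn == NULL: none set */
static const char *REALM = "example.com";
static const struct user USERS[] = {
    { "alice", NULL },                    /* implicit UPN alice@example.com */
    { "bob",   NULL },                    /* implicit UPN bob@example.com */
    { "carol", "carol.c@example.com" },   /* explicit UPN */
};
#define NUSERS (sizeof USERS / sizeof USERS[0])
/* If upn is "<name>@<our realm>", copy <name> into buf and return true.
 * AD treats these names case-insensitively, so every comparison here does. */
static bool upn_local_part(const char *upn, char *buf, size_t cap)
{
    const char *at = strrchr(upn, '@');
    if (at == NULL || at == upn || (size_t)(at - upn) >= cap) return false;
    if (strcasecmp(at + 1, REALM) != 0) return false;   /* foreign realm */
    snprintf(buf, cap, "%.*s", (int)(at - upn), upn);
    return true;
}
/* Would giving account `self` (NULL for a new object) the UPN `upn` clash with
 * another account's explicit UPN, or with the UPN its sAMAccountName implies? */
bool upn_clashes(const char *self, const char *upn)
{
    char local[256];
    bool ours = upn_local_part(upn, local, sizeof local);
    for (size_t i = 0; i < NUSERS; i++) {
        if (self && strcasecmp(USERS[i].sam, self) == 0) continue;  /* skip self */
        if (USERS[i].upn && strcasecmp(USERS[i].upn, upn) == 0) return true;
        if (ours && strcasecmp(USERS[i].sam, local) == 0) return true;
    }
    return false;
}
/* The converse: would sAMAccountName `sam` duplicate another account's name,
 * or imply a UPN that another account already holds explicitly? */
bool sam_clashes(const char *self, const char *sam)
{
    char implied[256];
    snprintf(implied, sizeof implied, "%s@%s", sam, REALM);
    for (size_t i = 0; i < NUSERS; i++) {
        if (self && strcasecmp(USERS[i].sam, self) == 0) continue;
        if (strcasecmp(USERS[i].sam, sam) == 0) return true;
        if (USERS[i].upn && strcasecmp(USERS[i].upn, implied) == 0) return true;
    }
    return false;
}
```

With the sample data, setting Bob's UPN to "alice@example.com" is refused because it implies Alice's sAMAccountName, while "bob@example.com" (his own implied UPN) is accepted.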