CVE-2020-25718 kdc: Return ERR_POLICY if RODC krbtgt account is invalid

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 7d0597fa2790ffeef08b0f7715d07f6c0a3047f8..5b6fb0ddf692fa474fe7e5cc2528d51fd08d4107 100644 (file)
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -265,16 +265,10 @@
 # KDC TGT tests
 #
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_authdata_no_pac
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_no_krbtgt_link
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_no_partial_secrets
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_not_revealed
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_authdata_no_pac
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_no_krbtgt_link
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_no_partial_secrets
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_not_revealed
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_authdata_no_pac
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_no_krbtgt_link
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_no_partial_secrets
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_not_revealed
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_upn_dns_info_ex_mac
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_upn_dns_info_ex_upn_mac
@@ -307,8 +301,6 @@
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_sname_krbtgt
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_srealm
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_authdata_no_pac
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_no_krbtgt_link
-^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_no_partial_secrets
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_not_revealed
 #
 # PAC request tests

diff --git a/source4/dsdb/common/rodc_helper.c b/source4/dsdb/common/rodc_helper.c
index 1cd644c6def05587a6a4c3198f72a2b8eb1bf709..e81ecef79c0272b826e1b135e4864261b85815c6 100644 (file)
--- a/source4/dsdb/common/rodc_helper.c
+++ b/source4/dsdb/common/rodc_helper.c
@@ -176,7 +176,7 @@ WERROR samdb_confirm_rodc_allowed_to_repl_to_sid_list(struct ldb_context *sam_ct
                DBG_ERR("Attempt to use an RODC account that is not an RODC: %s\n",
                        ldb_dn_get_linearized(rodc_msg->dn));
                TALLOC_FREE(frame);
-               return WERR_DS_DRA_SECRETS_DENIED;
+               return WERR_DOMAIN_CONTROLLER_NOT_FOUND;
        }
 
        werr = samdb_result_sid_array_dn(sam_ctx, rodc_msg,

diff --git a/source4/kdc/pac-glue.c b/source4/kdc/pac-glue.c
index c94e4f08e76ca53d632fee5396868c3e10d0e5c8..cb0a923fc2d8417bb1c2c532d92cce8946d4878b 100644 (file)
--- a/source4/kdc/pac-glue.c
+++ b/source4/kdc/pac-glue.c
@@ -1141,7 +1141,7 @@ WERROR samba_rodc_confirm_user_is_allowed(uint32_t num_object_sids,
                DBG_ERR("krbtgt account %s has no msDS-KrbTgtLinkBL to find RODC machine account for allow/deny list\n",
                        ldb_dn_get_linearized(rodc->msg->dn));
                TALLOC_FREE(frame);
-               return WERR_DS_DRA_BAD_DN;
+               return WERR_DOMAIN_CONTROLLER_NOT_FOUND;
        }
 
        /*
@@ -1166,7 +1166,7 @@ WERROR samba_rodc_confirm_user_is_allowed(uint32_t num_object_sids,
                        ldb_dn_get_linearized(rodc->msg->dn),
                        ldb_errstring(rodc->kdc_db_ctx->samdb));
                TALLOC_FREE(frame);
-               return WERR_DS_DRA_BAD_DN;
+               return WERR_DOMAIN_CONTROLLER_NOT_FOUND;
        }
 
        if (rodc_machine_account->count != 1) {

diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c
index 715070181207ab6abeae0eb67edbfebd02ebbfea..c9bf5dd9cf57afe1cb4b69077cba40d803f1ade7 100644 (file)
--- a/source4/kdc/wdc-samba4.c
+++ b/source4/kdc/wdc-samba4.c
@@ -276,7 +276,11 @@ static krb5_error_code samba_wdc_reget_pac2(krb5_context context,
                                                          client_skdc_entry);
                if (!W_ERROR_IS_OK(werr)) {
                        talloc_free(mem_ctx);
-                       return KRB5KDC_ERR_TGT_REVOKED;
+                       if (W_ERROR_EQUAL(werr, WERR_DOMAIN_CONTROLLER_NOT_FOUND)) {
+                               return KRB5KDC_ERR_POLICY;
+                       } else {
+                               return KRB5KDC_ERR_TGT_REVOKED;
+                       }
                }
        }