CVE-2020-25722 kdc: Do not honour a request for a 3-part SPN (ending in our domain...
authorAndrew Bartlett <abartlet@samba.org>
Mon, 4 Oct 2021 02:18:34 +0000 (15:18 +1300)
committerJule Anger <janger@samba.org>
Mon, 8 Nov 2021 09:52:12 +0000 (10:52 +0100)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
selftest/knownfail_heimdal_kdc
selftest/knownfail_mit_kdc
source4/kdc/db-glue.c

index 4bde0f339775b2273a349df5165cde6a49379987..8bf36faf8edc5dcb2c12c06682d46e99873cc4df 100644 (file)
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_no_auth_data_required_a
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_no_auth_data_required_b
 #
-# SPN tests
-#
-^samba.tests.krb5.spn_tests.samba.tests.krb5.spn_tests.SpnTests.test_spn_3_part_instance_spn_computer
-^samba.tests.krb5.spn_tests.samba.tests.krb5.spn_tests.SpnTests.test_spn_3_part_our_domain_spn_computer
-^samba.tests.krb5.spn_tests.samba.tests.krb5.spn_tests.SpnTests.test_spn_3_part_our_realm_spn_computer
-#
 # KDC TGT tests
 #
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_authdata_no_pac
index b5b131103531168137c936daf7d867be7232d804..b4e819c83dfb103e2a964eebd8fdf13b92fe4259 100644 (file)
@@ -381,12 +381,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.verify-sig-arcfour.fl2008dc
 ^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.verify-sig-arcfour.fl2008r2dc
 #
-# SPN tests
-#
-^samba.tests.krb5.spn_tests.samba.tests.krb5.spn_tests.SpnTests.test_spn_3_part_instance_spn_computer
-^samba.tests.krb5.spn_tests.samba.tests.krb5.spn_tests.SpnTests.test_spn_3_part_our_domain_spn_computer
-^samba.tests.krb5.spn_tests.samba.tests.krb5.spn_tests.SpnTests.test_spn_3_part_our_realm_spn_computer
-#
 # Alias tests
 #
 ^samba.tests.krb5.alias_tests.samba.tests.krb5.alias_tests.AliasTests.test_create_alias_delete
index d55bf1663d467d02c190d12533b930839d81028a..0f19e8d1c933ba6e8f3442bc873ab5e7cd7959fc 100644 (file)
@@ -968,6 +968,29 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
                        entry_ex->entry.flags.server = 0;
                }
        }
+
+       /*
+        * We restrict a 3-part SPN ending in my domain/realm to full
+        * domain controllers.
+        *
+        * This avoids any cases where (eg) a demoted DC still has
+        * these more restricted SPNs.
+        */
+       if (krb5_princ_size(context, principal) > 2) {
+               char *third_part
+                       = smb_krb5_principal_get_comp_string(mem_ctx,
+                                                            context,
+                                                            principal,
+                                                            2);
+               bool is_our_realm =
+                        lpcfg_is_my_domain_or_realm(lp_ctx,
+                                                    third_part);
+               bool is_dc = userAccountControl &
+                       (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT);
+               if (is_our_realm && !is_dc) {
+                       entry_ex->entry.flags.server = 0;
+               }
+       }
        /*
         * To give the correct type of error to the client, we must
         * not just return the entry without .server set, we must
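Review bot: `third_part` is handed to `lpcfg_is_my_domain_or_realm` without a NULL check, although `smb_krb5_principal_get_comp_string` returns NULL when it cannot copy the component (talloc failure); depending on whether that helper tolerates NULL, the new code either dereferences NULL inside it or quietly computes `is_our_realm` as false and leaves `flags.server` set, so the restriction fails open exactly when memory is short. I would treat a NULL `third_part` as an allocation error on the function's existing error return before the `is_our_realm` line, rather than relying on the helper. The talloc'd string is also never released, so a `TALLOC_FREE(third_part);` after the inner `if` would keep it from living as long as `mem_ctx`. The comment says the SPN "ends in" our domain, but the code tests component index 2 regardless of how many components the principal has; if principals with more than three parts are deliberately treated the same way, the comment should say so, otherwise the last component is the one to test. samba_kdc_message2entry begins and ends outside this hunk.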