s4:kdc: Set require_pac and no-ENC_TS in FAST for new Heimdal import
author Andrew Bartlett <abartlet@samba.org>
Tue, 14 Dec 2021 23:30:28 +0000 (12:30 +1300)
committer Joseph Sutton <jsutton@samba.org>
Wed, 19 Jan 2022 20:50:35 +0000 (20:50 +0000)
This allows us to continue to avoid CVE-2020-25719 in particular
and pass our tests for expected FAST behaviour as the patches
we requested by upstream to be conditional, not hard-coded.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
source4/kdc/kdc-heimdal.c

index c05380f08419071723e41c5cdb8ec573a4418803..2abb5eab9253e6f78e7b862b3a06ab7a35774bd4 100644 (file)
@@ -412,6 +412,24 @@ static void kdc_post_fork(struct task_server *task, struct process_details *pd)
 
        kdc_config->force_include_pa_etype_salt = true;
 
+       /*
+        * For Samba CVE-2020-25719 Require PAC to be present
+        * This instructs Heimdal to match AD behaviour,
+        * as seen after Microsoft's CVE-2021-42287 when
+        * PacRequestorEnforcement is set to 2.
+        *
+        * Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
+        * REF: https://support.microsoft.com/en-au/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041
+        */
+
+       kdc_config->require_pac = true;
+
+       /*
+        * Match Windows and RFC6113 and Windows but break older
+        * Heimdal clients.
+        */
+       kdc_config->enable_armored_pa_enc_timestamp = false;
+
        /* Register hdb-samba4 hooks for use as a keytab */
 
        kdc->base_ctx = talloc_zero(kdc, struct samba_kdc_base_context);
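Review bot: the comment above `kdc_config->enable_armored_pa_enc_timestamp = false;` repeats "Windows" ("Match Windows and RFC6113 and Windows but break older Heimdal clients"); suggest "Match Windows and RFC 6113, but break older Heimdal clients." so it reads cleanly. Two smaller points in the same hunk: the blank line between the closing `*/` of the CVE-2020-25719 comment and `kdc_config->require_pac = true;` separates the comment from the one statement it documents, so drop it to match the style of the `enable_armored_pa_enc_timestamp` block immediately below; and since the commit message states this change will not compile on its own, a one-line note in the comment that `require_pac` and `enable_armored_pa_enc_timestamp` are fields provided by the new Heimdal import would help anyone bisecting through this commit.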