s4:kdc: Make RBCD access check less strict
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Sun, 1 May 2022 22:50:33 +0000 (10:50 +1200)
committerAndreas Schneider <asn@cryptomilk.org>
Tue, 14 Jun 2022 15:38:23 +0000 (15:38 +0000)
Windows' KDC only requires SEC_ADS_CONTROL_ACCESS (rather than the SEC_ADS_GENERIC_ALL we previously demanded) for the RBCD access check to pass, so match that to avoid rejecting delegations Windows would accept.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Jun 14 15:38:23 UTC 2022 on sn-devel-184

python/samba/tests/krb5/kdc_base_test.py
source4/kdc/db-glue.c

index 22db004f879e47fe4f93f260974d5900c6cc2868..d9efde8273a8302cf4c226bc105f5b4a08645060 100644 (file)
@@ -363,7 +363,7 @@ class KDCBaseTest(RawKerberosTest):
         owner_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
 
         ace = security.ace()
-        ace.access_mask = security.SEC_ADS_GENERIC_ALL
+        ace.access_mask = security.SEC_ADS_CONTROL_ACCESS
 
         ace.trustee = security.dom_sid(sid)
 
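Review bot: Narrowing the test ACE to SEC_ADS_CONTROL_ACCESS at L23 pins only the positive case; nothing visible in this hunk asserts that an ACE whose mask lacks that bit (a mask built only from read rights, say) is still rejected by the KDC, and that negative assertion is what guards against the check being loosened further later. The enclosing method of KDCBaseTest starts before the hunk, so its parameters are not visible here; if the mask is not already caller-controlled, consider an `access_mask=security.SEC_ADS_CONTROL_ACCESS` keyword argument so a sibling test can build the same descriptor with a non-matching mask and expect a failed S4U2Proxy request. The owner at L19 stays BUILTIN_ADMINISTRATORS, which is fine for the positive case but should be noted as not exercising owner-based implicit rights.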
index 6965ca685630af1469c1908754465d20d03c4cd5..172a34194c69dd48df842a18c87d6c6c0392bb97 100644 (file)
@@ -3039,7 +3039,12 @@ krb5_error_code samba_kdc_check_s4u2proxy_rbcd(
        struct auth_user_info_dc *user_info_dc = NULL;
        struct auth_session_info *session_info = NULL;
        uint32_t session_info_flags = AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
-       uint32_t access_desired = SEC_ADS_GENERIC_ALL; /* => 0x000f01ff */
+       /*
+        * Testing shows that although Windows grants SEC_ADS_GENERIC_ALL access
+        * in security descriptors it creates for RBCD, its KDC only requires
+        * SEC_ADS_CONTROL_ACCESS for the access check to succeed.
+        */
+       uint32_t access_desired = SEC_ADS_CONTROL_ACCESS;
        uint32_t access_granted = 0;
        NTSTATUS nt_status;
        TALLOC_CTX *mem_ctx = NULL;
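Review bot: The new comment at L33-L37 drops the numeric value the removed line carried and does not explain why existing Windows-created descriptors keep working, which is the fact a future reader will need: SEC_ADS_CONTROL_ACCESS is a single bit inside the expanded GENERIC_ALL mask (0x000f01ff, per the removed L32), so an ACE granting GENERIC_ALL still satisfies a CONTROL_ACCESS-only check. I would extend the comment with `Matching Windows here is safe for descriptors Windows itself creates: their GENERIC_ALL mask (0x000f01ff) contains the DS_CONTROL_ACCESS bit, so they still pass.` Requiring only the control-access bit also means any ACE that carries it, whatever extended right it was written for, now satisfies this check; the body of samba_kdc_check_s4u2proxy_rbcd continues past the hunk, so I cannot see whether the access check it feeds is object-type aware, and if it is the plain variant the comment should state that the descriptor checked here is expected to be the RBCD-specific one from the target account rather than a general object SD.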