CVE-2020-25722 kdc: Do not honour a request for a 3-part SPN (ending in our domain...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index e59316c59cdb208e5a172fbf95272f14b48136d9..e26d6b10ec19342b1b4ffafe6dd6773e70481c2a 100644 (file)
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -88,12 +88,6 @@
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_no_auth_data_required_a
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_no_auth_data_required_b
 #
-# SPN tests
-#
-^samba.tests.krb5.spn_tests.samba.tests.krb5.spn_tests.SpnTests.test_spn_3_part_instance_spn_computer
-^samba.tests.krb5.spn_tests.samba.tests.krb5.spn_tests.SpnTests.test_spn_3_part_our_domain_spn_computer
-^samba.tests.krb5.spn_tests.samba.tests.krb5.spn_tests.SpnTests.test_spn_3_part_our_realm_spn_computer
-#
 # KDC TGT tests
 #
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_authdata_no_pac

diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index 7a15d9059c92d1ad79d81fa564e441547e2d3ee0..22cd0b50ad75b741c19eead77b01f7d8479cbff1 100644 (file)
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -359,12 +359,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.verify-sig-arcfour.fl2008dc
 ^samba4.rpc.pac on ncacn_np.netr-mem-arcfour.verify-sig-arcfour.fl2008r2dc
 #
-# SPN tests
-#
-^samba.tests.krb5.spn_tests.samba.tests.krb5.spn_tests.SpnTests.test_spn_3_part_instance_spn_computer
-^samba.tests.krb5.spn_tests.samba.tests.krb5.spn_tests.SpnTests.test_spn_3_part_our_domain_spn_computer
-^samba.tests.krb5.spn_tests.samba.tests.krb5.spn_tests.SpnTests.test_spn_3_part_our_realm_spn_computer
-#
 # Alias tests
 #
 ^samba.tests.krb5.alias_tests.samba.tests.krb5.alias_tests.AliasTests.test_create_alias_delete

diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 8fe4f1ea3e9417b4fb1bd02cb76872a701af3bab..aff74f2ee7152767a020333cfab9d3aa86dbc240 100644 (file)
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -970,6 +970,29 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
                        entry_ex->entry.flags.server = 0;
                }
        }
+
+       /*
+        * We restrict a 3-part SPN ending in my domain/realm to full
+        * domain controllers.
+        *
+        * This avoids any cases where (eg) a demoted DC still has
+        * these more restricted SPNs.
+        */
+       if (krb5_princ_size(context, principal) > 2) {
+               char *third_part
+                       = smb_krb5_principal_get_comp_string(mem_ctx,
+                                                            context,
+                                                            principal,
+                                                            2);
+               bool is_our_realm =
+                        lpcfg_is_my_domain_or_realm(lp_ctx,
+                                                    third_part);
+               bool is_dc = userAccountControl &
+                       (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT);
+               if (is_our_realm && !is_dc) {
+                       entry_ex->entry.flags.server = 0;
+               }
+       }
        /*
         * To give the correct type of error to the client, we must
         * not just return the entry without .server set, we must