CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() forward the low level...

Mapping everything to ACCESS_DENIED makes it hard to debug problems,
which may happen because of our more restrictive behaviour in future.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index 0bd81b25cd45b0f56c7335b6987fdf2eef83ad19..61abbab2a0291f2d06e1114cdcde80ba33e507ca 100644 (file)
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -166,7 +166,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
        if (!NT_STATUS_IS_OK(status)) {
                DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
                          nt_errstr(status)));
-               status = NT_STATUS_ACCESS_DENIED;
+               status = nt_status_squash(status);
                goto done;
        }