From b16fecbd920bec9f93687a7b2205cecea3d1da7b Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 12 Mar 2025 15:23:11 +0100 Subject: [PATCH] auth: let make_user_info_dc_pac() cross check PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID If there's a mismatch someone doing strange things... Signed-off-by: Stefan Metzmacher Reviewed-by: Ralph Boehme --- auth/auth_sam_reply.c | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c index 2123094bf0a..a21093059cd 100644 --- a/auth/auth_sam_reply.c +++ b/auth/auth_sam_reply.c @@ -969,6 +969,40 @@ NTSTATUS make_user_info_dc_pac(TALLOC_CTX *mem_ctx, if (pac_upn_dns_info->flags & PAC_UPN_DNS_FLAG_CONSTRUCTED) { user_info_dc->info->user_principal_constructed = true; } + + if (pac_upn_dns_info->flags & PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID) { + const struct PAC_UPN_DNS_INFO_SAM_NAME_AND_SID *ei = + &pac_upn_dns_info->ex.sam_name_and_sid; + const struct auth_SidAttr *psid = + &user_info_dc->sids[PRIMARY_USER_SID_INDEX]; + bool match = true; + + if (ei->objectsid != NULL) { + match = dom_sid_equal(ei->objectsid, &psid->sid); + } + if (!match) { + struct dom_sid_buf sb1 = {}; + struct dom_sid_buf sb2 = {}; + + DBG_WARNING("Mismatching PAC_UPN_DNS " + "objectSid[%s] LOGON_INFO[%s]\n", + dom_sid_str_buf(ei->objectsid, &sb1), + dom_sid_str_buf(&psid->sid, &sb2)); + talloc_free(user_info_dc); + return NT_STATUS_INVALID_TOKEN; + } + + match = strequal(ei->samaccountname, + user_info_dc->info->account_name); + if (!match) { + DBG_WARNING("Mismatching PAC_UPN_DNS " + "sAMAccountName[%s] LOGON_INFO[%s]\n", + ei->samaccountname, + user_info_dc->info->account_name); + talloc_free(user_info_dc); + return NT_STATUS_INVALID_TOKEN; + } + } } *_user_info_dc = user_info_dc; -- 2.47.3