CVE-2020-25717: s3:auth: simplify get_user_from_kerberos_info() by removing the unuse...

This code is only every called in standalone mode on a MIT realm,
it means we never have a PAC and we also don't have winbindd arround.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index 7d00cfa95c767b2240a9c634bbdfb86a5c813486..8649dd87efcf98cfb2384bc1812e11f1f7635f50 100644 (file)
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -214,7 +214,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
        }
 
        status = get_user_from_kerberos_info(tmp_ctx, rhost,
-                                            princ_name, NULL,
+                                            princ_name,
                                             &is_mapped, &is_guest,
                                             &ntuser, &ntdomain,
                                             &username, &pw);

diff --git a/source3/auth/proto.h b/source3/auth/proto.h
index 097b17fee44a270fab951f7d8ff74225cdcecd45..46fae447347f19b79bedcdd9c2fa1050bac4c5e2 100644 (file)
--- a/source3/auth/proto.h
+++ b/source3/auth/proto.h
@@ -423,7 +423,6 @@ struct PAC_LOGON_INFO;
 NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
                                     const char *cli_name,
                                     const char *princ_name,
-                                    struct PAC_LOGON_INFO *logon_info,
                                     bool *is_mapped,
                                     bool *mapped_to_guest,
                                     char **ntuser,

diff --git a/source3/auth/user_krb5.c b/source3/auth/user_krb5.c
index 074e8c7eb7111a2a40a979d1f817eb4b9d70cc58..7b69ca6c222e957c06fd28777a3920a4017d2bcd 100644 (file)
--- a/source3/auth/user_krb5.c
+++ b/source3/auth/user_krb5.c
@@ -31,7 +31,6 @@
 NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
                                     const char *cli_name,
                                     const char *princ_name,
-                                    struct PAC_LOGON_INFO *logon_info,
                                     bool *is_mapped,
                                     bool *mapped_to_guest,
                                     char **ntuser,
@@ -40,8 +39,8 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
                                     struct passwd **_pw)
 {
        NTSTATUS status;
-       char *domain = NULL;
-       char *realm = NULL;
+       const char *domain = NULL;
+       const char *realm = NULL;
        char *user = NULL;
        char *p;
        char *fuser = NULL;
@@ -62,55 +61,16 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
                return NT_STATUS_NO_MEMORY;
        }
 
-       realm = talloc_strdup(talloc_tos(), p + 1);
-       if (!realm) {
-               return NT_STATUS_NO_MEMORY;
-       }
+       realm = p + 1;
 
        if (!strequal(realm, lp_realm())) {
                DEBUG(3, ("Ticket for foreign realm %s@%s\n", user, realm));
                if (!lp_allow_trusted_domains()) {
                        return NT_STATUS_LOGON_FAILURE;
                }
-       }
-
-       if (logon_info && logon_info->info3.base.logon_domain.string) {
-               domain = talloc_strdup(mem_ctx,
-                                       logon_info->info3.base.logon_domain.string);
-               if (!domain) {
-                       return NT_STATUS_NO_MEMORY;
-               }
-               DEBUG(10, ("Domain is [%s] (using PAC)\n", domain));
+               domain = realm;
        } else {
-
-               /* If we have winbind running, we can (and must) shorten the
-                  username by using the short netbios name. Otherwise we will
-                  have inconsistent user names. With Kerberos, we get the
-                  fully qualified realm, with ntlmssp we get the short
-                  name. And even w2k3 does use ntlmssp if you for example
-                  connect to an ip address. */
-
-               wbcErr wbc_status;
-               struct wbcDomainInfo *info = NULL;
-
-               DEBUG(10, ("Mapping [%s] to short name using winbindd\n",
-                          realm));
-
-               wbc_status = wbcDomainInfo(realm, &info);
-
-               if (WBC_ERROR_IS_OK(wbc_status)) {
-                       domain = talloc_strdup(mem_ctx,
-                                               info->short_name);
-                       wbcFreeMemory(info);
-               } else {
-                       DEBUG(3, ("Could not find short name: %s\n",
-                                 wbcErrorString(wbc_status)));
-                       domain = talloc_strdup(mem_ctx, realm);
-               }
-               if (!domain) {
-                       return NT_STATUS_NO_MEMORY;
-               }
-               DEBUG(10, ("Domain is [%s] (using Winbind)\n", domain));
+               domain = lp_workgroup();
        }
 
        fuser = talloc_asprintf(mem_ctx,
@@ -175,7 +135,11 @@ NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
                return NT_STATUS_NO_MEMORY;
        }
        *ntuser = user;
-       *ntdomain = domain;
+       *ntdomain = talloc_strdup(mem_ctx, domain);
+       if (*ntdomain == NULL) {
+               return NT_STATUS_NO_MEMORY;
+       }
+
        *_pw = pw;
 
        return NT_STATUS_OK;
@@ -282,7 +246,6 @@ NTSTATUS make_session_info_krb5(TALLOC_CTX *mem_ctx,
 NTSTATUS get_user_from_kerberos_info(TALLOC_CTX *mem_ctx,
                                     const char *cli_name,
                                     const char *princ_name,
-                                    struct PAC_LOGON_INFO *logon_info,
                                     bool *is_mapped,
                                     bool *mapped_to_guest,
                                     char **ntuser,