From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Fri, 29 Oct 2021 02:43:28 +0000 (+1300)
Subject: CVE-2020-25718 tests/krb5: Only fetch RODC account credentials when necessary
X-Git-Tag: samba-4.13.14~31
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=06a46f79dd6ac3f3d70c1e099571265d1475dedf;p=thirdparty%2Fsamba.git

CVE-2020-25718 tests/krb5: Only fetch RODC account credentials when necessary

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index 4b4f1486f60..f64bd0b206e 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -710,9 +710,6 @@ class KDCBaseTest(RawKerberosTest):
             self.assertFalse(not_delegated)
 
         samdb = self.get_samdb()
-        rodc_samdb = self.get_rodc_samdb()
-
-        rodc_dn = self.get_server_dn(rodc_samdb)
 
         user_name = self.get_new_username()
         if name_prefix is not None:
@@ -764,6 +761,9 @@ class KDCBaseTest(RawKerberosTest):
         # Handle secret replication to the RODC.
 
         if allowed_replication or revealed_to_rodc:
+            rodc_samdb = self.get_rodc_samdb()
+            rodc_dn = self.get_server_dn(rodc_samdb)
+
             # Allow replicating this account's secrets if requested, or allow
             # it only temporarily if we're about to replicate them.
             allowed_cleanup = self.add_to_group(
@@ -784,6 +784,9 @@ class KDCBaseTest(RawKerberosTest):
                                 revealed=revealed_to_rodc)
 
         if denied_replication:
+            rodc_samdb = self.get_rodc_samdb()
+            rodc_dn = self.get_server_dn(rodc_samdb)
+
             # Deny replicating this account's secrets to the RODC.
             self.add_to_group(dn, rodc_dn, 'msDS-NeverRevealGroup')