From: Stefan Metzmacher Date: Mon, 4 Oct 2021 15:29:34 +0000 (+0200) Subject: CVE-2020-25717: s4:auth/ntlm: make sure auth_check_password() defaults to r->out... X-Git-Tag: ldb-2.5.0~262 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0e23000f27823243ad797eb39581f83c3ad50b2b;p=thirdparty%2Fsamba.git CVE-2020-25717: s4:auth/ntlm: make sure auth_check_password() defaults to r->out.authoritative = true We need to make sure that temporary failures don't trigger a fallback to the local SAM that silently ignores the domain name part for users. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett --- diff --git a/source4/auth/ntlm/auth.c b/source4/auth/ntlm/auth.c index e54eb7719f5..4c66f2c23cb 100644 --- a/source4/auth/ntlm/auth.c +++ b/source4/auth/ntlm/auth.c @@ -169,6 +169,11 @@ _PUBLIC_ NTSTATUS auth_check_password(struct auth4_context *auth_ctx, /*TODO: create a new event context here! */ ev = auth_ctx->event_ctx; + /* + * We are authoritative by default + */ + *pauthoritative = 1; + subreq = auth_check_password_send(mem_ctx, ev, auth_ctx,
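Review bot: The comment added before `*pauthoritative = 1;` in auth_check_password() says only "We are authoritative by default" and leaves out why the default matters. The commit message has the reason (a temporary failure must not trigger a fallback to the local SAM, which silently ignores the domain name part for users), and a short form of it belongs in the comment so the assignment is not later removed as redundant. The store is also unconditional and sits before auth_check_password_send(); the visible context shows no NULL check on `pauthoritative`, so either confirm that every caller passes a valid pointer or guard the write. A smaller style point: the subject line speaks of `r->out.authoritative = true` while the code assigns `1`; if the pointed-to type is a bool, `true` would read more consistently.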