From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 8 Oct 2021 17:57:18 +0000 (+0200)
Subject: CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() forward the low level... 
X-Git-Tag: ldb-2.5.0~250
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=97d54027910b7d3fa04bd6c1b72448a85cdf5d7c;p=thirdparty%2Fsamba.git

CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() forward the low level errors

Mapping everything to ACCESS_DENIED makes it hard to debug problems,
which may happen because of our more restrictive behaviour in future.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c
index 0bd81b25cd4..61abbab2a02 100644
--- a/source3/auth/auth_generic.c
+++ b/source3/auth/auth_generic.c
@@ -166,7 +166,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx,
 	if (!NT_STATUS_IS_OK(status)) {
 		DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n",
 			  nt_errstr(status)));
-		status = NT_STATUS_ACCESS_DENIED;
+		status = nt_status_squash(status);
 		goto done;
 	}