From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 1 Oct 2021 02:57:41 +0000 (+1300)
Subject: CVE-2020-25718 s4-rpc_server: Add in debug messages into RODC processing
X-Git-Tag: samba-4.13.14~46
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a12d50c533459d5d7b6e2343b16e92c2dac8ebf1;p=thirdparty%2Fsamba.git

CVE-2020-25718 s4-rpc_server: Add in debug messages into RODC processing

These are added for the uncommon cases.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
---

diff --git a/source4/rpc_server/common/sid_helper.c b/source4/rpc_server/common/sid_helper.c
index 78cb35d3fc1..c6e7fbeb7ab 100644
--- a/source4/rpc_server/common/sid_helper.c
+++ b/source4/rpc_server/common/sid_helper.c
@@ -151,12 +151,18 @@ WERROR samdb_confirm_rodc_allowed_to_repl_to_sid_list(struct ldb_context *sam_ct
 	if (samdb_result_dn(sam_ctx, frame,
 			    obj_msg, "msDS-KrbTgtLinkBL", NULL)) {
 		TALLOC_FREE(frame);
+		DBG_INFO("Denied attempt to replicate to/act as a RODC krbtgt trust account %s using RODC: %s\n",
+			 ldb_dn_get_linearized(obj_msg->dn),
+			 ldb_dn_get_linearized(rodc_msg->dn));
 		return WERR_DS_DRA_SECRETS_DENIED;
 	}
 
 	if (ldb_msg_find_attr_as_uint(obj_msg,
 				      "userAccountControl", 0) &
 	    UF_INTERDOMAIN_TRUST_ACCOUNT) {
+		DBG_INFO("Denied attempt to replicate to/act as a inter-domain trust account %s using RODC: %s\n",
+			 ldb_dn_get_linearized(obj_msg->dn),
+			 ldb_dn_get_linearized(rodc_msg->dn));
 		TALLOC_FREE(frame);
 		return WERR_DS_DRA_SECRETS_DENIED;
 	}
@@ -167,9 +173,9 @@ WERROR samdb_confirm_rodc_allowed_to_repl_to_sid_list(struct ldb_context *sam_ct
 					     0);
 	if ((rodc_uac & UF_PARTIAL_SECRETS_ACCOUNT)
 	    != UF_PARTIAL_SECRETS_ACCOUNT) {
-		TALLOC_FREE(frame);
 		DBG_ERR("Attempt to use an RODC account that is not an RODC: %s\n",
 			ldb_dn_get_linearized(rodc_msg->dn));
+		TALLOC_FREE(frame);
 		return WERR_DS_DRA_SECRETS_DENIED;
 	}
 
@@ -178,6 +184,9 @@ WERROR samdb_confirm_rodc_allowed_to_repl_to_sid_list(struct ldb_context *sam_ct
 					 &num_never_reveal_sids,
 					 &never_reveal_sids);
 	if (!W_ERROR_IS_OK(werr)) {
+		DBG_ERR("Failed to parse msDS-NeverRevealGroup on %s: %s\n",
+			ldb_dn_get_linearized(rodc_msg->dn),
+			win_errstr(werr));
 		TALLOC_FREE(frame);
 		return WERR_DS_DRA_SECRETS_DENIED;
 	}
@@ -187,6 +196,9 @@ WERROR samdb_confirm_rodc_allowed_to_repl_to_sid_list(struct ldb_context *sam_ct
 					 &num_reveal_sids,
 					 &reveal_sids);
 	if (!W_ERROR_IS_OK(werr)) {
+		DBG_ERR("Failed to parse msDS-RevealOnDemandGroup on %s: %s\n",
+			ldb_dn_get_linearized(rodc_msg->dn),
+			win_errstr(werr));
 		TALLOC_FREE(frame);
 		return WERR_DS_DRA_SECRETS_DENIED;
 	}
@@ -247,6 +259,10 @@ WERROR samdb_confirm_rodc_allowed_to_repl_to(struct ldb_context *sam_ctx,
 					  &token_sids,
 					  object_sid, 1);
 	if (!W_ERROR_IS_OK(werr) || token_sids==NULL) {
+		DBG_ERR("Failed to get tokenGroups on %s to confirm access via RODC %s: %s\n",
+			ldb_dn_get_linearized(obj_msg->dn),
+			ldb_dn_get_linearized(rodc_msg->dn),
+			win_errstr(werr));
 		return WERR_DS_DRA_SECRETS_DENIED;
 	}