From: Andrew Bartlett Date: Tue, 14 Dec 2021 23:30:28 +0000 (+1300) Subject: s4:kdc: Set require_pac and no-ENC_TS in FAST for new Heimdal import X-Git-Tag: tdb-1.4.6~34 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ba154d62f70d1749aea44ddb4dc62439766f1a0b;p=thirdparty%2Fsamba.git s4:kdc: Set require_pac and no-ENC_TS in FAST for new Heimdal import This allows us to continue to avoid CVE-2020-25719 in particular and pass our tests for expected FAST behaviour as the patches we requested by upstream to be conditional, not hard-coded. NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN! Signed-off-by: Andrew Bartlett Reviewed-by: Stefan Metzmacher --- diff --git a/source4/kdc/kdc-heimdal.c b/source4/kdc/kdc-heimdal.c index c05380f0841..2abb5eab925 100644 --- a/source4/kdc/kdc-heimdal.c +++ b/source4/kdc/kdc-heimdal.c @@ -412,6 +412,24 @@ static void kdc_post_fork(struct task_server *task, struct process_details *pd) kdc_config->force_include_pa_etype_salt = true; + /* + * For Samba CVE-2020-25719 Require PAC to be present + * This instructs Heimdal to match AD behaviour, + * as seen after Microsoft's CVE-2021-42287 when + * PacRequestorEnforcement is set to 2. + * + * Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686 + * REF: https://support.microsoft.com/en-au/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041 + */ + + kdc_config->require_pac = true; + + /* + * Match Windows and RFC6113 and Windows but break older + * Heimdal clients. + */ + kdc_config->enable_armored_pa_enc_timestamp = false; + /* Register hdb-samba4 hooks for use as a keytab */ kdc->base_ctx = talloc_zero(kdc, struct samba_kdc_base_context);
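Review bot: the comment above `kdc_config->enable_armored_pa_enc_timestamp = false;` repeats "Windows" ("Match Windows and RFC6113 and Windows") and never says what is being switched off or for whom, which is exactly what a reader will need when an older client stops authenticating; suggest rewording it to name the behaviour (the KDC no longer accepts PA-ENC-TIMESTAMP inside a FAST armor, as RFC 6113 expects, so clients must use the encrypted-challenge path) and to point at the test that checks the expected FAST behaviour mentioned in the commit message. Two smaller points in the same hunk: the `require_pac` comment block is separated from its assignment by a blank line, unlike the neighbouring `force_include_pa_etype_salt` setting, so dropping that blank line keeps the comment attached to the statement it documents; and since the message states that this commit will not compile on its own because the two new `kdc_config` fields come from the Heimdal import, naming the commit that introduces those fields would save whoever bisects through this range.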