From: Stefan Metzmacher Date: Fri, 8 Oct 2021 17:57:18 +0000 (+0200) Subject: CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() forward the low level... X-Git-Tag: samba-4.13.14~152 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c703f7a5642174d0e52aec91a6817d5cc56f47ab;p=thirdparty%2Fsamba.git CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() forward the low level errors Mapping everything to ACCESS_DENIED makes it hard to debug problems, which may happen because of our more restrictive behaviour in future. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett --- diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c index 8044e6d8af0..86585ad690c 100644 --- a/source3/auth/auth_generic.c +++ b/source3/auth/auth_generic.c @@ -166,7 +166,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n", nt_errstr(status))); - status = NT_STATUS_ACCESS_DENIED; + status = nt_status_squash(status); goto done; }
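Review bot: In the `if (!NT_STATUS_IS_OK(status))` branch of auth3_generate_session_info_pac(), the new `status = nt_status_squash(status);` line has no comment saying why the status is squashed rather than returned unchanged, while the commit message speaks of forwarding the low level errors. A short comment above that line would help, stating that the status handed back is the squashed form and that the unmodified value is only written to the log by the preceding `DEBUG(1, ...)` call. Because this path no longer always yields `NT_STATUS_ACCESS_DENIED`, it is also worth confirming that no caller or test relies on that exact code for a failed PAC mapping, and noting the outcome of that check in the commit message.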