From: Andreas Schneider <asn@samba.org>
Date: Mon, 9 Aug 2021 15:22:52 +0000 (+0200)
Subject: CVE-2020-25719 mit_samba: The samba_princ_needs_pac check should be on the server... 
X-Git-Tag: samba-4.13.14~62
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d86977088cd16e2ce7f0029ef78d0282c1535115;p=thirdparty%2Fsamba.git

CVE-2020-25719 mit_samba: The samba_princ_needs_pac check should be on the server entry

This does the same check as the hdb plugin now. The client check is already
done earlier.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index be6ea83c042..d11e1640ee9 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -486,6 +486,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
 	DATA_BLOB *deleg_blob = NULL;
 	struct samba_kdc_entry *client_skdc_entry = NULL;
 	struct samba_kdc_entry *krbtgt_skdc_entry = NULL;
+	struct samba_kdc_entry *server_skdc_entry = NULL;
 	bool is_in_db = false;
 	bool is_untrusted = false;
 	size_t num_types = 0;
@@ -499,6 +500,7 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
 	ssize_t srv_checksum_idx = -1;
 	ssize_t kdc_checksum_idx = -1;
 	krb5_pac new_pac = NULL;
+	bool ok;
 
 	if (client != NULL) {
 		client_skdc_entry =
@@ -510,6 +512,16 @@ krb5_error_code mit_samba_reget_pac(struct mit_samba_context *ctx,
 		return EINVAL;
 	}
 
+	server_skdc_entry =
+		talloc_get_type_abort(server->e_data,
+				      struct samba_kdc_entry);
+
+	/* The account may be set not to want the PAC */
+	ok = samba_princ_needs_pac(server_skdc_entry);
+	if (!ok) {
+		return EINVAL;
+	}
+
 	if (krbtgt == NULL) {
 		return EINVAL;
 	}