From: Stefan Metzmacher Date: Mon, 4 Oct 2021 16:03:55 +0000 (+0200) Subject: CVE-2020-25717: s3:auth: don't let create_local_token depend on !winbind_ping() X-Git-Tag: samba-4.13.14~146 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e8e0bea9b333315ec1ff9eb1d36d4e810ca95941;p=thirdparty%2Fsamba.git CVE-2020-25717: s3:auth: don't let create_local_token depend on !winbind_ping() We always require a running winbindd on a domain member, so we should better fail a request instead of silently alter the behaviour, which results in a different unix token, just because winbindd might be restarted. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett --- diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index d81313a0495..065b525500f 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -576,13 +576,11 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, } /* - * If winbind is not around, we can not make much use of the SIDs the - * domain controller provided us with. Likewise if the user name was - * mapped to some local unix user. + * If the user name was mapped to some local unix user, + * we can not make much use of the SIDs the + * domain controller provided us with. */ - - if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) || - (server_info->nss_token)) { + if (server_info->nss_token) { char *found_username = NULL; status = create_token_from_username(session_info, server_info->unix_name,