CVE-2021-20251 s4:kdc: Check return status of authsam_logon_success_accounting()
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Fri, 1 Jul 2022 03:04:41 +0000 (15:04 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Mon, 12 Sep 2022 23:07:37 +0000 (23:07 +0000)
If we find that the user has been locked out sometime during the request
(due to a race), we will now return an error code.

Note that we cannot avoid the MIT KDC aspect of the issue by checking
the return status of mit_samba_zero_bad_password_count(), because
kdb_vftabl::audit_as_req() returning void means we cannot pass on the
result.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
source4/kdc/hdb-samba4.c

index f8bacc26f3f842d97e4a8ab086c9714904374db7..b17ef6aaf6a53000c39d622857b8adc21d1b9273 100644 (file)
@@ -652,14 +652,21 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
                         * well.  However before we do that, we need to pass
                         * in the PAC here or re-calculate it.
                         */
-                       authsam_logon_success_accounting(kdc_db_ctx->samdb, p->msg,
-                                                        domain_dn, true, &send_to_sam);
-                       if (kdc_db_ctx->rodc && send_to_sam != NULL) {
+                       status = authsam_logon_success_accounting(kdc_db_ctx->samdb, p->msg,
+                                                                 domain_dn, true, &send_to_sam);
+                       if (NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_LOCKED_OUT)) {
+                               final_ret = KRB5KDC_ERR_CLIENT_REVOKED;
+                               r->error_code = final_ret;
+                               rwdc_fallback = kdc_db_ctx->rodc;
+                       } else if (!NT_STATUS_IS_OK(status)) {
+                               final_ret = KRB5KRB_ERR_GENERIC;
+                               r->error_code = final_ret;
+                               rwdc_fallback = kdc_db_ctx->rodc;
+                       } else if (kdc_db_ctx->rodc && send_to_sam != NULL) {
                                reset_bad_password_netlogon(frame, kdc_db_ctx, send_to_sam);
                        }
 
                        /* This is the final sucess */
-                       status = NT_STATUS_OK;
                } else if (hdb_auth_status == KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY) {
                        /*
                         * This was only a pre-authentication success,
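Review bot: The comment `/* This is the final sucess */` at the end of the hunk is now stale: it annotated the removed `status = NT_STATUS_OK;`, but it now follows two branches in which `status` holds a failure and `final_ret` is an error code, so a reader can mistake the lockout path for a success path. Suggest replacing it with `/* Success, unless authsam_logon_success_accounting() failed above (status is left holding its result). */`, which also fixes the "sucess" typo. The two new error branches differ only in the KRB5 code assigned; a single `else if (!NT_STATUS_IS_OK(status))` that selects `KRB5KDC_ERR_CLIENT_REVOKED` or `KRB5KRB_ERR_GENERIC` via `NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_LOCKED_OUT)` would remove the duplicated `r->error_code` and `rwdc_fallback` assignments. Whether a lockout detected here actually stops the ticket from being issued depends on the caller honouring `final_ret`/`r->error_code` after hdb_samba4_audit returns, which cannot be confirmed from this hunk; hdb_samba4_audit's body begins and ends outside it.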