CVE-2021-20251 s4:kdc: Check badPwdCount update return status
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Sat, 9 Jul 2022 03:54:52 +0000 (15:54 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Mon, 12 Sep 2022 23:07:37 +0000 (23:07 +0000)
If the account has been locked out in the meantime (indicated by
NT_STATUS_ACCOUNT_LOCKED_OUT), we should return the appropriate error
code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
selftest/knownfail_heimdal_kdc
source4/kdc/hdb-samba4.c

index 8d3e4fd564cbbe4272ece83068492f81b74b7970..99f687e32126abe1b466176fc7925a1d386ee5b6 100644 (file)
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_remove_claims.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_remove_claims_to_krbtgt.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_to_krbtgt.ad_dc
-#
-# Lockout tests
-#
-^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_race_kdc.ad_dc:local
index b17ef6aaf6a53000c39d622857b8adc21d1b9273..699ef9a577cc8fd4db8d38033624f7f488031a35 100644 (file)
@@ -706,8 +706,13 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
                } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_TIME_SKEW) {
                        status = NT_STATUS_TIME_DIFFERENCE_AT_DC;
                } else if (hdb_auth_status == KDC_AUTH_EVENT_WRONG_LONG_TERM_KEY) {
-                       authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn);
-                       status = NT_STATUS_WRONG_PASSWORD;
+                       status = authsam_update_bad_pwd_count(kdc_db_ctx->samdb, p->msg, domain_dn);
+                       if (NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_LOCKED_OUT)) {
+                               final_ret = KRB5KDC_ERR_CLIENT_REVOKED;
+                               r->error_code = final_ret;
+                       } else {
+                               status = NT_STATUS_WRONG_PASSWORD;
+                       }
                        rwdc_fallback = kdc_db_ctx->rodc;
                } else if (hdb_auth_status == KDC_AUTH_EVENT_CLIENT_LOCKED_OUT) {
                        status = NT_STATUS_ACCOUNT_LOCKED_OUT;
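Review bot: The `else` branch of the new `NT_STATUS_EQUAL` check overwrites whatever `authsam_update_bad_pwd_count()` returned with `NT_STATUS_WRONG_PASSWORD`, so any non-OK status other than lockout (a failed directory write, if the helper reports one) is lost and the audit record reads as an ordinary wrong password even though badPwdCount was not incremented and lockout policy was not enforced. Since this is the only place the counter update's outcome is observed, the failure should at least be logged before it is collapsed: `if (!NT_STATUS_IS_OK(status)) {` / `	DBG_WARNING("badPwdCount update failed: %s\n", nt_errstr(status));` / `}` ahead of the `status = NT_STATUS_WRONG_PASSWORD;` assignment. Leaving `status` as `NT_STATUS_ACCOUNT_LOCKED_OUT` in the lockout branch matches the `KDC_AUTH_EVENT_CLIENT_LOCKED_OUT` branch below; whether that branch also sets `final_ret`/`r->error_code` cannot be seen from this hunk, but the two should agree. The enclosing function `hdb_samba4_audit` starts and ends outside the hunk.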