From: Douglas Bagnall
Date: Wed, 27 Oct 2021 20:45:36 +0000 (+1300)
Subject: CVE-2020-25722 s4/provision: add host/ SPNs at the start
X-Git-Tag: ldb-2.5.0~220
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0a555cf097a5a8d38c7b61edaee838dd0973a989;p=thirdparty%2Fsamba.git

CVE-2020-25722 s4/provision: add host/ SPNs at the start

There are two reasons for this. Firstly, leaving SPNs unclaimed is dangerous, as someone else could grab them first. Secondly, in some circumstances (self join) we try to add a DNS/ SPN a little bit later in provision. Under the rules we are introducing for CVE-2020-25722, this will make our later attempts to add HOST/ fail.

This causes a few errors in samba4.blackbox.dbcheck.* tests, which assert that revivified old domains match stored reference versions. Now they don't, because they have servicePrincipalNames.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Douglas Bagnall
Reviewed-by: Andrew Bartlett
---
diff --git a/selftest/knownfail.d/cve-2020-25722-provision b/selftest/knownfail.d/cve-2020-25722-provision new file mode 100644 index 00000000000..7fd4b4b3763 --- /dev/null +++ b/selftest/knownfail.d/cve-2020-25722-provision @@ -0,0 +1,4 @@ +samba4.blackbox.dbcheck.release-4-0-0 +samba4.blackbox.dbcheck.release-4-0-0.quick +samba4.blackbox.upgradeprovision.release-4-0-0 +samba4.blackbox.functionalprep.check_databases_same diff --git a/source4/setup/provision_self_join.ldif b/source4/setup/provision_self_join.ldif index f77ac5710ec..92bf4d9cf8f 100644 --- a/source4/setup/provision_self_join.ldif +++ b/source4/setup/provision_self_join.ldif
@@ -15,11 +15,16 @@ localPolicyFlags: 0 operatingSystem: Samba operatingSystemVersion: ${SAMBA_VERSION_STRING} sAMAccountName: ${NETBIOSNAME}$ -# The "servicePrincipalName" updates are now handled by the "samba_spnupdate" -# script userAccountControl: 532480 clearTextPassword:: ${MACHINEPASS_B64} objectSid: ${DOMAINSID}-${DCRID} +# While some "servicePrincipalName" updates might be handled by the +# "samba_spnupdate" script, we need to get the basics in here before +# we add any others. +servicePrincipalName: HOST/${DNSNAME} +servicePrincipalName: HOST/${NETBIOSNAME} +servicePrincipalName: HOST/${DNSNAME}/${DNSNAME} + dn: CN=RID Set,CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN} objectClass: rIDSet
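Review bot: The new knownfail file (selftest/knownfail.d/cve-2020-25722-provision) lists samba4.blackbox.upgradeprovision.release-4-0-0 and samba4.blackbox.functionalprep.check_databases_same, but the commit message only explains the samba4.blackbox.dbcheck.* failures; either extend the message to cover why those two are also expected to fail (the same reference-database mismatch, presumably) or add a comment line to the file pointing at bug 14564 so it is clear these four entries are temporary and should be dropped once the stored reference provisions are regenerated with the HOST/ servicePrincipalNames. Parking a CVE-driven behaviour change behind knownfail entries with no pointer back to the reason makes them easy to forget, and the tests that would catch a regression in the new SPN rules stay silenced.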
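Review bot: The replacement comment in source4/setup/provision_self_join.ldif ("we need to get the basics in here before we add any others") should state which SPNs are deliberately left for samba_spnupdate and why the three HOST/ forms (HOST/${DNSNAME}, HOST/${NETBIOSNAME}, HOST/${DNSNAME}/${DNSNAME}) must be claimed in the same entry as the account itself: per the commit message, a later DNS/ addition would otherwise be rejected by the new CVE-2020-25722 rules, and an unclaimed SPN is a window for another principal to register it first. Making that explicit in the file protects the ordering from a future "tidy-up" that moves the SPNs back out. Also a minor nit: the hunk ends with an added empty "+" line immediately before the existing blank separator, so the self-join entry is now followed by two blank lines before "dn: CN=RID Set,..."; ldb's LDIF reader tolerates it, but dropping the extra line keeps the file consistent with the other entries.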