From: Joseph Sutton Date: Sat, 9 Jul 2022 03:53:51 +0000 (+1200) Subject: CVE-2021-20251 s4-auth: Pass through error code from badPwdCount update X-Git-Tag: talloc-2.4.0~1075 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d8a862cb811489abb67d4cf3a7fbd83d05c7e5cb;p=thirdparty%2Fsamba.git CVE-2021-20251 s4-auth: Pass through error code from badPwdCount update The error code may be NT_STATUS_ACCOUNT_LOCKED_OUT, which we use in preference to NT_STATUS_WRONG_PASSWORD. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611 Signed-off-by: Joseph Sutton Reviewed-by: Andreas Schneider Reviewed-by: Andrew Bartlett --- diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index dad59c2684e..8d3e4fd564c 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc @@ -146,4 +146,3 @@ # Lockout tests # ^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_race_kdc.ad_dc:local -^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_race_ntlm.ad_dc:local diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index 38ffac70762..edd7b8f57b1 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc 
@@ -534,7 +534,6 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ ^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_bad_pwd_count_transaction_kdc.ad_dc:local ^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_bad_pwd_count_transaction_rename_kdc.ad_dc:local ^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_race_kdc.ad_dc:local -^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_race_ntlm.ad_dc:local ^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_transaction_bad_pwd_kdc.ad_dc:local ^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_transaction_kdc.ad_dc:local ^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_transaction_rename_kdc.ad_dc:local diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c index 1077762c70e..882d92e26ed 100644 --- a/source4/auth/ntlm/auth_sam.c +++ b/source4/auth/ntlm/auth_sam.c @@ -716,7 +716,11 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con } TALLOC_FREE(tmp_ctx); - return NT_STATUS_WRONG_PASSWORD; + + if (NT_STATUS_IS_OK(nt_status)) { + nt_status = NT_STATUS_WRONG_PASSWORD; + } + return nt_status; } static NTSTATUS authsam_authenticate(struct auth4_context *auth_context,
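Review bot: The commit message should state that this change only clears the NTLM lockout race. In both selftest/knownfail_heimdal_kdc and selftest/knownfail_mit_kdc the hunks remove test_lockout_race_ntlm but leave test_lockout_race_kdc listed as a known failure. A reader of the log could otherwise assume the CVE-2021-20251 lockout race is closed for every authentication path. One sentence noting that the KDC variant is still expected to fail would make the scope of this commit clear.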
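Review bot: In the source4/auth/ntlm/auth_sam.c hunk, the new tail of authsam_password_check_and_record() returns every non-OK nt_status unchanged, not only the NT_STATUS_ACCOUNT_LOCKED_OUT case that the commit message names. The visible lines do not show where nt_status was last assigned. If the badPwdCount update can fail with any other code, that code now replaces NT_STATUS_WRONG_PASSWORD as the result of a failed password check. Please add a short comment above "if (NT_STATUS_IS_OK(nt_status)) {" saying which statuses are expected to reach this point and why an OK status is turned into NT_STATUS_WRONG_PASSWORD. If only the lockout status is meant to pass through, test for it explicitly and map everything else to NT_STATUS_WRONG_PASSWORD.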