From b1e740896ebae14ba64250da2f718e1d707e9eed Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Fri, 1 Jul 2022 15:04:41 +1200
Subject: [PATCH] CVE-2021-20251 s4:kdc: Check return status of authsam_logon_success_accounting()
If we find that the user has been locked out sometime during the request (due to a race), we will now return an error code. Note that we cannot avoid the MIT KDC aspect of the issue by checking the return status of mit_samba_zero_bad_password_count(), because kdb_vftabl::audit_as_req() returning void means we cannot pass on the result.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
Signed-off-by: Joseph Sutton
Reviewed-by: Andreas Schneider
Reviewed-by: Andrew Bartlett
---
 source4/kdc/hdb-samba4.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c
index f8bacc26f3f..b17ef6aaf6a 100644
--- a/source4/kdc/hdb-samba4.c
+++ b/source4/kdc/hdb-samba4.c
@@ -652,14 +652,21 @@ static krb5_error_code hdb_samba4_audit(krb5_context context,
 * well. However before we do that, we need to pass
 * in the PAC here or re-calculate it.
 */
- authsam_logon_success_accounting(kdc_db_ctx->samdb, p->msg,
- domain_dn, true, &send_to_sam);
- if (kdc_db_ctx->rodc && send_to_sam != NULL) {
+ status = authsam_logon_success_accounting(kdc_db_ctx->samdb, p->msg,
+ domain_dn, true, &send_to_sam);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_ACCOUNT_LOCKED_OUT)) {
+ final_ret = KRB5KDC_ERR_CLIENT_REVOKED;
+ r->error_code = final_ret;
+ rwdc_fallback = kdc_db_ctx->rodc;
+ } else if (!NT_STATUS_IS_OK(status)) {
+ final_ret = KRB5KRB_ERR_GENERIC;
+ r->error_code = final_ret;
+ rwdc_fallback = kdc_db_ctx->rodc;
+ } else if (kdc_db_ctx->rodc && send_to_sam != NULL) {
 reset_bad_password_netlogon(frame, kdc_db_ctx, send_to_sam);
 }
 /* This is the final sucess */
- status = NT_STATUS_OK;
 } else if (hdb_auth_status == KDC_AUTH_EVENT_VALIDATED_LONG_TERM_KEY) {
 /*
 * This was only a pre-authentication success,
--
2.47.3
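Review bot: The context comment `/* This is the final sucess */` is now reached on two failure paths as well, and with `status = NT_STATUS_OK;` removed nothing on these lines says that `status` deliberately keeps the result of authsam_logon_success_accounting(). I would reword it to something like `/* status is OK only if the success was recorded; a lockout or accounting error is carried forward */`. I would also add `/* fail closed: any other accounting error also rejects the request */` above the `!NT_STATUS_IS_OK(status)` branch, so that the KRB5KRB_ERR_GENERIC mapping reads as intentional. How `status` and `rwdc_fallback` are consumed is not visible here, because hdb_samba4_audit() starts and ends outside the hunk, so the wording should be checked against the code that follows.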