From: Stefan Metzmacher Date: Mon, 4 Oct 2021 16:03:55 +0000 (+0200) Subject: CVE-2020-25717: s3:auth: don't let create_local_token depend on !winbind_ping() X-Git-Tag: ldb-2.5.0~244 X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=57abb7f8f8884f52f1d194c5c74e067aecd0d3dd;p=thirdparty%2Fsamba.git CVE-2020-25717: s3:auth: don't let create_local_token depend on !winbind_ping() We always require a running winbindd on a domain member, so we should better fail a request instead of silently alter the behaviour, which results in a different unix token, just because winbindd might be restarted. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett --- diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c index 26fa227e9b0..dec854d85c3 100644 --- a/source3/auth/auth_util.c +++ b/source3/auth/auth_util.c @@ -570,13 +570,11 @@ NTSTATUS create_local_token(TALLOC_CTX *mem_ctx, } /* - * If winbind is not around, we can not make much use of the SIDs the - * domain controller provided us with. Likewise if the user name was - * mapped to some local unix user. + * If the user name was mapped to some local unix user, + * we can not make much use of the SIDs the + * domain controller provided us with. */ - - if (((lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()) || - (server_info->nss_token)) { + if (server_info->nss_token) { char *found_username = NULL; status = create_token_from_username(session_info, server_info->unix_name,
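Review bot: Dropping the `(lp_server_role() == ROLE_DOMAIN_MEMBER) && !winbind_ping()` clause from the `if` in `create_local_token()` removes the silent fallback to `create_token_from_username(session_info, server_info->unix_name, ...)`, but the hunk adds no explicit error return for a domain member whose winbindd is unreachable, even though the commit message says such a request should fail rather than change behaviour. Please confirm that the code path now taken when `server_info->nss_token` is false (the one that consumes the SIDs supplied by the domain controller) propagates a failure status when winbindd cannot be contacted, or add an explicit check at this point so the two outcomes, a token built from DC-provided SIDs or a hard failure, are the only ones possible; a unix token derived from a local user name is a security-relevant difference, not just a functional one. Minor: the updated comment reads well, but it could state in one clause that winbindd is required on a domain member, since that assumption is what justifies removing the ping.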