From 06a46f79dd6ac3f3d70c1e099571265d1475dedf Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Fri, 29 Oct 2021 15:43:28 +1300
Subject: [PATCH] CVE-2020-25718 tests/krb5: Only fetch RODC account
 credentials when necessary

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 python/samba/tests/krb5/kdc_base_test.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index 4b4f1486f60..f64bd0b206e 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -710,9 +710,6 @@ class KDCBaseTest(RawKerberosTest):
             self.assertFalse(not_delegated)
 
         samdb = self.get_samdb()
-        rodc_samdb = self.get_rodc_samdb()
-
-        rodc_dn = self.get_server_dn(rodc_samdb)
 
         user_name = self.get_new_username()
         if name_prefix is not None:
@@ -764,6 +761,9 @@ class KDCBaseTest(RawKerberosTest):
         # Handle secret replication to the RODC.
 
         if allowed_replication or revealed_to_rodc:
+            rodc_samdb = self.get_rodc_samdb()
+            rodc_dn = self.get_server_dn(rodc_samdb)
+
             # Allow replicating this account's secrets if requested, or allow
             # it only temporarily if we're about to replicate them.
             allowed_cleanup = self.add_to_group(
@@ -784,6 +784,9 @@ class KDCBaseTest(RawKerberosTest):
                                 revealed=revealed_to_rodc)
 
         if denied_replication:
+            rodc_samdb = self.get_rodc_samdb()
+            rodc_dn = self.get_server_dn(rodc_samdb)
+
             # Deny replicating this account's secrets to the RODC.
             self.add_to_group(dn, rodc_dn, 'msDS-NeverRevealGroup')
 
-- 
2.47.2