IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

ipa-kdb: Use proper account flags for Kerberos principal in PAC

Browse Source 
As part of CVE-2020-25717 mitigations, Samba expects correct user
account flags in the PAC. This means for services and host principals we
should be using ACB_WSTRUST or ACB_SVRTRUST depending on whether they
run on IPA clients ("workstation" or "domain member") or IPA servers
("domain controller").

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This commit is contained in:
Alexander Bokovoy 2021-10-29 22:30:53 +03:00 committed by Rob Crittenden
parent 0022bd70d9
commit 3042a1d544
1 changed files with 15 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
daemons/ipa-kdb/ipa_kdb_mspac.c
View File

@ -648,6 +648,11 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
info3->base.logon_count = 0; /* we do not have this info yet */
info3->base.bad_password_count = 0; /* we do not have this info yet */
/* Use AES keys by default to detect changes.
* This bit is not used by Windows clients and servers so we can
* clear it after detecting the changes */
info3->base.acct_flags = ACB_USE_AES_KEYS;
if ((is_host || is_service)) {
/* it is either host or service, so get the hostname first */
char *sep = strchr(info3->base.account_name.string, '/');
@ -655,11 +660,13 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
ipactx,
sep ? sep + 1 : info3->base.account_name.string);
if (is_master) {
/* Well know RID of domain controllers group */
/* Well known RID of domain controllers group */
info3->base.rid = 516;
info3->base.acct_flags |= ACB_SVRTRUST;
} else {
/* Well know RID of domain computers group */
/* Well known RID of domain computers group */
info3->base.rid = 515;
info3->base.acct_flags |= ACB_WSTRUST;
}
} else {
ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
@ -799,9 +806,13 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
/* always zero out, not used for Krb, only NTLM */
memset(&info3->base.LMSessKey, '\0', sizeof(info3->base.LMSessKey));
/* TODO: fill based on objectclass, user vs computer, etc... */
info3->base.acct_flags = ACB_NORMAL; /* samr_AcctFlags */
/* If account type was not set before, default to ACB_NORMAL */
if (!(info3->base.acct_flags & ~ACB_USE_AES_KEYS)) {
info3->base.acct_flags |= ACB_NORMAL; /* samr_AcctFlags */
}
/* Clear ACB_USE_AES_KEYS as it is not used by Windows */
info3->base.acct_flags &= ~ACB_USE_AES_KEYS;
info3->base.sub_auth_status = 0;
info3->base.last_successful_logon = 0;
info3->base.last_failed_logon = 0;