[SCM] Samba Shared Repository - branch master updated

Andreas Schneider asn at samba.org
Tue Jun 14 15:39:02 UTC 2022


The branch, master has been updated
       via  81aa4efa7b7 s4:kdc: Make RBCD access check less strict
      from  971441ca524 third_party/heimdal: Fix build with gcc version 12.1

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 81aa4efa7b7d1d22206572fcc377375579659dd1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon May 2 10:50:33 2022 +1200

    s4:kdc: Make RBCD access check less strict
    
    Windows only requires SEC_ADS_CONTROL_ACCESS for the check to pass.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Tue Jun 14 15:38:23 UTC 2022 on sn-devel-184

-----------------------------------------------------------------------

Summary of changes:
 python/samba/tests/krb5/kdc_base_test.py | 2 +-
 source4/kdc/db-glue.c                    | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index 22db004f879..d9efde8273a 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -363,7 +363,7 @@ class KDCBaseTest(RawKerberosTest):
         owner_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
 
         ace = security.ace()
-        ace.access_mask = security.SEC_ADS_GENERIC_ALL
+        ace.access_mask = security.SEC_ADS_CONTROL_ACCESS
 
         ace.trustee = security.dom_sid(sid)
 
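Review bot: With `ace.access_mask = security.SEC_ADS_CONTROL_ACCESS` as the only mask built here, KDCBaseTest no longer exercises a descriptor carrying SEC_ADS_GENERIC_ALL, which the db-glue.c comment in this same commit says is what Windows itself writes for RBCD. Consider making the mask a parameter that defaults to SEC_ADS_CONTROL_ACCESS, then adding one case that still succeeds with SEC_ADS_GENERIC_ALL and one that is rejected when the ACE lacks SEC_ADS_CONTROL_ACCESS, so the relaxed check is pinned from both sides.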
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 6965ca68563..172a34194c6 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -3039,7 +3039,12 @@ krb5_error_code samba_kdc_check_s4u2proxy_rbcd(
 	struct auth_user_info_dc *user_info_dc = NULL;
 	struct auth_session_info *session_info = NULL;
 	uint32_t session_info_flags = AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
-	uint32_t access_desired = SEC_ADS_GENERIC_ALL; /* => 0x000f01ff */
+	/*
+	 * Testing shows that although Windows grants SEC_ADS_GENERIC_ALL access
+	 * in security descriptors it creates for RBCD, its KDC only requires
+	 * SEC_ADS_CONTROL_ACCESS for the access check to succeed.
+	 */
+	uint32_t access_desired = SEC_ADS_CONTROL_ACCESS;
 	uint32_t access_granted = 0;
 	NTSTATUS nt_status;
 	TALLOC_CTX *mem_ctx = NULL;
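Review bot: On the `access_desired` initialiser, the new comment cites "Testing shows" without naming the Windows release or the test that backs it, and the numeric annotation the old line carried (`/* => 0x000f01ff */`) is dropped rather than updated for the new mask. Because this lowers the right a trustee must hold in the RBCD security descriptor for samba_kdc_check_s4u2proxy_rbcd() to pass, please record the tested Windows version in the comment or commit message and keep a value annotation next to SEC_ADS_CONTROL_ACCESS, which helps when comparing against access_granted in logs.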


-- 
Samba Shared Repository


