[SCM] Samba Shared Repository - branch master updated
Andreas Schneider
asn at samba.org
Tue Jun 14 15:39:02 UTC 2022
The branch, master has been updated
via 81aa4efa7b7 s4:kdc: Make RBCD access check less strict
from 971441ca524 third_party/heimdal: Fix build with gcc version 12.1
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 81aa4efa7b7d1d22206572fcc377375579659dd1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon May 2 10:50:33 2022 +1200
s4:kdc: Make RBCD access check less strict
Windows only requires SEC_ADS_CONTROL_ACCESS for the check to pass.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Tue Jun 14 15:38:23 UTC 2022 on sn-devel-184
-----------------------------------------------------------------------
Summary of changes:
python/samba/tests/krb5/kdc_base_test.py | 2 +-
source4/kdc/db-glue.c | 7 ++++++-
2 files changed, 7 insertions(+), 2 deletions(-)
Changeset truncated at 500 lines:
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index 22db004f879..d9efde8273a 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -363,7 +363,7 @@ class KDCBaseTest(RawKerberosTest):
owner_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
ace = security.ace()
- ace.access_mask = security.SEC_ADS_GENERIC_ALL
+ ace.access_mask = security.SEC_ADS_CONTROL_ACCESS
ace.trustee = security.dom_sid(sid)
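Review bot: With ace.access_mask in this KDCBaseTest helper switched to security.SEC_ADS_CONTROL_ACCESS, the helper no longer builds an RBCD descriptor carrying security.SEC_ADS_GENERIC_ALL, which the db-glue.c comment in this same commit says is the mask Windows itself writes. Consider making the mask a parameter of the helper so both values are exercised, and adding a negative case whose ACE omits SEC_ADS_CONTROL_ACCESS, so the relaxed check is shown to still reject something.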
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 6965ca68563..172a34194c6 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -3039,7 +3039,12 @@ krb5_error_code samba_kdc_check_s4u2proxy_rbcd(
struct auth_user_info_dc *user_info_dc = NULL;
struct auth_session_info *session_info = NULL;
uint32_t session_info_flags = AUTH_SESSION_INFO_SIMPLE_PRIVILEGES;
- uint32_t access_desired = SEC_ADS_GENERIC_ALL; /* => 0x000f01ff */
+ /*
+ * Testing shows that although Windows grants SEC_ADS_GENERIC_ALL access
+ * in security descriptors it creates for RBCD, its KDC only requires
+ * SEC_ADS_CONTROL_ACCESS for the access check to succeed.
+ */
+ uint32_t access_desired = SEC_ADS_CONTROL_ACCESS;
uint32_t access_granted = 0;
NTSTATUS nt_status;
TALLOC_CTX *mem_ctx = NULL;
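Review bot: The new access_desired in samba_kdc_check_s4u2proxy_rbcd() narrows the required rights from SEC_ADS_GENERIC_ALL to SEC_ADS_CONTROL_ACCESS, so an ACE in the RBCD descriptor that grants only control access now passes the check; since this is an authorization decision, the comment should state that consequence and not only the Windows observation. "Testing shows" would be more useful with the Windows version it was tested against, and the removed line's numeric annotation (/* => 0x000f01ff */) has no counterpart for the new mask; adding one keeps the value easy to compare against descriptors read from the directory.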
--
Samba Shared Repository