samba/backport-0011-CVE-2020-25722-s4-provision-add-host-SPNs-at-the-sta.patch
haochenstar 8378df4821 fix CVE-2020-25717,CVE-2020-25718,CVE-2020-25719,CVE-2020-25721,CVE-2020-25722,CVE-2016-2124,CVE-2021-3738
(cherry picked from commit aee849c6c0708056f62f6445e3b5274d1cec6408)
2022-01-19 11:41:35 +08:00


From 50f5069a73ac689d3b5fb56fdc652aefb57d396a Mon Sep 17 00:00:00 2001
From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Thu, 28 Oct 2021 09:45:36 +1300
Subject: [PATCH 146/266] CVE-2020-25722 s4/provision: add host/ SPNs at the
start

There are two reasons for this. Firstly, leaving SPNs unclaimed is
dangerous, as someone else could grab them first. Secondly, in some
circumstances (self join) we try to add a DNS/ SPN a little bit later
in provision. Under the rules we are introducing for CVE-2020-25722,
this will make our later attempts to add HOST/ fail.

This causes a few errors in samba4.blackbox.dbcheck.* tests, which
assert that revivified old domains match stored reference versions.
Now they don't, because they have servicePrincipalNames.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Conflict:NA
Reference:https://gitlab.com/samba-team/samba/-/commit/50f5069a73ac689d3b5fb56fdc652aefb57d396a
---
selftest/knownfail.d/cve-2020-25722-provision | 4 ++++
source4/setup/provision_self_join.ldif | 9 +++++++--
2 files changed, 11 insertions(+), 2 deletions(-)
create mode 100644 selftest/knownfail.d/cve-2020-25722-provision
diff --git a/selftest/knownfail.d/cve-2020-25722-provision b/selftest/knownfail.d/cve-2020-25722-provision
new file mode 100644
index 00000000000..7fd4b4b3763
--- /dev/null
+++ b/selftest/knownfail.d/cve-2020-25722-provision
@@ -0,0 +1,4 @@
+samba4.blackbox.dbcheck.release-4-0-0
+samba4.blackbox.dbcheck.release-4-0-0.quick
+samba4.blackbox.upgradeprovision.release-4-0-0
+samba4.blackbox.functionalprep.check_databases_same
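Review bot: The new knownfail file masks four whole test names with no comment saying why, so any unrelated regression in the dbcheck, upgradeprovision or functionalprep checks would now pass unnoticed. The commit message gives the reason (the revived domains now carry servicePrincipalName values that the stored reference versions lack); please put that reason in the file as a comment, and either narrow the entries to the specific comparisons that differ or note that the reference data will be updated so this file can be removed again.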
diff --git a/source4/setup/provision_self_join.ldif b/source4/setup/provision_self_join.ldif
index f77ac5710ec..92bf4d9cf8f 100644
--- a/source4/setup/provision_self_join.ldif
+++ b/source4/setup/provision_self_join.ldif
@@ -15,11 +15,16 @@ localPolicyFlags: 0
operatingSystem: Samba
operatingSystemVersion: ${SAMBA_VERSION_STRING}
sAMAccountName: ${NETBIOSNAME}$
-# The "servicePrincipalName" updates are now handled by the "samba_spnupdate"
-# script
userAccountControl: 532480
clearTextPassword:: ${MACHINEPASS_B64}
objectSid: ${DOMAINSID}-${DCRID}
+# While some "servicePrincipalName" updates might be handled by the
+# "samba_spnupdate" script, we need to get the basics in here before
+# we add any others.
+servicePrincipalName: HOST/${DNSNAME}
+servicePrincipalName: HOST/${NETBIOSNAME}
+servicePrincipalName: HOST/${DNSNAME}/${DNSNAME}
+
dn: CN=RID Set,CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN}
objectClass: rIDSet
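Review bot: The third added value, "servicePrincipalName: HOST/${DNSNAME}/${DNSNAME}", repeats the host's DNS name in both the instance and the trailing component, and nothing in the new comment says whether that is intended or whether a domain variable was meant for the last part. Please confirm the form and say so in the comment. The comment would also be more useful if it named which SPNs are still left to samba_spnupdate and stated the ordering constraint from the commit message (the HOST/ values must exist before the later DNS/ addition in the self-join path), since "we need to get the basics in here" does not tell a future editor what breaks if these lines are moved or dropped.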
--
2.23.0