samba/backport-0014-CVE-2020-25717-s3-auth-Check-minimum-domain-uid.patch

From ce47a81eb5f79dd3f54b300f6a9a7ccac9c1296a Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@samba.org>
Date: Tue, 28 Sep 2021 10:45:11 +0200
Subject: [PATCH 117/266] CVE-2020-25717: s3:auth: Check minimum domain uid

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

[abartlet@samba.org Removed knownfail on advice from metze]
---
 source3/auth/auth_util.c            | 16 ++++++++++++++++
 1 files changed, 16 insertions(+)
 delete mode 100644 selftest/knownfail.d/min_domain_uid

Conflict:delete a chunk which delete a file do not exist
Reference:https://git.samba.org/samba.git/?p=samba.git;a=patch;h=ce47a81eb5f79dd3f54b300f6a9a7ccac9c1296a

diff --git a/source3/auth/auth_util.c b/source3/auth/auth_util.c
index 4686b29111e..4de4bc74374 100644
--- a/source3/auth/auth_util.c
+++ b/source3/auth/auth_util.c
@@ -2103,6 +2103,22 @@ NTSTATUS make_server_info_info3(TALLOC_CTX *mem_ctx,
 			}
 		}
 		goto out;
+	} else if ((lp_security() == SEC_ADS || lp_security() == SEC_DOMAIN) &&
+		   !is_myname(domain) && pwd->pw_uid < lp_min_domain_uid()) {
+		/*
+		 * !is_myname(domain) because when smbd starts tries to setup
+		 * the guest user info, calling this function with nobody
+		 * username. Nobody is usually uid 65535 but it can be changed
+		 * to a regular user with 'guest account' parameter
+		 */
+		nt_status = NT_STATUS_INVALID_TOKEN;
+		DBG_NOTICE("Username '%s%s%s' is invalid on this system, "
+			   "it does not meet 'min domain uid' "
+			   "restriction (%u < %u): %s\n",
+			   nt_domain, lp_winbind_separator(), nt_username,
+			   pwd->pw_uid, lp_min_domain_uid(),
+			   nt_errstr(nt_status));
+		goto out;
 	}
 
 	result = make_server_info(tmp_ctx);
-- 
2.23.0