The branch, master has been updated via 81aa4efa7b7 s4:kdc: Make RBCD access check less strict from 971441ca524 third_party/heimdal: Fix build with gcc version 12.1
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 81aa4efa7b7d1d22206572fcc377375579659dd1 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon May 2 10:50:33 2022 +1200 s4:kdc: Make RBCD access check less strict Windows only requires SEC_ADS_CONTROL_ACCESS for the check to pass. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org> Autobuild-Date(master): Tue Jun 14 15:38:23 UTC 2022 on sn-devel-184 ----------------------------------------------------------------------- Summary of changes: python/samba/tests/krb5/kdc_base_test.py | 2 +- source4/kdc/db-glue.c | 7 ++++++- 2 files changed, 7 insertions(+), 2 deletions(-) Changeset truncated at 500 lines:
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index 22db004f879..d9efde8273a 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -363,7 +363,7 @@ class KDCBaseTest(RawKerberosTest):
 owner_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
 ace = security.ace()
- ace.access_mask = security.SEC_ADS_GENERIC_ALL
+ ace.access_mask = security.SEC_ADS_CONTROL_ACCESS
 ace.trustee = security.dom_sid(sid)
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 6965ca68563..172a34194c6 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
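Review bot: The fixture ACE at `ace.access_mask = security.SEC_ADS_CONTROL_ACCESS` now grants exactly the single bit the KDC is meant to require, so the suite demonstrates only that the minimum mask is accepted; a companion case whose ACE mask omits SEC_ADS_CONTROL_ACCESS, expected to be refused, would pin the lower bound of the relaxed check rather than just confirm its upper bound. A short comment such as `# SEC_ADS_CONTROL_ACCESS is the minimum a Windows KDC requires for RBCD` would also record why the fixture no longer uses SEC_ADS_GENERIC_ALL. The enclosing method of KDCBaseTest starts and ends outside the hunk, so which KDC path consumes this ACE cannot be confirmed here.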
@@ -3039,7 +3039,12 @@ krb5_error_code samba_kdc_check_s4u2proxy_rbcd( struct auth_user_info_dc *user_info_dc = NULL; struct auth_session_info *session_info = NULL; uint32_t session_info_flags = AUTH_SESSION_INFO_SIMPLE_PRIVILEGES; - uint32_t access_desired = SEC_ADS_GENERIC_ALL; /* => 0x000f01ff */ + /* + * Testing shows that although Windows grants SEC_ADS_GENERIC_ALL access + * in security descriptors it creates for RBCD, its KDC only requires + * SEC_ADS_CONTROL_ACCESS for the access check to succeed. + */ + uint32_t access_desired = SEC_ADS_CONTROL_ACCESS; uint32_t access_granted = 0; NTSTATUS nt_status; TALLOC_CTX *mem_ctx = NULL; -- Samba Shared Repository
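Review bot: The new comment above `uint32_t access_desired = SEC_ADS_CONTROL_ACCESS;` justifies widening the set of ACEs that satisfy the RBCD check by observed behaviour alone, so it should name what pins that observation, e.g. add `* The required mask is exercised by python/samba/tests/krb5/kdc_base_test.py; change both together.` inside the comment block. The removed line carried the numeric value of the old mask (`/* => 0x000f01ff */`); carrying an equivalent annotation for the new constant would help anyone comparing a traced access_granted value against it. How access_granted is tested against access_desired is outside the hunk, so whether the comparison requires every desired bit or merely a non-zero intersection cannot be confirmed here; samba_kdc_check_s4u2proxy_rbcd starts and ends outside the hunk.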