File _service:tar_scm_kernel_repo:backport-0034-CVE-... of Package samba

File _service:tar_scm_kernel_repo:backport-0034-CVE-2020-25722-kdc-Do-not-honour-a-request-for-a-3-p.patch of Package samba

From b6ab45da636118da83443516eee7d314f19b4e22 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Mon, 4 Oct 2021 15:18:34 +1300
Subject: [PATCH 235/266] CVE-2020-25722 kdc: Do not honour a request for a
 3-part SPN (ending in our domain/realm) unless a DC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Conflict:remove test
Reference:https://gitlab.com/samba-team/samba/-/commit/b6ab45da636118da83443516eee7d314f19b4e22

---
 source4/kdc/db-glue.c          | 23 +++++++++++++++++++++++
 1 files changed, 23 insertions(+), 0 deletions(-)

diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index d55bf1663d4..0f19e8d1c93 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -968,6 +968,29 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
 			entry_ex->entry.flags.server = 0;
 		}
 	}
+
+	/*
+	 * We restrict a 3-part SPN ending in my domain/realm to full
+	 * domain controllers.
+	 *
+	 * This avoids any cases where (eg) a demoted DC still has
+	 * these more restricted SPNs.
+	 */
+	if (krb5_princ_size(context, principal) > 2) {
+		char *third_part
+			= smb_krb5_principal_get_comp_string(mem_ctx,
+							     context,
+							     principal,
+							     2);
+		bool is_our_realm =
+			 lpcfg_is_my_domain_or_realm(lp_ctx,
+						     third_part);
+		bool is_dc = userAccountControl &
+			(UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT);
+		if (is_our_realm && !is_dc) {
+			entry_ex->entry.flags.server = 0;
+		}
+	}
 	/*
 	 * To give the correct type of error to the client, we must
 	 * not just return the entry without .server set, we must
-- 
2.23.0