ea8e8a4a8a
Assists Samba to address CVE-2020-25719 Passing in target_server as a string principal means that for an alias we must looking up the DB twice. This is subject to a race and is a poor use of resources, so instead just pass in the record we already got when trying to confirm that the server in S4U2Self is the same as the requesting client. We also avoid doing a name comparison if the HDB plugin provides a validation hook, this allows the HDB layer more freedom to choose how to handle things. In Samba AD the client record has already been bound to the the original client by the SID check in the PAC, so the record is known to match the ticket. Likewise by looking up server only once we ensure that the keys looked up originally (to decrypt) are in the record we confirm the SID for here. Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686 Signed-off-by: Andrew Bartlett <abartlet@samba.org> (Based on Samba commit 05898cfb139ae0674c8251acc9d64c4c3d4c8376)
Heimdal
Heimdal is an implementation of:
- ASN.1/DER,
- PKIX, and
- Kerberos.
For information how to install see here.
There are man pages for most of the commands.
Bug reports and bugs are appreciated. Use GitHub issues.
For more information see the project homepage https://heimdal.software/heimdal/ or the mailing lists:
heimdal-announce@heimdal.software low-volume announcement heimdal-discuss@heimdal.software high-volume discussion
send mail to heimdal-announce-subscribe@heimdal.software and heimdal-discuss-subscribe@heimdal.software respectively to subscribe.
Build Status