== Subject:     Samba AD DC did not always rely on the SID
==              and PAC in Kerberos tickets.
== CVE ID#:     CVE-2020-25719
== Versions:    Samba 4.0.0 and later
== Summary:     The Samba AD DC, could become confused about
==              the user a ticket represents if it did not
==              strictly require a Kerberos PAC and always use
==              the SIDs found within.  The result could include total
==              domain compromise.


Samba as an Active Directory Domain Controller is based on Kerberos,
which provides name-based authentication.  These names are often then
used for authorization.

However Microsoft Windows and Active Direcory is SID-based.  SIDs in
Windows, similar to UIDs in Linux/Unix (if managed well) are globally
unique and survive name changes.  At the meeting of these two
authorization schemes it is possible to confuse a server into acting
as one user when holding a ticket for another.

A Kerberos ticket, once issued, may be valid for some time, often 10
hours but potentially longer.  In Active Directory, it may or may not
carry a PAC, holding the user's SIDs.

A simple example of the problem is on Samba's LDAP server, which
would, unless "gensec:require_pac = true" was set, permit a fall back
to using the name in the Kerberos ticket alone.  (All Samba AD
services fall to the same issue in one way or another, LDAP is just a
good example).

Delegated administrators with the right to create other user or
machine accounts can abuse the race between the time of ticket issue
and the time of presentation (back to the AD DC) to impersonate a
different account, including a highly privileged account.

This could allow total domain compromise.

Behaviour changes

Samba as an AD DC will now always issue a Kerberos PAC in the AD-REQ
and require that tickets presented back to the DC have a PAC, both in
the KDC and elsewhere.

Tickets issued by an unpatched DC that do not have a Kerberos PAC (eg
with the --no-request-pac option to MIT kerberos kinit) will be denied
after the upgrade, even if they are otherwise still valid.

This also means that the Kerberos TCP transport is likely to be
required to connect to the Samba AD DC, as a PAC is unlikely to fit in
a UDP packet.  PAC-free tickets are still supported for target
services (eg NFS), via an flag within the PAC preventing it being
put into the final ticket.

Patch Availability

Patches addressing both these issues have been posted to:

Additionally, Samba  4.15.2, 4.14.10 and 4.13.14 have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

CVSSv3 calculation

This CVSSv3 calculation is assuming the other Samba issues are
addressed, and user/computer creation is an at least partially
privileged action.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (7.2)



Originally reported by Andrew Bartlett.

Patches provided by:
 - Andrew Bartlett of Catalyst and the Samba Team.
 - Joseph Sutton of Catalyst and the Samba Team
 - Andreas Schneider of Red Hat and the Samba Team
 - Stefan Metzmacher of SerNet and the Samba Team

Advisory written by Andrew Bartlett of Catalyst

Catalyst would like to particularly thank Red Hat and SerNet for their
contribution to fixing this issue.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team