Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at
Bug 2021728 (CVE-2020-25721) - CVE-2020-25721 samba: Kerberos acceptors need easy access to stableAD identifiers (eg objectSid)
Summary: CVE-2020-25721 samba: Kerberos acceptors need easy access to stableAD identif...
Alias: CVE-2020-25721
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 2021729
TreeView+ depends on / blocked
Reported: 2021-11-10 03:31 UTC by Huzaifa S. Sidhpurwala
Modified: 2023-03-14 12:16 UTC (History)
16 users (show)

Fixed In Version: samba 4.15.2, samba 4.14.10, samba 4.13.14
Doc Type: No Doc Update
Doc Text:
Clone Of:
Last Closed: 2021-11-10 04:27:37 UTC

Attachments (Terms of Use)

Description Huzaifa S. Sidhpurwala 2021-11-10 03:31:32 UTC
As per upstream report:

In order to avoid issues like CVE-2020-25717 AD Kerberos accepting services need access to unique, and ideally long-term stable identifiers of a user to perform authorization.

The AD PAC provides this, but the most useful information is kept in a buffer which is NDR encoded, which means that so far in Free Software
only Samba and applications which use Samba components under the hood like FreeIPA and SSSD decode PAC.

Recognising that the issues seen in Samba are not unique, Samba now provides an extension to UPN_DNS_INFO, a component of the AD PAC, in a
way that can be parsed using basic pointer handling.

From this, future non-Samba based Kerberised applications can easily obtain the user's SID, in the same packing as objectSID in LDAP, confident
that the ticket represents a specific user, not matter subsequent renames.

This will allow such non-Samba applications to avoid confusing one Kerberos user for another, even if they have the same string name (due
to the gap between time of ticket printing by the KDC and time of ticket acceptance).

Comment 1 Huzaifa S. Sidhpurwala 2021-11-10 03:31:59 UTC
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 2021729]

Note You need to log in before you can comment on or make changes to this bug.