authorAndrew Bartlett <abartlet@samba.org>2021-10-01 12:29:49 +1300
committerJule Anger <janger@samba.org>2021-11-09 19:45:34 +0000
commitc70710a0483e500f03e59df4dd759e6033975c15 (patch)
tree32721bceec0783e90e35ceadf5bdceb7d4733c69
parent16f96dbb5d4b2262c5ba85fb32a479f0cb66ed23 (diff)
downloadsamba-c70710a0483e500f03e59df4dd759e6033975c15.tar.gz
CVE-2020-25718 s4-rpc_server: Remove unused attributes in RODC check
In particular the objectGUID is no longer used, and in the NETLOGON case the special case for msDS-KrbTgtLink does not apply. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-rw-r--r--source4/rpc_server/drsuapi/getncchanges.c1
-rw-r--r--source4/rpc_server/netlogon/dcerpc_netlogon.c4
2 files changed, 1 insertions, 4 deletions
diff --git a/source4/rpc_server/drsuapi/getncchanges.c b/source4/rpc_server/drsuapi/getncchanges.c
index 11a6c93d4cd..3ec5acb5353 100644
--- a/source4/rpc_server/drsuapi/getncchanges.c
+++ b/source4/rpc_server/drsuapi/getncchanges.c
@@ -1171,7 +1171,6 @@ static WERROR getncchanges_repl_secret(struct drsuapi_bind_state *b_state,
const char *rodc_attrs[] = { "msDS-KrbTgtLink",
"msDS-NeverRevealGroup",
"msDS-RevealOnDemandGroup",
- "objectGUID",
"userAccountControl",
NULL };
const char *obj_attrs[] = { "tokenGroups", "objectSid", "UserAccountControl", "msDS-KrbTgtLinkBL", NULL };
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 5838eebc6cc..904f430079a 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -2851,10 +2851,8 @@ static bool sam_rodc_access_check(struct ldb_context *sam_ctx,
struct dom_sid *user_sid,
struct ldb_dn *obj_dn)
{
- const char *rodc_attrs[] = { "msDS-KrbTgtLink",
- "msDS-NeverRevealGroup",
+ const char *rodc_attrs[] = { "msDS-NeverRevealGroup",
"msDS-RevealOnDemandGroup",
- "objectGUID",
"userAccountControl",
NULL };
const char *obj_attrs[] = { "tokenGroups", "objectSid", "UserAccountControl", "msDS-KrbTgtLinkBL", NULL };
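Review bot: In sam_rodc_access_check, `obj_attrs` still requests `msDS-KrbTgtLinkBL` although this hunk drops `msDS-KrbTgtLink` from `rodc_attrs` because the krbtgt-link special case does not apply to NETLOGON. The function body continues outside the hunk, so whether the back-link is still read cannot be confirmed here; if it is not, it should be dropped in the same commit so that the check fetches only the attributes that decide whether a secret may be revealed to the RODC. The list now deliberately differs from the one kept in getncchanges_repl_secret, so a comment above `rodc_attrs` would stop a later change from re-syncing the two, for example `/* msDS-KrbTgtLink is intentionally not fetched: its special case does not apply to NETLOGON */`. As a minor style point, `obj_attrs` spells `UserAccountControl` while `rodc_attrs` spells `userAccountControl`; using one spelling makes the lists easier to grep.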