DelegationNotAllowed not being enforced

Description

The S4U (MS-SFU) Kerberos delegation model includes a feature allowing
for a subset of clients to be opted out of constrained delegation in
any way, either S4U2Self or regular Kerberos authentication, by
forcing all tickets for these clients to be non-forwardable. In AD
this is implemented by a user attribute delegation_not_allowed (aka
not-delegated), which translates to disallow-forwardable.

However the Samba AD DC does not do that for S4U2Self and does set the
forwardable flag even if the impersonated client has the not-delegated
flag set.

Note: while the experimental MIT AD-DC build does not support S4U, it
should still be patched due to a related bug in regular authentication.

Patch Availability

Patches addressing both these issues have been posted to:

https://www.samba.org/samba/security/

Additionally, Samba 4.11.3, 4.10.11 and 4.9.17 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

CVSSv3 calculation

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Workaround and mitigation

Only clients configured directly in LDAP or via a Windows tools
could have been marked as sensitive and so have been expected to have
this protection. Therefore most Samba sites will not have been using
this feature and so are not impacted either way.

Credits

Originally reported by Isaac Boukris of Red Hat and the Samba Team.

Patches provided by Isaac Boukris of Red Hat and the Samba Team.

Advisory written by Andrew Bartlett of Catalyst and Isaac Boukris of
Red Hat and the Samba Team.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team