From fa65ceb3dc3469019ec801d0a2a2272ae32308ed Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Fri, 29 Oct 2021 15:53:33 +1300
Subject: [PATCH] CVE-2020-25718 heimdal:kdc: Add comment about tests for
 tickets of users not revealed to an RODC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14886

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 selftest/knownfail_heimdal_kdc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 38c383450a7..0f62627ae31 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -88,7 +88,9 @@
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_no_auth_data_required_a
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_no_auth_data_required_b
 #
-# KDC TGT tests
+# https://bugzilla.samba.org/show_bug.cgi?id=14886: Tests for accounts not revealed to the RODC
+#
+# The KDC should not accept tickets from an RODC for accounts not in the msDS-RevealedUsers list.
 #
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_not_revealed
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_not_revealed
-- 
2.11.4.GIT