[SCM] Samba Shared Repository - branch v4-15-test updated

Stefan Metzmacher metze at samba.org
Wed Dec 14 10:31:24 UTC 2022


The branch, v4-15-test has been updated
       via  d1cfdcf3a3d CVE-2022-37966 python:/tests/krb5: call sys.path.insert(0, "bin/python") before any other imports
       via  48d6042dddf CVE-2022-37966 samba-tool: add 'domain trust modify' command
       via  89b1c78b520 CVE-2022-37966 s4:kdc: apply restrictions of "kdc supported enctypes"
       via  18996e99712 CVE-2022-37966 param: Add support for new option "kdc supported enctypes"
       via  34fc0da7869 CVE-2022-37966 param: let "kdc default domain supportedenctypes = 0" mean the default
       via  693a247d3b2 CVE-2022-37966 param: don't explicitly initialize "kdc force enable rc4 weak session keys" to false/"no"
       via  ee9ffe50e99 CVE-2022-37966 s4:kdc: announce PA-SUPPORTED-ETYPES like windows.
       via  1815d339417 CVE-2022-37966 python:tests/krb5: test much more etype combinations
       via  d6b9e8b3397 CVE-2022-37966 python:tests/krb5: add better PADATA_SUPPORTED_ETYPES assert message
       via  25d88118903 CVE-2022-37966 python:tests/krb5: add 'force_nt4_hash' for account creation of KDCBaseTest
       via  c768a27bc13 CVE-2022-37966 python:tests/krb5: ignore empty supplementalCredentials attributes
       via  9049c5442aa CVE-2022-37966 python:tests/krb5: allow ticket/supported_etypes to be passed KdcTgsBaseTests._{as,tgs}_req()
       via  a1e91681158 CVE-2022-37966 python:tests/krb5: fix some tests running against Windows 2022
       via  1db952fab82 CVE-2022-37966 s4:libnet: allow python bindings to force setting an nthash via SAMR level 18
       via  91a030cbf58 CVE-2022-37966 s4:libnet: add support LIBNET_SET_PASSWORD_SAMR_HANDLE_18 to set nthash only
       via  eed3d6a3962 CVE-2022-37966 s4:libnet: initialize libnet_SetPassword() arguments explicitly to zero by default.
       via  0d7dc04404d CVE-2022-37966 drsuapi.idl: add trustedDomain related ATTID values
       via  527a164b410 CVE-2022-37966 s4:kdc: use the strongest possible keys
       via  8b8835b09fa CVE-2022-37966 s4:pydsdb: add ENC_HMAC_SHA1_96_AES256_SK
       via  f644fc69971 CVE-2022-37966 s3:net_ads: let 'net ads enctypes list' pretty print AES256-SK and RESOURCE-SID-COMPRESSION-DISABLED
       via  716149ed2bc CVE-2022-37966 s3:net_ads: no longer reference des encryption types
       via  5f9e13ce20a CVE-2022-37966 s3:libnet: no longer reference des encryption types
       via  153e4a39142 CVE-2022-37966 s3:libads: no longer reference des encryption types
       via  ac6563e70ad CVE-2022-37966 lib/krb5_wrap: no longer reference des encryption types
       via  ece27efe594 CVE-2022-37966 s3:net_ads: remove unused ifdef HAVE_ENCTYPE_AES*
       via  c23c17a8d75 CVE-2022-37966 s3:libnet: remove unused ifdef HAVE_ENCTYPE_AES*
       via  6db1a9a9648 CVE-2022-37966 s3:libads: remove unused ifdef HAVE_ENCTYPE_AES*
       via  c0a367ad02a CVE-2022-37966 lib/krb5_wrap: remove unused ifdef HAVE_ENCTYPE_AES*
       via  5127bcfded4 CVE-2022-37966 system_mitkrb5: require support for aes enctypes
       via  a4deabde39e CVE-2022-37966 wafsamba: add support for CHECK_VARIABLE(mandatory=True)
       via  a7e2f5d32e5 CVE-2022-37966 kdc: Assume trust objects support AES by default
       via  1e32bfc0fdd CVE-2022-37966 kdc: Implement new Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
       via  701b2650d1b CVE-2022-37966 s4:torture: Expect referral ticket enc-part encrypted with AES256 rather than RC4
       via  590228fd72f CVE-2022-37966 auth/credentials: Allow specifying password to cli_credentials_get_aes256_key()
       via  eefa5532055 CVE-2022-37966 auth/credentials: Add cli_credentials_get_aes256_key()
       via  33e5f0b4a44 CVE-2022-37966 Fix enctype selection issues for PAC and other authz-data signatures
       via  cc6196fa005 CVE-2022-37966 selftest: Run S4U tests against FL2003 DC
       via  c273cb75625 CVE-2022-37966 selftest: Add tests for Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
       via  84c28b05a0a CVE-2022-37966 samba-tool: Declare explicitly RC4 support of trust objects
       via  0ad59767324 CVE-2022-37966 samba-tool: Fix 'domain trust create' documentation
       via  1c06e8b08ca CVE-2022-37966 third_party/heimdal: Fix error message typo
       via  36d5770585a CVE-2022-37966 param: Add support for new option "kdc force enable rc4 weak session keys"
       via  1daea832104 CVE-2022-37966 param: Add support for new option "kdc default domain supportedenctypes"
       via  d775f1ed43a CVE-2022-37967 Add new PAC checksum
       via  4650ce1fa5c CVE-2022-37966 HEIMDAL: Look up the server keys to combine with clients etype list to select a session key
       via  fed97f46265 CVE-2022-37966 selftest: Don't strictly check etype-info when obtaining a TGT
       via  07edcef7463 CVE-2022-37966 tests/krb5: Add a test requesting tickets with various encryption types
       via  92763515d9f CVE-2022-37966 tests/krb5: Add 'etypes' parameter to _tgs_req()
       via  b4be18abf9b CVE-2022-37966 tests/krb5: Split out _tgs_req() into base class
       via  e24512a20ae CVE-2022-37966 selftest: Allow krb5 tests to run against an IP by using the target_hostname binding string
       via  e2ac180984e CVE-2022-37966 libcli/auth: let netlogon_creds_cli_warn_options() about "kerberos encryption types=legacy"
       via  30202568a18 CVE-2022-37966 testparm: warn about 'kerberos encryption types = legacy'
       via  097fa693ded CVE-2022-37966 docs-xml/smbdotconf: "kerberos encryption types = legacy" should not be used
       via  4543bd706e5 CVE-2022-37966 s3:utils: Fix old-style function definition
       via  6f94a270722 CVE-2022-37966 s3:client: Fix old-style function definition
       via  0fe0643e0b7 CVE-2022-37966 s3:param: Fix old-style function definition
       via  25402db19b9 CVE-2022-37966 tests/krb5: Allow passing expected etypes to get_keys()
       via  8f40d9b7dd2 CVE-2022-37966 s4:kdc: Move supported enc-type handling out of samba_kdc_message2entry_keys()
       via  86834042a18 CVE-2022-37966 s4:kdc: Set supported enctypes in KDC entry
       via  d09d8f995c9 CVE-2022-37966 tests/krb5: Update supported enctype checking
       via  900c6e2268d CVE-2022-37966 tests/krb5: Check encrypted-pa-data if present
       via  d10dfa85819 CVE-2022-38023 testparm: warn about unsecure schannel related options
       via  28ac3faa51c CVE-2022-38023 testparm: warn about server/client schannel != yes
       via  93e4e50d250 CVE-2022-38023 s4:rpc_server/netlogon: implement "server schannel require seal[:COMPUTERACCOUNT]"
       via  15792b4035d CVE-2022-38023 s4:rpc_server/netlogon: add a per connection cache to dcesrv_netr_check_schannel()
       via  dba546dbfa5 CVE-2022-38023 docs-xml/smbdotconf: add "server schannel require seal[:COMPUTERACCOUNT]" options
       via  2b0dc83e064 CVE-2022-38023 s4:rpc_server/netlogon: make sure all dcesrv_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
       via  57986cad714 CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_check_schannel() function
       via  08b69ca61f7 CVE-2022-38023 selftest:Samba4: avoid global 'allow nt4 crypto = yes' and 'reject md5 clients = no'
       via  ba1482a18a8 CVE-2022-38023 s4:rpc_server/netlogon: debug 'reject md5 servers' and 'allow nt4 crypto' misconfigurations
       via  b7f0e7f2ccc CVE-2022-38023 docs-xml/smbdotconf: document "server reject md5 schannel:COMPUTERACCOUNT"
       via  4cb1e57caaf CVE-2022-38023 docs-xml/smbdotconf: document "allow nt4 crypto:COMPUTERACCOUNT = no"
       via  a0c68f4caaa CVE-2022-38023 s4:rpc_server/netlogon: add 'server reject md5 schannel:COMPUTERACCOUNT = no' and 'allow nt4 crypto:COMPUTERACCOUNT = yes'
       via  5154471bca2 CVE-2022-38023 s4:rpc_server/netlogon: defer downgrade check until we found the account in our SAM
       via  ade168df393 CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 clients' default to yes
       via  33a814d745c CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_ServerAuthenticate3_check_downgrade()
       via  90f06ad6d7d CVE-2022-38023 s4:torture: use NETLOGON_NEG_SUPPORTS_AES by default
       via  0be35930722 CVE-2022-38023 selftest:Samba4: avoid global 'server schannel = auto'
       via  e02e8ad46b0 CVE-2022-38023 s4:rpc_server/netlogon: improve CVE-2020-1472(ZeroLogon) debug messages
       via  643b4c1b95e CVE-2022-38023 s4:rpc_server/netlogon: re-order checking in dcesrv_netr_creds_server_step_check()
       via  b9269801ed6 CVE-2022-38023 s4:rpc_server/netlogon: add talloc_stackframe() to dcesrv_netr_creds_server_step_check()
       via  9669a41693b CVE-2022-38023 s4:rpc_server/netlogon: add a lp_ctx variable to dcesrv_netr_creds_server_step_check()
       via  de121d6c613 CVE-2022-38023 s4:rpc_server/netlogon: 'server schannel != yes' warning to dcesrv_interface_netlogon_bind
       via  18bcf0b6496 CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 servers' default to yes
       via  f1cb8950583 CVE-2022-38023 s3:winbindd: also allow per domain "winbind sealed pipes:DOMAIN" and "require strong key:DOMAIN"
       via  4dc0b8d0a89 CVE-2022-38023 s3:net: add and use net_warn_member_options() helper
       via  ae1f4644245 CVE-2022-38023 libcli/auth: add/use netlogon_creds_cli_warn_options()
       via  deffd8ea00f CVE-2022-38023 libcli/auth: pass lp_ctx to netlogon_creds_cli_set_global_db()
       via  ddafd6dc770 CVE-2022-38023 docs-xml: improve wording for several options: "yields precedence" -> "is over-riden"
       via  1040fa4c235 CVE-2022-38023 docs-xml: improve wording for several options: "takes precedence" -> "overrides"
       via  26249f6c065 selftest: make filter-subunit much more efficient for large knownfail lists
      from  2ea3f2db808 CVE-2022-45141 source4/heimdal: Fix check-des

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test


- Log -----------------------------------------------------------------
commit d1cfdcf3a3dd44be993f3c543eaf65c53ecdf7a9
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 29 14:14:32 2022 +0100

    CVE-2022-37966 python:/tests/krb5: call sys.path.insert(0, "bin/python") before any other imports
    
    This allows the tests to be executed without an explicit
    PYTHONPATH="bin/python".
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Tue Dec 13 14:06:14 UTC 2022 on sn-devel-184
    
    (similar to commit 987cba90573f955fe9c781830daec85ad4d5bf92)
    [jsutton at samba.org Fixed conflicts; removed changes to non-existent
     tests]
    
    [jsutton at samba.org Fixed conflicts; removed changes to non-existent
     tests]
    
    [metze at samba.org private autobuild and a pipeline passes]

commit 48d6042dddff6790a87039a095ae7489e3596bf2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Dec 6 12:55:45 2022 +0100

    CVE-2022-37966 samba-tool: add 'domain trust modify' command
    
    For now it only allows the admin to modify
    the msDS-SupportedEncryptionTypes values.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    (cherry picked from commit d1999c152acdf939b4cd7eb446dd9921d3edae29)

commit 89b1c78b520f32e54e8a025511908b06158deef0
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 30 09:39:19 2022 +0100

    CVE-2022-37966 s4:kdc: apply restrictions of "kdc supported enctypes"
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit cca3c024fc514bee79bb60a686e470605cc98d6f)

commit 18996e9971224210aa50cff9796c805dc594c296
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 29 14:13:36 2022 +0100

    CVE-2022-37966 param: Add support for new option "kdc supported enctypes"
    
    This allows admins to disable enctypes completely if required.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 36d0a495159f72633f1f41deec979095417a1727)

commit 34fc0da78699827674245ea5f00282107054ba9c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 30 09:05:51 2022 +0100

    CVE-2022-37966 param: let "kdc default domain supportedenctypes = 0" mean the default
    
    In order to allow better upgrades we need the default value for smb.conf to be the
    same even if the effective default value of the software changes in future.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit fa64f8fa8d92167ed15d1109af65bbb4daab4bad)
    
    [jsutton at samba.org Fixed conflicts]

commit 693a247d3b270677ec6f42189002c647a1e20e19
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 30 09:02:41 2022 +0100

    CVE-2022-37966 param: don't explicitly initialize "kdc force enable rc4 weak session keys" to false/"no"
    
    This is not squashed in order to allow easier backports...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 7504a4d6fee7805aac7657b9dab88c48353d6db4)

commit ee9ffe50e99d2778d0d17fb65d6b27911d211f91
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Mar 24 15:44:40 2022 +0100

    CVE-2022-37966 s4:kdc: announce PA-SUPPORTED-ETYPES like windows.
    
    We need to take the value from the msDS-SupportedEncryptionTypes
    attribute and only take the default if there's no value or
    if the value is 0.
    
    For krbtgt and DC accounts we need to force support for
    ARCFOUR-HMAC-MD5 and AES encryption types and add the related bits
    in addition. (Note that for krbtgt, msDS-SupportedEncryptionTypes is
    completely ignored; the hardcoded value is the default, so there's
    no AES256-SK for krbtgt.)
    
    For UF_USE_DES_KEY_ONLY on the account we reset
    the value to 0; these accounts are in fact disabled completely,
    as they always result in KRB5KDC_ERR_ETYPE_NOSUPP.
    
    Then we try to get all encryption keys marked in
    supported_enctypes, and the available_enctypes
    is a reduced set depending on what keys are
    actually stored in the database.
    
    We select the supported session key enctypes by the available
    keys and in addition based on AES256-SK as well as the
    "kdc force enable rc4 weak session keys" option.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit fde745ec3491a4fd7b23e053a67093a2ccaf0905)
    
    [jsutton at samba.org Adapted to older KDC code]
    
    [jsutton at samba.org Adapted to older KDC code]

commit 1815d339417261605820cb17f240c75fae01289a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 29 17:11:01 2022 +0100

    CVE-2022-37966 python:tests/krb5: test much more etype combinations
    
    These tests work out the difference between
    - msDS-SupportedEncryptionTypes value or its default
    - software defined extra flags for DC accounts
    - accounts with only an nt hash being stored
    - the resulting value in the KRB5_PADATA_SUPPORTED_ETYPES announcement
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 1dfa91682efd3b12d7d6af75287efb12ebd9e526)

commit d6b9e8b33978a1b85b487e8363476a3356af893d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 29 20:59:52 2022 +0100

    CVE-2022-37966 python:tests/krb5: add better PADATA_SUPPORTED_ETYPES assert message
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit c7c576208960e336da276e251ad7a526e1b3ed45)

commit 25d881189032a8563931fce116eba02556101f7b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 29 16:42:58 2022 +0100

    CVE-2022-37966 python:tests/krb5: add 'force_nt4_hash' for account creation of KDCBaseTest
    
    This will allow us to create test accounts with only an nt4 hash
    stored, without any aes keys.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 77bd3258f1db0ddf4639a83a81a1aad3ee52c87d)
    
    [jsutton at samba.org Fixed conflicts in parameters]

commit c768a27bc13fff024db18f2101680d15c2268743
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 29 20:27:14 2022 +0100

    CVE-2022-37966 python:tests/krb5: ignore empty supplementalCredentials attributes
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit f434a30ee7c40aac4a223fcabac9ddd160a155a5)

commit 9049c5442aaeccba6e9e68f230679349fa38217a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 29 14:15:40 2022 +0100

    CVE-2022-37966 python:tests/krb5: allow ticket/supported_etypes to be passed KdcTgsBaseTests._{as,tgs}_req()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit d8fd6a22b67a2b3ae03a2e428cc4987f07af6e29)

commit a1e91681158d24c453cd23ab9f8760189e7de813
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 29 09:48:09 2022 +0100

    CVE-2022-37966 python:tests/krb5: fix some tests running against Windows 2022
    
    I'm using the following options:
    
    SERVER=172.31.9.218 DC_SERVER=w2022-118.w2022-l7.base \
    SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 \
    DOMAIN=W2022-L7 REALM=W2022-L7.BASE \
    ADMIN_USERNAME=Administrator ADMIN_PASSWORD=A1b2C3d4 \
    CLIENT_USERNAME=Administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=2 \
    FULL_SIG_SUPPORT=1 TKT_SIG_SUPPORT=1 FORCED_RC4=1
    
    in order to run these:
    
    python/samba/tests/krb5/as_req_tests.py -v --failfast AsReqKerberosTests
    python/samba/tests/krb5/etype_tests.py -v --failfast EtypeTests
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    (cherry picked from commit e0f89b7bc8025db615dccf096aab4ca87e655368)
    [jsutton at samba.org Fixed conflicts in parameters; brought in rep_padata
     non-None assertion]
    
    [jsutton at samba.org Fixed parameter conflicts in as_req_tests.py; removed
     changes to non-existent check_reply_padata()]

commit 1db952fab82eddf0d4100080a64da33786f7c882
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 29 15:45:56 2022 +0100

    CVE-2022-37966 s4:libnet: allow python bindings to force setting an nthash via SAMR level 18
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 4ebbe7e40754eeb1c8f221dd59018c3e681ab2ab)

commit 91a030cbf5862c7ea77d4aa5961f582a28875ef2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Mar 24 14:09:50 2022 +0100

    CVE-2022-37966 s4:libnet: add support LIBNET_SET_PASSWORD_SAMR_HANDLE_18 to set nthash only
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 271cd82cd681d723572fcaeed24052dc98a8361)
    
    [jsutton at samba.org Adapted to older version of libnet_SetPassword() that
     doesn't set FIPS lax mode]

commit eed3d6a3962e8e9d7076486679fedc9e0ec93acb
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 29 15:42:27 2022 +0100

    CVE-2022-37966 s4:libnet: initialize libnet_SetPassword() arguments explicitly to zero by default.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 9e69289b099b47e0352ef67ef7e6529d11688e9a)

commit 0d7dc04404dee3f1ddce219f3ed1db736716eef7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Feb 3 16:27:15 2022 +0100

    CVE-2022-37966 drsuapi.idl: add trustedDomain related ATTID values
    
    For now this is only for debugging in order to see
    DRSUAPI_ATTID_msDS_SupportedEncryptionTypes in the replication meta
    data.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit f1c5fa28c460f7e011049606b1b9ef96443e5e1f)

commit 527a164b410f87c6f2a9b508d8261214819f8ef3
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 7 18:03:45 2017 +0100

    CVE-2022-37966 s4:kdc: use the strongest possible keys
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    (cherry picked from commit d7ea197ed1a9903f601030e6466cc822f9b8f794)
    [jsutton at samba.org Adapted to configuration parameters having been
     renamed from {as,tgs} to {tgt,svc}]

commit 8b8835b09fa45c0cd3aba5d5aa504fcfd290386f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 23 15:27:14 2022 +0100

    CVE-2022-37966 s4:pydsdb: add ENC_HMAC_SHA1_96_AES256_SK
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 621b8c3927b63776146940b183b03b3ea77fd2d7)

commit f644fc69971c776102f0b60fe184134a413d13e1
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 22 09:48:45 2022 +0100

    CVE-2022-37966 s3:net_ads: let 'net ads enctypes list' pretty print AES256-SK and RESOURCE-SID-COMPRESSION-DISABLED
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit b7260c89e0df18822fa276e681406ec4d3921caa)

commit 716149ed2bcc2e67eb598cbb5f77e6240f8d155e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 23 15:20:40 2022 +0100

    CVE-2022-37966 s3:net_ads: no longer reference des encryption types
    
    We no longer have support for des encryption types in the kerberos
    libraries anyway.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 4cedaa643bf95ef2628f1b631feda833bb2e7da1)

commit 5f9e13ce20a0bd9f80820f1d1afedfee035ba0e2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 23 15:20:40 2022 +0100

    CVE-2022-37966 s3:libnet: no longer reference des encryption types
    
    We no longer have support for des encryption types in the kerberos
    libraries anyway.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 40b47c194d7c41fbc6515b6029d5afafb0911232)

commit 153e4a391420f1d492d7af3a3cfb71dabf98e08f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 23 15:20:40 2022 +0100

    CVE-2022-37966 s3:libads: no longer reference des encryption types
    
    We no longer have support for des encryption types in the kerberos
    libraries anyway.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit a683507e560a499336c50b88abcd853d49618bf4)

commit ac6563e70ade2152a82e56f0b0ff2c43af084946
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 23 15:20:40 2022 +0100

    CVE-2022-37966 lib/krb5_wrap: no longer reference des encryption types
    
    We no longer have support for des encryption types in the kerberos
    libraries anyway.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 16b805c8f376e0992a8bbb359d6bd8f0f96229db)

commit ece27efe594372748c625b7c60c7461b9f39cd67
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 23 15:19:48 2022 +0100

    CVE-2022-37966 s3:net_ads: remove unused ifdef HAVE_ENCTYPE_AES*
    
    aes encryption types are always supported.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit f3fe1f2ce64ed36be5b001fb4fea92428e73e4e3)

commit c23c17a8d7546df897654c4205d421de98c0598b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 23 15:19:48 2022 +0100

    CVE-2022-37966 s3:libnet: remove unused ifdef HAVE_ENCTYPE_AES*
    
    aes encryption types are always supported.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 1a36c348d7a984bed8d0f3de5bf9bebd1cb3c47a)

commit 6db1a9a9648980de2257bb8034838323cd6b84ef
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 23 15:18:02 2022 +0100

    CVE-2022-37966 s3:libads: remove unused ifdef HAVE_ENCTYPE_AES*
    
    aes encryption types are always supported.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 2bd27955ce1000c13b468934eed8b0fdeb66e3bf)

commit c0a367ad02a7384013389c0b1feabf77a48ac659
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 23 15:16:51 2022 +0100

    CVE-2022-37966 lib/krb5_wrap: remove unused ifdef HAVE_ENCTYPE_AES*
    
    aes encryption types are always supported.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit c9b10ee32c7e91521d024477a28fb7a622e4eb04)

commit 5127bcfded4c242776bdcc42e8fb5296362d017d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 23 15:12:47 2022 +0100

    CVE-2022-37966 system_mitkrb5: require support for aes enctypes
    
    This will never fail as we already require a version that supports aes,
    but this makes it clearer.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    (cherry picked from commit a80f8e1b826ee3f9bbb22752464a73b97c2a612d)
    [jsutton at samba.org Fixed conflicts due to missing lib='krb5' argument]

commit a4deabde39e0219945d0725ee5c1a79591e8fd2d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 23 15:12:14 2022 +0100

    CVE-2022-37966 wafsamba: add support for CHECK_VARIABLE(mandatory=True)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 9da028c46f70db60a80d47f5dadbec194510211f)

commit a7e2f5d32e59758ca714e292e3aa0e51821a9d43
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Nov 22 11:32:34 2022 +1300

    CVE-2022-37966 kdc: Assume trust objects support AES by default
    
    As part of matching the behaviour of Windows, assume that trust objects
    support AES256, but not RC4, if not specified otherwise.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 4bb50c868c8ed14372cb7d27e53cdaba265fc33d)
    
    [jsutton at samba.org Added knownfail removals]

commit 1e32bfc0fdd5394268eb86f60de521722f783a50
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Nov 1 15:20:47 2022 +1300

    CVE-2022-37966 kdc: Implement new Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
    
    ENC_HMAC_SHA1_96_AES256_SK is a flag introduced by Microsoft in this
    CVE to indicate that additionally, AES session keys are available. We
    set the etypes available for session keys depending on the encryption
    types that are supported by the principal.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219
    
    Pair-Programmed-With: Joseph Sutton <josephsutton at catalyst.net.nz>
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    (similar to commit 975e43fc45531fdea14b93a3b1529b3218a177e6)
    [jsutton at samba.org Fixed knownfail conflicts]
    
    [jsutton at samba.org Adapted to older KDC code; fixed knownfail conflicts]
    
    [jsutton at samba.org Fixed knownfail conflicts; adapted to older KDC and
     Heimdal code]

commit 701b2650d1b47adac55f948c4e055d5ecc52e1da
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Nov 25 11:48:59 2022 +1300

    CVE-2022-37966 s4:torture: Expect referral ticket enc-part encrypted with AES256 rather than RC4
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    [This is 4.15 only]

commit 590228fd72f66412a8188b3b09d2d71e91b0d568
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Nov 25 11:48:41 2022 +1300

    CVE-2022-37966 auth/credentials: Allow specifying password to cli_credentials_get_aes256_key()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    [This is 4.15 only]

commit eefa55320558ce8da7fb9d90038c2f778487da44
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon May 9 14:35:05 2022 +1200

    CVE-2022-37966 auth/credentials: Add cli_credentials_get_aes256_key()
    
    This allows us to generate AES256 keys from a given password and salt.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 0d9835e1e497d667ce49f00d5127d2231055793f)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 33e5f0b4a44c0d8231b4176a881cd7279dbe9292
Author: Nicolas Williams <nico at cryptonector.com>
Date:   Tue Nov 8 19:54:45 2011 -0600

    CVE-2022-37966 Fix enctype selection issues for PAC and other authz-data signatures
    
        We were using the enctype from the PA-TGS-REQ's AP-REQ's Ticket to
        decide what key from the service's realm's krbtgt principal to use.
        This breaks when: a) we're doing cross-realm, b) the service's
        realm's krbtgt principal doesn't have keys for the enctype used in
        the cross-realm TGT.
    
        The fix is to pick the correct key (strongest or first, per-config)
        from the service's realm's krbtgt principal.
    
    (backported from Heimdal commit 8586d9f88efcf60b971466f0d83ea0bc1962e24f)
    
    [jsutton at samba.org Fixed conflicts due to different Heimdal revision]
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    [This is 4.15 only]
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit cc6196fa005187c93486a83348b1d69a94219b1e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Nov 23 16:05:04 2022 +1300

    CVE-2022-37966 selftest: Run S4U tests against FL2003 DC
    
    This shows that changes around RC4 encryption types do not break older
    functional levels where only RC4 keys are available.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 44802c46b18caf3c7f9f2fb1b66025fc30e22ac5)
    
    [jsutton at samba.org Fixed import conflict]

commit c273cb75625c144fc31ede19dcf3c301e209c371
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Nov 18 12:11:39 2022 +1300

    CVE-2022-37966 selftest: Add tests for Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
    
    ENC_HMAC_SHA1_96_AES256_SK is a flag introduced by Microsoft in this CVE
    to indicate that additionally, AES session keys are available.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    (similar to commit 371d7e63fcb966ab54915a3dedb888d48adbf0c0)
    [jsutton at samba.org Removed unneeded fast_tests.py change, added
     non_etype_bits in raw_testcase.py, fixed conflicts in knownfails and
     tests.py]
    
    [jsutton at samba.org Fixed conflicts in tests and knownfails]
    
    [jsutton at samba.org Fixed conflicts in raw_testcase.py, tests.py; moved
     test_fast_rc4 knownfail to 'KDC TGS tests' section with other FAST
     knownfails]

commit 84c28b05a0a590a0edea616cd0f267e2be44d0a0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Nov 21 13:47:06 2022 +1300

    CVE-2022-37966 samba-tool: Declare explicitly RC4 support of trust objects
    
    As we will assume, as part of the fixes for CVE-2022-37966, that trust
    objects with no msDS-SupportedEncryptionTypes attribute support AES
    keys, RC4 support must now be explicitly indicated.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 086646865eef247a54897f5542495a2105563a5e)

commit 0ad597673246af62c88453236d1eab731368ad08
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Nov 21 13:45:22 2022 +1300

    CVE-2022-37966 samba-tool: Fix 'domain trust create' documentation
    
    This option does the opposite of what the documentation claims.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 6b155b22e6afa52ce29cc475840c1d745b0f1f5e)

commit 1c06e8b08ca3d8adecd044919758e949f50de7c7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Nov 21 14:01:47 2022 +1300

    CVE-2022-37966 third_party/heimdal: Fix error message typo
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit d6b3d68efc296190a133b4e38137bdfde39257f4)
    
    [jsutton at samba.org Adapted to older Heimdal version]

commit 36d5770585ab3abfe1a17f78709728805482388c
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Nov 18 13:44:28 2022 +1300

    CVE-2022-37966 param: Add support for new option "kdc force enable rc4 weak session keys"
    
    Pair-Programmed-With: Joseph Sutton <josephsutton at catalyst.net.nz>
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit ee18bc29b8ef6a3f09070507cc585467e55a1628)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

commit 1daea832104e46cfc4ea9700024bda35271a7672
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Nov 15 18:14:36 2022 +1300

    CVE-2022-37966 param: Add support for new option "kdc default domain supportedenctypes"
    
    This matches the Windows registry key
    
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\KDC\DefaultDomainSupportedEncTypes
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit d861d4eb28bd4c091955c11669edcf867b093a6f)
    
    [jsutton at samba.org Fixed header include conflict]
    
    [jsutton at samba.org Fixed loadparm conflicts]

commit d775f1ed43a1c130b08636ad428a0f07fa88b31e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Nov 9 13:45:13 2022 +1300

    CVE-2022-37967 Add new PAC checksum
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15231
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    (similar to commit a50a2be622afaa7a280312ea12f5eb9c9a0c41da)
    [jsutton at samba.org Fixed conflicts in krb5pac.idl and raw_testcase.py]
    
    [jsutton at samba.org Fixed conflicts in kdc_base_test.py, raw_testcase.py,
     knownfails, tests.py. Adapted KDC PAC changes to older function.]
    
    [jsutton at samba.org Fixed conflict in raw_testcase.py; adapted to older
     Heimdal version]

commit 4650ce1fa5ce1f1da46829bd95bffbb748ed90ca
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Nov 1 14:47:12 2022 +1300

    CVE-2022-37966 HEIMDAL: Look up the server keys to combine with clients etype list to select a session key
    
    We need to select server, not client, to compare client etypes against.
    
    (It is not useful to compare the client-supplied encryption types with
    the client's own long-term keys.)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    (similar to commit 538315a2aa6d03b7639b49eb1576efa8755fefec)
    [jsutton at samba.org Fixed knownfail conflicts]
    
    [jsutton at samba.org Fixed knownfail conflicts]
    
    [jsutton at samba.org Fixed knownfail conflicts; adapted to older Heimdal
     version]

commit fed97f46265834f53a895de2460d01321b6f32a7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Nov 23 15:15:40 2022 +1300

    CVE-2022-37966 selftest: Don't strictly check etype-info when obtaining a TGT
    
    This padata type is less well tested in Samba 4.15 than we should like,
    and hence the encryption type tests reveal some inconsistencies that
    cause the tests to fail. Not strictly checking them in these tests
    allows them to continue passing.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    [This is 4.15 only]

commit 07edcef7463103ebb9d3eb6e25c945c1abf1e5d2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 25 19:32:27 2022 +1300

    CVE-2022-37966 tests/krb5: Add a test requesting tickets with various encryption types
    
    The KDC should leave the choice of ticket encryption type up to the
    target service, and admit no influence from the client.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    (similar to commit 177334c04230d0ad74bfc2b6825ffbebd5afb9af)
    [jsutton at samba.org Fixed conflicts in usage.py, knownfails, tests.py]
    
    [jsutton at samba.org Fixed knownfail conflicts]
    
    [jsutton at samba.org Added new enctype bits; re-added expect_edata
     parameter to _test_as_exchange(); fixed conflicts in usage.py,
     knownfails, tests.py]

commit 92763515d9f0bb8ed56c721d752db1fb7a268407
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Oct 26 14:29:54 2022 +1300

    CVE-2022-37966 tests/krb5: Add 'etypes' parameter to _tgs_req()
    
    This lets us select the encryption types we claim to support in the
    request body.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    (similar to commit e0a91dddc4a6c70d7425c2c6836dcf2dd6d9a2de)
    [jsutton at samba.org Adapted to 4.17 version of function taking different
     parameters]

commit b4be18abf9b9f7ee3361a8a2841f8e700440ce42
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Oct 26 14:26:01 2022 +1300

    CVE-2022-37966 tests/krb5: Split out _tgs_req() into base class
    
    We will use it for testing our handling of encryption types.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    (similar to commit 50e075d2db21e9f23d686684ea3df9454b6b560e)
    [jsutton at samba.org Adapted to 4.17 version of function]

commit e24512a20ae479ee1dce33d9e3587cc1e58ff4c2
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Nov 1 12:34:57 2022 +1300

    CVE-2022-37966 selftest: Allow krb5 tests to run against an IP by using the target_hostname binding string
    
    This makes it easier to test against a server that is not accessible via DNS.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit c7cd6889177e8c705bb637172a60a5cf26734a3f)

commit e2ac180984e36f54999e970eafb0f05ed90b0fd4
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Dec 5 21:45:08 2022 +0100

    CVE-2022-37966 libcli/auth: let netlogon_creds_cli_warn_options() warn about "kerberos encryption types=legacy"
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 0248907e34945153ff2be62dc11d75c956a05932)
    
    [abartlet at samba.org Added missing loadparm to netlogon_creds_cli]

commit 30202568a181966ea7c56a33dad5e4942e524b75
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Dec 5 21:36:23 2022 +0100

    CVE-2022-37966 testparm: warn about 'kerberos encryption types = legacy'
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit c0c25cc0217b082c12330a8c47869c8428a20d0c)

commit 097fa693ded841cf81ffaf143f3501aa1ff45892
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Dec 5 21:31:37 2022 +0100

    CVE-2022-37966 docs-xml/smbdotconf: "kerberos encryption types = legacy" should not be used
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit a4f6f51cbed53775cdfedc7eec2f28c7beb875cc)

commit 4543bd706e53844f0585aaa48a574bf8fe2050de
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Oct 27 08:47:32 2022 +0200

    CVE-2022-37966 s3:utils: Fix old-style function definition
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit b787692b5e915031d4653bf375995320ed1aca07)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 6f94a270722594b521cbef6387b440759e2cb3ac
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Oct 27 08:46:39 2022 +0200

    CVE-2022-37966 s3:client: Fix old-style function definition
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 81f4335dfb847c041bfd3d6110fc8f1d5741d41f)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 0fe0643e0b7c283a4e49ae4be772fa6a83fe978d
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Oct 27 08:44:58 2022 +0200

    CVE-2022-37966 s3:param: Fix old-style function definition
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 80dc3bc2b80634ab7c6c71fa1f9b94f0216322b2)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 25402db19b95d6ce74faa252dbc4b7d86c0c1dbd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Apr 11 15:43:00 2022 +1200

    CVE-2022-37966 tests/krb5: Allow passing expected etypes to get_keys()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 2f17cbf3b295663a91e4facb0dc8f09ef4a77f4a)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    [jsutton at samba.org Removed changes to protected_users_tests.py]
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 8f40d9b7dd280920dbbd41614a48eac918e2bcc8
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Mar 23 13:07:29 2022 +1300

    CVE-2022-37966 s4:kdc: Move supported enc-type handling out of samba_kdc_message2entry_keys()
    
    By putting this in the caller we potentially allow samba_kdc_message2entry_keys()
    to be reused by a non-KDC caller.
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit 29eb7e2488e2c55ceacb859a57836a08cbb7f8e8)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    [jsutton at samba.org Adapted to older code without support for Protected
     Users or older keys; kept still-needed 'kdc_db_ctx'
     samba_kdc_message2entry_keys() parameter]
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    [jsutton at samba.org Adapted to older db-glue code]

commit 86834042a187e7ef0c805b4a2fbe4d63b6437794
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Dec 24 16:59:12 2021 +1300

    CVE-2022-37966 s4:kdc: Set supported enctypes in KDC entry
    
    This allows us to return the supported enctypes to the client as
    PA-SUPPORTED-ENCTYPES padata.
    
    NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit cb382f7cddebabde3dac2b4bdb50d5b864463abf)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    [jsutton at samba.org Adapted to Samba 4.15; removed FAST-supported bit for
     KDC]
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit d09d8f995c9a12a0c96aecdbc9f6dac4f5864890
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Dec 23 15:59:21 2021 +1300

    CVE-2022-37966 tests/krb5: Update supported enctype checking
    
    We now do not expect the claims or compound ID bits to be set unless
    explicitly specified, nor the DES bits.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit e9caa1edef846cdea2a719976ee0fd5bd8531048)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
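
The following is an added worked example, not Samba code, illustrating the msDS-SupportedEncryptionTypes bitmask that the CVE-2022-37966 commits above keep referring to: the assumed AES256-only default for trust objects with no attribute, the fallback to "kdc default domain supportedenctypes" for other accounts, the meaning of the ENC_HMAC_SHA1_96_AES256_SK bit for session keys, the rule that the ticket enctype is the service's choice alone, and strongest-key selection against the server's (not the client's) keys. The bit values are the public MS-KILE 2.2.7 flags; the selection rules are a simplified model of what the commit messages describe, and the sample masks are constructed.

```python
"""Added illustration of msDS-SupportedEncryptionTypes handling; not Samba's
implementation.  Flag values are from MS-KILE 2.2.7; the selection rules are
a simplified model of what the CVE-2022-37966 commit messages describe."""

from typing import List, Optional

# msDS-SupportedEncryptionTypes bit flags (MS-KILE 2.2.7).
DES_CBC_CRC = 0x00000001
DES_CBC_MD5 = 0x00000002
RC4_HMAC_MD5 = 0x00000004
AES128_CTS_HMAC_SHA1_96 = 0x00000008
AES256_CTS_HMAC_SHA1_96 = 0x00000010
# The flag the commits call ENC_HMAC_SHA1_96_AES256_SK: AES session keys are
# additionally available, even when the account holds no AES long-term key.
AES256_CTS_HMAC_SHA1_96_SK = 0x00000020
FAST_SUPPORTED = 0x00010000
COMPOUND_IDENTITY_SUPPORTED = 0x00020000
CLAIMS_SUPPORTED = 0x00040000
RESOURCE_SID_COMPRESSION_DISABLED = 0x00080000

BIT_NAMES = {
    DES_CBC_CRC: "DES_CBC_CRC",
    DES_CBC_MD5: "DES_CBC_MD5",
    RC4_HMAC_MD5: "RC4_HMAC_MD5",
    AES128_CTS_HMAC_SHA1_96: "AES128_CTS_HMAC_SHA1_96",
    AES256_CTS_HMAC_SHA1_96: "AES256_CTS_HMAC_SHA1_96",
    AES256_CTS_HMAC_SHA1_96_SK: "AES256_CTS_HMAC_SHA1_96_SK",
    FAST_SUPPORTED: "FAST_SUPPORTED",
    COMPOUND_IDENTITY_SUPPORTED: "COMPOUND_IDENTITY_SUPPORTED",
    CLAIMS_SUPPORTED: "CLAIMS_SUPPORTED",
    RESOURCE_SID_COMPRESSION_DISABLED: "RESOURCE_SID_COMPRESSION_DISABLED",
}

# Bits that name real long-term key types (the *_SK and feature bits do not).
KEY_ETYPE_BITS = (DES_CBC_CRC | DES_CBC_MD5 | RC4_HMAC_MD5
                  | AES128_CTS_HMAC_SHA1_96 | AES256_CTS_HMAC_SHA1_96)

# Strongest first: the KDC prefers the strongest key it is allowed to use.
STRENGTH_ORDER = [AES256_CTS_HMAC_SHA1_96, AES128_CTS_HMAC_SHA1_96,
                  RC4_HMAC_MD5, DES_CBC_MD5, DES_CBC_CRC]


def decode_bits(value: int) -> List[str]:
    """Names of the set flags, lowest bit first; unknown bits shown as hex."""
    names = []
    for bit in range(32):
        flag = 1 << bit
        if value & flag:
            names.append(BIT_NAMES.get(flag, f"UNKNOWN_0x{flag:08x}"))
    return names


def effective_supported_etypes(attr_value: Optional[int], is_trust: bool,
                               domain_default: int) -> int:
    """Supported-enctype mask for an account whose attribute may be absent.

    A trust object with no attribute is assumed to support AES256 and not
    RC4 (so RC4 must now be set explicitly); any other account falls back to
    the configured "kdc default domain supportedenctypes" value, passed in
    here as domain_default because this example reads no smb.conf."""
    if attr_value is None:
        return AES256_CTS_HMAC_SHA1_96 if is_trust else domain_default
    return attr_value


def session_key_etypes(supported: int) -> int:
    """Enctypes usable for a session key with this principal (model only).

    Long-term key enctypes always qualify; the *_SK bit additionally allows
    an AES256 session key for an account that has only an RC4 key."""
    etypes = supported & KEY_ETYPE_BITS
    if supported & AES256_CTS_HMAC_SHA1_96_SK:
        etypes |= AES256_CTS_HMAC_SHA1_96
    return etypes


def strongest_etype(mask: int) -> Optional[int]:
    """Strongest key-type bit set in mask, or None if no key type is set."""
    for etype in STRENGTH_ORDER:
        if mask & etype:
            return etype
    return None


def select_session_key_etype(server_supported: int,
                             client_etypes: List[int]) -> Optional[int]:
    """Strongest session-key enctype the client offered that the server can
    use.  The client's list is matched against the *server's* keys; the
    client's own ordering does not override strength (an assumption)."""
    offered = 0
    for etype in client_etypes:
        offered |= etype
    return strongest_etype(session_key_etypes(server_supported) & offered)


def select_ticket_etype(server_supported: int) -> Optional[int]:
    """The ticket enc-part uses the service's strongest long-term key; the
    client's requested etypes play no role, and the *_SK bit adds no key."""
    return strongest_etype(server_supported & KEY_ETYPE_BITS)


if __name__ == "__main__":
    # Constructed sample: a member server whose attribute says RC4 plus the SK bit.
    srv = RC4_HMAC_MD5 | AES256_CTS_HMAC_SHA1_96_SK
    print("server flags:", decode_bits(srv))
    print("ticket etype:", BIT_NAMES[select_ticket_etype(srv)])
    print("session key :", BIT_NAMES[select_session_key_etype(srv, [RC4_HMAC_MD5, AES256_CTS_HMAC_SHA1_96])])
    print("trust w/o attr:", decode_bits(effective_supported_etypes(None, True, 0x1C)))
```

Run stand-alone it prints the decoded flags for the constructed member server: the ticket is still RC4 (the only long-term key) while the session key can be AES256 thanks to the SK bit, which is exactly the split the "session key behaviour" commits introduce.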

commit 900c6e2268dbd2625e679af1550d4874247cd1b1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Nov 30 09:45:13 2021 +1300

    CVE-2022-37966 tests/krb5: Check encrypted-pa-data if present
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit f94bdb41fccdb085d8f8f5a1a5e4a56581839e8e)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    [jsutton at samba.org Fixed MIT knownfail conflict; added import of PADATA_REQ_ENC_PA_REP constant]

commit d10dfa85819750f4665dc5fa974f35ce7871acf8
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Dec 6 13:36:17 2022 +0100

    CVE-2022-38023 testparm: warn about insecure schannel related options
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 4d540473c3d43d048a30dd63efaeae9ff87b2aeb)

commit 28ac3faa51c66b005a90c527393fa7c2d43d4c31
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 30 15:13:47 2022 +0100

    CVE-2022-38023 testparm: warn about server/client schannel != yes
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit f964c0c357214637f80d0089723b9b11d1b38f7e)

commit 93e4e50d250a85c9b0308c3f899ab00f47f427df
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 25 14:05:30 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: implement "server schannel require seal[:COMPUTERACCOUNT]"
    
    By default we'll now require schannel connections with
    privacy/sealing/encryption.
    
    But we allow exceptions for specific computer/trust accounts.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit b3ed90a0541a271a7c6d4bee1201fa47adc3c0c1)

commit 15792b4035d520ad5a0bf4888fa5d6bedb8937aa
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Dec 2 14:31:26 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: add a per connection cache to dcesrv_netr_check_schannel()
    
    It's enough to warn the admin once per connection.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 3c57608e1109c1d6e8bb8fbad2ef0b5d79d00e1a)

commit dba546dbfa5dcaa22ed828c2f5b7fa9c8cb6242e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 25 16:53:35 2022 +0100

    CVE-2022-38023 docs-xml/smbdotconf: add "server schannel require seal[:COMPUTERACCOUNT]" options
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 7732a4b0bde1d9f98a0371f17d22648495329470)

commit 2b0dc83e0642f7b1f41b6184fb6e20320cd96b63
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 30 17:15:36 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: make sure all dcesrv_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
    
    We'll soon add some additional constraints in dcesrv_netr_check_schannel(),
    which are also required for dcesrv_netr_LogonSamLogonEx().
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 689507457f5e6666488732f91a355a2183fb1662)

commit 57986cad714cc2f738c7482208204ed4e18b1f19
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 30 16:57:24 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_check_schannel() function
    
    This will allow us to reuse the function in other places,
    as it will also get some additional checks soon.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit f43dc4f0bd60d4e127b714565147f82435aa4f07)

commit 08b69ca61f747a74c5a6634d25ce35e43e145ecd
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 30 14:57:20 2022 +0100

    CVE-2022-38023 selftest:Samba4: avoid global 'allow nt4 crypto = yes' and 'reject md5 clients = no'
    
    Instead of using the generic deprecated option use the specific
    allow nt4 crypto:COMPUTERACCOUNT = yes and
    server reject md5 schannel:COMPUTERACCOUNT = no
    in order to allow legacy tests to pass.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 7ae3735810c2db32fa50f309f8af3c76ffa29768)
    
    [metze at samba.org fixed conflict in 4.15]

commit ba1482a18a807a5db4d1bd84640a0d5d83fcd9c3
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 25 13:13:36 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: debug 'reject md5 servers' and 'allow nt4 crypto' misconfigurations
    
    This allows the admin to notice what's wrong in order to adjust the
    configuration if required.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 43df4be35950f491864ae8ada05d51b42a556381)
    
    [metze at samba.org remove lpcfg_weak_crypto() check for 4.15]

commit b7f0e7f2ccc9c07b2daa0dc6d66ea117108e9a4f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 25 14:02:11 2022 +0100

    CVE-2022-38023 docs-xml/smbdotconf: document "server reject md5 schannel:COMPUTERACCOUNT"
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 2ad302b42254e3c2800aaf11669fe2e6d55fa8a1)

commit 4cb1e57caaf537c760de95a4a4e300ff8c711dfe
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 25 13:31:14 2022 +0100

    CVE-2022-38023 docs-xml/smbdotconf: document "allow nt4 crypto:COMPUTERACCOUNT = no"
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit bd429d025981b445bf63935063e8e302bfab3f9b)

commit a0c68f4caaa0771dcde074906956335c9e458bdf
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 25 13:13:36 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: add 'server reject md5 schannel:COMPUTERACCOUNT = no' and 'allow nt4 crypto:COMPUTERACCOUNT = yes'
    
    This makes it more flexible when we change the global default to
    'reject md5 servers = yes'.
    
    'allow nt4 crypto = no' is already the default.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 69b36541606d7064de9648cd54b35adfdf8f0e8f)

commit 5154471bca2162c14c91ebd02148be521e333817
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 25 10:31:08 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: defer downgrade check until we found the account in our SAM
    
    We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no',
    which means we'll need to use the account name from our SAM.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit b09f51eefc311bbb1525efd1dc7b9a837f7ec3c2)

commit ade168df393064dd25a6e540e06332dcd1803297
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Nov 24 18:26:18 2022 +0100

    CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 clients' default to yes
    
    AES is supported by Windows Server >= 2008R2, Windows (Client) >= 7 and Samba >= 4.0,
    so there's no reason to allow md5 clients by default.
    However some third party domain members may need it.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit c8e53394b98b128ed460a6111faf05dfbad980d1)

commit 33a814d745c0c2dd4e49582fbee892471620bfcd
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 25 09:54:17 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_ServerAuthenticate3_check_downgrade()
    
    We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no',
    which means we'll need the downgrade detection in more places.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit b6339fd1dcbe903e73efeea074ab0bd04ef83561)

commit 90f06ad6d7d00fc51a2d64557cf58739fef851c1
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Nov 28 15:02:13 2022 +0100

    CVE-2022-38023 s4:torture: use NETLOGON_NEG_SUPPORTS_AES by default
    
    For generic tests we should use the best available features.
    
    And AES will be required by default soon.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit cfd55a22cda113fbb2bfa373b54091dde1ea6e66)

commit 0be35930722530e5befa16a65a16232393258057
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 30 12:26:01 2022 +0100

    CVE-2022-38023 selftest:Samba4: avoid global 'server schannel = auto'
    
    Instead of using the generic deprecated option use the specific
    server require schannel:COMPUTERACCOUNT = no in order to allow
    legacy tests to pass.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 63c96ea6c02981795e67336401143f2a8836992c)

commit e02e8ad46b02a4c16f575b6371eea8ea66dee067
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 30 12:37:03 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: improve CVE-2020-1472(ZeroLogon) debug messages
    
    In order to avoid generating useless debug messages during make test,
    we will use 'CVE_2020_1472:warn_about_unused_debug_level = 3'
    and 'CVE_2020_1472:error_debug_level = 2' in order to avoid schannel warnings.
    
    Review with: git show -w
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 16ee03efc194d9c1c2c746f63236b977a419918d)

commit 643b4c1b95e40e46af14afa60aa42b0fcf1cf446
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 30 12:37:03 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: re-order checking in dcesrv_netr_creds_server_step_check()
    
    This will simplify the following changes.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit ec62151a2fb49ecbeaa3bf924f49a956832b735e)

commit b9269801ed6bc034da924cdedd0b6a2938a1379f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Dec 12 14:03:50 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: add talloc_stackframe() to dcesrv_netr_creds_server_step_check()
    
    This will simplify the following changes.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 0e6a2ba83ef1be3c6a0f5514c21395121621a145)

commit 9669a41693b8da410cf57e21f2de7c7e6e4c4235
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Dec 12 14:03:50 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: add a lp_ctx variable to dcesrv_netr_creds_server_step_check()
    
    This will simplify the following changes.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 7baabbe9819cd5a2714e7ea4e57a0c23062c0150)

commit de121d6c613c6e83e49f2622391d1705077646a4
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Dec 6 10:56:29 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: 'server schannel != yes' warning to dcesrv_interface_netlogon_bind
    
    This will simplify the following changes.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit e060ea5b3edbe3cba492062c9605f88fae212ee0)

commit 18bcf0b6496d4ed9d76d23f82674935bd275dc3b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Nov 24 18:22:23 2022 +0100

    CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 servers' default to yes
    
    AES is supported by Windows >= 2008R2 and Samba >= 4.0 so there's no
    reason to allow md5 servers by default.
    
    Note the change in netlogon_creds_cli_context_global() is only cosmetic,
    but avoids confusion while reading the code. Check with:
    
     git show -U35 libcli/auth/netlogon_creds_cli.c
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 1c6c1129905d0c7a60018e7bf0f17a0fd198a584)

commit f1cb8950583c12eaa5cbe907d0b16923f7187541
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 30 14:59:36 2022 +0100

    CVE-2022-38023 s3:winbindd: also allow per domain "winbind sealed pipes:DOMAIN" and "require strong key:DOMAIN"
    
    This avoids advising insecure defaults for the global options.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit d60828f6391307a59abaa02b72b6a8acf66b2fef)

commit 4dc0b8d0a89b0aea865f8508ca3f0d68f50c6f12
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 30 16:16:05 2022 +0100

    CVE-2022-38023 s3:net: add and use net_warn_member_options() helper
    
    This makes sure domain member related 'net' commands print warnings
    about insecure smb.conf options.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 1fdf1d55a5dd550bdb16d037b5dc995c33c1a67a)

commit ae1f4644245237fe76bb162af8e95c42903e4eca
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 30 14:47:33 2022 +0100

    CVE-2022-38023 libcli/auth: add/use netlogon_creds_cli_warn_options()
    
    This warns the admin about insecure options
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    
    (similar to commit 7e7adf86e59e8a673fbe87de46cef0d62221e800)
    [jsutton at samba.org Replaced call to tevent_cached_getpid() with one to
     getpid()]

commit deffd8ea00fecbbf61c4a26279176fe0ae3fe438
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 30 14:46:59 2022 +0100

    CVE-2022-38023 libcli/auth: pass lp_ctx to netlogon_creds_cli_set_global_db()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 992f39a2c8a58301ceeb965f401e29cd64c5a209)

commit ddafd6dc7706e74e74ce96039ac8006b9b2e05ad
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Dec 6 16:05:26 2022 +0100

    CVE-2022-38023 docs-xml: improve wording for several options: "yields precedence" -> "is over-ridden"
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 830e865ba5648f6520bc552ffd71b61f754b8251)

commit 1040fa4c23509234af5ca5bf4c190c80183d39b4
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Dec 6 16:00:36 2022 +0100

    CVE-2022-38023 docs-xml: improve wording for several options: "takes precedence" -> "overrides"
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 8ec62694a94c346e6ba8f3144a417c9984a1c8b9)

commit 26249f6c06591ba87d45e2a0f7322082a157fa06
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Dec 6 17:16:00 2022 +1300

    selftest: make filter-subunit much more efficient for large knownfail lists
    
    By compiling the knownfail lists ahead of time we change a 20min test
    into a 90sec test.
    
    This could be improved further by combining this into a single regular expression,
    but this is enough for now.  The 'reason' is thankfully not used.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15258
    
    Pair-programmed-with: Joseph Sutton <josephsutton at catalyst.net.nz>
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 22128c718cadd34af892df102bd52df6a6b03303)

-----------------------------------------------------------------------

Summary of changes:
 auth/credentials/credentials.h                     |    7 +
 auth/credentials/credentials_krb5.c                |   59 +
 buildtools/wafsamba/samba_autoconf.py              |    4 +-
 docs-xml/manpages/samba-tool.8.xml                 |    5 +
 docs-xml/smbdotconf/logon/allownt4crypto.xml       |   85 +-
 docs-xml/smbdotconf/logon/rejectmd5clients.xml     |  101 +-
 .../security/allowdcerpcauthlevelconnect.xml       |    2 +-
 docs-xml/smbdotconf/security/clientschannel.xml    |    2 +-
 .../security/kdcdefaultdomainsupportedenctypes.xml |   42 +
 .../security/kdcforceenablerc4weaksessionkeys.xml  |   24 +
 .../smbdotconf/security/kdcsupportedenctypes.xml   |   40 +
 .../security/kerberosencryptiontypes.xml           |   12 +-
 docs-xml/smbdotconf/security/serverschannel.xml    |   47 +-
 .../security/serverschannelrequireseal.xml         |  118 ++
 docs-xml/smbdotconf/winbind/rejectmd5servers.xml   |    9 +-
 docs-xml/smbdotconf/winbind/requirestrongkey.xml   |    4 +-
 lib/krb5_wrap/krb5_samba.c                         |    6 -
 lib/param/loadparm.c                               |  147 ++
 libcli/auth/netlogon_creds_cli.c                   |   89 +-
 libcli/auth/netlogon_creds_cli.h                   |    4 +-
 librpc/idl/drsuapi.idl                             |    9 +
 librpc/idl/krb5pac.idl                             |    4 +-
 librpc/idl/netlogon.idl                            |    4 +
 librpc/idl/security.idl                            |    1 +
 python/samba/drs_utils.py                          |   12 +-
 python/samba/netcmd/domain.py                      |  130 +-
 python/samba/tests/krb5/alias_tests.py             |    6 +-
 .../samba/tests/krb5/as_canonicalization_tests.py  |    5 +-
 python/samba/tests/krb5/as_req_tests.py            |   21 +-
 python/samba/tests/krb5/compatability_tests.py     |   22 +
 python/samba/tests/krb5/etype_tests.py             |  597 ++++++++
 python/samba/tests/krb5/fast_tests.py              |   11 +-
 python/samba/tests/krb5/kdc_base_test.py           |  159 +-
 python/samba/tests/krb5/kdc_tgs_tests.py           |  467 ++++--
 python/samba/tests/krb5/kpasswd_tests.py           |    8 +-
 python/samba/tests/krb5/raw_testcase.py            |  253 +++-
 python/samba/tests/krb5/rfc4120_constants.py       |    4 +
 python/samba/tests/krb5/rodc_tests.py              |    8 +-
 python/samba/tests/krb5/s4u_tests.py               |  122 +-
 python/samba/tests/krb5/salt_tests.py              |    6 +-
 python/samba/tests/krb5/spn_tests.py               |    8 +-
 python/samba/tests/krb5/test_ccache.py             |    6 +-
 python/samba/tests/krb5/test_idmap_nss.py          |    6 +-
 python/samba/tests/krb5/test_ldap.py               |    6 +-
 python/samba/tests/krb5/test_min_domain_uid.py     |    7 +-
 python/samba/tests/krb5/test_rpc.py                |    6 +-
 python/samba/tests/krb5/test_smb.py                |    6 +-
 python/samba/tests/usage.py                        |    1 +
 selftest/knownfail_heimdal_kdc                     |    1 +
 selftest/knownfail_mit_kdc                         | 1580 +++++++++++++++++++-
 selftest/subunithelper.py                          |   32 +-
 selftest/target/Samba4.pm                          |  121 +-
 source3/client/clitar.c                            |    2 +-
 source3/libads/kerberos.c                          |    6 +-
 source3/libads/kerberos_keytab.c                   |    4 -
 source3/libnet/libnet_join.c                       |    9 +-
 source3/param/loadparm.c                           |    7 +-
 source3/rpc_client/cli_netlogon.c                  |    2 +-
 source3/utils/destroy_netlogon_creds_cli.c         |    2 +-
 source3/utils/net.c                                |    6 +
 source3/utils/net_ads.c                            |   27 +-
 source3/utils/net_dom.c                            |    2 +
 source3/utils/net_join.c                           |    2 +
 source3/utils/net_offlinejoin.c                    |    2 +
 source3/utils/net_proto.h                          |    2 +
 source3/utils/net_rpc.c                            |   10 +
 source3/utils/net_util.c                           |   14 +
 source3/utils/ntlm_auth.c                          |   12 +-
 source3/utils/testparm.c                           |   89 +-
 source3/winbindd/winbindd_cm.c                     |   41 +-
 source4/dsdb/pydsdb.c                              |    1 +
 source4/heimdal/kdc/kerberos5.c                    |   45 +-
 source4/heimdal/kdc/krb5tgs.c                      |   65 +-
 source4/heimdal/kdc/misc.c                         |    4 +-
 source4/heimdal/lib/hdb/hdb.asn1                   |    6 +-
 source4/heimdal/lib/krb5/init_creds_pw.c           |    2 +-
 source4/heimdal/lib/krb5/pac.c                     |  172 ++-
 source4/kdc/db-glue.c                              |  295 +++-
 source4/kdc/kdc-heimdal.c                          |   23 +-
 source4/kdc/samba_kdc.h                            |    1 +
 source4/kdc/sdb.c                                  |   91 ++
 source4/kdc/sdb.h                                  |   12 +
 source4/kdc/sdb_to_hdb.c                           |   28 +-
 source4/kdc/wdc-samba4.c                           |   23 +-
 source4/libnet/libnet_join.c                       |    4 +-
 source4/libnet/libnet_passwd.c                     |   71 +
 source4/libnet/libnet_passwd.h                     |    7 +
 source4/libnet/py_net.c                            |   18 +-
 source4/rpc_server/netlogon/dcerpc_netlogon.c      | 1013 +++++++++++--
 source4/selftest/tests.py                          |   32 +-
 source4/torture/ntp/ntp_signd.c                    |    2 +-
 source4/torture/rpc/lsa.c                          |   54 +-
 source4/torture/rpc/netlogon.c                     |   24 +-
 source4/torture/rpc/remote_pac.c                   |   14 +-
 source4/torture/rpc/samba3rpc.c                    |   15 +-
 wscript_configure_system_mitkrb5                   |    4 +-
 96 files changed, 5991 insertions(+), 710 deletions(-)
 create mode 100644 docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml
 create mode 100644 docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml
 create mode 100644 docs-xml/smbdotconf/security/kdcsupportedenctypes.xml
 create mode 100644 docs-xml/smbdotconf/security/serverschannelrequireseal.xml
 create mode 100755 python/samba/tests/krb5/etype_tests.py


Changeset truncated at 500 lines:

diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index 551b1611826..6fd43472ae0 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@@ -344,4 +344,11 @@ NTSTATUS netlogon_creds_session_encrypt(
 	struct netlogon_creds_CredentialState *state,
 	DATA_BLOB data);
 
+int cli_credentials_get_aes256_key(struct cli_credentials *cred,
+				   TALLOC_CTX *mem_ctx,
+				   struct loadparm_context *lp_ctx,
+				   const char *password,
+				   const char *salt,
+				   DATA_BLOB *aes_256);
+
 #endif /* __CREDENTIALS_H__ */
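Review bot: the new public prototype cli_credentials_get_aes256_key() carries no comment, and nothing in the header says what its int return means; the neighbouring netlogon_creds_session_encrypt() returns NTSTATUS, so a reader cannot tell from this file that 0 is success and that errno-style values come back otherwise (EINVAL when the credentials hold an NT hash rather than a cleartext password, ENOMEM on allocation failure, per the implementation). Suggest a short comment above the declaration stating the return convention and that `password` must be cleartext and `salt` the Kerberos salt string.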
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index d2e7a76a69e..39b7b8dd57e 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -1459,3 +1459,62 @@ _PUBLIC_ void cli_credentials_set_target_service(struct cli_credentials *cred, c
 	cred->target_service = talloc_strdup(cred, target_service);
 }
 
+_PUBLIC_ int cli_credentials_get_aes256_key(struct cli_credentials *cred,
+					    TALLOC_CTX *mem_ctx,
+					    struct loadparm_context *lp_ctx,
+					    const char *password,
+					    const char *salt,
+					    DATA_BLOB *aes_256)
+{
+	struct smb_krb5_context *smb_krb5_context = NULL;
+	krb5_error_code krb5_ret;
+	int ret;
+	krb5_data cleartext_data;
+	krb5_data salt_data;
+	krb5_keyblock key;
+
+	if (cred->password_will_be_nt_hash) {
+		DEBUG(1,("cli_credentials_get_aes256_key: cannot generate AES256 key using NT hash\n"));
+		return EINVAL;
+	}
+
+	cleartext_data.data = discard_const_p(char, password);
+	cleartext_data.length = strlen(password);
+
+	ret = cli_credentials_get_krb5_context(cred, lp_ctx,
+					       &smb_krb5_context);
+	if (ret != 0) {
+		return ret;
+	}
+
+	salt_data.data = discard_const_p(char, salt);
+	salt_data.length = strlen(salt);
+
+	/*
+	 * create ENCTYPE_AES256_CTS_HMAC_SHA1_96 key out of
+	 * the salt and the cleartext password
+	 */
+	krb5_ret = smb_krb5_create_key_from_string(smb_krb5_context->krb5_context,
+						   NULL,
+						   &salt_data,
+						   &cleartext_data,
+						   ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+						   &key);
+	if (krb5_ret != 0) {
+		DEBUG(1,("cli_credentials_get_aes256_key: "
+			 "generation of a aes256-cts-hmac-sha1-96 key failed: %s",
+			 smb_get_krb5_error_message(smb_krb5_context->krb5_context,
+						    krb5_ret, mem_ctx)));
+		return EINVAL;
+	}
+	*aes_256 = data_blob_talloc(mem_ctx,
+				    KRB5_KEY_DATA(&key),
+				    KRB5_KEY_LENGTH(&key));
+	krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &key);
+	if (aes_256->data == NULL) {
+		return ENOMEM;
+	}
+	talloc_keep_secret(aes_256->data);
+
+	return 0;
+}
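Review bot: the DEBUG message in the smb_krb5_create_key_from_string() failure path, "generation of a aes256-cts-hmac-sha1-96 key failed: %s", has no trailing "\n" (the message at the top of the function does), so the next log line will be glued onto it; add the newline. In the same path the string returned by smb_get_krb5_error_message() is allocated on the caller's mem_ctx and never freed, and the krb5 error code is collapsed to a bare EINVAL, so callers lose the real cause; consider a local talloc frame for the message and either returning krb5_ret or including it numerically in the message. Minor: `password` and `salt` go straight into strlen() with no NULL check, so a caller passing NULL crashes rather than getting EINVAL.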
diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py
index 4d2aea6c941..e17e667532b 100644
--- a/buildtools/wafsamba/samba_autoconf.py
+++ b/buildtools/wafsamba/samba_autoconf.py
@@ -184,7 +184,8 @@ def CHECK_TYPE_IN(conf, t, headers=None, alternate=None, define=None):
 
 @conf
 def CHECK_VARIABLE(conf, v, define=None, always=False,
-                   headers=None, msg=None, lib=None):
+                   headers=None, msg=None, lib=None,
+                   mandatory=False):
     '''check for a variable declaration (or define)'''
     if define is None:
         define = 'HAVE_%s' % v.upper()
@@ -208,6 +209,7 @@ def CHECK_VARIABLE(conf, v, define=None, always=False,
                       lib=lib,
                       headers=headers,
                       define=define,
+                      mandatory=mandatory,
                       always=always)
 
 
diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml
index 9a40bb1bec4..8e9279cc518 100644
--- a/docs-xml/manpages/samba-tool.8.xml
+++ b/docs-xml/manpages/samba-tool.8.xml
@@ -676,6 +676,11 @@
 	<para>Create a domain or forest trust.</para>
 </refsect3>
 
+<refsect3>
+	<title>domain trust modify <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
+	<para>Modify a domain or forest trust.</para>
+</refsect3>
+
 <refsect3>
 	<title>domain trust delete <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
 	<para>Delete a domain trust.</para>
diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml
index 03dc8fa93f7..ee63e6cc245 100644
--- a/docs-xml/smbdotconf/logon/allownt4crypto.xml
+++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml
@@ -1,11 +1,18 @@
 <samba:parameter name="allow nt4 crypto"
                  context="G"
                  type="boolean"
+                 deprecated="1"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
+	<para>
+	This option is deprecated and will be removed in future,
+	as it is a security problem if not set to "no" (which will be
+	the hardcoded behavior in future).
+	</para>
+
 	<para>This option controls whether the netlogon server (currently
 	only in 'active directory domain controller' mode), will
-	reject clients which does not support NETLOGON_NEG_STRONG_KEYS
+	reject clients which do not support NETLOGON_NEG_STRONG_KEYS
 	nor NETLOGON_NEG_SUPPORTS_AES.</para>
 
 	<para>This option was added with Samba 4.2.0. It may lock out clients
@@ -18,8 +25,82 @@
 
 	<para>"allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks.</para>
 
-	<para>This option yields precedence to the 'reject md5 clients' option.</para>
+	<para><emphasis>Avoid using this option!</emphasis> Use explicit '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' instead!
+	Which is available with the patches for
+	<ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
+	see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink></para>
+
+	<para>
+	Samba will log an error in the log files at log level 0
+	if legacy a client is rejected or allowed without an explicit,
+	'<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' option
+	for the client. The message will indicate
+	the explicit '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>'
+	line to be added, if the legacy client software requires it. (The log level can be adjusted with
+	'<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>'
+	in order to complain only at a higher log level).
+	</para>
+
+	<para>This allows admins to use "yes" only for a short grace period,
+	in order to collect the explicit
+	'<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' options.</para>
+
+	<para>This option is over-ridden by the effective value of 'yes' from
+	the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>'
+	and/or '<smbconfoption name="reject md5 clients"/>' options.</para>
 </description>
 
 <value type="default">no</value>
 </samba:parameter>
+
+<samba:parameter name="allow nt4 crypto:COMPUTERACCOUNT"
+                 context="G"
+                 type="string"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+    <para>If you still have legacy domain members which required 'allow nt4 crypto = yes',
+	it is possible to specify an explicit exception per computer account
+	by using 'allow nt4 crypto:COMPUTERACCOUNT = yes' as option.
+	Note that COMPUTERACCOUNT has to be the sAMAccountName value of
+	the computer account (including the trailing '$' sign).
+    </para>
+
+    <para>
+	Samba will log a complaint in the log files at log level 0
+	about the security problem if the option is set to "yes",
+	but the related computer does not require it.
+	(The log level can be adjusted with
+	'<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>'
+	in order to complain only at a higher log level).
+    </para>
+
+    <para>
+	Samba will log a warning in the log files at log level 5,
+	if a setting is still needed for the specified computer account.
+    </para>
+
+    <para>
+	See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>,
+	<ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+    </para>
+
+    <para>This option overrides the <smbconfoption name="allow nt4 crypto"/> option.</para>
+
+    <para>This option is over-ridden by the effective value of 'yes' from
+    the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>'
+    and/or '<smbconfoption name="reject md5 clients"/>' options.</para>
+    <para>Which means '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>'
+    is only useful in combination with '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'</para>
+
+    <programlisting>
+	allow nt4 crypto:LEGACYCOMPUTER1$ = yes
+	server reject md5 schannel:LEGACYCOMPUTER1$ = no
+	allow nt4 crypto:NASBOX$ = yes
+	server reject md5 schannel:NASBOX$ = no
+	allow nt4 crypto:LEGACYCOMPUTER2$ = yes
+	server reject md5 schannel:LEGACYCOMPUTER2$ = no
+    </programlisting>
+</description>
+
+</samba:parameter>
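Review bot: wording problems in the new text: "if legacy a client is rejected or allowed" should read "if a legacy client is rejected or allowed"; "Use explicit '...' instead! Which is available with the patches for CVE-2022-38023" is a sentence fragment (join it as "instead, which is available with the patches for ..."), and the same "Which means ..." fragment appears in the COMPUTERACCOUNT description; "legacy domain members which required 'allow nt4 crypto = yes'" should be present tense, "which require". Since these paragraphs are what admins will read when they hit the log-level-0 error, it is worth getting them right before the backport ships.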
diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
index 41684ef1080..fe7701d9277 100644
--- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml
+++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
@@ -1,17 +1,110 @@
 <samba:parameter name="reject md5 clients"
                  context="G"
                  type="boolean"
+                 deprecated="1"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
+	<para>
+	This option is deprecated and will be removed in a future release,
+	as it is a security problem if not set to "yes" (which will be
+	the hardcoded behavior in the future).
+	</para>
+
 	<para>This option controls whether the netlogon server (currently
 	only in 'active directory domain controller' mode), will
 	reject clients which does not support NETLOGON_NEG_SUPPORTS_AES.</para>
 
-	<para>You can set this to yes if all domain members support aes.
-	This will prevent downgrade attacks.</para>
+	<para>Support for NETLOGON_NEG_SUPPORTS_AES was added in Windows
+	starting with Server 2008R2 and Windows 7, it's available in Samba
+	starting with 4.0, however third party domain members like NetApp ONTAP
+	still uses RC4 (HMAC-MD5), see
+	<ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">https://www.samba.org/samba/security/CVE-2022-38023.html</ulink>
+	for more details.
+	</para>
+
+	<para>The default changed from 'no' to 'yes', with the patches for
+	<ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
+	see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+	</para>
+
+	<para><emphasis>Avoid using this option!</emphasis> Use an explicit per machine account
+	'<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>' instead!
+	Which is available with the patches for
+	<ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
+	see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+	</para>
+
+	<para>
+	Samba will log an error in the log files at log level 0
+	if legacy a client is rejected or allowed without an explicit,
+	'<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' option
+	for the client. The message will indicate
+	the explicit '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'
+	line to be added, if the legacy client software requires it. (The log level can be adjusted with
+	'<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>'
+	in order to complain only at a higher log level).
+	</para>
+
+	<para>This allows admins to use "no" only for a short grace period,
+	in order to collect the explicit
+	'<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' options.</para>
+
+	<para>When set to 'yes' this option overrides the
+	'<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT"/>' and
+	'<smbconfoption name="allow nt4 crypto"/>' options and implies
+	'<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">no</smbconfoption>'.
+	</para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
+
+<samba:parameter name="server reject md5 schannel:COMPUTERACCOUNT"
+                 context="G"
+                 type="string"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+    <para>If you still have legacy domain members or trusted domains,
+	which required "reject md5 clients = no" before,
+	it is possible to specify an explicit exception per computer account
+	by setting 'server reject md5 schannel:COMPUTERACCOUNT = no'.
+	Note that COMPUTERACCOUNT has to be the sAMAccountName value of
+	the computer account (including the trailing '$' sign).
+    </para>
+
+    <para>
+	Samba will log a complaint in the log files at log level 0
+	about the security problem if the option is set to "no",
+	but the related computer does not require it.
+	(The log level can be adjusted with
+	'<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>'
+	in order to complain only at a higher log level).
+    </para>
+
+    <para>
+	Samba will log a warning in the log files at log level 5
+	if a setting is still needed for the specified computer account.
+    </para>
+
+    <para>
+	See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>,
+	<ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+    </para>
+
+    <para>This option overrides the <smbconfoption name="reject md5 clients"/> option.</para>
+
+    <para>When set to 'yes' this option overrides the
+    '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT"/>' and
+    '<smbconfoption name="allow nt4 crypto"/>' options and implies
+    '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">no</smbconfoption>'.
+    </para>
 
-	<para>This option takes precedence to the 'allow nt4 crypto' option.</para>
+    <programlisting>
+	server reject md5 schannel:LEGACYCOMPUTER1$ = no
+	server reject md5 schannel:NASBOX$ = no
+	server reject md5 schannel:LEGACYCOMPUTER2$ = no
+    </programlisting>
 </description>
 
-<value type="default">no</value>
 </samba:parameter>
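Review bot: the unchanged context line "reject clients which does not support NETLOGON_NEG_SUPPORTS_AES" still has the does/do error that this same series fixes in allownt4crypto.xml; fix it here too while the file is being rewritten. In the new text, "third party domain members like NetApp ONTAP still uses RC4" should be "still use", "if legacy a client is rejected or allowed" should be "if a legacy client is rejected or allowed" (the same typo as in allownt4crypto.xml), and "it's available in Samba starting with 4.0, however third party ..." is a comma splice that reads better as two sentences.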
diff --git a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
index 03531adbfb3..8bccab391cc 100644
--- a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
+++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
@@ -15,7 +15,7 @@
 	<para>The behavior can be overwritten per interface name (e.g. lsarpc, netlogon, samr, srvsvc,
 	winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = yes' as option.</para>
 
-	<para>This option yields precedence to the implementation specific restrictions.
+	<para>This option is over-ridden by the implementation specific restrictions.
 	E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
 	The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.
 	</para>
diff --git a/docs-xml/smbdotconf/security/clientschannel.xml b/docs-xml/smbdotconf/security/clientschannel.xml
index 5b07da95050..d124ad48181 100644
--- a/docs-xml/smbdotconf/security/clientschannel.xml
+++ b/docs-xml/smbdotconf/security/clientschannel.xml
@@ -23,7 +23,7 @@
     <para>Note that for active directory domains this is hardcoded to
     <smbconfoption name="client schannel">yes</smbconfoption>.</para>
 
-    <para>This option yields precedence to the <smbconfoption name="require strong key"/> option.</para>
+    <para>This option is over-ridden by the <smbconfoption name="require strong key"/> option.</para>
 </description>
 <value type="default">yes</value>
 <value type="example">auto</value>
diff --git a/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml b/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml
new file mode 100644
index 00000000000..984611167b5
--- /dev/null
+++ b/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml
@@ -0,0 +1,42 @@
+<samba:parameter name="kdc default domain supported enctypes"
+                 type="integer"
+                 context="G"
+                 handler="handle_kdc_default_domain_supported_enctypes"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+  <para>
+    Set the default value of <constant>msDS-SupportedEncryptionTypes</constant> for service accounts in Active Directory that are missing this value or where <constant>msDS-SupportedEncryptionTypes</constant> is set to 0.
+  </para>
+
+  <para>
+    This allows Samba administrators to match the configuration flexibility provided by the
+    <constant>HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\KDC\DefaultDomainSupportedEncTypes</constant> Registry Value on Windows.
+  </para>
+  <para>
+    Unlike the Windows registry key (which only takes an base-10 number), in Samba this may also be expressed in hexadecimal or as a list of Kerberos encryption type names.
+  </para>
+  <para>
+    Specified values are ORed together bitwise, and those currently supported consist of:
+    </para><itemizedlist>
+   <listitem>
+       <para><constant>arcfour-hmac-md5</constant>, <constant>rc4-hmac</constant>, <constant>0x4</constant>, or <constant>4</constant></para>
+       <para>Known on Windows as Kerberos RC4 encryption</para>
+   </listitem>
+   <listitem>
+       <para><constant>aes128-cts-hmac-sha1-96</constant>, <constant>aes128-cts</constant>, <constant>0x8</constant>, or <constant>8</constant></para>
+       <para>Known on Windows as Kerberos AES 128 bit encryption</para>
+   </listitem>
+   <listitem>
+       <para><constant>aes256-cts-hmac-sha1-96</constant>, <constant>aes256-cts</constant>, <constant>0x10</constant>, or <constant>16</constant></para>
+       <para>Known on Windows as Kerberos AES 256 bit encryption</para>
+   </listitem>
+   <listitem>
+       <para><constant>aes256-cts-hmac-sha1-96-sk</constant>, <constant>aes256-cts-sk</constant>, <constant>0x20</constant>, or <constant>32</constant></para>
+       <para>Allow AES session keys. When this is set, it indicates to the KDC that AES session keys can be used, even when <constant>aes256-cts</constant> and <constant>aes128-cts</constant> are not set.  This allows use of AES keys against hosts otherwise only configured with RC4 for ticket keys (which is the default).</para>
+   </listitem>
+</itemizedlist>
+
+</description>
+
+<value type="default">0<comment>maps to what the software supports currently: arcfour-hmac-md5 aes256-cts-hmac-sha1-96-sk</comment></value>
+</samba:parameter>
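Review bot: the only place that says what the default value 0 means is the <comment> inside <value type="default">; the description should state in prose that 0 selects the built-in default of arcfour-hmac-md5 plus aes256-cts-hmac-sha1-96-sk, so that an administrator reading only the description does not conclude that 0 means "no encryption types" for accounts lacking msDS-SupportedEncryptionTypes. Wording: "which only takes an base-10 number" should be "a base-10 number", and "those currently supported consist of:" reads awkwardly; suggest "Specified values are ORed together bitwise; the currently supported values are:". In the 0x20 item, the closing "(which is the default)" is ambiguous about what it refers to; say explicitly that RC4-only ticket keys are the default for accounts without msDS-SupportedEncryptionTypes. Style: "</para><itemizedlist>" on one line should be split onto two lines to match the indentation of the surrounding elements.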
diff --git a/docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml b/docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml
new file mode 100644
index 00000000000..1cb46d74a36
--- /dev/null
+++ b/docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml
@@ -0,0 +1,24 @@
+<samba:parameter name="kdc force enable rc4 weak session keys"
+                 type="boolean"
+                 context="G"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>
+	  <constant>RFC8429</constant> declares that
+	  <constant>rc4-hmac</constant> Kerberos ciphers are weak and
+	  there are known attacks on Active Directory use of this
+	  cipher suite.
+	</para>
+	<para>
+	  However for compatibility with Microsoft Windows this option
+	  allows the KDC to assume that regardless of the value set in
+	  a service account's
+	  <constant>msDS-SupportedEncryptionTypes</constant> attribute
+	  that a <constant>rc4-hmac</constant> Kerberos session key (as distinct from the ticket key, as
+	  found in a service keytab) can be used if the potentially
+	  older client requests it.
+	</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
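Review bot: the second <para> has a doubled "that" ("assume that regardless of ... that a rc4-hmac ...") and "a rc4-hmac" should be "an rc4-hmac"; suggest: "However, for compatibility with Microsoft Windows, this option allows the KDC to use an rc4-hmac Kerberos session key (as distinct from the ticket key found in a service keytab) when a potentially older client requests it, regardless of the value set in the service account's msDS-SupportedEncryptionTypes attribute." Marking up RFC8429 as <constant> is odd for a document reference; "RFC 8429" in plain text (or whatever markup the docs use for other RFC citations) fits better. Since the default is "no", the description should also say what the default behaviour is, presumably that the session key enctype is then bounded by the account's msDS-SupportedEncryptionTypes, because that is the trade-off an administrator needs to understand before enabling this.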
diff --git a/docs-xml/smbdotconf/security/kdcsupportedenctypes.xml b/docs-xml/smbdotconf/security/kdcsupportedenctypes.xml
new file mode 100644
index 00000000000..5e028bbb2be
--- /dev/null
+++ b/docs-xml/smbdotconf/security/kdcsupportedenctypes.xml
@@ -0,0 +1,40 @@
+<samba:parameter name="kdc supported enctypes"
+                 type="integer"
+                 context="G"
+                 handler="handle_kdc_supported_enctypes"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+  <para>
+    On an active directory domain controller, this is the list of supported encryption types for local running kdc.
+  </para>
+
+  <para>
+    This allows Samba administrators to remove support for weak/unused encryption types, similar
+    the configuration flexibility provided by the <constant>Network security: Configure encryption types allowed for Kerberos</constant>
+    GPO/Local Policies/Security Options Value, which results in the
+    <constant>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes</constant> Registry Value on Windows.
+  </para>
+  <para>
+    Unlike the Windows registry key (which only takes an base-10 number), in Samba this may also be expressed as hexadecimal or a list of Kerberos encryption type names.
+  </para>
+  <para>
+    Specified values are ORed together bitwise, and those currently supported consist of:
+    </para><itemizedlist>
+   <listitem>
+       <para><constant>arcfour-hmac-md5</constant>, <constant>rc4-hmac</constant>, <constant>0x4</constant>, or <constant>4</constant></para>
+       <para>Known on Windows as Kerberos RC4 encryption</para>
+   </listitem>
+   <listitem>
+       <para><constant>aes128-cts-hmac-sha1-96</constant>, <constant>aes128-cts</constant>, <constant>0x8</constant>, or <constant>8</constant></para>
+       <para>Known on Windows as Kerberos AES 128 bit encryption</para>
+   </listitem>
+   <listitem>
+       <para><constant>aes256-cts-hmac-sha1-96</constant>, <constant>aes256-cts</constant>, <constant>0x10</constant>, or <constant>16</constant></para>
+       <para>Known on Windows as Kerberos AES 256 bit encryption</para>
+   </listitem>
+</itemizedlist>
+
+</description>
+
+<value type="default">0<comment>maps to what the software supports currently: arcfour-hmac-md5 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96</comment></value>
+</samba:parameter>
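Review bot: the value list stops at 0x10 and omits the 0x20 aes256-cts-hmac-sha1-96-sk flag documented in kdcdefaultdomainsupportedenctypes.xml; if that is intentional because this parameter governs the encryption types the KDC itself supports rather than per-account session-key flags, a sentence saying so would stop administrators from copying a value between the two options and wondering why 0x20 is rejected here. Wording in the description: "for local running kdc" should be "for the locally running KDC"; "similar the configuration flexibility" is missing "to"; "which only takes an base-10 number" should be "a base-10 number"; and "expressed as hexadecimal" here versus "expressed in hexadecimal" in the sibling file should be made consistent. As in the sibling file, "</para><itemizedlist>" on one line should be split onto two lines.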
diff --git a/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml b/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml
index 2c3c6c5d5fc..a245af55f5f 100644


-- 
Samba Shared Repository