[SCM] Samba Shared Repository - branch v4-16-test updated

Stefan Metzmacher metze at samba.org
Wed Dec 14 11:34:02 UTC 2022


The branch, v4-16-test has been updated
       via  d5a8e41313d CVE-2022-37966 python:/tests/krb5: call sys.path.insert(0, "bin/python") before any other imports
       via  160e566d590 CVE-2022-37966 samba-tool: add 'domain trust modify' command
       via  cdc71cfd273 CVE-2022-37966 s4:kdc: apply restrictions of "kdc supported enctypes"
       via  4477651a0de CVE-2022-37966 param: Add support for new option "kdc supported enctypes"
       via  be57176c3ab CVE-2022-37966 param: let "kdc default domain supportedenctypes = 0" mean the default
       via  e7d3998bcc8 CVE-2022-37966 param: don't explicitly initialize "kdc force enable rc4 weak session keys" to false/"no"
       via  906dbd0a4bd CVE-2022-37966 s4:kdc: announce PA-SUPPORTED-ETYPES like windows.
       via  c8afae7869a CVE-2022-37966 python:tests/krb5: test much more etype combinations
       via  8e6d2953ba1 CVE-2022-37966 python:tests/krb5: add better PADATA_SUPPORTED_ETYPES assert message
       via  f4dc5721be3 CVE-2022-37966 python:tests/krb5: add 'force_nt4_hash' for account creation of KDCBaseTest
       via  aeb7c646bb0 CVE-2022-37966 python:tests/krb5: ignore empty supplementalCredentials attributes
       via  b20acd876c8 CVE-2022-37966 python:tests/krb5: allow ticket/supported_etypes to be passed KdcTgsBaseTests._{as,tgs}_req()
       via  3ea9946f652 CVE-2022-37966 python:tests/krb5: fix some tests running against Windows 2022
       via  dd69e432ee8 CVE-2022-37966 s4:libnet: allow python bindings to force setting an nthash via SAMR level 18
       via  55476d01ffc CVE-2022-37966 s4:libnet: add support LIBNET_SET_PASSWORD_SAMR_HANDLE_18 to set nthash only
       via  f11edc1741e CVE-2022-37966 s4:libnet: initialize libnet_SetPassword() arguments explicitly to zero by default.
       via  b40b03d0601 CVE-2022-37966 drsuapi.idl: add trustedDomain related ATTID values
       via  ec1a2225a0f CVE-2022-37966 s4:kdc: use the strongest possible keys
       via  679904dc0df CVE-2022-37966 s4:pydsdb: add ENC_HMAC_SHA1_96_AES256_SK
       via  052cfe5a4a1 CVE-2022-37966 s3:net_ads: let 'net ads enctypes list' pretty print AES256-SK and RESOURCE-SID-COMPRESSION-DISABLED
       via  1d2318ec326 CVE-2022-37966 s3:net_ads: no longer reference des encryption types
       via  f8839f39f0a CVE-2022-37966 s3:libnet: no longer reference des encryption types
       via  3e4a521a2aa CVE-2022-37966 s3:libads: no longer reference des encryption types
       via  b2201628245 CVE-2022-37966 lib/krb5_wrap: no longer reference des encryption types
       via  0c7af9838fe CVE-2022-37966 s3:net_ads: remove unused ifdef HAVE_ENCTYPE_AES*
       via  c0bbcc442b8 CVE-2022-37966 s3:libnet: remove unused ifdef HAVE_ENCTYPE_AES*
       via  836646d4a02 CVE-2022-37966 s3:libads: remove unused ifdef HAVE_ENCTYPE_AES*
       via  911750da81a CVE-2022-37966 lib/krb5_wrap: remove unused ifdef HAVE_ENCTYPE_AES*
       via  8842d0197d1 CVE-2022-37966 system_mitkrb5: require support for aes enctypes
       via  001ed425ea1 CVE-2022-37966 wafsamba: add support for CHECK_VARIABLE(mandatory=True)
       via  c13c60ffbf7 CVE-2022-37966 kdc: Assume trust objects support AES by default
       via  a836bcf22ce CVE-2022-37966 kdc: Implement new Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
       via  da9da918f75 CVE-2022-37966 selftest: Run S4U tests against FL2003 DC
       via  f29efb011f6 CVE-2022-37966 selftest: Add tests for Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
       via  71fcd5366a0 CVE-2022-37966 samba-tool: Declare explicitly RC4 support of trust objects
       via  b8996509387 CVE-2022-37966 samba-tool: Fix 'domain trust create' documentation
       via  31543f2902e CVE-2022-37966 third_party/heimdal: Fix error message typo
       via  545c20fd321 CVE-2022-37966 param: Add support for new option "kdc force enable rc4 weak session keys"
       via  4c2dc48598d CVE-2022-37966 param: Add support for new option "kdc default domain supportedenctypes"
       via  0601bb94c62 CVE-2022-37967 Add new PAC checksum
       via  a9c836d0442 CVE-2022-37966 HEIMDAL: Look up the server keys to combine with clients etype list to select a session key
       via  8d208ab0616 CVE-2022-37966 tests/krb5: Add a test requesting tickets with various encryption types
       via  9ed5a352ca1 CVE-2022-37966 tests/krb5: Add 'etypes' parameter to _tgs_req()
       via  cc2bea27a64 CVE-2022-37966 tests/krb5: Split out _tgs_req() into base class
       via  2408d405d31 CVE-2022-37966 selftest: Allow krb5 tests to run against an IP by using the target_hostname binding string
       via  91b74c701ac CVE-2022-37966 libcli/auth: let netlogon_creds_cli_warn_options() about "kerberos encryption types=legacy"
       via  12e4e94853f CVE-2022-37966 testparm: warn about 'kerberos encryption types = legacy'
       via  05206c09237 CVE-2022-37966 docs-xml/smbdotconf: "kerberos encryption types = legacy" should not be used
       via  a65fc1fa476 CVE-2022-37966 tests/krb5: Add test requesting a TGT expiring post-2038
       via  397a390aa86 CVE-2022-37966 s3:utils: Fix old-style function definition
       via  a89385f2ab7 CVE-2022-37966 s3:client: Fix old-style function definition
       via  130c4877b38 CVE-2022-37966 s3:param: Fix old-style function definition
       via  0fee9c469c0 CVE-2022-37966 tests/krb5: Allow passing expected etypes to get_keys()
       via  3dec660ae2b CVE-2022-37966 s4:kdc: Move supported enc-type handling out of samba_kdc_message2entry_keys()
       via  c09df344f0e CVE-2022-38023 testparm: warn about unsecure schannel related options
       via  587ff282a9d CVE-2022-38023 testparm: warn about server/client schannel != yes
       via  03730459feb CVE-2022-38023 s4:rpc_server/netlogon: implement "server schannel require seal[:COMPUTERACCOUNT]"
       via  1d9c939ebaa CVE-2022-38023 s4:rpc_server/netlogon: add a per connection cache to dcesrv_netr_check_schannel()
       via  d04da3d7008 CVE-2022-38023 docs-xml/smbdotconf: add "server schannel require seal[:COMPUTERACCOUNT]" options
       via  9f809e2dd39 CVE-2022-38023 s4:rpc_server/netlogon: make sure all dcesrv_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
       via  abba8c4579f CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_check_schannel() function
       via  3f7cd285b79 CVE-2022-38023 selftest:Samba4: avoid global 'allow nt4 crypto = yes' and 'reject md5 clients = no'
       via  729e905776c CVE-2022-38023 s4:rpc_server/netlogon: debug 'reject md5 servers' and 'allow nt4 crypto' misconfigurations
       via  80d0238679f CVE-2022-38023 docs-xml/smbdotconf: document "server reject md5 schannel:COMPUTERACCOUNT"
       via  3075f65e5d5 CVE-2022-38023 docs-xml/smbdotconf: document "allow nt4 crypto:COMPUTERACCOUNT = no"
       via  d2dc3622d45 CVE-2022-38023 s4:rpc_server/netlogon: add 'server reject md5 schannel:COMPUTERACCOUNT = no' and 'allow nt4 crypto:COMPUTERACCOUNT = yes'
       via  c25546926f5 CVE-2022-38023 s4:rpc_server/netlogon: defer downgrade check until we found the account in our SAM
       via  bc78864cb5f CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 clients' default to yes
       via  852763adc22 CVE-2022-38023 s4:rpc_server/netlogon: require aes if weak crypto is disabled
       via  35ff1221013 CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_ServerAuthenticate3_check_downgrade()
       via  3f4c9c13b1f CVE-2022-38023 s4:torture: use NETLOGON_NEG_SUPPORTS_AES by default
       via  066dafb07a1 CVE-2022-38023 selftest:Samba4: avoid global 'server schannel = auto'
       via  82af786a36b CVE-2022-38023 s4:rpc_server/netlogon: improve CVE-2020-1472(ZeroLogon) debug messages
       via  88018634c78 CVE-2022-38023 s4:rpc_server/netlogon: re-order checking in dcesrv_netr_creds_server_step_check()
       via  0c32166174b CVE-2022-38023 s4:rpc_server/netlogon: add talloc_stackframe() to dcesrv_netr_creds_server_step_check()
       via  a5996700ade CVE-2022-38023 s4:rpc_server/netlogon: add a lp_ctx variable to dcesrv_netr_creds_server_step_check()
       via  2139565c2fe CVE-2022-38023 s4:rpc_server/netlogon: 'server schannel != yes' warning to dcesrv_interface_netlogon_bind
       via  08e2a933933 CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 servers' default to yes
       via  a2388a06cba CVE-2022-38023 s3:winbindd: also allow per domain "winbind sealed pipes:DOMAIN" and "require strong key:DOMAIN"
       via  8a7df0920b7 CVE-2022-38023 s3:net: add and use net_warn_member_options() helper
       via  1fe8857b4d9 CVE-2022-38023 libcli/auth: add/use netlogon_creds_cli_warn_options()
       via  b0dbc395510 CVE-2022-38023 libcli/auth: pass lp_ctx to netlogon_creds_cli_set_global_db()
       via  421398ce5eb CVE-2022-38023 docs-xml: improve wording for several options: "yields precedence" -> "is over-riden"
       via  af08dd3e25a CVE-2022-38023 docs-xml: improve wording for several options: "takes precedence" -> "overrides"
       via  4d099f8f678 selftest: make filter-subunit much more efficient for large knownfail lists
      from  a1136ed2e05 CVE-2021-20251: s4:auth: fix use after free in authsam_logon_success_accounting()

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-16-test


- Log -----------------------------------------------------------------
commit d5a8e41313d6645898bca3771131da92860b715b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 29 14:14:32 2022 +0100

    CVE-2022-37966 python:/tests/krb5: call sys.path.insert(0, "bin/python") before any other imports
    
    This allows the tests to be executed without an explicit
    PYTHONPATH="bin/python".
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Tue Dec 13 14:06:14 UTC 2022 on sn-devel-184
    
    (similar to commit 987cba90573f955fe9c781830daec85ad4d5bf92)
    [jsutton at samba.org Fixed conflicts; removed changes to non-existent
     tests]
    
    Autobuild-User(v4-16-test): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(v4-16-test): Wed Dec 14 11:34:00 UTC 2022 on sn-devel-184

commit 160e566d59011cfc9e5002f306314f1e9a37371b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Dec 6 12:55:45 2022 +0100

    CVE-2022-37966 samba-tool: add 'domain trust modify' command
    
    For now it only allows the admin to modify
    the msDS-SupportedEncryptionTypes values.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    (cherry picked from commit d1999c152acdf939b4cd7eb446dd9921d3edae29)

commit cdc71cfd273fed0d7907f05897a77335dee374e1
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 30 09:39:19 2022 +0100

    CVE-2022-37966 s4:kdc: apply restrictions of "kdc supported enctypes"
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit cca3c024fc514bee79bb60a686e470605cc98d6f)

commit 4477651a0de470f826cc548b78feb14305a6ba2b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 29 14:13:36 2022 +0100

    CVE-2022-37966 param: Add support for new option "kdc supported enctypes"
    
    This allows admins to disable enctypes completely if required.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 36d0a495159f72633f1f41deec979095417a1727)

commit be57176c3abd01635859e3d3195c3afc091610db
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 30 09:05:51 2022 +0100

    CVE-2022-37966 param: let "kdc default domain supportedenctypes = 0" mean the default
    
    In order to allow better upgrades we need the default value for smb.conf to the
    same even if the effective default value of the software changes in future.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit fa64f8fa8d92167ed15d1109af65bbb4daab4bad)

commit e7d3998bcc8dd4bae40ce5c5854d8c1a39c92809
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 30 09:02:41 2022 +0100

    CVE-2022-37966 param: don't explicitly initialize "kdc force enable rc4 weak session keys" to false/"no"
    
    This is not squashed in order to allow easier backports...
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 7504a4d6fee7805aac7657b9dab88c48353d6db4)

commit 906dbd0a4bdc89d14c971c1bd4e6c3059eefb2c6
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Mar 24 15:44:40 2022 +0100

    CVE-2022-37966 s4:kdc: announce PA-SUPPORTED-ETYPES like windows.
    
    We need to take the value from the msDS-SupportedEncryptionTypes
    attribute and only take the default if there's no value or
    if the value is 0.
    
    For krbtgt and DC accounts we need to force support for
    ARCFOUR-HMAC-MD5 and AES encryption types and add the related bits
    in addtition. (Note for krbtgt msDS-SupportedEncryptionTypes is
    completely ignored the hardcoded value is the default, so there's
    no AES256-SK for krbtgt).
    
    For UF_USE_DES_KEY_ONLY on the account we reset
    the value to 0, these accounts are in fact disabled completely,
    as they always result in KRB5KDC_ERR_ETYPE_NOSUPP.
    
    Then we try to get all encryption keys marked in
    supported_enctypes, and the available_enctypes
    is a reduced set depending on what keys are
    actually stored in the database.
    
    We select the supported session key enctypes by the available
    keys and in addition based on AES256-SK as well as the
    "kdc force enable rc4 weak session keys" option.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit fde745ec3491a4fd7b23e053a67093a2ccaf0905)
    
    [jsutton at samba.org Adapted to older KDC code]

commit c8afae7869a8aa53da90bf1748eb8ce2e8d763aa
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 29 17:11:01 2022 +0100

    CVE-2022-37966 python:tests/krb5: test much more etype combinations
    
    This tests work out the difference between
    - msDS-SupportedEncryptionTypes value or it's default
    - software defined extra flags for DC accounts
    - accounts with only an nt hash being stored
    - the resulting value in the KRB5_PADATA_SUPPORTED_ETYPES announcement
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 1dfa91682efd3b12d7d6af75287efb12ebd9e526)

commit 8e6d2953ba1ac44a2395cbcdd202a4f38ee16c98
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 29 20:59:52 2022 +0100

    CVE-2022-37966 python:tests/krb5: add better PADATA_SUPPORTED_ETYPES assert message
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit c7c576208960e336da276e251ad7a526e1b3ed45)

commit f4dc5721be379b292bcc175e35c49bc6dee82b73
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 29 16:42:58 2022 +0100

    CVE-2022-37966 python:tests/krb5: add 'force_nt4_hash' for account creation of KDCBaseTest
    
    This will allow us to create tests accounts with only an nt4 hash
    stored, without any aes keys.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 77bd3258f1db0ddf4639a83a81a1aad3ee52c87d)
    
    [jsutton at samba.org Fixed conflicts in parameters]

commit aeb7c646bb03d468f2cc167153dd54d79848cabb
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 29 20:27:14 2022 +0100

    CVE-2022-37966 python:tests/krb5: ignore empty supplementalCredentials attributes
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit f434a30ee7c40aac4a223fcabac9ddd160a155a5)

commit b20acd876c892dd9b2fdf74c8d2dc1a2f95a32ab
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 29 14:15:40 2022 +0100

    CVE-2022-37966 python:tests/krb5: allow ticket/supported_etypes to be passed KdcTgsBaseTests._{as,tgs}_req()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit d8fd6a22b67a2b3ae03a2e428cc4987f07af6e29)

commit 3ea9946f652a04373f3a51597aae4aa24c912eb0
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 29 09:48:09 2022 +0100

    CVE-2022-37966 python:tests/krb5: fix some tests running against Windows 2022
    
    I'm using the following options:
    
    SERVER=172.31.9.218 DC_SERVER=w2022-118.w2022-l7.base \
    SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 \
    DOMAIN=W2022-L7 REALM=W2022-L7.BASE \
    ADMIN_USERNAME=Administrator ADMIN_PASSWORD=A1b2C3d4 \
    CLIENT_USERNAME=Administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=2 \
    FULL_SIG_SUPPORT=1 TKT_SIG_SUPPORT=1 FORCED_RC4=1
    
    in order to run these:
    
    python/samba/tests/krb5/as_req_tests.py -v --failfast AsReqKerberosTests
    python/samba/tests/krb5/etype_tests.py -v --failfast EtypeTests
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    (cherry picked from commit e0f89b7bc8025db615dccf096aab4ca87e655368)
    [jsutton at samba.org Fixed conflicts in parameters; brought in rep_padata
     non-None assertion]

commit dd69e432ee80317b691f92a7515917cfda894488
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 29 15:45:56 2022 +0100

    CVE-2022-37966 s4:libnet: allow python bindings to force setting an nthash via SAMR level 18
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 4ebbe7e40754eeb1c8f221dd59018c3e681ab2ab)

commit 55476d01ffcc8115d4170e2b0b2cc8252d0227a7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Mar 24 14:09:50 2022 +0100

    CVE-2022-37966 s4:libnet: add support LIBNET_SET_PASSWORD_SAMR_HANDLE_18 to set nthash only
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 271cd82cd681d723572fcaeed24052dc98a83612)

commit f11edc1741ea584552e608947cc08956c67cbf9e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 29 15:42:27 2022 +0100

    CVE-2022-37966 s4:libnet: initialize libnet_SetPassword() arguments explicitly to zero by default.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 9e69289b099b47e0352ef67ef7e6529d11688e9a)

commit b40b03d0601394cc3a8e7923229aa8d53b2d815f
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Feb 3 16:27:15 2022 +0100

    CVE-2022-37966 drsuapi.idl: add trustedDomain related ATTID values
    
    For now this is only for debugging in order to see
    DRSUAPI_ATTID_msDS_SupportedEncryptionTypes in the replication meta
    data.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit f1c5fa28c460f7e011049606b1b9ef96443e5e1f)

commit ec1a2225a0f73f81c46530203775fd5ac703858a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 7 18:03:45 2017 +0100

    CVE-2022-37966 s4:kdc: use the strongest possible keys
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit d7ea197ed1a9903f601030e6466cc822f9b8f794)

commit 679904dc0dfd187704a1fe2b9d9fb1b498773516
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 23 15:27:14 2022 +0100

    CVE-2022-37966 s4:pydsdb: add ENC_HMAC_SHA1_96_AES256_SK
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 621b8c3927b63776146940b183b03b3ea77fd2d7)

commit 052cfe5a4a1a02bcad0fce53e8e4a1002aa787fd
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Nov 22 09:48:45 2022 +0100

    CVE-2022-37966 s3:net_ads: let 'net ads enctypes list' pretty print AES256-SK and RESOURCE-SID-COMPRESSION-DISABLED
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit b7260c89e0df18822fa276e681406ec4d3921caa)

commit 1d2318ec326f3e530de1d9baf8c4ba3c80603f82
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 23 15:20:40 2022 +0100

    CVE-2022-37966 s3:net_ads: no longer reference des encryption types
    
    We no longer have support for des encryption types in the kerberos
    libraries anyway.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 4cedaa643bf95ef2628f1b631feda833bb2e7da1)

commit f8839f39f0a7e344c5b46d1e952bf4c7dc5017a6
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 23 15:20:40 2022 +0100

    CVE-2022-37966 s3:libnet: no longer reference des encryption types
    
    We no longer have support for des encryption types in the kerberos
    libraries anyway.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 40b47c194d7c41fbc6515b6029d5afafb0911232)

commit 3e4a521a2aaa9da223132ad97f7052460d951a9d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 23 15:20:40 2022 +0100

    CVE-2022-37966 s3:libads: no longer reference des encryption types
    
    We no longer have support for des encryption types in the kerberos
    libraries anyway.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit a683507e560a499336c50b88abcd853d49618bf4)

commit b220162824537232ec87cf2194966d590c2165b7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 23 15:20:40 2022 +0100

    CVE-2022-37966 lib/krb5_wrap: no longer reference des encryption types
    
    We no longer have support for des encryption types in the kerberos
    libraries anyway.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 16b805c8f376e0992a8bbb359d6bd8f0f96229db)

commit 0c7af9838fecf1bb900029876496a8a7517bd3a9
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 23 15:19:48 2022 +0100

    CVE-2022-37966 s3:net_ads: remove unused ifdef HAVE_ENCTYPE_AES*
    
    aes encryption types are always supported.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit f3fe1f2ce64ed36be5b001fb4fea92428e73e4e3)

commit c0bbcc442b8725a9c2b6352514df80c4c0d71dae
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 23 15:19:48 2022 +0100

    CVE-2022-37966 s3:libnet: remove unused ifdef HAVE_ENCTYPE_AES*
    
    aes encryption types are always supported.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 1a36c348d7a984bed8d0f3de5bf9bebd1cb3c47a)

commit 836646d4a02028a96b9974ddf7c36c6d54f25f45
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 23 15:18:02 2022 +0100

    CVE-2022-37966 s3:libads: remove unused ifdef HAVE_ENCTYPE_AES*
    
    aes encryption types are always supported.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 2bd27955ce1000c13b468934eed8b0fdeb66e3bf)

commit 911750da81abc99ee57bcb0d6129fec85bf6b761
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 23 15:16:51 2022 +0100

    CVE-2022-37966 lib/krb5_wrap: remove unused ifdef HAVE_ENCTYPE_AES*
    
    aes encryption types are always supported.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit c9b10ee32c7e91521d024477a28fb7a622e4eb04)

commit 8842d0197d1055d35516c293192fc9c5121b46b7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 23 15:12:47 2022 +0100

    CVE-2022-37966 system_mitkrb5: require support for aes enctypes
    
    This will never fail as we already require a version that supports aes,
    but this makes it clearer.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit a80f8e1b826ee3f9bbb22752464a73b97c2a612d)

commit 001ed425ea19b42cb815be71188d49209bfddbd7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 23 15:12:14 2022 +0100

    CVE-2022-37966 wafsamba: add support for CHECK_VARIABLE(mandatory=True)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 9da028c46f70db60a80d47f5dadbec194510211f)

commit c13c60ffbf7f86011594268cc48a1f9f1991f664
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Nov 22 11:32:34 2022 +1300

    CVE-2022-37966 kdc: Assume trust objects support AES by default
    
    As part of matching the behaviour of Windows, assume that trust objects
    support AES256, but not RC4, if not specified otherwise.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 4bb50c868c8ed14372cb7d27e53cdaba265fc33d)

commit a836bcf22ce87cf93e7d3cbf975d1baaa8f32c3b
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Nov 1 15:20:47 2022 +1300

    CVE-2022-37966 kdc: Implement new Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
    
    ENC_HMAC_SHA1_96_AES256_SK is a flag introduced for by Microsoft in this
    CVE to indicate that additionally, AES session keys are available. We
    set the etypes available for session keys depending on the encryption
    types that are supported by the principal.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219
    
    Pair-Programmed-With: Joseph Sutton <josephsutton at catalyst.net.nz>
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    (similar to commit 975e43fc45531fdea14b93a3b1529b3218a177e6)
    [jsutton at samba.org Fixed knownfail conflicts]
    
    [jsutton at samba.org Adapted to older KDC code; fixed knownfail conflicts]

commit da9da918f7510a1b8120479b8ec505b6b2397e93
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Nov 23 16:05:04 2022 +1300

    CVE-2022-37966 selftest: Run S4U tests against FL2003 DC
    
    This shows that changes around RC4 encryption types do not break older
    functional levels where only RC4 keys are available.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 44802c46b18caf3c7f9f2fb1b66025fc30e22ac5)
    
    [jsutton at samba.org Fixed import conflict]

commit f29efb011f62a94d4cd6de4aca8722f743008f78
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Nov 18 12:11:39 2022 +1300

    CVE-2022-37966 selftest: Add tests for Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
    
    ENC_HMAC_SHA1_96_AES256_SK is a flag introduced for by Microsoft in this CVE
    to indicate that additionally, AES session keys are available.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    (similar to commit 371d7e63fcb966ab54915a3dedb888d48adbf0c0)
    [jsutton at samba.org Removed unneeded fast_tests.py change, added
     non_etype_bits in raw_testcase.py, fixed conflicts in knownfails and
     tests.py]
    
    [jsutton at samba.org Fixed conflicts in tests and knownfails]

commit 71fcd5366a0971b982cb553d442bcb11f71f9ace
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Nov 21 13:47:06 2022 +1300

    CVE-2022-37966 samba-tool: Declare explicitly RC4 support of trust objects
    
    As we will assume, as part of the fixes for CVE-2022-37966, that trust
    objects with no msDS-SupportedEncryptionTypes attribute support AES
    keys, RC4 support must now be explicitly indicated.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 086646865eef247a54897f5542495a2105563a5e)

commit b8996509387b76f118577821a132542a9a7cb549
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Nov 21 13:45:22 2022 +1300

    CVE-2022-37966 samba-tool: Fix 'domain trust create' documentation
    
    This option does the opposite of what the documentation claims.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 6b155b22e6afa52ce29cc475840c1d745b0f1f5e)

commit 31543f2902e64ddc999670cfe4a4f0513159a547
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Nov 21 14:01:47 2022 +1300

    CVE-2022-37966 third_party/heimdal: Fix error message typo
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit d6b3d68efc296190a133b4e38137bdfde39257f4)

commit 545c20fd321f8eb5feebd11c825942755b374fdc
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Fri Nov 18 13:44:28 2022 +1300

    CVE-2022-37966 param: Add support for new option "kdc force enable rc4 weak session keys"
    
    Pair-Programmed-With: Joseph Sutton <josephsutton at catalyst.net.nz>
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit ee18bc29b8ef6a3f09070507cc585467e55a1628)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

commit 4c2dc48598dda4bf0d5a166ed3d05ab7b4a3abfb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Nov 15 18:14:36 2022 +1300

    CVE-2022-37966 param: Add support for new option "kdc default domain supportedenctypes"
    
    This matches the Windows registry key
    
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\KDC\DefaultDomainSupportedEncTypes
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit d861d4eb28bd4c091955c11669edcf867b093a6f)
    
    [jsutton at samba.org Fixed header include conflict]

commit 0601bb94c62b7e64b1f943523120196727b118ed
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Nov 9 13:45:13 2022 +1300

    CVE-2022-37967 Add new PAC checksum
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15231
    
    Pair-Programmed-With: Andrew Bartlett <abartlet at samba.org>
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    (similar to commit a50a2be622afaa7a280312ea12f5eb9c9a0c41da)
    [jsutton at samba.org Fixed conflicts in krb5pac.idl and raw_testcase.py]
    
    [jsutton at samba.org Fixed conflicts in kdc_base_test.py, raw_testcase.py,
     knownfails, tests.py. Adapted KDC PAC changes to older function.]

commit a9c836d0442b60a3b5dbc3ddbedf6f866e633e79
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Nov 1 14:47:12 2022 +1300

    CVE-2022-37966 HEIMDAL: Look up the server keys to combine with clients etype list to select a session key
    
    We need to select server, not client, to compare client etypes against.
    
    (It is not useful to compare the client-supplied encryption types with
    the client's own long-term keys.)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    (similar to commit 538315a2aa6d03b7639b49eb1576efa8755fefec)
    [jsutton at samba.org Fixed knownfail conflicts]
    
    [jsutton at samba.org Fixed knownfail conflicts]

commit 8d208ab0616068ed1272d81e968d8f3d33953ca6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 25 19:32:27 2022 +1300

    CVE-2022-37966 tests/krb5: Add a test requesting tickets with various encryption types
    
    The KDC should leave the choice of ticket encryption type up to the
    target service, and admit no influence from the client.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    (similar to commit 177334c04230d0ad74bfc2b6825ffbebd5afb9af)
    [jsutton at samba.org Fixed conflicts in usage.py, knownfails, tests.py]
    
    [jsutton at samba.org Fixed knownfail conflicts]

commit 9ed5a352ca1707ba0cb06bfa785f0e8d5049666d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Oct 26 14:29:54 2022 +1300

    CVE-2022-37966 tests/krb5: Add 'etypes' parameter to _tgs_req()
    
    This lets us select the encryption types we claim to support in the
    request body.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    (similar to commit e0a91dddc4a6c70d7425c2c6836dcf2dd6d9a2de)
    [jsutton at samba.org Adapted to 4.17 version of function taking different
     parameters]

commit cc2bea27a640b43c4eed5846fb1bbd3e5ad5d0ad
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Oct 26 14:26:01 2022 +1300

    CVE-2022-37966 tests/krb5: Split out _tgs_req() into base class
    
    We will use it for testing our handling of encryption types.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    (similar to commit 50e075d2db21e9f23d686684ea3df9454b6b560e)
    [jsutton at samba.org Adapted to 4.17 version of function]

commit 2408d405d31274a97b67baf04a36d58e50341050
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Nov 1 12:34:57 2022 +1300

    CVE-2022-37966 selftest: Allow krb5 tests to run against an IP by using the target_hostname binding string
    
    This makes it easier to test against a server that is not accessible via DNS.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit c7cd6889177e8c705bb637172a60a5cf26734a3f)

commit 91b74c701acd7e64a1aa1119782305d2132adc31
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Dec 5 21:45:08 2022 +0100

    CVE-2022-37966 libcli/auth: let netlogon_creds_cli_warn_options() about "kerberos encryption types=legacy"
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 0248907e34945153ff2be62dc11d75c956a05932)

commit 12e4e94853fd5b9a614dc0a6fb62acbe93f83be1
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Dec 5 21:36:23 2022 +0100

    CVE-2022-37966 testparm: warn about 'kerberos encryption types = legacy'
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit c0c25cc0217b082c12330a8c47869c8428a20d0c)

commit 05206c09237e3437e521808c9fa828ea6a8248b4
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Dec 5 21:31:37 2022 +0100

    CVE-2022-37966 docs-xml/smbdotconf: "kerberos encryption types = legacy" should not be used
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit a4f6f51cbed53775cdfedc7eec2f28c7beb875cc)

commit a65fc1fa476a45de402d6127b4ce5a26e761508f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Oct 20 12:36:44 2022 +1300

    CVE-2022-37966 tests/krb5: Add test requesting a TGT expiring post-2038
    
    This demonstrates the behaviour of Windows 11 22H2 over Kerberos,
    which changed to use a year 9999 date for a forever timetime in
    tickets.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Thu Oct 20 05:00:23 UTC 2022 on sn-devel-184
    
    (cherry picked from commit 50cbdecf2e276e5f87b9c2d95fd3ca86d11a08e2)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 397a390aa86b83ef46126d3df7335a6f4c7d7845
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Oct 27 08:47:32 2022 +0200

    CVE-2022-37966 s3:utils: Fix old-style function definition
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit b787692b5e915031d4653bf375995320ed1aca07)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit a89385f2ab705d9cdcd7acebd3388da0d4c399c0
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Oct 27 08:46:39 2022 +0200

    CVE-2022-37966 s3:client: Fix old-style function definition
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 81f4335dfb847c041bfd3d6110fc8f1d5741d41f)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 130c4877b3870c660635750d08849e2a2d7d5673
Author: Andreas Schneider <asn at samba.org>
Date:   Thu Oct 27 08:44:58 2022 +0200

    CVE-2022-37966 s3:param: Fix old-style function definition
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit 80dc3bc2b80634ab7c6c71fa1f9b94f0216322b2)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 0fee9c469c08538c6eb4c07cc0b127033f6c1c80
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Apr 11 15:43:00 2022 +1200

    CVE-2022-37966 tests/krb5: Allow passing expected etypes to get_keys()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 2f17cbf3b295663a91e4facb0dc8f09ef4a77f4a)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    [jsutton at samba.org Removed changes to protected_users_tests.py]
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 3dec660ae2bd1067ea2314917197f44aedef9ba3
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Mar 23 13:07:29 2022 +1300

    CVE-2022-37966 s4:kdc: Move supported enc-type handling out of samba_kdc_message2entry_keys()
    
    By putting this in the caller we potentially allow samba_kdc_message2entry_keys()
    to be reused by a non-KDC caller.
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    (cherry picked from commit 29eb7e2488e2c55ceacb859a57836a08cbb7f8e8)
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
    
    [jsutton at samba.org Adapted to older code without support for Protected
     Users or older keys; kept still-needed 'kdc_db_ctx'
     samba_kdc_message2entry_keys() parameter]
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit c09df344f0e37d48768ec606cbeb25b0f6250a24
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Dec 6 13:36:17 2022 +0100

    CVE-2022-38023 testparm: warn about unsecure schannel related options
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 4d540473c3d43d048a30dd63efaeae9ff87b2aeb)

commit 587ff282a9d087e659ac507347694e0e488bfa32
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 30 15:13:47 2022 +0100

    CVE-2022-38023 testparm: warn about server/client schannel != yes
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit f964c0c357214637f80d0089723b9b11d1b38f7e)

commit 03730459feb0a86e6a56c29af2af6fb4e516d587
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 25 14:05:30 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: implement "server schannel require seal[:COMPUTERACCOUNT]"
    
    By default we'll now require schannel connections with
    privacy/sealing/encryption.
    
    But we allow exceptions for specific computer/trust accounts.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit b3ed90a0541a271a7c6d4bee1201fa47adc3c0c1)

commit 1d9c939ebaa711aba3f58860f2091b7b96e76690
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Dec 2 14:31:26 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: add a per connection cache to dcesrv_netr_check_schannel()
    
    It's enough to warn the admin once per connection.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 3c57608e1109c1d6e8bb8fbad2ef0b5d79d00e1a)

commit d04da3d7008d7bcd55eff70400d5834342925013
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 25 16:53:35 2022 +0100

    CVE-2022-38023 docs-xml/smbdotconf: add "server schannel require seal[:COMPUTERACCOUNT]" options
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 7732a4b0bde1d9f98a0371f17d22648495329470)

commit 9f809e2dd39e9f5dce5454fb64dd0472ebcb2e10
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 30 17:15:36 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: make sure all dcesrv_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
    
    We'll soon add some additional contraints in dcesrv_netr_check_schannel(),
    which are also required for dcesrv_netr_LogonSamLogonEx().
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 689507457f5e6666488732f91a355a2183fb1662)

commit abba8c4579f41f267d9b48d2adaac2b5228edcb0
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 30 16:57:24 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_check_schannel() function
    
    This will allow us to reuse the function in other places.
    As it will also get some additional checks soon.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit f43dc4f0bd60d4e127b714565147f82435aa4f07)

commit 3f7cd285b79a113cacec0309fce9bfb303c0f417
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 30 14:57:20 2022 +0100

    CVE-2022-38023 selftest:Samba4: avoid global 'allow nt4 crypto = yes' and 'reject md5 clients = no'
    
    Instead of using the generic deprecated option use the specific
    allow nt4 crypto:COMPUTERACCOUNT = yes and
    server reject md5 schannel:COMPUTERACCOUNT = no
    in order to allow legacy tests for pass.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 7ae3735810c2db32fa50f309f8af3c76ffa29768)

commit 729e905776c5a90e6d4a4855fb82300125a65fd4
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 25 13:13:36 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: debug 'reject md5 servers' and 'allow nt4 crypto' misconfigurations
    
    This allows the admin to notice what's wrong in order to adjust the
    configuration if required.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 43df4be35950f491864ae8ada05d51b42a556381)

commit 80d0238679fb6c0e7df96a8f628f8d4696e8190c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 25 14:02:11 2022 +0100

    CVE-2022-38023 docs-xml/smbdotconf: document "server reject md5 schannel:COMPUTERACCOUNT"
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 2ad302b42254e3c2800aaf11669fe2e6d55fa8a1)

commit 3075f65e5d5e440bcb7b0721e603fe174b764827
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 25 13:31:14 2022 +0100

    CVE-2022-38023 docs-xml/smbdotconf: document "allow nt4 crypto:COMPUTERACCOUNT = no"
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit bd429d025981b445bf63935063e8e302bfab3f9b)

commit d2dc3622d4522cbc224fcae384475bf7430988cf
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 25 13:13:36 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: add 'server reject md5 schannel:COMPUTERACCOUNT = no' and 'allow nt4 crypto:COMPUTERACCOUNT = yes'
    
    This makes it more flexible when we change the global default to
    'reject md5 servers = yes'.
    
    'allow nt4 crypto = no' is already the default.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 69b36541606d7064de9648cd54b35adfdf8f0e8f)

commit c25546926f57b66c9b19c8a0fca8a40e85aa400a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 25 10:31:08 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: defer downgrade check until we found the account in our SAM
    
    We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no',
    which means we'll need use the account name from our SAM.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit b09f51eefc311bbb1525efd1dc7b9a837f7ec3c2)

commit bc78864cb5ff3d37c4efe59888f6150671fc0897
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Nov 24 18:26:18 2022 +0100

    CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 clients' default to yes
    
    AES is supported by Windows Server >= 2008R2, Windows (Client) >= 7 and Samba >= 4.0,
    so there's no reason to allow md5 clients by default.
    However some third party domain members may need it.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit c8e53394b98b128ed460a6111faf05dfbad980d1)

commit 852763adc2211347f105cc181ca8abfd79490073
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 25 10:10:33 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: require aes if weak crypto is disabled
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 4c7f84798acd1e3218209d66d1a92e9f42954d51)

commit 35ff1221013b5bce7901ebd2bd5ba0089a058de2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Nov 25 09:54:17 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_ServerAuthenticate3_check_downgrade()
    
    We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no',
    which means we'll need the downgrade detection in more places.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit b6339fd1dcbe903e73efeea074ab0bd04ef83561)

commit 3f4c9c13b1fe79351537fa064f9b39f6cd6f68b1
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Nov 28 15:02:13 2022 +0100

    CVE-2022-38023 s4:torture: use NETLOGON_NEG_SUPPORTS_AES by default
    
    For generic tests we should use the best available features.
    
    And AES will be required by default soon.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit cfd55a22cda113fbb2bfa373b54091dde1ea6e66)

commit 066dafb07a1ee96af75677a1b4c25f8f4a28e0dd
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 30 12:26:01 2022 +0100

    CVE-2022-38023 selftest:Samba4: avoid global 'server schannel = auto'
    
    Instead of using the generic deprecated option use the specific
    server require schannel:COMPUTERACCOUNT = no in order to allow
    legacy tests for pass.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 63c96ea6c02981795e67336401143f2a8836992c)

commit 82af786a36bd070f1191e6040a65a46893d10b3a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 30 12:37:03 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: improve CVE-2020-1472(ZeroLogon) debug messages
    
    In order to avoid generating useless debug messages during make test,
    we will use 'CVE_2020_1472:warn_about_unused_debug_level = 3'
    and 'CVE_2020_1472:error_debug_level = 2' in order to avoid schannel warnings.
    
    Review with: git show -w
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 16ee03efc194d9c1c2c746f63236b977a419918d)

commit 88018634c78b589185e877e6d7e4f10894c32a0b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 30 12:37:03 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: re-order checking in dcesrv_netr_creds_server_step_check()
    
    This will simplify the following changes.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit ec62151a2fb49ecbeaa3bf924f49a956832b735e)

commit 0c32166174b36af5a31758dafe88820ff03b9aa9
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Dec 12 14:03:50 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: add talloc_stackframe() to dcesrv_netr_creds_server_step_check()
    
    This will simplify the following changes.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 0e6a2ba83ef1be3c6a0f5514c21395121621a145)

commit a5996700aded774bcaf61c48af900b8f8d5bb112
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Dec 12 14:03:50 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: add a lp_ctx variable to dcesrv_netr_creds_server_step_check()
    
    This will simplify the following changes.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 7baabbe9819cd5a2714e7ea4e57a0c23062c0150)

commit 2139565c2fe0f928ed15393d2b8216392b04f36b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Dec 6 10:56:29 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: 'server schannel != yes' warning to dcesrv_interface_netlogon_bind
    
    This will simplify the following changes.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit e060ea5b3edbe3cba492062c9605f88fae212ee0)

commit 08e2a933933a3044914c95be1667b3072436ceed
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Nov 24 18:22:23 2022 +0100

    CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 servers' default to yes
    
    AES is supported by Windows >= 2008R2 and Samba >= 4.0 so there's no
    reason to allow md5 servers by default.
    
    Note the change in netlogon_creds_cli_context_global() is only cosmetic,
    but avoids confusion while reading the code. Check with:
    
     git show -U35 libcli/auth/netlogon_creds_cli.c
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 1c6c1129905d0c7a60018e7bf0f17a0fd198a584)

commit a2388a06cba159ef51af12e69682c6651b836783
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 30 14:59:36 2022 +0100

    CVE-2022-38023 s3:winbindd: also allow per domain "winbind sealed pipes:DOMAIN" and "require strong key:DOMAIN"
    
    This avoids advising insecure defaults for the global options.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit d60828f6391307a59abaa02b72b6a8acf66b2fef)

commit 8a7df0920b76c1a8887200b99e032cc4cb3fc9db
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 30 16:16:05 2022 +0100

    CVE-2022-38023 s3:net: add and use net_warn_member_options() helper
    
    This makes sure domain member related 'net' commands print warnings
    about unsecure smb.conf options.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 1fdf1d55a5dd550bdb16d037b5dc995c33c1a67a)

commit 1fe8857b4d90809ff5b160c73e3d2c28acd3ce65
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 30 14:47:33 2022 +0100

    CVE-2022-38023 libcli/auth: add/use netlogon_creds_cli_warn_options()
    
    This warns the admin about insecure options
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    
    (similar to commit 7e7adf86e59e8a673fbe87de46cef0d62221e800)
    [jsutton at samba.org Replaced call to tevent_cached_getpid() with one to
     getpid()]

commit b0dbc395510a90f47d306eab7ff91ad95ccf6268
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Nov 30 14:46:59 2022 +0100

    CVE-2022-38023 libcli/auth: pass lp_ctx to netlogon_creds_cli_set_global_db()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 992f39a2c8a58301ceeb965f401e29cd64c5a209)

commit 421398ce5ebd9c031ae2c3333d8119d39f616feb
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Dec 6 16:05:26 2022 +0100

    CVE-2022-38023 docs-xml: improve wording for several options: "yields precedence" -> "is over-riden"
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 830e865ba5648f6520bc552ffd71b61f754b8251)

commit af08dd3e25a660c3bb4427f4dc3cd847cc083112
Author: Ralph Boehme <slow at samba.org>
Date:   Tue Dec 6 16:00:36 2022 +0100

    CVE-2022-38023 docs-xml: improve wording for several options: "takes precedence" -> "overrides"
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Ralph Boehme <slow at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    (cherry picked from commit 8ec62694a94c346e6ba8f3144a417c9984a1c8b9)

commit 4d099f8f678373736a195dfe367bb688c72036b9
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Dec 6 17:16:00 2022 +1300

    selftest: make filter-subunit much more efficient for large knownfail lists
    
    By compiling the knownfail lists ahead of time we change a 20min test
    into a 90sec test.
    
    This could be improved further by combining this into a single regular expression,
    but this is enough for now.  The 'reason' is thankfully not used.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15258
    
    Pair-programmed-with: Joseph Sutton <josephsutton at catalyst.net.nz>
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    (cherry picked from commit 22128c718cadd34af892df102bd52df6a6b03303)

-----------------------------------------------------------------------

Summary of changes:
 buildtools/wafsamba/samba_autoconf.py              |    4 +-
 docs-xml/manpages/samba-tool.8.xml                 |    5 +
 docs-xml/smbdotconf/logon/allownt4crypto.xml       |   85 +-
 docs-xml/smbdotconf/logon/rejectmd5clients.xml     |  101 +-
 .../security/allowdcerpcauthlevelconnect.xml       |    2 +-
 docs-xml/smbdotconf/security/clientschannel.xml    |    2 +-
 .../security/kdcdefaultdomainsupportedenctypes.xml |   42 +
 .../security/kdcforceenablerc4weaksessionkeys.xml  |   24 +
 .../smbdotconf/security/kdcsupportedenctypes.xml   |   40 +
 .../security/kerberosencryptiontypes.xml           |   12 +-
 docs-xml/smbdotconf/security/serverschannel.xml    |   47 +-
 .../security/serverschannelrequireseal.xml         |  118 ++
 docs-xml/smbdotconf/winbind/rejectmd5servers.xml   |    9 +-
 docs-xml/smbdotconf/winbind/requirestrongkey.xml   |    4 +-
 lib/krb5_wrap/krb5_samba.c                         |    6 -
 lib/param/loadparm.c                               |  147 ++
 libcli/auth/netlogon_creds_cli.c                   |   88 +-
 libcli/auth/netlogon_creds_cli.h                   |    4 +-
 librpc/idl/drsuapi.idl                             |    9 +
 librpc/idl/krb5pac.idl                             |    4 +-
 librpc/idl/netlogon.idl                            |    1 +
 librpc/idl/security.idl                            |    1 +
 python/samba/drs_utils.py                          |   12 +-
 python/samba/netcmd/domain.py                      |  130 +-
 python/samba/tests/krb5/alias_tests.py             |    6 +-
 .../samba/tests/krb5/as_canonicalization_tests.py  |    5 +-
 python/samba/tests/krb5/as_req_tests.py            |   28 +-
 python/samba/tests/krb5/compatability_tests.py     |   22 +
 python/samba/tests/krb5/etype_tests.py             |  597 ++++++++
 python/samba/tests/krb5/fast_tests.py              |   11 +-
 python/samba/tests/krb5/kdc_base_test.py           |  133 +-
 python/samba/tests/krb5/kdc_tgs_tests.py           |  467 ++++--
 python/samba/tests/krb5/kpasswd_tests.py           |    8 +-
 python/samba/tests/krb5/lockout_tests.py           |   11 +-
 python/samba/tests/krb5/pac_align_tests.py         |    6 +-
 python/samba/tests/krb5/raw_testcase.py            |  133 +-
 python/samba/tests/krb5/rfc4120_constants.py       |    1 +
 python/samba/tests/krb5/rodc_tests.py              |    8 +-
 python/samba/tests/krb5/s4u_tests.py               |  122 +-
 python/samba/tests/krb5/salt_tests.py              |    6 +-
 python/samba/tests/krb5/spn_tests.py               |    8 +-
 python/samba/tests/krb5/test_ccache.py             |    6 +-
 python/samba/tests/krb5/test_idmap_nss.py          |    6 +-
 python/samba/tests/krb5/test_ldap.py               |    6 +-
 python/samba/tests/krb5/test_min_domain_uid.py     |    7 +-
 python/samba/tests/krb5/test_rpc.py                |    6 +-
 python/samba/tests/krb5/test_smb.py                |    6 +-
 python/samba/tests/usage.py                        |    1 +
 selftest/knownfail_mit_kdc                         | 1578 +++++++++++++++++++-
 selftest/subunithelper.py                          |   32 +-
 selftest/target/Samba4.pm                          |  126 +-
 source3/client/clitar.c                            |    2 +-
 source3/libads/kerberos.c                          |    6 +-
 source3/libads/kerberos_keytab.c                   |    4 -
 source3/libnet/libnet_join.c                       |    9 +-
 source3/param/loadparm.c                           |    7 +-
 source3/rpc_client/cli_netlogon.c                  |    2 +-
 source3/utils/destroy_netlogon_creds_cli.c         |    2 +-
 source3/utils/net.c                                |    6 +
 source3/utils/net_ads.c                            |   27 +-
 source3/utils/net_dom.c                            |    2 +
 source3/utils/net_join.c                           |    2 +
 source3/utils/net_offlinejoin.c                    |    2 +
 source3/utils/net_proto.h                          |    2 +
 source3/utils/net_rpc.c                            |   10 +
 source3/utils/net_util.c                           |   14 +
 source3/utils/ntlm_auth.c                          |   12 +-
 source3/utils/testparm.c                           |   89 +-
 source3/winbindd/winbindd_cm.c                     |   41 +-
 source4/dsdb/pydsdb.c                              |    1 +
 source4/kdc/db-glue.c                              |  300 +++-
 source4/kdc/kdc-heimdal.c                          |   23 +-
 source4/kdc/sdb.c                                  |   91 ++
 source4/kdc/sdb.h                                  |   12 +
 source4/kdc/sdb_to_hdb.c                           |   28 +-
 source4/kdc/wdc-samba4.c                           |   23 +-
 source4/libnet/libnet_join.c                       |    4 +-
 source4/libnet/libnet_passwd.c                     |   75 +
 source4/libnet/libnet_passwd.h                     |    7 +
 source4/libnet/py_net.c                            |   18 +-
 source4/rpc_server/netlogon/dcerpc_netlogon.c      | 1044 +++++++++++--
 source4/selftest/tests.py                          |   32 +-
 source4/torture/ntp/ntp_signd.c                    |    2 +-
 source4/torture/rpc/lsa.c                          |    4 +-
 source4/torture/rpc/netlogon.c                     |   24 +-
 source4/torture/rpc/netlogon_crypto.c              |    2 +-
 source4/torture/rpc/remote_pac.c                   |   14 +-
 source4/torture/rpc/samba3rpc.c                    |   15 +-
 third_party/heimdal/kdc/kerberos5.c                |   45 +-
 third_party/heimdal/kdc/krb5tgs.c                  |    8 +-
 third_party/heimdal/kdc/misc.c                     |    4 +-
 third_party/heimdal/lib/hdb/hdb.asn1               |    3 +-
 third_party/heimdal/lib/krb5/init_creds_pw.c       |    2 +-
 third_party/heimdal/lib/krb5/pac.c                 |  169 ++-
 wscript_configure_system_mitkrb5                   |    4 +-
 95 files changed, 5775 insertions(+), 661 deletions(-)
 create mode 100644 docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml
 create mode 100644 docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml
 create mode 100644 docs-xml/smbdotconf/security/kdcsupportedenctypes.xml
 create mode 100644 docs-xml/smbdotconf/security/serverschannelrequireseal.xml
 create mode 100755 python/samba/tests/krb5/etype_tests.py


Changeset truncated at 500 lines:

diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py
index 78927d85193..53febc8be93 100644
--- a/buildtools/wafsamba/samba_autoconf.py
+++ b/buildtools/wafsamba/samba_autoconf.py
@@ -184,7 +184,8 @@ def CHECK_TYPE_IN(conf, t, headers=None, alternate=None, define=None):
 
 @conf
 def CHECK_VARIABLE(conf, v, define=None, always=False,
-                   headers=None, msg=None, lib=None):
+                   headers=None, msg=None, lib=None,
+                   mandatory=False):
     '''check for a variable declaration (or define)'''
     if define is None:
         define = 'HAVE_%s' % v.upper()
@@ -208,6 +209,7 @@ def CHECK_VARIABLE(conf, v, define=None, always=False,
                       lib=lib,
                       headers=headers,
                       define=define,
+                      mandatory=mandatory,
                       always=always)
 
 
diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml
index 9a40bb1bec4..8e9279cc518 100644
--- a/docs-xml/manpages/samba-tool.8.xml
+++ b/docs-xml/manpages/samba-tool.8.xml
@@ -676,6 +676,11 @@
 	<para>Create a domain or forest trust.</para>
 </refsect3>
 
+<refsect3>
+	<title>domain trust modify <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
+	<para>Modify a domain or forest trust.</para>
+</refsect3>
+
 <refsect3>
 	<title>domain trust delete <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
 	<para>Delete a domain trust.</para>
diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml
index 03dc8fa93f7..ee63e6cc245 100644
--- a/docs-xml/smbdotconf/logon/allownt4crypto.xml
+++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml
@@ -1,11 +1,18 @@
 <samba:parameter name="allow nt4 crypto"
                  context="G"
                  type="boolean"
+                 deprecated="1"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
+	<para>
+	This option is deprecated and will be removed in future,
+	as it is a security problem if not set to "no" (which will be
+	the hardcoded behavior in future).
+	</para>
+
 	<para>This option controls whether the netlogon server (currently
 	only in 'active directory domain controller' mode), will
-	reject clients which does not support NETLOGON_NEG_STRONG_KEYS
+	reject clients which do not support NETLOGON_NEG_STRONG_KEYS
 	nor NETLOGON_NEG_SUPPORTS_AES.</para>
 
 	<para>This option was added with Samba 4.2.0. It may lock out clients
@@ -18,8 +25,82 @@
 
 	<para>"allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks.</para>
 
-	<para>This option yields precedence to the 'reject md5 clients' option.</para>
+	<para><emphasis>Avoid using this option!</emphasis> Use explicit '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' instead!
+	Which is available with the patches for
+	<ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
+	see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink></para>
+
+	<para>
+	Samba will log an error in the log files at log level 0
+	if legacy a client is rejected or allowed without an explicit,
+	'<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' option
+	for the client. The message will indicate
+	the explicit '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>'
+	line to be added, if the legacy client software requires it. (The log level can be adjusted with
+	'<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>'
+	in order to complain only at a higher log level).
+	</para>
+
+	<para>This allows admins to use "yes" only for a short grace period,
+	in order to collect the explicit
+	'<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' options.</para>
+
+	<para>This option is over-ridden by the effective value of 'yes' from
+	the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>'
+	and/or '<smbconfoption name="reject md5 clients"/>' options.</para>
 </description>
 
 <value type="default">no</value>
 </samba:parameter>
+
+<samba:parameter name="allow nt4 crypto:COMPUTERACCOUNT"
+                 context="G"
+                 type="string"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+    <para>If you still have legacy domain members which required 'allow nt4 crypto = yes',
+	it is possible to specify an explicit exception per computer account
+	by using 'allow nt4 crypto:COMPUTERACCOUNT = yes' as option.
+	Note that COMPUTERACCOUNT has to be the sAMAccountName value of
+	the computer account (including the trailing '$' sign).
+    </para>
+
+    <para>
+	Samba will log a complaint in the log files at log level 0
+	about the security problem if the option is set to "yes",
+	but the related computer does not require it.
+	(The log level can be adjusted with
+	'<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>'
+	in order to complain only at a higher log level).
+    </para>
+
+    <para>
+	Samba will log a warning in the log files at log level 5,
+	if a setting is still needed for the specified computer account.
+    </para>
+
+    <para>
+	See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>,
+	<ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+    </para>
+
+    <para>This option overrides the <smbconfoption name="allow nt4 crypto"/> option.</para>
+
+    <para>This option is over-ridden by the effective value of 'yes' from
+    the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>'
+    and/or '<smbconfoption name="reject md5 clients"/>' options.</para>
+    <para>Which means '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>'
+    is only useful in combination with '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'</para>
+
+    <programlisting>
+	allow nt4 crypto:LEGACYCOMPUTER1$ = yes
+	server reject md5 schannel:LEGACYCOMPUTER1$ = no
+	allow nt4 crypto:NASBOX$ = yes
+	server reject md5 schannel:NASBOX$ = no
+	allow nt4 crypto:LEGACYCOMPUTER2$ = yes
+	server reject md5 schannel:LEGACYCOMPUTER2$ = no
+    </programlisting>
+</description>
+
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
index 41684ef1080..fe7701d9277 100644
--- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml
+++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
@@ -1,17 +1,110 @@
 <samba:parameter name="reject md5 clients"
                  context="G"
                  type="boolean"
+                 deprecated="1"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
+	<para>
+	This option is deprecated and will be removed in a future release,
+	as it is a security problem if not set to "yes" (which will be
+	the hardcoded behavior in the future).
+	</para>
+
 	<para>This option controls whether the netlogon server (currently
 	only in 'active directory domain controller' mode), will
 	reject clients which does not support NETLOGON_NEG_SUPPORTS_AES.</para>
 
-	<para>You can set this to yes if all domain members support aes.
-	This will prevent downgrade attacks.</para>
+	<para>Support for NETLOGON_NEG_SUPPORTS_AES was added in Windows
+	starting with Server 2008R2 and Windows 7, it's available in Samba
+	starting with 4.0, however third party domain members like NetApp ONTAP
+	still uses RC4 (HMAC-MD5), see
+	<ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">https://www.samba.org/samba/security/CVE-2022-38023.html</ulink>
+	for more details.
+	</para>
+
+	<para>The default changed from 'no' to 'yes', with the patches for
+	<ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
+	see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+	</para>
+
+	<para><emphasis>Avoid using this option!</emphasis> Use an explicit per machine account
+	'<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>' instead!
+	Which is available with the patches for
+	<ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
+	see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+	</para>
+
+	<para>
+	Samba will log an error in the log files at log level 0
+	if legacy a client is rejected or allowed without an explicit,
+	'<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' option
+	for the client. The message will indicate
+	the explicit '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'
+	line to be added, if the legacy client software requires it. (The log level can be adjusted with
+	'<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>'
+	in order to complain only at a higher log level).
+	</para>
+
+	<para>This allows admins to use "no" only for a short grace period,
+	in order to collect the explicit
+	'<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' options.</para>
+
+	<para>When set to 'yes' this option overrides the
+	'<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT"/>' and
+	'<smbconfoption name="allow nt4 crypto"/>' options and implies
+	'<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">no</smbconfoption>'.
+	</para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
+
+<samba:parameter name="server reject md5 schannel:COMPUTERACCOUNT"
+                 context="G"
+                 type="string"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+    <para>If you still have legacy domain members or trusted domains,
+	which required "reject md5 clients = no" before,
+	it is possible to specify an explicit exception per computer account
+	by setting 'server reject md5 schannel:COMPUTERACCOUNT = no'.
+	Note that COMPUTERACCOUNT has to be the sAMAccountName value of
+	the computer account (including the trailing '$' sign).
+    </para>
+
+    <para>
+	Samba will log a complaint in the log files at log level 0
+	about the security problem if the option is set to "no",
+	but the related computer does not require it.
+	(The log level can be adjusted with
+	'<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>'
+	in order to complain only at a higher log level).
+    </para>
+
+    <para>
+	Samba will log a warning in the log files at log level 5
+	if a setting is still needed for the specified computer account.
+    </para>
+
+    <para>
+	See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>,
+	<ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+    </para>
+
+    <para>This option overrides the <smbconfoption name="reject md5 clients"/> option.</para>
+
+    <para>When set to 'yes' this option overrides the
+    '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT"/>' and
+    '<smbconfoption name="allow nt4 crypto"/>' options and implies
+    '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">no</smbconfoption>'.
+    </para>
 
-	<para>This option takes precedence to the 'allow nt4 crypto' option.</para>
+    <programlisting>
+	server reject md5 schannel:LEGACYCOMPUTER1$ = no
+	server reject md5 schannel:NASBOX$ = no
+	server reject md5 schannel:LEGACYCOMPUTER2$ = no
+    </programlisting>
 </description>
 
-<value type="default">no</value>
 </samba:parameter>
diff --git a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
index 03531adbfb3..8bccab391cc 100644
--- a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
+++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
@@ -15,7 +15,7 @@
 	<para>The behavior can be overwritten per interface name (e.g. lsarpc, netlogon, samr, srvsvc,
 	winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = yes' as option.</para>
 
-	<para>This option yields precedence to the implementation specific restrictions.
+	<para>This option is over-ridden by the implementation specific restrictions.
 	E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
 	The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.
 	</para>
diff --git a/docs-xml/smbdotconf/security/clientschannel.xml b/docs-xml/smbdotconf/security/clientschannel.xml
index 5b07da95050..d124ad48181 100644
--- a/docs-xml/smbdotconf/security/clientschannel.xml
+++ b/docs-xml/smbdotconf/security/clientschannel.xml
@@ -23,7 +23,7 @@
     <para>Note that for active directory domains this is hardcoded to
     <smbconfoption name="client schannel">yes</smbconfoption>.</para>
 
-    <para>This option yields precedence to the <smbconfoption name="require strong key"/> option.</para>
+    <para>This option is over-ridden by the <smbconfoption name="require strong key"/> option.</para>
 </description>
 <value type="default">yes</value>
 <value type="example">auto</value>
diff --git a/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml b/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml
new file mode 100644
index 00000000000..984611167b5
--- /dev/null
+++ b/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml
@@ -0,0 +1,42 @@
+<samba:parameter name="kdc default domain supported enctypes"
+                 type="integer"
+                 context="G"
+                 handler="handle_kdc_default_domain_supported_enctypes"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+  <para>
+    Set the default value of <constant>msDS-SupportedEncryptionTypes</constant> for service accounts in Active Directory that are missing this value or where <constant>msDS-SupportedEncryptionTypes</constant> is set to 0.
+  </para>
+
+  <para>
+    This allows Samba administrators to match the configuration flexibility provided by the
+    <constant>HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\KDC\DefaultDomainSupportedEncTypes</constant> Registry Value on Windows.
+  </para>
+  <para>
+    Unlike the Windows registry key (which only takes an base-10 number), in Samba this may also be expressed in hexadecimal or as a list of Kerberos encryption type names.
+  </para>
+  <para>
+    Specified values are ORed together bitwise, and those currently supported consist of:
+    </para><itemizedlist>
+   <listitem>
+       <para><constant>arcfour-hmac-md5</constant>, <constant>rc4-hmac</constant>, <constant>0x4</constant>, or <constant>4</constant></para>
+       <para>Known on Windows as Kerberos RC4 encryption</para>
+   </listitem>
+   <listitem>
+       <para><constant>aes128-cts-hmac-sha1-96</constant>, <constant>aes128-cts</constant>, <constant>0x8</constant>, or <constant>8</constant></para>
+       <para>Known on Windows as Kerberos AES 128 bit encryption</para>
+   </listitem>
+   <listitem>
+       <para><constant>aes256-cts-hmac-sha1-96</constant>, <constant>aes256-cts</constant>, <constant>0x10</constant>, or <constant>16</constant></para>
+       <para>Known on Windows as Kerberos AES 256 bit encryption</para>
+   </listitem>
+   <listitem>
+       <para><constant>aes256-cts-hmac-sha1-96-sk</constant>, <constant>aes256-cts-sk</constant>, <constant>0x20</constant>, or <constant>32</constant></para>
+       <para>Allow AES session keys. When this is set, it indicates to the KDC that AES session keys can be used, even when <constant>aes256-cts</constant> and <constant>aes128-cts</constant> are not set.  This allows use of AES keys against hosts otherwise only configured with RC4 for ticket keys (which is the default).</para>
+   </listitem>
+</itemizedlist>
+
+</description>
+
+<value type="default">0<comment>maps to what the software supports currently: arcfour-hmac-md5 aes256-cts-hmac-sha1-96-sk</comment></value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml b/docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml
new file mode 100644
index 00000000000..1cb46d74a36
--- /dev/null
+++ b/docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml
@@ -0,0 +1,24 @@
+<samba:parameter name="kdc force enable rc4 weak session keys"
+                 type="boolean"
+                 context="G"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>
+	  <constant>RFC8429</constant> declares that
+	  <constant>rc4-hmac</constant> Kerberos ciphers are weak and
+	  there are known attacks on Active Directory use of this
+	  cipher suite.
+	</para>
+	<para>
+	  However for compatibility with Microsoft Windows this option
+	  allows the KDC to assume that regardless of the value set in
+	  a service account's
+	  <constant>msDS-SupportedEncryptionTypes</constant> attribute
+	  that a <constant>rc4-hmac</constant> Kerberos session key (as distinct from the ticket key, as
+	  found in a service keytab) can be used if the potentially
+	  older client requests it.
+	</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/kdcsupportedenctypes.xml b/docs-xml/smbdotconf/security/kdcsupportedenctypes.xml
new file mode 100644
index 00000000000..5e028bbb2be
--- /dev/null
+++ b/docs-xml/smbdotconf/security/kdcsupportedenctypes.xml
@@ -0,0 +1,40 @@
+<samba:parameter name="kdc supported enctypes"
+                 type="integer"
+                 context="G"
+                 handler="handle_kdc_supported_enctypes"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+  <para>
+    On an active directory domain controller, this is the list of supported encryption types for local running kdc.
+  </para>
+
+  <para>
+    This allows Samba administrators to remove support for weak/unused encryption types, similar
+    the configuration flexibility provided by the <constant>Network security: Configure encryption types allowed for Kerberos</constant>
+    GPO/Local Policies/Security Options Value, which results in the
+    <constant>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes</constant> Registry Value on Windows.
+  </para>
+  <para>
+    Unlike the Windows registry key (which only takes an base-10 number), in Samba this may also be expressed as hexadecimal or a list of Kerberos encryption type names.
+  </para>
+  <para>
+    Specified values are ORed together bitwise, and those currently supported consist of:
+    </para><itemizedlist>
+   <listitem>
+       <para><constant>arcfour-hmac-md5</constant>, <constant>rc4-hmac</constant>, <constant>0x4</constant>, or <constant>4</constant></para>
+       <para>Known on Windows as Kerberos RC4 encryption</para>
+   </listitem>
+   <listitem>
+       <para><constant>aes128-cts-hmac-sha1-96</constant>, <constant>aes128-cts</constant>, <constant>0x8</constant>, or <constant>8</constant></para>
+       <para>Known on Windows as Kerberos AES 128 bit encryption</para>
+   </listitem>
+   <listitem>
+       <para><constant>aes256-cts-hmac-sha1-96</constant>, <constant>aes256-cts</constant>, <constant>0x10</constant>, or <constant>16</constant></para>
+       <para>Known on Windows as Kerberos AES 256 bit encryption</para>
+   </listitem>
+</itemizedlist>
+
+</description>
+
+<value type="default">0<comment>maps to what the software supports currently: arcfour-hmac-md5 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96</comment></value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml b/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml
index 2c3c6c5d5fc..a245af55f5f 100644
--- a/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml
+++ b/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml
@@ -37,15 +37,9 @@
     </para>
 
     <para>When set to <constant>legacy</constant>, only RC4-HMAC-MD5
-    is allowed. Avoiding AES this way has one a very specific use.
-    Normally, the encryption type is negotiated between the peers.
-    However, there is one scenario in which a Windows read-only domain
-    controller (RODC) advertises AES encryption, but then proxies the
-    request to a writeable DC which may not support AES encryption,
-    leading to failure of the handshake. Setting this parameter to
-    <constant>legacy</constant> would cause samba not to negotiate AES
-    encryption. It is assumed of course that the weaker legacy
-    encryption types are acceptable for the setup.
+    is allowed. AVOID using this option, because of
+    <ulink url="https://www.samba.org/samba/security/CVE-2022-37966.html">CVE-2022-37966</ulink> see
+    <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15237">https://bugzilla.samba.org/show_bug.cgi?id=15237</ulink>.
     </para>
 </description>
 
diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml
index b682d086f76..42a657912ca 100644
--- a/docs-xml/smbdotconf/security/serverschannel.xml
+++ b/docs-xml/smbdotconf/security/serverschannel.xml
@@ -12,18 +12,36 @@
 	the hardcoded behavior in future).
     </para>
 
-    <para>
-	Samba will complain in the log files at log level 0,
-	about the security problem if the option is not set to "yes".
+    <para><emphasis>Avoid using this option!</emphasis> Use explicit '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' instead!
     </para>
+
+    <para>
+	Samba will log an error in the log files at log level 0
+	if legacy a client is rejected or allowed without an explicit,
+	'<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' option
+	for the client. The message will indicate
+	the explicit '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>'
+	line to be added, if the legacy client software requires it. (The log level can be adjusted with
+	'<smbconfoption name="CVE_2020_1472:error_debug_level">1</smbconfoption>'
+	in order to complain only at a higher log level).
+	</para>
+
     <para>
-	See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497
+	This allows admins to use "auto" only for a short grace period,
+	in order to collect the explicit
+	'<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' options.
     </para>
 
-    <para>If you still have legacy domain members use the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.
+    <para>
+	See <ulink url="https://www.samba.org/samba/security/CVE-2020-1472.html">CVE-2020-1472(ZeroLogon)</ulink>,
+	<ulink url="https://bugzilla.samba.org/show_bug.cgi?id=14497">https://bugzilla.samba.org/show_bug.cgi?id=14497</ulink>.
     </para>
 
-    <para>This option yields precedence to the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.</para>
+    <para>This option is over-ridden by the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.</para>
+
+    <para>This option is over-ridden by the effective value of 'yes' from
+    the '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>'
+    and/or '<smbconfoption name="server schannel require seal"/>' options.</para>
 
 </description>
 
@@ -48,6 +66,9 @@
 	about the security problem if the option is not set to "no",
 	but the related computer is actually using the netlogon
 	secure channel (schannel) feature.
+	(The log level can be adjusted with
+	'<smbconfoption name="CVE_2020_1472:warn_about_unused_debug_level">1</smbconfoption>'
+	in order to complain only at a higher log level).
     </para>
 
     <para>
@@ -56,15 +77,25 @@
     </para>
 
     <para>
-	See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497


-- 
Samba Shared Repository



More information about the samba-cvs mailing list