[SCM] Samba Shared Repository - branch v4-15-stable updated
Jule Anger
janger at samba.org
Thu Dec 15 16:31:11 UTC 2022
The branch, v4-15-stable has been updated
via 861b4f9fde0 VERSION: Disable GIT_SNAPSHOT for the 4.15.13 release.
via 00479fb662f WHATSNEW: Add release notes for Samba 4.15.13.
via 2620bea3af8 kdc: avoid re-encoding KDC-REQ-BODY
via ff5d6ada80e tests/krb5: Add test requesting a TGT expiring post-2038
via fd3cdcc1800 tests/krb5: Add test requesting a service ticket expiring post-2038
via d1cfdcf3a3d CVE-2022-37966 python:/tests/krb5: call sys.path.insert(0, "bin/python") before any other imports
via 48d6042dddf CVE-2022-37966 samba-tool: add 'domain trust modify' command
via 89b1c78b520 CVE-2022-37966 s4:kdc: apply restrictions of "kdc supported enctypes"
via 18996e99712 CVE-2022-37966 param: Add support for new option "kdc supported enctypes"
via 34fc0da7869 CVE-2022-37966 param: let "kdc default domain supportedenctypes = 0" mean the default
via 693a247d3b2 CVE-2022-37966 param: don't explicitly initialize "kdc force enable rc4 weak session keys" to false/"no"
via ee9ffe50e99 CVE-2022-37966 s4:kdc: announce PA-SUPPORTED-ETYPES like windows.
via 1815d339417 CVE-2022-37966 python:tests/krb5: test much more etype combinations
via d6b9e8b3397 CVE-2022-37966 python:tests/krb5: add better PADATA_SUPPORTED_ETYPES assert message
via 25d88118903 CVE-2022-37966 python:tests/krb5: add 'force_nt4_hash' for account creation of KDCBaseTest
via c768a27bc13 CVE-2022-37966 python:tests/krb5: ignore empty supplementalCredentials attributes
via 9049c5442aa CVE-2022-37966 python:tests/krb5: allow ticket/supported_etypes to be passed KdcTgsBaseTests._{as,tgs}_req()
via a1e91681158 CVE-2022-37966 python:tests/krb5: fix some tests running against Windows 2022
via 1db952fab82 CVE-2022-37966 s4:libnet: allow python bindings to force setting an nthash via SAMR level 18
via 91a030cbf58 CVE-2022-37966 s4:libnet: add support LIBNET_SET_PASSWORD_SAMR_HANDLE_18 to set nthash only
via eed3d6a3962 CVE-2022-37966 s4:libnet: initialize libnet_SetPassword() arguments explicitly to zero by default.
via 0d7dc04404d CVE-2022-37966 drsuapi.idl: add trustedDomain related ATTID values
via 527a164b410 CVE-2022-37966 s4:kdc: use the strongest possible keys
via 8b8835b09fa CVE-2022-37966 s4:pydsdb: add ENC_HMAC_SHA1_96_AES256_SK
via f644fc69971 CVE-2022-37966 s3:net_ads: let 'net ads enctypes list' pretty print AES256-SK and RESOURCE-SID-COMPRESSION-DISABLED
via 716149ed2bc CVE-2022-37966 s3:net_ads: no longer reference des encryption types
via 5f9e13ce20a CVE-2022-37966 s3:libnet: no longer reference des encryption types
via 153e4a39142 CVE-2022-37966 s3:libads: no longer reference des encryption types
via ac6563e70ad CVE-2022-37966 lib/krb5_wrap: no longer reference des encryption types
via ece27efe594 CVE-2022-37966 s3:net_ads: remove unused ifdef HAVE_ENCTYPE_AES*
via c23c17a8d75 CVE-2022-37966 s3:libnet: remove unused ifdef HAVE_ENCTYPE_AES*
via 6db1a9a9648 CVE-2022-37966 s3:libads: remove unused ifdef HAVE_ENCTYPE_AES*
via c0a367ad02a CVE-2022-37966 lib/krb5_wrap: remove unused ifdef HAVE_ENCTYPE_AES*
via 5127bcfded4 CVE-2022-37966 system_mitkrb5: require support for aes enctypes
via a4deabde39e CVE-2022-37966 wafsamba: add support for CHECK_VARIABLE(mandatory=True)
via a7e2f5d32e5 CVE-2022-37966 kdc: Assume trust objects support AES by default
via 1e32bfc0fdd CVE-2022-37966 kdc: Implement new Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
via 701b2650d1b CVE-2022-37966 s4:torture: Expect referral ticket enc-part encrypted with AES256 rather than RC4
via 590228fd72f CVE-2022-37966 auth/credentials: Allow specifying password to cli_credentials_get_aes256_key()
via eefa5532055 CVE-2022-37966 auth/credentials: Add cli_credentials_get_aes256_key()
via 33e5f0b4a44 CVE-2022-37966 Fix enctype selection issues for PAC and other authz-data signatures
via cc6196fa005 CVE-2022-37966 selftest: Run S4U tests against FL2003 DC
via c273cb75625 CVE-2022-37966 selftest: Add tests for Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
via 84c28b05a0a CVE-2022-37966 samba-tool: Declare explicitly RC4 support of trust objects
via 0ad59767324 CVE-2022-37966 samba-tool: Fix 'domain trust create' documentation
via 1c06e8b08ca CVE-2022-37966 third_party/heimdal: Fix error message typo
via 36d5770585a CVE-2022-37966 param: Add support for new option "kdc force enable rc4 weak session keys"
via 1daea832104 CVE-2022-37966 param: Add support for new option "kdc default domain supportedenctypes"
via d775f1ed43a CVE-2022-37967 Add new PAC checksum
via 4650ce1fa5c CVE-2022-37966 HEIMDAL: Look up the server keys to combine with clients etype list to select a session key
via fed97f46265 CVE-2022-37966 selftest: Don't strictly check etype-info when obtaining a TGT
via 07edcef7463 CVE-2022-37966 tests/krb5: Add a test requesting tickets with various encryption types
via 92763515d9f CVE-2022-37966 tests/krb5: Add 'etypes' parameter to _tgs_req()
via b4be18abf9b CVE-2022-37966 tests/krb5: Split out _tgs_req() into base class
via e24512a20ae CVE-2022-37966 selftest: Allow krb5 tests to run against an IP by using the target_hostname binding string
via e2ac180984e CVE-2022-37966 libcli/auth: let netlogon_creds_cli_warn_options() about "kerberos encryption types=legacy"
via 30202568a18 CVE-2022-37966 testparm: warn about 'kerberos encryption types = legacy'
via 097fa693ded CVE-2022-37966 docs-xml/smbdotconf: "kerberos encryption types = legacy" should not be used
via 4543bd706e5 CVE-2022-37966 s3:utils: Fix old-style function definition
via 6f94a270722 CVE-2022-37966 s3:client: Fix old-style function definition
via 0fe0643e0b7 CVE-2022-37966 s3:param: Fix old-style function definition
via 25402db19b9 CVE-2022-37966 tests/krb5: Allow passing expected etypes to get_keys()
via 8f40d9b7dd2 CVE-2022-37966 s4:kdc: Move supported enc-type handling out of samba_kdc_message2entry_keys()
via 86834042a18 CVE-2022-37966 s4:kdc: Set supported enctypes in KDC entry
via d09d8f995c9 CVE-2022-37966 tests/krb5: Update supported enctype checking
via 900c6e2268d CVE-2022-37966 tests/krb5: Check encrypted-pa-data if present
via d10dfa85819 CVE-2022-38023 testparm: warn about unsecure schannel related options
via 28ac3faa51c CVE-2022-38023 testparm: warn about server/client schannel != yes
via 93e4e50d250 CVE-2022-38023 s4:rpc_server/netlogon: implement "server schannel require seal[:COMPUTERACCOUNT]"
via 15792b4035d CVE-2022-38023 s4:rpc_server/netlogon: add a per connection cache to dcesrv_netr_check_schannel()
via dba546dbfa5 CVE-2022-38023 docs-xml/smbdotconf: add "server schannel require seal[:COMPUTERACCOUNT]" options
via 2b0dc83e064 CVE-2022-38023 s4:rpc_server/netlogon: make sure all dcesrv_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
via 57986cad714 CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_check_schannel() function
via 08b69ca61f7 CVE-2022-38023 selftest:Samba4: avoid global 'allow nt4 crypto = yes' and 'reject md5 clients = no'
via ba1482a18a8 CVE-2022-38023 s4:rpc_server/netlogon: debug 'reject md5 servers' and 'allow nt4 crypto' misconfigurations
via b7f0e7f2ccc CVE-2022-38023 docs-xml/smbdotconf: document "server reject md5 schannel:COMPUTERACCOUNT"
via 4cb1e57caaf CVE-2022-38023 docs-xml/smbdotconf: document "allow nt4 crypto:COMPUTERACCOUNT = no"
via a0c68f4caaa CVE-2022-38023 s4:rpc_server/netlogon: add 'server reject md5 schannel:COMPUTERACCOUNT = no' and 'allow nt4 crypto:COMPUTERACCOUNT = yes'
via 5154471bca2 CVE-2022-38023 s4:rpc_server/netlogon: defer downgrade check until we found the account in our SAM
via ade168df393 CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 clients' default to yes
via 33a814d745c CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_ServerAuthenticate3_check_downgrade()
via 90f06ad6d7d CVE-2022-38023 s4:torture: use NETLOGON_NEG_SUPPORTS_AES by default
via 0be35930722 CVE-2022-38023 selftest:Samba4: avoid global 'server schannel = auto'
via e02e8ad46b0 CVE-2022-38023 s4:rpc_server/netlogon: improve CVE-2020-1472(ZeroLogon) debug messages
via 643b4c1b95e CVE-2022-38023 s4:rpc_server/netlogon: re-order checking in dcesrv_netr_creds_server_step_check()
via b9269801ed6 CVE-2022-38023 s4:rpc_server/netlogon: add talloc_stackframe() to dcesrv_netr_creds_server_step_check()
via 9669a41693b CVE-2022-38023 s4:rpc_server/netlogon: add a lp_ctx variable to dcesrv_netr_creds_server_step_check()
via de121d6c613 CVE-2022-38023 s4:rpc_server/netlogon: 'server schannel != yes' warning to dcesrv_interface_netlogon_bind
via 18bcf0b6496 CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 servers' default to yes
via f1cb8950583 CVE-2022-38023 s3:winbindd: also allow per domain "winbind sealed pipes:DOMAIN" and "require strong key:DOMAIN"
via 4dc0b8d0a89 CVE-2022-38023 s3:net: add and use net_warn_member_options() helper
via ae1f4644245 CVE-2022-38023 libcli/auth: add/use netlogon_creds_cli_warn_options()
via deffd8ea00f CVE-2022-38023 libcli/auth: pass lp_ctx to netlogon_creds_cli_set_global_db()
via ddafd6dc770 CVE-2022-38023 docs-xml: improve wording for several options: "yields precedence" -> "is over-riden"
via 1040fa4c235 CVE-2022-38023 docs-xml: improve wording for several options: "takes precedence" -> "overrides"
via 26249f6c065 selftest: make filter-subunit much more efficient for large knownfail lists
via 2ea3f2db808 CVE-2022-45141 source4/heimdal: Fix check-des
via 2be27ec1d7f CVE-2022-45141 source4/heimdal: Fix TGS ticket enc-part key selection
via 73c7c6ec9bc CVE-2022-44640 source4/heimdal: Fix use-after-free when decoding PA-ENC-TS-ENC
via b4c3ce6fb9b CVE-2022-44640 HEIMDAL: asn1: Invalid free in ASN.1 codec
via f3672577a8e CVE-2022-42898: HEIMDAL: lib/krb5: fix _krb5_get_int64 on systems where 'unsigned long' is just 32-bit
via 0b4f495e810 VERSION: Bump version up to Samba 4.15.13...
from b86b889c522 VERSION: Disable GIT_SNAPSHOT for the 4.15.12 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 152 +-
auth/credentials/credentials.h | 7 +
auth/credentials/credentials_krb5.c | 59 +
buildtools/wafsamba/samba_autoconf.py | 4 +-
docs-xml/manpages/samba-tool.8.xml | 5 +
docs-xml/smbdotconf/logon/allownt4crypto.xml | 85 +-
docs-xml/smbdotconf/logon/rejectmd5clients.xml | 101 +-
.../security/allowdcerpcauthlevelconnect.xml | 2 +-
docs-xml/smbdotconf/security/clientschannel.xml | 2 +-
.../security/kdcdefaultdomainsupportedenctypes.xml | 42 +
.../security/kdcforceenablerc4weaksessionkeys.xml | 24 +
.../smbdotconf/security/kdcsupportedenctypes.xml | 40 +
.../security/kerberosencryptiontypes.xml | 12 +-
docs-xml/smbdotconf/security/serverschannel.xml | 47 +-
.../security/serverschannelrequireseal.xml | 118 ++
docs-xml/smbdotconf/winbind/rejectmd5servers.xml | 9 +-
docs-xml/smbdotconf/winbind/requirestrongkey.xml | 4 +-
lib/krb5_wrap/krb5_samba.c | 6 -
lib/param/loadparm.c | 147 ++
libcli/auth/netlogon_creds_cli.c | 89 +-
libcli/auth/netlogon_creds_cli.h | 4 +-
librpc/idl/drsuapi.idl | 9 +
librpc/idl/krb5pac.idl | 4 +-
librpc/idl/netlogon.idl | 4 +
librpc/idl/security.idl | 1 +
python/samba/drs_utils.py | 12 +-
python/samba/netcmd/domain.py | 130 +-
python/samba/tests/krb5/alias_tests.py | 6 +-
.../samba/tests/krb5/as_canonicalization_tests.py | 5 +-
python/samba/tests/krb5/as_req_tests.py | 28 +-
python/samba/tests/krb5/compatability_tests.py | 22 +
python/samba/tests/krb5/etype_tests.py | 597 ++++++++
python/samba/tests/krb5/fast_tests.py | 11 +-
python/samba/tests/krb5/kdc_base_test.py | 159 +-
python/samba/tests/krb5/kdc_tgs_tests.py | 481 ++++--
python/samba/tests/krb5/kpasswd_tests.py | 8 +-
python/samba/tests/krb5/raw_testcase.py | 253 +++-
python/samba/tests/krb5/rfc4120_constants.py | 4 +
python/samba/tests/krb5/rodc_tests.py | 8 +-
python/samba/tests/krb5/s4u_tests.py | 122 +-
python/samba/tests/krb5/salt_tests.py | 6 +-
python/samba/tests/krb5/spn_tests.py | 8 +-
python/samba/tests/krb5/test_ccache.py | 6 +-
python/samba/tests/krb5/test_idmap_nss.py | 6 +-
python/samba/tests/krb5/test_ldap.py | 6 +-
python/samba/tests/krb5/test_min_domain_uid.py | 7 +-
python/samba/tests/krb5/test_rpc.py | 6 +-
python/samba/tests/krb5/test_smb.py | 6 +-
python/samba/tests/usage.py | 1 +
selftest/knownfail_heimdal_kdc | 1 +
selftest/knownfail_mit_kdc | 1580 +++++++++++++++++++-
selftest/subunithelper.py | 32 +-
selftest/target/Samba4.pm | 121 +-
source3/client/clitar.c | 2 +-
source3/libads/kerberos.c | 6 +-
source3/libads/kerberos_keytab.c | 4 -
source3/libnet/libnet_join.c | 9 +-
source3/param/loadparm.c | 7 +-
source3/rpc_client/cli_netlogon.c | 2 +-
source3/utils/destroy_netlogon_creds_cli.c | 2 +-
source3/utils/net.c | 6 +
source3/utils/net_ads.c | 27 +-
source3/utils/net_dom.c | 2 +
source3/utils/net_join.c | 2 +
source3/utils/net_offlinejoin.c | 2 +
source3/utils/net_proto.h | 2 +
source3/utils/net_rpc.c | 10 +
source3/utils/net_util.c | 14 +
source3/utils/ntlm_auth.c | 12 +-
source3/utils/testparm.c | 89 +-
source3/winbindd/winbindd_cm.c | 41 +-
source4/dsdb/pydsdb.c | 1 +
source4/heimdal/kdc/kerberos5.c | 48 +-
source4/heimdal/kdc/krb5tgs.c | 99 +-
source4/heimdal/kdc/misc.c | 4 +-
source4/heimdal/kdc/pkinit.c | 16 +-
source4/heimdal/lib/asn1/gen_decode.c | 12 +-
source4/heimdal/lib/asn1/gen_free.c | 7 +
source4/heimdal/lib/asn1/krb5.opt | 1 +
source4/heimdal/lib/hdb/hdb.asn1 | 6 +-
source4/heimdal/lib/krb5/init_creds_pw.c | 2 +-
source4/heimdal/lib/krb5/pac.c | 172 ++-
source4/heimdal/lib/krb5/store-int.c | 2 +-
source4/kdc/db-glue.c | 295 +++-
source4/kdc/kdc-heimdal.c | 23 +-
source4/kdc/samba_kdc.h | 1 +
source4/kdc/sdb.c | 91 ++
source4/kdc/sdb.h | 12 +
source4/kdc/sdb_to_hdb.c | 28 +-
source4/kdc/wdc-samba4.c | 23 +-
source4/libnet/libnet_join.c | 4 +-
source4/libnet/libnet_passwd.c | 71 +
source4/libnet/libnet_passwd.h | 7 +
source4/libnet/py_net.c | 18 +-
source4/rpc_server/netlogon/dcerpc_netlogon.c | 1013 +++++++++++--
source4/selftest/tests.py | 32 +-
source4/torture/ntp/ntp_signd.c | 2 +-
source4/torture/rpc/lsa.c | 54 +-
source4/torture/rpc/netlogon.c | 24 +-
source4/torture/rpc/remote_pac.c | 14 +-
source4/torture/rpc/samba3rpc.c | 15 +-
wscript_configure_system_mitkrb5 | 4 +-
103 files changed, 6193 insertions(+), 758 deletions(-)
create mode 100644 docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml
create mode 100644 docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml
create mode 100644 docs-xml/smbdotconf/security/kdcsupportedenctypes.xml
create mode 100644 docs-xml/smbdotconf/security/serverschannelrequireseal.xml
create mode 100755 python/samba/tests/krb5/etype_tests.py
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index db3716dfa51..04074a39547 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=15
-SAMBA_VERSION_RELEASE=12
+SAMBA_VERSION_RELEASE=13
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 4c2a4bd596f..af861d8246d 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,152 @@
+ ===============================
+ Release Notes for Samba 4.15.13
+ December 15, 2022
+ ===============================
+
+
+This is the latest stable release of the Samba 4.15 release series.
+It also contains security changes in order to address the following defects:
+
+o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos
+ RC4-HMAC Elevation of Privilege Vulnerability
+ disclosed by Microsoft on Nov 8 2022.
+
+ A Samba Active Directory DC will issue weak rc4-hmac
+ session keys for use between modern clients and servers
+ despite all modern Kerberos implementations supporting
+ the aes256-cts-hmac-sha1-96 cipher.
+
+ On Samba Active Directory DCs and members
+ 'kerberos encryption types = legacy' would force
+ rc4-hmac as a client even if the server supports
+ aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.
+
+ https://www.samba.org/samba/security/CVE-2022-37966.html
+
+o CVE-2022-37967: This is the Samba CVE for the Windows
+ Kerberos Elevation of Privilege Vulnerability
+ disclosed by Microsoft on Nov 8 2022.
+
+ A service account with the special constrained
+ delegation permission could forge a more powerful
+ ticket than the one it was presented with.
+
+ https://www.samba.org/samba/security/CVE-2022-37967.html
+
+o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the
+ same algorithms as rc4-hmac cryptography in Kerberos,
+ and so must also be assumed to be weak.
+
+ https://www.samba.org/samba/security/CVE-2022-38023.html
+
+o CVE-2022-45141: Since the Windows Kerberos RC4-HMAC Elevation of Privilege
+ Vulnerability was disclosed by Microsoft on Nov 8 2022
+ and per RFC8429 it is assumed that rc4-hmac is weak,
+
+ Vulnerable Samba Active Directory DCs will issue rc4-hmac
+ encrypted tickets despite the target server supporting
+ better encryption (eg aes256-cts-hmac-sha1-96).
+
+ https://www.samba.org/samba/security/CVE-2022-45141.html
+
+Note that there are several important behavior changes
+included in this release, which may cause compatibility problems
+interacting with system still expecting the former behavior.
+Please read the advisories of CVE-2022-37966,
+CVE-2022-37967 and CVE-2022-38023 carefully!
+
+samba-tool got a new 'domain trust modify' subcommand
+-----------------------------------------------------
+
+This allows "msDS-SupportedEncryptionTypes" to be changed
+on trustedDomain objects. Even against remote DCs (including Windows)
+using the --local-dc-ipaddress= (and other --local-dc-* options).
+See 'samba-tool domain trust modify --help' for further details.
+
+smb.conf changes
+----------------
+
+ Parameter Name Description Default
+ -------------- ----------- -------
+ allow nt4 crypto Deprecated no
+ allow nt4 crypto:COMPUTERACCOUNT New
+ kdc default domain supported enctypes New (see manpage)
+ kdc supported enctypes New (see manpage)
+ kdc force enable rc4 weak session keys New No
+ reject md5 clients New Default, Deprecated Yes
+ reject md5 servers New Default, Deprecated Yes
+ server schannel Deprecated Yes
+ server schannel require seal New, Deprecated Yes
+ server schannel require seal:COMPUTERACCOUNT New
+ winbind sealed pipes Deprecated Yes
+
+Changes since 4.15.12
+---------------------
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
+ * BUG 15237: CVE-2022-37966.
+ * BUG 15258: filter-subunit is inefficient with large numbers of knownfails.
+
+o Ralph Boehme <slow at samba.org>
+ * BUG 15240: CVE-2022-38023.
+
+o Luke Howard <lukeh at padl.com>
+ * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 13135: The KDC logic arround msDs-supportedEncryptionTypes differs from
+ Windows.
+ * BUG 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing
+ vulnerability.
+ * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry
+ * BUG 15237: CVE-2022-37966.
+ * BUG 15240: CVE-2022-38023.
+
+o Andreas Schneider <asn at samba.org>
+ * BUG 15237: CVE-2022-37966.
+
+o Joseph Sutton <josephsutton at catalyst.net.nz>
+ * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
+ user-controlled pointer in FAST.
+ * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
+ * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
+ * BUG 15231: CVE-2022-37967.
+ * BUG 15237: CVE-2022-37966.
+
+o Nicolas Williams <nico at cryptonector.com>
+ * BUG 15214: CVE-2022-45141.
+ * BUG 15237: CVE-2022-37966.
+
+o Nicolas Williams <nico at twosigma.com>
+ * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
+ user-controlled pointer in FAST.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
===============================
Release Notes for Samba 4.15.12
November 15, 2022
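Review bot: a few typos in the new release notes are worth fixing before the tag: "interacting with system still expecting the former behavior" should read "systems", "The KDC logic arround msDs-supportedEncryptionTypes" should be "around", and the CVE-2022-45141 entry ends its first paragraph on a comma ("...it is assumed that rc4-hmac is weak,") so the two paragraphs read as one unfinished sentence. Minor consistency points: the BUG 15219 line under Stefan Metzmacher lacks the trailing period the other entries carry, and in the smb.conf table the per-COMPUTERACCOUNT rows have an empty Default column while the other rows state one; an explicit "-" would make the table unambiguous.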
@@ -42,8 +191,7 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
===============================
Release Notes for Samba 4.15.11
October 25, 2022
diff --git a/auth/credentials/credentials.h b/auth/credentials/credentials.h
index 551b1611826..6fd43472ae0 100644
--- a/auth/credentials/credentials.h
+++ b/auth/credentials/credentials.h
@@ -344,4 +344,11 @@ NTSTATUS netlogon_creds_session_encrypt(
struct netlogon_creds_CredentialState *state,
DATA_BLOB data);
+int cli_credentials_get_aes256_key(struct cli_credentials *cred,
+ TALLOC_CTX *mem_ctx,
+ struct loadparm_context *lp_ctx,
+ const char *password,
+ const char *salt,
+ DATA_BLOB *aes_256);
+
#endif /* __CREDENTIALS_H__ */
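Review bot: the new public prototype cli_credentials_get_aes256_key() lands in the header without a doc comment. Since this is a public header, a short comment stating the contract would help callers: that password and salt are cleartext C strings (the implementation calls strlen() on both), that the key is allocated on mem_ctx and marked with talloc_keep_secret(), and that the return is errno-style (0 on success, EINVAL when the credentials hold only an NT hash or key derivation fails, ENOMEM on allocation failure).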
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index d2e7a76a69e..39b7b8dd57e 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -1459,3 +1459,62 @@ _PUBLIC_ void cli_credentials_set_target_service(struct cli_credentials *cred, c
cred->target_service = talloc_strdup(cred, target_service);
}
+_PUBLIC_ int cli_credentials_get_aes256_key(struct cli_credentials *cred,
+ TALLOC_CTX *mem_ctx,
+ struct loadparm_context *lp_ctx,
+ const char *password,
+ const char *salt,
+ DATA_BLOB *aes_256)
+{
+ struct smb_krb5_context *smb_krb5_context = NULL;
+ krb5_error_code krb5_ret;
+ int ret;
+ krb5_data cleartext_data;
+ krb5_data salt_data;
+ krb5_keyblock key;
+
+ if (cred->password_will_be_nt_hash) {
+ DEBUG(1,("cli_credentials_get_aes256_key: cannot generate AES256 key using NT hash\n"));
+ return EINVAL;
+ }
+
+ cleartext_data.data = discard_const_p(char, password);
+ cleartext_data.length = strlen(password);
+
+ ret = cli_credentials_get_krb5_context(cred, lp_ctx,
+ &smb_krb5_context);
+ if (ret != 0) {
+ return ret;
+ }
+
+ salt_data.data = discard_const_p(char, salt);
+ salt_data.length = strlen(salt);
+
+ /*
+ * create ENCTYPE_AES256_CTS_HMAC_SHA1_96 key out of
+ * the salt and the cleartext password
+ */
+ krb5_ret = smb_krb5_create_key_from_string(smb_krb5_context->krb5_context,
+ NULL,
+ &salt_data,
+ &cleartext_data,
+ ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ &key);
+ if (krb5_ret != 0) {
+ DEBUG(1,("cli_credentials_get_aes256_key: "
+ "generation of a aes256-cts-hmac-sha1-96 key failed: %s",
+ smb_get_krb5_error_message(smb_krb5_context->krb5_context,
+ krb5_ret, mem_ctx)));
+ return EINVAL;
+ }
+ *aes_256 = data_blob_talloc(mem_ctx,
+ KRB5_KEY_DATA(&key),
+ KRB5_KEY_LENGTH(&key));
+ krb5_free_keyblock_contents(smb_krb5_context->krb5_context, &key);
+ if (aes_256->data == NULL) {
+ return ENOMEM;
+ }
+ talloc_keep_secret(aes_256->data);
+
+ return 0;
+}
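Review bot: the DEBUG message in the krb5_ret != 0 branch, "generation of a aes256-cts-hmac-sha1-96 key failed: %s", has no trailing "\n", so the next log line will run onto it; "a aes256" should also be "an aes256". Three further points on the same function: the krb5 error code is collapsed to EINVAL, which hides the real cause from the caller; the string returned by smb_get_krb5_error_message() is allocated on the caller's mem_ctx and is never freed on the error path, so a talloc_stackframe() or a TALLOC_FREE after logging would avoid leaking it into the caller's context; and password and salt are passed to strlen() with no NULL check, so either document in the header that both must be non-NULL or return EINVAL early.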
diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py
index 4d2aea6c941..e17e667532b 100644
--- a/buildtools/wafsamba/samba_autoconf.py
+++ b/buildtools/wafsamba/samba_autoconf.py
@@ -184,7 +184,8 @@ def CHECK_TYPE_IN(conf, t, headers=None, alternate=None, define=None):
@conf
def CHECK_VARIABLE(conf, v, define=None, always=False,
- headers=None, msg=None, lib=None):
+ headers=None, msg=None, lib=None,
+ mandatory=False):
'''check for a variable declaration (or define)'''
if define is None:
define = 'HAVE_%s' % v.upper()
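Review bot: the docstring '''check for a variable declaration (or define)''' is not updated for the new mandatory parameter. Since the only visible use is forwarding it to the inner check, a sentence stating what mandatory=True is meant to do (presumably make configure fail when the variable is absent, which is what the CVE-2022-37966 system_mitkrb5 commit relies on) would document the behaviour instead of leaving it implicit in the name.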
@@ -208,6 +209,7 @@ def CHECK_VARIABLE(conf, v, define=None, always=False,
lib=lib,
headers=headers,
define=define,
+ mandatory=mandatory,
always=always)
diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml
index 9a40bb1bec4..8e9279cc518 100644
--- a/docs-xml/manpages/samba-tool.8.xml
+++ b/docs-xml/manpages/samba-tool.8.xml
@@ -676,6 +676,11 @@
<para>Create a domain or forest trust.</para>
</refsect3>
+<refsect3>
+ <title>domain trust modify <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
+ <para>Modify a domain or forest trust.</para>
+</refsect3>
+
<refsect3>
<title>domain trust delete <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
<para>Delete a domain trust.</para>
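Review bot: the one-line description "Modify a domain or forest trust." is less specific than the WHATSNEW entry that introduces the subcommand. Stating that it changes msDS-SupportedEncryptionTypes on trustedDomain objects and can target a remote DC via --local-dc-ipaddress= (and the other --local-dc-* options) would keep the man page in step with the release notes.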
diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml
index 03dc8fa93f7..ee63e6cc245 100644
--- a/docs-xml/smbdotconf/logon/allownt4crypto.xml
+++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml
@@ -1,11 +1,18 @@
<samba:parameter name="allow nt4 crypto"
context="G"
type="boolean"
+ deprecated="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
+ <para>
+ This option is deprecated and will be removed in future,
+ as it is a security problem if not set to "no" (which will be
+ the hardcoded behavior in future).
+ </para>
+
<para>This option controls whether the netlogon server (currently
only in 'active directory domain controller' mode), will
- reject clients which does not support NETLOGON_NEG_STRONG_KEYS
+ reject clients which do not support NETLOGON_NEG_STRONG_KEYS
nor NETLOGON_NEG_SUPPORTS_AES.</para>
<para>This option was added with Samba 4.2.0. It may lock out clients
@@ -18,8 +25,82 @@
<para>"allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks.</para>
- <para>This option yields precedence to the 'reject md5 clients' option.</para>
+ <para><emphasis>Avoid using this option!</emphasis> Use explicit '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' instead!
+ Which is available with the patches for
+ <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
+ see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink></para>
+
+ <para>
+ Samba will log an error in the log files at log level 0
+ if legacy a client is rejected or allowed without an explicit,
+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' option
+ for the client. The message will indicate
+ the explicit '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>'
+ line to be added, if the legacy client software requires it. (The log level can be adjusted with
+ '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>'
+ in order to complain only at a higher log level).
+ </para>
+
+ <para>This allows admins to use "yes" only for a short grace period,
+ in order to collect the explicit
+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' options.</para>
+
+ <para>This option is over-ridden by the effective value of 'yes' from
+ the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>'
+ and/or '<smbconfoption name="reject md5 clients"/>' options.</para>
</description>
<value type="default">no</value>
</samba:parameter>
+
+<samba:parameter name="allow nt4 crypto:COMPUTERACCOUNT"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>If you still have legacy domain members which required 'allow nt4 crypto = yes',
+ it is possible to specify an explicit exception per computer account
+ by using 'allow nt4 crypto:COMPUTERACCOUNT = yes' as option.
+ Note that COMPUTERACCOUNT has to be the sAMAccountName value of
+ the computer account (including the trailing '$' sign).
+ </para>
+
+ <para>
+ Samba will log a complaint in the log files at log level 0
+ about the security problem if the option is set to "yes",
+ but the related computer does not require it.
+ (The log level can be adjusted with
+ '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>'
+ in order to complain only at a higher log level).
+ </para>
+
+ <para>
+ Samba will log a warning in the log files at log level 5,
+ if a setting is still needed for the specified computer account.
+ </para>
+
+ <para>
+ See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>,
+ <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+ </para>
+
+ <para>This option overrides the <smbconfoption name="allow nt4 crypto"/> option.</para>
+
+ <para>This option is over-ridden by the effective value of 'yes' from
+ the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>'
+ and/or '<smbconfoption name="reject md5 clients"/>' options.</para>
+ <para>Which means '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>'
+ is only useful in combination with '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'</para>
+
+ <programlisting>
+ allow nt4 crypto:LEGACYCOMPUTER1$ = yes
+ server reject md5 schannel:LEGACYCOMPUTER1$ = no
+ allow nt4 crypto:NASBOX$ = yes
+ server reject md5 schannel:NASBOX$ = no
+ allow nt4 crypto:LEGACYCOMPUTER2$ = yes
+ server reject md5 schannel:LEGACYCOMPUTER2$ = no
+ </programlisting>
+</description>
+
+</samba:parameter>
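Review bot: several wording issues in the new paragraphs: "if legacy a client is rejected" should be "if a legacy client is rejected"; "If you still have legacy domain members which required" should be "which require" (the members still exist); and "Which is available with the patches for ..." and "Which means ..." are sentence fragments that belong to the preceding sentence. The file also alternates between "over-ridden" and "overrides"; pick one spelling ("overridden") so the two parameter descriptions read consistently.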
diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
index 41684ef1080..fe7701d9277 100644
--- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml
+++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
@@ -1,17 +1,110 @@
<samba:parameter name="reject md5 clients"
context="G"
type="boolean"
+ deprecated="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
+ <para>
+ This option is deprecated and will be removed in a future release,
+ as it is a security problem if not set to "yes" (which will be
+ the hardcoded behavior in the future).
+ </para>
+
<para>This option controls whether the netlogon server (currently
only in 'active directory domain controller' mode), will
reject clients which does not support NETLOGON_NEG_SUPPORTS_AES.</para>
- <para>You can set this to yes if all domain members support aes.
- This will prevent downgrade attacks.</para>
+ <para>Support for NETLOGON_NEG_SUPPORTS_AES was added in Windows
+ starting with Server 2008R2 and Windows 7, it's available in Samba
+ starting with 4.0, however third party domain members like NetApp ONTAP
+ still uses RC4 (HMAC-MD5), see
+ <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">https://www.samba.org/samba/security/CVE-2022-38023.html</ulink>
+ for more details.
+ </para>
+
+ <para>The default changed from 'no' to 'yes', with the patches for
+ <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
+ see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+ </para>
+
+ <para><emphasis>Avoid using this option!</emphasis> Use an explicit per machine account
+ '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>' instead!
+ Which is available with the patches for
+ <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
+ see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+ </para>
+
+ <para>
+ Samba will log an error in the log files at log level 0
+ if legacy a client is rejected or allowed without an explicit,
+ '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' option
+ for the client. The message will indicate
+ the explicit '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'
+ line to be added, if the legacy client software requires it. (The log level can be adjusted with
+ '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>'
+ in order to complain only at a higher log level).
+ </para>
+
+ <para>This allows admins to use "no" only for a short grace period,
+ in order to collect the explicit
+ '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' options.</para>
+
+ <para>When set to 'yes' this option overrides the
+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT"/>' and
+ '<smbconfoption name="allow nt4 crypto"/>' options and implies
+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">no</smbconfoption>'.
+ </para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
+
+<samba:parameter name="server reject md5 schannel:COMPUTERACCOUNT"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>If you still have legacy domain members or trusted domains,
+ which required "reject md5 clients = no" before,
+ it is possible to specify an explicit exception per computer account
+ by setting 'server reject md5 schannel:COMPUTERACCOUNT = no'.
+ Note that COMPUTERACCOUNT has to be the sAMAccountName value of
+ the computer account (including the trailing '$' sign).
+ </para>
+
+ <para>
+ Samba will log a complaint in the log files at log level 0
+ about the security problem if the option is set to "no",
+ but the related computer does not require it.
+ (The log level can be adjusted with
+ '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>'
+ in order to complain only at a higher log level).
+ </para>
+
--
Samba Shared Repository