[SCM] Samba Shared Repository - branch v4-16-stable updated
Jule Anger
janger at samba.org
Thu Dec 15 16:31:48 UTC 2022
The branch, v4-16-stable has been updated
via 6cc6e233b5c VERSION: Disable GIT_SNAPSHOT for the 4.16.8 release.
via 64d7270f282 WHATSNEW: Add release notes for Samba 4.16.8.
via d5a8e41313d CVE-2022-37966 python:/tests/krb5: call sys.path.insert(0, "bin/python") before any other imports
via 160e566d590 CVE-2022-37966 samba-tool: add 'domain trust modify' command
via cdc71cfd273 CVE-2022-37966 s4:kdc: apply restrictions of "kdc supported enctypes"
via 4477651a0de CVE-2022-37966 param: Add support for new option "kdc supported enctypes"
via be57176c3ab CVE-2022-37966 param: let "kdc default domain supportedenctypes = 0" mean the default
via e7d3998bcc8 CVE-2022-37966 param: don't explicitly initialize "kdc force enable rc4 weak session keys" to false/"no"
via 906dbd0a4bd CVE-2022-37966 s4:kdc: announce PA-SUPPORTED-ETYPES like windows.
via c8afae7869a CVE-2022-37966 python:tests/krb5: test much more etype combinations
via 8e6d2953ba1 CVE-2022-37966 python:tests/krb5: add better PADATA_SUPPORTED_ETYPES assert message
via f4dc5721be3 CVE-2022-37966 python:tests/krb5: add 'force_nt4_hash' for account creation of KDCBaseTest
via aeb7c646bb0 CVE-2022-37966 python:tests/krb5: ignore empty supplementalCredentials attributes
via b20acd876c8 CVE-2022-37966 python:tests/krb5: allow ticket/supported_etypes to be passed KdcTgsBaseTests._{as,tgs}_req()
via 3ea9946f652 CVE-2022-37966 python:tests/krb5: fix some tests running against Windows 2022
via dd69e432ee8 CVE-2022-37966 s4:libnet: allow python bindings to force setting an nthash via SAMR level 18
via 55476d01ffc CVE-2022-37966 s4:libnet: add support LIBNET_SET_PASSWORD_SAMR_HANDLE_18 to set nthash only
via f11edc1741e CVE-2022-37966 s4:libnet: initialize libnet_SetPassword() arguments explicitly to zero by default.
via b40b03d0601 CVE-2022-37966 drsuapi.idl: add trustedDomain related ATTID values
via ec1a2225a0f CVE-2022-37966 s4:kdc: use the strongest possible keys
via 679904dc0df CVE-2022-37966 s4:pydsdb: add ENC_HMAC_SHA1_96_AES256_SK
via 052cfe5a4a1 CVE-2022-37966 s3:net_ads: let 'net ads enctypes list' pretty print AES256-SK and RESOURCE-SID-COMPRESSION-DISABLED
via 1d2318ec326 CVE-2022-37966 s3:net_ads: no longer reference des encryption types
via f8839f39f0a CVE-2022-37966 s3:libnet: no longer reference des encryption types
via 3e4a521a2aa CVE-2022-37966 s3:libads: no longer reference des encryption types
via b2201628245 CVE-2022-37966 lib/krb5_wrap: no longer reference des encryption types
via 0c7af9838fe CVE-2022-37966 s3:net_ads: remove unused ifdef HAVE_ENCTYPE_AES*
via c0bbcc442b8 CVE-2022-37966 s3:libnet: remove unused ifdef HAVE_ENCTYPE_AES*
via 836646d4a02 CVE-2022-37966 s3:libads: remove unused ifdef HAVE_ENCTYPE_AES*
via 911750da81a CVE-2022-37966 lib/krb5_wrap: remove unused ifdef HAVE_ENCTYPE_AES*
via 8842d0197d1 CVE-2022-37966 system_mitkrb5: require support for aes enctypes
via 001ed425ea1 CVE-2022-37966 wafsamba: add support for CHECK_VARIABLE(mandatory=True)
via c13c60ffbf7 CVE-2022-37966 kdc: Assume trust objects support AES by default
via a836bcf22ce CVE-2022-37966 kdc: Implement new Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
via da9da918f75 CVE-2022-37966 selftest: Run S4U tests against FL2003 DC
via f29efb011f6 CVE-2022-37966 selftest: Add tests for Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
via 71fcd5366a0 CVE-2022-37966 samba-tool: Declare explicitly RC4 support of trust objects
via b8996509387 CVE-2022-37966 samba-tool: Fix 'domain trust create' documentation
via 31543f2902e CVE-2022-37966 third_party/heimdal: Fix error message typo
via 545c20fd321 CVE-2022-37966 param: Add support for new option "kdc force enable rc4 weak session keys"
via 4c2dc48598d CVE-2022-37966 param: Add support for new option "kdc default domain supportedenctypes"
via 0601bb94c62 CVE-2022-37967 Add new PAC checksum
via a9c836d0442 CVE-2022-37966 HEIMDAL: Look up the server keys to combine with clients etype list to select a session key
via 8d208ab0616 CVE-2022-37966 tests/krb5: Add a test requesting tickets with various encryption types
via 9ed5a352ca1 CVE-2022-37966 tests/krb5: Add 'etypes' parameter to _tgs_req()
via cc2bea27a64 CVE-2022-37966 tests/krb5: Split out _tgs_req() into base class
via 2408d405d31 CVE-2022-37966 selftest: Allow krb5 tests to run against an IP by using the target_hostname binding string
via 91b74c701ac CVE-2022-37966 libcli/auth: let netlogon_creds_cli_warn_options() about "kerberos encryption types=legacy"
via 12e4e94853f CVE-2022-37966 testparm: warn about 'kerberos encryption types = legacy'
via 05206c09237 CVE-2022-37966 docs-xml/smbdotconf: "kerberos encryption types = legacy" should not be used
via a65fc1fa476 CVE-2022-37966 tests/krb5: Add test requesting a TGT expiring post-2038
via 397a390aa86 CVE-2022-37966 s3:utils: Fix old-style function definition
via a89385f2ab7 CVE-2022-37966 s3:client: Fix old-style function definition
via 130c4877b38 CVE-2022-37966 s3:param: Fix old-style function definition
via 0fee9c469c0 CVE-2022-37966 tests/krb5: Allow passing expected etypes to get_keys()
via 3dec660ae2b CVE-2022-37966 s4:kdc: Move supported enc-type handling out of samba_kdc_message2entry_keys()
via c09df344f0e CVE-2022-38023 testparm: warn about unsecure schannel related options
via 587ff282a9d CVE-2022-38023 testparm: warn about server/client schannel != yes
via 03730459feb CVE-2022-38023 s4:rpc_server/netlogon: implement "server schannel require seal[:COMPUTERACCOUNT]"
via 1d9c939ebaa CVE-2022-38023 s4:rpc_server/netlogon: add a per connection cache to dcesrv_netr_check_schannel()
via d04da3d7008 CVE-2022-38023 docs-xml/smbdotconf: add "server schannel require seal[:COMPUTERACCOUNT]" options
via 9f809e2dd39 CVE-2022-38023 s4:rpc_server/netlogon: make sure all dcesrv_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
via abba8c4579f CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_check_schannel() function
via 3f7cd285b79 CVE-2022-38023 selftest:Samba4: avoid global 'allow nt4 crypto = yes' and 'reject md5 clients = no'
via 729e905776c CVE-2022-38023 s4:rpc_server/netlogon: debug 'reject md5 servers' and 'allow nt4 crypto' misconfigurations
via 80d0238679f CVE-2022-38023 docs-xml/smbdotconf: document "server reject md5 schannel:COMPUTERACCOUNT"
via 3075f65e5d5 CVE-2022-38023 docs-xml/smbdotconf: document "allow nt4 crypto:COMPUTERACCOUNT = no"
via d2dc3622d45 CVE-2022-38023 s4:rpc_server/netlogon: add 'server reject md5 schannel:COMPUTERACCOUNT = no' and 'allow nt4 crypto:COMPUTERACCOUNT = yes'
via c25546926f5 CVE-2022-38023 s4:rpc_server/netlogon: defer downgrade check until we found the account in our SAM
via bc78864cb5f CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 clients' default to yes
via 852763adc22 CVE-2022-38023 s4:rpc_server/netlogon: require aes if weak crypto is disabled
via 35ff1221013 CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_ServerAuthenticate3_check_downgrade()
via 3f4c9c13b1f CVE-2022-38023 s4:torture: use NETLOGON_NEG_SUPPORTS_AES by default
via 066dafb07a1 CVE-2022-38023 selftest:Samba4: avoid global 'server schannel = auto'
via 82af786a36b CVE-2022-38023 s4:rpc_server/netlogon: improve CVE-2020-1472(ZeroLogon) debug messages
via 88018634c78 CVE-2022-38023 s4:rpc_server/netlogon: re-order checking in dcesrv_netr_creds_server_step_check()
via 0c32166174b CVE-2022-38023 s4:rpc_server/netlogon: add talloc_stackframe() to dcesrv_netr_creds_server_step_check()
via a5996700ade CVE-2022-38023 s4:rpc_server/netlogon: add a lp_ctx variable to dcesrv_netr_creds_server_step_check()
via 2139565c2fe CVE-2022-38023 s4:rpc_server/netlogon: 'server schannel != yes' warning to dcesrv_interface_netlogon_bind
via 08e2a933933 CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 servers' default to yes
via a2388a06cba CVE-2022-38023 s3:winbindd: also allow per domain "winbind sealed pipes:DOMAIN" and "require strong key:DOMAIN"
via 8a7df0920b7 CVE-2022-38023 s3:net: add and use net_warn_member_options() helper
via 1fe8857b4d9 CVE-2022-38023 libcli/auth: add/use netlogon_creds_cli_warn_options()
via b0dbc395510 CVE-2022-38023 libcli/auth: pass lp_ctx to netlogon_creds_cli_set_global_db()
via 421398ce5eb CVE-2022-38023 docs-xml: improve wording for several options: "yields precedence" -> "is over-riden"
via af08dd3e25a CVE-2022-38023 docs-xml: improve wording for several options: "takes precedence" -> "overrides"
via 4d099f8f678 selftest: make filter-subunit much more efficient for large knownfail lists
via a1136ed2e05 CVE-2021-20251: s4:auth: fix use after free in authsam_logon_success_accounting()
via 2736d267aa9 CVE-2022-44640 HEIMDAL: asn1: invalid free in ASN.1 codec
via d7eccdbb028 CVE-2022-44640 selftest: Exclude Heimdal fuzz-inputs from source_chars test
via 994464eee20 s3:utils: Fix stack smashing in net offlinejoin
via 885e3fc12de smbd: reject FILE_ATTRIBUTE_TEMPORARY on directories
via 8c2f27d442f torture: add a test trying to set FILE_ATTRIBUTE_TEMPORARY on a directory
via 7edddbc684c CVE-2022-42898: HEIMDAL: lib/krb5: fix _krb5_get_int64 on systems where 'unsigned long' is just 32-bit
via 33f74aea5d5 nsswitch: Fix uninitialized memory when allocating pwdlastset_prelim
via 399522d048e nsswitch: Fix pam_set_data()/pam_get_data() to use pointers to a time_t, not try and embed it directly.
via b11ceb58fee s3:rpc_server: Fix include directive substitution when enumerating shares
via ef39898066c s3:tests: Add substitution test for listing shares
via 5ade6d20f35 s3:tests: Add substitution test for include directive
via 450dd63bdf9 lib/replace: fix memory leak in snprintf replacements
via 83da21f4292 VERSION: Bump version up to Samba 4.16.8...
via 722abdcf35c Merge tag 'samba-4.16.7' into v4-16-test
via b57c2bb4725 heimdal: Fix the 32-bit build on FreeBSD
via eeea6587e92 third_party/heimdal: Introduce macro for common plugin structure elements
via 618395a7eaf s3: libsmbclient: Fix smbc_stat() to return ENOENT on a non-existent file.
via efa48817d3c s4: torture: libsmbclient: Add a torture test to ensure smbc_stat() returns ENOENT on a non-existent file.
via f7a84cffe9d s4:ldap_server: let ldapsrv_call_writev_start use conn_idle_time to limit the time
via bc16a8abe3f lib/tsocket: avoid endless cpu-spinning in tstream_bsd_fde_handler()
via aeb7dd2ca89 lib/tsocket: remember the first error as tstream_bsd->error
via d8d5146d167 lib/tsocket: check for errors indicated by poll() before getsockopt(fd, SOL_SOCKET, SO_ERROR)
via 119bf609985 lib/tsocket: split out tsocket_bsd_error() from tsocket_bsd_pending()
via c805ccba339 lib/tsocket: Add tests for loop on EAGAIN
via c2095819c31 VERSION: Bump version up to Samba 4.16.7...
via a9011093133 Merge tag 'samba-4.16.6' into v4-16-test
via c28d971b12b s4:messaging: let imessaging_client_init() use imessaging_init_discard_incoming()
via 04d0d5a0366 s3:auth_samba4: make use of imessaging_init_discard_incoming()
via 6ba44033e38 s4:messaging: add imessaging_init_discard_incoming()
via 4d7e31b9816 s3/utils: check result of talloc_strdup
via 9a18da112c4 s3/utils: Check return of talloc_strdup
via e69d2b3f9d2 s3/param: Check return of talloc_strdup
via 7480f9c01d6 s4/lib/registry: Fix use after free with popt 1.19
via 5383d625cbb s3/utils: Fix use after free with popt 1.19
via 4b35fa3f85e s3/utils: Fix use after free with popt 1.19
via 1efcc10c9d4 s3/utils: Add missing poptFreeContext
via da11c48d9b6 s3/param: Fix use after free with popt-1.19
via 0503e0df3b6 s3/rpcclient: Duplicate string returned from poptGetArg
via 3e0ce4513b0 vfs_fruit: add missing calls to tevent_req_received()
via 6c7af405580 s3: VFS: fruit. Implement fsync_send()/fsync_recv().
via 24bc377a0ec s4: smbtorture: Add fsync_resource_fork test to fruit tests.
via b3e8e8185fc smbXsrv_client: handle NAME_NOT_FOUND from smb2srv_client_connection_{pass,drop}()
via 0fa03f112f7 smbXsrv_client: make sure we only wait for smb2srv_client_mc_negprot_filter once and only when needed
via 935f1ec476e smbXsrv_client: call smb2srv_client_connection_{pass,drop}() before dbwrap_watched_watch_send()
via 68a233322bd smbXsrv_client: fix a debug message in smbXsrv_client_global_verify_record()
via f806366dd4a smbXsrv_client: ignore NAME_NOT_FOUND from smb2srv_client_connection_passed
via 52dd57d4b30 smbXsrv_client: notify a different node to drop a connection by client guid.
via ada5ef9d847 smbXsrv_client: correctly check in negotiate_request.length smbXsrv_client_connection_pass[ed]_*
via 1a4d3a2db79 python-drs: Add client-side debug and fallback for GET_ANC
via 0a8330ab7dc s4-libnet: Add messages to object count mismatch failures
via 584a4c00575 selftest: Enable "old Samba" mode regarding GET_ANC/GET_TGT
via a0e0c7e9894 s4-rpc_server:getncchanges Add "old Samba" mode regarding GET_ANC/GET_TGT
via 997b8f8341f selftest: Add tests for GetNCChanges GET_ANC using samba-tool drs clone-dc-database
via 2d2156b01de selftest: Prepare for "old Samba" mode regarding getncchanges GET_ANC/GET_TGT
via dd2c5f96981 pytest/samba_tool_drs_no_dns: use TestCaseInTempDir.rm_files/.rm_dirs
via 42b5bfa68e2 pytest/samba_tool_drs: use TestCaseInTempDir.rm_files/.rm_dirs
via 6a6db20068f pytest/samdb: use TestCaseInTempDir.rm_files/.rm_dirs
via fba1864d7a7 pytest/join: use TestCaseInTempDir.rm_files/dirs
via 6e217c047d2 pytest/samdb_api: use TestCaseInTempDir.rm_files
via 70de6108924 pytest/downgradedatabase: use TestCaseInTempDir.rm_files
via 2003f7cf749 pytest: add file removal helpers for TestCaseInTempDir
via 7c2697e9c84 s3:auth: Flush the GETPWSID in memory cache for NTLM auth
via 2f71273a736 s3: smbd: Fix memory leak in smbd_server_connection_terminate_done().
via 04e54799b2b vfs_gpfs: Protect against timestamps before the Unix epoch
via 08383bedc3b lib: Map ERANGE to NT_STATUS_INTEGER_OVERFLOW
via 729bbca5e88 vfs_gpfs: Prevent mangling of GPFS timestamps after 2106
via 6a0280d9553 CVE-2021-20251 dsdb/common: Remove transaction logic from samdb_set_password()
via d0cd367da4c s4:rpc_server: Add transaction for dcesrv_samr_SetUserInfo()
via f7f1106b2ed s4:rpc_server: Use sam_ctx consistently in dcesrv_samr_SetUserInfo()
via c56e2e2e700 s3:rpc_server: Use a done goto label for dcesrv_samr_SetUserInfo()
via f78ff75c51f CVE-2021-20251 s4-rpc_server: Extend scope of transaction for ChangePasswordUser3
via 317d36710b5 s3:rpc_server: Use BURN_STR() to zero password
via d9a144e8c4e lib:replace: Add macro BURN_STR() to zero memory of a string
via 3cab9f6a34e libcli:auth: Keep passwords from convert_string_talloc() secret
via a3aebea4893 lib:util: Check memset_s() error code in talloc_keep_secret_destructor()
via ae3b615236c CVE-2021-20251 s3: Ensure bad password count atomic updates for SAMR password change
via 69abe0c2b0a CVE-2021-20251 s3: ensure bad password count atomic updates
via 05447dfb201 CVE-2021-20251 s4:auth_winbind: Check return status of authsam_logon_success_accounting()
via 96c24b58b8c CVE-2021-20251 s4-rpc_server: Check badPwdCount update return status
via 74d8c3d5843 CVE-2021-20251 s4:kdc: Check badPwdCount update return status
via 5eb5daaa152 CVE-2021-20251 s4:kdc: Check return status of authsam_logon_success_accounting()
via 29b31129fd3 CVE-2021-20251 s4:kdc: Move logon success accounting code into existing branch
via f58d7e42009 CVE-2021-20251 s4:dsdb: Make badPwdCount update atomic
via f725f2f2442 CVE-2021-20251 s4:dsdb: Update bad password count inside transaction
via 2fe2485b93d CVE-2021-20251 s4-auth: Pass through error code from badPwdCount update
via 6a70d006917 CVE-2021-20251 auth4: Avoid reading the database twice by precalculating some variables
via dd38fae8c8d CVE-2021-20251 auth4: Inline samdb_result_effective_badPwdCount() in authsam_logon_success_accounting()
via 0d6da5250be CVE-2021-20251 auth4: Split authsam_calculate_lastlogon_sync_interval() out
via 6b826a375a1 CVE-2021-20251 auth4: Return only the result message and free the surrounding result
via a9aae34d5a9 CVE-2021-20251 auth4: Add missing newline to debug message on PSO read failure
via 79f791ff0eb CVE-2021-20251 s4 auth: make bad password count increment atomic
via a1a440c1014 CVE-2021-20251 auth4: Detect ACCOUNT_LOCKED_OUT error for password change
via 8580b90a87b CVE-2021-20251 s4 auth test: Unit tests for source4/auth/sam.c
via 9dcf447d822 CVE-2021-20251 auth4: Reread the user record if a bad password is noticed.
via 831335aaaad CVE-2021-20251 s4 auth: Prepare to make bad password count increment atomic
via 740c4c2b953 CVE-2021-20251 auth4: split samdb_result_msds_LockoutObservationWindow() out
via bc30ca2117c CVE-2021-20251 s4-rpc_server: Use authsam_search_account() to find the user
via 0e3ac110df7 CVE-2021-20251 tests/krb5: Convert password lockout tests to use os.fork() and os.pipe()
via 63020bf13c0 CVE-2021-20251 tests/krb5: Add tests for password lockout race
via b7351888e82 CVE-2021-20251 lib:crypto: Add md4_hash_blob() for hashing data with MD4
via 3542483de3f CVE-2021-20251 lib:crypto: Add des_crypt_blob_16() for encrypting data with DES
via f0c44d9e53d CVE-2021-20251 tests/krb5: Add PasswordKey_from_creds()
via d41566d1bd0 third_party: Update socket_wrapper to version 1.3.4
from fc0f1090f4c VERSION: Disable GIT_SNAPSHOT for the 4.16.7 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-16-stable
- Log -----------------------------------------------------------------
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 152 +-
buildtools/wafsamba/samba_autoconf.py | 4 +-
buildtools/wafsamba/samba_third_party.py | 2 +-
docs-xml/manpages/samba-tool.8.xml | 5 +
docs-xml/smbdotconf/logon/allownt4crypto.xml | 85 +-
docs-xml/smbdotconf/logon/rejectmd5clients.xml | 101 +-
.../security/allowdcerpcauthlevelconnect.xml | 2 +-
docs-xml/smbdotconf/security/clientschannel.xml | 2 +-
.../security/kdcdefaultdomainsupportedenctypes.xml | 42 +
.../security/kdcforceenablerc4weaksessionkeys.xml | 24 +
.../smbdotconf/security/kdcsupportedenctypes.xml | 40 +
.../security/kerberosencryptiontypes.xml | 12 +-
docs-xml/smbdotconf/security/serverschannel.xml | 47 +-
.../security/serverschannelrequireseal.xml | 118 +
docs-xml/smbdotconf/winbind/rejectmd5servers.xml | 9 +-
docs-xml/smbdotconf/winbind/requirestrongkey.xml | 4 +-
lib/crypto/py_crypto.c | 100 +
lib/crypto/wscript_build | 2 +-
lib/krb5_wrap/krb5_samba.c | 6 -
lib/param/loadparm.c | 147 ++
lib/replace/replace.h | 11 +
lib/replace/snprintf.c | 2 +
lib/tsocket/tests/socketpair_tcp.c | 89 +
.../tsocket/tests/socketpair_tcp.h | 30 +-
lib/tsocket/tests/test_tstream.c | 517 ++++
lib/tsocket/tsocket_bsd.c | 274 +-
lib/tsocket/wscript_build | 6 +
lib/util/talloc_keep_secret.c | 15 +-
libcli/auth/netlogon_creds_cli.c | 88 +-
libcli/auth/netlogon_creds_cli.h | 4 +-
libcli/auth/smbencrypt.c | 1 +
librpc/idl/drsuapi.idl | 9 +
librpc/idl/krb5pac.idl | 4 +-
librpc/idl/messaging.idl | 1 +
librpc/idl/netlogon.idl | 1 +
librpc/idl/security.idl | 1 +
nsswitch/pam_winbind.c | 24 +-
python/samba/drs_utils.py | 59 +-
python/samba/join.py | 54 +-
python/samba/netcmd/domain.py | 130 +-
python/samba/tests/__init__.py | 35 +
python/samba/tests/blackbox/downgradedatabase.py | 14 +-
python/samba/tests/join.py | 6 +-
python/samba/tests/krb5/alias_tests.py | 6 +-
.../samba/tests/krb5/as_canonicalization_tests.py | 5 +-
python/samba/tests/krb5/as_req_tests.py | 28 +-
python/samba/tests/krb5/compatability_tests.py | 22 +
python/samba/tests/krb5/etype_tests.py | 597 +++++
python/samba/tests/krb5/fast_tests.py | 11 +-
python/samba/tests/krb5/kdc_base_test.py | 133 +-
python/samba/tests/krb5/kdc_tgs_tests.py | 467 +++-
python/samba/tests/krb5/kpasswd_tests.py | 8 +-
python/samba/tests/krb5/lockout_tests.py | 1069 ++++++++
python/samba/tests/krb5/pac_align_tests.py | 6 +-
python/samba/tests/krb5/raw_testcase.py | 160 +-
python/samba/tests/krb5/rfc4120_constants.py | 2 +
python/samba/tests/krb5/rodc_tests.py | 8 +-
python/samba/tests/krb5/s4u_tests.py | 122 +-
python/samba/tests/krb5/salt_tests.py | 6 +-
python/samba/tests/krb5/spn_tests.py | 8 +-
python/samba/tests/krb5/test_ccache.py | 6 +-
python/samba/tests/krb5/test_idmap_nss.py | 6 +-
python/samba/tests/krb5/test_ldap.py | 6 +-
python/samba/tests/krb5/test_min_domain_uid.py | 7 +-
python/samba/tests/krb5/test_rpc.py | 6 +-
python/samba/tests/krb5/test_smb.py | 6 +-
python/samba/tests/samdb.py | 8 +-
python/samba/tests/samdb_api.py | 10 +-
python/samba/tests/source_chars.py | 1 +
python/samba/tests/usage.py | 2 +
selftest/knownfail | 1 +
selftest/knownfail.d/samba-4.5-emulation | 4 +
selftest/knownfail_mit_kdc | 1588 ++++++++++-
selftest/subunithelper.py | 32 +-
selftest/target/Samba3.pm | 19 +-
selftest/target/Samba4.pm | 138 +-
selftest/tests.py | 5 +
source3/auth/auth_samba4.c | 8 +-
source3/auth/check_samsec.c | 85 +-
source3/client/clitar.c | 2 +-
source3/lib/errmap_unix.c | 3 +
source3/libads/kerberos.c | 6 +-
source3/libads/kerberos_keytab.c | 4 -
source3/libnet/libnet_join.c | 9 +-
source3/librpc/idl/smbXsrv.idl | 28 +
source3/libsmb/libsmb_file.c | 39 +-
source3/modules/vfs_fruit.c | 114 +-
source3/modules/vfs_gpfs.c | 43 +-
source3/param/loadparm.c | 7 +-
source3/param/test_lp_load.c | 7 +-
source3/rpc_client/cli_netlogon.c | 2 +-
source3/rpc_server/samr/srv_samr_chgpasswd.c | 83 +-
source3/rpc_server/samr/srv_samr_nt.c | 6 +-
source3/rpc_server/srvsvc/srv_srvsvc_nt.c | 8 +
source3/rpcclient/rpcclient.c | 2 +-
source3/script/tests/test_substitutions.sh | 27 +
source3/smbd/dosmode.c | 7 +
source3/smbd/smb2_server.c | 1 +
source3/smbd/smbXsrv_client.c | 335 ++-
source3/utils/destroy_netlogon_creds_cli.c | 2 +-
source3/utils/mdsearch.c | 1 +
source3/utils/net.c | 6 +
source3/utils/net_ads.c | 27 +-
source3/utils/net_dom.c | 2 +
source3/utils/net_join.c | 2 +
source3/utils/net_offlinejoin.c | 13 +-
source3/utils/net_proto.h | 2 +
source3/utils/net_rpc.c | 10 +
source3/utils/net_util.c | 14 +
source3/utils/ntlm_auth.c | 12 +-
source3/utils/pdbedit.c | 12 +-
source3/utils/testparm.c | 100 +-
source3/winbindd/winbindd_cm.c | 41 +-
source4/auth/ntlm/auth_sam.c | 7 +-
source4/auth/ntlm/auth_winbind.c | 7 +-
source4/auth/sam.c | 716 ++++-
source4/auth/tests/sam.c | 2746 ++++++++++++++++++++
source4/auth/wscript_build | 11 +
source4/dsdb/common/util.c | 57 +-
source4/dsdb/pydsdb.c | 1 +
source4/dsdb/repl/replicated_objects.c | 11 +
source4/dsdb/samdb/ldb_modules/password_hash.c | 62 +-
source4/kdc/db-glue.c | 300 ++-
source4/kdc/hdb-samba4.c | 51 +-
source4/kdc/kdc-heimdal.c | 23 +-
source4/kdc/mit_samba.c | 4 +-
source4/kdc/sdb.c | 91 +
source4/kdc/sdb.h | 12 +
source4/kdc/sdb_to_hdb.c | 28 +-
source4/kdc/wdc-samba4.c | 23 +-
source4/ldap_server/ldap_server.c | 5 +
source4/lib/messaging/messaging.c | 74 +-
source4/lib/messaging/messaging.h | 5 +
source4/lib/messaging/messaging_internal.h | 9 +
source4/lib/registry/tools/regpatch.c | 2 +-
source4/libnet/libnet_join.c | 4 +-
source4/libnet/libnet_passwd.c | 75 +
source4/libnet/libnet_passwd.h | 7 +
source4/libnet/py_net.c | 18 +-
source4/rpc_server/drsuapi/getncchanges.c | 52 +-
source4/rpc_server/netlogon/dcerpc_netlogon.c | 1044 ++++++--
source4/rpc_server/samr/dcesrv_samr.c | 124 +-
source4/rpc_server/samr/samr_password.c | 83 +-
source4/selftest/tests.py | 59 +-
source4/torture/drs/python/samba_tool_drs.py | 13 +-
.../torture/drs/python/samba_tool_drs_critical.py | 98 +
.../torture/drs/python/samba_tool_drs_no_dns.py | 14 +-
source4/torture/libsmbclient/libsmbclient.c | 63 +
source4/torture/ntp/ntp_signd.c | 2 +-
source4/torture/rpc/lsa.c | 4 +-
source4/torture/rpc/netlogon.c | 24 +-
source4/torture/rpc/netlogon_crypto.c | 2 +-
source4/torture/rpc/remote_pac.c | 14 +-
source4/torture/rpc/samba3rpc.c | 15 +-
source4/torture/smb2/create.c | 47 +
source4/torture/vfs/fruit.c | 80 +
third_party/heimdal/kdc/csr_authorizer_plugin.h | 4 +-
third_party/heimdal/kdc/gss_preauth.c | 2 +-
.../heimdal/kdc/gss_preauth_authorizer_plugin.h | 4 +-
third_party/heimdal/kdc/kdc-plugin.h | 4 +-
third_party/heimdal/kdc/kerberos5.c | 45 +-
third_party/heimdal/kdc/krb5tgs.c | 8 +-
third_party/heimdal/kdc/misc.c | 4 +-
third_party/heimdal/kdc/token_validator_plugin.h | 4 +-
.../heimdal/lib/asn1/fuzz-inputs/KrbFastArmoredReq | Bin 0 -> 55 bytes
third_party/heimdal/lib/asn1/gen_decode.c | 12 +-
third_party/heimdal/lib/asn1/gen_encode.c | 4 +-
third_party/heimdal/lib/asn1/gen_free.c | 7 +
third_party/heimdal/lib/asn1/gen_template.c | 5 +-
third_party/heimdal/lib/asn1/krb5.asn1 | 1 +
third_party/heimdal/lib/base/common_plugin.h | 6 +-
third_party/heimdal/lib/base/heimbase-svc.h | 5 +
third_party/heimdal/lib/base/log.c | 2 +-
third_party/heimdal/lib/base/plugin.c | 2 +-
third_party/heimdal/lib/hdb/hdb-ldap.c | 3 +-
third_party/heimdal/lib/hdb/hdb.asn1 | 3 +-
third_party/heimdal/lib/hdb/hdb.c | 40 +-
third_party/heimdal/lib/hdb/hdb.h | 4 +-
third_party/heimdal/lib/hdb/test_namespace.c | 8 +-
third_party/heimdal/lib/kadm5/kadm5-hook.h | 6 +-
third_party/heimdal/lib/krb5/an2ln_plugin.h | 6 +-
third_party/heimdal/lib/krb5/db_plugin.h | 6 +-
third_party/heimdal/lib/krb5/init_creds_pw.c | 2 +-
third_party/heimdal/lib/krb5/kuserok_plugin.h | 6 +-
third_party/heimdal/lib/krb5/locate_plugin.h | 6 +-
third_party/heimdal/lib/krb5/pac.c | 169 +-
third_party/heimdal/lib/krb5/send_to_kdc_plugin.h | 5 +-
third_party/heimdal/lib/krb5/store-int.c | 2 +-
third_party/heimdal/lib/krb5/ticket.c | 2 +-
third_party/socket_wrapper/socket_wrapper.c | 18 +-
third_party/socket_wrapper/wscript | 2 +-
wscript_configure_system_mitkrb5 | 4 +-
193 files changed, 13171 insertions(+), 1181 deletions(-)
create mode 100644 docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml
create mode 100644 docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml
create mode 100644 docs-xml/smbdotconf/security/kdcsupportedenctypes.xml
create mode 100644 docs-xml/smbdotconf/security/serverschannelrequireseal.xml
create mode 100644 lib/tsocket/tests/socketpair_tcp.c
copy source3/lib/namearray.c => lib/tsocket/tests/socketpair_tcp.h (61%)
create mode 100644 lib/tsocket/tests/test_tstream.c
create mode 100755 python/samba/tests/krb5/etype_tests.py
create mode 100755 python/samba/tests/krb5/lockout_tests.py
create mode 100644 selftest/knownfail.d/samba-4.5-emulation
create mode 100644 source4/auth/tests/sam.c
create mode 100644 source4/torture/drs/python/samba_tool_drs_critical.py
create mode 100644 third_party/heimdal/lib/asn1/fuzz-inputs/KrbFastArmoredReq
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 2184d6f7481..f78e4ac5ed1 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=16
-SAMBA_VERSION_RELEASE=7
+SAMBA_VERSION_RELEASE=8
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 4f085269066..c2aeab4afbe 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,152 @@
+ ==============================
+ Release Notes for Samba 4.16.8
+ December 15, 2022
+ ==============================
+
+
+This is the latest stable release of the Samba 4.16 release series.
+It also contains security changes in order to address the following defects
+
+o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos
+ RC4-HMAC Elevation of Privilege Vulnerability
+ disclosed by Microsoft on Nov 8 2022.
+
+ A Samba Active Directory DC will issue weak rc4-hmac
+ session keys for use between modern clients and servers
+ despite all modern Kerberos implementations supporting
+ the aes256-cts-hmac-sha1-96 cipher.
+
+ On Samba Active Directory DCs and members
+ 'kerberos encryption types = legacy' would force
+ rc4-hmac as a client even if the server supports
+ aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.
+
+ https://www.samba.org/samba/security/CVE-2022-37966.html
+
+o CVE-2022-37967: This is the Samba CVE for the Windows
+ Kerberos Elevation of Privilege Vulnerability
+ disclosed by Microsoft on Nov 8 2022.
+
+ A service account with the special constrained
+ delegation permission could forge a more powerful
+ ticket than the one it was presented with.
+
+ https://www.samba.org/samba/security/CVE-2022-37967.html
+
+o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the
+ same algorithms as rc4-hmac cryptography in Kerberos,
+ and so must also be assumed to be weak.
+
+ https://www.samba.org/samba/security/CVE-2022-38023.html
+
+Note that there are several important behavior changes
+included in this release, which may cause compatibility problems
+interacting with system still expecting the former behavior.
+Please read the advisories of CVE-2022-37966,
+CVE-2022-37967 and CVE-2022-38023 carefully!
+
+samba-tool got a new 'domain trust modify' subcommand
+-----------------------------------------------------
+
+This allows "msDS-SupportedEncryptionTypes" to be changed
+on trustedDomain objects. Even against remote DCs (including Windows)
+using the --local-dc-ipaddress= (and other --local-dc-* options).
+See 'samba-tool domain trust modify --help' for further details.
+
+smb.conf changes
+----------------
+
+ Parameter Name Description Default
+ -------------- ----------- -------
+ allow nt4 crypto Deprecated no
+ allow nt4 crypto:COMPUTERACCOUNT New
+ kdc default domain supported enctypes New (see manpage)
+ kdc supported enctypes New (see manpage)
+ kdc force enable rc4 weak session keys New No
+ reject md5 clients New Default, Deprecated Yes
+ reject md5 servers New Default, Deprecated Yes
+ server schannel Deprecated Yes
+ server schannel require seal New, Deprecated Yes
+ server schannel require seal:COMPUTERACCOUNT New
+ winbind sealed pipes Deprecated Yes
+
+Changes since 4.16.7
+--------------------
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
+ same size.
+
+o Andrew Bartlett <abartlet at samba.org>
+ * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
+ user-controlled pointer in FAST.
+ * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
+ * BUG 15237: CVE-2022-37966.
+ * BUG 15258: filter-subunit is inefficient with large numbers of knownfails.
+
+o Ralph Boehme <slow at samba.org>
+ * BUG 15240: CVE-2022-38023.
+ * BUG 15252: smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 13135: The KDC logic arround msDs-supportedEncryptionTypes differs from
+ Windows.
+ * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
+ atomically.
+ * BUG 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing
+ vulnerability.
+ * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
+ * BUG 15230: Memory leak in snprintf replacement functions.
+ * BUG 15237: CVE-2022-37966.
+ * BUG 15240: CVE-2022-38023.
+ * BUG 15253: RODC doesn't reset badPwdCount reliable via an RWDC
+ (CVE-2021-20251 regression).
+
+o Noel Power <noel.power at suse.com>
+ * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the
+ same size.
+
+o Andreas Schneider <asn at samba.org>
+ * BUG 15237: CVE-2022-37966.
+ * BUG 15243: %U for include directive doesn't work for share listing
+ (netshareenum).
+ * BUG 15257: Stack smashing in net offlinejoin requestodj.
+
+o Joseph Sutton <josephsutton at catalyst.net.nz>
+ * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue.
+ * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry.
+ * BUG 15231: CVE-2022-37967.
+ * BUG 15237: CVE-2022-37966.
+
+o Nicolas Williams <nico at twosigma.com>
+ * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of
+ user-controlled pointer in FAST.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
==============================
Release Notes for Samba 4.16.7
November 15, 2022
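Review bot: "reliable" should be "reliably" in the BUG 15253 entry under Stefan Metzmacher ("RODC doesn't reset badPwdCount reliable via an RWDC"), and the BUG 15231, 15237 and 15240 entries list a bare CVE number where the other CVE entries in the same credits (BUG 14929, 14611, 15203) carry a "[SECURITY]" tag and a one-line summary; giving the three RC4-related CVE entries the same form would make the credits list consistent and easier to scan.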
@@ -43,8 +192,7 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
==============================
Release Notes for Samba 4.16.6
October 25, 2022
diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py
index 78927d85193..53febc8be93 100644
--- a/buildtools/wafsamba/samba_autoconf.py
+++ b/buildtools/wafsamba/samba_autoconf.py
@@ -184,7 +184,8 @@ def CHECK_TYPE_IN(conf, t, headers=None, alternate=None, define=None):
@conf
def CHECK_VARIABLE(conf, v, define=None, always=False,
- headers=None, msg=None, lib=None):
+ headers=None, msg=None, lib=None,
+ mandatory=False):
'''check for a variable declaration (or define)'''
if define is None:
define = 'HAVE_%s' % v.upper()
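Review bot: the new `mandatory=False` keyword is added to the `CHECK_VARIABLE` signature but the docstring `'''check for a variable declaration (or define)'''` is not updated to describe it; a short note that `mandatory=True` makes configure fail instead of just leaving the define unset (the behaviour of the underlying `CHECK_CODE` call) would document the only behavioural change of this hunk.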
@@ -208,6 +209,7 @@ def CHECK_VARIABLE(conf, v, define=None, always=False,
lib=lib,
headers=headers,
define=define,
+ mandatory=mandatory,
always=always)
diff --git a/buildtools/wafsamba/samba_third_party.py b/buildtools/wafsamba/samba_third_party.py
index f046ebc96da..10635a3d46b 100644
--- a/buildtools/wafsamba/samba_third_party.py
+++ b/buildtools/wafsamba/samba_third_party.py
@@ -24,7 +24,7 @@ Build.BuildContext.CHECK_CMOCKA = CHECK_CMOCKA
@conf
def CHECK_SOCKET_WRAPPER(conf):
- return conf.CHECK_BUNDLED_SYSTEM_PKG('socket_wrapper', minversion='1.3.3')
+ return conf.CHECK_BUNDLED_SYSTEM_PKG('socket_wrapper', minversion='1.3.4')
Build.BuildContext.CHECK_SOCKET_WRAPPER = CHECK_SOCKET_WRAPPER
@conf
diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml
index 9a40bb1bec4..8e9279cc518 100644
--- a/docs-xml/manpages/samba-tool.8.xml
+++ b/docs-xml/manpages/samba-tool.8.xml
@@ -676,6 +676,11 @@
<para>Create a domain or forest trust.</para>
</refsect3>
+<refsect3>
+ <title>domain trust modify <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
+ <para>Modify a domain or forest trust.</para>
+</refsect3>
+
<refsect3>
<title>domain trust delete <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
<para>Delete a domain trust.</para>
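Review bot: the new `domain trust modify` entry says only "Modify a domain or forest trust." and does not name which trust properties can be modified; the neighbouring create/delete entries are equally terse, but since this is the subcommand introduced by the patch set, a clause listing the modifiable attributes (or a pointer to `samba-tool domain trust modify --help`) would be worth adding.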
diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml
index 03dc8fa93f7..ee63e6cc245 100644
--- a/docs-xml/smbdotconf/logon/allownt4crypto.xml
+++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml
@@ -1,11 +1,18 @@
<samba:parameter name="allow nt4 crypto"
context="G"
type="boolean"
+ deprecated="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
+ <para>
+ This option is deprecated and will be removed in future,
+ as it is a security problem if not set to "no" (which will be
+ the hardcoded behavior in future).
+ </para>
+
<para>This option controls whether the netlogon server (currently
only in 'active directory domain controller' mode), will
- reject clients which does not support NETLOGON_NEG_STRONG_KEYS
+ reject clients which do not support NETLOGON_NEG_STRONG_KEYS
nor NETLOGON_NEG_SUPPORTS_AES.</para>
<para>This option was added with Samba 4.2.0. It may lock out clients
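Review bot: the added deprecation paragraph says the option "will be removed in future" and "the hardcoded behavior in future", while the equivalent paragraph added to reject md5 clients in this same patch says "in a future release" and "in the future"; align the wording, and add "a" where missing, so both deprecation notices read the same.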
@@ -18,8 +25,82 @@
<para>"allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks.</para>
- <para>This option yields precedence to the 'reject md5 clients' option.</para>
+ <para><emphasis>Avoid using this option!</emphasis> Use explicit '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' instead!
+ Which is available with the patches for
+ <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
+ see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink></para>
+
+ <para>
+ Samba will log an error in the log files at log level 0
+ if legacy a client is rejected or allowed without an explicit,
+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' option
+ for the client. The message will indicate
+ the explicit '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>'
+ line to be added, if the legacy client software requires it. (The log level can be adjusted with
+ '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>'
+ in order to complain only at a higher log level).
+ </para>
+
+ <para>This allows admins to use "yes" only for a short grace period,
+ in order to collect the explicit
+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' options.</para>
+
+ <para>This option is over-ridden by the effective value of 'yes' from
+ the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>'
+ and/or '<smbconfoption name="reject md5 clients"/>' options.</para>
</description>
<value type="default">no</value>
</samba:parameter>
+
+<samba:parameter name="allow nt4 crypto:COMPUTERACCOUNT"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>If you still have legacy domain members which required 'allow nt4 crypto = yes',
+ it is possible to specify an explicit exception per computer account
+ by using 'allow nt4 crypto:COMPUTERACCOUNT = yes' as option.
+ Note that COMPUTERACCOUNT has to be the sAMAccountName value of
+ the computer account (including the trailing '$' sign).
+ </para>
+
+ <para>
+ Samba will log a complaint in the log files at log level 0
+ about the security problem if the option is set to "yes",
+ but the related computer does not require it.
+ (The log level can be adjusted with
+ '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>'
+ in order to complain only at a higher log level).
+ </para>
+
+ <para>
+ Samba will log a warning in the log files at log level 5,
+ if a setting is still needed for the specified computer account.
+ </para>
+
+ <para>
+ See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>,
+ <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+ </para>
+
+ <para>This option overrides the <smbconfoption name="allow nt4 crypto"/> option.</para>
+
+ <para>This option is over-ridden by the effective value of 'yes' from
+ the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>'
+ and/or '<smbconfoption name="reject md5 clients"/>' options.</para>
+ <para>Which means '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>'
+ is only useful in combination with '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'</para>
+
+ <programlisting>
+ allow nt4 crypto:LEGACYCOMPUTER1$ = yes
+ server reject md5 schannel:LEGACYCOMPUTER1$ = no
+ allow nt4 crypto:NASBOX$ = yes
+ server reject md5 schannel:NASBOX$ = no
+ allow nt4 crypto:LEGACYCOMPUTER2$ = yes
+ server reject md5 schannel:LEGACYCOMPUTER2$ = no
+ </programlisting>
+</description>
+
+</samba:parameter>
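Review bot: "if legacy a client is rejected or allowed without an explicit," should read "if a legacy client is rejected or allowed without an explicit" (word order and stray comma); the same sentence is duplicated into rejectmd5clients.xml in this patch, so fix both. Two sentence fragments also need joining: "Which is available with the patches for CVE-2022-38023 see https://bugzilla..." after "Use explicit '...' instead!" should be "This is available with the patches for CVE-2022-38023, see ...", and "<para>Which means '...yes' is only useful in combination with '...no'</para>" lacks a terminal period and would read better as "This means that ...". Finally, "over-ridden" appears alongside "overrides" in the same description; pick one spelling ("overridden").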
diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
index 41684ef1080..fe7701d9277 100644
--- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml
+++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
@@ -1,17 +1,110 @@
<samba:parameter name="reject md5 clients"
context="G"
type="boolean"
+ deprecated="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
+ <para>
+ This option is deprecated and will be removed in a future release,
+ as it is a security problem if not set to "yes" (which will be
+ the hardcoded behavior in the future).
+ </para>
+
<para>This option controls whether the netlogon server (currently
only in 'active directory domain controller' mode), will
reject clients which does not support NETLOGON_NEG_SUPPORTS_AES.</para>
- <para>You can set this to yes if all domain members support aes.
- This will prevent downgrade attacks.</para>
+ <para>Support for NETLOGON_NEG_SUPPORTS_AES was added in Windows
+ starting with Server 2008R2 and Windows 7, it's available in Samba
+ starting with 4.0, however third party domain members like NetApp ONTAP
+ still uses RC4 (HMAC-MD5), see
+ <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">https://www.samba.org/samba/security/CVE-2022-38023.html</ulink>
+ for more details.
+ </para>
+
+ <para>The default changed from 'no' to 'yes', with the patches for
+ <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
+ see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+ </para>
+
+ <para><emphasis>Avoid using this option!</emphasis> Use an explicit per machine account
+ '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>' instead!
+ Which is available with the patches for
+ <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
+ see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+ </para>
+
+ <para>
+ Samba will log an error in the log files at log level 0
+ if legacy a client is rejected or allowed without an explicit,
+ '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' option
+ for the client. The message will indicate
+ the explicit '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'
+ line to be added, if the legacy client software requires it. (The log level can be adjusted with
+ '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>'
+ in order to complain only at a higher log level).
+ </para>
+
+ <para>This allows admins to use "no" only for a short grace period,
+ in order to collect the explicit
+ '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' options.</para>
+
+ <para>When set to 'yes' this option overrides the
+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT"/>' and
+ '<smbconfoption name="allow nt4 crypto"/>' options and implies
+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">no</smbconfoption>'.
+ </para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
+
+<samba:parameter name="server reject md5 schannel:COMPUTERACCOUNT"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>If you still have legacy domain members or trusted domains,
+ which required "reject md5 clients = no" before,
+ it is possible to specify an explicit exception per computer account
+ by setting 'server reject md5 schannel:COMPUTERACCOUNT = no'.
+ Note that COMPUTERACCOUNT has to be the sAMAccountName value of
+ the computer account (including the trailing '$' sign).
+ </para>
+
+ <para>
+ Samba will log a complaint in the log files at log level 0
+ about the security problem if the option is set to "no",
+ but the related computer does not require it.
+ (The log level can be adjusted with
+ '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>'
+ in order to complain only at a higher log level).
+ </para>
+
+ <para>
+ Samba will log a warning in the log files at log level 5
+ if a setting is still needed for the specified computer account.
+ </para>
+
+ <para>
+ See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>,
+ <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+ </para>
+
+ <para>This option overrides the <smbconfoption name="reject md5 clients"/> option.</para>
+
+ <para>When set to 'yes' this option overrides the
+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT"/>' and
+ '<smbconfoption name="allow nt4 crypto"/>' options and implies
+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">no</smbconfoption>'.
+ </para>
- <para>This option takes precedence to the 'allow nt4 crypto' option.</para>
+ <programlisting>
+ server reject md5 schannel:LEGACYCOMPUTER1$ = no
+ server reject md5 schannel:NASBOX$ = no
+ server reject md5 schannel:LEGACYCOMPUTER2$ = no
+ </programlisting>
</description>
-<value type="default">no</value>
</samba:parameter>
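Review bot: the unchanged context line "reject clients which does not support NETLOGON_NEG_SUPPORTS_AES" keeps the grammar error that this patch fixes in allownt4crypto.xml ("which do not"); apply the same fix here. In the added text, "third party domain members like NetApp ONTAP still uses RC4 (HMAC-MD5)" should be "still use", "starting with Server 2008R2 and Windows 7, it's available in Samba" is a comma splice (split into two sentences), and "if legacy a client is rejected" repeats the word-order typo noted for allow nt4 crypto. The bugzilla link is given in three consecutive paragraphs; one "See CVE-2022-38023, https://bugzilla.samba.org/show_bug.cgi?id=15240" reference would do. The move of `<value type="default">` from the end of the file to after the first `</description>` with the value changed from "no" to "yes" matches the "The default changed from 'no' to 'yes'" paragraph, which is the important part of this hunk and is correct.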
diff --git a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
index 03531adbfb3..8bccab391cc 100644
--- a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
+++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
@@ -15,7 +15,7 @@
<para>The behavior can be overwritten per interface name (e.g. lsarpc, netlogon, samr, srvsvc,
winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = yes' as option.</para>
- <para>This option yields precedence to the implementation specific restrictions.
+ <para>This option is over-ridden by the implementation specific restrictions.
E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.
</para>
diff --git a/docs-xml/smbdotconf/security/clientschannel.xml b/docs-xml/smbdotconf/security/clientschannel.xml
index 5b07da95050..d124ad48181 100644
--- a/docs-xml/smbdotconf/security/clientschannel.xml
+++ b/docs-xml/smbdotconf/security/clientschannel.xml
@@ -23,7 +23,7 @@
<para>Note that for active directory domains this is hardcoded to
<smbconfoption name="client schannel">yes</smbconfoption>.</para>
- <para>This option yields precedence to the <smbconfoption name="require strong key"/> option.</para>
+ <para>This option is over-ridden by the <smbconfoption name="require strong key"/> option.</para>
</description>
<value type="default">yes</value>
<value type="example">auto</value>
diff --git a/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml b/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml
new file mode 100644
index 00000000000..984611167b5
--- /dev/null
+++ b/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml
@@ -0,0 +1,42 @@
+<samba:parameter name="kdc default domain supported enctypes"
+ type="integer"
+ context="G"
+ handler="handle_kdc_default_domain_supported_enctypes"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ Set the default value of <constant>msDS-SupportedEncryptionTypes</constant> for service accounts in Active Directory that are missing this value or where <constant>msDS-SupportedEncryptionTypes</constant> is set to 0.
+ </para>
+
--
Samba Shared Repository