From 0248907e34945153ff2be62dc11d75c956a05932 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 5 Dec 2022 21:45:08 +0100
Subject: [PATCH] CVE-2022-37966 libcli/auth: let
 netlogon_creds_cli_warn_options() about "kerberos encryption types=legacy"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
 libcli/auth/netlogon_creds_cli.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index 0f4f7ad761e..118c81f6246 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -269,10 +269,12 @@ void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx)
 	bool global_require_strong_key = lpcfg_require_strong_key(lp_ctx);
 	int global_client_schannel = lpcfg_client_schannel(lp_ctx);
 	bool global_seal_secure_channel = lpcfg_winbind_sealed_pipes(lp_ctx);
+	int global_kerberos_enctypes = lpcfg_kerberos_encryption_types(lp_ctx);
 	static bool warned_global_reject_md5_servers = false;
 	static bool warned_global_require_strong_key = false;
 	static bool warned_global_client_schannel = false;
 	static bool warned_global_seal_secure_channel = false;
+	static bool warned_global_kerberos_encryption_types = false;
 	static int warned_global_pid = 0;
 	int current_pid = tevent_cached_getpid();
 
@@ -281,6 +283,7 @@ void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx)
 		warned_global_require_strong_key = false;
 		warned_global_client_schannel = false;
 		warned_global_seal_secure_channel = false;
+		warned_global_kerberos_encryption_types = false;
 		warned_global_pid = current_pid;
 	}
 
@@ -323,6 +326,18 @@ void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx)
 			"See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
 		warned_global_seal_secure_channel = true;
 	}
+
+	if (global_kerberos_enctypes == KERBEROS_ETYPES_LEGACY &&
+	    !warned_global_kerberos_encryption_types)
+	{
+		/*
+		 * We want admins to notice their misconfiguration!
+		 */
+		DBG_ERR("CVE-2022-37966: "
+			"Please void 'kerberos encryption types = legacy', "
+			"See https://bugzilla.samba.org/show_bug.cgi?id=15237\n");
+		warned_global_kerberos_encryption_types = true;
+	}
 }
 
 NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,