mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
CVE-2022-37966 samba-tool: Declare explicitly RC4 support of trust objects
As we will assume, as part of the fixes for CVE-2022-37966, that trust objects with no msDS-SupportedEncryptionTypes attribute support AES keys, RC4 support must now be explicitly indicated.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
parent 6b155b22e6
commit 086646865e
@ -2307,11 +2307,14 @@ class cmd_domain_trust_create(DomainTrustCommand):
|
||||
if treat_as_external:
|
||||
raise CommandError("--treat-as-external requires --type=forest")
|
||||
|
||||
enc_types = None
|
||||
enc_types = lsa.TrustDomainInfoSupportedEncTypes()
|
||||
if use_aes_keys:
|
||||
enc_types = lsa.TrustDomainInfoSupportedEncTypes()
|
||||
enc_types.enc_types = security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96
|
||||
enc_types.enc_types |= security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96
|
||||
else:
|
||||
# CVE-2022-37966: Trust objects are no longer assumed to support
|
||||
# RC4, so we must indicate support explicitly.
|
||||
enc_types.enc_types = security.KERB_ENCTYPE_RC4_HMAC_MD5
|
||||
|
||||
local_policy_access = lsa.LSA_POLICY_VIEW_LOCAL_INFORMATION
|
||||
local_policy_access |= lsa.LSA_POLICY_TRUST_ADMIN
|
||||
|
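Review bot: In the new `else:` branch, `enc_types.enc_types = security.KERB_ENCTYPE_RC4_HMAC_MD5` writes the trust as RC4-only, so a trust created without `use_aes_keys` carries no AES bit at all, while the commit message says objects with no msDS-SupportedEncryptionTypes will be treated as AES-capable. If the intent is to preserve the previous default exactly, state that in the comment and in the help text of the option that sets `use_aes_keys`, so an administrator can see that the default trust is RC4-only and that AES is opt-in. Separately, `enc_types` can no longer be `None` after this hunk, so any later test on it outside the visible lines is now always taken; confirm that is intended, or drop the guard.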