mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 servers' default to yes
AES is supported by Windows >= 2008R2 and Samba >= 4.0 so there's no
reason to allow md5 servers by default.
Note the change in netlogon_creds_cli_context_global() is only cosmetic,
but avoids confusion while reading the code. Check with:
git show -U35 libcli/auth/netlogon_creds_cli.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 1c6c112990
)
This commit is contained in:
parent
a2388a06cb
commit
08e2a93393
@ -13,10 +13,13 @@
|
|||||||
This will prevent downgrade attacks.</para>
|
This will prevent downgrade attacks.</para>
|
||||||
|
|
||||||
<para>The behavior can be controlled per netbios domain
|
<para>The behavior can be controlled per netbios domain
|
||||||
by using 'reject md5 servers:NETBIOSDOMAIN = yes' as option.</para>
|
by using 'reject md5 servers:NETBIOSDOMAIN = no' as option.</para>
|
||||||
|
|
||||||
|
<para>The default changed from 'no' to 'yes, with the patches for CVE-2022-38023,
|
||||||
|
see https://bugzilla.samba.org/show_bug.cgi?id=15240</para>
|
||||||
|
|
||||||
<para>This option overrides the <smbconfoption name="require strong key"/> option.</para>
|
<para>This option overrides the <smbconfoption name="require strong key"/> option.</para>
|
||||||
</description>
|
</description>
|
||||||
|
|
||||||
<value type="default">no</value>
|
<value type="default">yes</value>
|
||||||
</samba:parameter>
|
</samba:parameter>
|
||||||
|
@ -2666,6 +2666,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
|
|||||||
lpcfg_do_global_parameter(lp_ctx, "winbind sealed pipes", "True");
|
lpcfg_do_global_parameter(lp_ctx, "winbind sealed pipes", "True");
|
||||||
lpcfg_do_global_parameter(lp_ctx, "winbind scan trusted domains", "False");
|
lpcfg_do_global_parameter(lp_ctx, "winbind scan trusted domains", "False");
|
||||||
lpcfg_do_global_parameter(lp_ctx, "require strong key", "True");
|
lpcfg_do_global_parameter(lp_ctx, "require strong key", "True");
|
||||||
|
lpcfg_do_global_parameter(lp_ctx, "reject md5 servers", "True");
|
||||||
lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR);
|
lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR);
|
||||||
lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR);
|
lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR);
|
||||||
lpcfg_do_global_parameter_var(lp_ctx, "gpo update command", "%s/samba-gpupdate", dyn_SCRIPTSBINDIR);
|
lpcfg_do_global_parameter_var(lp_ctx, "gpo update command", "%s/samba-gpupdate", dyn_SCRIPTSBINDIR);
|
||||||
|
@ -341,8 +341,8 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
|
|||||||
const char *client_computer;
|
const char *client_computer;
|
||||||
uint32_t proposed_flags;
|
uint32_t proposed_flags;
|
||||||
uint32_t required_flags = 0;
|
uint32_t required_flags = 0;
|
||||||
bool reject_md5_servers = false;
|
bool reject_md5_servers = true;
|
||||||
bool require_strong_key = false;
|
bool require_strong_key = true;
|
||||||
int require_sign_or_seal = true;
|
int require_sign_or_seal = true;
|
||||||
bool seal_secure_channel = true;
|
bool seal_secure_channel = true;
|
||||||
enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
|
enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
|
||||||
|
@ -664,6 +664,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
|
|||||||
Globals.client_schannel = true;
|
Globals.client_schannel = true;
|
||||||
Globals.winbind_sealed_pipes = true;
|
Globals.winbind_sealed_pipes = true;
|
||||||
Globals.require_strong_key = true;
|
Globals.require_strong_key = true;
|
||||||
|
Globals.reject_md5_servers = true;
|
||||||
Globals.server_schannel = true;
|
Globals.server_schannel = true;
|
||||||
Globals.read_raw = true;
|
Globals.read_raw = true;
|
||||||
Globals.write_raw = true;
|
Globals.write_raw = true;
|
||||||
|
Loading…
Reference in New Issue
Block a user