CVE-2022-37966 param: let "kdc default domain supportedenctypes = 0" mean the default
In order to allow better upgrades we need the default value for smb.conf to be the same even if the effective default value of the software changes in future. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit fa64f8fa8d92167ed15d1109af65bbb4daab4bad) [jsutton@samba.org Fixed conflicts]
This commit is contained in:
parent
693a247d3b
commit
34fc0da786
@ -38,5 +38,5 @@
|
|||||||
|
|
||||||
</description>
|
</description>
|
||||||
|
|
||||||
<value type="default">36<comment>equivalent to: rc4-hmac aes256-cts-hmac-sha1-96-sk</comment></value>
|
<value type="default">0<comment>maps to what the software supports currently: arcfour-hmac-md5 aes256-cts-hmac-sha1-96-sk</comment></value>
|
||||||
</samba:parameter>
|
</samba:parameter>
|
||||||
|
@ -3076,10 +3076,6 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
|
|||||||
"min domain uid",
|
"min domain uid",
|
||||||
"1000");
|
"1000");
|
||||||
|
|
||||||
lpcfg_do_global_parameter(lp_ctx,
|
|
||||||
"kdc default domain supported enctypes",
|
|
||||||
"rc4-hmac aes256-cts-hmac-sha1-96-sk");
|
|
||||||
|
|
||||||
for (i = 0; parm_table[i].label; i++) {
|
for (i = 0; parm_table[i].label; i++) {
|
||||||
if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
|
if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
|
||||||
lp_ctx->flags[i] |= FLAG_DEFAULT;
|
lp_ctx->flags[i] |= FLAG_DEFAULT;
|
||||||
|
@ -63,6 +63,8 @@ class EtypeTests(KdcTgsBaseTests):
|
|||||||
lp = self.get_lp()
|
lp = self.get_lp()
|
||||||
self.default_supported_enctypes = lp.get(
|
self.default_supported_enctypes = lp.get(
|
||||||
'kdc default domain supported enctypes')
|
'kdc default domain supported enctypes')
|
||||||
|
if self.default_supported_enctypes == 0:
|
||||||
|
self.default_supported_enctypes = rc4_bit | aes256_sk_bit
|
||||||
|
|
||||||
def _server_creds(self, supported=None, force_nt4_hash=False,
|
def _server_creds(self, supported=None, force_nt4_hash=False,
|
||||||
account_type=None):
|
account_type=None):
|
||||||
|
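Review bot: The fallback `self.default_supported_enctypes = rc4_bit | aes256_sk_bit` added in setUp is one of three independent copies of the "0 means the built-in default" rule in this commit: the same expression appears in the kdc_base_test.py hunk and, as `ENC_RC4_HMAC_MD5 | ENC_HMAC_SHA1_96_AES256_SK`, in the samba_kdc_message2entry hunk, with nothing tying them together. If the KDC's built-in set changes later, the tests would keep asserting the old set while the KDC advertises a different one; a single helper on the test base class that resolves 0 to the default, called from both test files, leaves one place to update. The names rc4_bit and aes256_sk_bit are neither defined nor imported within this hunk; if etype_tests.py does not already have them in scope (not visible here), setUp will raise NameError. The enclosing setUp method starts before the hunk.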
@ -58,6 +58,9 @@ from samba.ndr import ndr_pack, ndr_unpack
|
|||||||
from samba import net
|
from samba import net
|
||||||
from samba.samdb import SamDB, dsdb_Dn
|
from samba.samdb import SamDB, dsdb_Dn
|
||||||
|
|
||||||
|
rc4_bit = security.KERB_ENCTYPE_RC4_HMAC_MD5
|
||||||
|
aes256_sk_bit = security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK
|
||||||
|
|
||||||
from samba.tests import delete_force
|
from samba.tests import delete_force
|
||||||
import samba.tests.krb5.kcrypto as kcrypto
|
import samba.tests.krb5.kcrypto as kcrypto
|
||||||
from samba.tests.krb5.raw_testcase import (
|
from samba.tests.krb5.raw_testcase import (
|
||||||
@ -633,7 +636,8 @@ class KDCBaseTest(RawKerberosTest):
|
|||||||
if supported_enctypes is None:
|
if supported_enctypes is None:
|
||||||
lp = self.get_lp()
|
lp = self.get_lp()
|
||||||
supported_enctypes = lp.get('kdc default domain supported enctypes')
|
supported_enctypes = lp.get('kdc default domain supported enctypes')
|
||||||
|
if supported_enctypes == 0:
|
||||||
|
supported_enctypes = rc4_bit | aes256_sk_bit
|
||||||
supported_enctypes = int(supported_enctypes)
|
supported_enctypes = int(supported_enctypes)
|
||||||
|
|
||||||
if extra_bits is not None:
|
if extra_bits is not None:
|
||||||
|
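Review bot: The new `if supported_enctypes == 0:` check runs before the existing `supported_enctypes = int(supported_enctypes)` line that follows it, so the fallback only fires if lp.get() already returns an int; if it can return a numeric string (the later int() conversion suggests the value is not always an int), `'0' == 0` is False and the fallback is silently skipped, leaving 0 as the default enctype set. Normalising first removes the dependency on the return type: `supported_enctypes = int(lp.get('kdc default domain supported enctypes'))` followed by the zero check, with the existing int() line left in place for caller-supplied values. This is hedged on lp.get()'s return type, which cannot be confirmed from this hunk. The enclosing method starts and ends outside the hunk.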
@ -982,9 +982,6 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
|
|||||||
|
|
||||||
Globals.min_domain_uid = 1000;
|
Globals.min_domain_uid = 1000;
|
||||||
|
|
||||||
Globals.kdc_default_domain_supported_enctypes =
|
|
||||||
KERB_ENCTYPE_RC4_HMAC_MD5 | KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK;
|
|
||||||
|
|
||||||
/* Now put back the settings that were set with lp_set_cmdline() */
|
/* Now put back the settings that were set with lp_set_cmdline() */
|
||||||
apply_lp_set_cmdline();
|
apply_lp_set_cmdline();
|
||||||
}
|
}
|
||||||
|
@ -953,7 +953,11 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
|
|||||||
bool force_rc4 = lpcfg_kdc_force_enable_rc4_weak_session_keys(lp_ctx);
|
bool force_rc4 = lpcfg_kdc_force_enable_rc4_weak_session_keys(lp_ctx);
|
||||||
struct ldb_message_element *objectclasses;
|
struct ldb_message_element *objectclasses;
|
||||||
struct ldb_val computer_val;
|
struct ldb_val computer_val;
|
||||||
uint32_t default_supported_enctypes = lpcfg_kdc_default_domain_supported_enctypes(lp_ctx);
|
uint32_t config_default_supported_enctypes = lpcfg_kdc_default_domain_supported_enctypes(lp_ctx);
|
||||||
|
uint32_t default_supported_enctypes =
|
||||||
|
config_default_supported_enctypes != 0 ?
|
||||||
|
config_default_supported_enctypes :
|
||||||
|
ENC_RC4_HMAC_MD5 | ENC_HMAC_SHA1_96_AES256_SK;
|
||||||
uint32_t supported_enctypes
|
uint32_t supported_enctypes
|
||||||
= ldb_msg_find_attr_as_uint(msg,
|
= ldb_msg_find_attr_as_uint(msg,
|
||||||
"msDS-SupportedEncryptionTypes",
|
"msDS-SupportedEncryptionTypes",
|
||||||
|
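Review bot: The four-line conditional initializer of `default_supported_enctypes` carries a security-relevant decision (which enctype set the KDC falls back to when the parameter is 0, i.e. not configured) with no comment saying so; a reader scanning the declaration list sees only a ternary. Suggest `/* 0 means "not configured": use the built-in default set; keep in sync with the 0-handling in the krb5 python tests */` above it, and hoisting the literal into a named file-scope constant so this code and the smb.conf documentation comment refer to one definition rather than a repeated expression. Whether ENC_RC4_HMAC_MD5 | ENC_HMAC_SHA1_96_AES256_SK equals the KERB_ENCTYPE_* pair used by the python tests cannot be confirmed from this hunk. samba_kdc_message2entry continues outside the hunk on both sides.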