2025-01-10 01:18:15 +03:00 · 2013-12-06 11:38:21 +01:00 · 2013-12-06 11:38:21 +01:00 · 87bdc88328
commit 87bdc88328
parent 3d45d4dc3c
3 changed files with 36 additions and 0 deletions
--- a/docs-xml/smbdotconf/logon/allownt4crypto.xml
+++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml
@ -0,0 +1,26 @@
+<samba:parameter name="allow nt4 crypto"
+                 context="G"
+                 type="boolean"
+                 advanced="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This option controls whether the netlogon server (currently
+	only in 'active directory domain controller' mode), will
+	reject clients which does not support NETLOGON_NEG_STRONG_KEYS
+	nor NETLOGON_NEG_SUPPORTS_AES.</para>
+
+	<para>This option was added with Samba 4.2.0. It may lock out clients
+	which worked fine with Samba versions up to 4.1.x. as the effective default
+	was "yes" there, while it is "no" now.</para>
+
+	<para>If you have clients without RequireStrongKey = 1 in the registry,
+	you may need to set "allow nt4 crypto = yes", until you have fixed all clients.
+	</para>
+
+	<para>"allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks.</para>
+
+	<para>This option yields precedence to the 'reject md5 clients' option.</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
--- a/lib/param/param_functions.c
+++ b/lib/param/param_functions.c
@ -154,6 +154,7 @@ FN_LOCAL_PARM_BOOL(kernel_change_notify, bKernelChangeNotify)
 FN_LOCAL_BOOL(durable_handles, bDurableHandles)

 FN_GLOBAL_BOOL(allow_insecure_widelinks, bAllowInsecureWidelinks)
+FN_GLOBAL_BOOL(allow_nt4_crypto, bAllowNT4Crypto)
 FN_GLOBAL_BOOL(allow_trusted_domains, bAllowTrustedDomains)
 FN_GLOBAL_BOOL(async_smb_echo_handler, bAsyncSMBEchoHandler)
 FN_GLOBAL_BOOL(bind_interfaces_only, bBindInterfacesOnly)
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@ -4316,6 +4316,15 @@ static struct parm_struct parm_table[] = {
 		.special	= NULL,
 		.enum_list	= NULL
 	},
+	{
+		.label		= "allow nt4 crypto",
+		.type		= P_BOOL,
+		.p_class	= P_GLOBAL,
+		.offset		= GLOBAL_VAR(bAllowNT4Crypto),
+		.special	= NULL,
+		.enum_list	= NULL,
+		.flags		= FLAG_ADVANCED,
+	},

 	{N_("TLS options"), P_SEP, P_SEPARATOR},