
CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 clients' default to yes

AES is supported by Windows Server >= 2008R2, Windows (Client) >= 7 and Samba >= 4.0,
so there's no reason to allow md5 clients by default.
However, some third-party domain members may still need it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
This commit is contained in:
Stefan Metzmacher 2022-11-24 18:26:18 +01:00
parent 4c7f84798a
commit c8e53394b9
4 changed files with 14 additions and 3 deletions


@ -7,11 +7,16 @@
only in 'active directory domain controller' mode), will
reject clients which does not support NETLOGON_NEG_SUPPORTS_AES.</para>
<para>You can set this to yes if all domain members support aes.
This will prevent downgrade attacks.</para>
<para>Support for NETLOGON_NEG_SUPPORTS_AES was added in Windows
starting with Server 2008R2 and Windows 7, it's available in Samba
starting with 4.0, however third party domain members like NetApp ONTAP
still uses RC4 (HMAC-MD5), see https://www.samba.org/samba/security/CVE-2022-38023.html for more details.</para>
<para>The default changed from 'no' to 'yes', with the patches for CVE-2022-38023,
see https://bugzilla.samba.org/show_bug.cgi?id=15240</para>
<para>This option overrides the 'allow nt4 crypto' option.</para>
</description>
<value type="default">no</value>
<value type="default">yes</value>
</samba:parameter>


@ -2729,6 +2729,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "winbind nss info", "template");
lpcfg_do_global_parameter(lp_ctx, "server schannel", "True");
lpcfg_do_global_parameter(lp_ctx, "reject md5 clients", "True");
lpcfg_do_global_parameter(lp_ctx, "short preserve case", "True");
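Review bot: The new `"reject md5 clients", "True"` line carries no hint that it is a security default, and the same value is set independently in source3/param/loadparm.c's init_globals() and stated again in the smb.conf documentation, so a later maintainer who sees only this table can flip it back to "False" without realizing it reverts the CVE-2022-38023 mitigation. Put the reason next to the value: `/* CVE-2022-38023: reject NETLOGON clients that lack NETLOGON_NEG_SUPPORTS_AES; keep in sync with init_globals() in source3/param/loadparm.c */` directly above the new line. loadparm_init() starts before this hunk and continues after it, so I cannot see whether the two default tables are cross-checked anywhere; if they are not, a small selftest asserting both defaults agree for this option would catch drift.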


@ -1622,6 +1622,8 @@ sub provision_ad_dc_ntvfs($$$)
client min protocol = CORE
server min protocol = LANMAN1
reject md5 clients = no
CVE_2020_1472:warn_about_unused_debug_level = 3
server require schannel:schannel0\$ = no
server require schannel:schannel1\$ = no
@ -1987,6 +1989,8 @@ sub provision_ad_dc($$$$$$$)
lpq cache time = 0
print notify backchannel = yes
reject md5 clients = no
CVE_2020_1472:warn_about_unused_debug_level = 3
server require schannel:schannel0\$ = no
server require schannel:schannel1\$ = no
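Review bot: Both added `reject md5 clients = no` lines switch the ad_dc_ntvfs and ad_dc environments back to the pre-CVE behaviour without saying why, so as far as these two hunks show the hardened default this commit introduces is not exercised by either environment; unless another environment leaves the option at its default, the rejection path goes untested. These lines appear to be smb.conf text emitted by the provisioning subs (both subs start before and continue past their hunks), so the explanation should be an smb.conf comment placed directly above each added line, e.g. `# CVE-2022-38023: selftest only - keeps RC4/HMAC-MD5 NETLOGON test clients working; do not copy into a production smb.conf`, so nobody lifts this block into a real DC configuration. Consider keeping at least one environment on the default so a client without NETLOGON_NEG_SUPPORTS_AES is actually rejected in selftest.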


@ -666,6 +666,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals.require_strong_key = true;
Globals.reject_md5_servers = true;
Globals.server_schannel = true;
Globals.reject_md5_clients = true;
Globals.read_raw = true;
Globals.write_raw = true;
Globals.null_passwords = false;
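Review bot: `Globals.reject_md5_clients = true;` is inserted after `Globals.server_schannel = true;` rather than next to `Globals.reject_md5_servers = true;` two lines earlier, which splits the two halves of the MD5/RC4 policy and hides the fact that this is a CVE default, not an arbitrary flag; the table gives no reason for the value. Move the new line to follow `Globals.reject_md5_servers = true;` and give the pair one comment, `/* CVE-2022-38023: default to rejecting RC4/HMAC-MD5 NETLOGON peers; mirrored in lib/param/loadparm.c loadparm_init() */`. init_globals() starts before this hunk and continues past it, so the placement suggestion assumes no intervening code depends on the order of these assignments.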