CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 clients' default to yes
AES is supported by Windows Server >= 2008R2, Windows (Client) >= 7 and Samba >= 4.0, so there's no reason to allow md5 clients by default. However some third party domain members may need it. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
This commit is contained in:
parent
4c7f84798a
commit
c8e53394b9
@ -7,11 +7,16 @@
|
||||
only in 'active directory domain controller' mode), will
|
||||
reject clients which does not support NETLOGON_NEG_SUPPORTS_AES.</para>
|
||||
|
||||
<para>You can set this to yes if all domain members support aes.
|
||||
This will prevent downgrade attacks.</para>
|
||||
<para>Support for NETLOGON_NEG_SUPPORTS_AES was added in Windows
|
||||
starting with Server 2008R2 and Windows 7, it's available in Samba
|
||||
starting with 4.0, however third party domain members like NetApp ONTAP
|
||||
still uses RC4 (HMAC-MD5), see https://www.samba.org/samba/security/CVE-2022-38023.html for more details.</para>
|
||||
|
||||
<para>The default changed from 'no' to 'yes', with the patches for CVE-2022-38023,
|
||||
see https://bugzilla.samba.org/show_bug.cgi?id=15240</para>
|
||||
|
||||
<para>This option overrides the 'allow nt4 crypto' option.</para>
|
||||
</description>
|
||||
|
||||
<value type="default">no</value>
|
||||
<value type="default">yes</value>
|
||||
</samba:parameter>
|
||||
|
@ -2729,6 +2729,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
|
||||
lpcfg_do_global_parameter(lp_ctx, "winbind nss info", "template");
|
||||
|
||||
lpcfg_do_global_parameter(lp_ctx, "server schannel", "True");
|
||||
lpcfg_do_global_parameter(lp_ctx, "reject md5 clients", "True");
|
||||
|
||||
lpcfg_do_global_parameter(lp_ctx, "short preserve case", "True");
|
||||
|
||||
|
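Review bot: The new `lpcfg_do_global_parameter(lp_ctx, "reject md5 clients", "True");` line carries no comment saying why this default was flipped, and the same default is also set as `Globals.reject_md5_clients = true;` in the init_globals hunk and as `<value type="default">yes</value>` in the docs-xml hunk, so three places must be kept in step by hand. A one-line comment at both C sites would make that coupling visible, e.g. `/* CVE-2022-38023: default is 'yes'; keep in sync with the docs-xml default and the other loadparm defaults table */`. The same remark applies to the init_globals hunk below and is not repeated there. loadparm_init starts and ends outside this hunk, as init_globals does outside its own.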
@ -1622,6 +1622,8 @@ sub provision_ad_dc_ntvfs($$$)
|
||||
client min protocol = CORE
|
||||
server min protocol = LANMAN1
|
||||
|
||||
reject md5 clients = no
|
||||
|
||||
CVE_2020_1472:warn_about_unused_debug_level = 3
|
||||
server require schannel:schannel0\$ = no
|
||||
server require schannel:schannel1\$ = no
|
||||
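Review bot: Both provision_ad_dc_ntvfs and provision_ad_dc (the next hunk) opt the selftest DCs back out of the hardened default with `reject md5 clients = no`, but neither line records which test cases still depend on RC4/HMAC-MD5 NETLOGON clients, so nothing flags the override once those tests are gone. The neighbouring `CVE_2020_1472:warn_about_unused_debug_level = 3` and `server require schannel:...` overrides already name their CVE, and a comment in the same spirit would help here, e.g. `# CVE-2022-38023: keep md5 clients for <test names - placeholder>`. As far as these hunks show, it is also worth confirming that at least one selftest environment keeps the new default of 'yes' so the rejecting path is exercised. Both subs start and end outside their hunks.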
@ -1987,6 +1989,8 @@ sub provision_ad_dc($$$$$$$)
|
||||
lpq cache time = 0
|
||||
print notify backchannel = yes
|
||||
|
||||
reject md5 clients = no
|
||||
|
||||
CVE_2020_1472:warn_about_unused_debug_level = 3
|
||||
server require schannel:schannel0\$ = no
|
||||
server require schannel:schannel1\$ = no
|
||||
|
@ -666,6 +666,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
|
||||
Globals.require_strong_key = true;
|
||||
Globals.reject_md5_servers = true;
|
||||
Globals.server_schannel = true;
|
||||
Globals.reject_md5_clients = true;
|
||||
Globals.read_raw = true;
|
||||
Globals.write_raw = true;
|
||||
Globals.null_passwords = false;
|
||||
|