1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

CVE-2022-37966 param: Add support for new option "kdc force enable rc4 weak session keys"

Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz>

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
Andrew Bartlett 2022-11-18 13:44:28 +13:00 committed by Stefan Metzmacher
parent d861d4eb28
commit ee18bc29b8
3 changed files with 29 additions and 0 deletions

View File

@ -0,0 +1,24 @@
<samba:parameter name="kdc force enable rc4 weak session keys"
type="boolean"
context="G"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>
<constant>RFC8429</constant> declares that
<constant>rc4-hmac</constant> Kerberos ciphers are weak and
there are known attacks on Active Directory use of this
cipher suite.
</para>
<para>
However for compatibility with Microsoft Windows this option
allows the KDC to assume that regardless of the value set in
a service account's
<constant>msDS-SupportedEncryptionTypes</constant> attribute
that a <constant>rc4-hmac</constant> Kerberos session key (as distinct from the ticket key, as
found in a service keytab) can be used if the potentially
older client requests it.
</para>
</description>
<value type="default">no</value>
</samba:parameter>

View File

@ -3091,6 +3091,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
"kdc default domain supported enctypes",
"rc4-hmac aes256-cts-hmac-sha1-96-sk");
lpcfg_do_global_parameter(lp_ctx,
"kdc force enable rc4 weak session keys",
"no");
for (i = 0; parm_table[i].label; i++) {
if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
lp_ctx->flags[i] |= FLAG_DEFAULT;

View File

@ -995,6 +995,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals.kdc_default_domain_supported_enctypes =
KERB_ENCTYPE_RC4_HMAC_MD5 | KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK;
Globals.kdc_force_enable_rc4_weak_session_keys = false;
/* Now put back the settings that were set with lp_set_cmdline() */
apply_lp_set_cmdline();