mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
1c6c112990
AES is supported by Windows >= 2008R2 and Samba >= 4.0 so there's no reason to allow md5 servers by default. Note the change in netlogon_creds_cli_context_global() is only cosmetic, but avoids confusion while reading the code. Check with: git show -U35 libcli/auth/netlogon_creds_cli.c BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
26 lines
1023 B
XML
26 lines
1023 B
XML
<samba:parameter name="reject md5 servers"
|
|
context="G"
|
|
type="boolean"
|
|
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
|
<description>
|
|
<para>This option controls whether winbindd requires support
|
|
for aes support for the netlogon secure channel.</para>
|
|
|
|
<para>The following flags will be required NETLOGON_NEG_ARCFOUR,
|
|
NETLOGON_NEG_SUPPORTS_AES, NETLOGON_NEG_PASSWORD_SET2 and NETLOGON_NEG_AUTHENTICATED_RPC.</para>
|
|
|
|
<para>You can set this to yes if all domain controllers support aes.
|
|
This will prevent downgrade attacks.</para>
|
|
|
|
<para>The behavior can be controlled per netbios domain
|
|
by using 'reject md5 servers:NETBIOSDOMAIN = no' as option.</para>
|
|
|
|
<para>The default changed from 'no' to 'yes, with the patches for CVE-2022-38023,
|
|
see https://bugzilla.samba.org/show_bug.cgi?id=15240</para>
|
|
|
|
<para>This option overrides the <smbconfoption name="require strong key"/> option.</para>
|
|
</description>
|
|
|
|
<value type="default">yes</value>
|
|
</samba:parameter>
|