The branch, v4-17-test has been updated
       via  5048d63c92e CVE-2022-37966 python:/tests/krb5: call sys.path.insert(0, "bin/python") before any other imports
       via  701c98858c9 CVE-2022-37966 samba-tool: add 'domain trust modify' command
       via  dd4832f10a7 CVE-2022-37966 s4:kdc: apply restrictions of "kdc supported enctypes"
       via  17db57685f6 CVE-2022-37966 param: Add support for new option "kdc supported enctypes"
       via  428aa9b001d CVE-2022-37966 param: let "kdc default domain supportedenctypes = 0" mean the default
       via  91be2dbb305 CVE-2022-37966 param: don't explicitly initialize "kdc force enable rc4 weak session keys" to false/"no"
       via  2d1f56c67e6 CVE-2022-37966 s4:kdc: announce PA-SUPPORTED-ETYPES like windows.
       via  82739352398 CVE-2022-37966 python:tests/krb5: test much more etype combinations
       via  c642bd9f2e9 CVE-2022-37966 python:tests/krb5: add better PADATA_SUPPORTED_ETYPES assert message
       via  afc05bec7ec CVE-2022-37966 python:tests/krb5: add 'force_nt4_hash' for account creation of KDCBaseTest
       via  d1b65794c8c CVE-2022-37966 python:tests/krb5: ignore empty supplementalCredentials attributes
       via  0f63356c8bb CVE-2022-37966 python:tests/krb5: allow ticket/supported_etypes to be passed KdcTgsBaseTests._{as,tgs}_req()
       via  6a4531ad9fb CVE-2022-37966 python:tests/krb5: fix some tests running against Windows 2022
       via  bf633c58114 CVE-2022-37966 s4:libnet: allow python bindings to force setting an nthash via SAMR level 18
       via  9c106afa804 CVE-2022-37966 s4:libnet: add support LIBNET_SET_PASSWORD_SAMR_HANDLE_18 to set nthash only
       via  bf27c7ba92e CVE-2022-37966 s4:libnet: initialize libnet_SetPassword() arguments explicitly to zero by default.
       via  d7efa582a41 CVE-2022-37966 drsuapi.idl: add trustedDomain related ATTID values
       via  42c12b8c36d CVE-2022-37966 s4:kdc: use the strongest possible keys
       via  ceda758dd73 CVE-2022-37966 s4:pydsdb: add ENC_HMAC_SHA1_96_AES256_SK
       via  e741eac059f CVE-2022-37966 s3:net_ads: let 'net ads enctypes list' pretty print AES256-SK and RESOURCE-SID-COMPRESSION-DISABLED
       via  96fcd2b2b1f CVE-2022-37966 s3:net_ads: no longer reference des encryption types
       via  8b9e670c5ce CVE-2022-37966 s3:libnet: no longer reference des encryption types
       via  edccbf1a637 CVE-2022-37966 s3:libads: no longer reference des encryption types
       via  c894010ae87 CVE-2022-37966 lib/krb5_wrap: no longer reference des encryption types
       via  e2e29876b69 CVE-2022-37966 s3:net_ads: remove unused ifdef HAVE_ENCTYPE_AES*
       via  b10529349fb CVE-2022-37966 s3:libnet: remove unused ifdef HAVE_ENCTYPE_AES*
       via  d022b9fa3ae CVE-2022-37966 s3:libads: remove unused ifdef HAVE_ENCTYPE_AES*
       via  91680bf61f5 CVE-2022-37966 lib/krb5_wrap: remove unused ifdef HAVE_ENCTYPE_AES*
       via  425dc5a2a09 CVE-2022-37966 system_mitkrb5: require support for aes enctypes
       via  4ad0303ece5 CVE-2022-37966 wafsamba: add support for CHECK_VARIABLE(mandatory=True)
       via  5f8854208d7 CVE-2022-37966 s4:kdc: also limit the krbtgt history to their strongest keys
       via  82f3c2876a8 CVE-2022-37966 kdc: Assume trust objects support AES by default
       via  71e538e7e03 CVE-2022-37966 kdc: Implement new Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
       via  3d85ff9dd57 CVE-2022-37966 selftest: Run S4U tests against FL2003 DC
       via  64bfe0ef786 CVE-2022-37966 selftest: Add tests for Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
       via  123b3c056af CVE-2022-37966 tests/krb5: Test different preauth etypes with Protected Users group
       via  d8cef2fa342 CVE-2022-37966 samba-tool: Declare explicitly RC4 support of trust objects
       via  42150ff93ba CVE-2022-37966 samba-tool: Fix 'domain trust create' documentation
       via  350a2e5fda5 CVE-2022-37966 third_party/heimdal: Fix error message typo
       via  ac8a4665a8d CVE-2022-37966 param: Add support for new option "kdc force enable rc4 weak session keys"
       via  3d276a19e30 CVE-2022-37966 param: Add support for new option "kdc default domain supportedenctypes"
       via  25918f9c16c CVE-2022-37967 Add new PAC checksum
       via  6ff9fc58cd3 CVE-2022-37966 HEIMDAL: Look up the server keys to combine with clients etype list to select a session key
       via  15835e21e84 CVE-2022-37966 tests/krb5: Add a test requesting tickets with various encryption types
       via  649854b0fad CVE-2022-37966 tests/krb5: Add 'etypes' parameter to _tgs_req()
       via  4870b9c8e57 CVE-2022-37966 tests/krb5: Split out _tgs_req() into base class
       via  91dcb8d0442 CVE-2022-37966 selftest: Allow krb5 tests to run against an IP by using the target_hostname binding string
       via  362de0199e3 CVE-2022-37966 libcli/auth: let netlogon_creds_cli_warn_options() about "kerberos encryption types=legacy"
       via  9fa6585a4cc CVE-2022-37966 testparm: warn about 'kerberos encryption types = legacy'
       via  d08d54c944d CVE-2022-37966 docs-xml/smbdotconf: "kerberos encryption types = legacy" should not be used
       via  fea5bde53c4 CVE-2022-37966 tests/krb5: Add test requesting a TGT expiring post-2038
       via  c5eda69a10b CVE-2022-37966 s3:utils: Fix old-style function definition
       via  9166254b4bb CVE-2022-37966 s3:client: Fix old-style function definition
       via  523f9aa70a8 CVE-2022-37966 s3:param: Fix old-style function definition
       via  f4d487bda53 CVE-2022-38023 testparm: warn about insecure schannel related options
       via  0d4f8c70446 CVE-2022-38023 testparm: warn about server/client schannel != yes
       via  e5e03583f19 CVE-2022-38023 s4:rpc_server/netlogon: implement "server schannel require seal[:COMPUTERACCOUNT]"
       via  8f7d77ecb52 CVE-2022-38023 s4:rpc_server/netlogon: add a per connection cache to dcesrv_netr_check_schannel()
       via  65d8624cd21 CVE-2022-38023 docs-xml/smbdotconf: add "server schannel require seal[:COMPUTERACCOUNT]" options
       via  de639278eb1 CVE-2022-38023 s4:rpc_server/netlogon: make sure all dcesrv_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
       via  cf649bf2772 CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_check_schannel() function
       via  ff1c42ee451 CVE-2022-38023 selftest:Samba4: avoid global 'allow nt4 crypto = yes' and 'reject md5 clients = no'
       via  f0cdff380b8 CVE-2022-38023 s4:rpc_server/netlogon: debug 'reject md5 servers' and 'allow nt4 crypto' misconfigurations
       via  1d2e938ab67 CVE-2022-38023 docs-xml/smbdotconf: document "server reject md5 schannel:COMPUTERACCOUNT"
       via  2cb10f9648e CVE-2022-38023 docs-xml/smbdotconf: document "allow nt4 crypto:COMPUTERACCOUNT = no"
       via  277bd2c6d31 CVE-2022-38023 s4:rpc_server/netlogon: add 'server reject md5 schannel:COMPUTERACCOUNT = no' and 'allow nt4 crypto:COMPUTERACCOUNT = yes'
       via  c919351058b CVE-2022-38023 s4:rpc_server/netlogon: defer downgrade check until we found the account in our SAM
       via  f69766398ef CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 clients' default to yes
       via  eb1f1c37548 CVE-2022-38023 s4:rpc_server/netlogon: require aes if weak crypto is disabled
       via  07518e76dc9 CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_ServerAuthenticate3_check_downgrade()
       via  84d53540268 CVE-2022-38023 s4:torture: use NETLOGON_NEG_SUPPORTS_AES by default
       via  a656f2a3d66 CVE-2022-38023 selftest:Samba4: avoid global 'server schannel = auto'
       via  4d143e92adf CVE-2022-38023 s4:rpc_server/netlogon: improve CVE-2020-1472(ZeroLogon) debug messages
       via  a31898e1769 CVE-2022-38023 s4:rpc_server/netlogon: re-order checking in dcesrv_netr_creds_server_step_check()
       via  911874a9582 CVE-2022-38023 s4:rpc_server/netlogon: add talloc_stackframe() to dcesrv_netr_creds_server_step_check()
       via  93566433316 CVE-2022-38023 s4:rpc_server/netlogon: add a lp_ctx variable to dcesrv_netr_creds_server_step_check()
       via  b04f9cd924e CVE-2022-38023 s4:rpc_server/netlogon: 'server schannel != yes' warning to dcesrv_interface_netlogon_bind
       via  15253c4da88 CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 servers' default to yes
       via  ff5f2c81e97 CVE-2022-38023 s3:winbindd: also allow per domain "winbind sealed pipes:DOMAIN" and "require strong key:DOMAIN"
       via  6c7aa761f3b CVE-2022-38023 s3:net: add and use net_warn_member_options() helper
       via  285ecad0a84 CVE-2022-38023 libcli/auth: add/use netlogon_creds_cli_warn_options()
       via  d39c37292f9 CVE-2022-38023 libcli/auth: pass lp_ctx to netlogon_creds_cli_set_global_db()
       via  810b57b19dd CVE-2022-38023 docs-xml: improve wording for several options: "yields precedence" -> "is over-riden"
       via  121c471b5ee CVE-2022-38023 docs-xml: improve wording for several options: "takes precedence" -> "overrides"
       via  fd50943b2a4 selftest: make filter-subunit much more efficient for large knownfail lists
      from  8578a24c288 CVE-2021-20251: s4:auth: fix use after free in authsam_logon_success_accounting()
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-17-test


- Log -----------------------------------------------------------------
commit 5048d63c92ea2a8ccdb1a5a25ac19b2a423ca09d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Nov 29 14:14:32 2022 +0100

    CVE-2022-37966 python:/tests/krb5: call sys.path.insert(0, "bin/python") before any other imports

    This allows the tests to be executed without an explicit
    PYTHONPATH="bin/python".

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(master): Tue Dec 13 14:06:14 UTC 2022 on sn-devel-184

    (similar to commit 987cba90573f955fe9c781830daec85ad4d5bf92)

    Autobuild-User(v4-17-test): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(v4-17-test): Wed Dec 14 12:40:42 UTC 2022 on sn-devel-184

commit 701c98858c994f49d828cfa1434344e37ae50a74
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Dec 6 12:55:45 2022 +0100

    CVE-2022-37966 samba-tool: add 'domain trust modify' command

    For now it only allows the admin to modify the
    msDS-SupportedEncryptionTypes values.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    (cherry picked from commit d1999c152acdf939b4cd7eb446dd9921d3edae29)

commit dd4832f10a734589f853a95aca6d724644d001c0
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 30 09:39:19 2022 +0100

    CVE-2022-37966 s4:kdc: apply restrictions of "kdc supported enctypes"

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit cca3c024fc514bee79bb60a686e470605cc98d6f)

commit 17db57685f6cbdb410742045b43aee174193ff4e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Nov 29 14:13:36 2022 +0100

    CVE-2022-37966 param: Add support for new option "kdc supported enctypes"

    This allows admins to disable enctypes completely if required.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 36d0a495159f72633f1f41deec979095417a1727)

commit 428aa9b001db5c0f56a519eaeb884616a2f88073
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 30 09:05:51 2022 +0100

    CVE-2022-37966 param: let "kdc default domain supportedenctypes = 0" mean the default

    In order to allow better upgrades we need the default value for
    smb.conf to be the same even if the effective default value of the
    software changes in future.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit fa64f8fa8d92167ed15d1109af65bbb4daab4bad)

commit 91be2dbb30501dc82d942c92d637ffc55518f174
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 30 09:02:41 2022 +0100

    CVE-2022-37966 param: don't explicitly initialize "kdc force enable rc4 weak session keys" to false/"no"

    This is not squashed in order to allow easier backports...

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 7504a4d6fee7805aac7657b9dab88c48353d6db4)

commit 2d1f56c67e604288939f1dba0d8b338fbaedd5a9
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 24 15:44:40 2022 +0100

    CVE-2022-37966 s4:kdc: announce PA-SUPPORTED-ETYPES like windows.

    We need to take the value from the msDS-SupportedEncryptionTypes
    attribute and only take the default if there's no value or if the
    value is 0.

    For krbtgt and DC accounts we need to force support for
    ARCFOUR-HMAC-MD5 and AES encryption types and add the related bits in
    addition. (Note: for krbtgt msDS-SupportedEncryptionTypes is
    completely ignored, the hardcoded value is the default, so there's no
    AES256-SK for krbtgt).

    For UF_USE_DES_KEY_ONLY on the account we reset the value to 0, these
    accounts are in fact disabled completely, as they always result in
    KRB5KDC_ERR_ETYPE_NOSUPP.

    Then we try to get all encryption keys marked in supported_enctypes,
    and the available_enctypes is a reduced set depending on what keys
    are actually stored in the database.

    We select the supported session key enctypes by the available keys
    and in addition based on AES256-SK as well as the
    "kdc force enable rc4 weak session keys" option.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit fde745ec3491a4fd7b23e053a67093a2ccaf0905)

commit 8273935239846045477f99f7dd655d9d37c8c43e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Nov 29 17:11:01 2022 +0100

    CVE-2022-37966 python:tests/krb5: test much more etype combinations

    These tests work out the difference between
    - msDS-SupportedEncryptionTypes value or its default
    - software defined extra flags for DC accounts
    - accounts with only an nt hash being stored
    - the resulting value in the KRB5_PADATA_SUPPORTED_ETYPES announcement

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 1dfa91682efd3b12d7d6af75287efb12ebd9e526)

commit c642bd9f2e98c9fbfe8d3f71def94fd1e76b65f0
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Nov 29 20:59:52 2022 +0100

    CVE-2022-37966 python:tests/krb5: add better PADATA_SUPPORTED_ETYPES assert message

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit c7c576208960e336da276e251ad7a526e1b3ed45)

commit afc05bec7ec0ab38bebc3e0a8afb105ae10eafef
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Nov 29 16:42:58 2022 +0100

    CVE-2022-37966 python:tests/krb5: add 'force_nt4_hash' for account creation of KDCBaseTest

    This will allow us to create test accounts with only an nt4 hash
    stored, without any aes keys.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 77bd3258f1db0ddf4639a83a81a1aad3ee52c87d)

commit d1b65794c8c9ef62912a8bcbebe38651fb71adf2
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Nov 29 20:27:14 2022 +0100

    CVE-2022-37966 python:tests/krb5: ignore empty supplementalCredentials attributes

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit f434a30ee7c40aac4a223fcabac9ddd160a155a5)

commit 0f63356c8bb0216b64947ddb7f80bba70492fb54
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Nov 29 14:15:40 2022 +0100

    CVE-2022-37966 python:tests/krb5: allow ticket/supported_etypes to be passed KdcTgsBaseTests._{as,tgs}_req()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit d8fd6a22b67a2b3ae03a2e428cc4987f07af6e29)

commit 6a4531ad9fb1425c2d3246dcb505d3db08c0325a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Nov 29 09:48:09 2022 +0100

    CVE-2022-37966 python:tests/krb5: fix some tests running against Windows 2022

    I'm using the following options:

    SERVER=172.31.9.218 DC_SERVER=w2022-118.w2022-l7.base \
    SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 \
    DOMAIN=W2022-L7 REALM=W2022-L7.BASE \
    ADMIN_USERNAME=Administrator ADMIN_PASSWORD=A1b2C3d4 \
    CLIENT_USERNAME=Administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=2 \
    FULL_SIG_SUPPORT=1 TKT_SIG_SUPPORT=1 FORCED_RC4=1

    in order to run these:

    python/samba/tests/krb5/as_req_tests.py -v --failfast AsReqKerberosTests
    python/samba/tests/krb5/etype_tests.py -v --failfast EtypeTests

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit e0f89b7bc8025db615dccf096aab4ca87e655368)

commit bf633c58114ddf9f9e3a729e623e9bd421dee322
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Nov 29 15:45:56 2022 +0100

    CVE-2022-37966 s4:libnet: allow python bindings to force setting an nthash via SAMR level 18

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 4ebbe7e40754eeb1c8f221dd59018c3e681ab2ab)

commit 9c106afa804aa6d3380869f70e3bf7057dab43c4
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Mar 24 14:09:50 2022 +0100

    CVE-2022-37966 s4:libnet: add support LIBNET_SET_PASSWORD_SAMR_HANDLE_18 to set nthash only

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 271cd82cd681d723572fcaeed24052dc98a83612)

commit bf27c7ba92e6a15456cfe4915bbce423fdd2fbe7
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Nov 29 15:42:27 2022 +0100

    CVE-2022-37966 s4:libnet: initialize libnet_SetPassword() arguments explicitly to zero by default.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 9e69289b099b47e0352ef67ef7e6529d11688e9a)

commit d7efa582a41082d87c844461342e1f9e3ca932a3
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Feb 3 16:27:15 2022 +0100

    CVE-2022-37966 drsuapi.idl: add trustedDomain related ATTID values

    For now this is only for debugging in order to see
    DRSUAPI_ATTID_msDS_SupportedEncryptionTypes in the replication meta
    data.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit f1c5fa28c460f7e011049606b1b9ef96443e5e1f)

commit 42c12b8c36d6466cae5197b84650a27944e059cd
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Nov 7 18:03:45 2017 +0100

    CVE-2022-37966 s4:kdc: use the strongest possible keys

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit d7ea197ed1a9903f601030e6466cc822f9b8f794)

commit ceda758dd731b7d18ffa40cb32a960bf44fb30fa
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 23 15:27:14 2022 +0100

    CVE-2022-37966 s4:pydsdb: add ENC_HMAC_SHA1_96_AES256_SK

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 621b8c3927b63776146940b183b03b3ea77fd2d7)

commit e741eac059fb07b2e421c6b181175c985659004f
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Nov 22 09:48:45 2022 +0100

    CVE-2022-37966 s3:net_ads: let 'net ads enctypes list' pretty print AES256-SK and RESOURCE-SID-COMPRESSION-DISABLED

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit b7260c89e0df18822fa276e681406ec4d3921caa)

commit 96fcd2b2b1f7933ccc5f42701c818365b59d2932
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 23 15:20:40 2022 +0100

    CVE-2022-37966 s3:net_ads: no longer reference des encryption types

    We no longer have support for des encryption types in the kerberos
    libraries anyway.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 4cedaa643bf95ef2628f1b631feda833bb2e7da1)

commit 8b9e670c5ce4e3dd70736e49ea0b22c122cdd298
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 23 15:20:40 2022 +0100

    CVE-2022-37966 s3:libnet: no longer reference des encryption types

    We no longer have support for des encryption types in the kerberos
    libraries anyway.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 40b47c194d7c41fbc6515b6029d5afafb0911232)

commit edccbf1a637fc437a358ab49800ec7cdbcba9768
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 23 15:20:40 2022 +0100

    CVE-2022-37966 s3:libads: no longer reference des encryption types

    We no longer have support for des encryption types in the kerberos
    libraries anyway.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit a683507e560a499336c50b88abcd853d49618bf4)

commit c894010ae87aa496b8380798ee270f1b5f69f54e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 23 15:20:40 2022 +0100

    CVE-2022-37966 lib/krb5_wrap: no longer reference des encryption types

    We no longer have support for des encryption types in the kerberos
    libraries anyway.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 16b805c8f376e0992a8bbb359d6bd8f0f96229db)

commit e2e29876b69397c02ba480b17f53204a78d458ff
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 23 15:19:48 2022 +0100

    CVE-2022-37966 s3:net_ads: remove unused ifdef HAVE_ENCTYPE_AES*

    aes encryption types are always supported.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit f3fe1f2ce64ed36be5b001fb4fea92428e73e4e3)

commit b10529349fb41842a49f1942bdda65a9ef72b47a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 23 15:19:48 2022 +0100

    CVE-2022-37966 s3:libnet: remove unused ifdef HAVE_ENCTYPE_AES*

    aes encryption types are always supported.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 1a36c348d7a984bed8d0f3de5bf9bebd1cb3c47a)

commit d022b9fa3ae3b7284393f96afb0faddc0526e5ab
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 23 15:18:02 2022 +0100

    CVE-2022-37966 s3:libads: remove unused ifdef HAVE_ENCTYPE_AES*

    aes encryption types are always supported.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 2bd27955ce1000c13b468934eed8b0fdeb66e3bf)

commit 91680bf61f5067bf5b3b9eb2ec811be5b676e6ad
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 23 15:16:51 2022 +0100

    CVE-2022-37966 lib/krb5_wrap: remove unused ifdef HAVE_ENCTYPE_AES*

    aes encryption types are always supported.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit c9b10ee32c7e91521d024477a28fb7a622e4eb04)

commit 425dc5a2a09421b09ae634fe8b51e0ca1b0544f1
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 23 15:12:47 2022 +0100

    CVE-2022-37966 system_mitkrb5: require support for aes enctypes

    This will never fail as we already require a version that supports
    aes, but this makes it clearer.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit a80f8e1b826ee3f9bbb22752464a73b97c2a612d)

commit 4ad0303ece5390e5ed73b6863fef51f88ebaca00
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 23 15:12:14 2022 +0100

    CVE-2022-37966 wafsamba: add support for CHECK_VARIABLE(mandatory=True)

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 9da028c46f70db60a80d47f5dadbec194510211f)

commit 5f8854208d7fe93cb128376d7df88b3723a3bd6a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Sun Dec 4 21:05:39 2022 +0100

    CVE-2022-37966 s4:kdc: also limit the krbtgt history to their strongest keys

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 6b46b764fc5760d3bf83bb1ea5fa398d993cf68d)

commit 82f3c2876a80fa58425db3ee0ab15900680fe0ba
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Nov 22 11:32:34 2022 +1300

    CVE-2022-37966 kdc: Assume trust objects support AES by default

    As part of matching the behaviour of Windows, assume that trust
    objects support AES256, but not RC4, if not specified otherwise.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 4bb50c868c8ed14372cb7d27e53cdaba265fc33d)

commit 71e538e7e03b0624a8f094c506cde7a3e604bf3e
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Nov 1 15:20:47 2022 +1300

    CVE-2022-37966 kdc: Implement new Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added

    ENC_HMAC_SHA1_96_AES256_SK is a flag introduced by Microsoft in this
    CVE to indicate that additionally, AES session keys are available.

    We set the etypes available for session keys depending on the
    encryption types that are supported by the principal.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219

    Pair-Programmed-With: Joseph Sutton <josephsut...@catalyst.net.nz>

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (similar to commit 975e43fc45531fdea14b93a3b1529b3218a177e6)
    [jsut...@samba.org Fixed knownfail conflicts]

commit 3d85ff9dd5760168618d8f338a154b25e7605b52
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 23 16:05:04 2022 +1300

    CVE-2022-37966 selftest: Run S4U tests against FL2003 DC

    This shows that changes around RC4 encryption types do not break
    older functional levels where only RC4 keys are available.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 44802c46b18caf3c7f9f2fb1b66025fc30e22ac5)

commit 64bfe0ef7868b23e12f465ca9a37f8a8ee161a70
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Nov 18 12:11:39 2022 +1300

    CVE-2022-37966 selftest: Add tests for Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added

    ENC_HMAC_SHA1_96_AES256_SK is a flag introduced by Microsoft in this
    CVE to indicate that additionally, AES session keys are available.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Pair-Programmed-With: Andrew Bartlett <abart...@samba.org>

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (similar to commit 371d7e63fcb966ab54915a3dedb888d48adbf0c0)
    [jsut...@samba.org Removed unneeded fast_tests.py change, added
     non_etype_bits in raw_testcase.py, fixed conflicts in knownfails and
     tests.py]

commit 123b3c056af8dc3e024e22e49be6d8dd54b29b49
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Nov 21 18:05:36 2022 +1300

    CVE-2022-37966 tests/krb5: Test different preauth etypes with Protected Users group

    Extend the RC4 Protected Users tests to use different preauth etypes.
    This helps test the nuances of the new expected behaviour and allows
    the tests to continue passing.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit a7a0b9ad0757d6586905d64bc645a8946fe5c10e)

commit d8cef2fa342394b20e11d66d03bdf4790523a3ef
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Nov 21 13:47:06 2022 +1300

    CVE-2022-37966 samba-tool: Declare explicitly RC4 support of trust objects

    As we will assume, as part of the fixes for CVE-2022-37966, that trust
    objects with no msDS-SupportedEncryptionTypes attribute support AES
    keys, RC4 support must now be explicitly indicated.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 086646865eef247a54897f5542495a2105563a5e)

commit 42150ff93bad105f74d867ef1a4683d90f3bb1a3
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Nov 21 13:45:22 2022 +1300

    CVE-2022-37966 samba-tool: Fix 'domain trust create' documentation

    This option does the opposite of what the documentation claims.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 6b155b22e6afa52ce29cc475840c1d745b0f1f5e)

commit 350a2e5fda56eea26a5a238272df8d46f19ccf84
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Nov 21 14:01:47 2022 +1300

    CVE-2022-37966 third_party/heimdal: Fix error message typo

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit d6b3d68efc296190a133b4e38137bdfde39257f4)

commit ac8a4665a8d4c61cae7f830648f2859319653e79
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Nov 18 13:44:28 2022 +1300

    CVE-2022-37966 param: Add support for new option "kdc force enable rc4 weak session keys"

    Pair-Programmed-With: Joseph Sutton <josephsut...@catalyst.net.nz>

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit ee18bc29b8ef6a3f09070507cc585467e55a1628)

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

commit 3d276a19e301ef126da59045b654fffea28a6d82
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Nov 15 18:14:36 2022 +1300

    CVE-2022-37966 param: Add support for new option "kdc default domain supportedenctypes"

    This matches the Windows registry key
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\KDC\DefaultDomainSupportedEncTypes

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Pair-Programmed-With: Andrew Bartlett <abart...@samba.org>

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (cherry picked from commit d861d4eb28bd4c091955c11669edcf867b093a6f)

commit 25918f9c16c1e74d9fd5ea9fd1901f4eba157324
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 9 13:45:13 2022 +1300

    CVE-2022-37967 Add new PAC checksum

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15231

    Pair-Programmed-With: Andrew Bartlett <abart...@samba.org>

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (similar to commit a50a2be622afaa7a280312ea12f5eb9c9a0c41da)
    [jsut...@samba.org Fixed conflicts in krb5pac.idl and raw_testcase.py]

commit 6ff9fc58cd3a4cea1cf2c565e0060427c6e9af77
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Nov 1 14:47:12 2022 +1300

    CVE-2022-37966 HEIMDAL: Look up the server keys to combine with clients etype list to select a session key

    We need to select server, not client, to compare client etypes against.

    (It is not useful to compare the client-supplied encryption types
    with the client's own long-term keys.)

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    (similar to commit 538315a2aa6d03b7639b49eb1576efa8755fefec)
    [jsut...@samba.org Fixed knownfail conflicts]

commit 15835e21e846b8668701ee832c1e1b6a9df3d7f4
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 25 19:32:27 2022 +1300

    CVE-2022-37966 tests/krb5: Add a test requesting tickets with various encryption types

    The KDC should leave the choice of ticket encryption type up to the
    target service, and admit no influence from the client.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (similar to commit 177334c04230d0ad74bfc2b6825ffbebd5afb9af)
    [jsut...@samba.org Fixed conflicts in usage.py, knownfails, tests.py]

commit 649854b0fad3903723ec8ff3596895a8d8a783b6
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Oct 26 14:29:54 2022 +1300

    CVE-2022-37966 tests/krb5: Add 'etypes' parameter to _tgs_req()

    This lets us select the encryption types we claim to support in the
    request body.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> (similar to commit e0a91dddc4a6c70d7425c2c6836dcf2dd6d9a2de) [jsut...@samba.org Adapted to 4.17 version of function taking different parameters] commit 4870b9c8e57098af66120762e6ba05905bbc6760 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Oct 26 14:26:01 2022 +1300 CVE-2022-37966 tests/krb5: Split out _tgs_req() into base class We will use it for testing our handling of encryption types. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> (similar to commit 50e075d2db21e9f23d686684ea3df9454b6b560e) [jsut...@samba.org Adapted to 4.17 version of function] commit 91dcb8d0442d15d4c946d13ee240852a0a9cb8fc Author: Andrew Bartlett <abart...@samba.org> Date: Tue Nov 1 12:34:57 2022 +1300 CVE-2022-37966 selftest: Allow krb5 tests to run against an IP by using the target_hostname binding string This makes it easier to test against a server that is not accessible via DNS. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> (cherry picked from commit c7cd6889177e8c705bb637172a60a5cf26734a3f) commit 362de0199e3ab61ba5df2ddc99809036d5589d5d Author: Stefan Metzmacher <me...@samba.org> Date: Mon Dec 5 21:45:08 2022 +0100 CVE-2022-37966 libcli/auth: let netlogon_creds_cli_warn_options() about "kerberos encryption types=legacy" BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> (cherry picked from commit 0248907e34945153ff2be62dc11d75c956a05932) commit 9fa6585a4cc0f42bccfd28319e80d984d6839d86 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Dec 5 21:36:23 2022 +0100 CVE-2022-37966 testparm: warn about 'kerberos encryption types = legacy' BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> (cherry picked from commit c0c25cc0217b082c12330a8c47869c8428a20d0c) commit d08d54c944def6b3b9d25b3f05e84b67b651f2f6 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Dec 5 21:31:37 2022 +0100 CVE-2022-37966 docs-xml/smbdotconf: "kerberos encryption types = legacy" should not be used BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> (cherry picked from commit a4f6f51cbed53775cdfedc7eec2f28c7beb875cc) commit fea5bde53c41b07ae0fb15f4af0f0bab7f376a46 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Oct 20 12:36:44 2022 +1300 CVE-2022-37966 tests/krb5: Add test requesting a TGT expiring post-2038 This demonstrates the behaviour of Windows 11 22H2 over Kerberos, which changed to use a year 9999 date for a forever timetime in tickets. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Autobuild-User(master): Andrew Bartlett <abart...@samba.org> Autobuild-Date(master): Thu Oct 20 05:00:23 UTC 2022 on sn-devel-184 (cherry picked from commit 50cbdecf2e276e5f87b9c2d95fd3ca86d11a08e2) BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 
Signed-off-by: Stefan Metzmacher <me...@samba.org> commit c5eda69a10b20c7a9ec09dd75d74dbf2c18d49e6 Author: Andreas Schneider <a...@samba.org> Date: Thu Oct 27 08:47:32 2022 +0200 CVE-2022-37966 s3:utils: Fix old-style function definition Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> (cherry picked from commit b787692b5e915031d4653bf375995320ed1aca07) BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <me...@samba.org> commit 9166254b4bb57cfe9fce5df7dc0e0a273c8c64bb Author: Andreas Schneider <a...@samba.org> Date: Thu Oct 27 08:46:39 2022 +0200 CVE-2022-37966 s3:client: Fix old-style function definition Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> (cherry picked from commit 81f4335dfb847c041bfd3d6110fc8f1d5741d41f) BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <me...@samba.org> commit 523f9aa70a88ca49a9165b0f72df48592f365fd5 Author: Andreas Schneider <a...@samba.org> Date: Thu Oct 27 08:44:58 2022 +0200 CVE-2022-37966 s3:param: Fix old-style function definition Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> (cherry picked from commit 80dc3bc2b80634ab7c6c71fa1f9b94f0216322b2) BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <me...@samba.org> commit f4d487bda5387ef5bb8a20f5e431d6f680b0c819 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Dec 6 13:36:17 2022 +0100 CVE-2022-38023 testparm: warn about unsecure schannel related options BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 4d540473c3d43d048a30dd63efaeae9ff87b2aeb)

commit 0d4f8c70446a7fe473d0aa5ed6579f418828a98f
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 30 15:13:47 2022 +0100

    CVE-2022-38023 testparm: warn about server/client schannel != yes

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit f964c0c357214637f80d0089723b9b11d1b38f7e)

commit e5e03583f194ec783f70d2a08c2fbd862e5be0e9
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Nov 25 14:05:30 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: implement "server schannel require seal[:COMPUTERACCOUNT]"

    By default we'll now require schannel connections with
    privacy/sealing/encryption. But we allow exceptions for specific
    computer/trust accounts.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit b3ed90a0541a271a7c6d4bee1201fa47adc3c0c1)

commit 8f7d77ecb522146ab63c61136bd4e3d314511e72
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Dec 2 14:31:26 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: add a per connection cache to dcesrv_netr_check_schannel()

    It's enough to warn the admin once per connection.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 3c57608e1109c1d6e8bb8fbad2ef0b5d79d00e1a)

commit 65d8624cd2187f896b4edf2b917b505538837866
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Nov 25 16:53:35 2022 +0100

    CVE-2022-38023 docs-xml/smbdotconf: add "server schannel require seal[:COMPUTERACCOUNT]" options

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 7732a4b0bde1d9f98a0371f17d22648495329470)

commit de639278eb130ca899a457fd4004bc45eee2c809
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 30 17:15:36 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: make sure all dcesrv_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()

    We'll soon add some additional constraints in dcesrv_netr_check_schannel(),
    which are also required for dcesrv_netr_LogonSamLogonEx().

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 689507457f5e6666488732f91a355a2183fb1662)

commit cf649bf27723eff5fe0de8fd77b9c6577eb7d4bb
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 30 16:57:24 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_check_schannel() function

    This will allow us to reuse the function in other places, as it will
    also get some additional checks soon.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit f43dc4f0bd60d4e127b714565147f82435aa4f07)

commit ff1c42ee45126824df6b4ec73f4aff8f91a406af
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 30 14:57:20 2022 +0100

    CVE-2022-38023 selftest:Samba4: avoid global 'allow nt4 crypto = yes' and 'reject md5 clients = no'

    Instead of using the generic deprecated option use the specific
    allow nt4 crypto:COMPUTERACCOUNT = yes and
    server reject md5 schannel:COMPUTERACCOUNT = no
    in order to allow legacy tests to pass.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 7ae3735810c2db32fa50f309f8af3c76ffa29768)

commit f0cdff380b8265d43b16e4558e240448d9fca346
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Nov 25 13:13:36 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: debug 'reject md5 servers' and 'allow nt4 crypto' misconfigurations

    This allows the admin to notice what's wrong in order to adjust the
    configuration if required.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 43df4be35950f491864ae8ada05d51b42a556381)

commit 1d2e938ab674e19e879987dccf778d584b65a6fb
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Nov 25 14:02:11 2022 +0100

    CVE-2022-38023 docs-xml/smbdotconf: document "server reject md5 schannel:COMPUTERACCOUNT"

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 2ad302b42254e3c2800aaf11669fe2e6d55fa8a1)

commit 2cb10f9648e82e5c407ab976e3e673c07451b1dd
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Nov 25 13:31:14 2022 +0100

    CVE-2022-38023 docs-xml/smbdotconf: document "allow nt4 crypto:COMPUTERACCOUNT = no"

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit bd429d025981b445bf63935063e8e302bfab3f9b)

commit 277bd2c6d312ce7ca348fd4071fe10ac18a0b4f7
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Nov 25 13:13:36 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: add 'server reject md5 schannel:COMPUTERACCOUNT = no' and 'allow nt4 crypto:COMPUTERACCOUNT = yes'

    This makes it more flexible when we change the global default to
    'reject md5 servers = yes'.

    'allow nt4 crypto = no' is already the default.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 69b36541606d7064de9648cd54b35adfdf8f0e8f)

commit c919351058b5c26476ed3f7093994f0f26c70e54
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Nov 25 10:31:08 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: defer downgrade check until we found the account in our SAM

    We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no',
    which means we'll need to use the account name from our SAM.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit b09f51eefc311bbb1525efd1dc7b9a837f7ec3c2)

commit f69766398ef0526c7327f0b046c51320c5b9723a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Nov 24 18:26:18 2022 +0100

    CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 clients' default to yes

    AES is supported by Windows Server >= 2008R2, Windows (Client) >= 7 and
    Samba >= 4.0, so there's no reason to allow md5 clients by default.

    However some third party domain members may need it.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit c8e53394b98b128ed460a6111faf05dfbad980d1)

commit eb1f1c375488e5803660a342c7ce9b80367d3dda
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Nov 25 10:10:33 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: require aes if weak crypto is disabled

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 4c7f84798acd1e3218209d66d1a92e9f42954d51)

commit 07518e76dc941f2630842608d36ef76705f9fb20
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Nov 25 09:54:17 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_ServerAuthenticate3_check_downgrade()

    We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no',
    which means we'll need the downgrade detection in more places.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit b6339fd1dcbe903e73efeea074ab0bd04ef83561)

commit 84d5354026887f088c8bbf25d46738935105de56
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Nov 28 15:02:13 2022 +0100

    CVE-2022-38023 s4:torture: use NETLOGON_NEG_SUPPORTS_AES by default

    For generic tests we should use the best available features.
    And AES will be required by default soon.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit cfd55a22cda113fbb2bfa373b54091dde1ea6e66)

commit a656f2a3d66eed1a3f57077443b14f067bea18e7
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 30 12:26:01 2022 +0100

    CVE-2022-38023 selftest:Samba4: avoid global 'server schannel = auto'

    Instead of using the generic deprecated option use the specific
    server require schannel:COMPUTERACCOUNT = no
    in order to allow legacy tests to pass.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 63c96ea6c02981795e67336401143f2a8836992c)

commit 4d143e92adf4c8ca5ababb4a934edd34bc0ad706
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 30 12:37:03 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: improve CVE-2020-1472(ZeroLogon) debug messages

    In order to avoid generating useless debug messages during make test,
    we will use 'CVE_2020_1472:warn_about_unused_debug_level = 3' and
    'CVE_2020_1472:error_debug_level = 2' in order to avoid schannel
    warnings.

    Review with: git show -w

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 16ee03efc194d9c1c2c746f63236b977a419918d)

commit a31898e1769fc42c9699a4e5d754be1df0628acd
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 30 12:37:03 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: re-order checking in dcesrv_netr_creds_server_step_check()

    This will simplify the following changes.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit ec62151a2fb49ecbeaa3bf924f49a956832b735e)

commit 911874a95825e37746f8c0d0f6b8511a0115d6a2
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Dec 12 14:03:50 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: add talloc_stackframe() to dcesrv_netr_creds_server_step_check()

    This will simplify the following changes.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 0e6a2ba83ef1be3c6a0f5514c21395121621a145)

commit 935664333165c57168f9e666c20b886f611dbc96
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Dec 12 14:03:50 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: add a lp_ctx variable to dcesrv_netr_creds_server_step_check()

    This will simplify the following changes.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 7baabbe9819cd5a2714e7ea4e57a0c23062c0150)

commit b04f9cd924e935fdc65334b61ae68a72eea911ad
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Dec 6 10:56:29 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: 'server schannel != yes' warning to dcesrv_interface_netlogon_bind

    This will simplify the following changes.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit e060ea5b3edbe3cba492062c9605f88fae212ee0)

commit 15253c4da8850a0fd8b07fdebf3ee86c4538912e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Nov 24 18:22:23 2022 +0100

    CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 servers' default to yes

    AES is supported by Windows >= 2008R2 and Samba >= 4.0 so there's no
    reason to allow md5 servers by default.

    Note the change in netlogon_creds_cli_context_global() is only cosmetic,
    but avoids confusion while reading the code.

    Check with: git show -U35 libcli/auth/netlogon_creds_cli.c

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 1c6c1129905d0c7a60018e7bf0f17a0fd198a584)

commit ff5f2c81e97660d63ef000179db2a83917bf3ed0
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 30 14:59:36 2022 +0100

    CVE-2022-38023 s3:winbindd: also allow per domain "winbind sealed pipes:DOMAIN" and "require strong key:DOMAIN"

    This avoids advising insecure defaults for the global options.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit d60828f6391307a59abaa02b72b6a8acf66b2fef)

commit 6c7aa761f3b92105eac57da6a235ce5cd68f0bc4
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 30 16:16:05 2022 +0100

    CVE-2022-38023 s3:net: add and use net_warn_member_options() helper

    This makes sure domain member related 'net' commands print warnings
    about insecure smb.conf options.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 1fdf1d55a5dd550bdb16d037b5dc995c33c1a67a)

commit 285ecad0a84b97dc08cec50869d1bfb72ca1e347
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 30 14:47:33 2022 +0100

    CVE-2022-38023 libcli/auth: add/use netlogon_creds_cli_warn_options()

    This warns the admin about insecure options.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 7e7adf86e59e8a673fbe87de46cef0d62221e800)

commit d39c37292f937073cb7ccc35b96aaea31b06bd5d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Nov 30 14:46:59 2022 +0100

    CVE-2022-38023 libcli/auth: pass lp_ctx to netlogon_creds_cli_set_global_db()

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 992f39a2c8a58301ceeb965f401e29cd64c5a209)

commit 810b57b19dd464a7cad163e127e7428bd782e68d
Author: Ralph Boehme <s...@samba.org>
Date:   Tue Dec 6 16:05:26 2022 +0100

    CVE-2022-38023 docs-xml: improve wording for several options: "yields precedence" -> "is over-riden"

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 830e865ba5648f6520bc552ffd71b61f754b8251)

commit 121c471b5ee0c63a2882f7442616b761f19c5292
Author: Ralph Boehme <s...@samba.org>
Date:   Tue Dec 6 16:00:36 2022 +0100

    CVE-2022-38023 docs-xml: improve wording for several options: "takes precedence" -> "overrides"

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

    Signed-off-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    (cherry picked from commit 8ec62694a94c346e6ba8f3144a417c9984a1c8b9)

commit fd50943b2a470265ceb0e84de3a8e0d83c287138
Author: Andrew Bartlett <abart...@samba.org>
Date:   Tue Dec 6 17:16:00 2022 +1300

    selftest: make filter-subunit much more efficient for large knownfail lists

    By compiling the knownfail lists ahead of time we change a 20min test
    into a 90sec test.

    This could be improved further by combining this into a single regular
    expression, but this is enough for now.

    The 'reason' is thankfully not used.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15258

    Pair-programmed-with: Joseph Sutton <josephsut...@catalyst.net.nz>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    (cherry picked from commit 22128c718cadd34af892df102bd52df6a6b03303)

-----------------------------------------------------------------------

Summary of changes:
 buildtools/wafsamba/samba_autoconf.py | 4 +-
 docs-xml/manpages/samba-tool.8.xml | 5 +
 docs-xml/smbdotconf/logon/allownt4crypto.xml | 85 +-
 docs-xml/smbdotconf/logon/rejectmd5clients.xml | 101 +-
 .../security/allowdcerpcauthlevelconnect.xml | 2 +-
 docs-xml/smbdotconf/security/clientschannel.xml | 2 +-
 .../security/kdcdefaultdomainsupportedenctypes.xml | 42 +
 .../security/kdcforceenablerc4weaksessionkeys.xml | 24 +
 .../smbdotconf/security/kdcsupportedenctypes.xml | 40 +
 .../security/kerberosencryptiontypes.xml | 12 +-
 docs-xml/smbdotconf/security/serverschannel.xml | 47 +-
 .../security/serverschannelrequireseal.xml | 118 ++
 docs-xml/smbdotconf/winbind/rejectmd5servers.xml | 9 +-
 docs-xml/smbdotconf/winbind/requirestrongkey.xml | 4 +-
 lib/krb5_wrap/krb5_samba.c | 6 -
 lib/param/loadparm.c | 147 ++
 libcli/auth/netlogon_creds_cli.c | 88 +-
 libcli/auth/netlogon_creds_cli.h | 4 +-
 librpc/idl/drsuapi.idl | 9 +
 librpc/idl/krb5pac.idl | 4 +-
 librpc/idl/netlogon.idl | 1 +
 librpc/idl/security.idl | 1 +
 python/samba/drs_utils.py | 12 +-
 python/samba/netcmd/domain.py | 130 +-
 python/samba/tests/krb5/alias_tests.py | 6 +-
 .../samba/tests/krb5/as_canonicalization_tests.py | 5 +-
 python/samba/tests/krb5/as_req_tests.py | 28 +-
 python/samba/tests/krb5/compatability_tests.py | 22 +
 python/samba/tests/krb5/etype_tests.py | 597 ++++++++
 python/samba/tests/krb5/fast_tests.py | 11 +-
 python/samba/tests/krb5/kdc_base_test.py | 131 +-
 python/samba/tests/krb5/kdc_tgs_tests.py | 467 ++++--
 python/samba/tests/krb5/kpasswd_tests.py | 8 +-
 python/samba/tests/krb5/lockout_tests.py | 11 +-
 python/samba/tests/krb5/nt_hash_tests.py | 8 +-
 python/samba/tests/krb5/pac_align_tests.py | 6 +-
 python/samba/tests/krb5/protected_users_tests.py | 55 +-
 python/samba/tests/krb5/raw_testcase.py | 129 +-
 python/samba/tests/krb5/rfc4120_constants.py | 1 +
 python/samba/tests/krb5/rodc_tests.py | 8 +-
 python/samba/tests/krb5/s4u_tests.py | 122 +-
 python/samba/tests/krb5/salt_tests.py | 6 +-
 python/samba/tests/krb5/spn_tests.py | 8 +-
 python/samba/tests/krb5/test_ccache.py | 6 +-
 python/samba/tests/krb5/test_idmap_nss.py | 6 +-
 python/samba/tests/krb5/test_ldap.py | 6 +-
 python/samba/tests/krb5/test_min_domain_uid.py | 7 +-
 python/samba/tests/krb5/test_rpc.py | 6 +-
 python/samba/tests/krb5/test_smb.py | 6 +-
 python/samba/tests/usage.py | 1 +
 selftest/knownfail_mit_kdc | 1601 +++++++++++++++++++-
 selftest/subunithelper.py | 32 +-
 selftest/target/Samba4.pm | 126 +-
 source3/client/clitar.c | 2 +-
 source3/libads/kerberos.c | 6 +-
 source3/libads/kerberos_keytab.c | 4 -
 source3/libnet/libnet_join.c | 9 +-
 source3/param/loadparm.c | 7 +-
 source3/rpc_client/cli_netlogon.c | 2 +-
 source3/utils/destroy_netlogon_creds_cli.c | 2 +-
 source3/utils/net.c | 6 +
 source3/utils/net_ads.c | 27 +-
 source3/utils/net_dom.c | 2 +
 source3/utils/net_join.c | 2 +
 source3/utils/net_offlinejoin.c | 2 +
 source3/utils/net_proto.h | 2 +
 source3/utils/net_rpc.c | 10 +
 source3/utils/net_util.c | 14 +
 source3/utils/ntlm_auth.c | 12 +-
 source3/utils/testparm.c | 89 +-
 source3/winbindd/winbindd_cm.c | 41 +-
 source4/dsdb/pydsdb.c | 1 +
 source4/kdc/db-glue.c | 251 ++-
 source4/kdc/kdc-heimdal.c | 23 +-
 source4/kdc/pac-glue.c | 24 +
 source4/kdc/sdb.c | 91 ++
 source4/kdc/sdb.h | 12 +
 source4/kdc/sdb_to_hdb.c | 28 +-
 source4/kdc/wdc-samba4.c | 2 +-
 source4/libnet/libnet_join.c | 4 +-
 source4/libnet/libnet_passwd.c | 75 +
 source4/libnet/libnet_passwd.h | 7 +
 source4/libnet/py_net.c | 18 +-
 source4/rpc_server/netlogon/dcerpc_netlogon.c | 1044 +++++++++++--
 source4/selftest/tests.py | 36 +-
 source4/torture/ntp/ntp_signd.c | 2 +-
 source4/torture/rpc/lsa.c | 4 +-
 source4/torture/rpc/netlogon.c | 24 +-
source4/torture/rpc/netlogon_crypto.c | 2 +- source4/torture/rpc/remote_pac.c | 14 +- source4/torture/rpc/samba3rpc.c | 15 +- third_party/heimdal/kdc/kerberos5.c | 45 +- third_party/heimdal/kdc/krb5tgs.c | 8 +- third_party/heimdal/kdc/misc.c | 4 +- third_party/heimdal/lib/hdb/hdb.asn1 | 3 +- third_party/heimdal/lib/krb5/init_creds_pw.c | 2 +- third_party/heimdal/lib/krb5/pac.c | 169 ++- wscript_configure_system_mitkrb5 | 4 +- 98 files changed, 5813 insertions(+), 661 deletions(-) create mode 100644 docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml create mode 100644 docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml create mode 100644 docs-xml/smbdotconf/security/kdcsupportedenctypes.xml create mode 100644 docs-xml/smbdotconf/security/serverschannelrequireseal.xml create mode 100755 python/samba/tests/krb5/etype_tests.py Changeset truncated at 500 lines: diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py index 3ca2f334190..834acb70097 100644 --- a/buildtools/wafsamba/samba_autoconf.py +++ b/buildtools/wafsamba/samba_autoconf.py @@ -185,7 +185,8 @@ def CHECK_TYPE_IN(conf, t, headers=None, alternate=None, define=None, cflags='') @conf def CHECK_VARIABLE(conf, v, define=None, always=False, - headers=None, msg=None, lib=None): + headers=None, msg=None, lib=None, + mandatory=False): '''check for a variable declaration (or define)''' if define is None: define = 'HAVE_%s' % v.upper() @@ -209,6 +210,7 @@ def CHECK_VARIABLE(conf, v, define=None, always=False, lib=lib, headers=headers, define=define, + mandatory=mandatory, always=always) diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml index 9a40bb1bec4..8e9279cc518 100644 --- a/docs-xml/manpages/samba-tool.8.xml +++ b/docs-xml/manpages/samba-tool.8.xml 
@@ -676,6 +676,11 @@ <para>Create a domain or forest trust.</para> </refsect3> +<refsect3> + <title>domain trust modify <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title> + <para>Modify a domain or forest trust.</para> +</refsect3> + <refsect3> <title>domain trust delete <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title> <para>Delete a domain trust.</para> diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml index 03dc8fa93f7..ee63e6cc245 100644 --- a/docs-xml/smbdotconf/logon/allownt4crypto.xml +++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml @@ -1,11 +1,18 @@ <samba:parameter name="allow nt4 crypto" context="G" type="boolean" + deprecated="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> + <para> + This option is deprecated and will be removed in future, + as it is a security problem if not set to "no" (which will be + the hardcoded behavior in future). + </para> + <para>This option controls whether the netlogon server (currently only in 'active directory domain controller' mode), will - reject clients which does not support NETLOGON_NEG_STRONG_KEYS + reject clients which do not support NETLOGON_NEG_STRONG_KEYS nor NETLOGON_NEG_SUPPORTS_AES.</para> <para>This option was added with Samba 4.2.0. It may lock out clients 
@@ -18,8 +25,82 @@ <para>"allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks.</para> - <para>This option yields precedence to the 'reject md5 clients' option.</para> + <para><emphasis>Avoid using this option!</emphasis> Use explicit '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' instead! + Which is available with the patches for + <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink> + see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink></para> + + <para> + Samba will log an error in the log files at log level 0 + if legacy a client is rejected or allowed without an explicit, + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' option + for the client. The message will indicate + the explicit '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' + line to be added, if the legacy client software requires it. (The log level can be adjusted with + '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>' + in order to complain only at a higher log level). 
+ </para> + + <para>This allows admins to use "yes" only for a short grace period, + in order to collect the explicit + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' options.</para> + + <para>This option is over-ridden by the effective value of 'yes' from + the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>' + and/or '<smbconfoption name="reject md5 clients"/>' options.</para> </description> <value type="default">no</value> </samba:parameter> + +<samba:parameter name="allow nt4 crypto:COMPUTERACCOUNT" + context="G" + type="string" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + + <para>If you still have legacy domain members which required 'allow nt4 crypto = yes', + it is possible to specify an explicit exception per computer account + by using 'allow nt4 crypto:COMPUTERACCOUNT = yes' as option. + Note that COMPUTERACCOUNT has to be the sAMAccountName value of + the computer account (including the trailing '$' sign). + </para> + + <para> + Samba will log a complaint in the log files at log level 0 + about the security problem if the option is set to "yes", + but the related computer does not require it. + (The log level can be adjusted with + '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>' + in order to complain only at a higher log level). + </para> + + <para> + Samba will log a warning in the log files at log level 5, + if a setting is still needed for the specified computer account. + </para> + + <para> + See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>, + <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>. 
+ </para> + + <para>This option overrides the <smbconfoption name="allow nt4 crypto"/> option.</para> + + <para>This option is over-ridden by the effective value of 'yes' from + the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>' + and/or '<smbconfoption name="reject md5 clients"/>' options.</para> + <para>Which means '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' + is only useful in combination with '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'</para> + + <programlisting> + allow nt4 crypto:LEGACYCOMPUTER1$ = yes + server reject md5 schannel:LEGACYCOMPUTER1$ = no + allow nt4 crypto:NASBOX$ = yes + server reject md5 schannel:NASBOX$ = no + allow nt4 crypto:LEGACYCOMPUTER2$ = yes + server reject md5 schannel:LEGACYCOMPUTER2$ = no + </programlisting> +</description> + +</samba:parameter> diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml index 41684ef1080..fe7701d9277 100644 --- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml +++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml 
@@ -1,17 +1,110 @@ <samba:parameter name="reject md5 clients" context="G" type="boolean" + deprecated="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> + <para> + This option is deprecated and will be removed in a future release, + as it is a security problem if not set to "yes" (which will be + the hardcoded behavior in the future). + </para> + <para>This option controls whether the netlogon server (currently only in 'active directory domain controller' mode), will reject clients which does not support NETLOGON_NEG_SUPPORTS_AES.</para> - <para>You can set this to yes if all domain members support aes. - This will prevent downgrade attacks.</para> + <para>Support for NETLOGON_NEG_SUPPORTS_AES was added in Windows + starting with Server 2008R2 and Windows 7, it's available in Samba + starting with 4.0, however third party domain members like NetApp ONTAP + still uses RC4 (HMAC-MD5), see + <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">https://www.samba.org/samba/security/CVE-2022-38023.html</ulink> + for more details. + </para> + + <para>The default changed from 'no' to 'yes', with the patches for + <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink> + see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>. + </para> + + <para><emphasis>Avoid using this option!</emphasis> Use an explicit per machine account + '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>' instead! + Which is available with the patches for + <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink> + see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>. 
+ </para> + + <para> + Samba will log an error in the log files at log level 0 + if legacy a client is rejected or allowed without an explicit, + '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' option + for the client. The message will indicate + the explicit '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' + line to be added, if the legacy client software requires it. (The log level can be adjusted with + '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>' + in order to complain only at a higher log level). + </para> + + <para>This allows admins to use "no" only for a short grace period, + in order to collect the explicit + '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' options.</para> + + <para>When set to 'yes' this option overrides the + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT"/>' and + '<smbconfoption name="allow nt4 crypto"/>' options and implies + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">no</smbconfoption>'. + </para> +</description> + +<value type="default">yes</value> +</samba:parameter> + +<samba:parameter name="server reject md5 schannel:COMPUTERACCOUNT" + context="G" + type="string" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + + <para>If you still have legacy domain members or trusted domains, + which required "reject md5 clients = no" before, + it is possible to specify an explicit exception per computer account + by setting 'server reject md5 schannel:COMPUTERACCOUNT = no'. + Note that COMPUTERACCOUNT has to be the sAMAccountName value of + the computer account (including the trailing '$' sign). + </para> + + <para> + Samba will log a complaint in the log files at log level 0 + about the security problem if the option is set to "no", + but the related computer does not require it. 
+ (The log level can be adjusted with + '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>' + in order to complain only at a higher log level). + </para> + + <para> + Samba will log a warning in the log files at log level 5 + if a setting is still needed for the specified computer account. + </para> + + <para> + See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>, + <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>. + </para> + + <para>This option overrides the <smbconfoption name="reject md5 clients"/> option.</para> + + <para>When set to 'yes' this option overrides the + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT"/>' and + '<smbconfoption name="allow nt4 crypto"/>' options and implies + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">no</smbconfoption>'. + </para> - <para>This option takes precedence to the 'allow nt4 crypto' option.</para> + <programlisting> + server reject md5 schannel:LEGACYCOMPUTER1$ = no + server reject md5 schannel:NASBOX$ = no + server reject md5 schannel:LEGACYCOMPUTER2$ = no + </programlisting> </description> -<value type="default">no</value> </samba:parameter> diff --git a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml index 03531adbfb3..8bccab391cc 100644 --- a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml +++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml 
@@ -15,7 +15,7 @@ <para>The behavior can be overwritten per interface name (e.g. lsarpc, netlogon, samr, srvsvc, winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = yes' as option.</para> - <para>This option yields precedence to the implementation specific restrictions. + <para>This option is over-ridden by the implementation specific restrictions. E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY. The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY. </para> diff --git a/docs-xml/smbdotconf/security/clientschannel.xml b/docs-xml/smbdotconf/security/clientschannel.xml index 5b07da95050..d124ad48181 100644 --- a/docs-xml/smbdotconf/security/clientschannel.xml +++ b/docs-xml/smbdotconf/security/clientschannel.xml @@ -23,7 +23,7 @@ <para>Note that for active directory domains this is hardcoded to <smbconfoption name="client schannel">yes</smbconfoption>.</para> - <para>This option yields precedence to the <smbconfoption name="require strong key"/> option.</para> + <para>This option is over-ridden by the <smbconfoption name="require strong key"/> option.</para> </description> <value type="default">yes</value> <value type="example">auto</value> diff --git a/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml b/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml new file mode 100644 index 00000000000..984611167b5 --- /dev/null +++ b/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml 
@@ -0,0 +1,42 @@ +<samba:parameter name="kdc default domain supported enctypes" + type="integer" + context="G" + handler="handle_kdc_default_domain_supported_enctypes" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + Set the default value of <constant>msDS-SupportedEncryptionTypes</constant> for service accounts in Active Directory that are missing this value or where <constant>msDS-SupportedEncryptionTypes</constant> is set to 0. + </para> + + <para> + This allows Samba administrators to match the configuration flexibility provided by the + <constant>HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\KDC\DefaultDomainSupportedEncTypes</constant> Registry Value on Windows. + </para> + <para> + Unlike the Windows registry key (which only takes an base-10 number), in Samba this may also be expressed in hexadecimal or as a list of Kerberos encryption type names. + </para> + <para> + Specified values are ORed together bitwise, and those currently supported consist of: + </para><itemizedlist> + <listitem> + <para><constant>arcfour-hmac-md5</constant>, <constant>rc4-hmac</constant>, <constant>0x4</constant>, or <constant>4</constant></para> + <para>Known on Windows as Kerberos RC4 encryption</para> + </listitem> + <listitem> + <para><constant>aes128-cts-hmac-sha1-96</constant>, <constant>aes128-cts</constant>, <constant>0x8</constant>, or <constant>8</constant></para> + <para>Known on Windows as Kerberos AES 128 bit encryption</para> + </listitem> + <listitem> + <para><constant>aes256-cts-hmac-sha1-96</constant>, <constant>aes256-cts</constant>, <constant>0x10</constant>, or <constant>16</constant></para> + <para>Known on Windows as Kerberos AES 256 bit encryption</para> + </listitem> + <listitem> + <para><constant>aes256-cts-hmac-sha1-96-sk</constant>, <constant>aes256-cts-sk</constant>, <constant>0x20</constant>, or <constant>32</constant></para> + <para>Allow AES session keys. 
When this is set, it indicates to the KDC that AES session keys can be used, even when <constant>aes256-cts</constant> and <constant>aes128-cts</constant> are not set. This allows use of AES keys against hosts otherwise only configured with RC4 for ticket keys (which is the default).</para> + </listitem> +</itemizedlist> + +</description> + +<value type="default">0<comment>maps to what the software supports currently: arcfour-hmac-md5 aes256-cts-hmac-sha1-96-sk</comment></value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml b/docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml new file mode 100644 index 00000000000..1cb46d74a36 --- /dev/null +++ b/docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml @@ -0,0 +1,24 @@ +<samba:parameter name="kdc force enable rc4 weak session keys" + type="boolean" + context="G" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + <constant>RFC8429</constant> declares that + <constant>rc4-hmac</constant> Kerberos ciphers are weak and + there are known attacks on Active Directory use of this + cipher suite. + </para> + <para> + However for compatibility with Microsoft Windows this option + allows the KDC to assume that regardless of the value set in + a service account's + <constant>msDS-SupportedEncryptionTypes</constant> attribute + that a <constant>rc4-hmac</constant> Kerberos session key (as distinct from the ticket key, as + found in a service keytab) can be used if the potentially + older client requests it. + </para> +</description> + +<value type="default">no</value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/kdcsupportedenctypes.xml b/docs-xml/smbdotconf/security/kdcsupportedenctypes.xml new file mode 100644 index 00000000000..5e028bbb2be --- /dev/null +++ b/docs-xml/smbdotconf/security/kdcsupportedenctypes.xml 
@@ -0,0 +1,40 @@ +<samba:parameter name="kdc supported enctypes" + type="integer" + context="G" + handler="handle_kdc_supported_enctypes" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + On an active directory domain controller, this is the list of supported encryption types for local running kdc. + </para> + + <para> + This allows Samba administrators to remove support for weak/unused encryption types, similar + the configuration flexibility provided by the <constant>Network security: Configure encryption types allowed for Kerberos</constant> + GPO/Local Policies/Security Options Value, which results in the + <constant>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes</constant> Registry Value on Windows. + </para> + <para> + Unlike the Windows registry key (which only takes an base-10 number), in Samba this may also be expressed as hexadecimal or a list of Kerberos encryption type names. 
+ </para> + <para> + Specified values are ORed together bitwise, and those currently supported consist of: + </para><itemizedlist> + <listitem> + <para><constant>arcfour-hmac-md5</constant>, <constant>rc4-hmac</constant>, <constant>0x4</constant>, or <constant>4</constant></para> + <para>Known on Windows as Kerberos RC4 encryption</para> + </listitem> + <listitem> + <para><constant>aes128-cts-hmac-sha1-96</constant>, <constant>aes128-cts</constant>, <constant>0x8</constant>, or <constant>8</constant></para> + <para>Known on Windows as Kerberos AES 128 bit encryption</para> + </listitem> + <listitem> + <para><constant>aes256-cts-hmac-sha1-96</constant>, <constant>aes256-cts</constant>, <constant>0x10</constant>, or <constant>16</constant></para> + <para>Known on Windows as Kerberos AES 256 bit encryption</para> + </listitem> +</itemizedlist> + +</description> + +<value type="default">0<comment>maps to what the software supports currently: arcfour-hmac-md5 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96</comment></value> +</samba:parameter> diff --git a/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml b/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml index 2c3c6c5d5fc..a245af55f5f 100644 --- a/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml +++ b/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml 
@@ -37,15 +37,9 @@ </para> <para>When set to <constant>legacy</constant>, only RC4-HMAC-MD5 - is allowed. Avoiding AES this way has one a very specific use. - Normally, the encryption type is negotiated between the peers. - However, there is one scenario in which a Windows read-only domain - controller (RODC) advertises AES encryption, but then proxies the - request to a writeable DC which may not support AES encryption, - leading to failure of the handshake. Setting this parameter to - <constant>legacy</constant> would cause samba not to negotiate AES - encryption. It is assumed of course that the weaker legacy - encryption types are acceptable for the setup. + is allowed. AVOID using this option, because of + <ulink url="https://www.samba.org/samba/security/CVE-2022-37966.html">CVE-2022-37966</ulink> see + <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15237">https://bugzilla.samba.org/show_bug.cgi?id=15237</ulink>. </para> </description> diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml index cd2543113f3..5c69f0f64df 100644 --- a/docs-xml/smbdotconf/security/serverschannel.xml +++ b/docs-xml/smbdotconf/security/serverschannel.xml 
@@ -12,18 +12,36 @@ the hardcoded behavior in future). </para> - <para> - Samba will complain in the log files at log level 0, - about the security problem if the option is not set to "yes". + <para><emphasis>Avoid using this option!</emphasis> Use explicit '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' instead! </para> + + <para> + Samba will log an error in the log files at log level 0 + if legacy a client is rejected or allowed without an explicit, + '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' option + for the client. The message will indicate + the explicit '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' + line to be added, if the legacy client software requires it. (The log level can be adjusted with + '<smbconfoption name="CVE_2020_1472:error_debug_level">1</smbconfoption>' + in order to complain only at a higher log level). + </para> + <para> - See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497 + This allows admins to use "auto" only for a short grace period, + in order to collect the explicit + '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' options. </para> - <para>If you still have legacy domain members use the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option. + <para> + See <ulink url="https://www.samba.org/samba/security/CVE-2020-1472.html">CVE-2020-1472(ZeroLogon)</ulink>, + <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=14497">https://bugzilla.samba.org/show_bug.cgi?id=14497</ulink>. 
</para> - <para>This option yields precedence to the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.</para> + <para>This option is over-ridden by the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.</para> + + <para>This option is over-ridden by the effective value of 'yes' from + the '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>' + and/or '<smbconfoption name="server schannel require seal"/>' options.</para> </description> @@ -48,6 +66,9 @@ about the security problem if the option is not set to "no", but the related computer is actually using the netlogon secure channel (schannel) feature. + (The log level can be adjusted with + '<smbconfoption name="CVE_2020_1472:warn_about_unused_debug_level">1</smbconfoption>' + in order to complain only at a higher log level). </para> <para> @@ -56,15 +77,25 @@ </para> <para> - See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497 -- Samba Shared Repository
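Review bot: the `mandatory=False` keyword added to `CHECK_VARIABLE()` in buildtools/wafsamba/samba_autoconf.py is not documented; the docstring still reads only `'''check for a variable declaration (or define)'''`. Suggest extending it with one line saying that `mandatory=True` is passed through to the underlying check so that a missing variable aborts the configure run (the usual waf meaning of `mandatory`), since callers now have two different failure modes to choose from.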
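Review bot: the new logging paragraph in the allownt4crypto.xml hunk (`@@ -18,8 +25,82 @@`) has a word-order typo, "if legacy a client is rejected or allowed without an explicit," should read "if a legacy client is rejected or allowed without an explicit"; the same sentence was copied into rejectmd5clients.xml and serverschannel.xml, so fix all three. In the same hunk, "Which is available with the patches for CVE-2022-38023 see ..." and "Which means '...yes' is only useful in combination with ..." are sentence fragments; fold the first into the preceding sentence ("... instead, which is available with the patches for ...; see ...") and start the second with "This means", ending it with a full stop.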
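Review bot: the unchanged context line "reject clients which does not support NETLOGON_NEG_SUPPORTS_AES" in rejectmd5clients.xml keeps the grammar error that this same patch fixes in allownt4crypto.xml ("which do not support"); since the file is being rewritten anyway, fix it here too. The added paragraph "Support for NETLOGON_NEG_SUPPORTS_AES was added in Windows starting with Server 2008R2 and Windows 7, it's available in Samba starting with 4.0, however third party domain members like NetApp ONTAP still uses RC4 (HMAC-MD5)" is a comma splice with a number disagreement; suggest splitting it into two sentences and "still use RC4". Finally, because the hunk flips `<value type="default">` from `no` to `yes` on a now-deprecated option, the upgrade consequence (such members are rejected until an explicit `server reject md5 schannel:COMPUTERACCOUNT = no` line is added) should be stated in the first paragraph rather than left for the reader to assemble from the later ones.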
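Review bot: in the new kdcdefaultdomainsupportedenctypes.xml, "which only takes an base-10 number" should be "a base-10 number", and `</para><itemizedlist>` is run onto one line while the surrounding markup puts each element on its own line. More usefully, the description explains that values may be given as a bitmask or as a list of names but the parameter block only carries `<value type="default">`; adding a `<value type="example">` showing the name-list form (for instance `aes256-cts aes128-cts rc4-hmac`) would make the accepted syntax concrete for administrators reading `testparm` output.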
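Review bot: the second paragraph of the new kdcforceenablerc4weaksessionkeys.xml is hard to parse because of the doubled "that" ("allows the KDC to assume that regardless of the value set in ... that a rc4-hmac Kerberos session key ... can be used"); drop the first "that" and use "an rc4-hmac". Unlike every other option touched in this patch, this description does not link to the advisory it relates to; suggest adding the same `<ulink>` to CVE-2022-37966 used in kerberosencryptiontypes.xml and a sentence stating plainly that "yes" re-enables the weak RC4 session-key behaviour the rest of the patch removes, so the trade-off is visible next to the option.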
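Review bot: the new kdcsupportedenctypes.xml needs a wording pass: "for local running kdc" should be "for the locally running KDC", "similar the configuration flexibility" is missing "to", and "an base-10 number" should be "a base-10 number". The description also never says how this KDC-wide list combines with a service account's `msDS-SupportedEncryptionTypes` or with the new `kdc default domain supported enctypes` option (does it restrict the per-account set, or only the defaults?); one sentence on that precedence would prevent administrators from expecting a per-account AES setting to survive when RC4-only is configured here, or the reverse. As with the sibling option, a `<value type="example">` would help.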
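Review bot: the kerberosencryptiontypes.xml hunk removes the only documented reason the `legacy` value existed (a Windows RODC advertising AES and proxying to a writeable DC without AES support) and replaces it with "AVOID using this option, because of CVE-2022-37966 see ..."; keeping one sentence naming that scenario would tell administrators who set `legacy` for that reason that the warning applies to them and what they should do instead. The new sentence also needs punctuation: "because of CVE-2022-37966; see https://bugzilla.samba.org/show_bug.cgi?id=15237."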