The branch, v4-16-stable has been updated
       via  6cc6e233b5c VERSION: Disable GIT_SNAPSHOT for the 4.16.8 release.
       via  64d7270f282 WHATSNEW: Add release notes for Samba 4.16.8.
       via  d5a8e41313d CVE-2022-37966 python:/tests/krb5: call sys.path.insert(0, "bin/python") before any other imports
       via  160e566d590 CVE-2022-37966 samba-tool: add 'domain trust modify' command
       via  cdc71cfd273 CVE-2022-37966 s4:kdc: apply restrictions of "kdc supported enctypes"
       via  4477651a0de CVE-2022-37966 param: Add support for new option "kdc supported enctypes"
       via  be57176c3ab CVE-2022-37966 param: let "kdc default domain supportedenctypes = 0" mean the default
       via  e7d3998bcc8 CVE-2022-37966 param: don't explicitly initialize "kdc force enable rc4 weak session keys" to false/"no"
       via  906dbd0a4bd CVE-2022-37966 s4:kdc: announce PA-SUPPORTED-ETYPES like windows.
       via  c8afae7869a CVE-2022-37966 python:tests/krb5: test much more etype combinations
       via  8e6d2953ba1 CVE-2022-37966 python:tests/krb5: add better PADATA_SUPPORTED_ETYPES assert message
       via  f4dc5721be3 CVE-2022-37966 python:tests/krb5: add 'force_nt4_hash' for account creation of KDCBaseTest
       via  aeb7c646bb0 CVE-2022-37966 python:tests/krb5: ignore empty supplementalCredentials attributes
       via  b20acd876c8 CVE-2022-37966 python:tests/krb5: allow ticket/supported_etypes to be passed KdcTgsBaseTests._{as,tgs}_req()
       via  3ea9946f652 CVE-2022-37966 python:tests/krb5: fix some tests running against Windows 2022
       via  dd69e432ee8 CVE-2022-37966 s4:libnet: allow python bindings to force setting an nthash via SAMR level 18
       via  55476d01ffc CVE-2022-37966 s4:libnet: add support for LIBNET_SET_PASSWORD_SAMR_HANDLE_18 to set nthash only
       via  f11edc1741e CVE-2022-37966 s4:libnet: initialize libnet_SetPassword() arguments explicitly to zero by default.
       via  b40b03d0601 CVE-2022-37966 drsuapi.idl: add trustedDomain related ATTID values
       via  ec1a2225a0f CVE-2022-37966 s4:kdc: use the strongest possible keys
       via  679904dc0df CVE-2022-37966 s4:pydsdb: add ENC_HMAC_SHA1_96_AES256_SK
       via  052cfe5a4a1 CVE-2022-37966 s3:net_ads: let 'net ads enctypes list' pretty print AES256-SK and RESOURCE-SID-COMPRESSION-DISABLED
       via  1d2318ec326 CVE-2022-37966 s3:net_ads: no longer reference des encryption types
       via  f8839f39f0a CVE-2022-37966 s3:libnet: no longer reference des encryption types
       via  3e4a521a2aa CVE-2022-37966 s3:libads: no longer reference des encryption types
       via  b2201628245 CVE-2022-37966 lib/krb5_wrap: no longer reference des encryption types
       via  0c7af9838fe CVE-2022-37966 s3:net_ads: remove unused ifdef HAVE_ENCTYPE_AES*
       via  c0bbcc442b8 CVE-2022-37966 s3:libnet: remove unused ifdef HAVE_ENCTYPE_AES*
       via  836646d4a02 CVE-2022-37966 s3:libads: remove unused ifdef HAVE_ENCTYPE_AES*
       via  911750da81a CVE-2022-37966 lib/krb5_wrap: remove unused ifdef HAVE_ENCTYPE_AES*
       via  8842d0197d1 CVE-2022-37966 system_mitkrb5: require support for aes enctypes
       via  001ed425ea1 CVE-2022-37966 wafsamba: add support for CHECK_VARIABLE(mandatory=True)
       via  c13c60ffbf7 CVE-2022-37966 kdc: Assume trust objects support AES by default
       via  a836bcf22ce CVE-2022-37966 kdc: Implement new Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
       via  da9da918f75 CVE-2022-37966 selftest: Run S4U tests against FL2003 DC
       via  f29efb011f6 CVE-2022-37966 selftest: Add tests for Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added
       via  71fcd5366a0 CVE-2022-37966 samba-tool: Declare explicitly RC4 support of trust objects
       via  b8996509387 CVE-2022-37966 samba-tool: Fix 'domain trust create' documentation
       via  31543f2902e CVE-2022-37966 third_party/heimdal: Fix error message typo
       via  545c20fd321 CVE-2022-37966 param: Add support for new option "kdc force enable rc4 weak session keys"
       via  4c2dc48598d CVE-2022-37966 param: Add support for new option "kdc default domain supportedenctypes"
       via  0601bb94c62 CVE-2022-37967 Add new PAC checksum
       via  a9c836d0442 CVE-2022-37966 HEIMDAL: Look up the server keys to combine with clients etype list to select a session key
       via  8d208ab0616 CVE-2022-37966 tests/krb5: Add a test requesting tickets with various encryption types
       via  9ed5a352ca1 CVE-2022-37966 tests/krb5: Add 'etypes' parameter to _tgs_req()
       via  cc2bea27a64 CVE-2022-37966 tests/krb5: Split out _tgs_req() into base class
       via  2408d405d31 CVE-2022-37966 selftest: Allow krb5 tests to run against an IP by using the target_hostname binding string
       via  91b74c701ac CVE-2022-37966 libcli/auth: let netlogon_creds_cli_warn_options() about "kerberos encryption types=legacy"
       via  12e4e94853f CVE-2022-37966 testparm: warn about 'kerberos encryption types = legacy'
       via  05206c09237 CVE-2022-37966 docs-xml/smbdotconf: "kerberos encryption types = legacy" should not be used
       via  a65fc1fa476 CVE-2022-37966 tests/krb5: Add test requesting a TGT expiring post-2038
       via  397a390aa86 CVE-2022-37966 s3:utils: Fix old-style function definition
       via  a89385f2ab7 CVE-2022-37966 s3:client: Fix old-style function definition
       via  130c4877b38 CVE-2022-37966 s3:param: Fix old-style function definition
       via  0fee9c469c0 CVE-2022-37966 tests/krb5: Allow passing expected etypes to get_keys()
       via  3dec660ae2b CVE-2022-37966 s4:kdc: Move supported enc-type handling out of samba_kdc_message2entry_keys()
       via  c09df344f0e CVE-2022-38023 testparm: warn about insecure schannel related options
       via  587ff282a9d CVE-2022-38023 testparm: warn about server/client schannel != yes
       via  03730459feb CVE-2022-38023 s4:rpc_server/netlogon: implement "server schannel require seal[:COMPUTERACCOUNT]"
       via  1d9c939ebaa CVE-2022-38023 s4:rpc_server/netlogon: add a per connection cache to dcesrv_netr_check_schannel()
       via  d04da3d7008 CVE-2022-38023 docs-xml/smbdotconf: add "server schannel require seal[:COMPUTERACCOUNT]" options
       via  9f809e2dd39 CVE-2022-38023 s4:rpc_server/netlogon: make sure all dcesrv_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
       via  abba8c4579f CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_check_schannel() function
       via  3f7cd285b79 CVE-2022-38023 selftest:Samba4: avoid global 'allow nt4 crypto = yes' and 'reject md5 clients = no'
       via  729e905776c CVE-2022-38023 s4:rpc_server/netlogon: debug 'reject md5 servers' and 'allow nt4 crypto' misconfigurations
       via  80d0238679f CVE-2022-38023 docs-xml/smbdotconf: document "server reject md5 schannel:COMPUTERACCOUNT"
       via  3075f65e5d5 CVE-2022-38023 docs-xml/smbdotconf: document "allow nt4 crypto:COMPUTERACCOUNT = no"
       via  d2dc3622d45 CVE-2022-38023 s4:rpc_server/netlogon: add 'server reject md5 schannel:COMPUTERACCOUNT = no' and 'allow nt4 crypto:COMPUTERACCOUNT = yes'
       via  c25546926f5 CVE-2022-38023 s4:rpc_server/netlogon: defer downgrade check until we found the account in our SAM
       via  bc78864cb5f CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 clients' default to yes
       via  852763adc22 CVE-2022-38023 s4:rpc_server/netlogon: require aes if weak crypto is disabled
       via  35ff1221013 CVE-2022-38023 s4:rpc_server/netlogon: split out dcesrv_netr_ServerAuthenticate3_check_downgrade()
       via  3f4c9c13b1f CVE-2022-38023 s4:torture: use NETLOGON_NEG_SUPPORTS_AES by default
       via  066dafb07a1 CVE-2022-38023 selftest:Samba4: avoid global 'server schannel = auto'
       via  82af786a36b CVE-2022-38023 s4:rpc_server/netlogon: improve CVE-2020-1472(ZeroLogon) debug messages
       via  88018634c78 CVE-2022-38023 s4:rpc_server/netlogon: re-order checking in dcesrv_netr_creds_server_step_check()
       via  0c32166174b CVE-2022-38023 s4:rpc_server/netlogon: add talloc_stackframe() to dcesrv_netr_creds_server_step_check()
       via  a5996700ade CVE-2022-38023 s4:rpc_server/netlogon: add a lp_ctx variable to dcesrv_netr_creds_server_step_check()
       via  2139565c2fe CVE-2022-38023 s4:rpc_server/netlogon: 'server schannel != yes' warning to dcesrv_interface_netlogon_bind
       via  08e2a933933 CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 servers' default to yes
       via  a2388a06cba CVE-2022-38023 s3:winbindd: also allow per domain "winbind sealed pipes:DOMAIN" and "require strong key:DOMAIN"
       via  8a7df0920b7 CVE-2022-38023 s3:net: add and use net_warn_member_options() helper
       via  1fe8857b4d9 CVE-2022-38023 libcli/auth: add/use netlogon_creds_cli_warn_options()
       via  b0dbc395510 CVE-2022-38023 libcli/auth: pass lp_ctx to netlogon_creds_cli_set_global_db()
       via  421398ce5eb CVE-2022-38023 docs-xml: improve wording for several options: "yields precedence" -> "is over-riden"
       via  af08dd3e25a CVE-2022-38023 docs-xml: improve wording for several options: "takes precedence" -> "overrides"
       via  4d099f8f678 selftest: make filter-subunit much more efficient for large knownfail lists
       via  a1136ed2e05 CVE-2021-20251: s4:auth: fix use after free in authsam_logon_success_accounting()
       via  2736d267aa9 CVE-2022-44640 HEIMDAL: asn1: invalid free in ASN.1 codec
       via  d7eccdbb028 CVE-2022-44640 selftest: Exclude Heimdal fuzz-inputs from source_chars test
       via  994464eee20 s3:utils: Fix stack smashing in net offlinejoin
       via  885e3fc12de smbd: reject FILE_ATTRIBUTE_TEMPORARY on directories
       via  8c2f27d442f torture: add a test trying to set FILE_ATTRIBUTE_TEMPORARY on a directory
       via  7edddbc684c CVE-2022-42898: HEIMDAL: lib/krb5: fix _krb5_get_int64 on systems where 'unsigned long' is just 32-bit
       via  33f74aea5d5 nsswitch: Fix uninitialized memory when allocating pwdlastset_prelim
       via  399522d048e nsswitch: Fix pam_set_data()/pam_get_data() to use pointers to a time_t, not try and embed it directly.
       via  b11ceb58fee s3:rpc_server: Fix include directive substitution when enumerating shares
       via  ef39898066c s3:tests: Add substitution test for listing shares
       via  5ade6d20f35 s3:tests: Add substitution test for include directive
       via  450dd63bdf9 lib/replace: fix memory leak in snprintf replacements
       via  83da21f4292 VERSION: Bump version up to Samba 4.16.8...
       via  722abdcf35c Merge tag 'samba-4.16.7' into v4-16-test
       via  b57c2bb4725 heimdal: Fix the 32-bit build on FreeBSD
       via  eeea6587e92 third_party/heimdal: Introduce macro for common plugin structure elements
       via  618395a7eaf s3: libsmbclient: Fix smbc_stat() to return ENOENT on a non-existent file.
       via  efa48817d3c s4: torture: libsmbclient: Add a torture test to ensure smbc_stat() returns ENOENT on a non-existent file.
       via  f7a84cffe9d s4:ldap_server: let ldapsrv_call_writev_start use conn_idle_time to limit the time
       via  bc16a8abe3f lib/tsocket: avoid endless cpu-spinning in tstream_bsd_fde_handler()
       via  aeb7dd2ca89 lib/tsocket: remember the first error as tstream_bsd->error
       via  d8d5146d167 lib/tsocket: check for errors indicated by poll() before getsockopt(fd, SOL_SOCKET, SO_ERROR)
       via  119bf609985 lib/tsocket: split out tsocket_bsd_error() from tsocket_bsd_pending()
       via  c805ccba339 lib/tsocket: Add tests for loop on EAGAIN
       via  c2095819c31 VERSION: Bump version up to Samba 4.16.7...
       via  a9011093133 Merge tag 'samba-4.16.6' into v4-16-test
       via  c28d971b12b s4:messaging: let imessaging_client_init() use imessaging_init_discard_incoming()
       via  04d0d5a0366 s3:auth_samba4: make use of imessaging_init_discard_incoming()
       via  6ba44033e38 s4:messaging: add imessaging_init_discard_incoming()
       via  4d7e31b9816 s3/utils: check result of talloc_strdup
       via  9a18da112c4 s3/utils: Check return of talloc_strdup
       via  e69d2b3f9d2 s3/param: Check return of talloc_strdup
       via  7480f9c01d6 s4/lib/registry: Fix use after free with popt 1.19
       via  5383d625cbb s3/utils: Fix use after free with popt 1.19
       via  4b35fa3f85e s3/utils: Fix use after free with popt 1.19
       via  1efcc10c9d4 s3/utils: Add missing poptFreeContext
       via  da11c48d9b6 s3/param: Fix use after free with popt-1.19
       via  0503e0df3b6 s3/rpcclient: Duplicate string returned from poptGetArg
       via  3e0ce4513b0 vfs_fruit: add missing calls to tevent_req_received()
       via  6c7af405580 s3: VFS: fruit. Implement fsync_send()/fsync_recv().
       via  24bc377a0ec s4: smbtorture: Add fsync_resource_fork test to fruit tests.
       via  b3e8e8185fc smbXsrv_client: handle NAME_NOT_FOUND from smb2srv_client_connection_{pass,drop}()
       via  0fa03f112f7 smbXsrv_client: make sure we only wait for smb2srv_client_mc_negprot_filter once and only when needed
       via  935f1ec476e smbXsrv_client: call smb2srv_client_connection_{pass,drop}() before dbwrap_watched_watch_send()
       via  68a233322bd smbXsrv_client: fix a debug message in smbXsrv_client_global_verify_record()
       via  f806366dd4a smbXsrv_client: ignore NAME_NOT_FOUND from smb2srv_client_connection_passed
       via  52dd57d4b30 smbXsrv_client: notify a different node to drop a connection by client guid.
       via  ada5ef9d847 smbXsrv_client: correctly check in negotiate_request.length smbXsrv_client_connection_pass[ed]_*
       via  1a4d3a2db79 python-drs: Add client-side debug and fallback for GET_ANC
       via  0a8330ab7dc s4-libnet: Add messages to object count mismatch failures
       via  584a4c00575 selftest: Enable "old Samba" mode regarding GET_ANC/GET_TGT
       via  a0e0c7e9894 s4-rpc_server:getncchanges Add "old Samba" mode regarding GET_ANC/GET_TGT
       via  997b8f8341f selftest: Add tests for GetNCChanges GET_ANC using samba-tool drs clone-dc-database
       via  2d2156b01de selftest: Prepare for "old Samba" mode regarding getncchanges GET_ANC/GET_TGT
       via  dd2c5f96981 pytest/samba_tool_drs_no_dns: use TestCaseInTempDir.rm_files/.rm_dirs
       via  42b5bfa68e2 pytest/samba_tool_drs: use TestCaseInTempDir.rm_files/.rm_dirs
       via  6a6db20068f pytest/samdb: use TestCaseInTempDir.rm_files/.rm_dirs
       via  fba1864d7a7 pytest/join: use TestCaseInTempDir.rm_files/dirs
       via  6e217c047d2 pytest/samdb_api: use TestCaseInTempDir.rm_files
       via  70de6108924 pytest/downgradedatabase: use TestCaseInTempDir.rm_files
       via  2003f7cf749 pytest: add file removal helpers for TestCaseInTempDir
       via  7c2697e9c84 s3:auth: Flush the GETPWSID in memory cache for NTLM auth
       via  2f71273a736 s3: smbd: Fix memory leak in smbd_server_connection_terminate_done().
       via  04e54799b2b vfs_gpfs: Protect against timestamps before the Unix epoch
       via  08383bedc3b lib: Map ERANGE to NT_STATUS_INTEGER_OVERFLOW
       via  729bbca5e88 vfs_gpfs: Prevent mangling of GPFS timestamps after 2106
       via  6a0280d9553 CVE-2021-20251 dsdb/common: Remove transaction logic from samdb_set_password()
       via  d0cd367da4c s4:rpc_server: Add transaction for dcesrv_samr_SetUserInfo()
       via  f7f1106b2ed s4:rpc_server: Use sam_ctx consistently in dcesrv_samr_SetUserInfo()
       via  c56e2e2e700 s3:rpc_server: Use a done goto label for dcesrv_samr_SetUserInfo()
       via  f78ff75c51f CVE-2021-20251 s4-rpc_server: Extend scope of transaction for ChangePasswordUser3
       via  317d36710b5 s3:rpc_server: Use BURN_STR() to zero password
       via  d9a144e8c4e lib:replace: Add macro BURN_STR() to zero memory of a string
       via  3cab9f6a34e libcli:auth: Keep passwords from convert_string_talloc() secret
       via  a3aebea4893 lib:util: Check memset_s() error code in talloc_keep_secret_destructor()
       via  ae3b615236c CVE-2021-20251 s3: Ensure bad password count atomic updates for SAMR password change
       via  69abe0c2b0a CVE-2021-20251 s3: ensure bad password count atomic updates
       via  05447dfb201 CVE-2021-20251 s4:auth_winbind: Check return status of authsam_logon_success_accounting()
       via  96c24b58b8c CVE-2021-20251 s4-rpc_server: Check badPwdCount update return status
       via  74d8c3d5843 CVE-2021-20251 s4:kdc: Check badPwdCount update return status
       via  5eb5daaa152 CVE-2021-20251 s4:kdc: Check return status of authsam_logon_success_accounting()
       via  29b31129fd3 CVE-2021-20251 s4:kdc: Move logon success accounting code into existing branch
       via  f58d7e42009 CVE-2021-20251 s4:dsdb: Make badPwdCount update atomic
       via  f725f2f2442 CVE-2021-20251 s4:dsdb: Update bad password count inside transaction
       via  2fe2485b93d CVE-2021-20251 s4-auth: Pass through error code from badPwdCount update
       via  6a70d006917 CVE-2021-20251 auth4: Avoid reading the database twice by precalculating some variables
       via  dd38fae8c8d CVE-2021-20251 auth4: Inline samdb_result_effective_badPwdCount() in authsam_logon_success_accounting()
       via  0d6da5250be CVE-2021-20251 auth4: Split authsam_calculate_lastlogon_sync_interval() out
       via  6b826a375a1 CVE-2021-20251 auth4: Return only the result message and free the surrounding result
       via  a9aae34d5a9 CVE-2021-20251 auth4: Add missing newline to debug message on PSO read failure
       via  79f791ff0eb CVE-2021-20251 s4 auth: make bad password count increment atomic
       via  a1a440c1014 CVE-2021-20251 auth4: Detect ACCOUNT_LOCKED_OUT error for password change
       via  8580b90a87b CVE-2021-20251 s4 auth test: Unit tests for source4/auth/sam.c
       via  9dcf447d822 CVE-2021-20251 auth4: Reread the user record if a bad password is noticed.
       via  831335aaaad CVE-2021-20251 s4 auth: Prepare to make bad password count increment atomic
       via  740c4c2b953 CVE-2021-20251 auth4: split samdb_result_msds_LockoutObservationWindow() out
       via  bc30ca2117c CVE-2021-20251 s4-rpc_server: Use authsam_search_account() to find the user
       via  0e3ac110df7 CVE-2021-20251 tests/krb5: Convert password lockout tests to use os.fork() and os.pipe()
       via  63020bf13c0 CVE-2021-20251 tests/krb5: Add tests for password lockout race
       via  b7351888e82 CVE-2021-20251 lib:crypto: Add md4_hash_blob() for hashing data with MD4
       via  3542483de3f CVE-2021-20251 lib:crypto: Add des_crypt_blob_16() for encrypting data with DES
       via  f0c44d9e53d CVE-2021-20251 tests/krb5: Add PasswordKey_from_creds()
       via  d41566d1bd0 third_party: Update socket_wrapper to version 1.3.4
      from  fc0f1090f4c VERSION: Disable GIT_SNAPSHOT for the 4.16.7 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-16-stable


- Log -----------------------------------------------------------------
-----------------------------------------------------------------------

Summary of changes:
 VERSION                                            |    2 +-
 WHATSNEW.txt                                       |  152 +-
 buildtools/wafsamba/samba_autoconf.py              |    4 +-
 buildtools/wafsamba/samba_third_party.py           |    2 +-
 docs-xml/manpages/samba-tool.8.xml                 |    5 +
 docs-xml/smbdotconf/logon/allownt4crypto.xml       |   85 +-
 docs-xml/smbdotconf/logon/rejectmd5clients.xml     |  101 +-
 .../security/allowdcerpcauthlevelconnect.xml       |    2 +-
 docs-xml/smbdotconf/security/clientschannel.xml    |    2 +-
 .../security/kdcdefaultdomainsupportedenctypes.xml |   42 +
 .../security/kdcforceenablerc4weaksessionkeys.xml  |   24 +
 .../smbdotconf/security/kdcsupportedenctypes.xml   |   40 +
 .../security/kerberosencryptiontypes.xml           |   12 +-
 docs-xml/smbdotconf/security/serverschannel.xml    |   47 +-
 .../security/serverschannelrequireseal.xml         |  118 +
 docs-xml/smbdotconf/winbind/rejectmd5servers.xml   |    9 +-
 docs-xml/smbdotconf/winbind/requirestrongkey.xml   |    4 +-
 lib/crypto/py_crypto.c                             |  100 +
 lib/crypto/wscript_build                           |    2 +-
 lib/krb5_wrap/krb5_samba.c                         |    6 -
 lib/param/loadparm.c                               |  147 ++
 lib/replace/replace.h                              |   11 +
 lib/replace/snprintf.c                             |    2 +
 lib/tsocket/tests/socketpair_tcp.c                 |   89 +
 .../tsocket/tests/socketpair_tcp.h                 |   30 +-
 lib/tsocket/tests/test_tstream.c                   |  517 ++++
 lib/tsocket/tsocket_bsd.c                          |  274 +-
 lib/tsocket/wscript_build                          |    6 +
 lib/util/talloc_keep_secret.c                      |   15 +-
 libcli/auth/netlogon_creds_cli.c                   |   88 +-
 libcli/auth/netlogon_creds_cli.h                   |    4 +-
 libcli/auth/smbencrypt.c                           |    1 +
 librpc/idl/drsuapi.idl                             |    9 +
 librpc/idl/krb5pac.idl                             |    4 +-
 librpc/idl/messaging.idl                           |    1 +
 librpc/idl/netlogon.idl                            |    1 +
 librpc/idl/security.idl                            |    1 +
 nsswitch/pam_winbind.c                             |   24 +-
 python/samba/drs_utils.py                          |   59 +-
 python/samba/join.py                               |   54 +-
 python/samba/netcmd/domain.py                      |  130 +-
 python/samba/tests/__init__.py                     |   35 +
 python/samba/tests/blackbox/downgradedatabase.py   |   14 +-
 python/samba/tests/join.py                         |    6 +-
 python/samba/tests/krb5/alias_tests.py             |    6 +-
 .../samba/tests/krb5/as_canonicalization_tests.py  |    5 +-
 python/samba/tests/krb5/as_req_tests.py            |   28 +-
 python/samba/tests/krb5/compatability_tests.py     |   22 +
 python/samba/tests/krb5/etype_tests.py             |  597 +++++
 python/samba/tests/krb5/fast_tests.py              |   11 +-
 python/samba/tests/krb5/kdc_base_test.py           |  133 +-
 python/samba/tests/krb5/kdc_tgs_tests.py           |  467 +++-
 python/samba/tests/krb5/kpasswd_tests.py           |    8 +-
 python/samba/tests/krb5/lockout_tests.py           | 1069 ++++++++
 python/samba/tests/krb5/pac_align_tests.py         |    6 +-
 python/samba/tests/krb5/raw_testcase.py            |  160 +-
 python/samba/tests/krb5/rfc4120_constants.py       |    2 +
 python/samba/tests/krb5/rodc_tests.py              |    8 +-
 python/samba/tests/krb5/s4u_tests.py               |  122 +-
 python/samba/tests/krb5/salt_tests.py              |    6 +-
 python/samba/tests/krb5/spn_tests.py               |    8 +-
 python/samba/tests/krb5/test_ccache.py             |    6 +-
 python/samba/tests/krb5/test_idmap_nss.py          |    6 +-
 python/samba/tests/krb5/test_ldap.py               |    6 +-
 python/samba/tests/krb5/test_min_domain_uid.py     |    7 +-
 python/samba/tests/krb5/test_rpc.py                |    6 +-
 python/samba/tests/krb5/test_smb.py                |    6 +-
 python/samba/tests/samdb.py                        |    8 +-
 python/samba/tests/samdb_api.py                    |   10 +-
 python/samba/tests/source_chars.py                 |    1 +
 python/samba/tests/usage.py                        |    2 +
 selftest/knownfail                                 |    1 +
 selftest/knownfail.d/samba-4.5-emulation           |    4 +
 selftest/knownfail_mit_kdc                         | 1588 ++++++++++-
 selftest/subunithelper.py                          |   32 +-
 selftest/target/Samba3.pm                          |   19 +-
 selftest/target/Samba4.pm                          |  138 +-
 selftest/tests.py                                  |    5 +
 source3/auth/auth_samba4.c                         |    8 +-
 source3/auth/check_samsec.c                        |   85 +-
 source3/client/clitar.c                            |    2 +-
 source3/lib/errmap_unix.c                          |    3 +
 source3/libads/kerberos.c                          |    6 +-
 source3/libads/kerberos_keytab.c                   |    4 -
 source3/libnet/libnet_join.c                       |    9 +-
 source3/librpc/idl/smbXsrv.idl                     |   28 +
 source3/libsmb/libsmb_file.c                       |   39 +-
 source3/modules/vfs_fruit.c                        |  114 +-
 source3/modules/vfs_gpfs.c                         |   43 +-
 source3/param/loadparm.c                           |    7 +-
 source3/param/test_lp_load.c                       |    7 +-
 source3/rpc_client/cli_netlogon.c                  |    2 +-
 source3/rpc_server/samr/srv_samr_chgpasswd.c       |   83 +-
 source3/rpc_server/samr/srv_samr_nt.c              |    6 +-
 source3/rpc_server/srvsvc/srv_srvsvc_nt.c          |    8 +
 source3/rpcclient/rpcclient.c                      |    2 +-
 source3/script/tests/test_substitutions.sh         |   27 +
 source3/smbd/dosmode.c                             |    7 +
 source3/smbd/smb2_server.c                         |    1 +
 source3/smbd/smbXsrv_client.c                      |  335 ++-
 source3/utils/destroy_netlogon_creds_cli.c         |    2 +-
 source3/utils/mdsearch.c                           |    1 +
 source3/utils/net.c                                |    6 +
 source3/utils/net_ads.c                            |   27 +-
 source3/utils/net_dom.c                            |    2 +
 source3/utils/net_join.c                           |    2 +
 source3/utils/net_offlinejoin.c                    |   13 +-
 source3/utils/net_proto.h                          |    2 +
 source3/utils/net_rpc.c                            |   10 +
 source3/utils/net_util.c                           |   14 +
 source3/utils/ntlm_auth.c                          |   12 +-
 source3/utils/pdbedit.c                            |   12 +-
 source3/utils/testparm.c                           |  100 +-
 source3/winbindd/winbindd_cm.c                     |   41 +-
 source4/auth/ntlm/auth_sam.c                       |    7 +-
 source4/auth/ntlm/auth_winbind.c                   |    7 +-
 source4/auth/sam.c                                 |  716 ++++-
 source4/auth/tests/sam.c                           | 2746 ++++++++++++++++++++
 source4/auth/wscript_build                         |   11 +
 source4/dsdb/common/util.c                         |   57 +-
 source4/dsdb/pydsdb.c                              |    1 +
 source4/dsdb/repl/replicated_objects.c             |   11 +
 source4/dsdb/samdb/ldb_modules/password_hash.c     |   62 +-
 source4/kdc/db-glue.c                              |  300 ++-
 source4/kdc/hdb-samba4.c                           |   51 +-
 source4/kdc/kdc-heimdal.c                          |   23 +-
 source4/kdc/mit_samba.c                            |    4 +-
 source4/kdc/sdb.c                                  |   91 +
 source4/kdc/sdb.h                                  |   12 +
 source4/kdc/sdb_to_hdb.c                           |   28 +-
 source4/kdc/wdc-samba4.c                           |   23 +-
 source4/ldap_server/ldap_server.c                  |    5 +
 source4/lib/messaging/messaging.c                  |   74 +-
 source4/lib/messaging/messaging.h                  |    5 +
 source4/lib/messaging/messaging_internal.h         |    9 +
 source4/lib/registry/tools/regpatch.c              |    2 +-
 source4/libnet/libnet_join.c                       |    4 +-
 source4/libnet/libnet_passwd.c                     |   75 +
 source4/libnet/libnet_passwd.h                     |    7 +
 source4/libnet/py_net.c                            |   18 +-
 source4/rpc_server/drsuapi/getncchanges.c          |   52 +-
 source4/rpc_server/netlogon/dcerpc_netlogon.c      | 1044 ++++++--
 source4/rpc_server/samr/dcesrv_samr.c              |  124 +-
 source4/rpc_server/samr/samr_password.c            |   83 +-
 source4/selftest/tests.py                          |   59 +-
 source4/torture/drs/python/samba_tool_drs.py       |   13 +-
 .../torture/drs/python/samba_tool_drs_critical.py  |   98 +
 .../torture/drs/python/samba_tool_drs_no_dns.py    |   14 +-
 source4/torture/libsmbclient/libsmbclient.c        |   63 +
 source4/torture/ntp/ntp_signd.c                    |    2 +-
 source4/torture/rpc/lsa.c                          |    4 +-
 source4/torture/rpc/netlogon.c                     |   24 +-
 source4/torture/rpc/netlogon_crypto.c              |    2 +-
 source4/torture/rpc/remote_pac.c                   |   14 +-
 source4/torture/rpc/samba3rpc.c                    |   15 +-
 source4/torture/smb2/create.c                      |   47 +
 source4/torture/vfs/fruit.c                        |   80 +
 third_party/heimdal/kdc/csr_authorizer_plugin.h    |    4 +-
 third_party/heimdal/kdc/gss_preauth.c              |    2 +-
 .../heimdal/kdc/gss_preauth_authorizer_plugin.h    |    4 +-
 third_party/heimdal/kdc/kdc-plugin.h               |    4 +-
 third_party/heimdal/kdc/kerberos5.c                |   45 +-
 third_party/heimdal/kdc/krb5tgs.c                  |    8 +-
 third_party/heimdal/kdc/misc.c                     |    4 +-
 third_party/heimdal/kdc/token_validator_plugin.h   |    4 +-
 .../heimdal/lib/asn1/fuzz-inputs/KrbFastArmoredReq |  Bin 0 -> 55 bytes
 third_party/heimdal/lib/asn1/gen_decode.c          |   12 +-
 third_party/heimdal/lib/asn1/gen_encode.c          |    4 +-
 third_party/heimdal/lib/asn1/gen_free.c            |    7 +
 third_party/heimdal/lib/asn1/gen_template.c        |    5 +-
 third_party/heimdal/lib/asn1/krb5.asn1             |    1 +
 third_party/heimdal/lib/base/common_plugin.h       |    6 +-
 third_party/heimdal/lib/base/heimbase-svc.h        |    5 +
 third_party/heimdal/lib/base/log.c                 |    2 +-
 third_party/heimdal/lib/base/plugin.c              |    2 +-
 third_party/heimdal/lib/hdb/hdb-ldap.c             |    3 +-
 third_party/heimdal/lib/hdb/hdb.asn1               |    3 +-
 third_party/heimdal/lib/hdb/hdb.c                  |   40 +-
 third_party/heimdal/lib/hdb/hdb.h                  |    4 +-
 third_party/heimdal/lib/hdb/test_namespace.c       |    8 +-
 third_party/heimdal/lib/kadm5/kadm5-hook.h         |    6 +-
 third_party/heimdal/lib/krb5/an2ln_plugin.h        |    6 +-
 third_party/heimdal/lib/krb5/db_plugin.h           |    6 +-
 third_party/heimdal/lib/krb5/init_creds_pw.c       |    2 +-
 third_party/heimdal/lib/krb5/kuserok_plugin.h      |    6 +-
third_party/heimdal/lib/krb5/locate_plugin.h | 6 +- third_party/heimdal/lib/krb5/pac.c | 169 +- third_party/heimdal/lib/krb5/send_to_kdc_plugin.h | 5 +- third_party/heimdal/lib/krb5/store-int.c | 2 +- third_party/heimdal/lib/krb5/ticket.c | 2 +- third_party/socket_wrapper/socket_wrapper.c | 18 +- third_party/socket_wrapper/wscript | 2 +- wscript_configure_system_mitkrb5 | 4 +- 193 files changed, 13171 insertions(+), 1181 deletions(-) create mode 100644 docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml create mode 100644 docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml create mode 100644 docs-xml/smbdotconf/security/kdcsupportedenctypes.xml create mode 100644 docs-xml/smbdotconf/security/serverschannelrequireseal.xml create mode 100644 lib/tsocket/tests/socketpair_tcp.c copy source3/lib/namearray.c => lib/tsocket/tests/socketpair_tcp.h (61%) create mode 100644 lib/tsocket/tests/test_tstream.c create mode 100755 python/samba/tests/krb5/etype_tests.py create mode 100755 python/samba/tests/krb5/lockout_tests.py create mode 100644 selftest/knownfail.d/samba-4.5-emulation create mode 100644 source4/auth/tests/sam.c create mode 100644 source4/torture/drs/python/samba_tool_drs_critical.py create mode 100644 third_party/heimdal/lib/asn1/fuzz-inputs/KrbFastArmoredReq Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 2184d6f7481..f78e4ac5ed1 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=16 -SAMBA_VERSION_RELEASE=7 +SAMBA_VERSION_RELEASE=8 ######################################################## # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 4f085269066..c2aeab4afbe 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,152 @@ + ============================== + Release Notes for Samba 4.16.8 + December 15, 2022 + ============================== + + +This is the latest stable release of the Samba 4.16 release series. +It also contains security changes in order to address the following defects + +o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos + RC4-HMAC Elevation of Privilege Vulnerability + disclosed by Microsoft on Nov 8 2022. + + A Samba Active Directory DC will issue weak rc4-hmac + session keys for use between modern clients and servers + despite all modern Kerberos implementations supporting + the aes256-cts-hmac-sha1-96 cipher. + + On Samba Active Directory DCs and members + 'kerberos encryption types = legacy' would force + rc4-hmac as a client even if the server supports + aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96. + + https://www.samba.org/samba/security/CVE-2022-37966.html + +o CVE-2022-37967: This is the Samba CVE for the Windows + Kerberos Elevation of Privilege Vulnerability + disclosed by Microsoft on Nov 8 2022. + + A service account with the special constrained + delegation permission could forge a more powerful + ticket than the one it was presented with. + + https://www.samba.org/samba/security/CVE-2022-37967.html + +o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the + same algorithms as rc4-hmac cryptography in Kerberos, + and so must also be assumed to be weak. + + https://www.samba.org/samba/security/CVE-2022-38023.html + +Note that there are several important behavior changes +included in this release, which may cause compatibility problems +interacting with system still expecting the former behavior. +Please read the advisories of CVE-2022-37966, +CVE-2022-37967 and CVE-2022-38023 carefully! + +samba-tool got a new 'domain trust modify' subcommand +----------------------------------------------------- + +This allows "msDS-SupportedEncryptionTypes" to be changed +on trustedDomain objects. 
Even against remote DCs (including Windows) +using the --local-dc-ipaddress= (and other --local-dc-* options). +See 'samba-tool domain trust modify --help' for further details. + +smb.conf changes +---------------- + + Parameter Name Description Default + -------------- ----------- ------- + allow nt4 crypto Deprecated no + allow nt4 crypto:COMPUTERACCOUNT New + kdc default domain supported enctypes New (see manpage) + kdc supported enctypes New (see manpage) + kdc force enable rc4 weak session keys New No + reject md5 clients New Default, Deprecated Yes + reject md5 servers New Default, Deprecated Yes + server schannel Deprecated Yes + server schannel require seal New, Deprecated Yes + server schannel require seal:COMPUTERACCOUNT New + winbind sealed pipes Deprecated Yes + +Changes since 4.16.7 +-------------------- + +o Jeremy Allison <j...@samba.org> + * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the + same size. + +o Andrew Bartlett <abart...@samba.org> + * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of + user-controlled pointer in FAST. + * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry. + * BUG 15237: CVE-2022-37966. + * BUG 15258: filter-subunit is inefficient with large numbers of knownfails. + +o Ralph Boehme <s...@samba.org> + * BUG 15240: CVE-2022-38023. + * BUG 15252: smbd allows setting FILE_ATTRIBUTE_TEMPORARY on directories. + +o Stefan Metzmacher <me...@samba.org> + * BUG 13135: The KDC logic arround msDs-supportedEncryptionTypes differs from + Windows. + * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented + atomically. + * BUG 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing + vulnerability. + * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry. + * BUG 15230: Memory leak in snprintf replacement functions. + * BUG 15237: CVE-2022-37966. + * BUG 15240: CVE-2022-38023. 
+ * BUG 15253: RODC doesn't reset badPwdCount reliable via an RWDC + (CVE-2021-20251 regression). + +o Noel Power <noel.po...@suse.com> + * BUG 15224: pam_winbind uses time_t and pointers assuming they are of the + same size. + +o Andreas Schneider <a...@samba.org> + * BUG 15237: CVE-2022-37966. + * BUG 15243: %U for include directive doesn't work for share listing + (netshareenum). + * BUG 15257: Stack smashing in net offlinejoin requestodj. + +o Joseph Sutton <josephsut...@catalyst.net.nz> + * BUG 15197: Windows 11 22H2 and Samba-AD 4.15 Kerberos login issue. + * BUG 15219: Heimdal session key selection in AS-REQ examines wrong entry. + * BUG 15231: CVE-2022-37967. + * BUG 15237: CVE-2022-37966. + +o Nicolas Williams <n...@twosigma.com> + * BUG 14929: CVE-2022-44640 [SECURITY] Upstream Heimdal free of + user-controlled pointer in FAST. + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical:matrix.org matrix room, or +#samba-technical IRC channel on irc.libera.chat. + + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the Samba 4.1 and newer product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. +== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- ============================== Release Notes for Samba 4.16.7 November 15, 2022 
@@ -43,8 +192,7 @@ database (https://bugzilla.samba.org/). ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- ============================== Release Notes for Samba 4.16.6 October 25, 2022 diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py index 78927d85193..53febc8be93 100644 --- a/buildtools/wafsamba/samba_autoconf.py +++ b/buildtools/wafsamba/samba_autoconf.py @@ -184,7 +184,8 @@ def CHECK_TYPE_IN(conf, t, headers=None, alternate=None, define=None): @conf def CHECK_VARIABLE(conf, v, define=None, always=False, - headers=None, msg=None, lib=None): + headers=None, msg=None, lib=None, + mandatory=False): '''check for a variable declaration (or define)''' if define is None: define = 'HAVE_%s' % v.upper() @@ -208,6 +209,7 @@ def CHECK_VARIABLE(conf, v, define=None, always=False, lib=lib, headers=headers, define=define, + mandatory=mandatory, always=always) diff --git a/buildtools/wafsamba/samba_third_party.py b/buildtools/wafsamba/samba_third_party.py index f046ebc96da..10635a3d46b 100644 --- a/buildtools/wafsamba/samba_third_party.py +++ b/buildtools/wafsamba/samba_third_party.py @@ -24,7 +24,7 @@ Build.BuildContext.CHECK_CMOCKA = CHECK_CMOCKA @conf def CHECK_SOCKET_WRAPPER(conf): - return conf.CHECK_BUNDLED_SYSTEM_PKG('socket_wrapper', minversion='1.3.3') + return conf.CHECK_BUNDLED_SYSTEM_PKG('socket_wrapper', minversion='1.3.4') Build.BuildContext.CHECK_SOCKET_WRAPPER = CHECK_SOCKET_WRAPPER @conf diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml index 9a40bb1bec4..8e9279cc518 100644 --- a/docs-xml/manpages/samba-tool.8.xml +++ b/docs-xml/manpages/samba-tool.8.xml 
@@ -676,6 +676,11 @@ <para>Create a domain or forest trust.</para> </refsect3> +<refsect3> + <title>domain trust modify <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title> + <para>Modify a domain or forest trust.</para> +</refsect3> + <refsect3> <title>domain trust delete <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title> <para>Delete a domain trust.</para> diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml index 03dc8fa93f7..ee63e6cc245 100644 --- a/docs-xml/smbdotconf/logon/allownt4crypto.xml +++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml @@ -1,11 +1,18 @@ <samba:parameter name="allow nt4 crypto" context="G" type="boolean" + deprecated="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> + <para> + This option is deprecated and will be removed in future, + as it is a security problem if not set to "no" (which will be + the hardcoded behavior in future). + </para> + <para>This option controls whether the netlogon server (currently only in 'active directory domain controller' mode), will - reject clients which does not support NETLOGON_NEG_STRONG_KEYS + reject clients which do not support NETLOGON_NEG_STRONG_KEYS nor NETLOGON_NEG_SUPPORTS_AES.</para> <para>This option was added with Samba 4.2.0. It may lock out clients 
@@ -18,8 +25,82 @@ <para>"allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks.</para> - <para>This option yields precedence to the 'reject md5 clients' option.</para> + <para><emphasis>Avoid using this option!</emphasis> Use explicit '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' instead! + Which is available with the patches for + <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink> + see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink></para> + + <para> + Samba will log an error in the log files at log level 0 + if legacy a client is rejected or allowed without an explicit, + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' option + for the client. The message will indicate + the explicit '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' + line to be added, if the legacy client software requires it. (The log level can be adjusted with + '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>' + in order to complain only at a higher log level). 
+ </para> + + <para>This allows admins to use "yes" only for a short grace period, + in order to collect the explicit + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' options.</para> + + <para>This option is over-ridden by the effective value of 'yes' from + the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>' + and/or '<smbconfoption name="reject md5 clients"/>' options.</para> </description> <value type="default">no</value> </samba:parameter> + +<samba:parameter name="allow nt4 crypto:COMPUTERACCOUNT" + context="G" + type="string" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + + <para>If you still have legacy domain members which required 'allow nt4 crypto = yes', + it is possible to specify an explicit exception per computer account + by using 'allow nt4 crypto:COMPUTERACCOUNT = yes' as option. + Note that COMPUTERACCOUNT has to be the sAMAccountName value of + the computer account (including the trailing '$' sign). + </para> + + <para> + Samba will log a complaint in the log files at log level 0 + about the security problem if the option is set to "yes", + but the related computer does not require it. + (The log level can be adjusted with + '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>' + in order to complain only at a higher log level). + </para> + + <para> + Samba will log a warning in the log files at log level 5, + if a setting is still needed for the specified computer account. + </para> + + <para> + See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>, + <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>. 
+ </para> + + <para>This option overrides the <smbconfoption name="allow nt4 crypto"/> option.</para> + + <para>This option is over-ridden by the effective value of 'yes' from + the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>' + and/or '<smbconfoption name="reject md5 clients"/>' options.</para> + <para>Which means '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' + is only useful in combination with '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'</para> + + <programlisting> + allow nt4 crypto:LEGACYCOMPUTER1$ = yes + server reject md5 schannel:LEGACYCOMPUTER1$ = no + allow nt4 crypto:NASBOX$ = yes + server reject md5 schannel:NASBOX$ = no + allow nt4 crypto:LEGACYCOMPUTER2$ = yes + server reject md5 schannel:LEGACYCOMPUTER2$ = no + </programlisting> +</description> + +</samba:parameter> diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml index 41684ef1080..fe7701d9277 100644 --- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml +++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml 
@@ -1,17 +1,110 @@ <samba:parameter name="reject md5 clients" context="G" type="boolean" + deprecated="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> + <para> + This option is deprecated and will be removed in a future release, + as it is a security problem if not set to "yes" (which will be + the hardcoded behavior in the future). + </para> + <para>This option controls whether the netlogon server (currently only in 'active directory domain controller' mode), will reject clients which does not support NETLOGON_NEG_SUPPORTS_AES.</para> - <para>You can set this to yes if all domain members support aes. - This will prevent downgrade attacks.</para> + <para>Support for NETLOGON_NEG_SUPPORTS_AES was added in Windows + starting with Server 2008R2 and Windows 7, it's available in Samba + starting with 4.0, however third party domain members like NetApp ONTAP + still uses RC4 (HMAC-MD5), see + <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">https://www.samba.org/samba/security/CVE-2022-38023.html</ulink> + for more details. + </para> + + <para>The default changed from 'no' to 'yes', with the patches for + <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink> + see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>. + </para> + + <para><emphasis>Avoid using this option!</emphasis> Use an explicit per machine account + '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>' instead! + Which is available with the patches for + <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink> + see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>. 
+ </para> + + <para> + Samba will log an error in the log files at log level 0 + if legacy a client is rejected or allowed without an explicit, + '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' option + for the client. The message will indicate + the explicit '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' + line to be added, if the legacy client software requires it. (The log level can be adjusted with + '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>' + in order to complain only at a higher log level). + </para> + + <para>This allows admins to use "no" only for a short grace period, + in order to collect the explicit + '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' options.</para> + + <para>When set to 'yes' this option overrides the + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT"/>' and + '<smbconfoption name="allow nt4 crypto"/>' options and implies + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">no</smbconfoption>'. + </para> +</description> + +<value type="default">yes</value> +</samba:parameter> + +<samba:parameter name="server reject md5 schannel:COMPUTERACCOUNT" + context="G" + type="string" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + + <para>If you still have legacy domain members or trusted domains, + which required "reject md5 clients = no" before, + it is possible to specify an explicit exception per computer account + by setting 'server reject md5 schannel:COMPUTERACCOUNT = no'. + Note that COMPUTERACCOUNT has to be the sAMAccountName value of + the computer account (including the trailing '$' sign). + </para> + + <para> + Samba will log a complaint in the log files at log level 0 + about the security problem if the option is set to "no", + but the related computer does not require it. 
+ (The log level can be adjusted with + '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>' + in order to complain only at a higher log level). + </para> + + <para> + Samba will log a warning in the log files at log level 5 + if a setting is still needed for the specified computer account. + </para> + + <para> + See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>, + <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>. + </para> + + <para>This option overrides the <smbconfoption name="reject md5 clients"/> option.</para> + + <para>When set to 'yes' this option overrides the + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT"/>' and + '<smbconfoption name="allow nt4 crypto"/>' options and implies + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">no</smbconfoption>'. + </para> - <para>This option takes precedence to the 'allow nt4 crypto' option.</para> + <programlisting> + server reject md5 schannel:LEGACYCOMPUTER1$ = no + server reject md5 schannel:NASBOX$ = no + server reject md5 schannel:LEGACYCOMPUTER2$ = no + </programlisting> </description> -<value type="default">no</value> </samba:parameter> diff --git a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml index 03531adbfb3..8bccab391cc 100644 --- a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml +++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml 
@@ -15,7 +15,7 @@ <para>The behavior can be overwritten per interface name (e.g. lsarpc, netlogon, samr, srvsvc, winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = yes' as option.</para> - <para>This option yields precedence to the implementation specific restrictions. + <para>This option is over-ridden by the implementation specific restrictions. E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY. The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY. </para> diff --git a/docs-xml/smbdotconf/security/clientschannel.xml b/docs-xml/smbdotconf/security/clientschannel.xml index 5b07da95050..d124ad48181 100644 --- a/docs-xml/smbdotconf/security/clientschannel.xml +++ b/docs-xml/smbdotconf/security/clientschannel.xml @@ -23,7 +23,7 @@ <para>Note that for active directory domains this is hardcoded to <smbconfoption name="client schannel">yes</smbconfoption>.</para> - <para>This option yields precedence to the <smbconfoption name="require strong key"/> option.</para> + <para>This option is over-ridden by the <smbconfoption name="require strong key"/> option.</para> </description> <value type="default">yes</value> <value type="example">auto</value> diff --git a/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml b/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml new file mode 100644 index 00000000000..984611167b5 --- /dev/null +++ b/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml 
@@ -0,0 +1,42 @@ +<samba:parameter name="kdc default domain supported enctypes" + type="integer" + context="G" + handler="handle_kdc_default_domain_supported_enctypes" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + <para> + Set the default value of <constant>msDS-SupportedEncryptionTypes</constant> for service accounts in Active Directory that are missing this value or where <constant>msDS-SupportedEncryptionTypes</constant> is set to 0. + </para> + -- Samba Shared Repository
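Review bot: two typos in the "Changes since 4.16.7" bug list of the WHATSNEW hunk: "The KDC logic arround msDs-supportedEncryptionTypes" should read "around", and "RODC doesn't reset badPwdCount reliable via an RWDC" should read "reliably". In the smb.conf changes table, "reject md5 clients" and "reject md5 servers" are listed as "New Default, Deprecated" with default "Yes" while "kdc force enable rc4 weak session keys" defaults to "No"; a sentence under the table saying that the flipped 'yes' defaults are the CVE-2022-38023 hardening (which the bug list does reference) would tell upgrading operators which rows are the ones that can break legacy members.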
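Review bot: in the samba_autoconf.py hunk the CHECK_VARIABLE docstring '''check for a variable declaration (or define)''' is not updated for the new `mandatory=False` keyword; since the value is only passed through (`mandatory=mandatory`), a reader of this function cannot tell what it does, so add a line saying what happens when `mandatory=True` and the variable is absent. Keeping the default at False leaves existing callers unchanged, which is right for a stable branch.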
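Review bot: the socket_wrapper minimum version bump from 1.3.3 to 1.3.4 in CHECK_SOCKET_WRAPPER is a build-requirement change, but the WHATSNEW hunk in this same patch does not mention it; distributions configuring against a system socket_wrapper 1.3.3 will hit a configure failure with no hint in the release notes, so a line there (or in the commit message) stating why 1.3.4 is needed would help packagers.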
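Review bot: the new "domain trust modify" refsect3 in samba-tool.8.xml says only "Modify a domain or forest trust."; the WHATSNEW text in this patch directs users to --local-dc-ipaddress= and the other --local-dc-* options for working against remote DCs, so the manpage entry should name those options, or at least which trust attributes the command can modify, instead of leaving readers with 'samba-tool domain trust modify --help'.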
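Review bot: in the second allownt4crypto.xml hunk (@@ -18,8 +25,82 @@), "if legacy a client is rejected or allowed" should read "if a legacy client is rejected or allowed", and "Which is available with the patches for ... see ..." is a sentence fragment; fold it into the preceding sentence, e.g. "Use an explicit '...' instead, which is available with the patches for CVE-2022-38023 (see https://bugzilla.samba.org/show_bug.cgi?id=15240)." In the new "allow nt4 crypto:COMPUTERACCOUNT" description, "legacy domain members which required" should be "which require". The programlisting correctly pairs every `allow nt4 crypto:X$ = yes` with `server reject md5 schannel:X$ = no`, which matches the stated rule that the former is only useful together with the latter; good to keep both lines in the example.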
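Review bot: the rejectmd5clients.xml hunk leaves the context line "reject clients which does not support NETLOGON_NEG_SUPPORTS_AES" unchanged although the allownt4crypto.xml hunk in this same patch fixes the identical wording to "which do not support"; fix it here too while the file is being touched. Also "third party domain members like NetApp ONTAP still uses RC4" should read "still use", and "if legacy a client is rejected" should read "if a legacy client is rejected". The default handling looks consistent: the old trailing `<value type="default">no</value>` is removed and `<value type="default">yes</value>` is added under "reject md5 clients", while the new string parameter "server reject md5 schannel:COMPUTERACCOUNT" carries no default element, matching "allow nt4 crypto:COMPUTERACCOUNT".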
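Review bot: the allowdcerpcauthlevelconnect.xml hunk (and the clientschannel.xml and allownt4crypto.xml hunks) replace "yields precedence to" with "is over-ridden by"; the replacement is clearer, but the usual spelling is "overridden" without a hyphen, and the new rejectmd5clients.xml text already uses "overrides", so the unhyphenated form keeps the manpages consistent.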
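Review bot: the new kdcdefaultdomainsupportedenctypes.xml file is cut off in this message at 10 of its 42 lines, so the default value and any example cannot be reviewed here; the visible description should state that the integer is the msDS-SupportedEncryptionTypes bit mask rather than a single enctype number, so admins know whether to write a combined decimal value, and it should say which value applies when the option is itself unset, since the handler attribute "handle_kdc_default_domain_supported_enctypes" suggests special-casing that the reader cannot see in the description.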