CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 clients' default to yes
authorStefan Metzmacher <metze@samba.org>
Thu, 24 Nov 2022 17:26:18 +0000 (18:26 +0100)
committerStefan Metzmacher <metze@samba.org>
Tue, 13 Dec 2022 23:46:21 +0000 (00:46 +0100)
AES is supported by Windows Server >= 2008R2, Windows (Client) >= 7 and Samba >= 4.0,
so there's no reason to allow md5 clients by default.
However some third party domain members may need it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit c8e53394b98b128ed460a6111faf05dfbad980d1)

docs-xml/smbdotconf/logon/rejectmd5clients.xml
lib/param/loadparm.c
selftest/target/Samba4.pm
source3/param/loadparm.c

index 0bb9f6f6c8ec333e96eec4c7704a5605bd2fbec4..edcbe02e99a3fb723173ab362441d59d75a51319 100644 (file)
@@ -7,11 +7,16 @@
        only in 'active directory domain controller' mode), will
        reject clients which does not support NETLOGON_NEG_SUPPORTS_AES.</para>
 
-       <para>You can set this to yes if all domain members support aes.
-       This will prevent downgrade attacks.</para>
+       <para>Support for NETLOGON_NEG_SUPPORTS_AES was added in Windows
+       starting with Server 2008R2 and Windows 7, it's available in Samba
+       starting with 4.0, however third party domain members like NetApp ONTAP
+       still uses RC4 (HMAC-MD5), see https://www.samba.org/samba/security/CVE-2022-38023.html for more details.</para>
+
+       <para>The default changed from 'no' to 'yes', with the patches for CVE-2022-38023,
+       see https://bugzilla.samba.org/show_bug.cgi?id=15240</para>
 
        <para>This option overrides the 'allow nt4 crypto' option.</para>
 </description>
 
-<value type="default">no</value>
+<value type="default">yes</value>
 </samba:parameter>
index dfcc27ea68b64d1d7d1a8d1fec43a5d6a92493db..3f4e367570e4f799a634d76863edbc125806ea5b 100644 (file)
@@ -2722,6 +2722,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
        lpcfg_do_global_parameter(lp_ctx, "winbind nss info", "template");
 
        lpcfg_do_global_parameter(lp_ctx, "server schannel", "True");
+       lpcfg_do_global_parameter(lp_ctx, "reject md5 clients", "True");
 
        lpcfg_do_global_parameter(lp_ctx, "short preserve case", "True");
 
index 5568e399da57a47bead3158049a0a15f86f5b7a9..f452248db8d4901e673b8958ad34ff1a8a844125 100755 (executable)
@@ -1629,6 +1629,8 @@ sub provision_ad_dc_ntvfs($$$)
        client min protocol = CORE
        server min protocol = LANMAN1
 
+       reject md5 clients = no
+
        CVE_2020_1472:warn_about_unused_debug_level = 3
        server require schannel:schannel0\$ = no
        server require schannel:schannel1\$ = no
@@ -1992,6 +1994,8 @@ sub provision_ad_dc($$$$$$$)
        lpq cache time = 0
        print notify backchannel = yes
 
+       reject md5 clients = no
+
        CVE_2020_1472:warn_about_unused_debug_level = 3
        server require schannel:schannel0\$ = no
        server require schannel:schannel1\$ = no
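Review bot: The `reject md5 clients = no` line opts both provisioned test DCs out of the new hardened default with no comment saying why, so it reads like a leftover rather than a deliberate test fixture; presumably the selftest still drives HMAC-MD5 netlogon clients against these DCs, but that is not visible here. A comment above the setting in both provision_ad_dc_ntvfs and provision_ad_dc would record the intent, e.g. `# CVE-2022-38023: default is now 'yes'; keep 'no' here so tests covering RC4/HMAC-MD5 clients still run`. Both subs continue outside the hunks.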
index f934d48498c00c013ad3bd8f2c35034fe1f9fad7..13a8504425ca3667a90be7f10efc9a4934e05444 100644 (file)
@@ -666,6 +666,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
        Globals.require_strong_key = true;
        Globals.reject_md5_servers = true;
        Globals.server_schannel = true;
+       Globals.reject_md5_clients = true;
        Globals.read_raw = true;
        Globals.write_raw = true;
        Globals.null_passwords = false;