From: Andrew Bartlett Date: Fri, 18 Nov 2022 00:44:28 +0000 (+1300) Subject: CVE-2022-37966 param: Add support for new option "kdc force enable rc4 weak session... X-Git-Tag: samba-4.15.13~46 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=36d5770585ab3abfe1a17f78709728805482388c;p=thirdparty%2Fsamba.git CVE-2022-37966 param: Add support for new option "kdc force enable rc4 weak session keys" Pair-Programmed-With: Joseph Sutton Signed-off-by: Andrew Bartlett Signed-off-by: Joseph Sutton Reviewed-by: Stefan Metzmacher (cherry picked from commit ee18bc29b8ef6a3f09070507cc585467e55a1628) BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 --- diff --git a/docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml b/docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml new file mode 100644 index 00000000000..1cb46d74a36 --- /dev/null +++ b/docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml @@ -0,0 +1,24 @@ + + + + RFC8429 declares that + rc4-hmac Kerberos ciphers are weak and + there are known attacks on Active Directory use of this + cipher suite. + + + However for compatibility with Microsoft Windows this option + allows the KDC to assume that regardless of the value set in + a service account's + msDS-SupportedEncryptionTypes attribute + that a rc4-hmac Kerberos session key (as distinct from the ticket key, as + found in a service keytab) can be used if the potentially + older client requests it. + + + +no + diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index b712609e3a7..3a62d882a81 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c 
@@ -3080,6 +3080,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) "kdc default domain supported enctypes", "rc4-hmac aes256-cts-hmac-sha1-96-sk"); + lpcfg_do_global_parameter(lp_ctx, + "kdc force enable rc4 weak session keys", + "no"); + for (i = 0; parm_table[i].label; i++) { if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) { lp_ctx->flags[i] |= FLAG_DEFAULT; diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index ea1686e8aa0..f0b82d7dea1 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -984,6 +984,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) Globals.kdc_default_domain_supported_enctypes = KERB_ENCTYPE_RC4_HMAC_MD5 | KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK; + Globals.kdc_force_enable_rc4_weak_session_keys = false; /* Now put back the settings that were set with lp_set_cmdline() */ apply_lp_set_cmdline();
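Review bot: In the docs-xml hunk the description sentence "this option allows the KDC to assume that regardless of the value set in a service account's msDS-SupportedEncryptionTypes attribute that a rc4-hmac Kerberos session key ... can be used" carries a duplicated "that" and does not say what the security cost of enabling it is; since the opening paragraph already states that rc4-hmac is declared weak by RFC 8429 and that there are known attacks on Active Directory use of it, the paragraph should also say plainly that setting this to yes weakens the CVE-2022-37966 hardening for every service account and is intended only as a temporary compatibility measure for older clients, for example: "Setting this to yes re-enables weak rc4-hmac session keys for all services and should only be used as a short-term compatibility measure." Also write "RFC 8429" with a space, matching the usual RFC citation style.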
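Review bot: The lib/param/loadparm.c hunk sets the default with lpcfg_do_global_parameter(lp_ctx, "kdc force enable rc4 weak session keys", "no"), which duplicates the "no" default carried by the docs-xml file for the same option; the two must stay in step, so either add a short comment next to this call pointing at docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml as the authoritative definition, or note in the commit message that the default is intentionally declared in both places. It is also worth stating here that the neighbouring default "kdc default domain supported enctypes" still lists "rc4-hmac", so the new option is a separate, per-session-key override rather than a replacement for that setting.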
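Review bot: The source3/param/loadparm.c hunk initialises Globals.kdc_force_enable_rc4_weak_session_keys = false in init_globals, consistent with the "no" defaults in the other two files, but nothing in this patch reads the new global, so the KDC behaviour described in the docs-xml text is not actually implemented here; the commit message should say that this change only introduces the parameter and that the consuming KDC code lands in a follow-up commit in the same CVE-2022-37966 series, so that a reviewer of the cherry-pick to samba-4.15.13 knows to check that the follow-up is also backported.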