From: Stefan Metzmacher Date: Thu, 24 Nov 2022 17:26:18 +0000 (+0100) Subject: CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 clients' default to yes X-Git-Tag: samba-4.15.13~79 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ade168df393064dd25a6e540e06332dcd1803297;p=thirdparty%2Fsamba.git CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 clients' default to yes AES is supported by Windows Server >= 2008R2, Windows (Client) >= 7 and Samba >= 4.0, so there's no reason to allow md5 clients by default. However some third party domain members may need it. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Ralph Boehme (cherry picked from commit c8e53394b98b128ed460a6111faf05dfbad980d1) --- diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml index 0bb9f6f6c8e..edcbe02e99a 100644 --- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml +++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml @@ -7,11 +7,16 @@ only in 'active directory domain controller' mode), will reject clients which does not support NETLOGON_NEG_SUPPORTS_AES. - You can set this to yes if all domain members support aes. - This will prevent downgrade attacks. + Support for NETLOGON_NEG_SUPPORTS_AES was added in Windows + starting with Server 2008R2 and Windows 7, it's available in Samba + starting with 4.0, however third party domain members like NetApp ONTAP + still uses RC4 (HMAC-MD5), see https://www.samba.org/samba/security/CVE-2022-38023.html for more details. + + The default changed from 'no' to 'yes', with the patches for CVE-2022-38023, + see https://bugzilla.samba.org/show_bug.cgi?id=15240 This option overrides the 'allow nt4 crypto' option. -no +yes diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index dfcc27ea68b..3f4e367570e 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c 
@@ -2722,6 +2722,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lpcfg_do_global_parameter(lp_ctx, "winbind nss info", "template"); lpcfg_do_global_parameter(lp_ctx, "server schannel", "True"); + lpcfg_do_global_parameter(lp_ctx, "reject md5 clients", "True"); lpcfg_do_global_parameter(lp_ctx, "short preserve case", "True"); diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index 5568e399da5..f452248db8d 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -1629,6 +1629,8 @@ sub provision_ad_dc_ntvfs($$$) client min protocol = CORE server min protocol = LANMAN1 + reject md5 clients = no + CVE_2020_1472:warn_about_unused_debug_level = 3 server require schannel:schannel0\$ = no server require schannel:schannel1\$ = no @@ -1992,6 +1994,8 @@ sub provision_ad_dc($$$$$$$) lpq cache time = 0 print notify backchannel = yes + reject md5 clients = no + CVE_2020_1472:warn_about_unused_debug_level = 3 server require schannel:schannel0\$ = no server require schannel:schannel1\$ = no diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index f934d48498c..13a8504425c 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -666,6 +666,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) Globals.require_strong_key = true; Globals.reject_md5_servers = true; Globals.server_schannel = true; + Globals.reject_md5_clients = true; Globals.read_raw = true; Globals.write_raw = true; Globals.null_passwords = false;
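Review bot: In docs-xml/smbdotconf/logon/rejectmd5clients.xml, the added paragraph names NetApp ONTAP as a domain member that still uses RC4 (HMAC-MD5), but it removes the only guidance sentence ("You can set this to yes if all domain members support aes.") without saying what an administrator who has such members should do now that the default is 'yes'. Suggest stating explicitly that 'reject md5 clients = no' has to be set in that case, and that doing so gives up the downgrade protection the removed line "This will prevent downgrade attacks." described. Minor wording in the same paragraph: "still uses" should be "still use", and "Windows 7, it's available in Samba" is a comma splice that reads better as two sentences.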
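Review bot: In lib/param/loadparm.c, the new default is hard-coded as lpcfg_do_global_parameter(lp_ctx, "reject md5 clients", "True") with no comment, and the same default is set a second time as Globals.reject_md5_clients = true in source3/param/loadparm.c and a third time as the documented value in rejectmd5clients.xml. Nothing in the visible lines ties the three together, so a later change to one can leave the others stale. Suggest a one-line comment at both code sites pointing at the XML documentation (or at CVE-2022-38023) so that whoever touches the default knows all three places must agree.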
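Review bot: In selftest/target/Samba4.pm, both provision_ad_dc_ntvfs and provision_ad_dc now set 'reject md5 clients = no' without any comment explaining why, so these two environments keep running with the old behaviour and do not exercise the new 'yes' default. Suggest adding a short comment above each added line saying which tests still depend on MD5 clients, and confirming that at least one selftest environment runs with the option left at its default so that the rejection path this commit enables is covered.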