From 545c20fd321f8eb5feebd11c825942755b374fdc Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Fri, 18 Nov 2022 13:44:28 +1300
Subject: [PATCH] CVE-2022-37966 param: Add support for new option "kdc force enable rc4 weak session keys"

Pair-Programmed-With: Joseph Sutton
Signed-off-by: Andrew Bartlett
Signed-off-by: Joseph Sutton
Reviewed-by: Stefan Metzmacher
(cherry picked from commit ee18bc29b8ef6a3f09070507cc585467e55a1628)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
---
 .../kdcforceenablerc4weaksessionkeys.xml | 24 +++++++++++++++++++
 lib/param/loadparm.c | 4 ++++
 source3/param/loadparm.c | 1 +
 3 files changed, 29 insertions(+)
 create mode 100644 docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml

diff --git a/docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml b/docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml
new file mode 100644
index 00000000000..1cb46d74a36
--- /dev/null
+++ b/docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml
@@ -0,0 +1,24 @@
+
+
+
+ RFC8429 declares that
+ rc4-hmac Kerberos ciphers are weak and
+ there are known attacks on Active Directory use of this
+ cipher suite.
+
+
+ However for compatibility with Microsoft Windows this option
+ allows the KDC to assume that regardless of the value set in
+ a service account's
+ msDS-SupportedEncryptionTypes attribute
+ that a rc4-hmac Kerberos session key (as distinct from the ticket key, as
+ found in a service keytab) can be used if the potentially
+ older client requests it.
+
+
+
+no
+
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index e810fa564d6..0fee67d3c1b 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -3087,6 +3087,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 "kdc default domain supported enctypes",
 "rc4-hmac aes256-cts-hmac-sha1-96-sk");
+ lpcfg_do_global_parameter(lp_ctx,
+ "kdc force enable rc4 weak session keys",
+ "no");
+
 for (i = 0; parm_table[i].label; i++) {
 if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
 lp_ctx->flags[i] |= FLAG_DEFAULT;
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index c33b0cd3fea..ec59f9274d4 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -993,6 +993,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 Globals.kdc_default_domain_supported_enctypes =
 KERB_ENCTYPE_RC4_HMAC_MD5 | KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK;
+ Globals.kdc_force_enable_rc4_weak_session_keys = false;
 /* Now put back the settings that were set with lp_set_cmdline() */
 apply_lp_set_cmdline();
--
2.47.2
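Review bot: The secure default for this option is stated in three places that nothing visible here ties together: the string `"no"` in loadparm_init(), `false` in init_globals() in the source3/param/loadparm.c hunk, and the default value in the new XML page. Per the new documentation, turning the option on lets the KDC accept an rc4-hmac session key regardless of an account's msDS-SupportedEncryptionTypes, so if the two loaders ever drift apart the weak behaviour could presumably depend on which one initialised the context. I would add a comment above the call, e.g. `/* Secure default (CVE-2022-37966): keep in sync with init_globals() in source3/param/loadparm.c and the smb.conf documentation */`, and the matching comment at the source3 assignment. It would also help to say there how this relates to the `rc4-hmac` entry still present in the "kdc default domain supported enctypes" default just above, since the interaction is not visible from these hunks. Both functions begin and end outside their hunks, so an existing consistency check may simply not be shown here.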