diff options
author | Rob van der Linde <rob@catalyst.net.nz> | 2023-02-27 14:06:23 +1300 |
---|---|---|
committer | Jule Anger <janger@samba.org> | 2023-03-20 10:05:12 +0100 |
commit | bb5aecbd10265904156510d5dfc2f97bad442267 (patch) | |
tree | 27a8cad68c045cfd5c052f09b441d083546d8faf | |
parent | 003f6c16112a45af81ed59877d3b416a2f3847d9 (diff) | |
download | samba-bb5aecbd10265904156510d5dfc2f97bad442267.tar.gz |
CVE-2023-0922 set default ldap client sasl wrapping to seal
This avoids sending new or reset passwords in the clear
(integrity protected only) from samba-tool in particular.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15315
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
-rw-r--r-- | docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml | 27 | ||||
-rw-r--r-- | lib/param/loadparm.c | 2 | ||||
-rw-r--r-- | python/samba/tests/auth_log.py | 2 | ||||
-rw-r--r-- | source3/param/loadparm.c | 2 |
4 files changed, 16 insertions, 17 deletions
diff --git a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml index 3152f0682dd..21bd2090057 100644 --- a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml +++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml @@ -18,25 +18,24 @@ </para> <para> - This option is needed in the case of Domain Controllers enforcing - the usage of signed LDAP connections (e.g. Windows 2000 SP3 or higher). - LDAP sign and seal can be controlled with the registry key - "<literal>HKLM\System\CurrentControlSet\Services\</literal> - <literal>NTDS\Parameters\LDAPServerIntegrity</literal>" - on the Windows server side. - </para> + This option is needed firstly to secure the privacy of + administrative connections from <command>samba-tool</command>, + including in particular new or reset passwords for users. For + this reason the default is <emphasis>seal</emphasis>.</para> - <para> - Depending on the used KRB5 library (MIT and older Heimdal versions) - it is possible that the message "integrity only" is not supported. - In this case, <emphasis>sign</emphasis> is just an alias for - <emphasis>seal</emphasis>. + <para>Additionally, <command>winbindd</command> and the + <command>net</command> tool can use LDAP to communicate with + Domain Controllers, so this option also controls the level of + privacy for those connections. All supported AD DC versions + will enforce the usage of at least signed LDAP connections by + default, so a value of at least <emphasis>sign</emphasis> is + required in practice. </para> <para> - The default value is <emphasis>sign</emphasis>. That implies synchronizing the time + The default value is <emphasis>seal</emphasis>. That implies synchronizing the time with the KDC in the case of using <emphasis>Kerberos</emphasis>. </para> </description> -<value type="default">sign</value> +<value type="default">seal</value> </samba:parameter> diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index 6ab7fa89db7..16cb0d47f31 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -2990,7 +2990,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lpcfg_do_global_parameter(lp_ctx, "ldap debug threshold", "10"); - lpcfg_do_global_parameter(lp_ctx, "client ldap sasl wrapping", "sign"); + lpcfg_do_global_parameter(lp_ctx, "client ldap sasl wrapping", "seal"); lpcfg_do_global_parameter(lp_ctx, "mdns name", "netbios"); diff --git a/python/samba/tests/auth_log.py b/python/samba/tests/auth_log.py index d166b93d90a..8f9f487f82a 100644 --- a/python/samba/tests/auth_log.py +++ b/python/samba/tests/auth_log.py @@ -470,7 +470,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): def isLastExpectedMessage(msg): return (msg["type"] == "Authorization" and msg["Authorization"]["serviceDescription"] == "LDAP" and - msg["Authorization"]["transportProtection"] == "SIGN" and + msg["Authorization"]["transportProtection"] == "SEAL" and msg["Authorization"]["authType"] == "krb5") self.samdb = SamDB(url="ldap://%s" % os.environ["SERVER"], diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 05a5ae20abe..12718ced9e7 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -756,7 +756,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) Globals.ldap_debug_level = 0; Globals.ldap_debug_threshold = 10; - Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN; + Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SEAL; Globals.ldap_server_require_strong_auth = LDAP_SERVER_REQUIRE_STRONG_AUTH_YES; |