author | Andrew Bartlett <abartlet@samba.org> | 2022-11-18 13:44:28 +1300 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2022-12-14 00:48:48 +0100 |
commit | 36d5770585ab3abfe1a17f78709728805482388c (patch) | |
tree | 9c5d76e5b4e73dcbb2f83003d82342f249d86084 | |
parent | 1daea832104e46cfc4ea9700024bda35271a7672 (diff) | |
CVE-2022-37966 param: Add support for new option "kdc force enable rc4 weak session keys"
Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit ee18bc29b8ef6a3f09070507cc585467e55a1628)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
-rw-r--r-- | docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml | 24 | ||||
-rw-r--r-- | lib/param/loadparm.c | 4 | ||||
-rw-r--r-- | source3/param/loadparm.c | 1 |
3 files changed, 29 insertions, 0 deletions
diff --git a/docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml b/docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml
new file mode 100644
index 00000000000..1cb46d74a36
--- /dev/null
+++ b/docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml
@@ -0,0 +1,24 @@
+<samba:parameter name="kdc force enable rc4 weak session keys"
+                 type="boolean"
+                 context="G"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>
+	<constant>RFC8429</constant> declares that
+	<constant>rc4-hmac</constant> Kerberos ciphers are weak and
+	there are known attacks on Active Directory use of this
+	cipher suite.
+	</para>
+	<para>
+	However for compatibility with Microsoft Windows this option
+	allows the KDC to assume that regardless of the value set in
+	a service account's
+	<constant>msDS-SupportedEncryptionTypes</constant> attribute
+	that a <constant>rc4-hmac</constant> Kerberos session key (as distinct from the ticket key, as
+	found in a service keytab) can be used if the potentially
+	older client requests it.
+	</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index b712609e3a7..3a62d882a81 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -3080,6 +3080,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 				"kdc default domain supported enctypes",
 				"rc4-hmac aes256-cts-hmac-sha1-96-sk");
 
+	lpcfg_do_global_parameter(lp_ctx,
+				  "kdc force enable rc4 weak session keys",
+				  "no");
+
 	for (i = 0; parm_table[i].label; i++) {
 		if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
 			lp_ctx->flags[i] |= FLAG_DEFAULT;
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index ea1686e8aa0..f0b82d7dea1 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
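Review bot: The security-relevant default `"no"` passed to lpcfg_do_global_parameter() here is now stated independently in three places — this call, `<value type="default">no</value>` in the new docs-xml file, and `Globals.kdc_force_enable_rc4_weak_session_keys = false;` in the source3/param/loadparm.c hunk — with nothing in the code tying them together. Per the new option's description, a drift toward `yes` in any one of them would let the KDC hand out rc4-hmac session keys regardless of a service account's msDS-SupportedEncryptionTypes, so the invariant is worth stating where it is set. A one-line comment above the call, `/* Default "no": rc4-hmac session keys stay off unless an admin opts in; keep in sync with the docs-xml default and source3/param/loadparm.c */`, would flag that for the next editor; the same comment fits above the source3 assignment. loadparm_init() begins and ends outside this hunk.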
@@ -984,6 +984,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 	Globals.kdc_default_domain_supported_enctypes = KERB_ENCTYPE_RC4_HMAC_MD5 |
 						       KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK;
 
+	Globals.kdc_force_enable_rc4_weak_session_keys = false;
 
 	/* Now put back the settings that were set with lp_set_cmdline() */
 	apply_lp_set_cmdline();