| author | Rob van der Linde <rob@catalyst.net.nz> | 2023-02-27 14:06:23 +1300 |
|---|---|---|
| committer | Jule Anger <janger@samba.org> | 2023-03-20 10:05:01 +0100 |
| commit | 04e5a7eb03a1e913f34d77b7b6c2353b41ef546a (patch) | |
| tree | 2d0fa1b3b142bb2aeb1379fe6b4d48d1989dd6b8 | |
| parent | 888c6ae8177d87e408722f67cc03359ae2533402 (diff) | |
| download | samba-04e5a7eb03a1e913f34d77b7b6c2353b41ef546a.tar.gz | |
CVE-2023-0922 set default ldap client sasl wrapping to seal
This avoids sending new or reset passwords in the clear
(integrity protected only) from samba-tool in particular.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15315
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml | 27 |
| -rw-r--r-- | lib/param/loadparm.c | 2 |
| -rw-r--r-- | python/samba/tests/auth_log.py | 2 |
| -rw-r--r-- | source3/param/loadparm.c | 2 |
4 files changed, 16 insertions, 17 deletions
diff --git a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml index 3152f0682dd..21bd2090057 100644 --- a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml +++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml @@ -18,25 +18,24 @@ </para> <para> - This option is needed in the case of Domain Controllers enforcing - the usage of signed LDAP connections (e.g. Windows 2000 SP3 or higher). - LDAP sign and seal can be controlled with the registry key - "<literal>HKLM\System\CurrentControlSet\Services\</literal> - <literal>NTDS\Parameters\LDAPServerIntegrity</literal>" - on the Windows server side. - </para> + This option is needed firstly to secure the privacy of + administrative connections from <command>samba-tool</command>, + including in particular new or reset passwords for users. For + this reason the default is <emphasis>seal</emphasis>.</para> - <para> - Depending on the used KRB5 library (MIT and older Heimdal versions) - it is possible that the message "integrity only" is not supported. - In this case, <emphasis>sign</emphasis> is just an alias for - <emphasis>seal</emphasis>. + <para>Additionally, <command>winbindd</command> and the + <command>net</command> tool can use LDAP to communicate with + Domain Controllers, so this option also controls the level of + privacy for those connections. All supported AD DC versions + will enforce the usage of at least signed LDAP connections by + default, so a value of at least <emphasis>sign</emphasis> is + required in practice. </para> <para> - The default value is <emphasis>sign</emphasis>. That implies synchronizing the time + The default value is <emphasis>seal</emphasis>. That implies synchronizing the time with the KDC in the case of using <emphasis>Kerberos</emphasis>. </para> </description> -<value type="default">sign</value> +<value type="default">seal</value> </samba:parameter> 
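Review bot: In the first replacement paragraph, "firstly" opens an enumeration that the next paragraph does not continue (it starts with "Additionally"); "primarily", or dropping the word, reads better. In the same paragraph the closing tag is appended to the text line (`... the default is <emphasis>seal</emphasis>.</para>`) while every other paragraph in this file puts `</para>` on its own line; keep the layout consistent. The new text also says only that "a value of at least sign is required in practice" without saying what `seal` adds; one sentence stating that `sign` gives integrity only while `seal` also gives confidentiality would make clear to an administrator that lowering the setting to `sign` reintroduces the plaintext-password exposure this change addresses.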
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index fc0dc4df83f..f70823fe366 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -2992,7 +2992,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lpcfg_do_global_parameter(lp_ctx, "ldap debug threshold", "10"); - lpcfg_do_global_parameter(lp_ctx, "client ldap sasl wrapping", "sign"); + lpcfg_do_global_parameter(lp_ctx, "client ldap sasl wrapping", "seal"); lpcfg_do_global_parameter(lp_ctx, "mdns name", "netbios"); diff --git a/python/samba/tests/auth_log.py b/python/samba/tests/auth_log.py index 9949b0abe4d..b0f4840563d 100644 --- a/python/samba/tests/auth_log.py +++ b/python/samba/tests/auth_log.py @@ -470,7 +470,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): def isLastExpectedMessage(msg): return (msg["type"] == "Authorization" and msg["Authorization"]["serviceDescription"] == "LDAP" and - msg["Authorization"]["transportProtection"] == "SIGN" and + msg["Authorization"]["transportProtection"] == "SEAL" and msg["Authorization"]["authType"] == "krb5") self.samdb = SamDB(url="ldap://%s" % os.environ["SERVER"], diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 0ebdd315bd1..97d02037a89 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -756,7 +756,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) Globals.ldap_debug_level = 0; Globals.ldap_debug_threshold = 10; - Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN; + Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SEAL; Globals.ldap_server_require_strong_auth = LDAP_SERVER_REQUIRE_STRONG_AUTH_YES; |
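Review bot: The default now lives in three places that this patch updates by hand: the string `"seal"` here in `lpcfg_do_global_parameter`, the enum `ADS_AUTH_SASL_SEAL` in source3/param/loadparm.c, and `<value type="default">seal</value>` in the XML. Nothing in this hunk ties them together; a short comment pointing at the other two locations, or a test that compares the documented default with the loaded default, would keep them from drifting apart on the next change.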
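Review bot: In python/samba/tests/auth_log.py the expectation `transportProtection == "SEAL"` in `isLastExpectedMessage` changes only because the default changed; the test does not set `client ldap sasl wrapping` itself. Consider keeping one case that relies on the default (so this fix is pinned) and adding one that sets the option to `sign` explicitly, so that a regression in honouring explicit configuration is still caught and the test documents which behaviour it is checking.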
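Review bot: Switching `Globals.client_ldap_sasl_wrapping` from `ADS_AUTH_SASL_SIGN` to `ADS_AUTH_SASL_SEAL` in source3/param/loadparm.c is a behaviour change beyond samba-tool: after upgrade every winbindd and net deployment that used the default will request sealing on its LDAP connections to the DC, which the docs hunk acknowledges but the commit message does not. State in the message, or in the release notes that accompany the CVE fix, that winbindd and net are affected too and that `client ldap sasl wrapping = sign` in smb.conf restores the previous behaviour where an environment cannot seal.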