author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2022-11-15 18:14:36 +1300 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2022-12-13 13:07:29 +0000 |
commit | d861d4eb28bd4c091955c11669edcf867b093a6f (patch) | |
tree | 7e7e8732285919bf75ab7b436bd96b4c6d71dfa1 | |
parent | a50a2be622afaa7a280312ea12f5eb9c9a0c41da (diff) | |
download | samba-d861d4eb28bd4c091955c11669edcf867b093a6f.tar.gz |
CVE-2022-37966 param: Add support for new option "kdc default domain supportedenctypes"
This matches the Windows registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\KDC\DefaultDomainSupportedEncTypes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
-rw-r--r-- | docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml | 42 | ||||
-rw-r--r-- | lib/param/loadparm.c | 79 | ||||
-rw-r--r-- | librpc/idl/security.idl | 1 | ||||
-rw-r--r-- | source3/param/loadparm.c | 3 |
4 files changed, 125 insertions, 0 deletions
diff --git a/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml b/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml
new file mode 100644
index 00000000000..e93650ac3e0
--- /dev/null
+++ b/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml
@@ -0,0 +1,42 @@
+<samba:parameter name="kdc default domain supported enctypes"
+ type="integer"
+ context="G"
+ handler="handle_kdc_default_domain_supported_enctypes"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ Set the default value of <constant>msDS-SupportedEncryptionTypes</constant> for service accounts in Active Directory that are missing this value or where <constant>msDS-SupportedEncryptionTypes</constant> is set to 0.
+ </para>
+
+ <para>
+ This allows Samba administrators to match the configuration flexibility provided by the
+ <constant>HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\KDC\DefaultDomainSupportedEncTypes</constant> Registry Value on Windows.
+ </para>
+ <para>
+ Unlike the Windows registry key (which only takes an base-10 number), in Samba this may also be expressed in hexadecimal or as a list of Kerberos encryption type names.
+ </para>
+ <para>
+ Specified values are ORed together bitwise, and those currently supported consist of:
+ </para><itemizedlist>
+ <listitem>
+ <para><constant>arcfour-hmac-md5</constant>, <constant>rc4-hmac</constant>, <constant>0x4</constant>, or <constant>4</constant></para>
+ <para>Known on Windows as Kerberos RC4 encryption</para>
+ </listitem>
+ <listitem>
+ <para><constant>aes128-cts-hmac-sha1-96</constant>, <constant>aes128-cts</constant>, <constant>0x8</constant>, or <constant>8</constant></para>
+ <para>Known on Windows as Kerberos AES 128 bit encryption</para>
+ </listitem>
+ <listitem>
+ <para><constant>aes256-cts-hmac-sha1-96</constant>, <constant>aes256-cts</constant>, <constant>0x10</constant>, or <constant>16</constant></para>
+ <para>Known on Windows as Kerberos AES 256 bit encryption</para>
+ </listitem>
+ <listitem>
+ <para><constant>aes256-cts-hmac-sha1-96-sk</constant>, <constant>aes256-cts-sk</constant>, <constant>0x20</constant>, or <constant>32</constant></para>
+ <para>Allow AES session keys. When this is set, it indicates to the KDC that AES session keys can be used, even when <constant>aes256-cts</constant> and <constant>aes128-cts</constant> are not set. This allows use of AES keys against hosts otherwise only configured with RC4 for ticket keys (which is the default).</para>
+ </listitem>
+</itemizedlist>
+
+</description>
+
+<value type="default">36<comment>equivalent to: rc4-hmac aes256-cts-hmac-sha1-96-sk</comment></value>
+</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 1dcc8061fa2..1cb25f843b3 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -70,6 +70,7 @@
 #include "tdb.h"
 #include "librpc/gen_ndr/nbt.h"
 #include "librpc/gen_ndr/dns.h"
+#include "librpc/gen_ndr/security.h"
 #include "libds/common/roles.h"
 #include "lib/util/samba_util.h"
 #include "libcli/auth/ntlm_check.h"
@@ -1704,6 +1705,80 @@ out:
 return value_is_valid;
 }
+bool handle_kdc_default_domain_supported_enctypes(struct loadparm_context *lp_ctx,
+ struct loadparm_service *service,
+ const char *pszParmValue, char **ptr)
+{
+ char **enctype_list = NULL;
+ char **enctype = NULL;
+ uint32_t result = 0;
+ bool ok = true;
+
+ enctype_list = str_list_make(NULL, pszParmValue, NULL);
+ if (enctype_list == NULL) {
+ DBG_ERR("OOM: failed to make string list from %s\n",
+ pszParmValue);
+ ok = false;
+ goto out;
+ }
+
+ for (enctype = enctype_list; *enctype != NULL; ++enctype) {
+ if (strwicmp(*enctype, "arcfour-hmac-md5") == 0 ||
+ strwicmp(*enctype, "rc4-hmac") == 0)
+ {
+ result |= KERB_ENCTYPE_RC4_HMAC_MD5;
+ }
+ else if (strwicmp(*enctype, "aes128-cts-hmac-sha1-96") == 0 ||
+ strwicmp(*enctype, "aes128-cts") == 0)
+ {
+ result |= KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96;
+ }
+ else if (strwicmp(*enctype, "aes256-cts-hmac-sha1-96") == 0 ||
+ strwicmp(*enctype, "aes256-cts") == 0)
+ {
+ result |= KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96;
+ }
+ else if (strwicmp(*enctype, "aes256-cts-hmac-sha1-96-sk") == 0 ||
+ strwicmp(*enctype, "aes256-cts-sk") == 0)
+ {
+ result |= KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK;
+ }
+ else {
+ const char *bitstr = *enctype;
+ int base;
+ int error;
+ unsigned long bit;
+
+ /* See if the bit's specified in hexadecimal. */
+ if (bitstr[0] == '0' &&
+ (bitstr[1] == 'x' || bitstr[2] == 'X'))
+ {
+ base = 16;
+ bitstr += 2;
+ }
+ else {
+ base = 10;
+ }
+
+ bit = smb_strtoul(bitstr, NULL, base, &error, SMB_STR_FULL_STR_CONV);
+ if (error) {
+ DBG_ERR("WARNING: Ignoring invalid value '%s' "
+ "for parameter 'kdc default domain supported enctypes'\n",
+ *enctype);
+ ok = false;
+ } else {
+ result |= bit;
+ }
+ }
+ }
+
+ *(int *)ptr = result;
+out:
+ TALLOC_FREE(enctype_list);
+
+ return ok;
+}
+
 static bool set_variable(TALLOC_CTX *mem_ctx, struct loadparm_service *service,
 int parmnum, void *parm_ptr,
 const char *pszParmName, const char *pszParmValue,
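Review bot: The hexadecimal-prefix test in the numeric fallback compares `bitstr[2] == 'X'` where `bitstr[1] == 'X'` is clearly intended, so an upper-case `0X20` is handed to smb_strtoul in base 10 (and presumably rejected by SMB_STR_FULL_STR_CONV at the `X`), and for a one-character value such as `0` the comparison reads `bitstr[2]`, one byte past the terminator. The condition should read `if (bitstr[0] == '0' && (bitstr[1] == 'x' || bitstr[1] == 'X'))`. Separately, `bit` is an unsigned long OR-ed into the uint32_t `result`, so on LP64 platforms a value above 0xffffffff is silently truncated instead of being rejected; `if (error || bit > UINT32_MAX)` would route it through the existing error path. The DBG_ERR text says the invalid value is ignored, yet the handler returns false after still storing the partial `result`, so a one-line comment stating which outcome the caller should expect (reject the whole parameter, or keep the valid bits) would help the next reader.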
@@ -3012,6 +3087,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 "rpc start on demand helpers", "yes");
+ lpcfg_do_global_parameter(lp_ctx,
+ "kdc default domain supported enctypes",
+ "rc4-hmac aes256-cts-hmac-sha1-96-sk");
+
 for (i = 0; parm_table[i].label; i++) {
 if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
 lp_ctx->flags[i] |= FLAG_DEFAULT;
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
index 2ef34170479..3d2c8a33903 100644
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@@ -734,6 +734,7 @@ interface security
 KERB_ENCTYPE_RC4_HMAC_MD5 = 0x00000004,
 KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008,
 KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010,
+ KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK = 0x00000020,
 KERB_ENCTYPE_FAST_SUPPORTED = 0x00010000,
 KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED = 0x00020000,
 KERB_ENCTYPE_CLAIMS_SUPPORTED = 0x00040000,
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index a0c9249b777..27a77c71f5e 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -993,6 +993,9 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 */
 Globals.rpc_start_on_demand_helpers = true;
+ Globals.kdc_default_domain_supported_enctypes =
+ KERB_ENCTYPE_RC4_HMAC_MD5 | KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK;
+
 /* Now put back the settings that were set with lp_set_cmdline() */
 apply_lp_set_cmdline();
 }
|
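Review bot: The default for the new parameter is now spelled out in three unconnected places: the string `"rc4-hmac aes256-cts-hmac-sha1-96-sk"` passed to lpcfg_do_global_parameter in loadparm_init, the constant expression `KERB_ENCTYPE_RC4_HMAC_MD5 | KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK` in the source3 init_globals hunk, and `36` in the XML default, with nothing that checks they agree. Since this default decides whether RC4 ticket keys are offered to accounts lacking msDS-SupportedEncryptionTypes, the three copies drifting apart would be a security-relevant inconsistency rather than a cosmetic one. A comment at the source3 assignment, e.g. `/* Must match the lib/param/loadparm.c default string and the docs-xml default (36). */`, and the mirror comment in loadparm_init would at least make the coupling visible when one of them is changed. init_globals starts outside the hunk.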