From 4a2b0b69bf8e786703a8f4a648ba00392de5eccd Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Wed, 30 Nov 2022 09:02:41 +0100
Subject: [PATCH 49/54] CVE-2022-37966 param: don't explicitly initialize "kdc force enable rc4 weak session keys" to false/"no"

This is not squashed in order to allow easier backports...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher
Reviewed-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
(cherry picked from commit 7504a4d6fee7805aac7657b9dab88c48353d6db4)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
lib/param/loadparm.c | 4 ----
source3/param/loadparm.c | 1 -
2 files changed, 5 deletions(-)
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index a858c31dbba4..1cb25f843b3b 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -3091,10 +3091,6 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) "kdc default domain supported enctypes", "rc4-hmac aes256-cts-hmac-sha1-96-sk"); - lpcfg_do_global_parameter(lp_ctx, - "kdc force enable rc4 weak session keys", - "no"); - for (i = 0; parm_table[i].label; i++) { if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) { lp_ctx->flags[i] |= FLAG_DEFAULT;
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index dc1a830cdbe1..fb15b20e1876 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -997,7 +997,6 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) Globals.kdc_default_domain_supported_enctypes = KERB_ENCTYPE_RC4_HMAC_MD5 | KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK; - Globals.kdc_force_enable_rc4_weak_session_keys = false; /* Now put back the settings that were set with lp_set_cmdline() */ apply_lp_set_cmdline();
--
2.34.1