84 lines
3.3 KiB
Diff
84 lines
3.3 KiB
Diff
From 91ed623daf97524aeef8dc3c35808634456c4526 Mon Sep 17 00:00:00 2001
|
|
From: Andrew Bartlett <abartlet@samba.org>
|
|
Date: Fri, 18 Nov 2022 13:44:28 +1300
|
|
Subject: [PATCH 15/54] CVE-2022-37966 param: Add support for new option "kdc
|
|
force enable rc4 weak session keys"
|
|
|
|
Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz>
|
|
|
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|
|
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
(cherry picked from commit ee18bc29b8ef6a3f09070507cc585467e55a1628)
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
|
|
|
|
Conflict: NA
|
|
Reference: https://attachments.samba.org/attachment.cgi?id=17695
|
|
---
|
|
.../kdcforceenablerc4weaksessionkeys.xml | 24 +++++++++++++++++++
|
|
lib/param/loadparm.c | 4 ++++
|
|
source3/param/loadparm.c | 1 +
|
|
3 files changed, 29 insertions(+)
|
|
create mode 100644 docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml
|
|
|
|
diff --git a/docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml b/docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml
|
|
new file mode 100644
|
|
index 000000000000..1cb46d74a369
|
|
--- /dev/null
|
|
+++ b/docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml
|
|
@@ -0,0 +1,24 @@
|
|
+<samba:parameter name="kdc force enable rc4 weak session keys"
|
|
+ type="boolean"
|
|
+ context="G"
|
|
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
|
+<description>
|
|
+ <para>
|
|
+ <constant>RFC8429</constant> declares that
|
|
+ <constant>rc4-hmac</constant> Kerberos ciphers are weak and
|
|
+ there are known attacks on Active Directory use of this
|
|
+ cipher suite.
|
|
+ </para>
|
|
+ <para>
|
|
+ However for compatibility with Microsoft Windows this option
|
|
+ allows the KDC to assume that regardless of the value set in
|
|
+ a service account's
|
|
+ <constant>msDS-SupportedEncryptionTypes</constant> attribute
|
|
+ that a <constant>rc4-hmac</constant> Kerberos session key (as distinct from the ticket key, as
|
|
+ found in a service keytab) can be used if the potentially
|
|
+ older client requests it.
|
|
+ </para>
|
|
+</description>
|
|
+
|
|
+<value type="default">no</value>
|
|
+</samba:parameter>
|
|
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
|
|
index 1cb25f843b3b..a858c31dbba4 100644
|
|
--- a/lib/param/loadparm.c
|
|
+++ b/lib/param/loadparm.c
|
|
@@ -3091,6 +3091,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
|
|
"kdc default domain supported enctypes",
|
|
"rc4-hmac aes256-cts-hmac-sha1-96-sk");
|
|
|
|
+ lpcfg_do_global_parameter(lp_ctx,
|
|
+ "kdc force enable rc4 weak session keys",
|
|
+ "no");
|
|
+
|
|
for (i = 0; parm_table[i].label; i++) {
|
|
if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
|
|
lp_ctx->flags[i] |= FLAG_DEFAULT;
|
|
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
|
|
index fb15b20e1876..dc1a830cdbe1 100644
|
|
--- a/source3/param/loadparm.c
|
|
+++ b/source3/param/loadparm.c
|
|
@@ -997,6 +997,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
|
|
|
|
Globals.kdc_default_domain_supported_enctypes =
|
|
KERB_ENCTYPE_RC4_HMAC_MD5 | KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK;
|
|
+ Globals.kdc_force_enable_rc4_weak_session_keys = false;
|
|
|
|
/* Now put back the settings that were set with lp_set_cmdline() */
|
|
apply_lp_set_cmdline();
|
|
--
|
|
2.34.1
|