samba/backport-0049-CVE-2022-37966.patch

From 4a2b0b69bf8e786703a8f4a648ba00392de5eccd Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 30 Nov 2022 09:02:41 +0100
Subject: [PATCH 49/54] CVE-2022-37966 param: don't explicitly initialize "kdc
 force enable rc4 weak session keys" to false/"no"

This is not squashed in order to allow easier backports...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 7504a4d6fee7805aac7657b9dab88c48353d6db4)

Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
 lib/param/loadparm.c     | 4 ----
 source3/param/loadparm.c | 1 -
 2 files changed, 5 deletions(-)

diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index a858c31dbba4..1cb25f843b3b 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -3091,10 +3091,6 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 				  "kdc default domain supported enctypes",
 				  "rc4-hmac aes256-cts-hmac-sha1-96-sk");
 
-	lpcfg_do_global_parameter(lp_ctx,
-				  "kdc force enable rc4 weak session keys",
-				  "no");
-
 	for (i = 0; parm_table[i].label; i++) {
 		if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
 			lp_ctx->flags[i] |= FLAG_DEFAULT;
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index dc1a830cdbe1..fb15b20e1876 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -997,7 +997,6 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 
 	Globals.kdc_default_domain_supported_enctypes =
 		KERB_ENCTYPE_RC4_HMAC_MD5 | KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK;
-	Globals.kdc_force_enable_rc4_weak_session_keys = false;
 
 	/* Now put back the settings that were set with lp_set_cmdline() */
 	apply_lp_set_cmdline();
-- 
2.34.1