samba/backport-0007-CVE-2022-38023.patch


From 2d4faaf6eb2cc2cb0c13f46f348e2710c8f9e3cf Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 24 Nov 2022 18:22:23 +0100
Subject: [PATCH 07/30] CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5
servers' default to yes
AES is supported by Windows >= 2008R2 and Samba >= 4.0, so there's no
reason to allow md5 servers by default.
Note the change in netlogon_creds_cli_context_global() is only cosmetic,
but avoids confusion while reading the code. Check with:
git show -U35 libcli/auth/netlogon_creds_cli.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 1c6c1129905d0c7a60018e7bf0f17a0fd198a584)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17692
---
docs-xml/smbdotconf/winbind/rejectmd5servers.xml | 7 +++++--
lib/param/loadparm.c | 1 +
libcli/auth/netlogon_creds_cli.c | 4 ++--
source3/param/loadparm.c | 1 +
4 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
index 151b4676c57b..3bc4eaf7b02e 100644
--- a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
+++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
@@ -13,10 +13,13 @@
This will prevent downgrade attacks.</para>
<para>The behavior can be controlled per netbios domain
- by using 'reject md5 servers:NETBIOSDOMAIN = yes' as option.</para>
+ by using 'reject md5 servers:NETBIOSDOMAIN = no' as option.</para>
+
+ <para>The default changed from 'no' to 'yes, with the patches for CVE-2022-38023,
+ see https://bugzilla.samba.org/show_bug.cgi?id=15240</para>
<para>This option overrides the <smbconfoption name="require strong key"/> option.</para>
</description>
-<value type="default">no</value>
+<value type="default">yes</value>
</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index d8646120e6bd..10157c95bc16 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2669,6 +2669,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "winbind sealed pipes", "True");
lpcfg_do_global_parameter(lp_ctx, "winbind scan trusted domains", "False");
lpcfg_do_global_parameter(lp_ctx, "require strong key", "True");
+ lpcfg_do_global_parameter(lp_ctx, "reject md5 servers", "True");
lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR);
lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR);
lpcfg_do_global_parameter_var(lp_ctx, "gpo update command", "%s/samba-gpupdate", dyn_SCRIPTSBINDIR);
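Review bot: The added `reject md5 servers` default carries no comment saying why it is `True`, and the same value is repeated independently in `source3/param/loadparm.c` (`Globals.reject_md5_servers = true;`) and in the XML `<value type="default">`, so a later edit to any one of the three could silently reintroduce the weaker default. A one-line comment above the added line, `/* CVE-2022-38023: md5 servers are rejected by default; keep in sync with source3/param/loadparm.c and the smb.conf docs */`, would tie the three places together. The same applies to the `source3/param/loadparm.c` hunk. loadparm_init() starts outside the hunk, so I cannot see whether anything else already couples these defaults.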
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index 848d993a3c66..52df5ab12a63 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -341,8 +341,8 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
const char *client_computer;
uint32_t proposed_flags;
uint32_t required_flags = 0;
- bool reject_md5_servers = false;
- bool require_strong_key = false;
+ bool reject_md5_servers = true;
+ bool require_strong_key = true;
int require_sign_or_seal = true;
bool seal_secure_channel = true;
enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
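Review bot: The initializers of `reject_md5_servers` and `require_strong_key` now read `true`, but nothing in the hunk says why, and the commit message calls the change cosmetic, which suggests the locals are replaced by a configuration lookup further down the function that is not visible here. A short comment on the two lines, `/* fallbacks mirror the smb.conf defaults; replaced from lp_ctx below */`, would keep a reader from taking the locals for the effective policy. netlogon_creds_cli_context_global() continues past the end of the hunk.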
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 43838575f3bf..91bb3c08327b 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -666,6 +666,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals.client_schannel = true;
Globals.winbind_sealed_pipes = true;
Globals.require_strong_key = true;
+ Globals.reject_md5_servers = true;
Globals.server_schannel = true;
Globals.read_raw = true;
Globals.write_raw = true;
--
2.34.1