samba/backport-0018-CVE-2022-37966.patch


From 945c8c8306fe71dbe3fe14c42cb2dabc9853957e Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Mon, 21 Nov 2022 13:47:06 +1300
Subject: [PATCH 18/54] CVE-2022-37966 samba-tool: Declare explicitly RC4
support of trust objects
As we will assume, as part of the fixes for CVE-2022-37966, that trust
objects with no msDS-SupportedEncryptionTypes attribute support AES
keys, RC4 support must now be explicitly indicated.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 086646865eef247a54897f5542495a2105563a5e)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
python/samba/netcmd/domain.py | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py
index 0051837138b2..e2eeabd6d1a1 100644
--- a/python/samba/netcmd/domain.py
+++ b/python/samba/netcmd/domain.py
@@ -2335,11 +2335,14 @@ class cmd_domain_trust_create(DomainTrustCommand):
if treat_as_external:
raise CommandError("--treat-as-external requires --type=forest")
- enc_types = None
+ enc_types = lsa.TrustDomainInfoSupportedEncTypes()
if use_aes_keys:
- enc_types = lsa.TrustDomainInfoSupportedEncTypes()
enc_types.enc_types = security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96
enc_types.enc_types |= security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96
+ else:
+ # CVE-2022-37966: Trust objects are no longer assumed to support
+ # RC4, so we must indicate support explicitly.
+ enc_types.enc_types = security.KERB_ENCTYPE_RC4_HMAC_MD5
local_policy_access = lsa.LSA_POLICY_VIEW_LOCAL_INFORMATION
local_policy_access |= lsa.LSA_POLICY_TRUST_ADMIN
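Review bot: The new `else` branch pins every trust created without `use_aes_keys` to RC4-HMAC-MD5 only, so the weaker cipher is now written explicitly where previously the attribute was simply absent; the added comment should say that this preserves the earlier effective behaviour rather than adding RC4 support, e.g. `# Without use_aes_keys the trust is advertised as RC4-only, matching the previous implicit behaviour; AES keys remain the recommended choice.` Because `enc_types` is no longer `None` on the non-AES path, any later code in cmd_domain_trust_create that used `None` to mean "do not set msDS-SupportedEncryptionTypes" will now always write the attribute; that appears to be the intent of the commit message, but the consumer is outside the hunk and should be confirmed. The help text for the `use_aes_keys` option, also outside the hunk, should presumably state that omitting it yields an RC4-only trust. The enclosing method continues past the hunk.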
--
2.34.1