CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 servers' default to yes

AES is supported by Windows >= 2008R2 and Samba >= 4.0 so there's no
reason to allow md5 servers by default.

Note the change in netlogon_creds_cli_context_global() is only cosmetic,
but avoids confusion while reading the code. Check with:

 git show -U35 libcli/auth/netlogon_creds_cli.c

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
index 151b4676c57b8b6d2a8a8f03c115d22884562c13..3bc4eaf7b02e2a99f7ffb7be087d4c77731bd54b 100644 (file)
--- a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
+++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
@@ -13,10 +13,13 @@
        This will prevent downgrade attacks.</para>
 
        <para>The behavior can be controlled per netbios domain
-       by using 'reject md5 servers:NETBIOSDOMAIN = yes' as option.</para>
+       by using 'reject md5 servers:NETBIOSDOMAIN = no' as option.</para>
+
+       <para>The default changed from 'no' to 'yes, with the patches for CVE-2022-38023,
+       see https://bugzilla.samba.org/show_bug.cgi?id=15240</para>
 
        <para>This option overrides the <smbconfoption name="require strong key"/> option.</para>
 </description>
 
-<value type="default">no</value>
+<value type="default">yes</value>
 </samba:parameter>

diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index d8646120e6bd773e94870fa2b93213d18d89a945..10157c95bc16a0c95c66d94006575d28549917ee 100644 (file)
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2669,6 +2669,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
        lpcfg_do_global_parameter(lp_ctx, "winbind sealed pipes", "True");
        lpcfg_do_global_parameter(lp_ctx, "winbind scan trusted domains", "False");
        lpcfg_do_global_parameter(lp_ctx, "require strong key", "True");
+       lpcfg_do_global_parameter(lp_ctx, "reject md5 servers", "True");
        lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR);
        lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR);
        lpcfg_do_global_parameter_var(lp_ctx, "gpo update command", "%s/samba-gpupdate", dyn_SCRIPTSBINDIR);

diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index 2e7c06332f0b94276e12df8e200af966e49bd89e..0f4f7ad761e8c6d1db2c4605d00182ad09083657 100644 (file)
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -341,8 +341,8 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
        const char *client_computer;
        uint32_t proposed_flags;
        uint32_t required_flags = 0;
-       bool reject_md5_servers = false;
-       bool require_strong_key = false;
+       bool reject_md5_servers = true;
+       bool require_strong_key = true;
        int require_sign_or_seal = true;
        bool seal_secure_channel = true;
        enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;

diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 3429ecbe5e48b5071b58a6f4cb22f98f2e9e82a1..621b5b9f48c74b46a23458cbf9d246c34f2c3a1e 100644 (file)
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -664,6 +664,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
        Globals.client_schannel = true;
        Globals.winbind_sealed_pipes = true;
        Globals.require_strong_key = true;
+       Globals.reject_md5_servers = true;
        Globals.server_schannel = true;
        Globals.read_raw = true;
        Globals.write_raw = true;