This will prevent downgrade attacks.</para>
<para>The behavior can be controlled per netbios domain
- by using 'reject md5 servers:NETBIOSDOMAIN = yes' as option.</para>
+ by using 'reject md5 servers:NETBIOSDOMAIN = no' as option.</para>
+
+ <para>The default changed from 'no' to 'yes, with the patches for CVE-2022-38023,
+ see https://bugzilla.samba.org/show_bug.cgi?id=15240</para>
<para>This option overrides the <smbconfoption name="require strong key"/> option.</para>
</description>
-<value type="default">no</value>
+<value type="default">yes</value>
</samba:parameter>
lpcfg_do_global_parameter(lp_ctx, "winbind sealed pipes", "True");
lpcfg_do_global_parameter(lp_ctx, "winbind scan trusted domains", "False");
lpcfg_do_global_parameter(lp_ctx, "require strong key", "True");
+ lpcfg_do_global_parameter(lp_ctx, "reject md5 servers", "True");
lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR);
lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR);
lpcfg_do_global_parameter_var(lp_ctx, "gpo update command", "%s/samba-gpupdate", dyn_SCRIPTSBINDIR);
const char *client_computer;
uint32_t proposed_flags;
uint32_t required_flags = 0;
- bool reject_md5_servers = false;
- bool require_strong_key = false;
+ bool reject_md5_servers = true;
+ bool require_strong_key = true;
int require_sign_or_seal = true;
bool seal_secure_channel = true;
enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
Globals.client_schannel = true;
Globals.winbind_sealed_pipes = true;
Globals.require_strong_key = true;
+ Globals.reject_md5_servers = true;
Globals.server_schannel = true;
Globals.read_raw = true;
Globals.write_raw = true;