CVE-2022-37966 param: let "kdc default domain supportedenctypes = 0" mean the default
authorStefan Metzmacher <metze@samba.org>
Wed, 30 Nov 2022 08:05:51 +0000 (09:05 +0100)
committerStefan Metzmacher <metze@samba.org>
Tue, 13 Dec 2022 23:48:49 +0000 (00:48 +0100)
In order to allow better upgrades we need the default value in smb.conf to stay the
same even if the effective default value of the software changes in future.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit fa64f8fa8d92167ed15d1109af65bbb4daab4bad)

[jsutton@samba.org Fixed conflicts]

docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml
lib/param/loadparm.c
python/samba/tests/krb5/etype_tests.py
python/samba/tests/krb5/kdc_base_test.py
source3/param/loadparm.c
source4/kdc/db-glue.c

index e93650ac3e078496b168c2996217209ac71e002b..984611167b595e977fb9bf32439c0f904779d70c 100644 (file)
@@ -38,5 +38,5 @@
 
 </description>
 
-<value type="default">36<comment>equivalent to: rc4-hmac aes256-cts-hmac-sha1-96-sk</comment></value>
+<value type="default">0<comment>maps to what the software supports currently: arcfour-hmac-md5 aes256-cts-hmac-sha1-96-sk</comment></value>
 </samba:parameter>
index b712609e3a7c0ee81464ffee07b176a92fb8d719..d55df1f4f80ed62854d1fbd9cc884b732e8c0863 100644 (file)
@@ -3076,10 +3076,6 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
                                  "min domain uid",
                                  "1000");
 
-       lpcfg_do_global_parameter(lp_ctx,
-                                 "kdc default domain supported enctypes",
-                                 "rc4-hmac aes256-cts-hmac-sha1-96-sk");
-
        for (i = 0; parm_table[i].label; i++) {
                if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
                        lp_ctx->flags[i] |= FLAG_DEFAULT;
index 1a16518df94e682c32c59cca71c4e9f71b7c0ebe..9725d544c2ac5ac4a983a3f51da13d5ca6c809ad 100755 (executable)
@@ -63,6 +63,8 @@ class EtypeTests(KdcTgsBaseTests):
             lp = self.get_lp()
             self.default_supported_enctypes = lp.get(
                 'kdc default domain supported enctypes')
+            if self.default_supported_enctypes == 0:
+                self.default_supported_enctypes = rc4_bit | aes256_sk_bit
 
     def _server_creds(self, supported=None, force_nt4_hash=False,
                       account_type=None):
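Review bot: `rc4_bit` and `aes256_sk_bit` on the added line are neither defined nor imported within this hunk; presumably they reach this module through an import of the new module-level names in kdc_base_test.py that lies outside the hunk, which is worth confirming since a plain `from ... import KdcTgsBaseTests` would not bring them in. The `== 0` comparison also assumes `lp.get()` hands back an int for this parameter; the same pattern appears in the kdc_base_test.py hunk, where `int(supported_enctypes)` runs only after the comparison, so coercing first — `supported_enctypes = int(lp.get('kdc default domain supported enctypes'))` before the `== 0` check — would keep the fallback from being skipped silently if a string ever came back. The enclosing method starts outside the hunk.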
index 44ebd6cb61b7486c034543b620c98535c4062363..1a554016b1ee78d2d79d525375030b7f2d3a294b 100644 (file)
@@ -58,6 +58,9 @@ from samba.ndr import ndr_pack, ndr_unpack
 from samba import net
 from samba.samdb import SamDB, dsdb_Dn
 
+rc4_bit = security.KERB_ENCTYPE_RC4_HMAC_MD5
+aes256_sk_bit = security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK
+
 from samba.tests import delete_force
 import samba.tests.krb5.kcrypto as kcrypto
 from samba.tests.krb5.raw_testcase import (
@@ -633,7 +636,8 @@ class KDCBaseTest(RawKerberosTest):
         if supported_enctypes is None:
             lp = self.get_lp()
             supported_enctypes = lp.get('kdc default domain supported enctypes')
-
+            if supported_enctypes == 0:
+                supported_enctypes = rc4_bit | aes256_sk_bit
         supported_enctypes = int(supported_enctypes)
 
         if extra_bits is not None:
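Review bot: The module-level `rc4_bit` and `aes256_sk_bit` assignments in the first hunk sit between two import groups (`from samba.samdb import SamDB, dsdb_Dn` and `from samba.tests import delete_force`), which splits the import block; moving them below the last import keeps the module header conventional. A short comment would also help readers, since the pair mirrors the fallback the KDC applies when the parameter is 0, e.g. `# Effective default when "kdc default domain supported enctypes" is 0; keep in sync with source4/kdc/db-glue.c`. The second hunk's enclosing method starts and ends outside the hunk.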
index ea1686e8aa05f83557495dde020cc11546159864..fb2035449c4423e13195fd4fd0c57f941846df69 100644 (file)
@@ -982,9 +982,6 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 
        Globals.min_domain_uid = 1000;
 
-       Globals.kdc_default_domain_supported_enctypes =
-               KERB_ENCTYPE_RC4_HMAC_MD5 | KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK;
-
        /* Now put back the settings that were set with lp_set_cmdline() */
        apply_lp_set_cmdline();
 }
index 9bcfd7b8c85c12d82c44313df2f663290fcc542a..ae32634735d2fc35f69757c97ac4b7592638ac9f 100644 (file)
@@ -953,7 +953,11 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
        bool force_rc4 = lpcfg_kdc_force_enable_rc4_weak_session_keys(lp_ctx);
        struct ldb_message_element *objectclasses;
        struct ldb_val computer_val;
-       uint32_t default_supported_enctypes = lpcfg_kdc_default_domain_supported_enctypes(lp_ctx);
+       uint32_t config_default_supported_enctypes = lpcfg_kdc_default_domain_supported_enctypes(lp_ctx);
+       uint32_t default_supported_enctypes =
+               config_default_supported_enctypes != 0 ?
+               config_default_supported_enctypes :
+               ENC_RC4_HMAC_MD5 | ENC_HMAC_SHA1_96_AES256_SK;
        uint32_t supported_enctypes
                = ldb_msg_find_attr_as_uint(msg,
                                            "msDS-SupportedEncryptionTypes",
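Review bot: The fallback `ENC_RC4_HMAC_MD5 | ENC_HMAC_SHA1_96_AES256_SK` on the added lines restates a value that also lives in the smb.conf documentation and in the Python test constants, with nothing tying the three copies together; a comment on the `default_supported_enctypes` initialiser would make the contract explicit, e.g. `/* 0 means "use the software default"; keep in sync with docs-xml kdcdefaultdomainsupportedenctypes.xml and the krb5 tests */`. Since the commit message says the effective default may change in future, a single named constant shared by the KDC and the tests would be safer than maintaining the value in three places. The enclosing function samba_kdc_message2entry starts and continues outside the hunk.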