From 693540a9ac017afbaeea5800f9025b75e390f53b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 19 Nov 2019 14:52:44 +0100
Subject: [PATCH 207/208] libcli:auth: If weak crypto is disallowed reject md5
servers
Signed-off-by: Andreas Schneider <asn@samba.org>
---
docs-xml/smbdotconf/winbind/rejectmd5servers.xml | 2 ++
libcli/auth/netlogon_creds_cli.c | 6 ++++++
2 files changed, 8 insertions(+)
diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
index 37656293aa4..e8b06615a9c 100644
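--- a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
+++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
@@ -16,6 +16,8 @@
 by using 'reject md5 servers:NETBIOSDOMAIN = yes' as option.</para>
 
 <para>This option takes precedence to the <smbconfoption name="require strong key"/> option.</para>
+
+ <para>If weak cryptography is not allowed by the system, md5 servers will *always* be rejected.</para>
 </description>
 
 <value type="default">no</value>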
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index c8f4227a924..fe453c268cf 100644
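--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -39,6 +39,7 @@
 #include "libds/common/roles.h"
 #include "lib/crypto/md4.h"
 #include "auth/credentials/credentials.h"
+#include "loadparm.h"
 
 struct netlogon_creds_cli_locked_state;
 
@@ -303,6 +304,11 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
 server_netbios_domain,
 reject_md5_servers);
 
+ if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+ reject_md5_servers = true;
+ }
+
+
 /*
 * allow overwrite per domain
 * require strong key:<netbios_domain>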
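Review bot: The new `if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED)` block in the second hunk silently overrides an explicit `reject md5 servers = no`, including what appears to be the per-domain lookup whose tail is visible just above it, and leaves no trace of why. An administrator diagnosing a failed netlogon connection to a legacy DC would still see `no` in the configuration, so a short comment such as `/* system crypto policy overrides both the global and the per-domain setting */` and a debug-level log message when the value is actually flipped would make the enforcement auditable. The hunk also adds two consecutive blank lines after the closing brace where one is enough. The function body starts and ends outside the hunk, so whether `require strong key` is likewise forced further down cannot be confirmed from here.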
--
2.23.0