From 693540a9ac017afbaeea5800f9025b75e390f53b Mon Sep 17 00:00:00 2001

From: Andreas Schneider <asn@samba.org>

Date: Tue, 19 Nov 2019 14:52:44 +0100

Subject: [PATCH 207/208] libcli:auth: If weak crypto is disallowed reject md5

 servers

Signed-off-by: Andreas Schneider <asn@samba.org>

---

 docs-xml/smbdotconf/winbind/rejectmd5servers.xml | 2 ++

 libcli/auth/netlogon_creds_cli.c                 | 6 ++++++

 2 files changed, 8 insertions(+)

diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml

index 37656293aa4..e8b06615a9c 100644

--- a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml

+++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml

@@ -16,6 +16,8 @@

 	by using 'reject md5 servers:NETBIOSDOMAIN = yes' as option.</para>

 	<para>This option takes precedence to the <smbconfoption name="require strong key"/> option.</para>

+

+	<para>If weak cryptography is not allowed by the system, md5 servers will *always* be rejected.</para>

 </description>

 <value type="default">no</value>

diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c

index c8f4227a924..fe453c268cf 100644

--- a/libcli/auth/netlogon_creds_cli.c

+++ b/libcli/auth/netlogon_creds_cli.c

@@ -39,6 +39,7 @@

 #include "libds/common/roles.h"

 #include "lib/crypto/md4.h"

 #include "auth/credentials/credentials.h"

+#include "loadparm.h"

 struct netlogon_creds_cli_locked_state;

@@ -303,6 +304,11 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,

 					     server_netbios_domain,

 					     reject_md5_servers);

+	if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {

+		reject_md5_servers = true;

+	}

+

+

 	/*

 	 * allow overwrite per domain

 	 * require strong key:<netbios_domain>

-- 

2.23.0