From 693540a9ac017afbaeea5800f9025b75e390f53b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 19 Nov 2019 14:52:44 +0100
Subject: [PATCH 207/208] libcli:auth: If weak crypto is disallowed reject md5
 servers

Signed-off-by: Andreas Schneider <asn@samba.org>
---
 docs-xml/smbdotconf/winbind/rejectmd5servers.xml | 2 ++
 libcli/auth/netlogon_creds_cli.c                 | 6 ++++++
 2 files changed, 8 insertions(+)

diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
index 37656293aa4..e8b06615a9c 100644
--- a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
+++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
@@ -16,6 +16,8 @@
 	by using 'reject md5 servers:NETBIOSDOMAIN = yes' as option.</para>
 
 	<para>This option takes precedence to the <smbconfoption name="require strong key"/> option.</para>
+
+	<para>If weak cryptography is not allowed by the system, md5 servers will *always* be rejected.</para>
 </description>
 
 <value type="default">no</value>
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index c8f4227a924..fe453c268cf 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -39,6 +39,7 @@
 #include "libds/common/roles.h"
 #include "lib/crypto/md4.h"
 #include "auth/credentials/credentials.h"
+#include "loadparm.h"
 
 struct netlogon_creds_cli_locked_state;
 
@@ -303,6 +304,11 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
 					     server_netbios_domain,
 					     reject_md5_servers);
 
+	if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+		reject_md5_servers = true;
+	}
+
+
 	/*
 	 * allow overwrite per domain
 	 * require strong key:<netbios_domain>
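Review bot: The added `reject_md5_servers = true;` runs after the per-domain `reject md5 servers:<netbios_domain>` lookup, so an administrator's explicit `no` is overridden with no comment and no log output, which will likely make a later failure against an MD5-only server hard to attribute. A comment on the block would record the intent, e.g. `/* weak crypto disallowed by system policy: overrides any "reject md5 servers" setting */`, and a debug-level message emitted only when the value actually flips from false to true would give operators something to search for. The hunk also adds two consecutive blank lines before the following comment; one is enough. netlogon_creds_cli_context_global starts and ends outside this hunk, so whether the `require strong key` handling below is tightened in the same case cannot be judged from here.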
-- 
2.23.0