From 693540a9ac017afbaeea5800f9025b75e390f53b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Tue, 19 Nov 2019 14:52:44 +0100
Subject: [PATCH 207/208] libcli:auth: If weak crypto is disallowed reject md5
servers
Signed-off-by: Andreas Schneider <asn@samba.org>
---
docs-xml/smbdotconf/winbind/rejectmd5servers.xml | 2 ++
libcli/auth/netlogon_creds_cli.c | 6 ++++++
2 files changed, 8 insertions(+)
diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
index 37656293aa4..e8b06615a9c 100644
--- a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
+++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
@@ -16,6 +16,8 @@
by using 'reject md5 servers:NETBIOSDOMAIN = yes' as option.</para>
<para>This option takes precedence to the <smbconfoption name="require strong key"/> option.</para>
+
+ <para>If weak cryptography is not allowed by the system, md5 servers will *always* be rejected.</para>
</description>
<value type="default">no</value>
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index c8f4227a924..fe453c268cf 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -39,6 +39,7 @@
#include "libds/common/roles.h"
#include "lib/crypto/md4.h"
#include "auth/credentials/credentials.h"
+#include "loadparm.h"
struct netlogon_creds_cli_locked_state;
@@ -303,6 +304,11 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
server_netbios_domain,
reject_md5_servers);
+ if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+ reject_md5_servers = true;
+ }
+
+
/*
* allow overwrite per domain
* require strong key:<netbios_domain>
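Review bot: The new `lpcfg_weak_crypto()` check in netlogon_creds_cli_context_global silently overrides whatever the administrator configured, both the global value and the per-domain `reject md5 servers:<netbios_domain>` lookup that ends just above it, and nothing in the code records why. A one-line comment would make the ordering requirement explicit, for example `/* weak crypto disallowed: force rejection; must stay after the per-domain lookup */`, and a debug-level message here would help diagnose a failed connection to an MD5-only DC on a host that has an explicit `reject md5 servers = no`. The hunk also adds two consecutive blank lines after the closing brace where one is enough. The function starts and ends outside the hunk, so it is not visible here whether later code can change `reject_md5_servers` again or whether `require_strong_key` is tightened to match.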
--
2.23.0