53 lines
1.8 KiB
Diff
53 lines
1.8 KiB
Diff
From 693540a9ac017afbaeea5800f9025b75e390f53b Mon Sep 17 00:00:00 2001
|
|
From: Andreas Schneider <asn@samba.org>
|
|
Date: Tue, 19 Nov 2019 14:52:44 +0100
|
|
Subject: [PATCH 207/208] libcli:auth: If weak crypto is disallowed reject md5
|
|
servers
|
|
|
|
Signed-off-by: Andreas Schneider <asn@samba.org>
|
|
---
|
|
docs-xml/smbdotconf/winbind/rejectmd5servers.xml | 2 ++
|
|
libcli/auth/netlogon_creds_cli.c | 6 ++++++
|
|
2 files changed, 8 insertions(+)
|
|
|
|
diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
|
|
index 37656293aa4..e8b06615a9c 100644
|
|
--- a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
|
|
+++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
|
|
@@ -16,6 +16,8 @@
|
|
by using 'reject md5 servers:NETBIOSDOMAIN = yes' as option.</para>
|
|
|
|
<para>This option takes precedence to the <smbconfoption name="require strong key"/> option.</para>
|
|
+
|
|
+ <para>If weak cryptography is not allowed by the system, md5 servers will *always* be rejected.</para>
|
|
</description>
|
|
|
|
<value type="default">no</value>
|
|
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
|
|
index c8f4227a924..fe453c268cf 100644
|
|
--- a/libcli/auth/netlogon_creds_cli.c
|
|
+++ b/libcli/auth/netlogon_creds_cli.c
|
|
@@ -39,6 +39,7 @@
|
|
#include "libds/common/roles.h"
|
|
#include "lib/crypto/md4.h"
|
|
#include "auth/credentials/credentials.h"
|
|
+#include "loadparm.h"
|
|
|
|
struct netlogon_creds_cli_locked_state;
|
|
|
|
@@ -303,6 +304,11 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
|
|
server_netbios_domain,
|
|
reject_md5_servers);
|
|
|
|
+ if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
|
|
+ reject_md5_servers = true;
|
|
+ }
|
|
+
|
|
+
|
|
/*
|
|
* allow overwrite per domain
|
|
* require strong key:<netbios_domain>
|
|
--
|
|
2.23.0
|
|
|