From faa7babcd8db9ef14398848d0c398578d1a79d85 Mon Sep 17 00:00:00 2001
From: Rob van der Linde
Date: Mon, 27 Feb 2023 14:06:23 +1300
Subject: [PATCH] CVE-2023-0614: set default ldap client sasl wrapping to seal
Signed-off-by: Rob van der Linde
Signed-off-by: Andrew Bartlett
Reviewed-by: Joseph Sutton
---
 .../ldap/clientldapsaslwrapping.xml | 27 +++++++++----------
 lib/param/loadparm.c | 2 +-
 python/samba/tests/auth_log.py | 2 +-
 source3/param/loadparm.c | 2 +-
 4 files changed, 16 insertions(+), 17 deletions(-)
diff --git a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
index 3152f0682dd..21bd2090057 100644
--- a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
+++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
@@ -18,25 +18,24 @@ - This option is needed in the case of Domain Controllers enforcing - the usage of signed LDAP connections (e.g. Windows 2000 SP3 or higher). - LDAP sign and seal can be controlled with the registry key - "HKLM\System\CurrentControlSet\Services\ - NTDS\Parameters\LDAPServerIntegrity" - on the Windows server side. - + This option is needed firstly to secure the privacy of + administrative connections from samba-tool, + including in particular new or reset passwords for users. For + this reason the default is seal. - - Depending on the used KRB5 library (MIT and older Heimdal versions) - it is possible that the message "integrity only" is not supported. - In this case, sign is just an alias for - seal. + Additionally, winbindd and the + net tool can use LDAP to communicate with + Domain Controllers, so this option also controls the level of + privacy for those connections. All supported AD DC versions + will enforce the usage of at least signed LDAP connections by + default, so a value of at least sign is + required in practice. - The default value is sign. That implies synchronizing the time + The default value is seal. That implies synchronizing the time with the KDC in the case of using Kerberos. -sign +seal
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 6ab7fa89db7..16cb0d47f31 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2990,7 +2990,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 lpcfg_do_global_parameter(lp_ctx, "ldap debug threshold", "10");
- lpcfg_do_global_parameter(lp_ctx, "client ldap sasl wrapping", "sign");
+ lpcfg_do_global_parameter(lp_ctx, "client ldap sasl wrapping", "seal");
 lpcfg_do_global_parameter(lp_ctx, "mdns name", "netbios");
diff --git a/python/samba/tests/auth_log.py b/python/samba/tests/auth_log.py
index d166b93d90a..8f9f487f82a 100644
--- a/python/samba/tests/auth_log.py
+++ b/python/samba/tests/auth_log.py
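Review bot: The new default is maintained by hand in three places that this patch edits separately — the "seal" string in this lpcfg_do_global_parameter() call, `Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SEAL;` in init_globals() in source3/param/loadparm.c, and the `<value type="default">` in the XML — with nothing at either C site pointing at the other, so the s3 and s4 defaults can drift apart in a later change. Unless a docs/defaults consistency test already covers this parameter, a comment at each site would help, e.g. `/* default must match source3/param/loadparm.c init_globals() and docs-xml */`. Note that these hunks only harden the default: an smb.conf that already sets `client ldap sasl wrapping = sign` or `plain` keeps that weaker protection for the password-handling traffic the XML text now names, and nothing in these hunks reports that at parse time. loadparm_init's body continues outside the hunk.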
@@ -470,7 +470,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
 def isLastExpectedMessage(msg):
 return (msg["type"] == "Authorization" and
 msg["Authorization"]["serviceDescription"] == "LDAP" and
- msg["Authorization"]["transportProtection"] == "SIGN" and
+ msg["Authorization"]["transportProtection"] == "SEAL" and
 msg["Authorization"]["authType"] == "krb5")
 self.samdb = SamDB(url="ldap://%s" % os.environ["SERVER"],
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 05a5ae20abe..12718ced9e7 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -756,7 +756,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 Globals.ldap_debug_level = 0;
 Globals.ldap_debug_threshold = 10;
- Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN;
+ Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SEAL;
 Globals.ldap_server_require_strong_auth = LDAP_SERVER_REQUIRE_STRONG_AUTH_YES;
-- 
2.25.1
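Review bot: isLastExpectedMessage now expects "SEAL" but, as far as the hunk shows, the SamDB connection relies on the loadparm default rather than an explicit setting, so a later change to that default, or a test environment whose smb.conf sets `client ldap sasl wrapping` itself, would only surface as the expected Authorization message never matching, with no direct diagnostic. Consider pinning the effective value up front, e.g. `self.assertEqual(self.get_loadparm().get("client ldap sasl wrapping"), "seal")`, assuming the base class exposes get_loadparm(). The enclosing test method starts before this hunk and the SamDB(...) call continues past it.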