diff options
author | Stefan Metzmacher <metze@samba.org> | 2022-11-30 09:05:51 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2022-12-13 13:07:30 +0000 |
commit | fa64f8fa8d92167ed15d1109af65bbb4daab4bad (patch) | |
tree | 927a8d2a9b9cf6ea6db3d161635e846d6f4a5164 /python | |
parent | 7504a4d6fee7805aac7657b9dab88c48353d6db4 (diff) | |
download | samba-fa64f8fa8d92167ed15d1109af65bbb4daab4bad.tar.gz |
CVE-2022-37966 param: let "kdc default domain supportedenctypes = 0" mean the default
In order to allow better upgrades we need the default value for smb.conf to the
same even if the effective default value of the software changes in future.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'python')
-rwxr-xr-x | python/samba/tests/krb5/etype_tests.py | 2 | ||||
-rw-r--r-- | python/samba/tests/krb5/kdc_base_test.py | 6 |
2 files changed, 7 insertions, 1 deletions
diff --git a/python/samba/tests/krb5/etype_tests.py b/python/samba/tests/krb5/etype_tests.py index 1a16518df94..9725d544c2a 100755 --- a/python/samba/tests/krb5/etype_tests.py +++ b/python/samba/tests/krb5/etype_tests.py @@ -63,6 +63,8 @@ class EtypeTests(KdcTgsBaseTests): lp = self.get_lp() self.default_supported_enctypes = lp.get( 'kdc default domain supported enctypes') + if self.default_supported_enctypes == 0: + self.default_supported_enctypes = rc4_bit | aes256_sk_bit def _server_creds(self, supported=None, force_nt4_hash=False, account_type=None): diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index 5a027d021cd..f0e72f00483 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -63,6 +63,9 @@ from samba.ndr import ndr_pack, ndr_unpack from samba import net from samba.samdb import SamDB, dsdb_Dn +rc4_bit = security.KERB_ENCTYPE_RC4_HMAC_MD5 +aes256_sk_bit = security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK + from samba.tests import delete_force import samba.tests.krb5.kcrypto as kcrypto from samba.tests.krb5.raw_testcase import ( @@ -802,7 +805,8 @@ class KDCBaseTest(RawKerberosTest): if supported_enctypes is None: lp = self.get_lp() supported_enctypes = lp.get('kdc default domain supported enctypes') - + if supported_enctypes == 0: + supported_enctypes = rc4_bit | aes256_sk_bit supported_enctypes = int(supported_enctypes) if extra_bits is not None: |