From c8e53394b98b128ed460a6111faf05dfbad980d1 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 24 Nov 2022 18:26:18 +0100
Subject: CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 clients'
 default to yes

AES is supported by Windows Server >= 2008R2, Windows (Client) >= 7 and Samba >= 4.0,
so there's no reason to allow md5 clients by default.
However some third party domain members may need it.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
---
 source3/param/loadparm.c | 1 +
 1 file changed, 1 insertion(+)

(limited to 'source3/param')

diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 621b5b9f48c..336852b927c 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -666,6 +666,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 	Globals.require_strong_key = true;
 	Globals.reject_md5_servers = true;
 	Globals.server_schannel = true;
+	Globals.reject_md5_clients = true;
 	Globals.read_raw = true;
 	Globals.write_raw = true;
 	Globals.null_passwords = false;
-- 
cgit v1.2.1