NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx,
struct db_context **db)
{
+ netlogon_creds_cli_warn_options(lp_ctx);
+
if (netlogon_creds_cli_global_db != NULL) {
return NT_STATUS_INVALID_PARAMETER_MIX;
}
struct db_context *global_db;
int hash_size, tdb_flags;
+ netlogon_creds_cli_warn_options(lp_ctx);
+
if (netlogon_creds_cli_global_db != NULL) {
return NT_STATUS_OK;
}
TALLOC_FREE(netlogon_creds_cli_global_db);
}
+void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx)
+{
+ bool global_reject_md5_servers = lpcfg_reject_md5_servers(lp_ctx);
+ bool global_require_strong_key = lpcfg_require_strong_key(lp_ctx);
+ int global_client_schannel = lpcfg_client_schannel(lp_ctx);
+ bool global_seal_secure_channel = lpcfg_winbind_sealed_pipes(lp_ctx);
+ static bool warned_global_reject_md5_servers = false;
+ static bool warned_global_require_strong_key = false;
+ static bool warned_global_client_schannel = false;
+ static bool warned_global_seal_secure_channel = false;
+ static int warned_global_pid = 0;
+ int current_pid = getpid();
+
+ if (warned_global_pid != current_pid) {
+ warned_global_reject_md5_servers = false;
+ warned_global_require_strong_key = false;
+ warned_global_client_schannel = false;
+ warned_global_seal_secure_channel = false;
+ warned_global_pid = current_pid;
+ }
+
+ if (!global_reject_md5_servers && !warned_global_reject_md5_servers) {
+ /*
+ * We want admins to notice their misconfiguration!
+ */
+ DBG_ERR("CVE-2022-38023 (and others): "
+ "Please configure 'reject md5 servers = yes' (the default), "
+ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
+ warned_global_reject_md5_servers = true;
+ }
+
+ if (!global_require_strong_key && !warned_global_require_strong_key) {
+ /*
+ * We want admins to notice their misconfiguration!
+ */
+ DBG_ERR("CVE-2022-38023 (and others): "
+ "Please configure 'require strong key = yes' (the default), "
+ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
+ warned_global_require_strong_key = true;
+ }
+
+ if (global_client_schannel != true && !warned_global_client_schannel) {
+ /*
+ * We want admins to notice their misconfiguration!
+ */
+ DBG_ERR("CVE-2022-38023 (and others): "
+ "Please configure 'client schannel = yes' (the default), "
+ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
+ warned_global_client_schannel = true;
+ }
+
+ if (!global_seal_secure_channel && !warned_global_seal_secure_channel) {
+ /*
+ * We want admins to notice their misconfiguration!
+ */
+ DBG_ERR("CVE-2022-38023 (and others): "
+ "Please configure 'winbind sealed pipes = yes' (the default), "
+ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
+ warned_global_seal_secure_channel = true;
+ }
+}
+
NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
struct messaging_context *msg_ctx,
const char *client_account,