my $extra_conf_options = "netbios aliases = localDC1-a
server services = +winbind -winbindd
ldap server require strong auth = allow_sasl_over_tls
- allow nt4 crypto = yes
raw NTLMv2 auth = yes
lsa over netlogon = yes
rpc server port = 1027
dsdb password event notification = true
dsdb group change notification = true
- reject md5 clients = no
-
CVE_2020_1472:warn_about_unused_debug_level = 3
+ CVE_2022_38023:warn_about_unused_debug_level = 3
+ allow nt4 crypto:torturetest\$ = yes
+ server reject md5 schannel:schannel2\$ = no
+ server reject md5 schannel:schannel3\$ = no
+ server reject md5 schannel:schannel8\$ = no
+ server reject md5 schannel:schannel9\$ = no
+ server reject md5 schannel:torturetest\$ = no
+ server reject md5 schannel:tests4u2proxywk\$ = no
+ server reject md5 schannel:tests4u2selfbdc\$ = no
+ server reject md5 schannel:tests4u2selfwk\$ = no
+ server reject md5 schannel:torturepacbdc\$ = no
+ server reject md5 schannel:torturepacwksta\$ = no
server require schannel:schannel0\$ = no
server require schannel:schannel1\$ = no
server require schannel:schannel2\$ = no
my $extra_conf_options = "
spnego:simulate_w2k=yes
ntlmssp_server:force_old_spnego=yes
+
+ CVE_2022_38023:warn_about_unused_debug_level = 3
+ server reject md5 schannel:tests4u2proxywk\$ = no
+ server reject md5 schannel:tests4u2selfbdc\$ = no
+ server reject md5 schannel:tests4u2selfwk\$ = no
+ server reject md5 schannel:torturepacbdc\$ = no
+ server reject md5 schannel:torturepacwksta\$ = no
";
my $extra_provision_options = ["--use-ntvfs", "--base-schema=2008_R2"];
# This environment uses plain text secrets
my $extra_conf_options = "allow dns updates = nonsecure and secure
dcesrv:header signing = no
dcesrv:max auth states = 0
- dns forwarder = $ip_addr1 $ip_addr2";
+ dns forwarder = $ip_addr1 $ip_addr2
+
+ CVE_2022_38023:warn_about_unused_debug_level = 3
+ server reject md5 schannel:tests4u2proxywk\$ = no
+ server reject md5 schannel:tests4u2selfbdc\$ = no
+ server reject md5 schannel:tests4u2selfwk\$ = no
+ server reject md5 schannel:torturepacbdc\$ = no
+ server reject md5 schannel:torturepacwksta\$ = no
+";
+
my $extra_provision_options = ["--use-ntvfs", "--base-schema=2008_R2"];
my $ret = $self->provision($prefix,
"domain controller",
my ($self, $prefix, $dcvars) = @_;
print "PROVISIONING DC WITH FOREST LEVEL 2008r2...\n";
- my $extra_conf_options = "ldap server require strong auth = no";
+ my $extra_conf_options = "
+ ldap server require strong auth = no
+
+ CVE_2022_38023:warn_about_unused_debug_level = 3
+ server reject md5 schannel:tests4u2proxywk\$ = no
+ server reject md5 schannel:tests4u2selfbdc\$ = no
+ server reject md5 schannel:tests4u2selfwk\$ = no
+ server reject md5 schannel:torturepacbdc\$ = no
+ server reject md5 schannel:torturepacwksta\$ = no
+";
my $extra_provision_options = ["--use-ntvfs", "--base-schema=2008_R2"];
my $ret = $self->provision($prefix,
"domain controller",
lpq cache time = 0
print notify backchannel = yes
- reject md5 clients = no
-
CVE_2020_1472:warn_about_unused_debug_level = 3
+ CVE_2022_38023:warn_about_unused_debug_level = 3
+ CVE_2022_38023:error_debug_level = 2
+ server reject md5 schannel:schannel2\$ = no
+ server reject md5 schannel:schannel3\$ = no
+ server reject md5 schannel:schannel8\$ = no
+ server reject md5 schannel:schannel9\$ = no
+ server reject md5 schannel:torturetest\$ = no
+ server reject md5 schannel:tests4u2proxywk\$ = no
+ server reject md5 schannel:tests4u2selfbdc\$ = no
+ server reject md5 schannel:tests4u2selfwk\$ = no
+ server reject md5 schannel:torturepacbdc\$ = no
+ server reject md5 schannel:torturepacwksta\$ = no
+ server reject md5 schannel:samlogontest\$ = no
server require schannel:schannel0\$ = no
server require schannel:schannel1\$ = no
server require schannel:schannel2\$ = no