The branch, master has been updated
       via  cb279144037 s4:rpc_server/netlogon: fix dcesrv_netr_LogonSamLogon_base_call() for ServerAuthenticateKerberos()
       via  5aa79e32639 s4:rpc_server/netlogon: fix dcesrv_netr_ServerPasswordSet[2] for ServerAuthenticateKerberos
       via  ff16cb25c40 librpc/server: call dcesrv_netr_check_schannel() as schannel_check_creds_state() callback
       via  2cf8a8ea35d libcli/auth: let schannel_check_creds_state() take an access_check callback
       via  e830da448b1 selftest: add 'server support krb5 netlogon = yes' for ad_dc
       via  f4547f21762 selftest add 'server reject aes schannel:COMPUTER$' rules
       via  1a18706bcd4 s4:rpc_server/netlogon: implement dcesrv_netr_ServerAuthenticateKerberos
       via  4834b9daccf librpc/server: prepare schannel_util.c for netr_ServerAuthenticateKerberos
       via  c58137aad99 docs-xml/smbdotconf: add "server support krb5 netlogon" options
       via  a5993f0c5ce docs-xml/smbdotconf: add "server reject aes schannel[:COMPUTERACCOUNT]" options
       via  d002f371eca s4:rpc_server/lsa: allow krb5+privacy instead of schannel
       via  87b553084db auth_log: prepare for netr_ServerAuthenticateKerberos
       via  ff2e2875853 python:tests/krb5: add ServerAuthenticateKerberos related tests to netlogon.py
       via  64d5efa2ded pycredentials: add py_netlogon_creds_kerberos_init
       via  e296b912b21 python:tests/krb5: let netlogon.py test strong key without arcfour
       via  c7a0efb29e1 libcli/auth: add infrastructure for netr_ServerAuthenticateKerberos()
       via  36b5a751237 libcli/auth: add let netlogon_creds_alloc() use _talloc_keep_secret()
       via  d091182156f ldb: Add LGPLv3 LICENSE file
       via  d1849ba12f5 tdb: Add LGPLv3 LICENSE file
       via  24494f9ff72 tevent: Add LGPLv3 LICENSE file
       via  cd0fb59568d talloc: Add LGPLv3 LICENSE file
      from  19657be71d7 s4:rpc_server: make use of dcesrv_assoc_group_common_destructor()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit cb279144037d79bd40da93c082d34ab3a425bf64
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Nov 26 11:13:32 2024 +0100

    s4:rpc_server/netlogon: fix dcesrv_netr_LogonSamLogon_base_call() for ServerAuthenticateKerberos()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>
    
    Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org>
    Autobuild-Date(master): Thu Dec 12 15:00:10 UTC 2024 on atb-devel-224

commit 5aa79e3263979e0251925bc666c32f31132c370b
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Nov 26 11:10:16 2024 +0100

    s4:rpc_server/netlogon: fix dcesrv_netr_ServerPasswordSet[2] for ServerAuthenticateKerberos
    
    Review with: git show --patience
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit ff16cb25c40607f5fb1923501e56b26e3dd19090
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Nov 26 12:55:12 2024 +0100

    librpc/server: call dcesrv_netr_check_schannel() as schannel_check_creds_state() callback
    
    If schannel is not used we need to return ACCESS_DENIED and discard
    the effect of netlogon_creds_server_step_check().
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 2cf8a8ea35d75c7dcac0e724b473f66a36acd8b2
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Nov 26 12:54:02 2024 +0100

    libcli/auth: let schannel_check_creds_state() take an access_check callback
    
    This allows the callback to decide if the updated creds should be stored
    or not.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit e830da448b10d9a2e23627ce00f153656b17988f
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Nov 26 11:01:16 2024 +0100

    selftest: add 'server support krb5 netlogon = yes' for ad_dc
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit f4547f217629d55bb843ca25def4365627848350
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Nov 26 19:43:44 2024 +0100

    selftest add 'server reject aes schannel:COMPUTER$' rules
    
    These avoid a lot of messages during the tests...
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 1a18706bcd4aab306e6e9069175685b90a5df958
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Oct 29 18:30:22 2024 +0100

    s4:rpc_server/netlogon: implement dcesrv_netr_ServerAuthenticateKerberos
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 4834b9daccf138d8cf0d0d12980643c2e09d732e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Oct 29 18:30:22 2024 +0100

    librpc/server: prepare schannel_util.c for netr_ServerAuthenticateKerberos
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit c58137aad998cd9d652c798e0707246d2cc4ad03
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Nov 7 15:37:57 2024 +0100

    docs-xml/smbdotconf: add "server support krb5 netlogon" options
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit a5993f0c5ce026a088d7692fc2debbf94a6d6e7c
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Nov 7 15:16:18 2024 +0100

    docs-xml/smbdotconf: add "server reject aes schannel[:COMPUTERACCOUNT]" options
    
    This will be useful in order to require netr_ServerAuthenticateKerberos()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit d002f371ecab65bba4752398c0bf710a717e3069
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed May 1 01:09:40 2024 +0200

    s4:rpc_server/lsa: allow krb5+privacy instead of schannel
    
    With netr_ServerAuthenticateKerberos() clients also use
    krb5 for lsa_LookupSids3 and lsa_LookupNames4.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 87b553084db9a57bbf0aa44361e5698a031c9d43
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Oct 29 18:30:22 2024 +0100

    auth_log: prepare for netr_ServerAuthenticateKerberos
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit ff2e2875853f20d5ccf4016b805c593f22b92c03
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Nov 22 19:51:17 2024 +0100

    python:tests/krb5: add ServerAuthenticateKerberos related tests to netlogon.py
    
    Works against Windows 2025 preview:
    
    SMB_CONF_PATH=/dev/null \
    SERVER=172.31.9.115 DC_SERVER=w2025p-115.w2025p-l8.base \
    DOMAIN="W2025P-L8" REALM="W2025P-L8.BASE" \
    ADMIN_USERNAME="Administrator" ADMIN_PASSWORD="A1b2C3d4" \
    NETLOGON_STRONG_KEY_SUPPORT=1 NETLOGON_AUTH_KRB5_SUPPORT=1 \
    STRICT_CHECKING=0 python/samba/tests/krb5/netlogon.py
    
    The code still works against Windows 2022 with the
    following options:
    
    SMB_CONF_PATH=/dev/null \
    SERVER=172.31.9.118 DC_SERVER=w2022-118.w2022-l7.base \
    DOMAIN="W2022-L7" REALM="W2022-L7.BASE" \
    ADMIN_USERNAME="Administrator" ADMIN_PASSWORD="A1b2C3d4" \
    NETLOGON_STRONG_KEY_SUPPORT=1 NETLOGON_AUTH_KRB5_SUPPORT=0 \
    STRICT_CHECKING=0 python/samba/tests/krb5/netlogon.py
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 64d5efa2dedce3c671f7ff3d87884b1c3cce8d72
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Nov 22 15:31:15 2024 +0100

    pycredentials: add py_netlogon_creds_kerberos_init
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit e296b912b21c9e57f7a62789c7ebe73ed49ce718
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Nov 26 18:51:07 2024 +0100

    python:tests/krb5: let netlogon.py test strong key without arcfour
    
    It shows that there's no encryption on buffers...
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit c7a0efb29e1cd2e8655a1fe0c89fe7ac79b52f2c
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Oct 29 18:02:19 2024 +0100

    libcli/auth: add infrastructure for netr_ServerAuthenticateKerberos()
    
    This shows that STRONG_KEY without ARCFOUR means no encryption
    for ServerPasswordSet2.
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit 36b5a75123742b69be190618b549e06374852b58
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Dec 11 10:14:44 2024 +0100

    libcli/auth: add let netlogon_creds_alloc() use _talloc_keep_secret()
    
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit d091182156f6467dbf19ac45f8b48de7e35dfc7a
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Dec 11 09:47:46 2024 +0100

    ldb: Add LGPLv3 LICENSE file
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15729
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit d1849ba12f576f28b3def2253a76b7706200e490
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Dec 11 09:47:24 2024 +0100

    tdb: Add LGPLv3 LICENSE file
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15729
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 24494f9ff720ba6a18db4163832e21106a7b4915
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Dec 11 09:45:33 2024 +0100

    tevent: Add LGPLv3 LICENSE file
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15729
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit cd0fb59568d525cb261ac711bf421020ffdfe575
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Dec 11 09:44:48 2024 +0100

    talloc: Add LGPLv3 LICENSE file
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15729
    
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 auth/auth_log.c                                    |   6 +-
 auth/common_auth.h                                 |   1 +
 auth/credentials/pycredentials.c                   |  68 +++
 auth/gensec/schannel.c                             |  31 ++
 docs-xml/smbdotconf/logon/allownt4crypto.xml       |  18 +-
 docs-xml/smbdotconf/logon/rejectmd5clients.xml     |  13 +
 .../smbdotconf/logon/serverrejectaesschannel.xml   | 118 +++++
 .../security/serversupportkrb5netlogon.xml         |  28 ++
 lib/ldb/LICENSE                                    | 165 +++++++
 lib/talloc/LICENSE                                 | 165 +++++++
 lib/tdb/LICENSE                                    | 165 +++++++
 lib/tevent/LICENSE                                 | 165 +++++++
 libcli/auth/credentials.c                          | 335 +++++++++++++-
 libcli/auth/proto.h                                |   8 +
 libcli/auth/schannel_state.h                       |   5 +
 libcli/auth/schannel_state_tdb.c                   |  21 +-
 librpc/idl/schannel.idl                            |  17 +-
 librpc/rpc/server/netlogon/schannel_util.c         | 121 ++++-
 python/samba/tests/krb5/netlogon.py                | 486 ++++++++++++++++++++-
 selftest/knownfail.d/samba.tests.krb5.netlogon     |   3 -
 selftest/target/Samba4.pm                          |  37 ++
 source4/rpc_server/lsa/lsa_lookup.c                |  12 +-
 source4/rpc_server/netlogon/dcerpc_netlogon.c      | 267 ++++++++++-
 source4/selftest/tests.py                          |   2 +
 24 files changed, 2188 insertions(+), 69 deletions(-)
 create mode 100644 docs-xml/smbdotconf/logon/serverrejectaesschannel.xml
 create mode 100644 docs-xml/smbdotconf/security/serversupportkrb5netlogon.xml
 create mode 100644 lib/ldb/LICENSE
 create mode 100644 lib/talloc/LICENSE
 create mode 100644 lib/tdb/LICENSE
 create mode 100644 lib/tevent/LICENSE


Changeset truncated at 500 lines:

diff --git a/auth/auth_log.c b/auth/auth_log.c
index 9a110fd0b48..a918db4e37f 100644
--- a/auth/auth_log.c
+++ b/auth/auth_log.c
@@ -754,8 +754,10 @@ static const char* get_password_type(const struct 
auth_usersupplied_info *ui)
        } else if (ui->auth_description != NULL &&
                   strncmp("ServerAuthenticate", ui->auth_description, 18) == 0)
        {
-               if (ui->netlogon_trust_account.negotiate_flags
-                   & NETLOGON_NEG_SUPPORTS_AES) {
+               if (ui->netlogon_trust_account.authenticate_kerberos) {
+                       password_type = "Kerberos";
+               } else if (ui->netlogon_trust_account.negotiate_flags
+                          & NETLOGON_NEG_SUPPORTS_AES) {
                        password_type = "HMAC-SHA256";
                } else if (ui->netlogon_trust_account.negotiate_flags
                           & NETLOGON_NEG_STRONG_KEYS) {
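Review bot: the new "Kerberos" password_type value widens the set of strings emitted for every "ServerAuthenticate*" auth_description, so anything that consumes the authentication log and enumerates password types needs to be told about it; the commit message ("auth_log: prepare for netr_ServerAuthenticateKerberos") does not mention the new value and nothing in this push touches auth-log documentation. The ordering itself is right: the authenticate_kerberos test must come before the NETLOGON_NEG_SUPPORTS_AES test, otherwise a Kerberos-authenticated trust account that also carries the AES flag would be reported as "HMAC-SHA256".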
diff --git a/auth/common_auth.h b/auth/common_auth.h
index 1afb79eb5df..ef507211453 100644
--- a/auth/common_auth.h
+++ b/auth/common_auth.h
@@ -79,6 +79,7 @@ struct auth_usersupplied_info
 
        struct {
                uint32_t negotiate_flags;
+               bool authenticate_kerberos;
                enum netr_SchannelType secure_channel_type;
                const char *computer_name; /* [charset(UTF8)] */
                const char *account_name; /* [charset(UTF8)] */
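Review bot: please add a one-line comment on authenticate_kerberos stating when it is set (the trust account was established through netr_ServerAuthenticateKerberos) and that negotiate_flags then no longer selects any schannel cipher; the guards added to auth/gensec/schannel.c in this same patch rely on exactly that relationship, and the two string fields next to it already carry annotations.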
diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
index d20d58ebe0d..fa6040e35c0 100644
--- a/auth/credentials/pycredentials.c
+++ b/auth/credentials/pycredentials.c
@@ -1902,6 +1902,62 @@ PyTypeObject PyCredentialCacheContainer = {
        .tp_methods = py_ccache_container_methods,
 };
 
+static PyObject *py_netlogon_creds_kerberos_init(PyObject *module,
+                                                PyObject *args,
+                                                PyObject *kwargs)
+{
+       const char * const kwnames[] = {
+               "client_account",
+               "client_computer_name",
+               "secure_channel_type",
+               "client_requested_flags",
+               "negotiate_flags",
+               NULL,
+       };
+       const char *client_account = NULL;
+       const char *client_computer_name = NULL;
+       unsigned short secure_channel_type = 0;
+       unsigned int client_requested_flags = 0;
+       unsigned int negotiate_flags = 0;
+       struct netlogon_creds_CredentialState *ncreds = NULL;
+       PyObject *py_ncreds = Py_None;
+       bool ok;
+
+       ok = PyArg_ParseTupleAndKeywords(args, kwargs, "ssHII",
+                                        discard_const_p(char *, kwnames),
+                                        &client_account,
+                                        &client_computer_name,
+                                        &secure_channel_type,
+                                        &client_requested_flags,
+                                        &negotiate_flags);
+       if (!ok) {
+               return NULL;
+       }
+
+       ncreds = netlogon_creds_kerberos_init(NULL,
+                                             client_account,
+                                             client_computer_name,
+                                             secure_channel_type,
+                                             client_requested_flags,
+                                             NULL, /* client_sid */
+                                             negotiate_flags);
+       if (ncreds == NULL) {
+               PyErr_NoMemory();
+               return NULL;
+       }
+
+       py_ncreds = py_return_ndr_struct("samba.dcerpc.schannel",
+                                        "netlogon_creds_CredentialState",
+                                        ncreds,
+                                        ncreds);
+       if (py_ncreds == NULL) {
+               TALLOC_FREE(ncreds);
+               return NULL;
+       }
+
+       return py_ncreds;
+}
+
 static PyObject *py_netlogon_creds_random_challenge(PyObject *module,
                                                    PyObject *unused)
 {
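Review bot: the "H" and "I" format units in PyArg_ParseTupleAndKeywords convert without overflow checking, so a Python caller passing a negative or out-of-range secure_channel_type, client_requested_flags or negotiate_flags gets a silently truncated value instead of an OverflowError; for test plumbing that may be acceptable, but an explicit range check or a comment saying truncation is intended would make it clear. Also, the only failure path raises PyErr_NoMemory(); if netlogon_creds_kerberos_init() can return NULL for reasons other than allocation (for example an unsupported secure_channel_type), a more specific error would help test authors.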
@@ -2896,6 +2952,18 @@ static PyObject 
*py_netlogon_creds_encrypt_SendToSam(PyObject *module,
 }
 
 static PyMethodDef py_module_methods[] = {
+       {
+               .ml_name  = "netlogon_creds_kerberos_init",
+               .ml_meth  = PY_DISCARD_FUNC_SIG(PyCFunction,
+                                       py_netlogon_creds_kerberos_init),
+               .ml_flags = METH_VARARGS | METH_KEYWORDS,
+               .ml_doc   = "credentials.netlogon_creds_kerberos_init("
+                           "client_account, client_computer_name,"
+                           "secure_channel_type, "
+                           "client_requested_flags, negotiate_flags)"
+                           "-> netlogon_creds_CredentialState\n"
+                           "Create a new state for 
netr_ServerAuthenticateKerberos()",
+       },
        {
                .ml_name  = "netlogon_creds_random_challenge",
                .ml_meth  = py_netlogon_creds_random_challenge,
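Review bot: the docstring's string concatenation is missing separators: "client_computer_name," runs straight into "secure_channel_type, " and "negotiate_flags)" into "-> ", so help() will show client_computer_name,secure_channel_type and negotiate_flags)-> netlogon_creds_CredentialState. Add a space after the comma and before the arrow.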
diff --git a/auth/gensec/schannel.c b/auth/gensec/schannel.c
index 86527fe4685..6e88e11990d 100644
--- a/auth/gensec/schannel.c
+++ b/auth/gensec/schannel.c
@@ -145,6 +145,13 @@ static NTSTATUS netsec_do_seq_num(struct schannel_state 
*state,
                                  uint32_t checksum_length,
                                  uint8_t seq_num[8])
 {
+       if (state->creds->authenticate_kerberos) {
+               DBG_WARNING("Called with authenticate_kerberos from %s %s\n",
+                           state->creds->account_name,
+                           state->creds->computer_name);
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
        if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
                gnutls_cipher_hd_t cipher_hnd = NULL;
                gnutls_datum_t key = {
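Review bot: the same authenticate_kerberos guard with identical DBG_WARNING text is pasted into netsec_do_seq_num(), netsec_do_seal() and netsec_do_sign(); a small static helper would keep the three in sync. Since schannel_update_internal() further down already refuses to create netsec state for such creds, these per-operation checks are defence in depth and should normally be unreachable; if that is the intent, logging at DBG_ERR as the update path does (rather than DBG_WARNING) would make an unexpected hit visible.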
@@ -243,6 +250,13 @@ static NTSTATUS netsec_do_seal(struct schannel_state 
*state,
                               uint8_t *data, uint32_t length,
                               bool forward)
 {
+       if (state->creds->authenticate_kerberos) {
+               DBG_WARNING("Called with authenticate_kerberos from %s %s\n",
+                           state->creds->account_name,
+                           state->creds->computer_name);
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
        if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
                gnutls_cipher_hd_t cipher_hnd = NULL;
                uint8_t sess_kf0[16] = {0};
@@ -423,6 +437,13 @@ static NTSTATUS netsec_do_sign(struct schannel_state 
*state,
                               uint8_t header[8],
                               uint8_t *checksum)
 {
+       if (state->creds->authenticate_kerberos) {
+               DBG_WARNING("Called with authenticate_kerberos from %s %s\n",
+                           state->creds->account_name,
+                           state->creds->computer_name);
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
        if (state->creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
                gnutls_hmac_hd_t hmac_hnd = NULL;
                int rc;
@@ -833,6 +854,16 @@ static NTSTATUS schannel_update_internal(struct 
gensec_security *gensec_security
                        return NT_STATUS_INVALID_PARAMETER_MIX;
                }
 
+               if (creds->authenticate_kerberos) {
+                       DBG_ERR("attempted schannel connection with "
+                               "authenticate_kerberos from %s %s\n",
+                               creds->account_name,
+                               creds->computer_name);
+                       NDR_PRINT_DEBUG(netlogon_creds_CredentialState, creds);
+                       log_stack_trace();
+                       return NT_STATUS_INVALID_PARAMETER_MIX;
+               }
+
                state = netsec_create_state(gensec_security,
                                            creds, true /* initiator */);
                if (state == NULL) {
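Review bot: this check sits on the initiator path only (the following netsec_create_state(..., true /* initiator */) call); please confirm the acceptor side rejects creds with authenticate_kerberos set as well, since the server is the side that is handed a netlogon_creds_CredentialState looked up from the schannel state database. Also, NDR_PRINT_DEBUG(netlogon_creds_CredentialState, creds) dumps the whole structure at error level; given that netlogon_creds_alloc() now allocates this state with _talloc_keep_secret() (36b5a751237 in this push), check that the printed fields do not include key material, or move the dump and the log_stack_trace() behind a higher debug level.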
diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml 
b/docs-xml/smbdotconf/logon/allownt4crypto.xml
index ee63e6cc245..5b90ba58735 100644
--- a/docs-xml/smbdotconf/logon/allownt4crypto.xml
+++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml
@@ -46,8 +46,10 @@
        '<smbconfoption name="allow nt4 
crypto:COMPUTERACCOUNT">yes</smbconfoption>' options.</para>
 
        <para>This option is over-ridden by the effective value of 'yes' from
-       the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>'
-       and/or '<smbconfoption name="reject md5 clients"/>' options.</para>
+       the '<smbconfoption name="server reject md5 
schannel:COMPUTERACCOUNT"/>',
+       '<smbconfoption name="reject md5 clients"/>',
+       '<smbconfoption name="server reject aes schannel:COMPUTERACCOUNT"/>',
+       and/or '<smbconfoption name="server reject aes schannel"/>' 
options.</para>
 </description>
 
 <value type="default">no</value>
@@ -88,18 +90,24 @@
     <para>This option overrides the <smbconfoption name="allow nt4 crypto"/> 
option.</para>
 
     <para>This option is over-ridden by the effective value of 'yes' from
-    the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>'
-    and/or '<smbconfoption name="reject md5 clients"/>' options.</para>
+    the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>',
+    '<smbconfoption name="reject md5 clients"/>',
+    '<smbconfoption name="server reject aes schannel:COMPUTERACCOUNT"/>'
+    and/or '<smbconfoption name="server reject aes schannel"/>' options.</para>
     <para>Which means '<smbconfoption name="allow nt4 
crypto:COMPUTERACCOUNT">yes</smbconfoption>'
-    is only useful in combination with '<smbconfoption name="server reject md5 
schannel:COMPUTERACCOUNT">no</smbconfoption>'</para>
+    is only useful in combination with '<smbconfoption name="server reject md5 
schannel:COMPUTERACCOUNT">no</smbconfoption>'
+    and '<smbconfoption name="server reject aes 
schannel:COMPUTERACCOUNT">no</smbconfoption>'.</para>
 
     <programlisting>
        allow nt4 crypto:LEGACYCOMPUTER1$ = yes
        server reject md5 schannel:LEGACYCOMPUTER1$ = no
+       server reject aes schannel:LEGACYCOMPUTER1$ = no
        allow nt4 crypto:NASBOX$ = yes
        server reject md5 schannel:NASBOX$ = no
+       server reject aes schannel:NASBOX$ = no
        allow nt4 crypto:LEGACYCOMPUTER2$ = yes
        server reject md5 schannel:LEGACYCOMPUTER2$ = no
+       server reject aes schannel:LEGACYCOMPUTER2$ = no
     </programlisting>
 </description>
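Review bot: minor consistency point: the list in this hunk drops the comma before "and/or" that the equivalent list in the previous hunk keeps, and the "only useful in combination with" sentence now ends with a full stop while the sentence before it does not; worth aligning the two.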
 
diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml 
b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
index fe7701d9277..ee3cd191904 100644
--- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml
+++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
@@ -54,6 +54,10 @@
        '<smbconfoption name="allow nt4 crypto"/>' options and implies
        '<smbconfoption name="allow nt4 
crypto:COMPUTERACCOUNT">no</smbconfoption>'.
        </para>
+
+       <para>This option is over-ridden by the effective value of 'yes' from
+       the '<smbconfoption name="server reject aes schannel:COMPUTERACCOUNT"/>'
+       and/or '<smbconfoption name="server reject aes schannel"/>' 
options.</para>
 </description>
 
 <value type="default">yes</value>
@@ -100,10 +104,19 @@
     '<smbconfoption name="allow nt4 
crypto:COMPUTERACCOUNT">no</smbconfoption>'.
     </para>
 
+    <para>This option is over-ridden by the effective value of 'yes' from
+    the '<smbconfoption name="server reject aes schannel:COMPUTERACCOUNT"/>'
+    and/or '<smbconfoption name="server reject aes schannel"/>' options.</para>
+    <para>Which means '<smbconfoption name="server reject md5 
schannel:COMPUTERACCOUNT">no</smbconfoption>'
+    is only useful in combination with '<smbconfoption name="server reject aes 
schannel:COMPUTERACCOUNT">no</smbconfoption>'.</para>
+
     <programlisting>
        server reject md5 schannel:LEGACYCOMPUTER1$ = no
+       server reject aes schannel:LEGACYCOMPUTER1$ = no
        server reject md5 schannel:NASBOX$ = no
+       server reject aes schannel:NASBOX$ = no
        server reject md5 schannel:LEGACYCOMPUTER2$ = no
+       server reject aes schannel:LEGACYCOMPUTER2$ = no
     </programlisting>
 </description>
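Review bot: the new paragraph says 'server reject md5 schannel:COMPUTERACCOUNT = no' is only useful together with 'server reject aes schannel:COMPUTERACCOUNT = no', which is true only once 'server reject aes schannel' is enabled; as that option is documented as experimental and defaults to 'no', say so here, otherwise readers of a default install will conclude they need both lines for every legacy member.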
 
diff --git a/docs-xml/smbdotconf/logon/serverrejectaesschannel.xml 
b/docs-xml/smbdotconf/logon/serverrejectaesschannel.xml
new file mode 100644
index 00000000000..467261b272d
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/serverrejectaesschannel.xml
@@ -0,0 +1,118 @@
+<samba:parameter name="server reject aes schannel"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc";>
+<description>
+       <para><emphasis>This option is experimental for now!</emphasis>
+       </para>
+
+       <para>This option controls whether the netlogon server (currently
+       only in 'active directory domain controller' mode), will
+       reject clients which do not support ServerAuthenticateKerberos.</para>
+
+       <para>Support for ServerAuthenticateKerberos was added in Windows
+       starting with Server 2025, it's available in Samba starting with 4.22 
with the
+       '<smbconfoption name="server support krb5 
netlogon">yes</smbconfoption>' and
+       '<smbconfoption name="client use krb5 netlogon">yes</smbconfoption>' 
options,
+       which are disabled by default.
+       </para>
+
+       <para>Note this options is not really related to security problems
+       behind CVE_2022_38023, but it still uses the debug level related
+       logic and options.</para>
+
+       <para>
+       Samba will log an error in the log files at log level 0
+       if legacy a client is rejected without an explicit,
+       '<smbconfoption name="server reject aes 
schannel:COMPUTERACCOUNT">no</smbconfoption>' option
+       for the client. The message will indicate
+       the explicit '<smbconfoption name="server reject aes 
schannel:COMPUTERACCOUNT">no</smbconfoption>'
+       line to be added, if the client software requires it. (The log level 
can be adjusted with
+       '<smbconfoption 
name="CVE_2022_38023:error_debug_level">1</smbconfoption>'
+       in order to complain only at a higher log level).
+       </para>
+
+       <para>
+       Samba will log a message in the log files at log level 5
+       if a client is allowed without an explicit,
+       '<smbconfoption name="server reject aes 
schannel:COMPUTERACCOUNT">no</smbconfoption>' option
+       for the client. The message will indicate
+       the explicit '<smbconfoption name="server reject aes 
schannel:COMPUTERACCOUNT">no</smbconfoption>'
+       line to be added, if the client software requires it. (The log level 
can be adjusted with
+       '<smbconfoption name="NETLOGON_AES:usage_debug_level">0</smbconfoption>'
+       in order to complain only at a lower or higher log level).
+       This can we used to prepare the configuration before changing to
+       '<smbconfoption name="server reject aes schannel">yes</smbconfoption>'
+       </para>
+
+       <para>Admins can use
+       '<smbconfoption name="server reject aes 
schannel:COMPUTERACCOUNT">no/yes</smbconfoption>' options in
+       order to have more control</para>
+
+       <para>When set to 'yes' this option overrides the
+       '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>' and
+       '<smbconfoption name="reject md5 clients"/>' options and implies
+       '<smbconfoption name="server reject md5 
schannel:COMPUTERACCOUNT">no</smbconfoption>'.
+       </para>
+
+       <para>This option interacts with the '<smbconfoption name="server 
support krb5 netlogon"/>' option.
+       </para>
+
+       <para>For now '<smbconfoption name="server reject aes schannel"/>'
+       is EXPERIMENTAL and should not be configured explicitly.</para>
+</description>
+
+<value type="default">no</value>
+<value type="example">yes</value>
+</samba:parameter>
+
+<samba:parameter name="server reject aes schannel:COMPUTERACCOUNT"
+                 context="G"
+                 type="string"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc";>
+<description>
+
+    <para>If the time has come and most domain members or trusted domains
+       support ServerAuthenticateKerberos, admins may want to use "server 
reject aes schannel = yes".
+       It is possible to specify an explicit exception per computer account
+       by setting 'server reject aes schannel:COMPUTERACCOUNT = no'.
+       Note that COMPUTERACCOUNT has to be the sAMAccountName value of
+       the computer account (including the trailing '$' sign).
+    </para>
+
+    <para>Note this options is not really related to security problems
+       behind CVE_2022_38023, but it still uses the debug level related
+       logic and options.
+    </para>
+
+    <para>
+       Samba will log a complaint in the log files at log level 0
+       about the security problem if the option is set to "no",
+       but the related computer does not require it.
+       (The log level can be adjusted with
+       '<smbconfoption 
name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>'
+       in order to complain only at a higher log level).
+    </para>
+
+    <para>
+       Samba will log a warning in the log files at log level 5
+       if a setting is still needed for the specified computer account.
+    </para>
+
+    <para>This option overrides the <smbconfoption name="server reject aes 
schannel"/> option.</para>
+
+    <para>When set to 'yes' this option overrides the
+    '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>' and
+    '<smbconfoption name="reject md5 clients"/>' options and implies
+    '<smbconfoption name="server reject md5 
schannel:COMPUTERACCOUNT">no</smbconfoption>'.
+    </para>
+
+    <programlisting>
+       server reject aes schannel:LEGACYCOMPUTER1$ = no
+       server reject aes schannel:NASBOX$ = no
+       server reject aes schannel:LEGACYCOMPUTER2$ = no
+       server reject aes schannel:HIGHPRIVACYSRV$ = yes
+    </programlisting>
+</description>
+
+</samba:parameter>
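Review bot: the two paragraphs beginning "When set to 'yes' this option overrides" look like a copy from rejectmd5clients.xml with the implied value left unchanged: rejecting AES schannel is strictly stronger than rejecting MD5 schannel, so 'yes' here should imply 'server reject md5 schannel:COMPUTERACCOUNT = yes' (the same way 'reject md5 clients = yes' implies 'allow nt4 crypto:COMPUTERACCOUNT = no' in the rejectmd5clients.xml context above), not '= no' as written; if "no" is really intended, the text needs to explain why. Wording fixes in the same file: "Note this options is" -> "Note this option is" (twice), "if legacy a client is rejected" -> "if a legacy client is rejected", "This can we used" -> "This can be used", "over-ridden" -> "overridden", and the sentence "Admins can use ... in order to have more control" lacks a full stop. Finally, the COMPUTERACCOUNT section says Samba logs "a complaint ... about the security problem" when a per-account 'no' is unused, while the same file states this option is not related to the CVE_2022_38023 security problem; rephrase so the message is not described as a security complaint.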
diff --git a/docs-xml/smbdotconf/security/serversupportkrb5netlogon.xml 
b/docs-xml/smbdotconf/security/serversupportkrb5netlogon.xml
new file mode 100644
index 00000000000..652ef5f3d0a
--- /dev/null
+++ b/docs-xml/smbdotconf/security/serversupportkrb5netlogon.xml
@@ -0,0 +1,28 @@
+<samba:parameter name="server support krb5 netlogon"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc";>
+<description>
+       <para><emphasis>This option is experimental for now!</emphasis>
+       </para>
+
+       <para>This option controls whether the netlogon server (currently
+       only in 'active directory domain controller' mode), will
+       provide support for ServerAuthenticateKerberos.</para>
+
+       <para>Support for ServerAuthenticateKerberos was added in Windows
+       starting with Server 2025, it's available in Samba starting with 4.22 
with the
+       '<smbconfoption name="server support krb5 
netlogon">yes</smbconfoption>' and
+       '<smbconfoption name="client use krb5 netlogon">yes</smbconfoption>' 
options,
+       which are disabled by default.
+       </para>
+
+       <para>This option interacts with the
+       '<smbconfoption name="server reject aes 
schannel:COMPUTERACCOUNT">yes</smbconfoption>' and
+       '<smbconfoption name="server reject aes schannel">yes</smbconfoption>' 
options.
+       </para>
+</description>
+
+<value type="default">no</value>
+<value type="example">yes</value>
+</samba:parameter>
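Review bot: "This option interacts with the 'server reject aes schannel:COMPUTERACCOUNT = yes' and 'server reject aes schannel = yes' options" leaves the interaction unspecified; the description should state it, in particular whether enabling either reject option without 'server support krb5 netlogon = yes' is a supported configuration, given that this option is what makes ServerAuthenticateKerberos available as the alternative to schannel on the server side. The "experimental for now" emphasis would also be more useful if it said what may still change (the default, the option names, or the behaviour), so administrators know what to expect from later releases.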
diff --git a/lib/ldb/LICENSE b/lib/ldb/LICENSE
new file mode 100644
index 00000000000..65c5ca88a67
--- /dev/null
+++ b/lib/ldb/LICENSE
@@ -0,0 +1,165 @@
+                   GNU LESSER GENERAL PUBLIC LICENSE
+                       Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+
+  This version of the GNU Lesser General Public License incorporates
+the terms and conditions of version 3 of the GNU General Public
+License, supplemented by the additional permissions listed below.
+
+  0. Additional Definitions.
+
+  As used herein, "this License" refers to version 3 of the GNU Lesser
+General Public License, and the "GNU GPL" refers to version 3 of the GNU
+General Public License.
+
+  "The Library" refers to a covered work governed by this License,
+other than an Application or a Combined Work as defined below.
+
+  An "Application" is any work that makes use of an interface provided
+by the Library, but which is not otherwise based on the Library.
+Defining a subclass of a class defined by the Library is deemed a mode
+of using an interface provided by the Library.
+
+  A "Combined Work" is a work produced by combining or linking an
+Application with the Library.  The particular version of the Library
+with which the Combined Work was made is also called the "Linked
+Version".
+
+  The "Minimal Corresponding Source" for a Combined Work means the
+Corresponding Source for the Combined Work, excluding any source code
+for portions of the Combined Work that, considered in isolation, are
+based on the Application, and not on the Linked Version.
+
+  The "Corresponding Application Code" for a Combined Work means the
+object code and/or source code for the Application, including any data
+and utility programs needed for reproducing the Combined Work from the
+Application, but excluding the System Libraries of the Combined Work.
+
+  1. Exception to Section 3 of the GNU GPL.
+
+  You may convey a covered work under sections 3 and 4 of this License
+without being bound by section 3 of the GNU GPL.
+
+  2. Conveying Modified Versions.
+
+  If you modify a copy of the Library, and, in your modifications, a
+facility refers to a function or data to be supplied by an Application
+that uses the facility (other than as an argument passed when the
+facility is invoked), then you may convey a copy of the modified
+version:
+
+   a) under this License, provided that you make a good faith effort to
+   ensure that, in the event an Application does not supply the
+   function or data, the facility still operates, and performs
+   whatever part of its purpose remains meaningful, or
+
+   b) under the GNU GPL, with none of the additional permissions of
+   this License applicable to that copy.
+
+  3. Object Code Incorporating Material from Library Header Files.
+
+  The object code form of an Application may incorporate material from
+a header file that is part of the Library.  You may convey such object
+code under terms of your choice, provided that, if the incorporated
+material is not limited to numerical parameters, data structure
+layouts and accessors, or small macros, inline functions and templates
+(ten or fewer lines in length), you do both of the following:
+
+   a) Give prominent notice with each copy of the object code that the
+   Library is used in it and that the Library and its use are
+   covered by this License.
+
+   b) Accompany the object code with a copy of the GNU GPL and this license
+   document.
+


-- 
Samba Shared Repository
