== Subject:     Samba AD DC admin tool samba-tool sends passwords in cleartext
== CVE ID#:     CVE-2023-0922
== Versions:    All versions of Samba since 4.0
== Summary:     The Samba AD DC administration tool, when operating
                against a remote LDAP server, will by default send
		new or reset passwords over a signed-only connection. 


Active Directory allows passwords to be set and changed over LDAP.
Microsoft's implementation imposes a restriction that this may only
happen over an encrypted connection, however Samba does not have this
restriction currently.

Samba's samba-tool client tool likewise has no restriction regarding
the security of the connection it will set a password over.

An attacker able to observe the network traffic between samba-tool and
the Samba AD DC could obtain newly set passwords if samba-tool
connected using a Kerberos secured LDAP connection against a Samba AD

This would happen when samba-tool was used to reset a user's
password, or to add a new user.

This only impacts connections made using Kerberos as NTLM-protected
connections are upgraded to encryption regardless.

This patch changes all Samba AD LDAP client connections to use
encryption, as well as integrity protection, by default, by changing
the default value of "client ldap sasl wrapping" to "seal" in Samba's

Administrators should confirm this value has not been overridden in
their local smb.conf to obtain the benefit of this change.

NOTE WELL: Samba, for consistency, uses a common smb.conf option for
LDAP client behaviour.  Therefore this will also encrypt the AD LDAP
connections between Samba's winbindd and any AD DC, so this patch will
also change behaviour for Samba Domain Member configurations.

If this is a concern, the smb.conf value "client ldap sasl wrapping"
can be reset to "sign".

Patch Availability

Patches addressing both these issues have been posted to:

Additionally, Samba $VERSIONS have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

CVSSv3 calculation

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N (5.9)


Set "client ldap sasl wrapping = seal" in the smb.conf or add the
--option=clientldapsaslwrapping=sign option to any samba-tool or
ldbmodify invocation that sets a password.


Originally reported by Andrew Bartlett of Catalyst and the Samba Team
working with Rob van der Linde of Catalyst.

Patches provided by Rob van der Linde of Catalyst and Andrew Bartlett
of Catalyst and the Samba Team.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team