summaryrefslogtreecommitdiffstats
path: root/docs-xml/smbdotconf/security/serverschannelrequireseal.xml
diff options
context:
space:
mode:
Diffstat (limited to 'docs-xml/smbdotconf/security/serverschannelrequireseal.xml')
-rw-r--r--docs-xml/smbdotconf/security/serverschannelrequireseal.xml117
1 files changed, 117 insertions, 0 deletions
diff --git a/docs-xml/smbdotconf/security/serverschannelrequireseal.xml b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml
new file mode 100644
index 0000000..0bec67d
--- /dev/null
+++ b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml
@@ -0,0 +1,117 @@
+<samba:parameter name="server schannel require seal"
+ context="G"
+ type="boolean"
+ deprecated="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>
+ This option is deprecated and will be removed in future,
+ as it is a security problem if not set to "yes" (which will be
+ the hardcoded behavior in future).
+ </para>
+
+ <para>
+ This option controls whether the netlogon server, will reject the usage
+ of netlogon secure channel without privacy/enryption.
+ </para>
+
+ <para>
+ The option is modelled after the registry key available on Windows.
+ </para>
+
+ <programlisting>
+ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireSeal=2
+ </programlisting>
+
+ <para>
+ <emphasis>Avoid using this option!</emphasis> Use the per computer account specific option
+ '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>' instead!
+ Which is available with the patches for
+ <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
+ see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+ </para>
+
+ <para>
+ Samba will log an error in the log files at log level 0
+ if legacy a client is rejected or allowed without an explicit,
+ '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>' option
+ for the client. The message will indicate
+ the explicit '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>'
+ line to be added, if the legacy client software requires it. (The log level can be adjusted with
+ '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>'
+ in order to complain only at a higher log level).
+ </para>
+
+ <para>This allows admins to use "no" only for a short grace period,
+ in order to collect the explicit
+ '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>' options.</para>
+
+ <para>
+ When set to 'yes' this option overrides the
+ '<smbconfoption name="server require schannel:COMPUTERACCOUNT"/>' and
+ '<smbconfoption name="server schannel"/>' options and implies
+ '<smbconfoption name="server require schannel:COMPUTERACCOUNT">yes</smbconfoption>'.
+ </para>
+
+ <para>
+ This option is over-ridden by the <smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/> option.
+ </para>
+
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
+
+<samba:parameter name="server schannel require seal:COMPUTERACCOUNT"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>
+ If you still have legacy domain members, which required "server schannel require seal = no" before,
+ it is possible to specify explicit exception per computer account
+ by using 'server schannel require seal:COMPUTERACCOUNT = no' as option.
+ Note that COMPUTERACCOUNT has to be the sAMAccountName value of
+ the computer account (including the trailing '$' sign).
+ </para>
+
+ <para>
+ Samba will log a complaint in the log files at log level 0
+ about the security problem if the option is set to "no",
+ but the related computer does not require it.
+ (The log level can be adjusted with
+ '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>'
+ in order to complain only at a higher log level).
+ </para>
+
+ <para>
+ Samba will warn in the log files at log level 5,
+ if a setting is still needed for the specified computer account.
+ </para>
+
+ <para>
+ See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>,
+ <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+ </para>
+
+ <para>
+ This option overrides the '<smbconfoption name="server schannel require seal"/>' option.
+ </para>
+
+ <para>
+ When set to 'yes' this option overrides the
+ '<smbconfoption name="server require schannel:COMPUTERACCOUNT"/>' and
+ '<smbconfoption name="server schannel"/>' options and implies
+ '<smbconfoption name="server require schannel:COMPUTERACCOUNT">yes</smbconfoption>'.
+ </para>
+
+ <programlisting>
+ server require schannel seal:LEGACYCOMPUTER1$ = no
+ server require schannel seal:NASBOX$ = no
+ server require schannel seal:LEGACYCOMPUTER2$ = no
+ </programlisting>
+</description>
+
+</samba:parameter>