diff options
Diffstat (limited to 'docs-xml/smbdotconf/security/serverschannelrequireseal.xml')
-rw-r--r-- | docs-xml/smbdotconf/security/serverschannelrequireseal.xml | 117 |
1 files changed, 117 insertions, 0 deletions
diff --git a/docs-xml/smbdotconf/security/serverschannelrequireseal.xml b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml new file mode 100644 index 0000000..0bec67d --- /dev/null +++ b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml @@ -0,0 +1,117 @@ +<samba:parameter name="server schannel require seal" + context="G" + type="boolean" + deprecated="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + + <para> + This option is deprecated and will be removed in future, + as it is a security problem if not set to "yes" (which will be + the hardcoded behavior in future). + </para> + + <para> + This option controls whether the netlogon server, will reject the usage + of netlogon secure channel without privacy/enryption. + </para> + + <para> + The option is modelled after the registry key available on Windows. + </para> + + <programlisting> + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireSeal=2 + </programlisting> + + <para> + <emphasis>Avoid using this option!</emphasis> Use the per computer account specific option + '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>' instead! + Which is available with the patches for + <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink> + see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>. + </para> + + <para> + Samba will log an error in the log files at log level 0 + if legacy a client is rejected or allowed without an explicit, + '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>' option + for the client. The message will indicate + the explicit '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>' + line to be added, if the legacy client software requires it. (The log level can be adjusted with + '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>' + in order to complain only at a higher log level). + </para> + + <para>This allows admins to use "no" only for a short grace period, + in order to collect the explicit + '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>' options.</para> + + <para> + When set to 'yes' this option overrides the + '<smbconfoption name="server require schannel:COMPUTERACCOUNT"/>' and + '<smbconfoption name="server schannel"/>' options and implies + '<smbconfoption name="server require schannel:COMPUTERACCOUNT">yes</smbconfoption>'. + </para> + + <para> + This option is over-ridden by the <smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/> option. + </para> + +</description> + +<value type="default">yes</value> +</samba:parameter> + +<samba:parameter name="server schannel require seal:COMPUTERACCOUNT" + context="G" + type="string" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + + <para> + If you still have legacy domain members, which required "server schannel require seal = no" before, + it is possible to specify explicit exception per computer account + by using 'server schannel require seal:COMPUTERACCOUNT = no' as option. + Note that COMPUTERACCOUNT has to be the sAMAccountName value of + the computer account (including the trailing '$' sign). + </para> + + <para> + Samba will log a complaint in the log files at log level 0 + about the security problem if the option is set to "no", + but the related computer does not require it. + (The log level can be adjusted with + '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>' + in order to complain only at a higher log level). + </para> + + <para> + Samba will warn in the log files at log level 5, + if a setting is still needed for the specified computer account. + </para> + + <para> + See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>, + <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>. + </para> + + <para> + This option overrides the '<smbconfoption name="server schannel require seal"/>' option. + </para> + + <para> + When set to 'yes' this option overrides the + '<smbconfoption name="server require schannel:COMPUTERACCOUNT"/>' and + '<smbconfoption name="server schannel"/>' options and implies + '<smbconfoption name="server require schannel:COMPUTERACCOUNT">yes</smbconfoption>'. + </para> + + <programlisting> + server require schannel seal:LEGACYCOMPUTER1$ = no + server require schannel seal:NASBOX$ = no + server require schannel seal:LEGACYCOMPUTER2$ = no + </programlisting> +</description> + +</samba:parameter> |