summaryrefslogtreecommitdiffstats
path: root/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
diff options
context:
space:
mode:
Diffstat (limited to 'docs-xml/smbdotconf/winbind/rejectmd5servers.xml')
-rw-r--r--docs-xml/smbdotconf/winbind/rejectmd5servers.xml25
1 files changed, 25 insertions, 0 deletions
diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
new file mode 100644
index 0000000..3bc4eaf
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
@@ -0,0 +1,25 @@
+<samba:parameter name="reject md5 servers"
+ context="G"
+ type="boolean"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option controls whether winbindd requires support
+ for aes support for the netlogon secure channel.</para>
+
+ <para>The following flags will be required NETLOGON_NEG_ARCFOUR,
+ NETLOGON_NEG_SUPPORTS_AES, NETLOGON_NEG_PASSWORD_SET2 and NETLOGON_NEG_AUTHENTICATED_RPC.</para>
+
+ <para>You can set this to yes if all domain controllers support aes.
+ This will prevent downgrade attacks.</para>
+
+ <para>The behavior can be controlled per netbios domain
+ by using 'reject md5 servers:NETBIOSDOMAIN = no' as option.</para>
+
+ <para>The default changed from 'no' to 'yes, with the patches for CVE-2022-38023,
+ see https://bugzilla.samba.org/show_bug.cgi?id=15240</para>
+
+ <para>This option overrides the <smbconfoption name="require strong key"/> option.</para>
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>