summaryrefslogtreecommitdiffstats
path: root/docs-xml/smbdotconf/security/serverschannelrequireseal.xml
blob: 0bec67d2519e325bc87240175ce5ef386cc13754 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
<samba:parameter name="server schannel require seal"
                 context="G"
                 type="boolean"
                 deprecated="1"
                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>

	<para>
	This option is deprecated and will be removed in future,
	as it is a security problem if not set to "yes" (which will be
	the hardcoded behavior in future).
	</para>

	<para>
	This option controls whether the netlogon server, will reject the usage
	of netlogon secure channel without privacy/enryption.
	</para>

	<para>
	The option is modelled after the registry key available on Windows.
	</para>

	<programlisting>
	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireSeal=2
	</programlisting>

	<para>
	<emphasis>Avoid using this option!</emphasis> Use the per computer account specific option
	'<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>' instead!
	Which is available with the patches for
	<ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
	see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
	</para>

	<para>
	Samba will log an error in the log files at log level 0
	if legacy a client is rejected or allowed without an explicit,
	'<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>' option
	for the client. The message will indicate
	the explicit '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>'
	line to be added, if the legacy client software requires it. (The log level can be adjusted with
	'<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>'
	in order to complain only at a higher log level).
	</para>

	<para>This allows admins to use "no" only for a short grace period,
	in order to collect the explicit
	'<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>' options.</para>

	<para>
	When set to 'yes' this option overrides the
	'<smbconfoption name="server require schannel:COMPUTERACCOUNT"/>' and
	'<smbconfoption name="server schannel"/>' options and implies
	'<smbconfoption name="server require schannel:COMPUTERACCOUNT">yes</smbconfoption>'.
	</para>

	<para>
	This option is over-ridden by the <smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/> option.
	</para>

</description>

<value type="default">yes</value>
</samba:parameter>

<samba:parameter name="server schannel require seal:COMPUTERACCOUNT"
                 context="G"
                 type="string"
                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>

	<para>
	If you still have legacy domain members, which required "server schannel require seal = no" before,
	it is possible to specify explicit exception per computer account
	by using 'server schannel require seal:COMPUTERACCOUNT = no' as option.
	Note that COMPUTERACCOUNT has to be the sAMAccountName value of
	the computer account (including the trailing '$' sign).
	</para>

	<para>
	Samba will log a complaint in the log files at log level 0
	about the security problem if the option is set to "no",
	but the related computer does not require it.
	(The log level can be adjusted with
	'<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>'
	in order to complain only at a higher log level).
	</para>

	<para>
	Samba will warn in the log files at log level 5,
	if a setting is still needed for the specified computer account.
	</para>

	<para>
	See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>,
	<ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
	</para>

	<para>
	This option overrides the '<smbconfoption name="server schannel require seal"/>' option.
	</para>

	<para>
	When set to 'yes' this option overrides the
	'<smbconfoption name="server require schannel:COMPUTERACCOUNT"/>' and
	'<smbconfoption name="server schannel"/>' options and implies
	'<smbconfoption name="server require schannel:COMPUTERACCOUNT">yes</smbconfoption>'.
	</para>

	<programlisting>
	server require schannel seal:LEGACYCOMPUTER1$ = no
	server require schannel seal:NASBOX$ = no
	server require schannel seal:LEGACYCOMPUTER2$ = no
	</programlisting>
</description>

</samba:parameter>