From 8daa83a594a2e98f39d764422bfbdbc62c9efd44 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 19 Apr 2024 19:20:00 +0200 Subject: Adding upstream version 2:4.20.0+dfsg. Signed-off-by: Daniel Baumann --- docs-xml/smbdotconf/logon/allownt4crypto.xml | 106 +++++++++++++++++++++++++++ 1 file changed, 106 insertions(+) create mode 100644 docs-xml/smbdotconf/logon/allownt4crypto.xml (limited to 'docs-xml/smbdotconf/logon/allownt4crypto.xml') diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml new file mode 100644 index 0000000..ee63e6c --- /dev/null +++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml @@ -0,0 +1,106 @@ + + + + This option is deprecated and will be removed in future, + as it is a security problem if not set to "no" (which will be + the hardcoded behavior in future). + + + This option controls whether the netlogon server (currently + only in 'active directory domain controller' mode), will + reject clients which do not support NETLOGON_NEG_STRONG_KEYS + nor NETLOGON_NEG_SUPPORTS_AES. + + This option was added with Samba 4.2.0. It may lock out clients + which worked fine with Samba versions up to 4.1.x. as the effective default + was "yes" there, while it is "no" now. + + If you have clients without RequireStrongKey = 1 in the registry, + you may need to set "allow nt4 crypto = yes", until you have fixed all clients. + + + "allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks. + + Avoid using this option! Use explicit 'yes' instead! + Which is available with the patches for + CVE-2022-38023 + see https://bugzilla.samba.org/show_bug.cgi?id=15240 + + + Samba will log an error in the log files at log level 0 + if legacy a client is rejected or allowed without an explicit, + 'yes' option + for the client. The message will indicate + the explicit 'yes' + line to be added, if the legacy client software requires it. (The log level can be adjusted with + '1' + in order to complain only at a higher log level). + + + This allows admins to use "yes" only for a short grace period, + in order to collect the explicit + 'yes' options. + + This option is over-ridden by the effective value of 'yes' from + the '' + and/or '' options. + + +no + + + + + + If you still have legacy domain members which required 'allow nt4 crypto = yes', + it is possible to specify an explicit exception per computer account + by using 'allow nt4 crypto:COMPUTERACCOUNT = yes' as option. + Note that COMPUTERACCOUNT has to be the sAMAccountName value of + the computer account (including the trailing '$' sign). + + + + Samba will log a complaint in the log files at log level 0 + about the security problem if the option is set to "yes", + but the related computer does not require it. + (The log level can be adjusted with + '1' + in order to complain only at a higher log level). + + + + Samba will log a warning in the log files at log level 5, + if a setting is still needed for the specified computer account. + + + + See CVE-2022-38023, + https://bugzilla.samba.org/show_bug.cgi?id=15240. + + + This option overrides the option. + + This option is over-ridden by the effective value of 'yes' from + the '' + and/or '' options. + Which means 'yes' + is only useful in combination with 'no' + + + allow nt4 crypto:LEGACYCOMPUTER1$ = yes + server reject md5 schannel:LEGACYCOMPUTER1$ = no + allow nt4 crypto:NASBOX$ = yes + server reject md5 schannel:NASBOX$ = no + allow nt4 crypto:LEGACYCOMPUTER2$ = yes + server reject md5 schannel:LEGACYCOMPUTER2$ = no + + + + -- cgit v1.2.3