This option is deprecated and will be removed in future,
as it is a security problem if not set to "yes" (which will be
the hardcoded behavior in future).
This option controls whether the netlogon server, will reject the usage
of netlogon secure channel without privacy/enryption.
The option is modelled after the registry key available on Windows.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireSeal=2
Avoid using this option! Use the per computer account specific option
'' instead!
Which is available with the patches for
CVE-2022-38023
see https://bugzilla.samba.org/show_bug.cgi?id=15240.
Samba will log an error in the log files at log level 0
if legacy a client is rejected or allowed without an explicit,
'no' option
for the client. The message will indicate
the explicit 'no'
line to be added, if the legacy client software requires it. (The log level can be adjusted with
'1'
in order to complain only at a higher log level).
This allows admins to use "no" only for a short grace period,
in order to collect the explicit
'no' options.
When set to 'yes' this option overrides the
'' and
'' options and implies
'yes'.
This option is over-ridden by the option.
yes
If you still have legacy domain members, which required "server schannel require seal = no" before,
it is possible to specify explicit exception per computer account
by using 'server schannel require seal:COMPUTERACCOUNT = no' as option.
Note that COMPUTERACCOUNT has to be the sAMAccountName value of
the computer account (including the trailing '$' sign).
Samba will log a complaint in the log files at log level 0
about the security problem if the option is set to "no",
but the related computer does not require it.
(The log level can be adjusted with
'1'
in order to complain only at a higher log level).
Samba will warn in the log files at log level 5,
if a setting is still needed for the specified computer account.
See CVE-2022-38023,
https://bugzilla.samba.org/show_bug.cgi?id=15240.
This option overrides the '' option.
When set to 'yes' this option overrides the
'' and
'' options and implies
'yes'.
server require schannel seal:LEGACYCOMPUTER1$ = no
server require schannel seal:NASBOX$ = no
server require schannel seal:LEGACYCOMPUTER2$ = no