sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-08 21:18:16 +03:00
Code

CVE-2022-38023 docs-xml/smbdotconf: document "allow nt4 crypto:COMPUTERACCOUNT = no"

Browse Source 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit bd429d0259)
This commit is contained in:
Stefan Metzmacher 2022-11-25 13:31:14 +01:00
parent d2dc3622d4
commit 3075f65e5d
1 changed files with 74 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

76
docs-xml/smbdotconf/logon/allownt4crypto.xml
View File

@ -1,11 +1,18 @@
<samba:parameter name="allow nt4 crypto" <samba:parameter name="allow nt4 crypto"
context="G" context="G"
type="boolean" type="boolean"
deprecated="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description> <description>
<para>
This option is deprecated and will be removed in future,
as it is a security problem if not set to "no" (which will be
the hardcoded behavior in future).
</para>
<para>This option controls whether the netlogon server (currently <para>This option controls whether the netlogon server (currently
only in 'active directory domain controller' mode), will only in 'active directory domain controller' mode), will
reject clients which does not support NETLOGON_NEG_STRONG_KEYS reject clients which do not support NETLOGON_NEG_STRONG_KEYS
nor NETLOGON_NEG_SUPPORTS_AES.</para> nor NETLOGON_NEG_SUPPORTS_AES.</para>
<para>This option was added with Samba 4.2.0. It may lock out clients <para>This option was added with Samba 4.2.0. It may lock out clients
@ -18,8 +25,73 @@
<para>"allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks.</para> <para>"allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks.</para>
<para>This option is over-ridden by the 'reject md5 clients' option.</para> <para><emphasis>Avoid using this option!</emphasis> Use explicit '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' instead!
Which is available with the patches for
<ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink></para>
<para>
Samba will log an error in the log files at log level 0
if legacy a client is rejected or allowed without an explicit,
'<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' option
for the client. The message will indicate
the explicit '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>'
line to be added, if the legacy client software requires it. (The log level can be adjusted with
'<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>'
in order to complain only at a higher log level).
</para>
<para>This allows admins to use "yes" only for a short grace period,
in order to collect the explicit
'<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' options.</para>
<para>This option is over-ridden by the '<smbconfoption name="reject md5 clients">yes</smbconfoption>' option.</para>
</description> </description>
<value type="default">no</value> <value type="default">no</value>
</samba:parameter> </samba:parameter>
<samba:parameter name="allow nt4 crypto:COMPUTERACCOUNT"
context="G"
type="string"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>If you still have legacy domain members which required 'allow nt4 crypto = yes',
it is possible to specify an explicit exception per computer account
by using 'allow nt4 crypto:COMPUTERACCOUNT = yes' as option.
Note that COMPUTERACCOUNT has to be the sAMAccountName value of
the computer account (including the trailing '$' sign).
</para>
<para>
Samba will log a complaint in the log files at log level 0
about the security problem if the option is set to "yes",
but the related computer does not require it.
(The log level can be adjusted with
'<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>'
in order to complain only at a higher log level).
</para>
<para>
Samba will log a warning in the log files at log level 5,
if a setting is still needed for the specified computer account.
</para>
<para>
See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>,
<ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
</para>
<para>This option overrides the <smbconfoption name="allow nt4 crypto"/> option.</para>
<para>This option is over-ridden by the '<smbconfoption name="reject md5 clients">yes</smbconfoption>' option.</para>
<programlisting>
allow nt4 crypto:LEGACYCOMPUTER1$ = yes
allow nt4 crypto:NASBOX$ = yes
allow nt4 crypto:LEGACYCOMPUTER2$ = yes
</programlisting>
</description>
</samba:parameter>