diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml
index 394ffdc36fb..5c69f0f64df 100644
--- a/docs-xml/smbdotconf/security/serverschannel.xml
+++ b/docs-xml/smbdotconf/security/serverschannel.xml
@@ -12,19 +12,37 @@
the hardcoded behavior in future).
-
- Samba will complain in the log files at log level 0,
- about the security problem if the option is not set to "yes".
-
-
- See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497
+ Avoid using this option! Use explicit 'no' instead!
- If you still have legacy domain members use the option.
+
+ Samba will log an error in the log files at log level 0
+ if legacy a client is rejected or allowed without an explicit,
+ 'no' option
+ for the client. The message will indicate
+ the explicit 'no'
+ line to be added, if the legacy client software requires it. (The log level can be adjusted with
+ '1'
+ in order to complain only at a higher log level).
+
+
+
+ This allows admins to use "auto" only for a short grace period,
+ in order to collect the explicit
+ 'no' options.
+
+
+
+ See CVE-2020-1472(ZeroLogon),
+ https://bugzilla.samba.org/show_bug.cgi?id=14497.
This option is over-ridden by the option.
+ This option is over-ridden by the effective value of 'yes' from
+ the ''
+ and/or '' options.
+
yes
@@ -48,6 +66,9 @@
about the security problem if the option is not set to "no",
but the related computer is actually using the netlogon
secure channel (schannel) feature.
+ (The log level can be adjusted with
+ '1'
+ in order to complain only at a higher log level).
@@ -56,15 +77,25 @@
- See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497
+ See CVE-2020-1472(ZeroLogon),
+ https://bugzilla.samba.org/show_bug.cgi?id=14497.
This option overrides the option.
+ This option is over-ridden by the effective value of 'yes' from
+ the ''
+ and/or '' options.
+ Which means 'no'
+ is only useful in combination with 'no'
+
server require schannel:LEGACYCOMPUTER1$ = no
+ server require schannel seal:LEGACYCOMPUTER1$ = no
server require schannel:NASBOX$ = no
+ server require schannel seal:NASBOX$ = no
server require schannel:LEGACYCOMPUTER2$ = no
+ server require schannel seal:LEGACYCOMPUTER2$ = no
diff --git a/docs-xml/smbdotconf/security/serverschannelrequireseal.xml b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml
new file mode 100644
index 00000000000..d4620d1252d
--- /dev/null
+++ b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml
@@ -0,0 +1,118 @@
+
+
+
+
+ This option is deprecated and will be removed in future,
+ as it is a security problem if not set to "yes" (which will be
+ the hardcoded behavior in future).
+
+
+
+ This option controls whether the netlogon server (currently
+ only in 'active directory domain controller' mode), will
+ reject the usage of netlogon secure channel without privacy/enryption.
+
+
+
+ The option is modelled after the registry key available on Windows.
+
+
+
+ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireSeal=2
+
+
+
+ Avoid using this option! Use the per computer account specific option
+ '' instead!
+ Which is available with the patches for
+ CVE-2022-38023
+ see https://bugzilla.samba.org/show_bug.cgi?id=15240.
+
+
+
+ Samba will log an error in the log files at log level 0
+ if legacy a client is rejected or allowed without an explicit,
+ 'no' option
+ for the client. The message will indicate
+ the explicit 'no'
+ line to be added, if the legacy client software requires it. (The log level can be adjusted with
+ '1'
+ in order to complain only at a higher log level).
+
+
+ This allows admins to use "no" only for a short grace period,
+ in order to collect the explicit
+ 'no' options.
+
+
+ When set to 'yes' this option overrides the
+ '' and
+ '' options and implies
+ 'yes'.
+
+
+
+ This option is over-ridden by the option.
+
+
+
+
+yes
+
+
+
+
+
+
+ If you still have legacy domain members, which required "server schannel require seal = no" before,
+ it is possible to specify explicit exception per computer account
+ by using 'server schannel require seal:COMPUTERACCOUNT = no' as option.
+ Note that COMPUTERACCOUNT has to be the sAMAccountName value of
+ the computer account (including the trailing '$' sign).
+
+
+
+ Samba will log a complaint in the log files at log level 0
+ about the security problem if the option is set to "no",
+ but the related computer does not require it.
+ (The log level can be adjusted with
+ '1'
+ in order to complain only at a higher log level).
+
+
+
+ Samba will warn in the log files at log level 5,
+ if a setting is still needed for the specified computer account.
+
+
+
+ See CVE-2022-38023,
+ https://bugzilla.samba.org/show_bug.cgi?id=15240.
+
+
+
+ This option overrides the '' option.
+
+
+
+ When set to 'yes' this option overrides the
+ '' and
+ '' options and implies
+ 'yes'.
+
+
+
+ server require schannel seal:LEGACYCOMPUTER1$ = no
+ server require schannel seal:NASBOX$ = no
+ server require schannel seal:LEGACYCOMPUTER2$ = no
+
+
+
+
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index e509cf85bb8..1dcc8061fa2 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2729,6 +2729,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "winbind nss info", "template");
lpcfg_do_global_parameter(lp_ctx, "server schannel", "True");
+ lpcfg_do_global_parameter(lp_ctx, "server schannel require seal", "True");
lpcfg_do_global_parameter(lp_ctx, "reject md5 clients", "True");
lpcfg_do_global_parameter(lp_ctx, "short preserve case", "True");
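Review bot: The default `"True"` for "server schannel require seal" added on the new line is set a second time, independently, in init_globals() in source3/param/loadparm.c (the hunk at -668,6), and nothing in either place points at the other; a short comment on the new line such as `/* secure by default; keep in sync with source3/param/loadparm.c init_globals() */` would make the pairing visible to the next maintainer, and the same note applies to the source3 hunk. The value itself is the right one: the new serverschannelrequireseal.xml describes the option as deprecated in favour of a hardcoded "yes" and models it on the Windows RequireSeal=2 key, so any default other than enforcement here would reopen the CVE-2022-38023 exposure those docs cite. The hunk appears to show one context line fewer at each edge than its @@ -2729,6 header announces, presumably blank lines lost in rendering. loadparm_init() starts and ends outside the hunk.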
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index c88d241bcf7..9bb5f4cf8cb 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -668,6 +668,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals.require_strong_key = true;
Globals.reject_md5_servers = true;
Globals.server_schannel = true;
+ Globals.server_schannel_require_seal = true;
Globals.reject_md5_clients = true;
Globals.read_raw = true;
Globals.write_raw = true;