docs-xml/smbdotconf: add "server reject aes schannel[:COMPUTERACCOUNT]" options

This will be useful in order to require netr_ServerAuthenticateKerberos()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

docs-xml/smbdotconf/logon/allownt4crypto.xml

@@ -46,8 +46,10 @@
 	'<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' options.</para>
 
 	<para>This option is over-ridden by the effective value of 'yes' from
-	the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>'
-	and/or '<smbconfoption name="reject md5 clients"/>' options.</para>
+	the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>',
+	'<smbconfoption name="reject md5 clients"/>',
+	'<smbconfoption name="server reject aes schannel:COMPUTERACCOUNT"/>',
+	and/or '<smbconfoption name="server reject aes schannel"/>' options.</para>
 </description>
 
 <value type="default">no</value>
@@ -88,18 +90,24 @@
     <para>This option overrides the <smbconfoption name="allow nt4 crypto"/> option.</para>
 
     <para>This option is over-ridden by the effective value of 'yes' from
-    the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>'
-    and/or '<smbconfoption name="reject md5 clients"/>' options.</para>
+    the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>',
+    '<smbconfoption name="reject md5 clients"/>',
+    '<smbconfoption name="server reject aes schannel:COMPUTERACCOUNT"/>'
+    and/or '<smbconfoption name="server reject aes schannel"/>' options.</para>
     <para>Which means '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>'
-    is only useful in combination with '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'</para>
+    is only useful in combination with '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'
+    and '<smbconfoption name="server reject aes schannel:COMPUTERACCOUNT">no</smbconfoption>'.</para>
 
     <programlisting>
 	allow nt4 crypto:LEGACYCOMPUTER1$ = yes
 	server reject md5 schannel:LEGACYCOMPUTER1$ = no
+	server reject aes schannel:LEGACYCOMPUTER1$ = no
 	allow nt4 crypto:NASBOX$ = yes
 	server reject md5 schannel:NASBOX$ = no
+	server reject aes schannel:NASBOX$ = no
 	allow nt4 crypto:LEGACYCOMPUTER2$ = yes
 	server reject md5 schannel:LEGACYCOMPUTER2$ = no
+	server reject aes schannel:LEGACYCOMPUTER2$ = no
     </programlisting>
 </description>
 

docs-xml/smbdotconf/logon/rejectmd5clients.xml

@@ -54,6 +54,10 @@
 	'<smbconfoption name="allow nt4 crypto"/>' options and implies
 	'<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">no</smbconfoption>'.
 	</para>
+
+	<para>This option is over-ridden by the effective value of 'yes' from
+	the '<smbconfoption name="server reject aes schannel:COMPUTERACCOUNT"/>'
+	and/or '<smbconfoption name="server reject aes schannel"/>' options.</para>
 </description>
 
 <value type="default">yes</value>
@@ -100,10 +104,19 @@
     '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">no</smbconfoption>'.
     </para>
 
+    <para>This option is over-ridden by the effective value of 'yes' from
+    the '<smbconfoption name="server reject aes schannel:COMPUTERACCOUNT"/>'
+    and/or '<smbconfoption name="server reject aes schannel"/>' options.</para>
+    <para>Which means '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'
+    is only useful in combination with '<smbconfoption name="server reject aes schannel:COMPUTERACCOUNT">no</smbconfoption>'.</para>
+
     <programlisting>
 	server reject md5 schannel:LEGACYCOMPUTER1$ = no
+	server reject aes schannel:LEGACYCOMPUTER1$ = no
 	server reject md5 schannel:NASBOX$ = no
+	server reject aes schannel:NASBOX$ = no
 	server reject md5 schannel:LEGACYCOMPUTER2$ = no
+	server reject aes schannel:LEGACYCOMPUTER2$ = no
     </programlisting>
 </description>
 

docs-xml/smbdotconf/logon/serverrejectaesschannel.xml

@@ -0,0 +1,113 @@
+<samba:parameter name="server reject aes schannel"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para><emphasis>This option is experimental for now!</emphasis>
+	</para>
+
+	<para>This option controls whether the netlogon server (currently
+	only in 'active directory domain controller' mode), will
+	reject clients which do not support ServerAuthenticateKerberos.</para>
+
+	<para>Support for ServerAuthenticateKerberos was added in Windows
+	starting with Server 2025, it's available in Samba starting with 4.22
+	(but disabled by default).
+	</para>
+
+	<para>Note this options is not really related to security problems
+	behind CVE_2022_38023, but it still uses the debug level related
+	logic and options.</para>
+
+	<para>
+	Samba will log an error in the log files at log level 0
+	if legacy a client is rejected without an explicit,
+	'<smbconfoption name="server reject aes schannel:COMPUTERACCOUNT">no</smbconfoption>' option
+	for the client. The message will indicate
+	the explicit '<smbconfoption name="server reject aes schannel:COMPUTERACCOUNT">no</smbconfoption>'
+	line to be added, if the client software requires it. (The log level can be adjusted with
+	'<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>'
+	in order to complain only at a higher log level).
+	</para>
+
+	<para>
+	Samba will log a message in the log files at log level 5
+	if a client is allowed without an explicit,
+	'<smbconfoption name="server reject aes schannel:COMPUTERACCOUNT">no</smbconfoption>' option
+	for the client. The message will indicate
+	the explicit '<smbconfoption name="server reject aes schannel:COMPUTERACCOUNT">no</smbconfoption>'
+	line to be added, if the client software requires it. (The log level can be adjusted with
+	'<smbconfoption name="NETLOGON_AES:usage_debug_level">0</smbconfoption>'
+	in order to complain only at a lower or higher log level).
+	This can we used to prepare the configuration before changing to
+	'<smbconfoption name="server reject aes schannel">yes</smbconfoption>'
+	</para>
+
+	<para>Admins can use
+	'<smbconfoption name="server reject aes schannel:COMPUTERACCOUNT">no/yes</smbconfoption>' options in
+	order to have more control</para>
+
+	<para>When set to 'yes' this option overrides the
+	'<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>' and
+	'<smbconfoption name="reject md5 clients"/>' options and implies
+	'<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'.
+	</para>
+
+	<para>For now '<smbconfoption name="server reject aes schannel"/>'
+	is EXPERIMENTAL and should not be configured explicitly.</para>
+</description>
+
+<value type="default">no</value>
+<value type="example">yes</value>
+</samba:parameter>
+
+<samba:parameter name="server reject aes schannel:COMPUTERACCOUNT"
+                 context="G"
+                 type="string"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+    <para>If the time has come and most domain members or trusted domains
+	support ServerAuthenticateKerberos, admins may want to use "server reject aes schannel = yes".
+	It is possible to specify an explicit exception per computer account
+	by setting 'server reject aes schannel:COMPUTERACCOUNT = no'.
+	Note that COMPUTERACCOUNT has to be the sAMAccountName value of
+	the computer account (including the trailing '$' sign).
+    </para>
+
+    <para>Note this options is not really related to security problems
+	behind CVE_2022_38023, but it still uses the debug level related
+	logic and options.
+    </para>
+
+    <para>
+	Samba will log a complaint in the log files at log level 0
+	about the security problem if the option is set to "no",
+	but the related computer does not require it.
+	(The log level can be adjusted with
+	'<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>'
+	in order to complain only at a higher log level).
+    </para>
+
+    <para>
+	Samba will log a warning in the log files at log level 5
+	if a setting is still needed for the specified computer account.
+    </para>
+
+    <para>This option overrides the <smbconfoption name="server reject aes schannel"/> option.</para>
+
+    <para>When set to 'yes' this option overrides the
+    '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>' and
+    '<smbconfoption name="reject md5 clients"/>' options and implies
+    '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'.
+    </para>
+
+    <programlisting>
+	server reject aes schannel:LEGACYCOMPUTER1$ = no
+	server reject aes schannel:NASBOX$ = no
+	server reject aes schannel:LEGACYCOMPUTER2$ = no
+	server reject aes schannel:HIGHPRIVACYSRV$ = yes
+    </programlisting>
+</description>
+
+</samba:parameter>