mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

CVE-2022-38023 docs-xml/smbdotconf: add "server schannel require seal[:COMPUTERACCOUNT]" options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 7732a4b0bd)
This commit is contained in:
Stefan Metzmacher 2022-11-25 16:53:35 +01:00
parent 9f809e2dd3
commit d04da3d700
4 changed files with 159 additions and 8 deletions

View File

@ -12,19 +12,37 @@
the hardcoded behavior in future).
</para>
<para>
Samba will complain in the log files at log level 0,
about the security problem if the option is not set to "yes".
</para>
<para>
See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497
<para><emphasis>Avoid using this option!</emphasis> Use explicit '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' instead!
</para>
<para>If you still have legacy domain members use the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.
<para>
Samba will log an error in the log files at log level 0
if legacy a client is rejected or allowed without an explicit,
'<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' option
for the client. The message will indicate
the explicit '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>'
line to be added, if the legacy client software requires it. (The log level can be adjusted with
'<smbconfoption name="CVE_2020_1472:error_debug_level">1</smbconfoption>'
in order to complain only at a higher log level).
</para>
<para>
This allows admins to use "auto" only for a short grace period,
in order to collect the explicit
'<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' options.
</para>
<para>
See <ulink url="https://www.samba.org/samba/security/CVE-2020-1472.html">CVE-2020-1472(ZeroLogon)</ulink>,
<ulink url="https://bugzilla.samba.org/show_bug.cgi?id=14497">https://bugzilla.samba.org/show_bug.cgi?id=14497</ulink>.
</para>
<para>This option is over-ridden by the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.</para>
<para>This option is over-ridden by the effective value of 'yes' from
the '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>'
and/or '<smbconfoption name="server schannel require seal"/>' options.</para>
</description>
<value type="default">yes</value>
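Review bot: the new error-logging paragraph has a word-order typo, "if legacy a client is rejected or allowed without an explicit," which should read "if a legacy client is rejected or allowed without an explicit" (the comma after "explicit" is also stray); the same sentence is copied into the new parameter file added by this commit and needs the same fix there. Minor style point: this hunk spells "over-ridden" while the neighbouring paragraph in the same file uses "overrides"; pick one form for the whole docs-xml tree.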
@ -48,6 +66,9 @@
about the security problem if the option is not set to "no",
but the related computer is actually using the netlogon
secure channel (schannel) feature.
(The log level can be adjusted with
'<smbconfoption name="CVE_2020_1472:warn_about_unused_debug_level">1</smbconfoption>'
in order to complain only at a higher log level).
</para>
<para>
@ -56,15 +77,25 @@
</para>
<para>
See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497
See <ulink url="https://www.samba.org/samba/security/CVE-2020-1472.html">CVE-2020-1472(ZeroLogon)</ulink>,
<ulink url="https://bugzilla.samba.org/show_bug.cgi?id=14497">https://bugzilla.samba.org/show_bug.cgi?id=14497</ulink>.
</para>
<para>This option overrides the <smbconfoption name="server schannel"/> option.</para>
<para>This option is over-ridden by the effective value of 'yes' from
the '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>'
and/or '<smbconfoption name="server schannel require seal"/>' options.</para>
<para>Which means '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>'
is only useful in combination with '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>'</para>
<programlisting>
server require schannel:LEGACYCOMPUTER1$ = no
server require schannel seal:LEGACYCOMPUTER1$ = no
server require schannel:NASBOX$ = no
server require schannel seal:NASBOX$ = no
server require schannel:LEGACYCOMPUTER2$ = no
server require schannel seal:LEGACYCOMPUTER2$ = no
</programlisting>
</description>
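Review bot: the option name in the programlisting is wrong. The example lines "server require schannel seal:LEGACYCOMPUTER1$ = no" (and the NASBOX$ and LEGACYCOMPUTER2$ lines) do not match the option this commit introduces, which the paragraph directly above names as "server schannel require seal:COMPUTERACCOUNT". Because colon-style parametric options are not validated at smb.conf parse time, an admin copying the example verbatim would get no error and the intended per-account exception would silently not apply; the lines should read "server schannel require seal:LEGACYCOMPUTER1$ = no". The preceding sentence ("is only useful in combination with ...") is also missing its terminating period.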

View File

@ -0,0 +1,118 @@
<samba:parameter name="server schannel require seal"
context="G"
type="boolean"
deprecated="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>
This option is deprecated and will be removed in future,
as it is a security problem if not set to "yes" (which will be
the hardcoded behavior in future).
</para>
<para>
This option controls whether the netlogon server (currently
only in 'active directory domain controller' mode), will
reject the usage of netlogon secure channel without privacy/enryption.
</para>
<para>
The option is modelled after the registry key available on Windows.
</para>
<programlisting>
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireSeal=2
</programlisting>
<para>
<emphasis>Avoid using this option!</emphasis> Use the per computer account specific option
'<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>' instead!
Which is available with the patches for
<ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
</para>
<para>
Samba will log an error in the log files at log level 0
if legacy a client is rejected or allowed without an explicit,
'<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>' option
for the client. The message will indicate
the explicit '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>'
line to be added, if the legacy client software requires it. (The log level can be adjusted with
'<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>'
in order to complain only at a higher log level).
</para>
<para>This allows admins to use "no" only for a short grace period,
in order to collect the explicit
'<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>' options.</para>
<para>
When set to 'yes' this option overrides the
'<smbconfoption name="server require schannel:COMPUTERACCOUNT"/>' and
'<smbconfoption name="server schannel"/>' options and implies
'<smbconfoption name="server require schannel:COMPUTERACCOUNT">yes</smbconfoption>'.
</para>
<para>
This option is over-ridden by the <smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/> option.
</para>
</description>
<value type="default">yes</value>
</samba:parameter>
<samba:parameter name="server schannel require seal:COMPUTERACCOUNT"
context="G"
type="string"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>
If you still have legacy domain members, which required "server schannel require seal = no" before,
it is possible to specify explicit exception per computer account
by using 'server schannel require seal:COMPUTERACCOUNT = no' as option.
Note that COMPUTERACCOUNT has to be the sAMAccountName value of
the computer account (including the trailing '$' sign).
</para>
<para>
Samba will log a complaint in the log files at log level 0
about the security problem if the option is set to "no",
but the related computer does not require it.
(The log level can be adjusted with
'<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>'
in order to complain only at a higher log level).
</para>
<para>
Samba will warn in the log files at log level 5,
if a setting is still needed for the specified computer account.
</para>
<para>
See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>,
<ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
</para>
<para>
This option overrides the '<smbconfoption name="server schannel require seal"/>' option.
</para>
<para>
When set to 'yes' this option overrides the
'<smbconfoption name="server require schannel:COMPUTERACCOUNT"/>' and
'<smbconfoption name="server schannel"/>' options and implies
'<smbconfoption name="server require schannel:COMPUTERACCOUNT">yes</smbconfoption>'.
</para>
<programlisting>
server require schannel seal:LEGACYCOMPUTER1$ = no
server require schannel seal:NASBOX$ = no
server require schannel seal:LEGACYCOMPUTER2$ = no
</programlisting>
</description>
</samba:parameter>
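Review bot: the same option-name error appears in this file's programlisting: "server require schannel seal:LEGACYCOMPUTER1$ = no", "server require schannel seal:NASBOX$ = no" and "server require schannel seal:LEGACYCOMPUTER2$ = no" must use "server schannel require seal:..." to match the parameter name declared in the samba:parameter element a few lines above, otherwise the documented exception syntax does not work. Typos to fix in the same file: "privacy/enryption" should be "privacy/encryption", and "if legacy a client is rejected" should be "if a legacy client is rejected" (with the stray comma after "explicit" dropped). Style: the first paragraph of the COMPUTERACCOUNT variant quotes the option names as plain strings ('server schannel require seal:COMPUTERACCOUNT = no') while the rest of the file wraps them in <smbconfoption>; using the element consistently keeps the generated man page cross-links intact. The "over-ridden"/"overrides" spelling is also mixed within this one file.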

View File

@ -2725,6 +2725,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "winbind nss info", "template");
lpcfg_do_global_parameter(lp_ctx, "server schannel", "True");
lpcfg_do_global_parameter(lp_ctx, "server schannel require seal", "True");
lpcfg_do_global_parameter(lp_ctx, "reject md5 clients", "True");
lpcfg_do_global_parameter(lp_ctx, "short preserve case", "True");

View File

@ -666,6 +666,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals.require_strong_key = true;
Globals.reject_md5_servers = true;
Globals.server_schannel = true;
Globals.server_schannel_require_seal = true;
Globals.reject_md5_clients = true;
Globals.read_raw = true;
Globals.write_raw = true;