mirror of
https://github.com/samba-team/samba.git
synced 2025-01-05 09:18:06 +03:00
d1790a0b5a
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
72 lines
2.3 KiB
XML
72 lines
2.3 KiB
XML
<samba:parameter name="server schannel"
|
|
context="G"
|
|
type="enum"
|
|
enumlist="enum_bool_auto"
|
|
deprecated="1"
|
|
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
|
<description>
|
|
|
|
<para>
|
|
This option is deprecated and will be removed in future,
|
|
as it is a security problem if not set to "yes" (which will be
|
|
the hardcoded behavior in future).
|
|
</para>
|
|
|
|
<para>
|
|
Samba will complain in the log files at log level 0,
|
|
about the security problem if the option is not set to "yes".
|
|
</para>
|
|
<para>
|
|
See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497
|
|
</para>
|
|
|
|
<para>If you still have legacy domain members use the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.
|
|
</para>
|
|
|
|
<para>This option yields precedence to the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.</para>
|
|
|
|
</description>
|
|
|
|
<value type="default">yes</value>
|
|
</samba:parameter>
|
|
|
|
<samba:parameter name="server require schannel:COMPUTERACCOUNT"
|
|
context="G"
|
|
type="string"
|
|
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
|
<description>
|
|
|
|
<para>If you still have legacy domain members, which required "server schannel = auto" before,
|
|
it is possible to specify explicit expection per computer account
|
|
by using 'server require schannel:COMPUTERACCOUNT = no' as option.
|
|
Note that COMPUTERACCOUNT has to be the sAMAccountName value of
|
|
the computer account (including the trailing '$' sign).
|
|
</para>
|
|
|
|
<para>
|
|
Samba will complain in the log files at log level 0,
|
|
about the security problem if the option is not set to "no",
|
|
but the related computer is actually using the netlogon
|
|
secure channel (schannel) feature.
|
|
</para>
|
|
|
|
<para>
|
|
Samba will warn in the log files at log level 5,
|
|
if a setting is still needed for the specified computer account.
|
|
</para>
|
|
|
|
<para>
|
|
See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497
|
|
</para>
|
|
|
|
<para>This option takes precedence to the <smbconfoption name="server schannel"/> option.</para>
|
|
|
|
<programlisting>
|
|
server require schannel:LEGACYCOMPUTER1$ = no
|
|
server require schannel:NASBOX$ = no
|
|
server require schannel:LEGACYCOMPUTER2$ = no
|
|
</programlisting>
|
|
</description>
|
|
|
|
</samba:parameter>
|