1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
samba-mirror/docs-xml/smbdotconf/security/serverschannelrequireseal.xml
2023-01-09 14:23:36 +00:00

118 lines
4.4 KiB
XML

<samba:parameter name="server schannel require seal"
context="G"
type="boolean"
deprecated="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>
This option is deprecated and will be removed in future,
as it is a security problem if not set to "yes" (which will be
the hardcoded behavior in future).
</para>
<para>
This option controls whether the netlogon server, will reject the usage
of netlogon secure channel without privacy/enryption.
</para>
<para>
The option is modelled after the registry key available on Windows.
</para>
<programlisting>
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireSeal=2
</programlisting>
<para>
<emphasis>Avoid using this option!</emphasis> Use the per computer account specific option
'<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>' instead!
Which is available with the patches for
<ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
</para>
<para>
Samba will log an error in the log files at log level 0
if legacy a client is rejected or allowed without an explicit,
'<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>' option
for the client. The message will indicate
the explicit '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>'
line to be added, if the legacy client software requires it. (The log level can be adjusted with
'<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>'
in order to complain only at a higher log level).
</para>
<para>This allows admins to use "no" only for a short grace period,
in order to collect the explicit
'<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>' options.</para>
<para>
When set to 'yes' this option overrides the
'<smbconfoption name="server require schannel:COMPUTERACCOUNT"/>' and
'<smbconfoption name="server schannel"/>' options and implies
'<smbconfoption name="server require schannel:COMPUTERACCOUNT">yes</smbconfoption>'.
</para>
<para>
This option is over-ridden by the <smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/> option.
</para>
</description>
<value type="default">yes</value>
</samba:parameter>
<samba:parameter name="server schannel require seal:COMPUTERACCOUNT"
context="G"
type="string"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>
If you still have legacy domain members, which required "server schannel require seal = no" before,
it is possible to specify explicit exception per computer account
by using 'server schannel require seal:COMPUTERACCOUNT = no' as option.
Note that COMPUTERACCOUNT has to be the sAMAccountName value of
the computer account (including the trailing '$' sign).
</para>
<para>
Samba will log a complaint in the log files at log level 0
about the security problem if the option is set to "no",
but the related computer does not require it.
(The log level can be adjusted with
'<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>'
in order to complain only at a higher log level).
</para>
<para>
Samba will warn in the log files at log level 5,
if a setting is still needed for the specified computer account.
</para>
<para>
See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>,
<ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
</para>
<para>
This option overrides the '<smbconfoption name="server schannel require seal"/>' option.
</para>
<para>
When set to 'yes' this option overrides the
'<smbconfoption name="server require schannel:COMPUTERACCOUNT"/>' and
'<smbconfoption name="server schannel"/>' options and implies
'<smbconfoption name="server require schannel:COMPUTERACCOUNT">yes</smbconfoption>'.
</para>
<programlisting>
server require schannel seal:LEGACYCOMPUTER1$ = no
server require schannel seal:NASBOX$ = no
server require schannel seal:LEGACYCOMPUTER2$ = no
</programlisting>
</description>
</samba:parameter>