mirror of
https://github.com/samba-team/samba.git
synced 2024-12-23 17:34:34 +03:00
80d0238679
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 2ad302b422
)
107 lines
4.7 KiB
XML
107 lines
4.7 KiB
XML
<samba:parameter name="allow nt4 crypto"
|
|
context="G"
|
|
type="boolean"
|
|
deprecated="1"
|
|
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
|
<description>
|
|
<para>
|
|
This option is deprecated and will be removed in future,
|
|
as it is a security problem if not set to "no" (which will be
|
|
the hardcoded behavior in future).
|
|
</para>
|
|
|
|
<para>This option controls whether the netlogon server (currently
|
|
only in 'active directory domain controller' mode), will
|
|
reject clients which do not support NETLOGON_NEG_STRONG_KEYS
|
|
nor NETLOGON_NEG_SUPPORTS_AES.</para>
|
|
|
|
<para>This option was added with Samba 4.2.0. It may lock out clients
|
|
which worked fine with Samba versions up to 4.1.x. as the effective default
|
|
was "yes" there, while it is "no" now.</para>
|
|
|
|
<para>If you have clients without RequireStrongKey = 1 in the registry,
|
|
you may need to set "allow nt4 crypto = yes", until you have fixed all clients.
|
|
</para>
|
|
|
|
<para>"allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks.</para>
|
|
|
|
<para><emphasis>Avoid using this option!</emphasis> Use explicit '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' instead!
|
|
Which is available with the patches for
|
|
<ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
|
|
see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink></para>
|
|
|
|
<para>
|
|
Samba will log an error in the log files at log level 0
|
|
if legacy a client is rejected or allowed without an explicit,
|
|
'<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' option
|
|
for the client. The message will indicate
|
|
the explicit '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>'
|
|
line to be added, if the legacy client software requires it. (The log level can be adjusted with
|
|
'<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>'
|
|
in order to complain only at a higher log level).
|
|
</para>
|
|
|
|
<para>This allows admins to use "yes" only for a short grace period,
|
|
in order to collect the explicit
|
|
'<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' options.</para>
|
|
|
|
<para>This option is over-ridden by the effective value of 'yes' from
|
|
the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>'
|
|
and/or '<smbconfoption name="reject md5 clients"/>' options.</para>
|
|
</description>
|
|
|
|
<value type="default">no</value>
|
|
</samba:parameter>
|
|
|
|
<samba:parameter name="allow nt4 crypto:COMPUTERACCOUNT"
|
|
context="G"
|
|
type="string"
|
|
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
|
<description>
|
|
|
|
<para>If you still have legacy domain members which required 'allow nt4 crypto = yes',
|
|
it is possible to specify an explicit exception per computer account
|
|
by using 'allow nt4 crypto:COMPUTERACCOUNT = yes' as option.
|
|
Note that COMPUTERACCOUNT has to be the sAMAccountName value of
|
|
the computer account (including the trailing '$' sign).
|
|
</para>
|
|
|
|
<para>
|
|
Samba will log a complaint in the log files at log level 0
|
|
about the security problem if the option is set to "yes",
|
|
but the related computer does not require it.
|
|
(The log level can be adjusted with
|
|
'<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>'
|
|
in order to complain only at a higher log level).
|
|
</para>
|
|
|
|
<para>
|
|
Samba will log a warning in the log files at log level 5,
|
|
if a setting is still needed for the specified computer account.
|
|
</para>
|
|
|
|
<para>
|
|
See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>,
|
|
<ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
|
|
</para>
|
|
|
|
<para>This option overrides the <smbconfoption name="allow nt4 crypto"/> option.</para>
|
|
|
|
<para>This option is over-ridden by the effective value of 'yes' from
|
|
the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>'
|
|
and/or '<smbconfoption name="reject md5 clients"/>' options.</para>
|
|
<para>Which means '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>'
|
|
is only useful in combination with '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'</para>
|
|
|
|
<programlisting>
|
|
allow nt4 crypto:LEGACYCOMPUTER1$ = yes
|
|
server reject md5 schannel:LEGACYCOMPUTER1$ = no
|
|
allow nt4 crypto:NASBOX$ = yes
|
|
server reject md5 schannel:NASBOX$ = no
|
|
allow nt4 crypto:LEGACYCOMPUTER2$ = yes
|
|
server reject md5 schannel:LEGACYCOMPUTER2$ = no
|
|
</programlisting>
|
|
</description>
|
|
|
|
</samba:parameter>
|