docs-xml/smbdotconf: add "reject aes netlogon servers" option
authorStefan Metzmacher <metze@samba.org>
Thu, 7 Nov 2024 11:41:05 +0000 (12:41 +0100)
committerStefan Metzmacher <metze@samba.org>
Mon, 13 Jan 2025 23:40:30 +0000 (23:40 +0000)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
docs-xml/smbdotconf/winbind/rejectaesnetlogonservers.xml [new file with mode: 0644]
docs-xml/smbdotconf/winbind/rejectmd5servers.xml

diff --git a/docs-xml/smbdotconf/winbind/rejectaesnetlogonservers.xml b/docs-xml/smbdotconf/winbind/rejectaesnetlogonservers.xml
new file mode 100644 (file)
index 0000000..202f00c
--- /dev/null
@@ -0,0 +1,29 @@
+<samba:parameter name="reject aes netlogon servers"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+       <para>This option controls whether winbindd requires support
+       for ServerAuthenticateKerberos support for the netlogon secure channel.</para>
+
+       <para>Support for ServerAuthenticateKerberos was added in Windows
+       starting with Server 2025, it's available in Samba active directory domain controllers
+       starting with 4.22 with the '<smbconfoption name="server support krb5 netlogon">yes</smbconfoption>' option,
+       which is disabled by default.
+       </para>
+
+       <para>The following flags will be required: NETLOGON_NEG_PASSWORD_SET2,
+       NETLOGON_NEG_SUPPORTS_KERBEROS_AUTH and NETLOGON_NEG_AUTHENTICATED_RPC.</para>
+
+       <para>You can set this to yes if all domain controllers support
+       ServerAuthenticateKerberos.
+       This will prevent downgrade attacks.</para>
+
+       <para>The behavior can be controlled per netbios domain
+       by using 'reject aes netlogon servers:NETBIOSDOMAIN = no' as option.</para>
+
+       <para>This option overrides the <smbconfoption name="reject md5 servers"/> option.</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
index 3bc4eaf7b02e2a99f7ffb7be087d4c77731bd54b..1d6e0c8ad6d2b4cfaba8e9c9ccdc503ea056a717 100644 (file)
@@ -18,6 +18,8 @@
        <para>The default changed from 'no' to 'yes, with the patches for CVE-2022-38023,
        see https://bugzilla.samba.org/show_bug.cgi?id=15240</para>
 
+       <para>This option is over-ridden by the <smbconfoption name="reject aes netlogon servers"/> option.</para>
+
        <para>This option overrides the <smbconfoption name="require strong key"/> option.</para>
 </description>