docs-xml/smbdotconf: add "server reject aes schannel[:COMPUTERACCOUNT]" options

This will be useful in order to require netr_ServerAuthenticateKerberos()

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml
index ee63e6cc24532ec05e0565aa7a7c27140a251d96..5b90ba58735f3f34dac943f2aa8e39c28b327bc1 100644 (file)
--- a/docs-xml/smbdotconf/logon/allownt4crypto.xml
+++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml
@@ -46,8 +46,10 @@
        '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' options.</para>
 
        <para>This option is over-ridden by the effective value of 'yes' from
-       the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>'
-       and/or '<smbconfoption name="reject md5 clients"/>' options.</para>
+       the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>',
+       '<smbconfoption name="reject md5 clients"/>',
+       '<smbconfoption name="server reject aes schannel:COMPUTERACCOUNT"/>',
+       and/or '<smbconfoption name="server reject aes schannel"/>' options.</para>
 </description>
 
 <value type="default">no</value>
@@ -88,18 +90,24 @@
     <para>This option overrides the <smbconfoption name="allow nt4 crypto"/> option.</para>
 
     <para>This option is over-ridden by the effective value of 'yes' from
-    the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>'
-    and/or '<smbconfoption name="reject md5 clients"/>' options.</para>
+    the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>',
+    '<smbconfoption name="reject md5 clients"/>',
+    '<smbconfoption name="server reject aes schannel:COMPUTERACCOUNT"/>'
+    and/or '<smbconfoption name="server reject aes schannel"/>' options.</para>
     <para>Which means '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>'
-    is only useful in combination with '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'</para>
+    is only useful in combination with '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'
+    and '<smbconfoption name="server reject aes schannel:COMPUTERACCOUNT">no</smbconfoption>'.</para>
 
     <programlisting>
        allow nt4 crypto:LEGACYCOMPUTER1$ = yes
        server reject md5 schannel:LEGACYCOMPUTER1$ = no
+       server reject aes schannel:LEGACYCOMPUTER1$ = no
        allow nt4 crypto:NASBOX$ = yes
        server reject md5 schannel:NASBOX$ = no
+       server reject aes schannel:NASBOX$ = no
        allow nt4 crypto:LEGACYCOMPUTER2$ = yes
        server reject md5 schannel:LEGACYCOMPUTER2$ = no
+       server reject aes schannel:LEGACYCOMPUTER2$ = no
     </programlisting>
 </description>
 

diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
index fe7701d92772605aef1ffcbe43af7bca3a25fff0..ee3cd19190461c4ad94b1dc69008896a2db41cc0 100644 (file)
--- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml
+++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
@@ -54,6 +54,10 @@
        '<smbconfoption name="allow nt4 crypto"/>' options and implies
        '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">no</smbconfoption>'.
        </para>
+
+       <para>This option is over-ridden by the effective value of 'yes' from
+       the '<smbconfoption name="server reject aes schannel:COMPUTERACCOUNT"/>'
+       and/or '<smbconfoption name="server reject aes schannel"/>' options.</para>
 </description>
 
 <value type="default">yes</value>
@@ -100,10 +104,19 @@
     '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">no</smbconfoption>'.
     </para>
 
+    <para>This option is over-ridden by the effective value of 'yes' from
+    the '<smbconfoption name="server reject aes schannel:COMPUTERACCOUNT"/>'
+    and/or '<smbconfoption name="server reject aes schannel"/>' options.</para>
+    <para>Which means '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'
+    is only useful in combination with '<smbconfoption name="server reject aes schannel:COMPUTERACCOUNT">no</smbconfoption>'.</para>
+
     <programlisting>
        server reject md5 schannel:LEGACYCOMPUTER1$ = no
+       server reject aes schannel:LEGACYCOMPUTER1$ = no
        server reject md5 schannel:NASBOX$ = no
+       server reject aes schannel:NASBOX$ = no
        server reject md5 schannel:LEGACYCOMPUTER2$ = no
+       server reject aes schannel:LEGACYCOMPUTER2$ = no
     </programlisting>
 </description>
 

diff --git a/docs-xml/smbdotconf/logon/serverrejectaesschannel.xml b/docs-xml/smbdotconf/logon/serverrejectaesschannel.xml
new file mode 100644 (file)
index 0000000..5c6ad5a
--- /dev/null
+++ b/docs-xml/smbdotconf/logon/serverrejectaesschannel.xml
@@ -0,0 +1,113 @@
+<samba:parameter name="server reject aes schannel"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+       <para><emphasis>This option is experimental for now!</emphasis>
+       </para>
+
+       <para>This option controls whether the netlogon server (currently
+       only in 'active directory domain controller' mode), will
+       reject clients which do not support ServerAuthenticateKerberos.</para>
+
+       <para>Support for ServerAuthenticateKerberos was added in Windows
+       starting with Server 2025, it's available in Samba starting with 4.22
+       (but disabled by default).
+       </para>
+
+       <para>Note this options is not really related to security problems
+       behind CVE_2022_38023, but it still uses the debug level related
+       logic and options.</para>
+
+       <para>
+       Samba will log an error in the log files at log level 0
+       if legacy a client is rejected without an explicit,
+       '<smbconfoption name="server reject aes schannel:COMPUTERACCOUNT">no</smbconfoption>' option
+       for the client. The message will indicate
+       the explicit '<smbconfoption name="server reject aes schannel:COMPUTERACCOUNT">no</smbconfoption>'
+       line to be added, if the client software requires it. (The log level can be adjusted with
+       '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>'
+       in order to complain only at a higher log level).
+       </para>
+
+       <para>
+       Samba will log a message in the log files at log level 5
+       if a client is allowed without an explicit,
+       '<smbconfoption name="server reject aes schannel:COMPUTERACCOUNT">no</smbconfoption>' option
+       for the client. The message will indicate
+       the explicit '<smbconfoption name="server reject aes schannel:COMPUTERACCOUNT">no</smbconfoption>'
+       line to be added, if the client software requires it. (The log level can be adjusted with
+       '<smbconfoption name="NETLOGON_AES:usage_debug_level">0</smbconfoption>'
+       in order to complain only at a lower or higher log level).
+       This can we used to prepare the configuration before changing to
+       '<smbconfoption name="server reject aes schannel">yes</smbconfoption>'
+       </para>
+
+       <para>Admins can use
+       '<smbconfoption name="server reject aes schannel:COMPUTERACCOUNT">no/yes</smbconfoption>' options in
+       order to have more control</para>
+
+       <para>When set to 'yes' this option overrides the
+       '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>' and
+       '<smbconfoption name="reject md5 clients"/>' options and implies
+       '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'.
+       </para>
+
+       <para>For now '<smbconfoption name="server reject aes schannel"/>'
+       is EXPERIMENTAL and should not be configured explicitly.</para>
+</description>
+
+<value type="default">no</value>
+<value type="example">yes</value>
+</samba:parameter>
+
+<samba:parameter name="server reject aes schannel:COMPUTERACCOUNT"
+                 context="G"
+                 type="string"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+    <para>If the time has come and most domain members or trusted domains
+       support ServerAuthenticateKerberos, admins may want to use "server reject aes schannel = yes".
+       It is possible to specify an explicit exception per computer account
+       by setting 'server reject aes schannel:COMPUTERACCOUNT = no'.
+       Note that COMPUTERACCOUNT has to be the sAMAccountName value of
+       the computer account (including the trailing '$' sign).
+    </para>
+
+    <para>Note this options is not really related to security problems
+       behind CVE_2022_38023, but it still uses the debug level related
+       logic and options.
+    </para>
+
+    <para>
+       Samba will log a complaint in the log files at log level 0
+       about the security problem if the option is set to "no",
+       but the related computer does not require it.
+       (The log level can be adjusted with
+       '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>'
+       in order to complain only at a higher log level).
+    </para>
+
+    <para>
+       Samba will log a warning in the log files at log level 5
+       if a setting is still needed for the specified computer account.
+    </para>
+
+    <para>This option overrides the <smbconfoption name="server reject aes schannel"/> option.</para>
+
+    <para>When set to 'yes' this option overrides the
+    '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>' and
+    '<smbconfoption name="reject md5 clients"/>' options and implies
+    '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'.
+    </para>
+
+    <programlisting>
+       server reject aes schannel:LEGACYCOMPUTER1$ = no
+       server reject aes schannel:NASBOX$ = no
+       server reject aes schannel:LEGACYCOMPUTER2$ = no
+       server reject aes schannel:HIGHPRIVACYSRV$ = yes
+    </programlisting>
+</description>
+
+</samba:parameter>