From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 30 Nov 2022 14:13:47 +0000 (+0100)
Subject: CVE-2022-38023 testparm: warn about server/client schannel != yes
X-Git-Tag: samba-4.15.13~67
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=28ac3faa51c66b005a90c527393fa7c2d43d4c31;p=thirdparty%2Fsamba.git

CVE-2022-38023 testparm: warn about server/client schannel != yes

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit f964c0c357214637f80d0089723b9b11d1b38f7e)
---

diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
index 58ba46bc15f..dd8acb58ff7 100644
--- a/source3/utils/testparm.c
+++ b/source3/utils/testparm.c
@@ -598,11 +598,25 @@ static int do_global_checks(void)
 		ret = 1;
 	}
 
-	if (!lp_server_schannel()) {
+	if (lp_server_schannel() != true) { /* can be 'auto' */
 		fprintf(stderr,
-			"WARNING: You have configured 'server schannel = no'. "
+			"WARNING: You have not configured "
+			"'server schannel = yes' (the default). "
 			"Your server is vulernable to \"ZeroLogon\" "
-			"(CVE-2020-1472)\n\n");
+			"(CVE-2020-1472)\n"
+			"If required use individual "
+			"'server require schannel:COMPUTERACCOUNT$ = no' "
+			"options\n\n");
+	}
+	if (lp_client_schannel() != true) { /* can be 'auto' */
+		fprintf(stderr,
+			"WARNING: You have not configured "
+			"'client schannel = yes' (the default). "
+			"Your server is vulernable to \"ZeroLogon\" "
+			"(CVE-2020-1472)\n"
+			"If required use individual "
+			"'client schannel:NETBIOSDOMAIN = no' "
+			"options\n\n");
 	}
 
 	return ret;