From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 25 Nov 2022 13:02:11 +0000 (+0100)
Subject: CVE-2022-38023 docs-xml/smbdotconf: document "server reject md5 schannel:COMPUTERACCOUNT"
X-Git-Tag: samba-4.15.13~75
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b7f0e7f2ccc9c07b2daa0dc6d66ea117108e9a4f;p=thirdparty%2Fsamba.git

CVE-2022-38023 docs-xml/smbdotconf: document "server reject md5 schannel:COMPUTERACCOUNT"

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 2ad302b42254e3c2800aaf11669fe2e6d55fa8a1)
---

diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml
index bbd03a42db7..ee63e6cc245 100644
--- a/docs-xml/smbdotconf/logon/allownt4crypto.xml
+++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml
@@ -45,7 +45,9 @@
 	in order to collect the explicit
 	'<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' options.</para>
 
-	<para>This option is over-ridden by the '<smbconfoption name="reject md5 clients">yes</smbconfoption>' option.</para>
+	<para>This option is over-ridden by the effective value of 'yes' from
+	the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>'
+	and/or '<smbconfoption name="reject md5 clients"/>' options.</para>
 </description>
 
 <value type="default">no</value>
@@ -85,12 +87,19 @@
 
     <para>This option overrides the <smbconfoption name="allow nt4 crypto"/> option.</para>
 
-    <para>This option is over-ridden by the '<smbconfoption name="reject md5 clients">yes</smbconfoption>' option.</para>
+    <para>This option is over-ridden by the effective value of 'yes' from
+    the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>'
+    and/or '<smbconfoption name="reject md5 clients"/>' options.</para>
+    <para>Which means '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>'
+    is only useful in combination with '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'</para>
 
     <programlisting>
 	allow nt4 crypto:LEGACYCOMPUTER1$ = yes
+	server reject md5 schannel:LEGACYCOMPUTER1$ = no
 	allow nt4 crypto:NASBOX$ = yes
+	server reject md5 schannel:NASBOX$ = no
 	allow nt4 crypto:LEGACYCOMPUTER2$ = yes
+	server reject md5 schannel:LEGACYCOMPUTER2$ = no
     </programlisting>
 </description>
 
diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
index edcbe02e99a..fe7701d9277 100644
--- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml
+++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
@@ -1,8 +1,15 @@
 <samba:parameter name="reject md5 clients"
                  context="G"
                  type="boolean"
+                 deprecated="1"
                  xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
 <description>
+	<para>
+	This option is deprecated and will be removed in a future release,
+	as it is a security problem if not set to "yes" (which will be
+	the hardcoded behavior in the future).
+	</para>
+
 	<para>This option controls whether the netlogon server (currently
 	only in 'active directory domain controller' mode), will
 	reject clients which does not support NETLOGON_NEG_SUPPORTS_AES.</para>
@@ -10,13 +17,94 @@
 	<para>Support for NETLOGON_NEG_SUPPORTS_AES was added in Windows
 	starting with Server 2008R2 and Windows 7, it's available in Samba
 	starting with 4.0, however third party domain members like NetApp ONTAP
-	still uses RC4 (HMAC-MD5), see https://www.samba.org/samba/security/CVE-2022-38023.html for more details.</para>
+	still uses RC4 (HMAC-MD5), see
+	<ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">https://www.samba.org/samba/security/CVE-2022-38023.html</ulink>
+	for more details.
+	</para>
+
+	<para>The default changed from 'no' to 'yes', with the patches for
+	<ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
+	see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+	</para>
+
+	<para><emphasis>Avoid using this option!</emphasis> Use an explicit per machine account
+	'<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>' instead!
+	Which is available with the patches for
+	<ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
+	see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+	</para>
 
-	<para>The default changed from 'no' to 'yes', with the patches for CVE-2022-38023,
-	see https://bugzilla.samba.org/show_bug.cgi?id=15240</para>
+	<para>
+	Samba will log an error in the log files at log level 0
+	if legacy a client is rejected or allowed without an explicit,
+	'<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' option
+	for the client. The message will indicate
+	the explicit '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'
+	line to be added, if the legacy client software requires it. (The log level can be adjusted with
+	'<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>'
+	in order to complain only at a higher log level).
+	</para>
 
-	<para>This option overrides the 'allow nt4 crypto' option.</para>
+	<para>This allows admins to use "no" only for a short grace period,
+	in order to collect the explicit
+	'<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' options.</para>
+
+	<para>When set to 'yes' this option overrides the
+	'<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT"/>' and
+	'<smbconfoption name="allow nt4 crypto"/>' options and implies
+	'<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">no</smbconfoption>'.
+	</para>
 </description>
 
 <value type="default">yes</value>
 </samba:parameter>
+
+<samba:parameter name="server reject md5 schannel:COMPUTERACCOUNT"
+                 context="G"
+                 type="string"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+    <para>If you still have legacy domain members or trusted domains,
+	which required "reject md5 clients = no" before,
+	it is possible to specify an explicit exception per computer account
+	by setting 'server reject md5 schannel:COMPUTERACCOUNT = no'.
+	Note that COMPUTERACCOUNT has to be the sAMAccountName value of
+	the computer account (including the trailing '$' sign).
+    </para>
+
+    <para>
+	Samba will log a complaint in the log files at log level 0
+	about the security problem if the option is set to "no",
+	but the related computer does not require it.
+	(The log level can be adjusted with
+	'<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>'
+	in order to complain only at a higher log level).
+    </para>
+
+    <para>
+	Samba will log a warning in the log files at log level 5
+	if a setting is still needed for the specified computer account.
+    </para>
+
+    <para>
+	See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>,
+	<ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+    </para>
+
+    <para>This option overrides the <smbconfoption name="reject md5 clients"/> option.</para>
+
+    <para>When set to 'yes' this option overrides the
+    '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT"/>' and
+    '<smbconfoption name="allow nt4 crypto"/>' options and implies
+    '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">no</smbconfoption>'.
+    </para>
+
+    <programlisting>
+	server reject md5 schannel:LEGACYCOMPUTER1$ = no
+	server reject md5 schannel:NASBOX$ = no
+	server reject md5 schannel:LEGACYCOMPUTER2$ = no
+    </programlisting>
+</description>
+
+</samba:parameter>