From: Stefan Metzmacher Date: Fri, 25 Nov 2022 15:53:35 +0000 (+0100) Subject: CVE-2022-38023 docs-xml/smbdotconf: add "server schannel require seal[:COMPUTERACCOUN... X-Git-Tag: samba-4.15.13~70 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dba546dbfa5dcaa22ed828c2f5b7fa9c8cb6242e;p=thirdparty%2Fsamba.git CVE-2022-38023 docs-xml/smbdotconf: add "server schannel require seal[:COMPUTERACCOUNT]" options BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Ralph Boehme (cherry picked from commit 7732a4b0bde1d9f98a0371f17d22648495329470) --- diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml index 3e66df1c203..42a657912ca 100644 --- a/docs-xml/smbdotconf/security/serverschannel.xml +++ b/docs-xml/smbdotconf/security/serverschannel.xml @@ -12,19 +12,37 @@ the hardcoded behavior in future). - - Samba will complain in the log files at log level 0, - about the security problem if the option is not set to "yes". + Avoid using this option! Use explicit 'no' instead! + + + Samba will log an error in the log files at log level 0 + if legacy a client is rejected or allowed without an explicit, + 'no' option + for the client. The message will indicate + the explicit 'no' + line to be added, if the legacy client software requires it. (The log level can be adjusted with + '1' + in order to complain only at a higher log level). + + - See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497 + This allows admins to use "auto" only for a short grace period, + in order to collect the explicit + 'no' options. - If you still have legacy domain members use the option. + + See CVE-2020-1472(ZeroLogon), + https://bugzilla.samba.org/show_bug.cgi?id=14497. This option is over-ridden by the option. + This option is over-ridden by the effective value of 'yes' from + the '' + and/or '' options. + yes @@ -48,6 +66,9 @@ about the security problem if the option is not set to "no", but the related computer is actually using the netlogon secure channel (schannel) feature. + (The log level can be adjusted with + '1' + in order to complain only at a higher log level). @@ -56,15 +77,25 @@ - See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497 + See CVE-2020-1472(ZeroLogon), + https://bugzilla.samba.org/show_bug.cgi?id=14497. This option overrides the option. + This option is over-ridden by the effective value of 'yes' from + the '' + and/or '' options. + Which means 'no' + is only useful in combination with 'no' + server require schannel:LEGACYCOMPUTER1$ = no + server require schannel seal:LEGACYCOMPUTER1$ = no server require schannel:NASBOX$ = no + server require schannel seal:NASBOX$ = no server require schannel:LEGACYCOMPUTER2$ = no + server require schannel seal:LEGACYCOMPUTER2$ = no diff --git a/docs-xml/smbdotconf/security/serverschannelrequireseal.xml b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml new file mode 100644 index 00000000000..d4620d1252d --- /dev/null +++ b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml @@ -0,0 +1,118 @@ + + + + + This option is deprecated and will be removed in future, + as it is a security problem if not set to "yes" (which will be + the hardcoded behavior in future). + + + + This option controls whether the netlogon server (currently + only in 'active directory domain controller' mode), will + reject the usage of netlogon secure channel without privacy/enryption. + + + + The option is modelled after the registry key available on Windows. + + + + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireSeal=2 + + + + Avoid using this option! Use the per computer account specific option + '' instead! + Which is available with the patches for + CVE-2022-38023 + see https://bugzilla.samba.org/show_bug.cgi?id=15240. + + + + Samba will log an error in the log files at log level 0 + if legacy a client is rejected or allowed without an explicit, + 'no' option + for the client. The message will indicate + the explicit 'no' + line to be added, if the legacy client software requires it. (The log level can be adjusted with + '1' + in order to complain only at a higher log level). + + + This allows admins to use "no" only for a short grace period, + in order to collect the explicit + 'no' options. + + + When set to 'yes' this option overrides the + '' and + '' options and implies + 'yes'. + + + + This option is over-ridden by the option. + + + + +yes + + + + + + + If you still have legacy domain members, which required "server schannel require seal = no" before, + it is possible to specify explicit exception per computer account + by using 'server schannel require seal:COMPUTERACCOUNT = no' as option. + Note that COMPUTERACCOUNT has to be the sAMAccountName value of + the computer account (including the trailing '$' sign). + + + + Samba will log a complaint in the log files at log level 0 + about the security problem if the option is set to "no", + but the related computer does not require it. + (The log level can be adjusted with + '1' + in order to complain only at a higher log level). + + + + Samba will warn in the log files at log level 5, + if a setting is still needed for the specified computer account. + + + + See CVE-2022-38023, + https://bugzilla.samba.org/show_bug.cgi?id=15240. + + + + This option overrides the '' option. + + + + When set to 'yes' this option overrides the + '' and + '' options and implies + 'yes'. + + + + server require schannel seal:LEGACYCOMPUTER1$ = no + server require schannel seal:NASBOX$ = no + server require schannel seal:LEGACYCOMPUTER2$ = no + + + + diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index 3f4e367570e..c8ecaba70f1 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -2722,6 +2722,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lpcfg_do_global_parameter(lp_ctx, "winbind nss info", "template"); lpcfg_do_global_parameter(lp_ctx, "server schannel", "True"); + lpcfg_do_global_parameter(lp_ctx, "server schannel require seal", "True"); lpcfg_do_global_parameter(lp_ctx, "reject md5 clients", "True"); lpcfg_do_global_parameter(lp_ctx, "short preserve case", "True"); diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 13a8504425c..4e10aaf4724 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -666,6 +666,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) Globals.require_strong_key = true; Globals.reject_md5_servers = true; Globals.server_schannel = true; + Globals.server_schannel_require_seal = true; Globals.reject_md5_clients = true; Globals.read_raw = true; Globals.write_raw = true;