From: Stefan Metzmacher Date: Thu, 7 Nov 2024 14:16:18 +0000 (+0100) Subject: docs-xml/smbdotconf: add "server reject aes schannel[:COMPUTERACCOUNT]" options X-Git-Tag: tdb-1.4.13~355 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a5993f0c5ce026a088d7692fc2debbf94a6d6e7c;p=thirdparty%2Fsamba.git docs-xml/smbdotconf: add "server reject aes schannel[:COMPUTERACCOUNT]" options This will be useful in order to require netr_ServerAuthenticateKerberos() Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider --- diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml index ee63e6cc245..5b90ba58735 100644 --- a/docs-xml/smbdotconf/logon/allownt4crypto.xml +++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml @@ -46,8 +46,10 @@ 'yes' options. This option is over-ridden by the effective value of 'yes' from - the '' - and/or '' options. + the '', + '', + '', + and/or '' options. no @@ -88,18 +90,24 @@ This option overrides the option. This option is over-ridden by the effective value of 'yes' from - the '' - and/or '' options. + the '', + '', + '' + and/or '' options. Which means 'yes' - is only useful in combination with 'no' + is only useful in combination with 'no' + and 'no'. allow nt4 crypto:LEGACYCOMPUTER1$ = yes server reject md5 schannel:LEGACYCOMPUTER1$ = no + server reject aes schannel:LEGACYCOMPUTER1$ = no allow nt4 crypto:NASBOX$ = yes server reject md5 schannel:NASBOX$ = no + server reject aes schannel:NASBOX$ = no allow nt4 crypto:LEGACYCOMPUTER2$ = yes server reject md5 schannel:LEGACYCOMPUTER2$ = no + server reject aes schannel:LEGACYCOMPUTER2$ = no diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml index fe7701d9277..ee3cd191904 100644 --- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml +++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml 
@@ -54,6 +54,10 @@ '' options and implies 'no'. + + This option is over-ridden by the effective value of 'yes' from + the '' + and/or '' options. yes @@ -100,10 +104,19 @@ 'no'. + This option is over-ridden by the effective value of 'yes' from + the '' + and/or '' options. + Which means 'no' + is only useful in combination with 'no'. + server reject md5 schannel:LEGACYCOMPUTER1$ = no + server reject aes schannel:LEGACYCOMPUTER1$ = no server reject md5 schannel:NASBOX$ = no + server reject aes schannel:NASBOX$ = no server reject md5 schannel:LEGACYCOMPUTER2$ = no + server reject aes schannel:LEGACYCOMPUTER2$ = no diff --git a/docs-xml/smbdotconf/logon/serverrejectaesschannel.xml b/docs-xml/smbdotconf/logon/serverrejectaesschannel.xml new file mode 100644 index 00000000000..5c6ad5a8c92 --- /dev/null +++ b/docs-xml/smbdotconf/logon/serverrejectaesschannel.xml 
@@ -0,0 +1,113 @@ + + + This option is experimental for now! + + + This option controls whether the netlogon server (currently + only in 'active directory domain controller' mode), will + reject clients which do not support ServerAuthenticateKerberos. + + Support for ServerAuthenticateKerberos was added in Windows + starting with Server 2025, it's available in Samba starting with 4.22 + (but disabled by default). + + + Note this options is not really related to security problems + behind CVE_2022_38023, but it still uses the debug level related + logic and options. + + + Samba will log an error in the log files at log level 0 + if legacy a client is rejected without an explicit, + 'no' option + for the client. The message will indicate + the explicit 'no' + line to be added, if the client software requires it. (The log level can be adjusted with + '1' + in order to complain only at a higher log level). + + + + Samba will log a message in the log files at log level 5 + if a client is allowed without an explicit, + 'no' option + for the client. The message will indicate + the explicit 'no' + line to be added, if the client software requires it. (The log level can be adjusted with + '0' + in order to complain only at a lower or higher log level). + This can we used to prepare the configuration before changing to + 'yes' + + + Admins can use + 'no/yes' options in + order to have more control + + When set to 'yes' this option overrides the + '' and + '' options and implies + 'no'. + + + For now '' + is EXPERIMENTAL and should not be configured explicitly. + + +no +yes + + + + + + If the time has come and most domain members or trusted domains + support ServerAuthenticateKerberos, admins may want to use "server reject aes schannel = yes". + It is possible to specify an explicit exception per computer account + by setting 'server reject aes schannel:COMPUTERACCOUNT = no'. 
+ Note that COMPUTERACCOUNT has to be the sAMAccountName value of + the computer account (including the trailing '$' sign). + + + Note this options is not really related to security problems + behind CVE_2022_38023, but it still uses the debug level related + logic and options. + + + + Samba will log a complaint in the log files at log level 0 + about the security problem if the option is set to "no", + but the related computer does not require it. + (The log level can be adjusted with + '1' + in order to complain only at a higher log level). + + + + Samba will log a warning in the log files at log level 5 + if a setting is still needed for the specified computer account. + + + This option overrides the option. + + When set to 'yes' this option overrides the + '' and + '' options and implies + 'no'. + + + + server reject aes schannel:LEGACYCOMPUTER1$ = no + server reject aes schannel:NASBOX$ = no + server reject aes schannel:LEGACYCOMPUTER2$ = no + server reject aes schannel:HIGHPRIVACYSRV$ = yes + + + +
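Review bot: In docs-xml/smbdotconf/logon/allownt4crypto.xml, hunk @@ -88,18 +90,24 @@, the punctuation of the new option list is inconsistent with the first hunk of the same file: the @@ -46 hunk ends the list with "''," before "and/or ''", while this hunk drops that comma ("'' / and/or ''"). Pick one form for both paragraphs. The rest of the hunk looks right: "Which means 'yes' is only useful in combination with 'no' and 'no'" now names both reject options, and the example block adds a matching "server reject aes schannel:...$ = no" line for each of the three accounts (LEGACYCOMPUTER1$, NASBOX$, LEGACYCOMPUTER2$) that already carry the md5 exception.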
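Review bot: In docs-xml/smbdotconf/logon/rejectmd5clients.xml, hunk @@ -54,6 +54,10 @@, the added sentence "This option is over-ridden by the effective value of 'yes' from the '' and/or '' options" does not say which way the override goes; since the same hunk's context says this option "implies 'no'" for another option, a reader may wonder whether 'yes' elsewhere forces this one on or off. Suggest stating it explicitly, e.g. "If '' or '' is effectively 'yes', this option is treated as 'yes' regardless of its configured value." The same wording is repeated in the @@ -100 hunk and could be fixed in both places.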
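Review bot: In the new file docs-xml/smbdotconf/logon/serverrejectaesschannel.xml, hunk @@ -0,0 +1,113 @@, several sentences carry typos or copy-paste residue from the md5 documentation and should be fixed before merge: "Note this options is not really related" appears twice and should read "Note this option is not really related"; "if legacy a client is rejected" should be "if a legacy client is rejected"; "This can we used to prepare the configuration before changing to 'yes'" should be "This can be used ..." and needs a closing period; "in order to have more control" also lacks a period; "Support for ServerAuthenticateKerberos was added in Windows starting with Server 2025, it's available in Samba starting with 4.22" is a comma splice and should be split into two sentences. The parenthesis "(The log level can be adjusted with '0' in order to complain only at a lower or higher log level)" after the log-level-5 paragraph reads as leftover text and should mirror the level-0 paragraph above it. In the per-computer-account section, "Samba will log a complaint in the log files at log level 0 about the security problem" contradicts the preceding sentence that the option "is not really related to security problems"; drop "about the security problem" or reword. Unless CVE_2022_38023 is an XML entity reference that the diff rendering has stripped, the identifier should be written CVE-2022-38023. Finally, the paragraph "When set to 'yes' this option overrides the '' and '' options and implies 'no'." appears twice in the file (once in the general section, once after "This option overrides the option."); one copy is enough.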