diff options
author | Stefan Metzmacher <metze@samba.org> | 2022-11-25 16:53:35 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2022-12-13 13:07:29 +0000 |
commit | 7732a4b0bde1d9f98a0371f17d22648495329470 (patch) | |
tree | 83cf864a229b94627388116492be774944d56c88 | |
parent | 689507457f5e6666488732f91a355a2183fb1662 (diff) | |
download | samba-7732a4b0bde1d9f98a0371f17d22648495329470.tar.gz |
CVE-2022-38023 docs-xml/smbdotconf: add "server schannel require seal[:COMPUTERACCOUNT]" options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
-rw-r--r-- | docs-xml/smbdotconf/security/serverschannel.xml | 43 | ||||
-rw-r--r-- | docs-xml/smbdotconf/security/serverschannelrequireseal.xml | 118 | ||||
-rw-r--r-- | lib/param/loadparm.c | 1 | ||||
-rw-r--r-- | source3/param/loadparm.c | 1 |
4 files changed, 157 insertions, 6 deletions
diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml index 394ffdc36fb..5c69f0f64df 100644 --- a/docs-xml/smbdotconf/security/serverschannel.xml +++ b/docs-xml/smbdotconf/security/serverschannel.xml @@ -12,19 +12,37 @@ the hardcoded behavior in future). </para> - <para> - Samba will complain in the log files at log level 0, - about the security problem if the option is not set to "yes". + <para><emphasis>Avoid using this option!</emphasis> Use explicit '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' instead! </para> + + <para> + Samba will log an error in the log files at log level 0 + if legacy a client is rejected or allowed without an explicit, + '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' option + for the client. The message will indicate + the explicit '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' + line to be added, if the legacy client software requires it. (The log level can be adjusted with + '<smbconfoption name="CVE_2020_1472:error_debug_level">1</smbconfoption>' + in order to complain only at a higher log level). + </para> + <para> - See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497 + This allows admins to use "auto" only for a short grace period, + in order to collect the explicit + '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' options. </para> - <para>If you still have legacy domain members use the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option. + <para> + See <ulink url="https://www.samba.org/samba/security/CVE-2020-1472.html">CVE-2020-1472(ZeroLogon)</ulink>, + <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=14497">https://bugzilla.samba.org/show_bug.cgi?id=14497</ulink>. </para> <para>This option is over-ridden by the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.</para> + <para>This option is over-ridden by the effective value of 'yes' from + the '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>' + and/or '<smbconfoption name="server schannel require seal"/>' options.</para> + </description> <value type="default">yes</value> @@ -48,6 +66,9 @@ about the security problem if the option is not set to "no", but the related computer is actually using the netlogon secure channel (schannel) feature. + (The log level can be adjusted with + '<smbconfoption name="CVE_2020_1472:warn_about_unused_debug_level">1</smbconfoption>' + in order to complain only at a higher log level). </para> <para> @@ -56,15 +77,25 @@ </para> <para> - See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497 + See <ulink url="https://www.samba.org/samba/security/CVE-2020-1472.html">CVE-2020-1472(ZeroLogon)</ulink>, + <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=14497">https://bugzilla.samba.org/show_bug.cgi?id=14497</ulink>. </para> <para>This option overrides the <smbconfoption name="server schannel"/> option.</para> + <para>This option is over-ridden by the effective value of 'yes' from + the '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>' + and/or '<smbconfoption name="server schannel require seal"/>' options.</para> + <para>Which means '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' + is only useful in combination with '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>'</para> + <programlisting> server require schannel:LEGACYCOMPUTER1$ = no + server require schannel seal:LEGACYCOMPUTER1$ = no server require schannel:NASBOX$ = no + server require schannel seal:NASBOX$ = no server require schannel:LEGACYCOMPUTER2$ = no + server require schannel seal:LEGACYCOMPUTER2$ = no </programlisting> </description> diff --git a/docs-xml/smbdotconf/security/serverschannelrequireseal.xml b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml new file mode 100644 index 00000000000..d4620d1252d --- /dev/null +++ b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml @@ -0,0 +1,118 @@ +<samba:parameter name="server schannel require seal" + context="G" + type="boolean" + deprecated="1" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + + <para> + This option is deprecated and will be removed in future, + as it is a security problem if not set to "yes" (which will be + the hardcoded behavior in future). + </para> + + <para> + This option controls whether the netlogon server (currently + only in 'active directory domain controller' mode), will + reject the usage of netlogon secure channel without privacy/enryption. + </para> + + <para> + The option is modelled after the registry key available on Windows. + </para> + + <programlisting> + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireSeal=2 + </programlisting> + + <para> + <emphasis>Avoid using this option!</emphasis> Use the per computer account specific option + '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>' instead! + Which is available with the patches for + <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink> + see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>. + </para> + + <para> + Samba will log an error in the log files at log level 0 + if legacy a client is rejected or allowed without an explicit, + '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>' option + for the client. The message will indicate + the explicit '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>' + line to be added, if the legacy client software requires it. (The log level can be adjusted with + '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>' + in order to complain only at a higher log level). + </para> + + <para>This allows admins to use "no" only for a short grace period, + in order to collect the explicit + '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>' options.</para> + + <para> + When set to 'yes' this option overrides the + '<smbconfoption name="server require schannel:COMPUTERACCOUNT"/>' and + '<smbconfoption name="server schannel"/>' options and implies + '<smbconfoption name="server require schannel:COMPUTERACCOUNT">yes</smbconfoption>'. + </para> + + <para> + This option is over-ridden by the <smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/> option. + </para> + +</description> + +<value type="default">yes</value> +</samba:parameter> + +<samba:parameter name="server schannel require seal:COMPUTERACCOUNT" + context="G" + type="string" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + + <para> + If you still have legacy domain members, which required "server schannel require seal = no" before, + it is possible to specify explicit exception per computer account + by using 'server schannel require seal:COMPUTERACCOUNT = no' as option. + Note that COMPUTERACCOUNT has to be the sAMAccountName value of + the computer account (including the trailing '$' sign). + </para> + + <para> + Samba will log a complaint in the log files at log level 0 + about the security problem if the option is set to "no", + but the related computer does not require it. + (The log level can be adjusted with + '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>' + in order to complain only at a higher log level). + </para> + + <para> + Samba will warn in the log files at log level 5, + if a setting is still needed for the specified computer account. + </para> + + <para> + See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>, + <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>. + </para> + + <para> + This option overrides the '<smbconfoption name="server schannel require seal"/>' option. + </para> + + <para> + When set to 'yes' this option overrides the + '<smbconfoption name="server require schannel:COMPUTERACCOUNT"/>' and + '<smbconfoption name="server schannel"/>' options and implies + '<smbconfoption name="server require schannel:COMPUTERACCOUNT">yes</smbconfoption>'. + </para> + + <programlisting> + server require schannel seal:LEGACYCOMPUTER1$ = no + server require schannel seal:NASBOX$ = no + server require schannel seal:LEGACYCOMPUTER2$ = no + </programlisting> +</description> + +</samba:parameter> diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index e509cf85bb8..1dcc8061fa2 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -2729,6 +2729,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lpcfg_do_global_parameter(lp_ctx, "winbind nss info", "template"); lpcfg_do_global_parameter(lp_ctx, "server schannel", "True"); + lpcfg_do_global_parameter(lp_ctx, "server schannel require seal", "True"); lpcfg_do_global_parameter(lp_ctx, "reject md5 clients", "True"); lpcfg_do_global_parameter(lp_ctx, "short preserve case", "True"); diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 336852b927c..a0c9249b777 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -666,6 +666,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) Globals.require_strong_key = true; Globals.reject_md5_servers = true; Globals.server_schannel = true; + Globals.server_schannel_require_seal = true; Globals.reject_md5_clients = true; Globals.read_raw = true; Globals.write_raw = true; |