CVE-2022-38023 testparm: warn about server/client schannel != yes

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15260

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>

1 files changed, 17 insertions, 3 deletions

diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
index e0455b9d7b6..7e913a8ac4d 100644
--- a/source3/utils/testparm.c
+++ b/source3/utils/testparm.c
@@ -598,11 +598,25 @@ static int do_global_checks(void)
 		ret = 1;
 	}
 
-	if (!lp_server_schannel()) {
+	if (lp_server_schannel() != true) { /* can be 'auto' */
 		fprintf(stderr,
-			"WARNING: You have configured 'server schannel = no'. "
+			"WARNING: You have not configured "
+			"'server schannel = yes' (the default). "
 			"Your server is vulernable to \"ZeroLogon\" "
-			"(CVE-2020-1472)\n\n");
+			"(CVE-2020-1472)\n"
+			"If required use individual "
+			"'server require schannel:COMPUTERACCOUNT$ = no' "
+			"options\n\n");
+	}
+	if (lp_client_schannel() != true) { /* can be 'auto' */
+		fprintf(stderr,
+			"WARNING: You have not configured "
+			"'client schannel = yes' (the default). "
+			"Your server is vulernable to \"ZeroLogon\" "
+			"(CVE-2020-1472)\n"
+			"If required use individual "
+			"'client schannel:NETBIOSDOMAIN = no' "
+			"options\n\n");
 	}
 
 	return ret;