diff options
author | Stefan Metzmacher <metze@samba.org> | 2020-09-17 17:27:54 +0200 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2020-09-18 13:27:16 +0200 |
commit | e5c7800b096a4b9fd03490de939e1f26c776123e (patch) | |
tree | 455fff873a64d8dedb992a0fb2d6fdaad4b91780 /docs-xml | |
parent | 6192153da9accb152737ea57ef6465b5bed97830 (diff) | |
download | samba-e5c7800b096a4b9fd03490de939e1f26c776123e.tar.gz |
CVE-2020-1472(ZeroLogon): docs-xml: document 'server require schannel:COMPUTERACCOUNT'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Diffstat (limited to 'docs-xml')
-rw-r--r-- | docs-xml/smbdotconf/security/serverschannel.xml | 69 |
1 files changed, 54 insertions, 15 deletions
diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml index 489492d79b1..b682d086f76 100644 --- a/docs-xml/smbdotconf/security/serverschannel.xml +++ b/docs-xml/smbdotconf/security/serverschannel.xml @@ -7,26 +7,65 @@ <description> <para> - This option is deprecated with Samba 4.8 and will be removed in future. - At the same time the default changed to yes, which will be the - hardcoded behavior in future. If you have the need for the behavior of "auto" - to be kept, please file a bug at https://bugzilla.samba.org. + This option is deprecated and will be removed in future, + as it is a security problem if not set to "yes" (which will be + the hardcoded behavior in future). </para> <para> - This controls whether the server offers or even demands the use of the netlogon schannel. - <smbconfoption name="server schannel">no</smbconfoption> does not offer the schannel, <smbconfoption - name="server schannel">auto</smbconfoption> offers the schannel but does not enforce it, and <smbconfoption - name="server schannel">yes</smbconfoption> denies access if the client is not able to speak netlogon schannel. - This is only the case for Windows NT4 before SP4. - </para> - + Samba will complain in the log files at log level 0, + about the security problem if the option is not set to "yes". + </para> <para> - Please note that with this set to <literal>no</literal>, you will have to apply the WindowsXP - <filename>WinXP_SignOrSeal.reg</filename> registry patch found in the docs/registry subdirectory of the Samba distribution tarball. - </para> + See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497 + </para> + + <para>If you still have legacy domain members use the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option. + </para> + + <para>This option yields precedence to the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.</para> + </description> <value type="default">yes</value> -<value type="example">auto</value> +</samba:parameter> + +<samba:parameter name="server require schannel:COMPUTERACCOUNT" + context="G" + type="string" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + + <para>If you still have legacy domain members, which required "server schannel = auto" before, + it is possible to specify explicit expection per computer account + by using 'server require schannel:COMPUTERACCOUNT = no' as option. + Note that COMPUTERACCOUNT has to be the sAMAccountName value of + the computer account (including the trailing '$' sign). + </para> + + <para> + Samba will complain in the log files at log level 0, + about the security problem if the option is not set to "no", + but the related computer is actually using the netlogon + secure channel (schannel) feature. + </para> + + <para> + Samba will warn in the log files at log level 5, + if a setting is still needed for the specified computer account. + </para> + + <para> + See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497 + </para> + + <para>This option takes precedence to the <smbconfoption name="server schannel"/> option.</para> + + <programlisting> + server require schannel:LEGACYCOMPUTER1$ = no + server require schannel:NASBOX$ = no + server require schannel:LEGACYCOMPUTER2$ = no + </programlisting> +</description> + </samba:parameter> |