summaryrefslogtreecommitdiff
path: root/docs-xml/smbdotconf/security/serverschannel.xml
blob: 394ffdc36fbd86abd3f4a0d103376345e09eebd2 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
<samba:parameter name="server schannel"
                 context="G"
                 type="enum"
                 enumlist="enum_bool_auto"
                 deprecated="1"
                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>

    <para>
	This option is deprecated and will be removed in future,
	as it is a security problem if not set to "yes" (which will be
	the hardcoded behavior in future).
    </para>

    <para>
	Samba will complain in the log files at log level 0,
	about the security problem if the option is not set to "yes".
    </para>
    <para>
	See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497
    </para>

    <para>If you still have legacy domain members use the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.
    </para>

    <para>This option is over-ridden by the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.</para>

</description>

<value type="default">yes</value>
</samba:parameter>

<samba:parameter name="server require schannel:COMPUTERACCOUNT"
                 context="G"
                 type="string"
                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>

    <para>If you still have legacy domain members, which required "server schannel = auto" before,
	it is possible to specify explicit exception per computer account
	by using 'server require schannel:COMPUTERACCOUNT = no' as option.
	Note that COMPUTERACCOUNT has to be the sAMAccountName value of
	the computer account (including the trailing '$' sign).
    </para>

    <para>
	Samba will complain in the log files at log level 0,
	about the security problem if the option is not set to "no",
	but the related computer is actually using the netlogon
	secure channel (schannel) feature.
    </para>

    <para>
	Samba will warn in the log files at log level 5,
	if a setting is still needed for the specified computer account.
    </para>

    <para>
	See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497
    </para>

    <para>This option overrides the <smbconfoption name="server schannel"/> option.</para>

    <programlisting>
	server require schannel:LEGACYCOMPUTER1$ = no
	server require schannel:NASBOX$ = no
	server require schannel:LEGACYCOMPUTER2$ = no
    </programlisting>
</description>

</samba:parameter>