258 lines
11 KiB
Diff
258 lines
11 KiB
Diff
From fa1144918cac0be0a31fc886ee2fd6c20ce636c4 Mon Sep 17 00:00:00 2001
|
|
From: Stefan Metzmacher <metze@samba.org>
|
|
Date: Fri, 25 Nov 2022 16:53:35 +0100
|
|
Subject: [PATCH 26/30] CVE-2022-38023 docs-xml/smbdotconf: add "server
|
|
schannel require seal[:COMPUTERACCOUNT]" options
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
|
|
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
(cherry picked from commit 7732a4b0bde1d9f98a0371f17d22648495329470)
|
|
|
|
Conflict: NA
|
|
Reference: https://attachments.samba.org/attachment.cgi?id=17692
|
|
---
|
|
.../smbdotconf/security/serverschannel.xml | 43 ++++++-
|
|
.../security/serverschannelrequireseal.xml | 118 ++++++++++++++++++
|
|
lib/param/loadparm.c | 1 +
|
|
source3/param/loadparm.c | 1 +
|
|
4 files changed, 157 insertions(+), 6 deletions(-)
|
|
create mode 100644 docs-xml/smbdotconf/security/serverschannelrequireseal.xml
|
|
|
|
diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml
|
|
index 394ffdc36fbd..5c69f0f64dfb 100644
|
|
--- a/docs-xml/smbdotconf/security/serverschannel.xml
|
|
+++ b/docs-xml/smbdotconf/security/serverschannel.xml
|
|
@@ -12,19 +12,37 @@
|
|
the hardcoded behavior in future).
|
|
</para>
|
|
|
|
- <para>
|
|
- Samba will complain in the log files at log level 0,
|
|
- about the security problem if the option is not set to "yes".
|
|
+ <para><emphasis>Avoid using this option!</emphasis> Use explicit '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' instead!
|
|
</para>
|
|
+
|
|
+ <para>
|
|
+ Samba will log an error in the log files at log level 0
|
|
+ if legacy a client is rejected or allowed without an explicit,
|
|
+ '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' option
|
|
+ for the client. The message will indicate
|
|
+ the explicit '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>'
|
|
+ line to be added, if the legacy client software requires it. (The log level can be adjusted with
|
|
+ '<smbconfoption name="CVE_2020_1472:error_debug_level">1</smbconfoption>'
|
|
+ in order to complain only at a higher log level).
|
|
+ </para>
|
|
+
|
|
<para>
|
|
- See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497
|
|
+ This allows admins to use "auto" only for a short grace period,
|
|
+ in order to collect the explicit
|
|
+ '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' options.
|
|
</para>
|
|
|
|
- <para>If you still have legacy domain members use the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.
|
|
+ <para>
|
|
+ See <ulink url="https://www.samba.org/samba/security/CVE-2020-1472.html">CVE-2020-1472(ZeroLogon)</ulink>,
|
|
+ <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=14497">https://bugzilla.samba.org/show_bug.cgi?id=14497</ulink>.
|
|
</para>
|
|
|
|
<para>This option is over-ridden by the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.</para>
|
|
|
|
+ <para>This option is over-ridden by the effective value of 'yes' from
|
|
+ the '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>'
|
|
+ and/or '<smbconfoption name="server schannel require seal"/>' options.</para>
|
|
+
|
|
</description>
|
|
|
|
<value type="default">yes</value>
|
|
@@ -48,6 +66,9 @@
|
|
about the security problem if the option is not set to "no",
|
|
but the related computer is actually using the netlogon
|
|
secure channel (schannel) feature.
|
|
+ (The log level can be adjusted with
|
|
+ '<smbconfoption name="CVE_2020_1472:warn_about_unused_debug_level">1</smbconfoption>'
|
|
+ in order to complain only at a higher log level).
|
|
</para>
|
|
|
|
<para>
|
|
@@ -56,15 +77,25 @@
|
|
</para>
|
|
|
|
<para>
|
|
- See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497
|
|
+ See <ulink url="https://www.samba.org/samba/security/CVE-2020-1472.html">CVE-2020-1472(ZeroLogon)</ulink>,
|
|
+ <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=14497">https://bugzilla.samba.org/show_bug.cgi?id=14497</ulink>.
|
|
</para>
|
|
|
|
<para>This option overrides the <smbconfoption name="server schannel"/> option.</para>
|
|
|
|
+ <para>This option is over-ridden by the effective value of 'yes' from
|
|
+ the '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>'
|
|
+ and/or '<smbconfoption name="server schannel require seal"/>' options.</para>
|
|
+ <para>Which means '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>'
|
|
+ is only useful in combination with '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>'</para>
|
|
+
|
|
<programlisting>
|
|
server require schannel:LEGACYCOMPUTER1$ = no
|
|
+ server require schannel seal:LEGACYCOMPUTER1$ = no
|
|
server require schannel:NASBOX$ = no
|
|
+ server require schannel seal:NASBOX$ = no
|
|
server require schannel:LEGACYCOMPUTER2$ = no
|
|
+ server require schannel seal:LEGACYCOMPUTER2$ = no
|
|
</programlisting>
|
|
</description>
|
|
|
|
diff --git a/docs-xml/smbdotconf/security/serverschannelrequireseal.xml b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml
|
|
new file mode 100644
|
|
index 000000000000..d4620d1252dd
|
|
--- /dev/null
|
|
+++ b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml
|
|
@@ -0,0 +1,118 @@
|
|
+<samba:parameter name="server schannel require seal"
|
|
+ context="G"
|
|
+ type="boolean"
|
|
+ deprecated="1"
|
|
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
|
+<description>
|
|
+
|
|
+ <para>
|
|
+ This option is deprecated and will be removed in future,
|
|
+ as it is a security problem if not set to "yes" (which will be
|
|
+ the hardcoded behavior in future).
|
|
+ </para>
|
|
+
|
|
+ <para>
|
|
+ This option controls whether the netlogon server (currently
|
|
+ only in 'active directory domain controller' mode), will
|
|
+ reject the usage of netlogon secure channel without privacy/enryption.
|
|
+ </para>
|
|
+
|
|
+ <para>
|
|
+ The option is modelled after the registry key available on Windows.
|
|
+ </para>
|
|
+
|
|
+ <programlisting>
|
|
+ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireSeal=2
|
|
+ </programlisting>
|
|
+
|
|
+ <para>
|
|
+ <emphasis>Avoid using this option!</emphasis> Use the per computer account specific option
|
|
+ '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>' instead!
|
|
+ Which is available with the patches for
|
|
+ <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
|
|
+ see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
|
|
+ </para>
|
|
+
|
|
+ <para>
|
|
+ Samba will log an error in the log files at log level 0
|
|
+ if legacy a client is rejected or allowed without an explicit,
|
|
+ '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>' option
|
|
+ for the client. The message will indicate
|
|
+ the explicit '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>'
|
|
+ line to be added, if the legacy client software requires it. (The log level can be adjusted with
|
|
+ '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>'
|
|
+ in order to complain only at a higher log level).
|
|
+ </para>
|
|
+
|
|
+ <para>This allows admins to use "no" only for a short grace period,
|
|
+ in order to collect the explicit
|
|
+ '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>' options.</para>
|
|
+
|
|
+ <para>
|
|
+ When set to 'yes' this option overrides the
|
|
+ '<smbconfoption name="server require schannel:COMPUTERACCOUNT"/>' and
|
|
+ '<smbconfoption name="server schannel"/>' options and implies
|
|
+ '<smbconfoption name="server require schannel:COMPUTERACCOUNT">yes</smbconfoption>'.
|
|
+ </para>
|
|
+
|
|
+ <para>
|
|
+ This option is over-ridden by the <smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/> option.
|
|
+ </para>
|
|
+
|
|
+</description>
|
|
+
|
|
+<value type="default">yes</value>
|
|
+</samba:parameter>
|
|
+
|
|
+<samba:parameter name="server schannel require seal:COMPUTERACCOUNT"
|
|
+ context="G"
|
|
+ type="string"
|
|
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
|
+<description>
|
|
+
|
|
+ <para>
|
|
+ If you still have legacy domain members, which required "server schannel require seal = no" before,
|
|
+ it is possible to specify explicit exception per computer account
|
|
+ by using 'server schannel require seal:COMPUTERACCOUNT = no' as option.
|
|
+ Note that COMPUTERACCOUNT has to be the sAMAccountName value of
|
|
+ the computer account (including the trailing '$' sign).
|
|
+ </para>
|
|
+
|
|
+ <para>
|
|
+ Samba will log a complaint in the log files at log level 0
|
|
+ about the security problem if the option is set to "no",
|
|
+ but the related computer does not require it.
|
|
+ (The log level can be adjusted with
|
|
+ '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>'
|
|
+ in order to complain only at a higher log level).
|
|
+ </para>
|
|
+
|
|
+ <para>
|
|
+ Samba will warn in the log files at log level 5,
|
|
+ if a setting is still needed for the specified computer account.
|
|
+ </para>
|
|
+
|
|
+ <para>
|
|
+ See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>,
|
|
+ <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
|
|
+ </para>
|
|
+
|
|
+ <para>
|
|
+ This option overrides the '<smbconfoption name="server schannel require seal"/>' option.
|
|
+ </para>
|
|
+
|
|
+ <para>
|
|
+ When set to 'yes' this option overrides the
|
|
+ '<smbconfoption name="server require schannel:COMPUTERACCOUNT"/>' and
|
|
+ '<smbconfoption name="server schannel"/>' options and implies
|
|
+ '<smbconfoption name="server require schannel:COMPUTERACCOUNT">yes</smbconfoption>'.
|
|
+ </para>
|
|
+
|
|
+ <programlisting>
|
|
+ server require schannel seal:LEGACYCOMPUTER1$ = no
|
|
+ server require schannel seal:NASBOX$ = no
|
|
+ server require schannel seal:LEGACYCOMPUTER2$ = no
|
|
+ </programlisting>
|
|
+</description>
|
|
+
|
|
+</samba:parameter>
|
|
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
|
|
index e509cf85bb89..1dcc8061fa21 100644
|
|
--- a/lib/param/loadparm.c
|
|
+++ b/lib/param/loadparm.c
|
|
@@ -2729,6 +2729,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
|
|
lpcfg_do_global_parameter(lp_ctx, "winbind nss info", "template");
|
|
|
|
lpcfg_do_global_parameter(lp_ctx, "server schannel", "True");
|
|
+ lpcfg_do_global_parameter(lp_ctx, "server schannel require seal", "True");
|
|
lpcfg_do_global_parameter(lp_ctx, "reject md5 clients", "True");
|
|
|
|
lpcfg_do_global_parameter(lp_ctx, "short preserve case", "True");
|
|
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
|
|
index c88d241bcf78..9bb5f4cf8cb3 100644
|
|
--- a/source3/param/loadparm.c
|
|
+++ b/source3/param/loadparm.c
|
|
@@ -668,6 +668,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
|
|
Globals.require_strong_key = true;
|
|
Globals.reject_md5_servers = true;
|
|
Globals.server_schannel = true;
|
|
+ Globals.server_schannel_require_seal = true;
|
|
Globals.reject_md5_clients = true;
|
|
Globals.read_raw = true;
|
|
Globals.write_raw = true;
|
|
--
|
|
2.34.1
|