Projects
openEuler:20.03:LTS:SP3
samba
_service:tar_scm_kernel_repo:backport-0020-CVE-...
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:tar_scm_kernel_repo:backport-0020-CVE-2022-38023.patch of Package samba
From b7f0e7f2ccc9c07b2daa0dc6d66ea117108e9a4f Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher <metze@samba.org> Date: Fri, 25 Nov 2022 14:02:11 +0100 Subject: [PATCH 20/29] CVE-2022-38023 docs-xml/smbdotconf: document "server reject md5 schannel:COMPUTERACCOUNT" BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> (cherry picked from commit 2ad302b42254e3c2800aaf11669fe2e6d55fa8a1) Conflict: NA Reference: https://attachments.samba.org/attachment.cgi?id=17698 --- docs-xml/smbdotconf/logon/allownt4crypto.xml | 13 ++- .../smbdotconf/logon/rejectmd5clients.xml | 96 ++++++++++++++++++- 2 files changed, 103 insertions(+), 6 deletions(-) diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml index bbd03a42db74..ee63e6cc2453 100644 --- a/docs-xml/smbdotconf/logon/allownt4crypto.xml +++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml @@ -45,7 +45,9 @@ in order to collect the explicit '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' options.</para> - <para>This option is over-ridden by the '<smbconfoption name="reject md5 clients">yes</smbconfoption>' option.</para> + <para>This option is over-ridden by the effective value of 'yes' from + the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>' + and/or '<smbconfoption name="reject md5 clients"/>' options.</para> </description> <value type="default">no</value> @@ -85,12 +87,19 @@ <para>This option overrides the <smbconfoption name="allow nt4 crypto"/> option.</para> - <para>This option is over-ridden by the '<smbconfoption name="reject md5 clients">yes</smbconfoption>' option.</para> + <para>This option is over-ridden by the effective value of 'yes' from + the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>' + and/or '<smbconfoption name="reject md5 clients"/>' options.</para> + <para>Which means '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' + is only useful in combination with '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'</para> <programlisting> allow nt4 crypto:LEGACYCOMPUTER1$ = yes + server reject md5 schannel:LEGACYCOMPUTER1$ = no allow nt4 crypto:NASBOX$ = yes + server reject md5 schannel:NASBOX$ = no allow nt4 crypto:LEGACYCOMPUTER2$ = yes + server reject md5 schannel:LEGACYCOMPUTER2$ = no </programlisting> </description> diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml index edcbe02e99a3..fe7701d92772 100644 --- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml +++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml @@ -1,8 +1,15 @@ <samba:parameter name="reject md5 clients" context="G" type="boolean" + deprecated="1" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> + <para> + This option is deprecated and will be removed in a future release, + as it is a security problem if not set to "yes" (which will be + the hardcoded behavior in the future). + </para> + <para>This option controls whether the netlogon server (currently only in 'active directory domain controller' mode), will reject clients which does not support NETLOGON_NEG_SUPPORTS_AES.</para> @@ -10,13 +17,94 @@ <para>Support for NETLOGON_NEG_SUPPORTS_AES was added in Windows starting with Server 2008R2 and Windows 7, it's available in Samba starting with 4.0, however third party domain members like NetApp ONTAP - still uses RC4 (HMAC-MD5), see https://www.samba.org/samba/security/CVE-2022-38023.html for more details.</para> + still uses RC4 (HMAC-MD5), see + <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">https://www.samba.org/samba/security/CVE-2022-38023.html</ulink> + for more details. + </para> + + <para>The default changed from 'no' to 'yes', with the patches for + <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink> + see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>. + </para> + + <para><emphasis>Avoid using this option!</emphasis> Use an explicit per machine account + '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>' instead! + Which is available with the patches for + <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink> + see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>. + </para> - <para>The default changed from 'no' to 'yes', with the patches for CVE-2022-38023, - see https://bugzilla.samba.org/show_bug.cgi?id=15240</para> + <para> + Samba will log an error in the log files at log level 0 + if legacy a client is rejected or allowed without an explicit, + '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' option + for the client. The message will indicate + the explicit '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' + line to be added, if the legacy client software requires it. (The log level can be adjusted with + '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>' + in order to complain only at a higher log level). + </para> - <para>This option overrides the 'allow nt4 crypto' option.</para> + <para>This allows admins to use "no" only for a short grace period, + in order to collect the explicit + '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' options.</para> + + <para>When set to 'yes' this option overrides the + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT"/>' and + '<smbconfoption name="allow nt4 crypto"/>' options and implies + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">no</smbconfoption>'. + </para> </description> <value type="default">yes</value> </samba:parameter> + +<samba:parameter name="server reject md5 schannel:COMPUTERACCOUNT" + context="G" + type="string" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + + <para>If you still have legacy domain members or trusted domains, + which required "reject md5 clients = no" before, + it is possible to specify an explicit exception per computer account + by setting 'server reject md5 schannel:COMPUTERACCOUNT = no'. + Note that COMPUTERACCOUNT has to be the sAMAccountName value of + the computer account (including the trailing '$' sign). + </para> + + <para> + Samba will log a complaint in the log files at log level 0 + about the security problem if the option is set to "no", + but the related computer does not require it. + (The log level can be adjusted with + '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>' + in order to complain only at a higher log level). + </para> + + <para> + Samba will log a warning in the log files at log level 5 + if a setting is still needed for the specified computer account. + </para> + + <para> + See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>, + <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>. + </para> + + <para>This option overrides the <smbconfoption name="reject md5 clients"/> option.</para> + + <para>When set to 'yes' this option overrides the + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT"/>' and + '<smbconfoption name="allow nt4 crypto"/>' options and implies + '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">no</smbconfoption>'. + </para> + + <programlisting> + server reject md5 schannel:LEGACYCOMPUTER1$ = no + server reject md5 schannel:NASBOX$ = no + server reject md5 schannel:LEGACYCOMPUTER2$ = no + </programlisting> +</description> + +</samba:parameter> -- 2.34.1
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.