CVE-2022-38023 docs-xml/smbdotconf: add "server schannel require seal[:COMPUTERACCOUNT]" options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 7732a4b0bde1d9f98a0371f17d22648495329470)

4 files changed, 157 insertions, 6 deletions

diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml
index 3e66df1c203..42a657912ca 100644
--- a/docs-xml/smbdotconf/security/serverschannel.xml
+++ b/docs-xml/smbdotconf/security/serverschannel.xml
@@ -12,19 +12,37 @@
 	the hardcoded behavior in future).
     </para>
 
-    <para>
-	Samba will complain in the log files at log level 0,
-	about the security problem if the option is not set to "yes".
+    <para><emphasis>Avoid using this option!</emphasis> Use explicit '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' instead!
     </para>
+
+    <para>
+	Samba will log an error in the log files at log level 0
+	if legacy a client is rejected or allowed without an explicit,
+	'<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' option
+	for the client. The message will indicate
+	the explicit '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>'
+	line to be added, if the legacy client software requires it. (The log level can be adjusted with
+	'<smbconfoption name="CVE_2020_1472:error_debug_level">1</smbconfoption>'
+	in order to complain only at a higher log level).
+	</para>
+
     <para>
-	See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497
+	This allows admins to use "auto" only for a short grace period,
+	in order to collect the explicit
+	'<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' options.
     </para>
 
-    <para>If you still have legacy domain members use the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.
+    <para>
+	See <ulink url="https://www.samba.org/samba/security/CVE-2020-1472.html">CVE-2020-1472(ZeroLogon)</ulink>,
+	<ulink url="https://bugzilla.samba.org/show_bug.cgi?id=14497">https://bugzilla.samba.org/show_bug.cgi?id=14497</ulink>.
     </para>
 
     <para>This option is over-ridden by the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.</para>
 
+    <para>This option is over-ridden by the effective value of 'yes' from
+    the '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>'
+    and/or '<smbconfoption name="server schannel require seal"/>' options.</para>
+
 </description>
 
 <value type="default">yes</value>
@@ -48,6 +66,9 @@
 	about the security problem if the option is not set to "no",
 	but the related computer is actually using the netlogon
 	secure channel (schannel) feature.
+	(The log level can be adjusted with
+	'<smbconfoption name="CVE_2020_1472:warn_about_unused_debug_level">1</smbconfoption>'
+	in order to complain only at a higher log level).
     </para>
 
     <para>
@@ -56,15 +77,25 @@
     </para>
 
     <para>
-	See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497
+	See <ulink url="https://www.samba.org/samba/security/CVE-2020-1472.html">CVE-2020-1472(ZeroLogon)</ulink>,
+	<ulink url="https://bugzilla.samba.org/show_bug.cgi?id=14497">https://bugzilla.samba.org/show_bug.cgi?id=14497</ulink>.
     </para>
 
     <para>This option overrides the <smbconfoption name="server schannel"/> option.</para>
 
+    <para>This option is over-ridden by the effective value of 'yes' from
+    the '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>'
+    and/or '<smbconfoption name="server schannel require seal"/>' options.</para>
+    <para>Which means '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>'
+    is only useful in combination with '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>'</para>
+
     <programlisting>
 	server require schannel:LEGACYCOMPUTER1$ = no
+	server require schannel seal:LEGACYCOMPUTER1$ = no
 	server require schannel:NASBOX$ = no
+	server require schannel seal:NASBOX$ = no
 	server require schannel:LEGACYCOMPUTER2$ = no
+	server require schannel seal:LEGACYCOMPUTER2$ = no
     </programlisting>
 </description>
 
diff --git a/docs-xml/smbdotconf/security/serverschannelrequireseal.xml b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml
new file mode 100644
index 00000000000..d4620d1252d
--- /dev/null
+++ b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml
@@ -0,0 +1,118 @@
+<samba:parameter name="server schannel require seal"
+                 context="G"
+                 type="boolean"
+                 deprecated="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+	<para>
+	This option is deprecated and will be removed in future,
+	as it is a security problem if not set to "yes" (which will be
+	the hardcoded behavior in future).
+	</para>
+
+	<para>
+	This option controls whether the netlogon server (currently
+	only in 'active directory domain controller' mode), will
+	reject the usage of netlogon secure channel without privacy/enryption.
+	</para>
+
+	<para>
+	The option is modelled after the registry key available on Windows.
+	</para>
+
+	<programlisting>
+	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireSeal=2
+	</programlisting>
+
+	<para>
+	<emphasis>Avoid using this option!</emphasis> Use the per computer account specific option
+	'<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>' instead!
+	Which is available with the patches for
+	<ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
+	see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+	</para>
+
+	<para>
+	Samba will log an error in the log files at log level 0
+	if legacy a client is rejected or allowed without an explicit,
+	'<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>' option
+	for the client. The message will indicate
+	the explicit '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>'
+	line to be added, if the legacy client software requires it. (The log level can be adjusted with
+	'<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>'
+	in order to complain only at a higher log level).
+	</para>
+
+	<para>This allows admins to use "no" only for a short grace period,
+	in order to collect the explicit
+	'<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>' options.</para>
+
+	<para>
+	When set to 'yes' this option overrides the
+	'<smbconfoption name="server require schannel:COMPUTERACCOUNT"/>' and
+	'<smbconfoption name="server schannel"/>' options and implies
+	'<smbconfoption name="server require schannel:COMPUTERACCOUNT">yes</smbconfoption>'.
+	</para>
+
+	<para>
+	This option is over-ridden by the <smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/> option.
+	</para>
+
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
+
+<samba:parameter name="server schannel require seal:COMPUTERACCOUNT"
+                 context="G"
+                 type="string"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+	<para>
+	If you still have legacy domain members, which required "server schannel require seal = no" before,
+	it is possible to specify explicit exception per computer account
+	by using 'server schannel require seal:COMPUTERACCOUNT = no' as option.
+	Note that COMPUTERACCOUNT has to be the sAMAccountName value of
+	the computer account (including the trailing '$' sign).
+	</para>
+
+	<para>
+	Samba will log a complaint in the log files at log level 0
+	about the security problem if the option is set to "no",
+	but the related computer does not require it.
+	(The log level can be adjusted with
+	'<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>'
+	in order to complain only at a higher log level).
+	</para>
+
+	<para>
+	Samba will warn in the log files at log level 5,
+	if a setting is still needed for the specified computer account.
+	</para>
+
+	<para>
+	See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>,
+	<ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+	</para>
+
+	<para>
+	This option overrides the '<smbconfoption name="server schannel require seal"/>' option.
+	</para>
+
+	<para>
+	When set to 'yes' this option overrides the
+	'<smbconfoption name="server require schannel:COMPUTERACCOUNT"/>' and
+	'<smbconfoption name="server schannel"/>' options and implies
+	'<smbconfoption name="server require schannel:COMPUTERACCOUNT">yes</smbconfoption>'.
+	</para>
+
+	<programlisting>
+	server require schannel seal:LEGACYCOMPUTER1$ = no
+	server require schannel seal:NASBOX$ = no
+	server require schannel seal:LEGACYCOMPUTER2$ = no
+	</programlisting>
+</description>
+
+</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 3f4e367570e..c8ecaba70f1 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2722,6 +2722,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 	lpcfg_do_global_parameter(lp_ctx, "winbind nss info", "template");
 
 	lpcfg_do_global_parameter(lp_ctx, "server schannel", "True");
+	lpcfg_do_global_parameter(lp_ctx, "server schannel require seal", "True");
 	lpcfg_do_global_parameter(lp_ctx, "reject md5 clients", "True");
 
 	lpcfg_do_global_parameter(lp_ctx, "short preserve case", "True");
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 13a8504425c..4e10aaf4724 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -666,6 +666,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 	Globals.require_strong_key = true;
 	Globals.reject_md5_servers = true;
 	Globals.server_schannel = true;
+	Globals.server_schannel_require_seal = true;
 	Globals.reject_md5_clients = true;
 	Globals.read_raw = true;
 	Globals.write_raw = true;