CVE-2022-38023 testparm: warn about server/client schannel != yes

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit f964c0c357214637f80d0089723b9b11d1b38f7e)

diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
index 58ba46bc15fbfaea648a64388327a0fa0b513dfb..dd8acb58ff7124eac7d3842079e309afa8bb3045 100644 (file)
--- a/source3/utils/testparm.c
+++ b/source3/utils/testparm.c
@@ -598,11 +598,25 @@ static int do_global_checks(void)
                ret = 1;
        }
 
-       if (!lp_server_schannel()) {
+       if (lp_server_schannel() != true) { /* can be 'auto' */
                fprintf(stderr,
-                       "WARNING: You have configured 'server schannel = no'. "
+                       "WARNING: You have not configured "
+                       "'server schannel = yes' (the default). "
                        "Your server is vulernable to \"ZeroLogon\" "
-                       "(CVE-2020-1472)\n\n");
+                       "(CVE-2020-1472)\n"
+                       "If required use individual "
+                       "'server require schannel:COMPUTERACCOUNT$ = no' "
+                       "options\n\n");
+       }
+       if (lp_client_schannel() != true) { /* can be 'auto' */
+               fprintf(stderr,
+                       "WARNING: You have not configured "
+                       "'client schannel = yes' (the default). "
+                       "Your server is vulernable to \"ZeroLogon\" "
+                       "(CVE-2020-1472)\n"
+                       "If required use individual "
+                       "'client schannel:NETBIOSDOMAIN = no' "
+                       "options\n\n");
        }
 
        return ret;