Bug 14525 - server schannel = no via group membership
Summary: server schannel = no via group membership
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes (show other bugs)
Version: unspecified
Hardware: All All
: P5 enhancement (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-10-07 23:52 UTC by Douglas Bagnall
Modified: 2020-10-08 11:45 UTC (History)
3 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Douglas Bagnall 2020-10-07 23:52:14 UTC 
In *aaS situations the people maintaining a DC's smb.conf are not necessarily the ones maintaining the domain. It is tricky in this case for the list of schannel-less machines to be maintained in the smb.conf.

If the smb.conf could name a group to which only the insecure machines belonged, the domain admins could keep it current without bothering the lower level admins.

I'm imagining something like:

   server schannel = yes
   server require schannel:group:machines-without-schannel = no

would allow machines in the group "machines-without-schannel" to not use schannel.
Comment 1 Stefan Metzmacher 2020-10-07 23:57:14 UTC 
(In reply to Douglas Bagnall from comment #0)

I'd do it via GPO's on windows, or specify the acl in SDDL in smb.conf.
The ACL could contain an ACE for a group.