Cannot update to UCS 5.0 - samba server Schannel?

The system can not be updated to UCS 5.0 due to the following reasons:

samba_server_schannel:
WARNING: Samba is configured with "server schannel = ",
This is extremely dangerous, see https://www.samba.org/samba/security/CVE-2020-1472.html
Please take care to change this back to “yes” before updating.

Error: Update aborted by pre-update script of release 5.0-0

Thanks for the help - I have tried updating in config but maybe am not finding the correct file - does anyone know where I can make this change in samba config? Thanks


I added through here, but it doesn't do anything:

image

I have carefully followed the instructions here:

Update 2020-10-29: See the end of the article

Zerologon is a vulnerability which exploits an issue in netlogon cryptography. It allows attackers to gain Domain Administrator rights. The only requirement for the attacker is to have unauthenticated network access to the domain controller.

More information about the vulnerability is available at Secura

Information about CVE-2020-1472 in Samba can be found in the upstream bugtracker: Bug 14497 CVE-2020-1472 Samba impact of “ZeroLogin”

A default installation of UCS with Samba as Active Directory Domain Controller is not affected by the vulnerability. UCS does not alter the Samba default setting for the server schannel = yes configuration option.

However, administrators should check that they have not changed this default manually, e.g. in order to support older clients in their network.
When executing

testparm -s 2>&1 | grep -i "server schannel"

on all Samba DCs in the domain, there should be no output - the default value of server schannel = yes is not printed. If server schannel = no or server schannel = auto is printed, the domain is vulnerable. The option should be removed from the Samba configuration and the Samba services should be restarted with /etc/init.d/samba restart

Update 2020-10-29
An update for UCS 4.4-5 and 4.4-6 was released with samba package version 2:4.10.18-1A~4.4.0.202010271637. This update contains Samba 4.10.18 which contains a mitigation against the attack. “Secure Channel” (schannel) can be deactivated for individual hosts, and must not be deactivated globally anymore. An example config entry looks like this:

server schannel = yes
server require schannel:host1$ = no
server require schannel:host2$ = no

Ok - it turned out I need to update samba … now


Guess I will go for it …
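
The check described in the quoted article, written as a reusable shell function. This is an added example, not part of the original thread or Univention's own tooling; the function name `audit_schannel`, its output labels and the sample input are assumptions constructed for illustration.

```shell
#!/bin/sh
# audit_schannel (hypothetical helper): read a Samba config dump, such as the
# output of `testparm -s`, on stdin and report the schannel settings that
# matter for CVE-2020-1472. Exit status 1 means the global setting needs work.
audit_schannel() {
    awk '
    /^[ \t]*[#;]/ { next }                       # skip comment lines
    {
        eq = index($0, "=")
        if (eq == 0) next                        # section headers, blank lines
        key = tolower(substr($0, 1, eq - 1))
        val = tolower(substr($0, eq + 1))
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "server schannel") {
            if (val == "no" || val == "auto") {
                # The article: these two values leave the domain vulnerable.
                print "VULNERABLE: global server schannel = " val; bad = 1
            } else if (val != "yes") {
                # e.g. the empty value shown in the pre-update warning
                print "REVIEW: unexpected global server schannel value [" val "]"; bad = 1
            }
        } else if (index(key, "server require schannel:") == 1) {
            # Per-host override available since the Samba 4.10.18 update.
            host = substr(key, length("server require schannel:") + 1)
            if (val != "yes") print "EXCEPTION: schannel not required for " host
        }
    }
    END {
        if (!bad) print "GLOBAL-OK: server schannel is yes or unset (default)"
        exit bad + 0
    }'
}

# Constructed sample input (not taken from a real system).
audit_schannel <<'EOF' || echo "action needed before updating"
[global]
	workgroup = EXAMPLE
	server schannel = auto
	server require schannel:host1$ = no
EOF
```

On a DC the same function can read live configuration with `testparm -s 2>/dev/null | audit_schannel`; every `EXCEPTION` line is a host that should be upgraded so the override can be removed.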
