Netlogon Issue "schannel required"

Hi.

When I try to authenticate a proprietary client with Netlogon or NTLMv1, respectively, I see the following error message in log.samba:

[2019/11/24 19:40:02.252780,  0, pid=3525] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:284(dcesrv_netr_ServerAuthenticate3_helper)
  dcesrv_netr_ServerAuthenticate3_helper: schannel required but client failed to offer it. Client was xyz$

I searched Google for the message and found that you should set

server schannel = auto

in smb.conf, but I can’t find a suitable entry in the UCS registry.

Hello @tinux,

please have a look at the Release Notes for UCS 4.3-2. Starting with this UCS version, NTLMv1 authentication is deactivated by default for security reasons. Activating it is not recommended.

One issue in our Bugzilla mentions server schannel = auto, see https://forge.univention.org/bugzilla/show_bug.cgi?id=49898.

Nevertheless, you could set that option in /etc/samba/local.conf at your own risk. There is no UCR variable for it.

Best regards,
Nico


Hi Nico

Thanks. For the schannel parameter I created the file /etc/samba/local.conf as follows:

[global]
# full parameter name as Samba expects it; a bare "schannel = auto" is not a valid smb.conf option
server schannel = auto

Please be warned that this is absolutely not recommended, because it makes your Samba/AD DC vulnerable to the Zerologon security vulnerability! (See Status of Zerologon (CVE-2020-1472) security issue in UCS.)
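Added example (not part of this thread, and not Univention or Samba code): rather than weakening the DC with server schannel = auto, a practitioner would first audit what the effective setting is and find out which machine accounts are the ones being rejected, so those clients can be fixed instead. The script below parses an smb.conf/local.conf fragment the way Samba reads parameter names (case-insensitive, internal whitespace ignored) and flags anything other than "yes" for server schannel, and it counts the "schannel required but client failed to offer it" rejections per client in log.samba lines of the format quoted above. Both the config fragment and the log lines are constructed samples; the assumption that an absent parameter means Samba's default of "yes" is noted in the code.

```python
import re
from collections import Counter

# Constructed sample /etc/samba/local.conf fragment (not a real UCS file).
SAMPLE_LOCAL_CONF = """
[global]
# weakening added after reading the thread
server schannel = auto
log level = 1
"""

# Constructed sample log.samba lines in the layout shown in the thread:
# a bracketed header line followed by an indented message line.
SAMPLE_LOG = """\
[2019/11/24 19:40:02.252780,  0, pid=3525] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:284(dcesrv_netr_ServerAuthenticate3_helper)
  dcesrv_netr_ServerAuthenticate3_helper: schannel required but client failed to offer it. Client was xyz$
[2019/11/24 19:41:10.001234,  0, pid=3525] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:284(dcesrv_netr_ServerAuthenticate3_helper)
  dcesrv_netr_ServerAuthenticate3_helper: schannel required but client failed to offer it. Client was xyz$
[2019/11/24 19:42:00.500000,  0, pid=3525] ../../source4/rpc_server/netlogon/dcerpc_netlogon.c:284(dcesrv_netr_ServerAuthenticate3_helper)
  dcesrv_netr_ServerAuthenticate3_helper: schannel required but client failed to offer it. Client was legacyprinter$
[2019/11/24 19:43:00.000000,  3, pid=3525] ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
  Terminating connection - 'NT_STATUS_CONNECTION_DISCONNECTED'
"""


def parse_smb_conf(text):
    """Parse smb.conf-style text into {section: {normalized_param: value}}.

    Samba compares parameter names case-insensitively and ignores internal
    whitespace, so "Server SChannel" and "server schannel" are the same key.
    Lines starting with '#' or ';' are comments.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def schannel_status(conf_text):
    """Return (value, verdict) for 'server schannel' in [global].

    verdict is "ok" when schannel is required, "weak" for 'auto' or 'no'.
    """
    value = parse_smb_conf(conf_text).get("global", {}).get("serverschannel")
    if value is None:
        # Assumption: an absent parameter means Samba's default, which is "yes".
        return ("yes (default)", "ok")
    if value.lower() in ("yes", "true", "1"):
        return (value, "ok")
    # 'auto' or 'no': unsecured Netlogon channels are accepted (Zerologon exposure).
    return (value, "weak")


LOG_HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")
SCHANNEL_MSG = re.compile(
    r"schannel required but client failed to offer it\. Client was (\S+)"
)


def clients_failing_schannel(log_text):
    """Map each rejected machine account to its rejection count and last timestamp.

    The timestamp is taken from the header line that precedes each message line.
    """
    counts = Counter()
    last_seen = {}
    current_ts = None
    for line in log_text.splitlines():
        m = LOG_HEADER.match(line)
        if m:
            current_ts = m.group(1)
            continue
        m = SCHANNEL_MSG.search(line)
        if m:
            client = m.group(1)
            counts[client] += 1
            last_seen[client] = current_ts
    return {c: {"count": n, "last_seen": last_seen[c]} for c, n in counts.items()}


if __name__ == "__main__":
    print("server schannel:", schannel_status(SAMPLE_LOCAL_CONF))
    for client, info in clients_failing_schannel(SAMPLE_LOG).items():
        print(f"{client}: {info['count']} rejection(s), last {info['last_seen']}")
```

Run it against the real files by reading /etc/samba/local.conf and /var/log/samba/log.samba into the two functions; the rejected names are the machine accounts (the trailing $) whose Netlogon client needs updating, which is the fix that does not expose the DC.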
