docs-xml/smbdotconf: add "server support krb5 netlogon" options
authorStefan Metzmacher <metze@samba.org>
Thu, 7 Nov 2024 14:37:57 +0000 (15:37 +0100)
committerAndreas Schneider <asn@cryptomilk.org>
Thu, 12 Dec 2024 13:59:29 +0000 (13:59 +0000)
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
docs-xml/smbdotconf/logon/serverrejectaesschannel.xml
docs-xml/smbdotconf/security/serversupportkrb5netlogon.xml [new file with mode: 0644]

index 5c6ad5a8c925efea4da847dbf04f8b75920364fb..467261b272d1786b3034c6f854c54e61fe3b883d 100644 (file)
        reject clients which do not support ServerAuthenticateKerberos.</para>
 
        <para>Support for ServerAuthenticateKerberos was added in Windows
-       starting with Server 2025, it's available in Samba starting with 4.22
-       (but disabled by default).
+       starting with Server 2025, it's available in Samba starting with 4.22 with the
+       '<smbconfoption name="server support krb5 netlogon">yes</smbconfoption>' and
+       '<smbconfoption name="client use krb5 netlogon">yes</smbconfoption>' options,
+       which are disabled by default.
        </para>
 
        <para>Note this options is not really related to security problems
@@ -53,6 +55,9 @@
        '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'.
        </para>
 
+       <para>This option interacts with the '<smbconfoption name="server support krb5 netlogon"/>' option.
+       </para>
+
        <para>For now '<smbconfoption name="server reject aes schannel"/>'
        is EXPERIMENTAL and should not be configured explicitly.</para>
 </description>
diff --git a/docs-xml/smbdotconf/security/serversupportkrb5netlogon.xml b/docs-xml/smbdotconf/security/serversupportkrb5netlogon.xml
new file mode 100644 (file)
index 0000000..652ef5f
--- /dev/null
@@ -0,0 +1,28 @@
+<samba:parameter name="server support krb5 netlogon"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+       <para><emphasis>This option is experimental for now!</emphasis>
+       </para>
+
+       <para>This option controls whether the netlogon server (currently
+       only in 'active directory domain controller' mode), will
+       provide support for ServerAuthenticateKerberos.</para>
+
+       <para>Support for ServerAuthenticateKerberos was added in Windows
+       starting with Server 2025, it's available in Samba starting with 4.22 with the
+       '<smbconfoption name="server support krb5 netlogon">yes</smbconfoption>' and
+       '<smbconfoption name="client use krb5 netlogon">yes</smbconfoption>' options,
+       which are disabled by default.
+       </para>
+
+       <para>This option interacts with the
+       '<smbconfoption name="server reject aes schannel:COMPUTERACCOUNT">yes</smbconfoption>' and
+       '<smbconfoption name="server reject aes schannel">yes</smbconfoption>' options.
+       </para>
+</description>
+
+<value type="default">no</value>
+<value type="example">yes</value>
+</samba:parameter>
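Review bot: The last paragraph of the description says this option "interacts with" the two `server reject aes schannel` settings but never states what the interaction is, so an administrator cannot tell which combinations are safe to deploy. The serverrejectaesschannel.xml text in this same commit says that option rejects clients which do not support ServerAuthenticateKerberos; if so, turning it on while this option stays at its default `no` would presumably leave clients with no accepted way to set up the netlogon secure channel, and the page should say that explicitly. If that is the implemented behaviour, I would replace the paragraph with something like `<para>'server reject aes schannel = yes' is only useful when this option is set to yes; with the default of no, clients that are rejected for AES have no Kerberos alternative.</para>`. The matching one-line paragraph added to serverrejectaesschannel.xml has the same gap and should get the counterpart sentence.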