config: add strong certificate binding enforcement
authorGary Lockyer <gary@catalyst.net.nz>
Thu, 28 Aug 2025 01:07:01 +0000 (13:07 +1200)
committerJennifer Sutton <jsutton@samba.org>
Fri, 10 Oct 2025 01:27:31 +0000 (01:27 +0000)
This parameter controls the enforcement of Windows Certificate bindings as
outlined in "KB5014754: Certificate-based authentication changes on Windows
domain controllers",
when performing certificate based kerberos authentication (PKINIT)

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
docs-xml/smbdotconf/security/kdccertbindingenforcement.xml [new file with mode: 0644]
lib/param/loadparm.c
lib/param/loadparm.h
lib/param/param_table.c
source3/param/loadparm.c

diff --git a/docs-xml/smbdotconf/security/kdccertbindingenforcement.xml b/docs-xml/smbdotconf/security/kdccertbindingenforcement.xml
new file mode 100644 (file)
index 0000000..fa1fab4
--- /dev/null
@@ -0,0 +1,109 @@
+<samba:parameter name="strong certificate binding enforcement"
+                 context="G"
+                 type="enum"
+                 enumlist="enum_strong_cert_binding_enforcement_vals"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>This parameter controls the enforcement of Windows Certificate
+        bindings as outlined in
+            <ulink url="https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16">
+                KB5014754: Certificate-based authentication changes on
+                Windows domain controllers
+            </ulink>, when performing certificate based kerberos authentication
+            (PKINIT)
+    </para>
+
+    <para>The possible values are:
+        <itemizedlist>
+            <listitem>
+                <para><constant>none</constant></para>
+                <para>
+                    No validation of the certificate mappings is performed
+                </para>
+            </listitem>
+            <listitem>
+                <para><constant>compatibility</constant></para>
+                <para>
+                        Weak certificate mappings are permitted.
+                </para>
+                <para>
+                    In compatibility mode for WEAK mappings the date the
+                    certificate was issued must be after the date that the user
+                    was created.
+                </para>
+                <para>
+                    <constant>Unless</constant>
+                    <smbconfoption name="certificate backdating compensation"/>
+                    has a value.  In that case the certificate may have been
+                    issued no more that number of minutes before the user
+                    was created.
+                </para>
+            </listitem>
+            <listitem>
+                <para><constant>full</constant></para>
+                <para>
+                    Only <constant>strong</constant> certificate mappings are
+                    permitted. This is the default.
+                </para>
+            </listitem>
+        </itemizedlist>
+    </para>
+
+    <para>
+        Certificate mappings are configured in the users
+        <constant>altSecurityIdentities</constant>
+            attribute and may be any of:
+            <itemizedlist>
+            <listitem>
+                <para>X509 Issuer and subject</para>
+                <para>Example: "X509:&lt;I&gt;IssuerName&lt;S&gt;SubjectName"</para>
+                <para>
+                    The values provided for the issuer name and subject name
+                    must match those in the users certificate exactly.
+                </para>
+                <para><emphasis>WEAK</emphasis></para>
+            </listitem>
+            <listitem>
+                <para>X509 Subject only</para>
+                <para>Example: "X509:&lt;S&gt;SubjectName"</para>
+                <para>
+                    The value provided for the issuer subject name
+                    must match that in the users certificate exactly.
+                </para>
+                <para><emphasis>WEAK</emphasis></para>
+            </listitem>
+            <listitem>
+                <para>X509 RFC822</para>
+                <para>Example: "X509:&lt;RFC822&gt;test@example.com"</para>
+                <para>
+                    Email address
+                </para>
+                <para><emphasis>WEAK</emphasis></para>
+            </listitem>
+            <listitem>
+                <para>X509 Issuer and serial number</para>
+                <para>Example: "X509:&lt;I&gt;IssuerName&lt;SR&gt;123456789"</para>
+                <para>
+                    Certificate issuer and serial number
+                </para>
+                <para><emphasis>STRONG</emphasis></para>
+            </listitem>
+            <listitem>
+                <para>X509 Subject Key Identifier</para>
+                <para>Example: "&lt;SKI&gt;01234xxxxx"</para>
+                <para><emphasis>STRONG</emphasis></para>
+            </listitem>
+            <listitem>
+                <para>X509 public key SHA1 </para>
+                <para>Example: "X509:&lt;SHA1-PUKEY&gt;1234567890abcdef"</para>
+                <para>
+                    The SHA1 hash of the certificates public key
+                </para>
+                <para><emphasis>STRONG</emphasis></para>
+            </listitem>
+            </itemizedlist>
+    </para>
+</description>
+
+<value type="default">full</value>
+</samba:parameter>
index 4af9638ffd7ff96490edafa521d3a329ad961da5..98dafbd25de3ffb926e14014b0bfa28e089362e1 100644 (file)
@@ -2957,6 +2957,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
        lpcfg_do_global_parameter_var(lp_ctx, "dns port", "%d", DNS_SERVICE_PORT);
 
        lpcfg_do_global_parameter(lp_ctx, "kdc enable fast", "True");
+       lpcfg_do_global_parameter(lp_ctx, "strong certificate binding enforcement", "full");
 
        lpcfg_do_global_parameter(lp_ctx, "nt status support", "True");
 
index 32788e37391a24f49eaa8ce32453c1a087a5a6d9..a979a8ac8f6a386e56fc8d888f7f4e0ad638b6cd 100644 (file)
@@ -183,6 +183,10 @@ struct file_lists {
 #define KERBEROS_ETYPES_STRONG 1
 #define KERBEROS_ETYPES_LEGACY 2
 
+#define KDC_CERT_BINDING_NONE 0
+#define KDC_CERT_BINDING_COMPAT 1
+#define KDC_CERT_BINDING_FULL 2
+
 /* ACL compatibility */
 enum acl_compatibility {ACL_COMPAT_AUTO, ACL_COMPAT_WINNT, ACL_COMPAT_WIN2K};
 
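Review bot: The three new KDC_CERT_BINDING_* macros at the top of the hunk carry no comment, unlike the `/* ACL compatibility */` label on the enum directly below them, and nothing ties their names to the smb.conf parameter "strong certificate binding enforcement" or says what the numeric order means. A one-line comment such as `/* "strong certificate binding enforcement" modes (KB5014754): 0 = none, 1 = compatibility, 2 = full, in increasing strictness */` would document both, and should state explicitly whether callers may rely on ordered comparisons (`>=`) between the values rather than exact matches. Since the neighbouring `enum acl_compatibility` is an enum, an `enum kdc_cert_binding` would also be debugger-visible, though the adjacent KERBEROS_ETYPES_* macros show the file accepts either style.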
index 0283569882ae98cbd90a2b4badc1dbd34ae0ca51..04d4d1dac8490fbc3c0a640e3f1ea56ccf657b6e 100644 (file)
@@ -294,6 +294,15 @@ static const struct enum_list enum_kerberos_encryption_types_vals[] = {
        {-1, NULL}
 };
 
+/* KDC Windows KB5014754 certificate binding enforcement modes */
+
+static const struct enum_list enum_strong_cert_binding_enforcement_vals[] = {
+       {KDC_CERT_BINDING_NONE, "none"},
+       {KDC_CERT_BINDING_COMPAT, "compatibility"},
+       {KDC_CERT_BINDING_FULL, "full"},
+       {-1, NULL}
+};
+
 static const struct enum_list enum_printing[] = {
        {PRINT_SYSV, "sysv"},
        {PRINT_AIX, "aix"},
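Review bot: The comment on the first added line is separated from the table it describes by a blank line, so it reads as a free-standing section header rather than the documentation of `enum_strong_cert_binding_enforcement_vals`. Dropping that blank line attaches the comment to the array; the `{-1, NULL}` terminator is present, matching the other tables in this file.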
index 1be550d9ad39e247e937f80d046282450005dfab..59ccbf99b815b6dc49832901d6057a22d89f3349 100644 (file)
@@ -960,6 +960,8 @@ void loadparm_s3_init_globals(struct loadparm_context *lp_ctx,
        Globals.kpasswd_port = 464;
 
        Globals.kdc_enable_fast = true;
+       Globals.strong_certificate_binding_enforcement
+               = KDC_CERT_BINDING_FULL;
 
        Globals.winbind_debug_traceid = true;