config: add kdc always include pac

author Gary Lockyer <gary@catalyst.net.nz>

Mon, 20 Oct 2025 00:01:14 +0000 (13:01 +1300)

committer Douglas Bagnall <dbagnall@samba.org>

Thu, 13 Nov 2025 22:09:33 +0000 (22:09 +0000)
author Gary Lockyer <gary@catalyst.net.nz>
Mon, 20 Oct 2025 00:01:14 +0000 (13:01 +1300)
committer Douglas Bagnall <dbagnall@samba.org>
Thu, 13 Nov 2025 22:09:33 +0000 (22:09 +0000)
diff --git a/docs-xml/smbdotconf/security/kdcalwaysincludepac.xml b/docs-xml/smbdotconf/security/kdcalwaysincludepac.xml

new file mode 100644 (file)

index 0000000..5f8b1f2
--- /dev/null
+++ b/docs-xml/smbdotconf/security/kdcalwaysincludepac.xml
@@ -0,0 +1,20 @@
+<samba:parameter name="kdc always include pac"
+                 type="boolean"
+                 context="G"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>
+        This option over-rides the PA-PAC-REQUEST received from the client.
+        When enabled (the default) a PAC will always be included in the
+        kerberos responses.
+       </para>
+
+    <para>
+        This option currently only applies if the embedded Heimdal
+        KDC is used.
+    </para>
+
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c

index 69baf4b70541722c52bc7ab5afac2b4af00047c1..125838c53a7c2c163c8219296486ae7543c26404 100644 (file)
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2959,6 +2959,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
         lpcfg_do_global_parameter(lp_ctx, "kdc enable fast", "True");
         lpcfg_do_global_parameter(lp_ctx, "strong certificate binding enforcement", "full");
         lpcfg_do_global_parameter(lp_ctx, "certificate backdating compensation", "0");
+       lpcfg_do_global_parameter(lp_ctx, "kdc always include pac", "True");
  
         lpcfg_do_global_parameter(lp_ctx, "nt status support", "True");
  
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c

index 5a0cb261824dcd780b84b70bc5282b5735916762..344b8901401f377c6bceb05e088ec5e6029f659e 100644 (file)
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -963,6 +963,7 @@ void loadparm_s3_init_globals(struct loadparm_context *lp_ctx,
         Globals.strong_certificate_binding_enforcement
                 = KDC_CERT_BINDING_FULL;
         Globals.certificate_backdating_compensation = 0;
+       Globals.kdc_always_include_pac = true;
  
         Globals.winbind_debug_traceid = true;
author	Gary Lockyer <gary@catalyst.net.nz>
	Mon, 20 Oct 2025 00:01:14 +0000 (13:01 +1300)
committer	Douglas Bagnall <dbagnall@samba.org>
	Thu, 13 Nov 2025 22:09:33 +0000 (22:09 +0000)
docs-xml/smbdotconf/security/kdcalwaysincludepac.xml	[new file with mode: 0644]	patch \| blob
lib/param/loadparm.c		patch \| blob \| blame \| history
source3/param/loadparm.c		patch \| blob \| blame \| history