enabled" option.
+Kerberos PKINIT KeyTrust logon support
+--------------------------------------
+
+Samba servers configured with the embedded heimdal KDC and running as an ADDC,
+now support "Windows Hello for Business Key-Trust logons". This allows the
+PKINIT authentication mechanism to be used with self-signed keys.
+
+The samba-tool computer and user commands have a new "keytrust"
+sub-command which allows for the setting and viewing of the public key
+details for computer and user accounts. This stores the public key
+details in msDS-KeyCredentialLink attribute of the account.
+
+
+msDS-KeyCredentialLink validation
+---------------------------------
+
+Updates to the msDS-KeyCredentialLink attribute are validated against the
+rules specified by MS-ADTS 3.1.1.5.3.1.1.6.
+
+Kerberos PKINIT strong/flexible key mappings
+--------------------------------------------
+
+Samba servers configured with the embedded heimdal KDC and running as an ADDC
+now support "Windows Strong and Flexible key mappings" as outlined in
+Microsoft KB5014754: Certificate-based authentication changes on Windows domain
+controllers.
+
+The default enforcement mode ("full") allows only strong certificate
+mappings. The smb.conf option
+
+ strong certificate binding enforcement = compatibility
+
+will allow weak mappings where the certificate is newer than the user
+account. The option "none" will allow any mappings.
+
+The mappings for an account should be placed in the altSecurityIdentities
+attribute and follow the syntax documented in KB5014754.
+
+
+Kerberos PKINIT SID extension
+-----------------------------
+
+PKINIT authentication now supports certificates containing an Object SID
+extension (extension 1.3.6.1.4.1.311.25.2), this is considered to be a STRONG
+mapping for KB5014754.
+
+The computer and user samba-tool commands have a new sub-command
+"generate-csr" to generate certificate signing requests.
+
+
+KDC includes PAC by default
+---------------------------
+
+Samba will ignore the value provided by the client in "PA-PAC-REQUEST"
+and always include a PAC in responses, unless "kdc always generate
+pac" is set to "no".
+
+
+KDC can insist clients request canonicalization
+-----------------------------------------------
+
+Canonicalization of principal client names is not mandatory in
+Kerberos (per RFC4120), but must be requested by the client. In some
+circumstances allows a client to deceive Active Directory member
+servers (known as the "dollar ticket" attack).
+
+The new configuration option "kdc require canonicalization" can be
+used to require that clients request canonicalization; if they do not,
+their AS_REQ requests will be rejected as if the account was unknown.
+
+The default value is "no", for backward compatibility. Windows clients
+will ask for canonicalization by default, so in Windows-heavy
+environments it is safe and recommended to set this to "yes".
+
+KDC can avoid potentially confusing canonicalization
+----------------------------------------------------
+
+Currently when the client does not request canonicalization, when the
+KDC looks up a name and there is no match it will append a "$" to the
+name and try again. An attacker who can create arbitrary machine
+accounts can sometimes get tickets for Unix users by mimicking their
+names (the "dollar ticket" attack).
+
+The configuration option
+
+ kdc name match implicit dollar without canonicalization = no
+
+can be used to disable this behaviour for clients that do not request
+canonicalization. Probably this only affects traditional Unix clients,
+as Windows clients use canonicalization. If affected clients want a
+ticket for a machine account, they will have to use the full name
+including the dollar (e.g. "server$", not "server").
+
+If the "kdc require canonicalization" option cannot be set to "yes"
+(because some clients do not request canonicalization) setting this
+option to "no" is a good alternative.
+
+
+KDC provides Kerberos acceptors with canonical client names
+-----------------------------------------------------------
+
+By default the KDC will now send Kerberos services the canonicalized
+name (the sAMAccountName from the PAC) rather than trusting the cname.
+
+To return to the old behaviour, use
+
+ krb5 acceptor report canonical client name = no
+
+in the smb.conf.
+
+This currently affects Heimdal KDC only, not MIT.
+
+
+KDC recommended configuration:
+-----------------------------
+strong certificate binding enforcement full
+kdc always include pac yes
+kdc require canonicalization yes
+
+If unable to use "kdc require canonicalization" = "yes", then
+"kdc name match implicit dollar without implicit canonicalization" should be
+set to "no" if possible.
+
+samba tool
+----------
+
+Two new sub-commands have been added to the user and computer commands:
+
+user|computer generate-csr
+ Generate a Certificate signing request for an account containing the
+ Object SID extension (extension 1.3.6.1.4.1.311.25.2)
+
+user|computer keytrust
+ Add the public key details of a self signed certificate to an account.
+ The command supports PEM and DER encoded public keys.
+
REMOVED FEATURES
================
Parameter Name Description Default
-------------- ----------- -------
+ strong certificate binding enforcement New full
+ certificate backdating compensation New 0
+ kdc always include pac New yes
+ kdc require canonicalization New no
+ kdc name match implicit dollar without canonicalization
+ New yes
KNOWN ISSUES
============
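Review bot: the name of the always-include-PAC option is inconsistent within this hunk: the "KDC includes PAC by default" section says `unless "kdc always generate pac" is set to "no"`, while the "KDC recommended configuration" block and the new-parameter table both use `kdc always include pac`; the prose should use the same name as the table entry. The same block's closing sentence refers to `kdc name match implicit dollar without implicit canonicalization`, which has an extra "implicit" compared with the option as introduced under "KDC can avoid potentially confusing canonicalization" (`kdc name match implicit dollar without canonicalization = no`) and as listed in the table. That recommended-configuration block also drops the `=` that every other smb.conf example in this file uses, so `strong certificate binding enforcement full` and the two lines after it are not valid smb.conf syntax as written; please write them as `strong certificate binding enforcement = full` etc., and extend the heading underline to the heading's length. The table adds `certificate backdating compensation` with default `0`, but nothing in the notes says what it does or how it relates to the "compatibility" enforcement mode (which already allows weak mappings where the certificate is newer than the account); a sentence or two under "Kerberos PKINIT strong/flexible key mappings" would close that gap. Minor wording: "In some circumstances allows a client to deceive" under "KDC can insist clients request canonicalization" is missing its subject ("this allows"), the opening sentence of "KDC can avoid potentially confusing canonicalization" has a doubled "when ... when", and the "Kerberos PKINIT SID extension" paragraph joins two sentences with a comma after the OID.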