When performing certificate based kerberos authentication (PKINIT) with
"strong certificate binding enforcement = compatibility", for WEAK mappings
the certificate issue date must be after the date the user record was created.
This parameter relaxes that constraint by allowing the certificate to have been
issued up to the specified number of minutes before the user record was created.
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
--- /dev/null
+<samba:parameter name="certificate backdating compensation"
+ context="G"
+ type="integer"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ When performing certificate based kerberos authentication
+ (PKINIT) with
+ <smbconfoption name="strong certificate binding enforcement">
+ compatibility
+ </smbconfoption>
+ </para>
+ <para>
+ This parameter specifies number of minutes that a certificate's issue
+ date may precede the creation of a users account.
+ </para>
+
+ <para>More details can be found at
+ <ulink url="https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16">
+ KB5014754: Certificate-based authentication changes on Windows
+ domain controllers
+ </ulink>
+ </para>
+
+</description>
+
+<value type="default">0</value>
+</samba:parameter>
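Review bot: the first `<para>` of the description is an unfinished sentence: it ends after `compatibility </smbconfoption>` with no main clause, so the reader never learns what the mode has to do with the parameter, and the description as a whole drops the point the commit message makes, that the issue-date check (and therefore this relaxation) only applies to WEAK certificate mappings. Suggest merging the two paragraphs along the lines of "When performing certificate based kerberos authentication (PKINIT) with <smbconfoption name="strong certificate binding enforcement">compatibility</smbconfoption>, a certificate with a weak mapping must have been issued after the user account was created. This parameter specifies the number of minutes that a certificate's issue date may precede the creation of the user's account." That also fixes "specifies number of minutes" (missing "the") and "a users account" (should be "a user's account"). Two caveats an administrator would want spelled out here rather than only in KB5014754: any non-zero value widens the window the issue-date check is meant to close, so it should be set to the smallest skew actually observed between the CA clock and the domain controller, and since `strong certificate binding enforcement` defaults to "full" (see the lpcfg defaults below), the parameter has no effect unless that option is also changed to compatibility.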
lpcfg_do_global_parameter(lp_ctx, "kdc enable fast", "True");
lpcfg_do_global_parameter(lp_ctx, "strong certificate binding enforcement", "full");
+ lpcfg_do_global_parameter(lp_ctx, "certificate backdating compensation", "0");
lpcfg_do_global_parameter(lp_ctx, "nt status support", "True");
Globals.kdc_enable_fast = true;
Globals.strong_certificate_binding_enforcement
= KDC_CERT_BINDING_FULL;
+ Globals.certificate_backdating_compensation = 0;
Globals.winbind_debug_traceid = true;
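Review bot: the default now lives in three places that must stay in agreement: `<value type="default">0</value>` in the XML, `lpcfg_do_global_parameter(lp_ctx, "certificate backdating compensation", "0");` in the lpcfg defaults, and `Globals.certificate_backdating_compensation = 0;` here. All three currently say 0, which preserves existing behaviour, but a one-line comment at this initialiser pointing at the XML default (as the commit already relies on for `strong_certificate_binding_enforcement` / `KDC_CERT_BINDING_FULL`) would make it harder to change one without the others.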