loadparm: add "kdc require canonicalization"
authorDouglas Bagnall <douglas.bagnall@catalyst.net.nz>
Wed, 26 Nov 2025 03:48:35 +0000 (16:48 +1300)
committerDouglas Bagnall <dbagnall@samba.org>
Thu, 15 Jan 2026 01:48:37 +0000 (01:48 +0000)
The new parameter has no effect yet.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
docs-xml/smbdotconf/security/kdcrequirecanonicalization.xml [new file with mode: 0644]
lib/param/loadparm.c
source3/param/loadparm.c

diff --git a/docs-xml/smbdotconf/security/kdcrequirecanonicalization.xml b/docs-xml/smbdotconf/security/kdcrequirecanonicalization.xml
new file mode 100644 (file)
index 0000000..e960b61
--- /dev/null
@@ -0,0 +1,36 @@
+<samba:parameter name="kdc require canonicalization"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+  <description>
+    <para>
+      Require that Kerberos clients use the canonicalization flag.
+    </para>
+
+    <para>
+      Clients that do not use the Kerberos canonicalization flag (see
+      RFC 6806) will get a TGT for the name they requested, which may
+      not exactly match the name in the Samba database. For example, a
+      client may request a ticket for 'root', and if there is a
+      computer called 'ROOT$' in the database, the KDC will issue a
+      ticket for 'root', using the standard matching rules for AD
+      Kerberos. A member server that is Kerberos-aware but not
+      AD-aware might accept this ticket as valid for the local root
+      user. This option avoids the problem by refusing to honour
+      requests without the canonicalization flag.
+    </para>
+    <para>
+      This is a reasonable option if all expected clients request
+      canonicalization (as Windows clients do), and there are member
+      servers that might be confused by this issue. Typically that
+      means unix servers expecting to be in an MIT Kerberos domain.
+    </para>
+    <para>
+      See also the "kdc name match implicit dollar without
+      canonicalization" option, which is more useful if you expect
+      Kerberos clients that will not use the canonicalize flag.
+    </para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
index 2151807af396bcef98c1cc57cf13f0358b0b1386..e3d9a0a0e5a05664b89c54585bd77686ea8c1193 100644 (file)
@@ -2962,6 +2962,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
        lpcfg_do_global_parameter(lp_ctx, "kdc always include pac", "True");
        lpcfg_do_global_parameter(lp_ctx, "kdc name match implicit dollar without canonicalization",
                                  "yes");
+       lpcfg_do_global_parameter(lp_ctx, "kdc require canonicalization", "no");
        lpcfg_do_global_parameter(lp_ctx, "krb5 acceptor report canonical client name", "yes");
 
        lpcfg_do_global_parameter(lp_ctx, "nt status support", "True");
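Review bot: The default registered on the added line makes `kdc require canonicalization` a settable smb.conf parameter, but the commit description says nothing consumes it yet, so an administrator who sets it to yes expecting the refusal described in the new manpage text gets neither enforcement nor a warning. A hardening knob that silently does nothing is worse than no knob while that gap lasts, because it invites a false sense of mitigation for the 'root'/'ROOT$' confusion the documentation describes. Until the KDC-side check that reads the value lands, the parameter description should say so, for example a closing paragraph such as `This option is not yet enforced by the KDC.`, or the option should be introduced in the same series as its consumer. The same applies to the `Globals.kdc_require_canonicalization = false;` default in the source3/param/loadparm.c hunk. loadparm_init begins before and continues after this hunk.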
index f576e01c1c6619516cace4de72709900ab887bca..4cd2b1f9e872e8398c134f896059a2bb3fe1b2b4 100644 (file)
@@ -967,6 +967,7 @@ void loadparm_s3_init_globals(struct loadparm_context *lp_ctx,
        Globals.krb5_acceptor_report_canonical_client_name = true;
 
        Globals.kdc_name_match_implicit_dollar_without_canonicalization = true;
+       Globals.kdc_require_canonicalization = false;
 
        Globals.winbind_debug_traceid = true;