From: Andrew Bartlett
Date: Thu, 14 Sep 2023 09:20:39 +0000 (+1200)
Subject: docs-xml: Add new parameter "acl claims evaluation"
X-Git-Tag: tevent-0.16.0~432
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1223b89d81892ead52267a31afea40f14c4f2a09;p=thirdparty%2Fsamba.git

docs-xml: Add new parameter "acl claims evaluation"

Signed-off-by: Andrew Bartlett
Reviewed-by: Douglas Bagnall
---

diff --git a/docs-xml/smbdotconf/security/aclclaimsevaluation.xml b/docs-xml/smbdotconf/security/aclclaimsevaluation.xml
new file mode 100644
index 00000000000..ab72617facd
--- /dev/null
+++ b/docs-xml/smbdotconf/security/aclclaimsevaluation.xml
@@ -0,0 +1,42 @@
+ + + This option controls the way Samba handles evaluation of + security descriptors in Samba, with regards to Active + Directory Claims. AD Claims, introduced with Windows 2012, + are essentially administrator-defined key-value pairs that can + be set both in Active Directory (communicated via the Kerberos + PAC) and in the security descriptor themselves. + + + Active Directory claims are new with Samba 4.20. + Because the claims are evaluated against a very flexible + expression language within the security descriptor, this option provides a mechanism + to disable this logic if required by the administrator. + + This default behaviour is that claims evaluation is + enabled in the AD DC only. Additionally, claims evaluation on + the AD DC is only enabled if the DC functional level + is 2012 or later. See . + + Possible values are : + + + AD DC only: Enabled for the Samba AD + DC (for DC functional level 2012 or higher). + + + never: Disabled in all cases. + This option disables some but not all of the + Authentication Policies and Authentication Policy Silos features of + the Windows 2012R2 functional level in the AD DC. + + + + +AD DC only +
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 447087911b5..9a7ae4f95fe 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -3156,6 +3156,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 				  "ad dc functional level",
 				  "2008_R2");
 
+	lpcfg_do_global_parameter(lp_ctx,
+				  "acl claims evaluation",
+				  "AD DC only");
+
 	for (i = 0; parm_table[i].label; i++) {
 		if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
 			lp_ctx->flags[i] |= FLAG_DEFAULT;
diff --git a/lib/param/loadparm.h b/lib/param/loadparm.h
index 06e40f25c84..0bf4c173652 100644
--- a/lib/param/loadparm.h
+++ b/lib/param/loadparm.h
@@ -258,6 +258,12 @@ enum store_nt_hash {
 	NT_HASH_STORE_ALWAYS
 };
 
+/* Controlling the storage of the NT password has on the AD DC */
+enum acl_claims_evaluation {
+	ACL_CLAIMS_EVALUATION_AD_DC_ONLY,
+	ACL_CLAIMS_EVALUATION_NEVER
+};
+
 /*
  * Default passwd chat script.
  */
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 948550e6171..ce591560ba8 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -439,6 +439,12 @@ static const struct enum_list enum_ad_functional_level[] = {
 	{-1, NULL}
 };
 
+static const struct enum_list enum_acl_claims_evaluation[] = {
+	{ACL_CLAIMS_EVALUATION_AD_DC_ONLY, "AD DC only"},
+	{ACL_CLAIMS_EVALUATION_NEVER, "never"},
+	{-1, NULL}
+};
+
 /* Note: We do not initialise the defaults union - it is not allowed in ANSI C
  *
  * NOTE: Handling of duplicated (synonym) parameters:
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 238b725e278..1c364458912 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -997,6 +997,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
 
 	Globals.ad_dc_functional_level = DS_DOMAIN_FUNCTION_2008_R2,
 
+	Globals.acl_claims_evaluation = ACL_CLAIMS_EVALUATION_AD_DC_ONLY;
+
 	/* Now put back the settings that were set with lp_set_cmdline() */
 	apply_lp_set_cmdline();
 }
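Review bot: The default is now spelled in three unconnected places — the string `"AD DC only"` passed to `lpcfg_do_global_parameter` here, the same label in `enum_acl_claims_evaluation` in lib/param/param_table.c, and `ACL_CLAIMS_EVALUATION_AD_DC_ONLY` in `init_globals` in source3/param/loadparm.c. The string here is presumably resolved through that enum table, so a later edit to the label would break this default while the enum constant kept working. A comment on the call, `/* must match the enum_acl_claims_evaluation label and the Globals.acl_claims_evaluation default */`, would at least point the next editor at the other two sites. loadparm_init begins before this hunk.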
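Review bot: The comment added above `enum acl_claims_evaluation` in lib/param/loadparm.h describes NT password hash storage, not claims evaluation; it reads as a copy of the comment on the `enum store_nt_hash` definition that precedes it, typo included (`has` for `hash`). A reader of the header will take it as authoritative, so replace it with a comment about this enum, e.g. `/* Controls whether AD claims in security descriptors are evaluated ("acl claims evaluation") */`. The preceding `enum store_nt_hash` definition begins before this hunk.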
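Review bot: The added `Globals.acl_claims_evaluation = ACL_CLAIMS_EVALUATION_AD_DC_ONLY;` in source3/param/loadparm.c becomes the right operand of a comma expression, because the preceding context line `Globals.ad_dc_functional_level = DS_DOMAIN_FUNCTION_2008_R2,` ends in a comma instead of a semicolon. Both assignments are still evaluated in order, so behaviour is unaffected, but the new line now depends on that pre-existing typo, and anyone inserting a declaration or control statement between the two will get a confusing compile error. While touching this spot, end the context line with a semicolon: `Globals.ad_dc_functional_level = DS_DOMAIN_FUNCTION_2008_R2;`. init_globals begins before this hunk.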