From: Douglas Bagnall
Date: Wed, 12 Nov 2025 03:29:13 +0000 (+1300)
Subject: loadparm: add "kdc name match implicit dollar without canonicalization"
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1db071e7e21bc67c0e77dae478d333228bac153a;p=thirdparty%2Fsamba.git

loadparm: add "kdc name match implicit dollar without canonicalization"

This does nothing yet.

Signed-off-by: Douglas Bagnall
Reviewed-by: Jennifer Sutton
---

diff --git a/docs-xml/smbdotconf/security/kdcnamematchimplicitdollarwithoutcanonicalization.xml b/docs-xml/smbdotconf/security/kdcnamematchimplicitdollarwithoutcanonicalization.xml
new file mode 100644
index 00000000000..e1426b191c9
--- /dev/null
+++ b/docs-xml/smbdotconf/security/kdcnamematchimplicitdollarwithoutcanonicalization.xml
@@ -0,0 +1,39 @@
+
+
+
+	This option only affect clients that do not request name
+	canonicalization in an AS request, which generally means
+	traditional unix Kerberos clients and not Windows clients.
+
+
+
+	The KDC may match the name in an AS request inexactly, for
+	example using a case-insensitive comparison or converting it to
+	a User Principal Name, but the client is not informed of the
+	principal it actually matched unless it set the 'canonicalize'
+	option flag.
+
+
+	In Active Directory domains, the default behaviour of the KDC is
+	to append a '$' character if the supplied name does not have one
+	and does not already match. That allows 'foo' to match the
+	machine account 'foo$'. An attacker who is able to create
+	arbitrary machine accounts (which can be a low-privilege
+	operation) is sometimes able to get tickets for unix users by
+	mimicking their names. This is known as the 'dollar ticket
+	attack'.
+
+
+	With this option set to 'no', the KDC will not try to match
+	using the appended '$' unless the canonicalize flag is set. This
+	will allow AD-aware clients as usual to connect with
+	canonicalization, but not expose traditional unix clients to the
+	dollar ticket attack.
+
+
+yes
+
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 125838c53a7..dc4f6829208 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2960,6 +2960,8 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 	lpcfg_do_global_parameter(lp_ctx, "strong certificate binding enforcement", "full");
 	lpcfg_do_global_parameter(lp_ctx, "certificate backdating compensation", "0");
 	lpcfg_do_global_parameter(lp_ctx, "kdc always include pac", "True");
+	lpcfg_do_global_parameter(lp_ctx, "kdc name match implicit dollar without canonicalization",
+				  "yes");
 	lpcfg_do_global_parameter(lp_ctx, "nt status support", "True");
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 344b8901401..42f126acc21 100644
--- a/source3/param/loadparm.c
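Review bot: The new default in lib/param/loadparm.c is spelled `"yes"` while every neighbouring boolean default in this hunk (`"kdc always include pac"`, `"nt status support"`) uses `"True"`; the loadparm boolean parser accepts both as far as I can tell, but the block reads more consistently as `lpcfg_do_global_parameter(lp_ctx, "kdc name match implicit dollar without canonicalization", "True");`. The same default is hard-coded a second time as `true` in the source3/param/loadparm.c hunk, so the two sites have to be changed together; a one-line comment at each, such as `/* keep in sync with source3/param/loadparm.c; "yes" preserves the legacy implicit-'$' matching for clients that do not canonicalize */`, would make that coupling and the deliberately permissive default visible to the next person who tunes it. Since the commit message says the option is not consulted yet, it may also be worth stating in that comment that the value has no effect until the KDC reads it, so nobody sets it to "no" expecting protection before the follow-up lands. loadparm_init() starts and ends outside the hunk.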
+++ b/source3/param/loadparm.c
@@ -965,6 +965,8 @@ void loadparm_s3_init_globals(struct loadparm_context *lp_ctx,
 	Globals.certificate_backdating_compensation = 0;
 	Globals.kdc_always_include_pac = true;
+	Globals.kdc_name_match_implicit_dollar_without_canonicalization = true;
+ Globals.winbind_debug_traceid = true;
 	Globals.aio_max_threads = 100;