From: Gary Lockyer
Date: Thu, 28 Aug 2025 01:07:01 +0000 (+1200)
Subject: config: add strong certificate binding enforcement
X-Git-Tag: tdb-1.4.15~573
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=470ccdb340e716b8baa69049997a0d8b2432dffa;p=thirdparty%2Fsamba.git

config: add strong certificate binding enforcement

This parameter controls the enforcement of Windows Certificate bindings as outlined in "KB5014754: Certificate-based authentication changes on Windows domain controllers", when preforming certificate based kerberos authentication (PKINIT)

Signed-off-by: Gary Lockyer
Reviewed-by: Jennifer Sutton
---

diff --git a/docs-xml/smbdotconf/security/kdccertbindingenforcement.xml b/docs-xml/smbdotconf/security/kdccertbindingenforcement.xml
new file mode 100644
index 00000000000..fa1fab40ee8
--- /dev/null
+++ b/docs-xml/smbdotconf/security/kdccertbindingenforcement.xml
@@ -0,0 +1,109 @@
+ + + This parameter controls the enforcement of Windows Certificate + bindings as outlined in + + KB5014754: Certificate-based authentication changes on + Windows domain controllers + , when performing certificate based kerberos authentication + (PKINIT) + + + The possible values are: + + + none + + No validation of the certificate mappings is performed + + + + compatibility + + Weak certificate mappings are permitted. + + + In compatibility mode for WEAK mappings the date the + certificate was issued must be after the date that the user + was created. + + + Unless + + has a value. In that case the certificate may have been + issued no more that number of minutes before the user + was created. + + + + full + + Only strong certificate mappings are + permitted. This is the default. + + + + + + + Certificate mappings are configured in the users + altSecurityIdentities + attribute and may be any of: + + + X509 Issuer and subject + Example: "X509:<I>IssuerName<S>SubjectName" + + The values provided for the issuer name and subject name + must match those in the users certificate exactly. + + WEAK + + + X509 Subject only + Example: "X509:<S>SubjectName" + + The value provided for the issuer subject name + must match that in the users certificate exactly. + + WEAK + + + X509 RFC822 + Example: "X509:<RFC822>test@example.com" + + Email address + + WEAK + + + X509 Issuer and serial number + Example: "X509:<I>IssuerName<SR>123456789" + + Certificate issuer and serial number + + STRONG + + + X509 Subject Key Identifier + Example: "<SKI>01234xxxxx" + STRONG + + + X509 public key SHA1 + Example: "X509:<SHA1-PUKEY>1234567890abcdef" + + The SHA1 hash of the certificates public key + + STRONG + + + + + +full +
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 4af9638ffd7..98dafbd25de 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2957,6 +2957,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 	lpcfg_do_global_parameter_var(lp_ctx, "dns port", "%d", DNS_SERVICE_PORT);
 	lpcfg_do_global_parameter(lp_ctx, "kdc enable fast", "True");
+	lpcfg_do_global_parameter(lp_ctx, "strong certificate binding enforcement", "full");
 	lpcfg_do_global_parameter(lp_ctx, "nt status support", "True");
diff --git a/lib/param/loadparm.h b/lib/param/loadparm.h
index 32788e37391..a979a8ac8f6 100644
--- a/lib/param/loadparm.h
+++ b/lib/param/loadparm.h
@@ -183,6 +183,10 @@ struct file_lists {
 #define KERBEROS_ETYPES_STRONG 1
 #define KERBEROS_ETYPES_LEGACY 2
+#define KDC_CERT_BINDING_NONE 0
+#define KDC_CERT_BINDING_COMPAT 1
+#define KDC_CERT_BINDING_FULL 2
+
 /* ACL compatibility */
 enum acl_compatibility {ACL_COMPAT_AUTO, ACL_COMPAT_WINNT, ACL_COMPAT_WIN2K};
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 0283569882a..04d4d1dac84 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -294,6 +294,15 @@ static const struct enum_list enum_kerberos_encryption_types_vals[] = {
 	{-1, NULL}
 };
+/* KDC Windows KB5014754 certificate binding enforcement modes */
+
+static const struct enum_list enum_strong_cert_binding_enforcement_vals[] = {
+	{KDC_CERT_BINDING_NONE, "none"},
+	{KDC_CERT_BINDING_COMPAT, "compatibility"},
+	{KDC_CERT_BINDING_FULL, "full"},
+	{-1, NULL}
+};
+
 static const struct enum_list enum_printing[] = {
 	{PRINT_SYSV, "sysv"},
 	{PRINT_AIX, "aix"},
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 1be550d9ad3..59ccbf99b81 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -960,6 +960,8 @@ void loadparm_s3_init_globals(struct loadparm_context *lp_ctx,
 	Globals.kpasswd_port = 464;
 	Globals.kdc_enable_fast = true;
+	Globals.strong_certificate_binding_enforcement
+		= KDC_CERT_BINDING_FULL;
 	Globals.winbind_debug_traceid = true;
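Review bot: The default is spelled as the literal string `"full"` here but as `KDC_CERT_BINDING_FULL` in `loadparm_s3_init_globals()` (the source3/param/loadparm.c hunk), and the docs-xml hunk carries a third copy; nothing ties the three together, so a later change to one of them can silently leave the others behind. A comment on the added line, `/* keep in sync with loadparm_s3_init_globals() and the docs-xml default */`, would make the coupling visible to whoever next touches either file. The added line also runs well past 80 columns; if the project's line-length rule applies to this file, the string argument can be wrapped onto its own line. `loadparm_init()` continues outside the hunk.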
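Review bot: The three `KDC_CERT_BINDING_*` values in the loadparm.h hunk are bare `#define`s, so a `switch` over the parameter gets no missing-case diagnostic and a debugger shows only 0/1/2; `enum kdc_cert_binding_enforcement { KDC_CERT_BINDING_NONE, KDC_CERT_BINDING_COMPAT, KDC_CERT_BINDING_FULL };` keeps the same names and values and sits naturally next to the existing `enum acl_compatibility` two lines below. The `#define` form does match the adjacent `KERBEROS_ETYPES_*` constants, so this is a style preference rather than a defect. The `KDC_CERT_BINDING` prefix also differs from the parameter's `strong certificate binding enforcement` name and from the `strong_certificate_binding_enforcement` field set in source3, which makes grepping between the config name and its code harder.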
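Review bot: `enum_strong_cert_binding_enforcement_vals` in the param_table.c hunk is file-static and nothing in this diff refers to it; presumably the generated parameter table picks it up by the name given in the new XML's enumlist attribute (the attributes are not visible in this rendering), but if that name does not match exactly the array is dead data and `-Wunused-const-variable` will warn. The comment above it names the KB but not what the modes do, so a reader of this file alone cannot tell that `none` turns mapping validation off entirely; `/* KB5014754 certificate binding enforcement: none = skip mapping validation, compatibility = weak mappings allowed, full = strong mappings only (default) */` would state that where the values are defined.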