From: Gary Lockyer Date: Mon, 20 Oct 2025 00:01:14 +0000 (+1300) Subject: config: add kdc always include pac X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=87cdaf088debe9321e52a5dff6c5e7bd9882b76d;p=thirdparty%2Fsamba.git config: add kdc always include pac This option over-rides the PA-PAC-REQUEST received from the client. When enabled (the default) a PAC will always be included in the response. Signed-off-by: Gary Lockyer Reviewed-by: Jennifer Sutton --- diff --git a/docs-xml/smbdotconf/security/kdcalwaysincludepac.xml b/docs-xml/smbdotconf/security/kdcalwaysincludepac.xml new file mode 100644 index 00000000000..5f8b1f2c808 --- /dev/null +++ b/docs-xml/smbdotconf/security/kdcalwaysincludepac.xml @@ -0,0 +1,20 @@ + + + + This option over-rides the PA-PAC-REQUEST received from the client. + When enabled (the default) a PAC will always be included in the + kerberos responses. + + + + This option currently only applies if the embedded Heimdal + KDC is used. + + + + +yes + diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index 69baf4b7054..125838c53a7 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -2959,6 +2959,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lpcfg_do_global_parameter(lp_ctx, "kdc enable fast", "True"); lpcfg_do_global_parameter(lp_ctx, "strong certificate binding enforcement", "full"); lpcfg_do_global_parameter(lp_ctx, "certificate backdating compensation", "0"); + lpcfg_do_global_parameter(lp_ctx, "kdc always include pac", "True"); lpcfg_do_global_parameter(lp_ctx, "nt status support", "True"); diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 5a0cb261824..344b8901401 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c 
@@ -963,6 +963,7 @@ void loadparm_s3_init_globals(struct loadparm_context *lp_ctx, Globals.strong_certificate_binding_enforcement = KDC_CERT_BINDING_FULL; Globals.certificate_backdating_compensation = 0; + Globals.kdc_always_include_pac = true; Globals.winbind_debug_traceid = true;
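Review bot: in docs-xml/smbdotconf/security/kdcalwaysincludepac.xml the description covers only the enabled case and never says what setting the option to no does. Suggest adding a sentence for the disabled case, for example that the KDC then honours the client's PA-PAC-REQUEST and may issue a ticket without a PAC, if that is the intended behaviour. That is the half of the setting an administrator needs before moving away from the default. Minor wording: "over-rides" reads better as "overrides", and "kerberos" should be capitalised.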
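Review bot: in the lib/param/loadparm.c hunk, loadparm_init() registers the default with lpcfg_do_global_parameter(lp_ctx, "kdc always include pac", "True"), but nothing in the hunks shown reads the parameter. The change touches only the documentation and the two default tables. If the KDC code that consults the option lands in a separate commit, the commit message should say so. As posted, the message and the new manpage text describe an override that these lines alone do not implement.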
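Review bot: in the source3/param/loadparm.c hunk, Globals.kdc_always_include_pac = true in loadparm_s3_init_globals() is the third statement of the same default in this patch, next to yes in the XML and "True" in lib/param/loadparm.c. The three agree as posted, but the patch carries no test. Suggest one that checks the default and, once the KDC side is wired up, that a reply still carries a PAC when the client's PA-PAC-REQUEST asks for none.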