From: Gary Lockyer Date: Tue, 23 Dec 2025 00:37:19 +0000 (+1300) Subject: Update WHATSNEW with kerberos changes X-Git-Tag: tdb-1.4.15~65 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=bf09de7922d9bd590837ba6fe2f5b555787adbc2;p=thirdparty%2Fsamba.git Update WHATSNEW with kerberos changes Signed-off-by: Gary Lockyer Signed-off-by: Douglas Bagnall Autobuild-User(master): Douglas Bagnall Autobuild-Date(master): Thu Jan 15 02:50:59 UTC 2026 on atb-devel-224 --- diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 911dffa1e64..ef009a63870 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -71,6 +71,142 @@ to work, and for Keycloak to work with the "password policy hints enabled" option. +Kerberos PKINIT KeyTrust logon support +-------------------------------------- + +Samba servers configured with the embedded heimdal KDC and running as an ADDC, +now support "Windows Hello for Business Key-Trust logons". This allows the +PKINIT authentication mechanism to be used with self-signed keys. + +The samba-tool computer and user commands have a new "keytrust" +sub-command which allows for the setting and viewing of the public key +details for computer and user accounts. This stores the public key +details in msDS-KeyCredentialLink attribute of the account. + + +msDS-KeyCredentialLink validation +--------------------------------- + +Updates to the msDS-KeyCredentialLink attribute are validated against the +rules specified by MS-ADTS 3.1.1.5.3.1.1.6. + +Kerberos PKINIT strong/flexible key mappings +-------------------------------------------- + +Samba servers configured with the embedded heimdal KDC and running as an ADDC +now support "Windows Strong and Flexible key mappings" as outlined in +Microsoft KB5014754: Certificate-based authentication changes on Windows domain +controllers. + +The default enforcement mode ("full") allows only strong certificate +mappings. The smb.conf option + + strong certificate binding enforcement = compatibility + +will allow weak mappings where the certificate is newer than the user +account. The option "none" will allow any mappings. + +The mappings for an account should be placed in the altSecurityIdentities +attribute and follow the syntax documented in KB5014754. + + +Kerberos PKINIT SID extension +----------------------------- + +PKINIT authentication now supports certificates containing an Object SID +extension (extension 1.3.6.1.4.1.311.25.2), this is considered to be a STRONG +mapping for KB5014754. 
+ +The computer and user samba-tool commands have a new sub-command +"generate-csr" to generate certificate signing requests. + + +KDC includes PAC by default +--------------------------- + +Samba will ignore the value provided by the client in "PA-PAC-REQUEST" +and always include a PAC in responses, unless "kdc always generate +pac" is set to "no". + + +KDC can insist clients request canonicalization +----------------------------------------------- + +Canonicalization of principal client names is not mandatory in +Kerberos (per RFC4120), but must be requested by the client. In some +circumstances allows a client to deceive Active Directory member +servers (known as the "dollar ticket" attack). + +The new configuration option "kdc require canonicalization" can be +used to require that clients request canonicalization; if they do not, +their AS_REQ requests will be rejected as if the account was unknown. + +The default value is "no", for backward compatibility. Windows clients +will ask for canonicalization by default, so in Windows-heavy +environments it is safe and recommended to set this to "yes". + +KDC can avoid potentially confusing canonicalization +---------------------------------------------------- + +Currently when the client does not request canonicalization, when the +KDC looks up a name and there is no match it will append a "$" to the +name and try again. An attacker who can create arbitrary machine +accounts can sometimes get tickets for Unix users by mimicking their +names (the "dollar ticket" attack). + +The configuration option + + kdc name match implicit dollar without canonicalization = no + +can be used to disable this behaviour for clients that do not request +canonicalization. Probably this only affects traditional Unix clients, +as Windows clients use canonicalization. If affected clients want a +ticket for a machine account, they will have to use the full name +including the dollar (e.g. "server$", not "server"). 
+ +If the "kdc require canonicalization" option cannot be set to "yes" +(because some clients do not request canonicalization) setting this +option to "no" is a good alternative. + + +KDC provides Kerberos acceptors with canonical client names +----------------------------------------------------------- + +By default the KDC will now send Kerberos services the canonicalized +name (the sAMAccountName from the PAC) rather than trusting the cname. + +To return to the old behaviour, use + + krb5 acceptor report canonical client name = no + +in the smb.conf. + +This currently affects Heimdal KDC only, not MIT. + + +KDC recommended configuration: +----------------------------- +strong certificate binding enforcement full +kdc always include pac yes +kdc require canonicalization yes + +If unable to use "kdc require canonicalization" = "yes", then +"kdc name match implicit dollar without implicit canonicalization" should be +set to "no" if possible. + +samba tool +---------- + +Two new sub-commands have been added to the user and computer commands: + +user|computer generate-csr + Generate a Certificate signing request for an account containing the + Object SID extension (extension 1.3.6.1.4.1.311.25.2) + +user|computer keytrust + Add the public key details of a self signed certificate to an account. + The command supports PEM and DER encoded public keys. + REMOVED FEATURES ================ @@ -80,6 +216,12 @@ smb.conf changes Parameter Name Description Default -------------- ----------- ------- + strong certificate binding enforcement New full + certificate backdating compensation New 0 + kdc always include pac New yes + kdc require canonicalization New no + kdc name match implicit dollar without canonicalization + New yes KNOWN ISSUES ============
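Review bot: the option names in the new WHATSNEW text do not agree with each other within this hunk. The "KDC includes PAC by default" section says the PAC is always included unless "kdc always generate pac" is set to "no", but the "KDC recommended configuration" block (and the parameter table later in the patch) calls the option "kdc always include pac"; and the last paragraph of the recommended configuration writes "kdc name match implicit dollar without implicit canonicalization" (an extra "implicit") where the "KDC can avoid potentially confusing canonicalization" section uses "kdc name match implicit dollar without canonicalization". Suggest using one spelling for each option throughout, and writing the recommended block in the smb.conf syntax the rest of the hunk uses, e.g. "strong certificate binding enforcement = full", "kdc always include pac = yes", "kdc require canonicalization = yes", rather than bare name/value pairs. Two smaller points in the same hunk: in the "KDC can insist clients request canonicalization" section the sentence "In some circumstances allows a client to deceive Active Directory member servers" has lost its subject ("In some circumstances this allows ..."), and the "samba tool" heading should read "samba-tool" to match the command name used elsewhere in the text.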
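Review bot: the table row "certificate backdating compensation New 0" adds a parameter that the new WHATSNEW prose in the first hunk never mentions. The "Kerberos PKINIT strong/flexible key mappings" section describes compatibility mode allowing weak mappings where the certificate is newer than the user account, which is presumably where this setting applies, so a sentence in that section saying what the parameter does, what its units are and what the default 0 means would let readers of the release notes find it. The remaining four rows match the options described in the prose (modulo the "include"/"generate" naming inconsistency noted on the first hunk).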