From: Douglas Bagnall Date: Wed, 26 Nov 2025 03:48:35 +0000 (+1300) Subject: loadparm: add "kdc require canonicalization" X-Git-Tag: tdb-1.4.15~75 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d803e2055b168b1c807325b0da54d3bbf6e5570a;p=thirdparty%2Fsamba.git loadparm: add "kdc require canonicalization" Has no effect yet. Signed-off-by: Douglas Bagnall Reviewed-by: Gary Lockyer --- diff --git a/docs-xml/smbdotconf/security/kdcrequirecanonicalization.xml b/docs-xml/smbdotconf/security/kdcrequirecanonicalization.xml new file mode 100644 index 00000000000..e960b613e71 --- /dev/null +++ b/docs-xml/smbdotconf/security/kdcrequirecanonicalization.xml @@ -0,0 +1,36 @@ + + + + Require that Kerberos clients use the canonicalization flag. + + + + Clients that do not use the Kerberos canonicalization flag (see + RFC 6806) will get a TGT for the name they requested, which may + not exactly match the name in the Samba database. For example, a + client may request a ticket for 'root', and if there is a + computer called 'ROOT$' in the database, the KDC will issue a + ticket for 'root', using the standard matching rules for AD + Kerberos. A member server that is Kerberos-aware but not + AD-aware might accept this ticket as valid for the local root + user. This option avoids the problem by refusing to honour + requests without the canonicalization flag. + + + This is a reasonable option if all expected clients request + canonicalization (as Windows clients do), and there are member + servers that might be confused by this issue. Typically that + means unix servers expecting to be in an MIT Kerberos domain. + + + See also the "kdc name match implicit dollar without + canonicalization" option, which is more useful if you expect + Kerberos clients that will not use the canonicalize flag. + + + +no + diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index 2151807af39..e3d9a0a0e5a 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c 
@@ -2962,6 +2962,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lpcfg_do_global_parameter(lp_ctx, "kdc always include pac", "True"); lpcfg_do_global_parameter(lp_ctx, "kdc name match implicit dollar without canonicalization", "yes"); + lpcfg_do_global_parameter(lp_ctx, "kdc require canonicalization", "no"); lpcfg_do_global_parameter(lp_ctx, "krb5 acceptor report canonical client name", "yes"); lpcfg_do_global_parameter(lp_ctx, "nt status support", "True"); diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index f576e01c1c6..4cd2b1f9e87 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -967,6 +967,7 @@ void loadparm_s3_init_globals(struct loadparm_context *lp_ctx, Globals.krb5_acceptor_report_canonical_client_name = true; Globals.kdc_name_match_implicit_dollar_without_canonicalization = true; + Globals.kdc_require_canonicalization = false; Globals.winbind_debug_traceid = true;
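Review bot: In the docs-xml/smbdotconf/security/kdcrequirecanonicalization.xml hunk the description promises behaviour the code does not yet have: "This option avoids the problem by refusing to honour requests without the canonicalization flag", while the commit message says "Has no effect yet". If the enforcing KDC change lands in the same series this is fine, but otherwise an administrator reading the man page would set the option and get no protection, so either hold this paragraph until the KDC honours the flag or state in the text which release enforces it. Two smaller wording points in the same hunk: the 'root' / 'ROOT$' example is the matching governed by "kdc name match implicit dollar without canonicalization" (default "yes" in the lib/param hunk below), so say that explicitly and state the precedence, i.e. that when this option is "yes" the implicit-dollar option is never consulted; and "unix servers expecting to be in an MIT Kerberos domain" should read "realm", with "canonicalize flag" and "canonicalization flag" unified to one term.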
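Review bot: The lib/param/loadparm.c hunk leaves the two knobs in the permissive combination by default ("kdc name match implicit dollar without canonicalization" "yes" immediately above, "kdc require canonicalization" "no"), which is the right compatibility choice but means the ticket-for-'root' case described in the new documentation remains the out-of-the-box behaviour. Worth a sentence in the documentation, or a DEBUG/WARN at parse time once the option is live, pointing out that hardening requires setting this parameter to "yes" and that doing so makes the implicit-dollar parameter irrelevant; otherwise the value string style ("no" beside "yes", rather than the "True"/"False" used two lines up) matches its neighbour and is fine.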
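Review bot: The source3/param/loadparm.c hunk assigns `Globals.kdc_require_canonicalization = false;`, so the struct member must be a boolean; the samba:parameter element attributes (name, context, type) are not visible in this rendering of the XML hunk, so confirm the new parameter is declared with type="boolean" and a global context so the generated member and the lpcfg/lp accessor come out as bool and the default here agrees with the "no" in the documentation's default block.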