From c45247815af1a5817f1d34255aeb75e75cec82bd Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Fri, 29 Aug 2025 11:05:10 +1200 Subject: [PATCH] config: add certificate backdating compensation When preforming certificate based kerberos authentication (PKINIT) with "strong certificate binding enforcement = compatibility"", for WEAK mappings the certificate issue date must be after the date the user record was created. This parameter relaxes that constraint by allowing the certificate to have been issued up to the specified number of minutes before the user record was created. Signed-off-by: Gary Lockyer Reviewed-by: Jennifer Sutton --- .../smbdotconf/security/kdccertbackdating.xml | 28 +++++++++++++++++++ lib/param/loadparm.c | 1 + source3/param/loadparm.c | 1 + 3 files changed, 30 insertions(+) create mode 100644 docs-xml/smbdotconf/security/kdccertbackdating.xml diff --git a/docs-xml/smbdotconf/security/kdccertbackdating.xml b/docs-xml/smbdotconf/security/kdccertbackdating.xml new file mode 100644 index 00000000000..11926a164bb --- /dev/null +++ b/docs-xml/smbdotconf/security/kdccertbackdating.xml @@ -0,0 +1,28 @@ + + + + When performing certificate based kerberos authentication + (PKINIT) with + + compatibility + + + + This parameter specifies number of minutes that a certificate's issue + date may precede the creation of a users account. + + + More details can be found at + + KB5014754: Certificate-based authentication changes on Windows + domain controllers + + + + + +0 + diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index 98dafbd25de..8aea8f8499b 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c 
@@ -2958,6 +2958,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 lpcfg_do_global_parameter(lp_ctx, "kdc enable fast", "True");
 lpcfg_do_global_parameter(lp_ctx, "strong certificate binding enforcement", "full");
+ lpcfg_do_global_parameter(lp_ctx, "certificate backdating compensation", "0");
 lpcfg_do_global_parameter(lp_ctx, "nt status support", "True");
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 59ccbf99b81..d8ee4002fab 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -962,6 +962,7 @@ void loadparm_s3_init_globals(struct loadparm_context *lp_ctx,
 Globals.kdc_enable_fast = true;
 Globals.strong_certificate_binding_enforcement = KDC_CERT_BINDING_FULL;
+ Globals.certificate_backdating_compensation = 0;
 Globals.winbind_debug_traceid = true;
-- 2.47.3
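Review bot: The added `certificate backdating compensation` default in loadparm_init gives no hint that a non-zero value loosens the KB5014754 issue-date check for weak certificate mappings, so the new line should carry a why-comment: `/* minutes a cert may predate the account; 0 = no relaxation of the weak-mapping issue-date check */`. The same default is set again as a bare integer in loadparm_s3_init_globals (the source3/param/loadparm.c hunk), and both must stay in step with the default declared in the new docs-xml entry; a matching comment there would help the next maintainer keep them aligned. Neither hunk shows where the value is parsed or range-checked, so presumably the generated parameter table types it as an integer — it is worth confirming that a negative value is rejected at load time rather than reaching the KDC's date comparison. Both loadparm_init and loadparm_s3_init_globals start and end outside their hunks.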