From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 7 Nov 2024 14:37:57 +0000 (+0100)
Subject: docs-xml/smbdotconf: add "server support krb5 netlogon" options
X-Git-Tag: tdb-1.4.13~354
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c58137aad998cd9d652c798e0707246d2cc4ad03;p=thirdparty%2Fsamba.git

docs-xml/smbdotconf: add "server support krb5 netlogon" options

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---

diff --git a/docs-xml/smbdotconf/logon/serverrejectaesschannel.xml b/docs-xml/smbdotconf/logon/serverrejectaesschannel.xml
index 5c6ad5a8c92..467261b272d 100644
--- a/docs-xml/smbdotconf/logon/serverrejectaesschannel.xml
+++ b/docs-xml/smbdotconf/logon/serverrejectaesschannel.xml
@@ -11,8 +11,10 @@
 	reject clients which do not support ServerAuthenticateKerberos.</para>
 
 	<para>Support for ServerAuthenticateKerberos was added in Windows
-	starting with Server 2025, it's available in Samba starting with 4.22
-	(but disabled by default).
+	starting with Server 2025, it's available in Samba starting with 4.22 with the
+	'<smbconfoption name="server support krb5 netlogon">yes</smbconfoption>' and
+	'<smbconfoption name="client use krb5 netlogon">yes</smbconfoption>' options,
+	which are disabled by default.
 	</para>
 
 	<para>Note this options is not really related to security problems
@@ -53,6 +55,9 @@
 	'<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'.
 	</para>
 
+	<para>This option interacts with the '<smbconfoption name="server support krb5 netlogon"/>' option.
+	</para>
+
 	<para>For now '<smbconfoption name="server reject aes schannel"/>'
 	is EXPERIMENTAL and should not be configured explicitly.</para>
 </description>
diff --git a/docs-xml/smbdotconf/security/serversupportkrb5netlogon.xml b/docs-xml/smbdotconf/security/serversupportkrb5netlogon.xml
new file mode 100644
index 00000000000..652ef5f3d0a
--- /dev/null
+++ b/docs-xml/smbdotconf/security/serversupportkrb5netlogon.xml
@@ -0,0 +1,28 @@
+<samba:parameter name="server support krb5 netlogon"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para><emphasis>This option is experimental for now!</emphasis>
+	</para>
+
+	<para>This option controls whether the netlogon server (currently
+	only in 'active directory domain controller' mode), will
+	provide support for ServerAuthenticateKerberos.</para>
+
+	<para>Support for ServerAuthenticateKerberos was added in Windows
+	starting with Server 2025, it's available in Samba starting with 4.22 with the
+	'<smbconfoption name="server support krb5 netlogon">yes</smbconfoption>' and
+	'<smbconfoption name="client use krb5 netlogon">yes</smbconfoption>' options,
+	which are disabled by default.
+	</para>
+
+	<para>This option interacts with the
+	'<smbconfoption name="server reject aes schannel:COMPUTERACCOUNT">yes</smbconfoption>' and
+	'<smbconfoption name="server reject aes schannel">yes</smbconfoption>' options.
+	</para>
+</description>
+
+<value type="default">no</value>
+<value type="example">yes</value>
+</samba:parameter>