From: Andrew Bartlett Date: Sun, 26 May 2024 23:51:59 +0000 (+1200) Subject: WHATSNEW: Mention msDS-ExpirePasswordsOnSmartCardOnlyAccounts behaviour X-Git-Tag: tdb-1.4.11~397 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f3528808aba9419c0895bdb709e1b0dc0bdced1e;p=thirdparty%2Fsamba.git WHATSNEW: Mention msDS-ExpirePasswordsOnSmartCardOnlyAccounts behaviour Signed-off-by: Andrew Bartlett Reviewed-by: Jo Sutton --- diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 6d1368c42b1..be93dd5ae61 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -139,6 +139,31 @@ authentication and DNS functions. This is not supported in samba-tool yet. +Samba AD will rotate expired passwords on smartcard-required accounts +--------------------------------------------------------------------- + +Traditionally in AD, accounts set to be "smart card require for logon" +will have a password for NTLM fallback and local profile encryption +(Windows DPAPI). This password previously would not expire. + +Matching Windows behaviour, when the DC in a FL 2016 domain and the +msDS-ExpirePasswordsOnSmartCardOnlyAccounts attribute on the domain +root is set to TRUE, Samba will now expire these passwords and rotate +them shortly before they expire. + +Note that the password expiry time must be set to twice the TGT lifetime for +smooth operation, e.g. daily expiry given a default 10 hour TGT +lifetime, as the password is only rotated in the second half of its +life. Again, this matches the Windows behaviour. + +Provided the default 2016 schema is used, new Samba domains +provisioned with Samba 4.21 will have this enabled once the domain +functional level is set to 2016. + +NOTE: Domains upgraded from older Samba versions will not have this +set, even after the functional level preparation, matching the +behaviour of upgraded Windows AD domains. + REMOVED FEATURES ================ 
@@ -181,4 +206,3 @@ database (https://bugzilla.samba.org/). == Our Code, Our Bugs, Our Responsibility. == The Samba Team ====================================================================== -
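Review bot: in the first hunk the sentence "Matching Windows behaviour, when the DC in a FL 2016 domain and the msDS-ExpirePasswordsOnSmartCardOnlyAccounts attribute on the domain root is set to TRUE" is missing a verb; it should read "when the DC is in a FL 2016 domain and ...". In the same hunk, "Note that the password expiry time must be set to twice the TGT lifetime" does not match the example that follows it (daily expiry against a 10 hour TGT is more than twice), and since the rotation happens in the second half of the password's life the real constraint is a lower bound, so "at least twice the TGT lifetime" would state the requirement accurately and avoid administrators reading it as an exact value. Consider also naming the attribute the text paraphrases as "smart card require for logon", since readers will be looking for the account control flag by its documented name rather than by a loose description.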