From 33ddd29f6be5a63bdd1d0ee60c86b56f619abaf8 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 7 Nov 2024 12:41:05 +0100
Subject: [PATCH] docs-xml/smbdotconf: add "reject aes netlogon servers" option

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
---
 .../winbind/rejectaesnetlogonservers.xml      | 29 +++++++++++++++++++
 .../smbdotconf/winbind/rejectmd5servers.xml   |  2 ++
 2 files changed, 31 insertions(+)
 create mode 100644 docs-xml/smbdotconf/winbind/rejectaesnetlogonservers.xml

diff --git a/docs-xml/smbdotconf/winbind/rejectaesnetlogonservers.xml b/docs-xml/smbdotconf/winbind/rejectaesnetlogonservers.xml
new file mode 100644
index 00000000000..202f00ce202
--- /dev/null
+++ b/docs-xml/smbdotconf/winbind/rejectaesnetlogonservers.xml
@@ -0,0 +1,29 @@
+<samba:parameter name="reject aes netlogon servers"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This option controls whether winbindd requires support
+	for ServerAuthenticateKerberos support for the netlogon secure channel.</para>
+
+	<para>Support for ServerAuthenticateKerberos was added in Windows
+	starting with Server 2025, it's available in Samba active directory domain controllers
+	starting with 4.22 with the '<smbconfoption name="server support krb5 netlogon">yes</smbconfoption>' option,
+	which is disabled by default.
+	</para>
+
+	<para>The following flags will be required: NETLOGON_NEG_PASSWORD_SET2,
+	NETLOGON_NEG_SUPPORTS_KERBEROS_AUTH and NETLOGON_NEG_AUTHENTICATED_RPC.</para>
+
+	<para>You can set this to yes if all domain controllers support
+	ServerAuthenticateKerberos.
+	This will prevent downgrade attacks.</para>
+
+	<para>The behavior can be controlled per netbios domain
+	by using 'reject aes netlogon servers:NETBIOSDOMAIN = no' as option.</para>
+
+	<para>This option overrides the <smbconfoption name="reject md5 servers"/> option.</para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
index 3bc4eaf7b02..1d6e0c8ad6d 100644
--- a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
+++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
@@ -18,6 +18,8 @@
 	<para>The default changed from 'no' to 'yes, with the patches for CVE-2022-38023,
 	see https://bugzilla.samba.org/show_bug.cgi?id=15240</para>
 
+	<para>This option is over-ridden by the <smbconfoption name="reject aes netlogon servers"/> option.</para>
+
 	<para>This option overrides the <smbconfoption name="require strong key"/> option.</para>
 </description>
 
-- 
2.47.3