From c58137aad998cd9d652c798e0707246d2cc4ad03 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 7 Nov 2024 15:37:57 +0100
Subject: [PATCH] docs-xml/smbdotconf: add "server support krb5 netlogon"
 options

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
 .../logon/serverrejectaesschannel.xml         |  9 ++++--
 .../security/serversupportkrb5netlogon.xml    | 28 +++++++++++++++++++
 2 files changed, 35 insertions(+), 2 deletions(-)
 create mode 100644 docs-xml/smbdotconf/security/serversupportkrb5netlogon.xml

diff --git a/docs-xml/smbdotconf/logon/serverrejectaesschannel.xml b/docs-xml/smbdotconf/logon/serverrejectaesschannel.xml
index 5c6ad5a8c92..467261b272d 100644
--- a/docs-xml/smbdotconf/logon/serverrejectaesschannel.xml
+++ b/docs-xml/smbdotconf/logon/serverrejectaesschannel.xml
@@ -11,8 +11,10 @@
 	reject clients which do not support ServerAuthenticateKerberos.</para>
 
 	<para>Support for ServerAuthenticateKerberos was added in Windows
-	starting with Server 2025, it's available in Samba starting with 4.22
-	(but disabled by default).
+	starting with Server 2025, it's available in Samba starting with 4.22 with the
+	'<smbconfoption name="server support krb5 netlogon">yes</smbconfoption>' and
+	'<smbconfoption name="client use krb5 netlogon">yes</smbconfoption>' options,
+	which are disabled by default.
 	</para>
 
 	<para>Note this options is not really related to security problems
@@ -53,6 +55,9 @@
 	'<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'.
 	</para>
 
+	<para>This option interacts with the '<smbconfoption name="server support krb5 netlogon"/>' option.
+	</para>
+
 	<para>For now '<smbconfoption name="server reject aes schannel"/>'
 	is EXPERIMENTAL and should not be configured explicitly.</para>
 </description>
diff --git a/docs-xml/smbdotconf/security/serversupportkrb5netlogon.xml b/docs-xml/smbdotconf/security/serversupportkrb5netlogon.xml
new file mode 100644
index 00000000000..652ef5f3d0a
--- /dev/null
+++ b/docs-xml/smbdotconf/security/serversupportkrb5netlogon.xml
@@ -0,0 +1,28 @@
+<samba:parameter name="server support krb5 netlogon"
+                 context="G"
+                 type="boolean"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para><emphasis>This option is experimental for now!</emphasis>
+	</para>
+
+	<para>This option controls whether the netlogon server (currently
+	only in 'active directory domain controller' mode), will
+	provide support for ServerAuthenticateKerberos.</para>
+
+	<para>Support for ServerAuthenticateKerberos was added in Windows
+	starting with Server 2025, it's available in Samba starting with 4.22 with the
+	'<smbconfoption name="server support krb5 netlogon">yes</smbconfoption>' and
+	'<smbconfoption name="client use krb5 netlogon">yes</smbconfoption>' options,
+	which are disabled by default.
+	</para>
+
+	<para>This option interacts with the
+	'<smbconfoption name="server reject aes schannel:COMPUTERACCOUNT">yes</smbconfoption>' and
+	'<smbconfoption name="server reject aes schannel">yes</smbconfoption>' options.
+	</para>
+</description>
+
+<value type="default">no</value>
+<value type="example">yes</value>
+</samba:parameter>
-- 
2.47.3