loadparm: Add ‘krb5 acceptor report canonical client name’ option
authorJennifer Sutton <jennifersutton@catalyst.net.nz>
Tue, 6 Jan 2026 21:21:17 +0000 (10:21 +1300)
committerDouglas Bagnall <dbagnall@samba.org>
Thu, 15 Jan 2026 01:48:37 +0000 (01:48 +0000)
It is enabled by default, and does nothing as yet.

Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
docs-xml/smbdotconf/security/krb5acceptorreportcanonicalclientname.xml [new file with mode: 0644]
lib/param/loadparm.c
source3/param/loadparm.c

diff --git a/docs-xml/smbdotconf/security/krb5acceptorreportcanonicalclientname.xml b/docs-xml/smbdotconf/security/krb5acceptorreportcanonicalclientname.xml
new file mode 100644 (file)
index 0000000..d36afaa
--- /dev/null
@@ -0,0 +1,21 @@
+<samba:parameter name="krb5 acceptor report canonical client name"
+                 type="boolean"
+                 context="G"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+    <para>
+        This option affects the client name provided to Kerberos acceptors for
+        incoming Kerberos tickets. If set to ‘yes’, the client name in the
+        ticket will be replaced with the canonical client name (the
+        sAMAccountName). Otherwise, it will be left unchanged.
+       </para>
+
+    <para>
+        This option currently only applies if the embedded Heimdal
+        KDC is used.
+    </para>
+
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
index dc4f6829208864c7f4745a2bcb0ac9356a88d738..2151807af396bcef98c1cc57cf13f0358b0b1386 100644 (file)
@@ -2962,6 +2962,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
        lpcfg_do_global_parameter(lp_ctx, "kdc always include pac", "True");
        lpcfg_do_global_parameter(lp_ctx, "kdc name match implicit dollar without canonicalization",
                                  "yes");
+       lpcfg_do_global_parameter(lp_ctx, "krb5 acceptor report canonical client name", "yes");
 
        lpcfg_do_global_parameter(lp_ctx, "nt status support", "True");
 
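Review bot: The added default line is placed after the "kdc name match implicit dollar without canonicalization" entry here, whereas the matching `Globals.krb5_acceptor_report_canonical_client_name = true;` in source3/param/loadparm.c is inserted before its kdc_name_match counterpart; keeping the two default lists in the same order makes it easier to verify that the lib/param and source3 defaults agree. Both are set to enabled, which per the commit message has no effect until the acceptor code consumes the option, so a short comment on the new line such as `/* not yet consulted by the acceptor; documented in krb5acceptorreportcanonicalclientname.xml */` would save a reader from hunting for the consumer. loadparm_init starts and ends outside this hunk.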
index 2c3a5239447a8c6b72696973e99a5c339f012f66..f576e01c1c6619516cace4de72709900ab887bca 100644 (file)
@@ -964,6 +964,7 @@ void loadparm_s3_init_globals(struct loadparm_context *lp_ctx,
                = KDC_CERT_BINDING_FULL;
        Globals.certificate_backdating_compensation = 0;
        Globals.kdc_always_include_pac = true;
+       Globals.krb5_acceptor_report_canonical_client_name = true;
 
        Globals.kdc_name_match_implicit_dollar_without_canonicalization = true;