sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2024-12-21 09:34:19 +03:00
Code

docs-xml/smbdotconf: add "server support krb5 netlogon" options

Browse Source 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This commit is contained in:
Stefan Metzmacher 2024-11-07 15:37:57 +01:00 committed by Andreas Schneider
parent a5993f0c5c
commit c58137aad9
2 changed files with 35 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
docs-xml/smbdotconf/logon/serverrejectaesschannel.xml
View File

@ -11,8 +11,10 @@
reject clients which do not support ServerAuthenticateKerberos.</para>
<para>Support for ServerAuthenticateKerberos was added in Windows
starting with Server 2025, it's available in Samba starting with 4.22
(but disabled by default).
starting with Server 2025, it's available in Samba starting with 4.22 with the
'<smbconfoption name="server support krb5 netlogon">yes</smbconfoption>' and
'<smbconfoption name="client use krb5 netlogon">yes</smbconfoption>' options,
which are disabled by default.
</para>
<para>Note this options is not really related to security problems
@ -53,6 +55,9 @@
'<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'.
</para>
<para>This option interacts with the '<smbconfoption name="server support krb5 netlogon"/>' option.
</para>
<para>For now '<smbconfoption name="server reject aes schannel"/>'
is EXPERIMENTAL and should not be configured explicitly.</para>
</description>

28
docs-xml/smbdotconf/security/serversupportkrb5netlogon.xml Normal file
View File

@ -0,0 +1,28 @@
<samba:parameter name="server support krb5 netlogon"
context="G"
type="boolean"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para><emphasis>This option is experimental for now!</emphasis>
</para>
<para>This option controls whether the netlogon server (currently
only in 'active directory domain controller' mode), will
provide support for ServerAuthenticateKerberos.</para>
<para>Support for ServerAuthenticateKerberos was added in Windows
starting with Server 2025, it's available in Samba starting with 4.22 with the
'<smbconfoption name="server support krb5 netlogon">yes</smbconfoption>' and
'<smbconfoption name="client use krb5 netlogon">yes</smbconfoption>' options,
which are disabled by default.
</para>
<para>This option interacts with the
'<smbconfoption name="server reject aes schannel:COMPUTERACCOUNT">yes</smbconfoption>' and
'<smbconfoption name="server reject aes schannel">yes</smbconfoption>' options.
</para>
</description>
<value type="default">no</value>
<value type="example">yes</value>
</samba:parameter>