author | Stefan Metzmacher <metze@samba.org> | 2016-07-22 12:58:00 +0200 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2016-07-22 23:34:21 +0200 |
commit | 1854252816bf19b9afd104098e750d8495ad85b6 (patch) | |
tree | 9dbb644143ec94e7be1f6de9081f83914ac56e35 /WHATSNEW.txt | |
parent | 661e1a229e85f566c5fc5d43ea03fbb29847439a (diff) | |
download | samba-1854252816bf19b9afd104098e750d8495ad85b6.tar.gz |
WHATSNEW: add SmartCard/PKINIT improvements
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'WHATSNEW.txt')
-rw-r--r-- | WHATSNEW.txt | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 505d28b05dc..ad10514731f 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -177,6 +177,28 @@ Python crypto requirements Some samba-tool subcommands require python-crypto and/or python-m2crypto packages to be installed. +SmartCard/PKINIT improvements +----------------------------- + +"samba-tool user create" accepts --smartcard-required +and "samba-tool user setpassword" accepts --smartcard-required +and --clear-smartcard-required. + +Specifying --smartcard-required results in the UF_SMARTCARD_REQUIRED +flags being set in the userAccountControl attribute. +At the same time the account password is reset to a random +NTHASH value. + +Interactive password logons are rejected, if the UF_SMARTCARD_REQUIRED +bit is set in the userAccountControl attribute of a user. + +When doing a PKINIT based kerberos logon the KDC adds the +required PAC_CREDENTIAL_INFO element to the authorization data. +That means the NTHASH is shared between the PKINIT based client and +the domain controller, which allows the client to do NTLM based +authentication on behalf of the user. It also allows on offline +logon using a smartcard to work on Windows clients. + REMOVED FEATURES ================ |
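Review bot: in the added "SmartCard/PKINIT improvements" section, "It also allows on offline logon using a smartcard to work on Windows clients." should read "an offline logon", and "results in the UF_SMARTCARD_REQUIRED flags being set" should be the singular "flag", since it is one bit and the following paragraph already calls it "the UF_SMARTCARD_REQUIRED bit"; the comma in "Interactive password logons are rejected, if the UF_SMARTCARD_REQUIRED bit is set" is also stray. Beyond wording, the section states that the KDC puts PAC_CREDENTIAL_INFO into the authorization data so the NTHASH is shared with the PKINIT client, but it does not connect this to the earlier paragraph: the hash handed out is the random value that --smartcard-required sets, and the only way to rotate it that this text describes is to run "samba-tool user setpassword --smartcard-required" again. One sentence making that explicit would tell administrators what the random reset buys them and when to repeat it.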