author: Stefan Metzmacher <metze@samba.org> 2016-07-22 12:58:00 +0200
committer: Andrew Bartlett <abartlet@samba.org> 2016-07-22 23:34:21 +0200
commit: 1854252816bf19b9afd104098e750d8495ad85b6 (patch)
tree: 9dbb644143ec94e7be1f6de9081f83914ac56e35 /WHATSNEW.txt
parent: 661e1a229e85f566c5fc5d43ea03fbb29847439a (diff)
download: samba-1854252816bf19b9afd104098e750d8495ad85b6.tar.gz
WHATSNEW: add SmartCard/PKINIT improvements
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'WHATSNEW.txt')
-rw-r--r-- WHATSNEW.txt 22
1 files changed, 22 insertions, 0 deletions
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 505d28b05dc..ad10514731f 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -177,6 +177,28 @@ Python crypto requirements
Some samba-tool subcommands require python-crypto and/or
python-m2crypto packages to be installed.
+SmartCard/PKINIT improvements
+-----------------------------
+
+"samba-tool user create" accepts --smartcard-required
+and "samba-tool user setpassword" accepts --smartcard-required
+and --clear-smartcard-required.
+
+Specifying --smartcard-required results in the UF_SMARTCARD_REQUIRED
+flags being set in the userAccountControl attribute.
+At the same time the account password is reset to a random
+NTHASH value.
+
+Interactive password logons are rejected, if the UF_SMARTCARD_REQUIRED
+bit is set in the userAccountControl attribute of a user.
+
+When doing a PKINIT based kerberos logon the KDC adds the
+required PAC_CREDENTIAL_INFO element to the authorization data.
+That means the NTHASH is shared between the PKINIT based client and
+the domain controller, which allows the client to do NTLM based
+authentication on behalf of the user. It also allows on offline
+logon using a smartcard to work on Windows clients.
+
REMOVED FEATURES
================
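Review bot: a few wording fixes are needed in the added SmartCard/PKINIT section before this lands in release notes. "results in the UF_SMARTCARD_REQUIRED flags being set" should be the singular "flag", since it is one bit; "Interactive password logons are rejected, if the" has a stray comma before "if"; "kerberos" should be capitalised as "Kerberos"; and "It also allows on offline logon" should read "It also allows an offline logon". It would also help readers if the paragraph about PAC_CREDENTIAL_INFO said explicitly that the NTHASH is only sent to the client in this way on a PKINIT logon, as the surrounding sentences imply but do not state, so that the consequence (the client can then perform NTLM authentication on the user's behalf) is clearly tied to the smartcard case rather than read as a general KDC behaviour.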