<samba:parameter name="strong certificate binding enforcement"
context="G"
type="enum"
enumlist="enum_strong_cert_binding_enforcement_vals"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>This parameter controls the enforcement of Windows certificate
bindings as outlined in
<ulink url="https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16">
KB5014754: Certificate-based authentication changes on
Windows domain controllers
</ulink>, when performing certificate-based Kerberos authentication
(PKINIT).
</para>
<para>The possible values are:
<itemizedlist>
<listitem>
<para><constant>none</constant></para>
<para>
No validation of the certificate mappings is performed
</para>
</listitem>
<listitem>
<para><constant>compatibility</constant></para>
<para>
Weak certificate mappings are permitted.
</para>
<para>
In compatibility mode a WEAK mapping is only accepted if the
certificate was issued after the user account was created,
unless <smbconfoption name="certificate backdating compensation"/>
has a value. In that case the certificate may have been
issued no more than that number of minutes before the user
account was created.
</para>
</listitem>
<listitem>
<para><constant>full</constant></para>
<para>
Only <constant>strong</constant> certificate mappings are
permitted. This is the default.
</para>
</listitem>
</itemizedlist>
</para>
<para>
Certificate mappings are configured in the user's
<constant>altSecurityIdentities</constant>
attribute and may be any of:
<itemizedlist>
<listitem>
<para>X509 Issuer and subject</para>
<para>Example: "X509:&lt;I&gt;IssuerName&lt;S&gt;SubjectName"</para>
<para>
The values provided for the issuer name and subject name
must match those in the user's certificate exactly.
</para>
<para><emphasis>WEAK</emphasis></para>
</listitem>
<listitem>
<para>X509 Subject only</para>
<para>Example: "X509:&lt;S&gt;SubjectName"</para>
<para>
The value provided for the subject name
must match that in the user's certificate exactly.
</para>
<para><emphasis>WEAK</emphasis></para>
</listitem>
<listitem>
<para>X509 RFC822</para>
<para>Example: "X509:&lt;RFC822&gt;test@example.com"</para>
<para>
The email address (RFC822 name) in the user's certificate
</para>
<para><emphasis>WEAK</emphasis></para>
</listitem>
<listitem>
<para>X509 Issuer and serial number</para>
<para>Example: "X509:&lt;I&gt;IssuerName&lt;SR&gt;123456789"</para>
<para>
Certificate issuer and serial number
</para>
<para><emphasis>STRONG</emphasis></para>
</listitem>
<listitem>
<para>X509 Subject Key Identifier</para>
<para>Example: "X509:&lt;SKI&gt;01234xxxxx"</para>
<para>
The certificate's Subject Key Identifier extension value
</para>
<para><emphasis>STRONG</emphasis></para>
</listitem>
<listitem>
<para>X509 public key SHA-1</para>
<para>Example: "X509:&lt;SHA1-PUKEY&gt;1234567890abcdef"</para>
<para>
The SHA-1 hash of the certificate's public key
</para>
<para><emphasis>STRONG</emphasis></para>
</listitem>
</itemizedlist>
Certificate mappings may also take the form of a certificate extension
(extension 1.3.6.1.4.1.311.25.2) that contains the user's SID. This is
considered a <emphasis>STRONG</emphasis> mapping.
</para>
</description>
<value type="default">full</value>
</samba:parameter>
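The following is an added example and not Samba's own code: a small model of how the three enforcement modes above treat each altSecurityIdentities mapping format, including the compatibility-mode issuance-date check and the backdating compensation window. The names used here (Strength, parse_mapping, classify_mapping, mapping_allowed, sid_extension_strength) are this example's own, the sample mapping strings and timestamps are constructed, and accepting a certificate issued at exactly the boundary of the compensation window is this example's choice, since the page does not state the boundary behaviour. Matching the mapping against the certificate actually presented in the PKINIT request is a separate step that is not modelled.

```python
"""Added example, not Samba code: a model of 'strong certificate binding
enforcement' decisions for the altSecurityIdentities formats listed above."""
import re
from datetime import datetime, timedelta, timezone
from enum import Enum


class Strength(Enum):
    WEAK = "weak"
    STRONG = "strong"


# Tag combinations and their strength, as listed on the page. The tuple keeps
# tag order, so "<I>...<SR>..." is accepted but "<SR>...<I>..." is not.
TAG_STRENGTH = {
    ("I", "S"): Strength.WEAK,          # issuer and subject
    ("S",): Strength.WEAK,              # subject only
    ("RFC822",): Strength.WEAK,         # email address
    ("I", "SR"): Strength.STRONG,       # issuer and serial number
    ("SKI",): Strength.STRONG,          # subject key identifier
    ("SHA1-PUKEY",): Strength.STRONG,   # SHA-1 of the public key
}

# Certificate extension carrying the user's SID; a STRONG mapping per the page.
SID_EXTENSION_OID = "1.3.6.1.4.1.311.25.2"

_TAG_RE = re.compile(r"<([A-Z0-9-]+)>([^<]*)")


def parse_mapping(value):
    """Split 'X509:<I>issuer<SR>123' into {'I': 'issuer', 'SR': '123'}.

    Returns None for anything that is not well formed: wrong prefix, text
    outside the <TAG>value structure, duplicate tags or empty values.
    """
    if not value.startswith("X509:"):
        return None
    body = value[len("X509:"):]
    parts = _TAG_RE.findall(body)
    if not parts or "".join(f"<{t}>{v}" for t, v in parts) != body:
        return None
    fields = {}
    for tag, val in parts:
        if tag in fields or not val:
            return None
        fields[tag] = val
    return fields


def classify_mapping(value):
    """Return Strength.WEAK / Strength.STRONG, or None if unrecognised."""
    fields = parse_mapping(value)
    if fields is None:
        return None
    return TAG_STRENGTH.get(tuple(fields))


def mapping_allowed(mode, strength, cert_not_before, user_when_created,
                    backdating_compensation_minutes=0):
    """Decide whether a mapping of the given strength may authenticate.

    mode is 'none', 'compatibility' or 'full' (the parameter's values).
    strength is a Strength, or None when classify_mapping rejected the value.
    cert_not_before and user_when_created are timezone-aware datetimes.
    """
    if mode == "none":
        return True                      # no validation of mappings at all
    if strength is None:
        return False                     # unknown format: never accept
    if strength is Strength.STRONG:
        return True                      # strong mappings pass in both modes
    if mode == "full":
        return False                     # weak mappings rejected outright
    if mode == "compatibility":
        # Weak mapping: the certificate must post-date account creation,
        # with the window extended backwards by the compensation (minutes).
        earliest = user_when_created - timedelta(
            minutes=backdating_compensation_minutes)
        return cert_not_before >= earliest   # boundary allowed: this example's choice
    raise ValueError(f"unknown enforcement mode: {mode!r}")


def sid_extension_strength(cert_extension_oids):
    """A certificate carrying the SID extension counts as a STRONG mapping."""
    return Strength.STRONG if SID_EXTENSION_OID in cert_extension_oids else None


if __name__ == "__main__":
    # Constructed sample data, not taken from any real directory.
    created = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
    issued = created - timedelta(minutes=5)   # cert predates the account by 5 min
    for m in ["X509:<I>DC=com,DC=example,CN=Example CA<S>CN=alice",
              "X509:<RFC822>alice@example.com",
              "X509:<I>DC=com,DC=example,CN=Example CA<SR>1a2b3c",
              "X509:<SKI>0123456789abcdef",
              "not-a-mapping"]:
        s = classify_mapping(m)
        label = s.value if s else "none"
        for mode in ("none", "compatibility", "full"):
            ok = mapping_allowed(mode, s, issued, created,
                                 backdating_compensation_minutes=10)
            print(f"{mode:13} {label:6} {ok!s:5} {m}")
```

Running the block prints one decision per mode for each constructed mapping; with a 10 minute compensation the weak mappings are accepted in compatibility mode and refused under full, while the issuer/serial and SKI mappings pass in both.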