From: Stefan Metzmacher Date: Fri, 22 Jul 2016 10:58:00 +0000 (+0200) Subject: WHATSNEW: add SmartCard/PKINIT improvements X-Git-Tag: tdb-1.3.10~159 X-Git-Url: http://git.samba.org/samba.git/?p=ambi%2Fsamba-autobuild%2F.git;a=commitdiff_plain;h=1854252816bf19b9afd104098e750d8495ad85b6 WHATSNEW: add SmartCard/PKINIT improvements Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett --- diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 505d28b05dc..ad10514731f 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -177,6 +177,28 @@ Python crypto requirements Some samba-tool subcommands require python-crypto and/or python-m2crypto packages to be installed. +SmartCard/PKINIT improvements +----------------------------- + +"samba-tool user create" accepts --smartcard-required +and "samba-tool user setpassword" accepts --smartcard-required +and --clear-smartcard-required. + +Specifying --smartcard-required results in the UF_SMARTCARD_REQUIRED +flags being set in the userAccountControl attribute. +At the same time the account password is reset to a random +NTHASH value. + +Interactive password logons are rejected, if the UF_SMARTCARD_REQUIRED +bit is set in the userAccountControl attribute of a user. + +When doing a PKINIT based kerberos logon the KDC adds the +required PAC_CREDENTIAL_INFO element to the authorization data. +That means the NTHASH is shared between the PKINIT based client and +the domain controller, which allows the client to do NTLM based +authentication on behalf of the user. It also allows on offline +logon using a smartcard to work on Windows clients. + REMOVED FEATURES ================
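Review bot: the new SmartCard/PKINIT paragraph in the WHATSNEW.txt hunk carries two wording errors that would ship in a user-facing release note: `flags being set` should be `flag being set` (UF_SMARTCARD_REQUIRED is a single bit, as the following paragraph itself says), and `It also allows on offline logon` should read `It also allows an offline logon`. While touching the text, `kerberos` should be capitalised as `Kerberos` and the comma in `Interactive password logons are rejected, if the` dropped. Two documentation gaps in the same hunk are worth closing before merge: the note says what `--smartcard-required` does to the password (reset to a random NTHASH value) but not what `--clear-smartcard-required` leaves the account with, so an administrator cannot tell from the release note whether a new password must be set after clearing the flag; and since the text states that the NTHASH is shared with the PKINIT based client via PAC_CREDENTIAL_INFO, it would help to state plainly that the client host therefore ends up holding the user's NT hash, which is the property an operator needs to weigh when deciding which machines are allowed to perform PKINIT logons.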