WHATSNEW: Add Resource Based Constrained Delegation (RBCD) feature for Heimdal

This landed in master as 34760dfc89e879a889d64b48c606ccbaf10e8ba3.

(This text based strongly on e25d6c89bef298ac8cd8c2fb7b49f6cbd4e05ba5
and b3e043276017c6323afa681df9154df9a4292bd1 in Samba 4.17's WHATSNEW)

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15457

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(v4-19-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-19-test): Fri Aug 25 09:02:28 UTC 2023 on atb-devel-224

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index d4315046af44c3c7b7b9385e2f3c5638c8349b28..54c59442461f569fa39c3ed8487eedf3aa59732a 100644 (file)
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -135,6 +135,23 @@ member server's own domain, to only consume a header and 4 bytes per
 group in the PAC, not a full-length SID worth of space each.  This is
 known as "Resource SID compression".
 
+Resource Based Constrained Delegation (RBCD) support in both MIT and Heimdal
+-----------------------------------------------------------------------------
+
+Samba AD DC built with MIT Kerberos (1.20 and later) has offered RBCD
+support since Samba 4.17.  Samba 4.19 brings this feature to the
+default Heimdal KDC.
+
+Samba 4.17 added to samba-tool delegation the 'add-principal' and
+'del-principal' subcommands in order to manage RBCD, and the database
+changes made by these tools are now honoured by the Heimdal KDC once
+Samba is upgraded.
+
+Likewise, now both MIT (1.20 and later) and Heimdal KDCs add the
+Asserted Identity [1] SID into the PAC for constrained delegation.
+
+[1] https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview
+
 New samba-tool support for silos, claims, sites and subnets.
 ------------------------------------------------------------