From 56ba30c19059b5d9ee33fac0e95a82aec385f7a3 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Thu, 24 Aug 2023 19:09:25 +1200 Subject: [PATCH] WHATSNEW: Add Resource Based Constrained Delegation (RBCD) feature for Heimdal This landed in master as 34760dfc89e879a889d64b48c606ccbaf10e8ba3. (This text based strongly on e25d6c89bef298ac8cd8c2fb7b49f6cbd4e05ba5 and b3e043276017c6323afa681df9154df9a4292bd1 in Samba 4.17's WHATSNEW) BUG: https://bugzilla.samba.org/show_bug.cgi?id=15457 Signed-off-by: Andrew Bartlett --- WHATSNEW.txt | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index d4315046af4..54c59442461 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -135,6 +135,23 @@ member server's own domain, to only consume a header and 4 bytes per group in the PAC, not a full-length SID worth of space each. This is known as "Resource SID compression". +Resource Based Constrained Delegation (RBCD) support in both MIT and Heimdal +----------------------------------------------------------------------------- + +Samba AD DC built with MIT Kerberos (1.20 and later) has offered RBCD +support since Samba 4.17. Samba 4.19 brings this feature to the +default Heimdal KDC. + +Samba 4.17 added to samba-tool delegation the 'add-principal' and +'del-principal' subcommands in order to manage RBCD, and the database +changes made by these tools are now honoured by the Heimdal KDC once +Samba is upgraded. + +Likewise, now both MIT (1.20 and later) and Heimdal KDCs add the +Asserted Identity [1] SID into the PAC for constrained delegation. + +[1] https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview + New samba-tool support for silos, claims, sites and subnets. ------------------------------------------------------------ -- 2.25.1
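Review bot: In the second paragraph of the new RBCD section, "the database changes made by these tools are now honoured by the Heimdal KDC once Samba is upgraded" describes a behaviour change that takes effect on upgrade, but it is worded only as a feature note. As written, the text implies that delegation entries created with 'add-principal' on a Heimdal-based DC since 4.17 had no effect on the KDC and start to grant delegation as soon as the DC runs 4.19. Suggest adding a sentence that tells administrators to review their existing RBCD entries before upgrading and to remove any that are no longer wanted with 'del-principal'. Separately, footnote [1] is attached to "Asserted Identity" but the link is the constrained delegation overview; consider naming the SID in the text so the reader does not have to rely on the link to know which one is added to the PAC.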