The Samba-Bugzilla – Attachment 18392 Details for
Bug 15689
Can't add/delete special keys to keytab for nfs, cifs, http etc
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
patch for v4-21-test
v4-21-test.patch (text/plain), 29.13 KB, created by
Pavel Filipenský
on 2024-08-06 06:48:22 UTC
(
hide
)
Description:
patch for v4-21-test
Filename:
MIME Type:
Creator:
Pavel Filipenský
Created:
2024-08-06 06:48:22 UTC
Size:
29.13 KB
patch
obsolete
>From 2a8fc43048266282c3f04acc2712d9ad93a61855 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org> >Date: Thu, 1 Aug 2024 21:49:19 +0200 >Subject: [PATCH 1/4] docs:smbdotconf: Improve formatting of 'sync machine > password to keytab' >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >Hint: review this commit with ignoring white space changes. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689 > >Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> >Reviewed-by: Reviewed-by: Martin Schwenke <martin@meltin.net> >(cherry picked from commit 6c627903ee466cd1559d7f58821221c4dd668d1f) >--- > .../security/syncmachinepasswordtokeytab.xml | 77 ++++++++++--------- > 1 file changed, 42 insertions(+), 35 deletions(-) > >diff --git a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml >index 48d89213acf..b749ecb5c66 100644 >--- a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml >+++ b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml >@@ -3,8 +3,9 @@ > type="cmdlist" > xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> > <description> >- <para>This option allows you to describe what keytabs and how should be >- updated when machine account is changed via one of these commands >+<para> >+This option allows you to describe what keytabs and how should be updated when >+machine account is changed via one of these commands > > <programlisting> > wbinfo --change-secret >@@ -13,57 +14,63 @@ net rpc changetrustpw > net ads changetrustpw > </programlisting> > >- or by winbindd doing regular updates (see <smbconfoption name="machine password timeout"/>) >- >+or by winbindd doing regular updates (see <smbconfoption name="machine password timeout"/>) > </para> > >-<para>The option takes a list of keytab strings. Each string has this form: >- >+<para> >+The option takes a list of keytab strings. Each string has this form: > <programlisting> >- absolute_path_to_keytab:spn_spec[:sync_etypes][:sync_kvno][:netbios_aliases][:additional_dns_hostnames][:machine_password] >+absolute_path_to_keytab:spn_spec[:sync_etypes][:sync_kvno][:netbios_aliases][:additional_dns_hostnames][:machine_password] > </programlisting> > >- where spn_spec can have exactly one of these three forms: >+where spn_spec can have exactly one of these four forms: > <programlisting> >- account_name >- sync_spns >- spn_prefixes=value1[,value2[...]] >- spns=value1[,value2[...]] >+account_name >+sync_spns >+spn_prefixes=value1[,value2[...]] >+spns=value1[,value2[...]] > </programlisting> >-<para> >- No other combinations are allowed. >- >- Specifiers: >- account_name - creates entry using principal 'computer$@REALM'. >- sync_spns - uses principals received from AD DC. >- spn_prefixes - creates principals from the prefixes and adds netbios_aliases or additional_dns_hostnames if specified. >- spns - creates only the principals defined in the list. >+No other combinations are allowed. >+</para> > >- Options: >- sync_etypes - parameter "msDS-SupportedEncryptionTypes" is read from DC and is used to find the highest common enc type for AD and KRB5 lib. >- sync_kvno - the key version number ("msDS-KeyVersionNumber") is synchronized from DC, otherwise is set to -1. >- netbios_aliases - evaluated only for SPN_SPEC_PREFIX. If present, PREFIX/netbiosname@REALM and PREFIX/netbiosname.domainname@REALM are added for each alias. See <smbconfoption name="netbios aliases"/> >- additional_dns_hostnames - evaluated only for SPN_SPEC_PREFIX. If present, PREFIX/dnshostname@REALM is added for each dns name. See <smbconfoption name="additional dns hostnames"/> >- machine_password - mandatory, if missing the entry is ignored. For future use. >+<para> >+Specifiers: >+<programlisting> >+account_name - creates entry using principal 'computer$@REALM'. >+sync_spns - uses principals received from AD DC. >+spn_prefixes - creates principals from the prefixes and adds netbios_aliases or additional_dns_hostnames if specified. >+spns - creates only the principals defined in the list. >+</programlisting> > </para> > >+<para> >+Options: >+<programlisting> >+sync_etypes - parameter "msDS-SupportedEncryptionTypes" is read from DC and is used to find the highest common enc type for AD and KRB5 lib. >+sync_kvno - the key version number ("msDS-KeyVersionNumber") is synchronized from DC, otherwise is set to -1. >+netbios_aliases - evaluated only for SPN_SPEC_PREFIX. If present, PREFIX/netbiosname@REALM and PREFIX/netbiosname.domainname@REALM are added for each alias. See <smbconfoption name="netbios aliases"/> >+additional_dns_hostnames - evaluated only for SPN_SPEC_PREFIX. If present, PREFIX/dnshostname@REALM is added for each dns name. See <smbconfoption name="additional dns hostnames"/> >+machine_password - mandatory, if missing the entry is ignored. For future use. >+</programlisting> > </para> >+ > <para> > Example: > <programlisting> >- "/path/to/keytab0:account_name:machine_password", >- "/path/to/keytab1:account_name:sync_etypes:sync_kvno:machine_password", >- "/path/to/keytab2:sync_spns:machine_password", >- "/path/to/keytab3:sync_spns:sync_kvno:machine_password", >- "/path/to/keytab4:spn_prefixes=imap,smtp:machine_password", >- "/path/to/keytab5:spn_prefixes=imap,smtp:netbios_aliases:additional_dns_hostnames:sync_kvno:machine_password", >- "/path/to/keytab6:spns=wurst/brot@REALM:machine_password", >- "/path/to/keytab7:spns=wurst/brot@REALM,wurst2/brot@REALM:sync_kvno:machine_password" >+"/path/to/keytab0:account_name:machine_password", >+"/path/to/keytab1:account_name:sync_etypes:sync_kvno:machine_password", >+"/path/to/keytab2:sync_spns:machine_password", >+"/path/to/keytab3:sync_spns:sync_kvno:machine_password", >+"/path/to/keytab4:spn_prefixes=imap,smtp:machine_password", >+"/path/to/keytab5:spn_prefixes=imap,smtp:netbios_aliases:additional_dns_hostnames:sync_kvno:machine_password", >+"/path/to/keytab6:spns=wurst/brot@REALM:machine_password", >+"/path/to/keytab7:spns=wurst/brot@REALM,wurst2/brot@REALM:sync_kvno:machine_password" > </programlisting> > If sync_etypes or sync_kvno or sync_spns is present then winbind connects to DC. For "offline domain join" it might be useful not to use these options. > >-If no value is present, winbind uses value /path/to/keytab:sync_spns:sync_kvno:machine_password >+If no value is present, winbind uses value <programlisting>/path/to/keytab:sync_spns:sync_kvno:machine_password</programlisting> > where the path to the keytab is obtained either from the krb5 library or from <smbconfoption name="dedicated keytab file"/> > </para> >+ > </description> > </samba:parameter> >-- >2.45.2 > > >From 76379574928d4c39b799e7ba47de2d28c788f9b9 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org> >Date: Thu, 1 Aug 2024 22:39:56 +0200 >Subject: [PATCH 2/4] docs-xml: Fix trailing whitespace in net.8.xml >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689 > >Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> >Reviewed-by: Reviewed-by: Martin Schwenke <martin@meltin.net> >(cherry picked from commit 374680010d42d3bca52791159dba7b42eb8d0d6c) >--- > docs-xml/manpages/net.8.xml | 120 ++++++++++++++++++------------------ > 1 file changed, 60 insertions(+), 60 deletions(-) > >diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml >index c284cc25b49..f0b3df793d4 100644 >--- a/docs-xml/manpages/net.8.xml >+++ b/docs-xml/manpages/net.8.xml >@@ -80,12 +80,12 @@ > <para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle> > <manvolnum>7</manvolnum></citerefentry> suite.</para> > >- <para>The Samba net utility is meant to work just like the net utility >- available for windows and DOS. The first argument should be used >- to specify the protocol to use when executing a certain command. >- ADS is used for ActiveDirectory, RAP is using for old (Win9x/NT3) >- clients and RPC can be used for NT4 and Windows 2000. If this >- argument is omitted, net will try to determine it automatically. >+ <para>The Samba net utility is meant to work just like the net utility >+ available for windows and DOS. The first argument should be used >+ to specify the protocol to use when executing a certain command. >+ ADS is used for ActiveDirectory, RAP is using for old (Win9x/NT3) >+ clients and RPC can be used for NT4 and Windows 2000. If this >+ argument is omitted, net will try to determine it automatically. > Not all commands are available on all protocols. > </para> > >@@ -98,7 +98,7 @@ > <varlistentry> > <term>-w|--target-workgroup target-workgroup</term> > <listitem><para> >- Sets target workgroup or domain. You have to specify >+ Sets target workgroup or domain. You have to specify > either this option or the IP address or the name of a server. > </para></listitem> > </varlistentry> >@@ -115,7 +115,7 @@ > <varlistentry> > <term>-p|--port port</term> > <listitem><para> >- Port on the target server to connect to (usually 139 or 445). >+ Port on the target server to connect to (usually 139 or 445). > Defaults to trying 445 first, then 139. > </para></listitem> > </varlistentry> >@@ -123,7 +123,7 @@ > <varlistentry> > <term>-S|--server server</term> > <listitem><para> >- Name of target server. You should specify either >+ Name of target server. You should specify either > this option or a target workgroup or a target IP address. > </para></listitem> > </varlistentry> >@@ -524,7 +524,7 @@ YOU HAVE BEEN WARNED. > <refsect3> > <title>TIME</title> > >-<para>Without any options, the <command>NET TIME</command> command >+<para>Without any options, the <command>NET TIME</command> command > displays the time on the remote server. The remote server must be > specified with the -S option. > </para> >@@ -542,7 +542,7 @@ The remote server must be specified with the -S option. > > <refsect3> > <title>TIME SET</title> >-<para>Tries to set the date and time of the local server to that on >+<para>Tries to set the date and time of the local server to that on > the remote server using <command>/bin/date</command>. > The remote server must be specified with the -S option. > </para> >@@ -565,8 +565,8 @@ The remote server must be specified with the -S option. > [osName=string osVer=string] [options]</title> > > <para> >-Join a domain. If the account already exists on the server, and >-[TYPE] is MEMBER, the machine will attempt to join automatically. >+Join a domain. If the account already exists on the server, and >+[TYPE] is MEMBER, the machine will attempt to join automatically. > (Assuming that the machine has been created in server manager) > Otherwise, a password will be prompted for, and a new account may > be created.</para> >@@ -590,7 +590,7 @@ format is host/netbiosname@REALM. > [OU] (ADS only) Precreate the computer account in a specific OU. The > OU string reads from top to bottom without RDNs, and is delimited by > a '/'. Please note that '\' is used for escape by both the shell >-and ldap, so it may need to be doubled or quadrupled to pass through, >+and ldap, so it may need to be doubled or quadrupled to pass through, > and it is not used as a delimiter. > </para> > <para> >@@ -607,8 +607,8 @@ must be specified for either to take effect. > <refsect2> > <title>[RPC] OLDJOIN [options]</title> > >-<para>Join a domain. Use the OLDJOIN option to join the domain >-using the old style of domain joining - you need to create a trust >+<para>Join a domain. Use the OLDJOIN option to join the domain >+using the old style of domain joining - you need to create a trust > account in server manager first.</para> > </refsect2> > >@@ -692,8 +692,8 @@ account in server manager first.</para> > <refsect3> > <title>[RAP|RPC] SHARE ADD <replaceable>name=serverpath</replaceable> [-C comment] [-M maxusers] [targets]</title> > >-<para>Adds a share from a server (makes the export active). Maxusers >-specifies the number of users that can be connected to the >+<para>Adds a share from a server (makes the export active). Maxusers >+specifies the number of users that can be connected to the > share simultaneously.</para> > > </refsect3> >@@ -718,7 +718,7 @@ share simultaneously.</para> > <refsect3> > <title>[RPC|RAP] FILE CLOSE <replaceable>fileid</replaceable></title> > >-<para>Close file with specified <replaceable>fileid</replaceable> on >+<para>Close file with specified <replaceable>fileid</replaceable> on > remote server.</para> > > </refsect3> >@@ -727,7 +727,7 @@ remote server.</para> > <title>[RPC|RAP] FILE INFO <replaceable>fileid</replaceable></title> > > <para> >-Print information on specified <replaceable>fileid</replaceable>. >+Print information on specified <replaceable>fileid</replaceable>. > Currently listed are: file-id, username, locks, path, permissions. > </para> > >@@ -739,7 +739,7 @@ Currently listed are: file-id, username, locks, path, permissions. > <para> > List files opened by specified <replaceable>user</replaceable>. > Please note that <command>net rap file user</command> does not work >-against Samba servers. >+against Samba servers. > </para> > > </refsect3> >@@ -752,7 +752,7 @@ against Samba servers. > <refsect3> > <title>RAP SESSION</title> > >-<para>Without any other options, SESSION enumerates all active SMB/CIFS >+<para>Without any other options, SESSION enumerates all active SMB/CIFS > sessions on the target server.</para> > > </refsect3> >@@ -784,7 +784,7 @@ to local domain.</para> > <refsect2> > <title>RAP DOMAIN</title> > >-<para>Lists all domains and workgroups visible on the >+<para>Lists all domains and workgroups visible on the > current network.</para> > > </refsect2> >@@ -796,7 +796,7 @@ current network.</para> > <title>RAP PRINTQ INFO <replaceable>QUEUE_NAME</replaceable></title> > > <para>Lists the specified print queue and print jobs on the server. >-If the <replaceable>QUEUE_NAME</replaceable> is omitted, all >+If the <replaceable>QUEUE_NAME</replaceable> is omitted, all > queues are listed.</para> > > </refsect3> >@@ -814,9 +814,9 @@ queues are listed.</para> > <title>RAP VALIDATE <replaceable>user</replaceable> [<replaceable>password</replaceable>]</title> > > <para> >-Validate whether the specified user can log in to the >-remote server. If the password is not specified on the commandline, it >-will be prompted. >+Validate whether the specified user can log in to the >+remote server. If the password is not specified on the commandline, it >+will be prompted. > </para> > > ¬.implemented; >@@ -852,7 +852,7 @@ will be prompted. > <refsect2> > <title>RAP ADMIN <replaceable>command</replaceable></title> > >-<para>Execute the specified <replaceable>command</replaceable> on >+<para>Execute the specified <replaceable>command</replaceable> on > the remote server. Only works with OS/2 servers. > </para> > >@@ -899,7 +899,7 @@ Change password of <replaceable>USER</replaceable> from <replaceable>OLDPASS</re > <title>LOOKUP HOST <replaceable>HOSTNAME</replaceable> [<replaceable>TYPE</replaceable>]</title> > > <para> >-Lookup the IP address of the given host with the specified type (netbios suffix). >+Lookup the IP address of the given host with the specified type (netbios suffix). > The type defaults to 0x20 (workstation). > </para> > >@@ -965,7 +965,7 @@ or workgroup. Defaults to local domain.</para> > <refsect2> > <title>CACHE</title> > >-<para>Samba uses a general caching interface called 'gencache'. It >+<para>Samba uses a general caching interface called 'gencache'. It > can be controlled using 'NET CACHE'.</para> > > <para>All the timeout parameters support the suffixes: >@@ -1044,7 +1044,7 @@ omitted, the SID of the local server.</para> > <refsect2> > <title>GETDOMAINSID</title> > >-<para>Prints the local machine SID and the SID of the current >+<para>Prints the local machine SID and the SID of the current > domain.</para> > > </refsect2> >@@ -1158,15 +1158,15 @@ such as domain name, domain sid and number of users and groups. > <refsect3> > <title>RPC TRUSTDOM ADD <replaceable>DOMAIN</replaceable></title> > >-<para>Add a interdomain trust account for <replaceable>DOMAIN</replaceable>. >-This is in fact a Samba account named <replaceable>DOMAIN$</replaceable> >-with the account flag <constant>'I'</constant> (interdomain trust account). >+<para>Add a interdomain trust account for <replaceable>DOMAIN</replaceable>. >+This is in fact a Samba account named <replaceable>DOMAIN$</replaceable> >+with the account flag <constant>'I'</constant> (interdomain trust account). > This is required for incoming trusts to work. It makes Samba be a > trusted domain of the foreign (trusting) domain. > Users of the Samba domain will be made available in the foreign domain. >-If the command is used against localhost it has the same effect as >+If the command is used against localhost it has the same effect as > <command>smbpasswd -a -i DOMAIN</command>. Please note that both commands >-expect a appropriate UNIX account. >+expect a appropriate UNIX account. > </para> > > </refsect3> >@@ -1174,9 +1174,9 @@ expect a appropriate UNIX account. > <refsect3> > <title>RPC TRUSTDOM DEL <replaceable>DOMAIN</replaceable></title> > >-<para>Remove interdomain trust account for >-<replaceable>DOMAIN</replaceable>. If it is used against localhost >-it has the same effect as <command>smbpasswd -x DOMAIN$</command>. >+<para>Remove interdomain trust account for >+<replaceable>DOMAIN</replaceable>. If it is used against localhost >+it has the same effect as <command>smbpasswd -x DOMAIN$</command>. > </para> > > </refsect3> >@@ -1185,7 +1185,7 @@ it has the same effect as <command>smbpasswd -x DOMAIN$</command>. > <title>RPC TRUSTDOM ESTABLISH <replaceable>DOMAIN</replaceable></title> > > <para> >-Establish a trust relationship to a trusted domain. >+Establish a trust relationship to a trusted domain. > Interdomain account must already be created on the remote PDC. > This is required for outgoing trusts to work. It makes Samba be a > trusting domain of a foreign (trusted) domain. >@@ -1326,9 +1326,9 @@ net rpc trust delete \ > <refsect3> > <title>RPC RIGHTS</title> > >-<para>This subcommand is used to view and manage Samba's rights assignments (also >-referred to as privileges). There are three options currently available: >-<parameter>list</parameter>, <parameter>grant</parameter>, and >+<para>This subcommand is used to view and manage Samba's rights assignments (also >+referred to as privileges). There are three options currently available: >+<parameter>list</parameter>, <parameter>grant</parameter>, and > <parameter>revoke</parameter>. More details on Samba's privilege model and its use > can be found in the Samba-HOWTO-Collection.</para> > >@@ -1367,14 +1367,14 @@ Force shutting down all applications. > <varlistentry> > <term>-t timeout</term> > <listitem><para> >-Timeout before system will be shut down. An interactive >+Timeout before system will be shut down. An interactive > user of the system can use this time to cancel the shutdown. > </para></listitem> > </varlistentry> > > <varlistentry> > <term>-C message</term> >-<listitem><para>Display the specified message on the screen to >+<listitem><para>Display the specified message on the screen to > announce the shutdown.</para></listitem> > </varlistentry> > </variablelist> >@@ -1391,8 +1391,8 @@ to run this against the PDC, from a Samba machine joined as a BDC. </para> > <refsect2> > <title>RPC VAMPIRE</title> > >-<para>Export users, aliases and groups from remote server to >-local server. You need to run this against the PDC, from a Samba machine joined as a BDC. >+<para>Export users, aliases and groups from remote server to >+local server. You need to run this against the PDC, from a Samba machine joined as a BDC. > This vampire command cannot be used against an Active Directory, only > against an NT4 Domain Controller. > </para> >@@ -1486,7 +1486,7 @@ against an NT4 Domain Controller. > <title>ADS STATUS</title> > > <para>Print out status of machine account of the local machine in ADS. >-Prints out quite some debug info. Aimed at developers, regular >+Prints out quite some debug info. Aimed at developers, regular > users should use <command>NET ADS TESTJOIN</command>.</para> > > </refsect2> >@@ -1498,7 +1498,7 @@ users should use <command>NET ADS TESTJOIN</command>.</para> > <title>ADS PRINTER INFO [<replaceable>PRINTER</replaceable>] [<replaceable>SERVER</replaceable>]</title> > > <para> >-Lookup info for <replaceable>PRINTER</replaceable> on <replaceable>SERVER</replaceable>. The printer name defaults to "*", the >+Lookup info for <replaceable>PRINTER</replaceable> on <replaceable>SERVER</replaceable>. The printer name defaults to "*", the > server name defaults to the local host.</para> > > </refsect3> >@@ -1522,8 +1522,8 @@ server name defaults to the local host.</para> > <refsect2> > <title>ADS SEARCH <replaceable>EXPRESSION</replaceable> <replaceable>ATTRIBUTES...</replaceable></title> > >-<para>Perform a raw LDAP search on a ADS server and dump the results. The >-expression is a standard LDAP search expression, and the >+<para>Perform a raw LDAP search on a ADS server and dump the results. The >+expression is a standard LDAP search expression, and the > attributes are a list of LDAP fields to show in the results.</para> > > <para>Example: <userinput>net ads search '(objectCategory=group)' sAMAccountName</userinput> >@@ -1535,9 +1535,9 @@ attributes are a list of LDAP fields to show in the results.</para> > <title>ADS DN <replaceable>DN</replaceable> <replaceable>(attributes)</replaceable></title> > > <para> >-Perform a raw LDAP search on a ADS server and dump the results. The >-DN standard LDAP DN, and the attributes are a list of LDAP fields >-to show in the result. >+Perform a raw LDAP search on a ADS server and dump the results. The >+DN standard LDAP DN, and the attributes are a list of LDAP fields >+to show in the result. > </para> > > <para>Example: <userinput>net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' SAMAccountName</userinput></para> >@@ -2281,7 +2281,7 @@ share (no creation of new files or directories or writing to files). > </para> > > <para> >-The default if no "acl" is given is "Everyone:R", which means any >+The default if no "acl" is given is "Everyone:R", which means any > authenticated user has read-only access. > </para> > >@@ -3675,20 +3675,20 @@ net witness force-response Force an AsyncNotify response based on json input ( > <refsect1> > <title>VERSION</title> > >- <para>This man page is complete for version 3 of the Samba >+ <para>This man page is complete for version 3 of the Samba > suite.</para> > </refsect1> > > <refsect1> > <title>AUTHOR</title> >- >- <para>The original Samba software and related utilities >+ >+ <para>The original Samba software and related utilities > were created by Andrew Tridgell. Samba is now developed >- by the Samba Team as an Open Source project similar >+ by the Samba Team as an Open Source project similar > to the way the Linux kernel is developed.</para> > > <para>The net manpage was written by Jelmer Vernooij.</para> >- >+ > </refsect1> > > </refentry> >-- >2.45.2 > > >From 48c804ca18ed537fc4355cb61928ac038137f72c Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org> >Date: Thu, 1 Aug 2024 22:39:58 +0200 >Subject: [PATCH 3/4] docs-xml: Delete descriptions for removed commands "net > ads keytab add" and "net ads keytab add_update_ads" >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689 > >Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> >Reviewed-by: Reviewed-by: Martin Schwenke <martin@meltin.net> > >Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org> >Autobuild-Date(master): Mon Aug 5 13:29:25 UTC 2024 on atb-devel-224 > >(cherry picked from commit a5f47f6efe67e02d7a12f30b4e6fb76bcd6aa71c) >--- > docs-xml/manpages/net.8.xml | 70 ------------------------------------- > 1 file changed, 70 deletions(-) > >diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml >index f0b3df793d4..61a1e6362ce 100644 >--- a/docs-xml/manpages/net.8.xml >+++ b/docs-xml/manpages/net.8.xml >@@ -1557,76 +1557,6 @@ are made to the computer AD account. > </para> > </refsect2> > >-<refsect2> >-<title>ADS KEYTAB <replaceable>ADD</replaceable> <replaceable>(principal | machine | serviceclass | windows SPN</replaceable></title> >- >-<para> >-Adds a new keytab entry, the entry can be either; >- <variablelist> >- <varlistentry><term>kerberos principal</term> >- <listitem><para> >- A kerberos principal (identified by the presence of '@') is just >- added to the keytab file. >- </para></listitem> >- </varlistentry> >- <varlistentry><term>machinename</term> >- <listitem><para> >- A machinename (identified by the trailing '$') is used to create a >- a kerberos principal 'machinename@realm' which is added to the >- keytab file. >- </para></listitem> >- </varlistentry> >- <varlistentry><term>serviceclass</term> >- <listitem><para> >- A serviceclass (such as 'cifs', 'html' etc.) is used to create a pair >- of kerberos principals 'serviceclass/fully_qualified_dns_name@realm' & >- 'serviceclass/netbios_name@realm' which are added to the keytab file. >- </para></listitem> >- </varlistentry> >- <varlistentry><term>Windows SPN</term> >- <listitem><para> >- A Windows SPN is of the format 'serviceclass/host:port', it is used to >- create a kerberos principal 'serviceclass/host@realm' which will >- be written to the keytab file. >- </para></listitem> >- </varlistentry> >- </variablelist> >-</para> >-<para> >-Unlike old versions no computer AD objects are modified by this command. To >-preserve the behaviour of older clients 'net ads keytab ad_update_ads' is >-available. >-</para> >-</refsect2> >- >-<refsect2> >-<title>ADS KEYTAB <replaceable>ADD_UPDATE_ADS</replaceable> <replaceable>(principal | machine | serviceclass | windows SPN</replaceable></title> >- >-<para> >-Adds a new keytab entry (see section for net ads keytab add). In addition to >-adding entries to the keytab file corresponding Windows SPNs are created >-from the entry passed to this command. These SPN(s) added to the AD computer >-account object associated with the client machine running this command for >-the following entry types; >- <variablelist> >- <varlistentry><term>serviceclass</term> >- <listitem><para> >- A serviceclass (such as 'cifs', 'html' etc.) is used to create a >- pair of Windows SPN(s) 'param/full_qualified_dns' & >- 'param/netbios_name' which are added to the AD computer account object >- for this client. >- </para></listitem> >- </varlistentry> >- <varlistentry><term>Windows SPN</term> >- <listitem><para> >- A Windows SPN is of the format 'serviceclass/host:port', it is >- added as passed to the AD computer account object for this client. >- </para></listitem> >- </varlistentry> >- </variablelist> >-</para> >-</refsect2> >- > <refsect2> > <title>ADS setspn <replaceable>SETSPN LIST [machine]</replaceable></title> > >-- >2.45.2 > > >From 12280863c69cf06de5db452a55af586298aacf7e Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org> >Date: Tue, 6 Aug 2024 08:42:34 +0200 >Subject: [PATCH 4/4] WHATSNEW: update the "Automatic keytab update after > machine password change" section >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689 > >Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> >--- > WHATSNEW.txt | 44 ++++++++++++++++++++++++++++++++++++++++++-- > 1 file changed, 42 insertions(+), 2 deletions(-) > >diff --git a/WHATSNEW.txt b/WHATSNEW.txt >index bf2dbb94b3a..d10269f9082 100644 >--- a/WHATSNEW.txt >+++ b/WHATSNEW.txt >@@ -193,9 +193,49 @@ updates or manually (e.g. net ads changetrustpw), now winbind will also support > update of keytab entries in case you use newly added option > 'sync machine password to keytab'. > The new parameter allows you to describe what keytabs and how should be updated. >+From smb.conf(5) manpage - each keytab can have exactly one of these four forms: >+ >+ account_name >+ sync_spns >+ spn_prefixes=value1[,value2[...]] >+ spns=value1[,value2[...]] >+ >+The functionaity provided by the removed commands "net ads keytab >+add/delete/add_update_ads" can be achieved via the 'sync machine password to >+keytab' as in these examples: >+ >+"net ads keytab add wurst/brot@REALM" >+ >+- this command is not adding <principal> to AD, so the best fit can be specifier >+ "spns" >+- add to smb.conf: >+ sync machine password to keytab = /path/to/keytab1:spns=wurst/brot@REALM:machine_password >+- run: >+ "net ads keytab create" >+ >+"net ads keytab delete wurst/brot@REALM" >+ >+- remove the principal (or the whole keytab line if there was just one) >+- run: >+ "net ads keytab create" >+ >+"net ads keytab add_update_ads wurst/brot@REALM" >+ >+- this command was adding the principal to AD, so for this case use a keytab >+ with specifier sync_spns >+- add to smb.conf: >+ sync machine password to keytab = /path/to/keytab2:sync_spns:machine_password >+- run: >+ "net ads setspn add wurst/brot@REALM" # this adds the principal to AD >+ "net ads keytab create" # this sync it from AD to local keytab >+ >+ > A new parameter 'sync machine password script' allows to specify external script >-that will be triggered after the automatic keytab update. For detailed >-information check the smb.conf manpage. >+that will be triggered after the automatic keytab update. Example of such script >+that can be used in a cluster enviromnent with ctdb is >+source3/script/updatekeytab.sh >+ >+For detailed information check the smb.conf(5) manpage. > > REMOVED FEATURES > ================ >-- >2.45.2 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=18392">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Flags:
metze
:
review+
Actions:
View
Attachments on
bug 15689
: 18392 |
18407
|
18413