The Samba-Bugzilla – Attachment 18407 Details for Bug 15689: Can't add/delete special keys to keytab for nfs, cifs, http etc
Attachment 18407: 4.21.patch (text/plain), 17.59 KB
Description: patch for v4-21-test
Creator: Pavel Filipenský
Created: 2024-08-13 14:48:05 UTC
Status: patch, obsolete
>From b5bbf4711a866a2a5206a3449858682ce44681b6 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org> >Date: Tue, 6 Aug 2024 23:22:42 +0200 >Subject: [PATCH] Revert "docs-xml: Delete descriptions for removed commands > "net ads keytab add" and "net ads keytab add_update_ads"" >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >This reverts commit a5f47f6efe67e02d7a12f30b4e6fb76bcd6aa71c. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689 > >Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 6211a1f2177075f44542572fcd7bd16b493461f9) >--- > docs-xml/manpages/net.8.xml | 70 +++++++++++++++++++++++++++++++++++++ > 1 file changed, 70 insertions(+) > >diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml >index 61a1e6362ce..f0b3df793d4 100644 >--- a/docs-xml/manpages/net.8.xml >+++ b/docs-xml/manpages/net.8.xml 
>@@ -1557,6 +1557,76 @@ are made to the computer AD account. > </para> > </refsect2> > >+<refsect2> >+<title>ADS KEYTAB <replaceable>ADD</replaceable> <replaceable>(principal | machine | serviceclass | windows SPN</replaceable></title> >+ >+<para> >+Adds a new keytab entry, the entry can be either; >+ <variablelist> >+ <varlistentry><term>kerberos principal</term> >+ <listitem><para> >+ A kerberos principal (identified by the presence of '@') is just >+ added to the keytab file. >+ </para></listitem> >+ </varlistentry> >+ <varlistentry><term>machinename</term> >+ <listitem><para> >+ A machinename (identified by the trailing '$') is used to create a >+ a kerberos principal 'machinename@realm' which is added to the >+ keytab file. >+ </para></listitem> >+ </varlistentry> >+ <varlistentry><term>serviceclass</term> >+ <listitem><para> >+ A serviceclass (such as 'cifs', 'html' etc.) is used to create a pair >+ of kerberos principals 'serviceclass/fully_qualified_dns_name@realm' & >+ 'serviceclass/netbios_name@realm' which are added to the keytab file. >+ </para></listitem> >+ </varlistentry> >+ <varlistentry><term>Windows SPN</term> >+ <listitem><para> >+ A Windows SPN is of the format 'serviceclass/host:port', it is used to >+ create a kerberos principal 'serviceclass/host@realm' which will >+ be written to the keytab file. >+ </para></listitem> >+ </varlistentry> >+ </variablelist> >+</para> >+<para> >+Unlike old versions no computer AD objects are modified by this command. To >+preserve the behaviour of older clients 'net ads keytab ad_update_ads' is >+available. >+</para> >+</refsect2> >+ >+<refsect2> >+<title>ADS KEYTAB <replaceable>ADD_UPDATE_ADS</replaceable> <replaceable>(principal | machine | serviceclass | windows SPN</replaceable></title> >+ >+<para> >+Adds a new keytab entry (see section for net ads keytab add). In addition to >+adding entries to the keytab file corresponding Windows SPNs are created >+from the entry passed to this command. 
These SPN(s) added to the AD computer >+account object associated with the client machine running this command for >+the following entry types; >+ <variablelist> >+ <varlistentry><term>serviceclass</term> >+ <listitem><para> >+ A serviceclass (such as 'cifs', 'html' etc.) is used to create a >+ pair of Windows SPN(s) 'param/full_qualified_dns' & >+ 'param/netbios_name' which are added to the AD computer account object >+ for this client. >+ </para></listitem> >+ </varlistentry> >+ <varlistentry><term>Windows SPN</term> >+ <listitem><para> >+ A Windows SPN is of the format 'serviceclass/host:port', it is >+ added as passed to the AD computer account object for this client. >+ </para></listitem> >+ </varlistentry> >+ </variablelist> >+</para> >+</refsect2> >+ > <refsect2> > <title>ADS setspn <replaceable>SETSPN LIST [machine]</replaceable></title> > >-- >2.45.2 > > >From 771477e97120df0f412cfb246021a91bdb0505c8 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org> >Date: Tue, 6 Aug 2024 23:31:21 +0200 >Subject: [PATCH] docs: Add examples to net.8 that use 'sync machine password > to keytab' >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689 > >Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> > >Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> >Signed-off-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 92e558b32efe7c4ae8e9f8ab1cd7658473c819f3) >--- > docs-xml/manpages/net.8.xml | 65 +++++++++++++++++++++++++++++++++++-- > 1 file changed, 63 insertions(+), 2 deletions(-) > >diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml >index f0b3df793d4..e633c8c7c6a 100644 >--- a/docs-xml/manpages/net.8.xml >+++ b/docs-xml/manpages/net.8.xml 
>@@ -1558,8 +1558,28 @@ are made to the computer AD account. > </refsect2> > > <refsect2> >-<title>ADS KEYTAB <replaceable>ADD</replaceable> <replaceable>(principal | machine | serviceclass | windows SPN</replaceable></title> >+<title>(Removed!) ADS KEYTAB <replaceable>ADD</replaceable> <replaceable>(principal | machine | serviceclass | windows SPN</replaceable></title> > >+<para> >+This command is no longer available in Samba 4.21.0 and newer. See <smbconfoption name="sync machine password to keytab"/> for replacement. >+</para> >+ >+To replace e.g. call of >+<programlisting> >+net ads keytab add wurst/brot@REALM >+</programlisting> >+Add to smb.conf: >+<programlisting> >+sync machine password to keytab = /path/to/keytab1:spns=wurst/brot@REALM:machine_password >+</programlisting> >+and run: >+<programlisting> >+net ads keytab create >+</programlisting> >+ >+<para> >+Original description of this command: >+</para> > <para> > Adds a new keytab entry, the entry can be either; > <variablelist> 
>@@ -1600,7 +1620,48 @@ available. > </refsect2> > > <refsect2> >-<title>ADS KEYTAB <replaceable>ADD_UPDATE_ADS</replaceable> <replaceable>(principal | machine | serviceclass | windows SPN</replaceable></title> >+<title>(Removed!) ADS KEYTAB <replaceable>DELETE</replaceable> <replaceable>(principal | machine | serviceclass | windows SPN</replaceable></title> >+ >+<para> >+This command is no longer available in Samba 4.21.0 and newer. See <smbconfoption name="sync machine password to keytab"/> for replacement. >+</para> >+ >+<para> >+To replace e.g. call of >+<programlisting> >+net ads keytab delete wurst/brot@REALM >+</programlisting> >+Delete from <smbconfoption name="sync machine password to keytab"/> principal "wurst/brot@REALM" and run: >+<programlisting> >+net ads keytab create >+</programlisting> >+ >+</para> >+</refsect2> >+ >+<refsect2> >+<title>(Removed!) ADS KEYTAB <replaceable>ADD_UPDATE_ADS</replaceable> <replaceable>(principal | machine | serviceclass | windows SPN</replaceable></title> >+<para> >+This command is no longer available in Samba 4.21.0 and newer. See <smbconfoption name="sync machine password to keytab"/> for replacement. >+</para> >+ >+To replace e.g. call of >+<programlisting> >+net ads keytab add_update_ads wurst/brot@REALM >+</programlisting> >+Add to smb.conf: >+<programlisting> >+sync machine password to keytab = /path/to/keytab2:sync_spns:machine_password >+</programlisting> >+and run: >+<programlisting> >+net ads setspn add wurst/brot@REALM >+net ads keytab create >+</programlisting> >+ >+<para> >+Original description of this command: >+</para> > > <para> > Adds a new keytab entry (see section for net ads keytab add). In addition to >-- >2.45.2 > > >From 6671a67834012868b440aa311a099f56be621e3d Mon Sep 17 00:00:00 2001 
>From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org> >Date: Mon, 12 Aug 2024 11:49:35 +0200 >Subject: [PATCH] s3:script: Rename updatekeytab.sh ==> > winbind_ctdb_updatekeytab.sh >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689 > >Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 5f30eb03e20da00c9e048322d47b33dc8469ffc8) >--- > source3/script/{updatekeytab.sh => winbind_ctdb_updatekeytab.sh} | 0 > 1 file changed, 0 insertions(+), 0 deletions(-) > rename source3/script/{updatekeytab.sh => winbind_ctdb_updatekeytab.sh} (100%) > >diff --git a/source3/script/updatekeytab.sh b/source3/script/winbind_ctdb_updatekeytab.sh >similarity index 100% >rename from source3/script/updatekeytab.sh >rename to source3/script/winbind_ctdb_updatekeytab.sh >-- >2.45.2 > > >From 32002fce1f3ba0fb777a0107a1006df8bd0a1ddf Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org> >Date: Mon, 12 Aug 2024 10:44:19 +0200 >Subject: [PATCH] s3:script: Install winbind_ctdb_updatekeytab.sh >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689 > >Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit f55752ebf813010d26fe24be3bdf107b9e50faaa) >--- > source3/script/wscript_build | 1 + > 1 file changed, 1 insertion(+) > >diff --git a/source3/script/wscript_build b/source3/script/wscript_build >index 66acf1cfe9e..2b0643b0876 100644 >--- a/source3/script/wscript_build >+++ b/source3/script/wscript_build 
>@@ -6,6 +6,7 @@ bld.INSTALL_FILES('${BINDIR}', > 'smbtar', > chmod=MODE_755, flat=True) > bld.INSTALL_FILES('${BINDIR}', 'samba-log-parser', chmod=MODE_755, flat=True) >+bld.INSTALL_FILES('${DATADIR}', 'winbind_ctdb_updatekeytab.sh', chmod=MODE_755, flat=True) > > # Callout scripts for use in selftest environment > bld.SAMBA_SCRIPT('smbaddshare', pattern='smbaddshare', installdir='.') >-- >2.45.2 > > >From 0164b9f2dc50c11a91761fe24917004b06495e91 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org> >Date: Mon, 12 Aug 2024 11:49:14 +0200 >Subject: [PATCH] docs:smbdotconf: Improve documentation for 'sync machine > password script' >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689 > >Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> > >Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> >Signed-off-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 131a32b568edff5ee889b0b596a8be6e0dc077be) >--- > .../security/syncmachinepasswordscript.xml | 13 ++++++++++++- > 1 file changed, 12 insertions(+), 1 deletion(-) > >diff --git a/docs-xml/smbdotconf/security/syncmachinepasswordscript.xml b/docs-xml/smbdotconf/security/syncmachinepasswordscript.xml >index 341613372f5..9a7731930d5 100644 >--- a/docs-xml/smbdotconf/security/syncmachinepasswordscript.xml >+++ b/docs-xml/smbdotconf/security/syncmachinepasswordscript.xml 
>@@ -8,8 +8,19 @@ > This is the full pathname to a script that will be run by > <citerefentry><refentrytitle>winbindd</refentrytitle> <manvolnum>8</manvolnum></citerefentry> when a machine account password is updated. > </para> >+ >+ <para> >+ If keytabs should be generated in clustered environments it is recommended to update them on all nodes. >+ You can set the config option to &pathconfig.SAMBA_DATADIR;/scripts/winbind_ctdb_updatekeytab.sh in clustering case. >+ It is also needed to activate the <constant>46.update-keytabs.script</constant> in ctdb, >+ it re-creates the keytab during the ctdb recovered event: >+ <programlisting> >+ onnode all ctdb event script enable legacy 46.update-keytabs.script >+ </programlisting> >+ </para> >+ > </description> > > <value type="default"/> >-<value type="example">/usr/sbin/sync_machine_password</value> >+<value type="example">&pathconfig.SAMBA_DATADIR;/scripts/winbind_ctdb_updatekeytab.sh</value> > </samba:parameter> >-- >2.45.2 > > >From 58d0548f871cb6d9204eb37565b41daeb42d694a Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org> >Date: Mon, 12 Aug 2024 11:49:14 +0200 >Subject: [PATCH] docs:smbdotconf: Improve documentation for 'sync machine > password to keytab' >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689 > >Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit fd40e40a4256534311d0f507c8934df35dfd8283) >--- > .../smbdotconf/security/syncmachinepasswordtokeytab.xml | 9 +++++++++ > 1 file changed, 9 insertions(+) > >diff --git a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml >index b749ecb5c66..4cad9da73f2 100644 >--- a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml 
>+++ b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml >@@ -67,10 +67,19 @@ Example: > "/path/to/keytab7:spns=wurst/brot@REALM,wurst2/brot@REALM:sync_kvno:machine_password" > </programlisting> > If sync_etypes or sync_kvno or sync_spns is present then winbind connects to DC. For "offline domain join" it might be useful not to use these options. >+</para> > >+<para> > If no value is present, winbind uses value <programlisting>/path/to/keytab:sync_spns:sync_kvno:machine_password</programlisting> > where the path to the keytab is obtained either from the krb5 library or from <smbconfoption name="dedicated keytab file"/> > </para> > >+<para> >+ Suggested configuration is together with <smbconfoption name="kerberos method"/> set to the default value 'secrets only'. >+</para> >+ >+<para> >+ In clustered environments it is recommended to set <smbconfoption name="sync machine password script"/> to update the machine password on all nodes. >+</para> > </description> > </samba:parameter> >-- >2.45.2 > > >From a0472213f73195262b86c00b435c9571fcabc438 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org> >Date: Mon, 12 Aug 2024 11:49:14 +0200 >Subject: [PATCH] docs:smbdotconf: Update 'kerberos method' with 'sync machine > password to keytab' >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689 > >Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> > >Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> >Signed-off-by: Stefan Metzmacher <metze@samba.org> >(cherry picked from commit 08b0d0faaa2e71f6a466276c5254440a7c1d26fd) >--- > docs-xml/smbdotconf/security/kerberosmethod.xml | 6 ++++++ > 1 file changed, 6 insertions(+) > >diff --git a/docs-xml/smbdotconf/security/kerberosmethod.xml b/docs-xml/smbdotconf/security/kerberosmethod.xml >index b7cd988cd19..c9d70580c59 100644 
>--- a/docs-xml/smbdotconf/security/kerberosmethod.xml >+++ b/docs-xml/smbdotconf/security/kerberosmethod.xml >@@ -35,6 +35,12 @@ > <smbconfoption name="dedicated keytab file"/> must be set to > specify the location of the keytab file. > </para> >+ >+ <para> >+ Suggested configuration is to use the default value 'secrets only' together with the >+ <smbconfoption name="sync machine password to keytab"/> option. >+ </para> >+ > </description> > <related>dedicated keytab file</related> > <value type="default">default</value> >-- >2.45.2 > > >From 4debd4f2d16f57a28c3c2f1f14a74e6faf7c6d10 Mon Sep 17 00:00:00 2001 >From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org> >Date: Tue, 6 Aug 2024 08:42:34 +0200 >Subject: [PATCH] WHATSNEW: update the "Automatic keytab update after machine > password change" section >MIME-Version: 1.0 >Content-Type: text/plain; charset=UTF-8 >Content-Transfer-Encoding: 8bit > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689 > >Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> >--- > WHATSNEW.txt | 41 +++++++---------------------------------- > 1 file changed, 7 insertions(+), 34 deletions(-) > >diff --git a/WHATSNEW.txt b/WHATSNEW.txt >index 9d5c0bac515..42aca22e848 100644 >--- a/WHATSNEW.txt >+++ b/WHATSNEW.txt 
>@@ -200,42 +200,15 @@ From smb.conf(5) manpage - each keytab can have exactly one of these four forms: > spn_prefixes=value1[,value2[...]] > spns=value1[,value2[...]] > >-The functionaity provided by the removed commands "net ads keytab >-add/delete/add_update_ads" can be achieved via the 'sync machine password to >-keytab' as in these examples: >- >-"net ads keytab add wurst/brot@REALM" >- >-- this command is not adding <principal> to AD, so the best fit can be specifier >- "spns" >-- add to smb.conf: >- sync machine password to keytab = /path/to/keytab1:spns=wurst/brot@REALM:machine_password >-- run: >- "net ads keytab create" >- >-"net ads keytab delete wurst/brot@REALM" >- >-- remove the principal (or the whole keytab line if there was just one) >-- run: >- "net ads keytab create" >- >-"net ads keytab add_update_ads wurst/brot@REALM" >- >-- this command was adding the principal to AD, so for this case use a keytab >- with specifier sync_spns >-- add to smb.conf: >- sync machine password to keytab = /path/to/keytab2:sync_spns:machine_password >-- run: >- "net ads setspn add wurst/brot@REALM" # this adds the principal to AD >- "net ads keytab create" # this sync it from AD to local keytab >- >- > A new parameter 'sync machine password script' allows to specify external script >-that will be triggered after the automatic keytab update. Example of such script >-that can be used in a cluster environment with ctdb is >-source3/script/updatekeytab.sh >+that will be triggered after the automatic keytab update. If keytabs should be >+generated in clustered environments it is recommended to update them on all >+nodes. Check in smb.conf(5) the scripts winbind_ctdb_updatekeytab.sh and >+46.update-keytabs.script in section 'sync machine password script' for details. > >-For detailed information check the smb.conf(5) manpage. 
>+The functionality provided by the removed commands "net ads keytab >+add/delete/add_update_ads" can be achieved via the 'sync machine password to >+keytab'. Check net(8) manpage for details. > > REMOVED FEATURES > ================ >-- >2.45.2 >
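Review bot: the net.8.xml hunk of the first commit (the revert of a5f47f6efe67) restores text with several defects: both `<title>` lines open a parenthesis in `<replaceable>(principal | machine | serviceclass | windows SPN</replaceable>` that is never closed, the ADD section refers to `net ads keytab ad_update_ads` (missing the second 'd'), "create a a kerberos principal" doubles the article, and the serviceclass examples say 'html' where the bug title and the rest of the page talk about 'http'. Restoring the text verbatim is correct for a revert, but the next commit keeps these sections as "Original description" under the "(Removed!)" titles, so the typos should be fixed there instead of shipping in the 4.21 manpage.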
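Review bot: in the first net.8.xml hunk of the examples commit (`@@ -1558,8 +1558,28 @@`), the replacement recipe "To replace e.g. call of ... and run:" with its three `<programlisting>` blocks sits between `</para>` and `<para>` as bare text directly inside `<refsect2>`, while the DELETE section in the following hunk wraps the equivalent text in `<para>` and the ADD_UPDATE_ADS section leaves it bare again. Wrap the ADD and ADD_UPDATE_ADS recipes in `<para>` too, so the three sections are structured the same way and the text renders as a paragraph rather than as stray character data. The new "(Removed!)" title also still carries the unbalanced parenthesis from the restored title.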
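Review bot: in the second net.8.xml hunk (`@@ -1600,7 +1620,48 @@`), the DELETE recipe "Delete from sync machine password to keytab principal "wurst/brot@REALM" and run:" is vaguer than the WHATSNEW text this series removes in its last commit ("remove the principal (or the whole keytab line if there was just one)"); carry that wording over, and state explicitly whether `net ads keytab create` drops the entry for the removed principal from the keytab file or whether the administrator has to remove the stale key by hand, since the file otherwise keeps a usable service key that is no longer listed in smb.conf. For ADD_UPDATE_ADS, the `/path/to/keytab2:sync_spns:machine_password` example relies on `sync_spns` fetching SPNs from the DC (as the `sync machine password to keytab` text later in the series says: "If sync_etypes or sync_kvno or sync_spns is present then winbind connects to DC"), so the keytab will end up with entries for every SPN registered on the computer account, not only wurst/brot@REALM; that is a difference from the old command and worth one sentence here.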
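Review bot: the wscript_build hunk installs winbind_ctdb_updatekeytab.sh into `${DATADIR}` with `flat=True`, i.e. directly into the data directory, but the `sync machine password script` documentation added later in this series points administrators at `&pathconfig.SAMBA_DATADIR;/scripts/winbind_ctdb_updatekeytab.sh`, a `scripts/` subdirectory. Unless SAMBA_DATADIR is defined elsewhere so that both resolve to the same location (not visible in this patch), one of the two must change or the documented path will not exist after `make install`; please verify with an installed tree. It is also worth a second look whether an executable script (chmod=MODE_755) belongs under `${DATADIR}` when the other installed scripts in this file go to `${BINDIR}`.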
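Review bot: in the syncmachinepasswordscript.xml hunk, "in clustering case" and "It is also needed to activate" read awkwardly; suggest "In a clustered setup, set this option to &pathconfig.SAMBA_DATADIR;/scripts/winbind_ctdb_updatekeytab.sh" and "You also need to enable the 46.update-keytabs.script event script in ctdb, which re-creates the keytab during the ctdb 'recovered' event:". Because the first paragraph says the configured script is executed by winbindd every time the machine account password is updated, the description should also tell administrators that the file at that path must be owned by root and not writable by other users, as whatever is placed there runs with winbindd's privileges on every password rotation.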
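Review bot: in the syncmachinepasswordtokeytab.xml hunk, the new last paragraph says `sync machine password script` should be used "to update the machine password on all nodes", but the `sync machine password script` text in this series (and the script name winbind_ctdb_updatekeytab.sh) describes the script as re-creating the keytabs on all nodes after the password has changed; reword to "to re-create the keytab on all nodes". The phrase "the default value 'secrets only'" has the same problem as in kerberosmethod.xml, whose `<value type="default">default</value>` shows that the default is `default`; say "with kerberos method left at its default, which behaves as 'secrets only'" or simply "left unset".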
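Review bot: in the kerberosmethod.xml hunk, "use the default value 'secrets only'" contradicts the `<value type="default">default</value>` line a few lines further down in the same file: the default is `default`, and 'secrets only' is a separate setting. Reword to something like "leave this parameter at its default and enable sync machine password to keytab", and if `default` is meant to behave as `secrets only`, state that once in the value list above this paragraph rather than here.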
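Review bot: the WHATSNEW.txt commit is the only one in the series without a "(cherry picked from commit ...)" line; if it is a backport-only change for the 4.21 WHATSNEW, say so in the commit message, otherwise add the upstream reference like the other commits. In the hunk itself, the deleted per-command examples carry detail that the net(8) text in this series does not ("remove the principal (or the whole keytab line if there was just one)", and the comments that `net ads setspn add` adds the principal to AD while `net ads keytab create` syncs it from AD to the local keytab); make sure net.8.xml says the same before dropping it here. Also "can be achieved via the 'sync machine password to keytab'." should read "... via the 'sync machine password to keytab' option."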
Flags: review+ (metze)