Bug 15138 - net ads setspn add/delete over-enthusiastic checking - need to add placeholder host SPN
Status: NEW
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
Version: 4.16.1
Hardware: All All
Importance: P5 normal
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2022-08-08 01:23 UTC by Matthew Grant
Modified: 2022-08-08 10:38 UTC

Attachments
Ansible code to currently manipulate keytab... (3.17 KB, text/plain)
2022-08-08 01:26 UTC, Matthew Grant

Description Matthew Grant 2022-08-08 01:23:00 UTC
This is Annoying...

To empty the Samba keytab and rebuild it, refresh original principals with new key material, etc., you need to add a 'canary' placeholder SPN so that the checks for net ads setspn add/delete allow you to empty and refill/recreate the Samba keytab...

Removing some of the 'hand holding' checks that the keytab contains an SPN of the form 'host/netbiosname' for the net ads setspn add/delete command would be useful for use with Ansible, Chef, Puppet, and other administrative scripts etc.

Will create a patch for this when I get the chance.
Comment 1 Matthew Grant 2022-08-08 01:26:23 UTC
Created attachment 17463
Ansible code to currently manipulate keytab...

Added the current shenanigans I have to do with the Samba keytab in Ansible for winbind setup. Note I have told Samba in smb.conf to always use the system keytab /etc/krb5.keytab.