Can't maintain my NFS/SMB client or server keytabs when using Samba AD Kerberos server. Can't use Heimdal ktutil as the kadmin server is unavailable... This is critical for the functionality of my Linux server infrastructure, which uses winbind and Samba AD, and I'm about to add Keycloak, which uses http/ principals for smartcard-based web services. Could you please put the net ads keytab add/delete/add_update_ads back in so that my environment can continue to function when I upgrade. Thank you
Hi Matthew,

the functionality provided by "net ads keytab add/delete/add_update_ads" can now be achieved via the new smb.conf parameter 'sync machine password to keytab'.

You must first decide what type of principals you want to use in what keytab. Each keytab can contain only one type of principals. There are four options - from SMB.CONF(5):

spn specifier can have exactly one of these forms:

    account_name
    sync_spns
    spn_prefixes=value1[,value2[...]]
    spns=value1[,value2[...]]

No other combinations are allowed.

=============

Some examples:

1) net ads keytab add <principal>

If you were using "net ads keytab add <principal>" it means that you are not adding this <principal> to AD, so let's assume you want to use specifier "spns" where you list all principals (separated by ',').

Old:
    "net ads keytab add wurst/brot@REALM"
New:
    - add to smb.conf:
      sync machine password to keytab = /path/to/keytab1:spns=wurst/brot@REALM:machine_password
    - and run "net ads keytab create"

2) net ads keytab delete <principal>

Again, let's assume you want to use specifier "spns".

Old:
    "net ads keytab delete wurst/brot@REALM"
New:
    - remove the principal (or the whole keytab line if there was just one) from smb.conf
    - and run "net ads keytab create"

3) net ads keytab add_update_ads <principal>

This command was adding the principal to AD, so for this case use a keytab with specifier sync_spns.

Old:
    "net ads keytab add_update_ads wurst/brot@REALM"
New:
    - add to smb.conf:
      sync machine password to keytab = /path/to/keytab2:sync_spns:machine_password
    - and run:
      "net ads setspn add wurst/brot@REALM"   # this adds the principal to AD
      "net ads keytab create"                 # this syncs it from AD to local keytab

-----

I have just noticed that "man net" needs to remove "net ads keytab add/delete/add_update_ads".
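The rules in the comment above (exactly one spn specifier per entry, one type of principal per keytab) can be checked before running "net ads keytab create". This is an added example, not code from the thread or from the Samba project: the function names are hypothetical, it assumes the entry layout shown in the thread and that SPN values contain no ':', and it does not validate trailing options such as machine_password.

```python
BARE_FORMS = {"account_name", "sync_spns"}   # specifiers without a value
LIST_FORMS = {"spn_prefixes", "spns"}        # specifiers taking value1[,value2...]

def parse_entry(entry):
    """Parse '/path/to/keytab:<specifier>[:option...]' (layout assumed from the thread)."""
    path, *fields = entry.strip().split(":")
    if not path.startswith("/") or not fields:
        raise ValueError(f"expected /absolute/path:specifier in {entry!r}")
    specs, options = [], []
    for field in fields:
        name, eq, raw = field.partition("=")
        if name in LIST_FORMS:
            values = [v for v in raw.split(",") if v]
            if not values:
                raise ValueError(f"{name} needs at least one value in {entry!r}")
            specs.append((name, values))
        elif field in BARE_FORMS:
            specs.append((field, []))
        elif eq:
            raise ValueError(f"unknown specifier {name!r} in {entry!r}")
        else:
            options.append(field)  # e.g. machine_password; not validated here
    if len(specs) != 1:
        raise ValueError(f"need exactly one spn specifier, found {len(specs)} in {entry!r}")
    kind, values = specs[0]
    return {"path": path, "kind": kind, "values": values, "options": options}

def check_entries(entries):
    """Return a list of problems; an empty list means every entry passed."""
    problems, kind_by_path = [], {}
    for entry in entries:
        try:
            parsed = parse_entry(entry)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        # One keytab file may hold only one type of principal.
        seen = kind_by_path.setdefault(parsed["path"], parsed["kind"])
        if seen != parsed["kind"]:
            problems.append(f"{parsed['path']} mixes {seen} and {parsed['kind']}")
    return problems

# Constructed sample: the two entries from the thread plus two deliberately bad ones.
SAMPLE = [
    "/path/to/keytab1:spns=wurst/brot@REALM:machine_password",
    "/path/to/keytab2:sync_spns:machine_password",
    "/path/to/keytab2:account_name:machine_password",
    "/path/to/keytab3:spns=wurst/brot@REALM:sync_spns",
]
```

check_entries(SAMPLE) reports the keytab2 path that is reused with a second specifier type and the keytab3 entry that carries two specifiers.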
This bug was referenced in samba master: 6c627903ee466cd1559d7f58821221c4dd668d1f 374680010d42d3bca52791159dba7b42eb8d0d6c a5f47f6efe67e02d7a12f30b4e6fb76bcd6aa71c
Created attachment 18392: patch for v4-21-test. Patches for v4-21-test
This bug was referenced in samba v4-21-test: ff9d9677bba1a95922c8183ba403402c238067ed ba6c2f68ec2e027a00af9c4226ef7518dff581b1 6f9a9394cfd16ee4ef80fa083105d2edc46bfd5d 725907587b8b419f773fea965ec899eee71b3bb9
Created attachment 18407: patch for v4-21-test
This bug was referenced in samba master: 51784e80f2bdf84c296badba2caea800ce3813db cb774a74c4e1cc03ad0267cc68b93c06738e2ce6 adcad1b537ce2e2e213b72131517233a8d2d91fd 9f0183a9f55e52b09c6ae9f6c8badad6ba85bb64 ca7acec952b0e6154927b28b1afa3e9318f22035 2dd81ec2bea46ad6caa6e40194eae4340f4acc7d 9e4074d4268e34cf93f79cd1108e7dc661ad3845
This bug was referenced in samba v4-21-test: 4b6e24cba7bb2a4464056aad7bdc4d1f4a4265ea 80db72bdb3f55776f5b871e3055d0ad477aacace 5730327bef615c0c934ce84152a3bd74a1542970 ed391186250aea6f9e74d80c064d3810971368ce 4643ddbb7c76fc8348928685fb5adfb84a780eb3 5129858389d5b1e9f40b36e0c09f0655e435b182 8c0820a9199ed837bc0f9a96e582f67f1a8366fe 2552df221d4786782940683f3d2f2389ef56f519
This bug was referenced in samba v4-21-stable (Release samba-4.21.0rc2): ff9d9677bba1a95922c8183ba403402c238067ed ba6c2f68ec2e027a00af9c4226ef7518dff581b1 6f9a9394cfd16ee4ef80fa083105d2edc46bfd5d 725907587b8b419f773fea965ec899eee71b3bb9 4b6e24cba7bb2a4464056aad7bdc4d1f4a4265ea 80db72bdb3f55776f5b871e3055d0ad477aacace 5730327bef615c0c934ce84152a3bd74a1542970 ed391186250aea6f9e74d80c064d3810971368ce 4643ddbb7c76fc8348928685fb5adfb84a780eb3 5129858389d5b1e9f40b36e0c09f0655e435b182 8c0820a9199ed837bc0f9a96e582f67f1a8366fe 2552df221d4786782940683f3d2f2389ef56f519
This bug was referenced in samba master: 3929fdae1a13ab029e173ce53598d3fa6cf40e9c 31c9352099f5efeb88d27c603ec2dbfaf98b300d
This bug was referenced in samba master: f1cd250a6fd7e0571bd22493c838d6c12c2adf5b
Created attachment 18413: patch for v4-21-test. One more patch on top of the previously added patches
Pushed to autobuild-v4-21-test.
This bug was referenced in samba v4-21-test: c7e6ec6bae81fb663e5d8a69e7d86a740ef56913 fcca98200237f556a8aaa046f0f8d2d75608292d 294f9e47a3b064e6f0a7a7b95ce79379c5a66f7f
This bug was referenced in samba v4-21-stable (Release samba-4.21.0rc3): c7e6ec6bae81fb663e5d8a69e7d86a740ef56913 fcca98200237f556a8aaa046f0f8d2d75608292d 294f9e47a3b064e6f0a7a7b95ce79379c5a66f7f
Closing out bug report. Thanks!