Bug 15689 - Can't add/delete special keys to keytab for nfs, cifs, http etc
Summary: Can't add/delete special keys to keytab for nfs, cifs, http etc
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
Version: 4.21.0rc1
Hardware: All All
Importance: P5 major
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-08-01 09:58 UTC by Matthew Grant
Modified: 2024-09-02 11:24 UTC

See Also:


Attachments
patch for v4-21-test (29.13 KB, patch)
2024-08-06 06:48 UTC, Pavel Filipenský
metze: review+
patch for v4-21-test (17.59 KB, patch)
2024-08-13 14:48 UTC, Pavel Filipenský
metze: review+
patch for v4-21-test (6.46 KB, patch)
2024-08-19 13:57 UTC, Pavel Filipenský
asn: review+

Description Matthew Grant 2024-08-01 09:58:08 UTC
Can't maintain my NFS/SMB client or server keytabs when using the Samba AD Kerberos server. Can't use Heimdal ktutil as the kadmin server is unavailable....

This is critical for the functionality of my Linux server infrastructure, which uses winbind and Samba AD, and I'm about to add Keycloak, which uses http/ principals for smartcard-based web services.

Could you please put the net ads keytab add/delete/add_update_ads back in so that my environment can continue to function when I upgrade.

Thank you
Comment 1 Pavel Filipenský 2024-08-01 19:41:57 UTC
Hi Matthew,

the functionality provided by "net ads keytab add/delete/add_update_ads" can now be achieved via the new smb.conf parameter 'sync machine password to keytab'.
You must first decide what type of principals you want to use in which keytab. Each keytab can contain only one type of principal. There are four options, from SMB.CONF(5):

spn specifier can have exactly one of these forms:

                   account_name
                   sync_spns
                   spn_prefixes=value1[,value2[...]]
                   spns=value1[,value2[...]]

No other combinations are allowed. 


=============
Some examples:

1) net ads keytab add <principal>

If you were using "net ads keytab add <principal>" it means that you are not adding this <principal> to AD, so let's assume you want to use specifier "spns" where you list all principals (separated by ',').


Old:
"net ads keytab add wurst/brot@REALM"

New: - add to smb.conf:
sync machine password to keytab = /path/to/keytab1:spns=wurst/brot@REALM:machine_password
and run "net ads keytab create"

2) net ads keytab delete <principal>

Again, let's assume you want to use specifier "spns".

Old:
"net ads keytab delete wurst/brot@REALM"

New: - remove the principal (or the whole keytab line if there was just one) from smb.conf
and run "net ads keytab create"

3) net ads keytab add_update_ads <principal>

This command was adding the principal to AD, so for this case use a keytab with specifier sync_spns.

Old:
"net ads keytab add_update_ads  wurst/brot@REALM"

New: - add to smb.conf:
sync machine password to keytab = /path/to/keytab2:sync_spns:machine_password
- and run:
"net ads setspn add wurst/brot@REALM"  # this adds the principal to AD
"net ads keytab create"  # this syncs it from AD to the local keytab

-----

I have just noticed that "man net" needs to remove "net ads keytab add/delete/add_update_ads".
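As an added example (not Samba's code and not part of the reply above), a small validator for the 'sync machine password to keytab' entry syntax described in Comment 1, plus a helper that builds the replacement entry for a set of old "net ads keytab add" calls. It assumes entries are whitespace-separated and models only the tokens that appear on this page (the four spn specifier forms and machine_password); other options documented in smb.conf(5) are not covered.

```python
"""Validator for the 'sync machine password to keytab' syntax from Comment 1.
Added example, not Samba code. Assumes entries are whitespace-separated, each is
/path/to/keytab:<spn specifier>[:machine_password], and the spn specifier is
exactly one of account_name, sync_spns, spn_prefixes=v1[,v2...], spns=v1[,v2...].
Other smb.conf(5) options of this parameter are not modelled here."""

SPN_FORMS = ("account_name", "sync_spns", "spn_prefixes", "spns")

def parse_entry(entry):
    """Parse one keytab entry into a dict; raise ValueError if it is malformed."""
    parts = entry.strip().split(":")
    if len(parts) < 2 or not parts[0].startswith("/"):
        raise ValueError(f"expected /path/to/keytab:<spn specifier>, got {entry!r}")
    spec = {"path": parts[0], "form": None, "values": [], "machine_password": False}
    for token in parts[1:]:
        name, _, value = token.partition("=")
        if name == "machine_password" and not value:
            spec["machine_password"] = True
        elif name in SPN_FORMS:
            if spec["form"] is not None:
                raise ValueError(f"{spec['path']}: only one spn specifier is allowed")
            values = [v for v in value.split(",") if v]
            if name in ("spn_prefixes", "spns") and not values:
                raise ValueError(f"{spec['path']}: {name}= needs at least one value")
            if name in ("account_name", "sync_spns") and value:
                raise ValueError(f"{spec['path']}: {name} takes no value")
            spec["form"], spec["values"] = name, values
        else:
            raise ValueError(f"{spec['path']}: unknown token {token!r}")
    if spec["form"] is None:
        raise ValueError(f"{spec['path']}: no spn specifier given")
    return spec

def parse_sync_entries(value):
    """Parse the whole value; a keytab path may not mix specifier types."""
    entries = [parse_entry(e) for e in value.split()]
    forms = {}
    for e in entries:
        if forms.setdefault(e["path"], e["form"]) != e["form"]:
            raise ValueError(f"{e['path']}: mixes {forms[e['path']]} and {e['form']}")
    return entries

def migrate_keytab_add(keytab, principals):
    """Build the entry that replaces a set of 'net ads keytab add <principal>' calls."""
    return f"{keytab}:spns={','.join(principals)}:machine_password"

# Constructed sample mirroring the reply above: one 'spns' and one 'sync_spns' keytab.
SAMPLE = ("/path/to/keytab1:spns=wurst/brot@REALM:machine_password "
          "/path/to/keytab2:sync_spns:machine_password")
```

Run the validator over the parameter value before "net ads keytab create" so a mixed or malformed entry is caught in configuration rather than at sync time.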
Comment 2 Samba QA Contact 2024-08-05 13:30:04 UTC
This bug was referenced in samba master:

6c627903ee466cd1559d7f58821221c4dd668d1f
374680010d42d3bca52791159dba7b42eb8d0d6c
a5f47f6efe67e02d7a12f30b4e6fb76bcd6aa71c
Comment 3 Pavel Filipenský 2024-08-06 06:48:22 UTC
Created attachment 18392 [details]
patch for v4-21-test

Patches for v4-21-test
Comment 4 Samba QA Contact 2024-08-06 12:50:20 UTC
This bug was referenced in samba v4-21-test:
Comment 5 Pavel Filipenský 2024-08-13 14:48:05 UTC
Created attachment 18407 [details]
patch for v4-21-test
Comment 6 Samba QA Contact 2024-08-13 15:28:04 UTC
This bug was referenced in samba master:
Comment 7 Samba QA Contact 2024-08-13 16:56:13 UTC
This bug was referenced in samba v4-21-test:
Comment 8 Samba QA Contact 2024-08-13 17:03:40 UTC
This bug was referenced in samba v4-21-stable (Release samba-4.21.0rc2):
Comment 9 Samba QA Contact 2024-08-16 09:50:05 UTC
This bug was referenced in samba master:

3929fdae1a13ab029e173ce53598d3fa6cf40e9c
31c9352099f5efeb88d27c603ec2dbfaf98b300d
Comment 10 Samba QA Contact 2024-08-19 13:22:05 UTC
This bug was referenced in samba master:

f1cd250a6fd7e0571bd22493c838d6c12c2adf5b
Comment 11 Pavel Filipenský 2024-08-19 13:57:51 UTC
Created attachment 18413 [details]
patch for v4-21-test

one more patch on top of the previously added patches
Comment 12 Jule Anger 2024-08-20 07:23:56 UTC
Pushed to autobuild-v4-21-test.
Comment 13 Samba QA Contact 2024-08-20 09:05:12 UTC
This bug was referenced in samba v4-21-test:

c7e6ec6bae81fb663e5d8a69e7d86a740ef56913
fcca98200237f556a8aaa046f0f8d2d75608292d
294f9e47a3b064e6f0a7a7b95ce79379c5a66f7f
Comment 14 Samba QA Contact 2024-08-20 11:25:05 UTC
This bug was referenced in samba v4-21-stable (Release samba-4.21.0rc3):

c7e6ec6bae81fb663e5d8a69e7d86a740ef56913
fcca98200237f556a8aaa046f0f8d2d75608292d
294f9e47a3b064e6f0a7a7b95ce79379c5a66f7f
Comment 15 Jule Anger 2024-09-02 11:24:04 UTC
Closing out bug report.

Thanks!