Bug 15855 - testparm problem validating "sync machine password to keytab" setting
Summary: testparm problem validating "sync machine password to keytab" setting
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
Version: 4.22.1
Hardware: All Linux
Importance: P5 minor
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-05-15 13:57 UTC by pietsch
Modified: 2025-12-28 09:59 UTC
CC: 1 user

See Also:


Description pietsch 2025-05-15 13:57:55 UTC
When configuring the setting "sync machine password to keytab", the testparm utility doesn't validate the setting correctly and/or the corresponding examples in the smb.conf man page are invalid.

The smb.conf man page lists some examples for the "sync machine password to keytab" setting. With some of them the testparm utility is generating an error message:

- "/path/to/keytab8:sync_account_name:sync_upn:sync_spns:spn_prefixes=host,cifs,http:spns=wurst/brot@REALM:sync_kvno:machine_password" generates the error:
  "ERROR: unknown option 'spns=wurst/brot@REALM'"

- "/path/to/keytab:host:account_name:sync_spns:sync_kvno:machine_password" (the winbind example) generates the error:
   "ERROR: unknown option 'sync_spns' in line: /path/to/keytab:host:account_name:sync_spns:sync_kvno:machine_password"

The settings seem to be applied correctly, as in the keytab8 example the resulting keytab does contain the "wurst/brot@REALM" SPN afterwards.

The issue occurred with a Samba cluster setup with version 4.22.1-Debian-4.22.1+dfsg-1~bpo12+1 from Debian bookworm-backports.
Comment 1 Christian Ullrich 2025-12-21 17:44:52 UTC
Still exists in 4.23.4 and is somewhat annoying on FreeBSD where the default init script runs testparm before each operation and refuses to work if that check fails.
Comment 2 Christian Ullrich 2025-12-21 18:26:47 UTC
(In reply to Christian Ullrich from comment #1)

The problem, as far as I can see, is that the parser in testparm.c treats everything after the second colon as options and complains when it sees a (valid per the docs) additional spn_spec instead.

The logic in testparm is basically:

1. Start with everything after the first colon.
2. From the end, check the string after each colon as an option.
3. Finally, check the remaining string (between the original first and second colons) as an spn_spec.

The idea that there can be more than one spn_spec is conspicuously absent; instead, additional spn_specs are rejected as unknown options.

There is another parser for this language somewhere. If that is better, perhaps it can be transplanted into testparm with little effort.
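Added illustration, not Samba's code and not part of the thread above: a toy Python model of the two parse strategies comment #2 contrasts, run over the two smb.conf lines quoted in the report. `parse_single_spec` follows the described testparm logic (walk from the end, treat every field after the second colon as an option, keep exactly one spn_spec), and `parse_multi_spec` strips trailing options first and then accepts every remaining field as an spn_spec. The token sets `OPTIONS`, `SPN_SPEC_WORDS` and `SPN_SPEC_PREFIXES`, and the assumption that neither the path nor a value contains a colon, are taken from the examples on this page and are assumptions, not the authoritative smb.conf(5) grammar.

```python
"""Toy model of two ways to parse a 'sync machine password to keytab' entry.

Constructed for illustration; this is not testparm's code.  The token sets
below are assumptions drawn from the examples quoted in bug 15855, not the
authoritative grammar from smb.conf(5).
"""

# Trailing options (assumed, from the examples on the page).
OPTIONS = {"sync_kvno", "machine_password"}

# Bare spn_spec keywords (assumed, from the examples on the page).
SPN_SPEC_WORDS = {"account_name", "sync_account_name", "sync_upn", "sync_spns", "host"}

# spn_spec forms that carry a value after '='.
SPN_SPEC_PREFIXES = ("spn_prefixes=", "spns=")

# The two lines from the bug report, constructed here as sample input.
KEYTAB8_EXAMPLE = ("/path/to/keytab8:sync_account_name:sync_upn:sync_spns:"
                   "spn_prefixes=host,cifs,http:spns=wurst/brot@REALM:"
                   "sync_kvno:machine_password")
WINBIND_EXAMPLE = "/path/to/keytab:host:account_name:sync_spns:sync_kvno:machine_password"


def is_spn_spec(token: str) -> bool:
    """True if token is a valid spn_spec under the assumed grammar."""
    if token in SPN_SPEC_WORDS:
        return True
    return any(token.startswith(p) and len(token) > len(p) for p in SPN_SPEC_PREFIXES)


def parse_single_spec(line: str):
    """The logic described in comment #2: everything after the second colon is
    treated as an option, so a second spn_spec is reported as an unknown option.
    Returns (path, [spn_spec], options) or raises ValueError."""
    path, sep, rest = line.partition(":")
    if not sep:
        raise ValueError(f"no spn_spec in line: {line}")
    options = []
    # Walk from the end: each segment after a colon must be an option.
    while ":" in rest:
        rest, _, tail = rest.rpartition(":")
        if tail not in OPTIONS:
            raise ValueError(f"unknown option '{tail}' in line: {line}")
        options.insert(0, tail)
    # Whatever is left between the first and second colons must be the one spn_spec.
    if not is_spn_spec(rest):
        raise ValueError(f"unknown spn_spec '{rest}' in line: {line}")
    return path, [rest], options


def parse_multi_spec(line: str):
    """Accept path:spn_spec[:spn_spec...][:option...] (assumed grammar):
    strip options off the end, then every remaining field must be an spn_spec.
    An option that appears before an spn_spec is therefore rejected."""
    fields = line.split(":")  # assumes neither the path nor any value contains ':'
    path, fields = fields[0], fields[1:]
    options = []
    while fields and fields[-1] in OPTIONS:
        options.insert(0, fields.pop())
    if not fields:
        raise ValueError(f"no spn_spec in line: {line}")
    for tok in fields:
        if not is_spn_spec(tok):
            raise ValueError(f"unknown spn_spec '{tok}' in line: {line}")
    return path, fields, options


def error_of(parser, line):
    """Return the parser's error message for line, or None if it parses."""
    try:
        parser(line)
    except ValueError as e:
        return str(e)
    return None


if __name__ == "__main__":
    for example in (KEYTAB8_EXAMPLE, WINBIND_EXAMPLE):
        for parser in (parse_single_spec, parse_multi_spec):
            err = error_of(parser, example)
            print(parser.__name__, "->", "ERROR: " + err if err else parser(example))
```

Running the block prints the same two "unknown option" complaints the report quotes for `parse_single_spec`, while `parse_multi_spec` returns the path, the list of spn_specs and the trailing options for both lines; a line with no spn_spec, or with an option placed before an spn_spec, is still rejected by the multi-spec parser.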
Comment 3 Christian Ullrich 2025-12-28 09:59:41 UTC
This was actually fixed in master this week via https://gitlab.com/samba-team/samba/-/merge_requests/4335/ .

Replacing the entire file in 4.23.4 builds fine and works insofar as it accepts valid lines and rejects invalid ones, with multiple spn_specs now.