From: Douglas Bagnall
Date: Mon, 18 Aug 2025 09:02:57 +0000 (+1200)
Subject: man samba-tool: computer keytrust
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0ff4d9e881cd0698247de99082981e8d0202157d;p=thirdparty%2Fsamba.git

man samba-tool: computer keytrust

Signed-off-by: Douglas Bagnall
Reviewed-by: Gary Lockyer
---

diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml index 922b7884d47..b27b168f471 100644 --- a/docs-xml/manpages/samba-tool.8.xml +++ b/docs-xml/manpages/samba-tool.8.xml 
@@ -295,6 +295,96 @@ + + computer keytrust + Manage Key Credential Links for a computer. + This can populate, describe or delete msDS-KeyCredentialLink attributes. + + + + +computer keytrust add <replaceable>computername</replaceable> <replaceable>public-key-or-certificate</replaceable>[options] +Add a key-credential-link, which is a linked attribute that holds a public key in a binary field. + + + The second argument is a filename that should refer to a 2048 bit RSA key (or a certificate containing that key) in PEM or DER format. By default the encoding format will be detected automatically, but you can attempt to override this with --encoding option. Other types of public key are not supported, though the --force option can be used to add a non-2048 bit key. + + + + + + --link-target=DN + link to this DN (default: the computer's DN) + + + --encoding=ENCODING + Key format, either pem, der, or auto. The default is auto, which is likely to detect the correct format in all circumstances. + + + --force + proceed with operations that seems ill-fated + + + + + + +computer keytrust delete <replaceable>computername</replaceable> [options] +Delete a key-credential-link. + +The link to be deleted can be selected in a number of ways. --all will delete all key credential links for the computer (often there will only be one). The --link-target option selects a key credential link based on the DN targeted by the link. The --fingerprint option selects a link to delete based on the key fingerprint. This is the SHA256 of the DER-encoded key material, expressed as hex-pairs separated by colons. See computer keytrust view to get a list of links and their fingerprints. + + +If more than one of --link-target, --fingerprint, and --all are used, links matched by any of them will be deleted. + + +The --dry-run option will prevent links from being deleted, and instead indicate what would happen if it was omitted. 
+ + + + + + --link-target=DN + Delete this key credential link (a DN) + + + --fingerprint=HH:HH:.. + Delete the key credential link with this key fingerprint + + + --all + Delete all key credential links + + + -n, --dry-run + Do nothing but print what would happen + + + + + + +computer keytrust view <replaceable>computername</replaceable> [options] + +View a computer's key credential links. This can be used to find a link's fingerprint and target DN for computer keytrust delete. + +The --verbose includes more, probably useless, information. + + + + + + -h, --help + show this help message and exit + + + -v, --verbose + Be verbose + + + + + contact Manage contacts. @@ -621,7 +711,7 @@ return code will not indicate error. - +
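Review bot: In the `computer keytrust delete` description, "links matched by any of them will be deleted" makes the selectors a union, so passing --fingerprint together with --link-target or --all removes more links than --fingerprint alone. Since each link holds a public key, the text should say outright that combining options widens the match rather than narrowing it, and should point readers to --dry-run before a real delete. The fingerprint is described as "the SHA256 of the DER-encoded key material", which does not say which DER structure is hashed; naming it would let an administrator compute the value independently and compare it with the output of `computer keytrust view`. Smaller points in the same hunk: the --force entry reads "operations that seems ill-fated" (should be "seem") and does not mention the non-2048 bit case that the add paragraph gives as its use; "with --encoding option" needs "the"; "The --verbose includes more, probably useless, information" is missing "option" and would serve readers better by saying what the extra output is; and the delete entry for --link-target, "Delete this key credential link (a DN)", should say that it selects links by their target DN.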