From: Douglas Bagnall Date: Wed, 11 Jun 2025 02:20:51 +0000 (+1200) Subject: man samba-tool: user keytrust X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9322a71a4fdc781a79292158f770cadfedc60abb;p=thirdparty%2Fsamba.git man samba-tool: user keytrust This documentation anticipates changes that will occur over the next ~20 commits. Signed-off-by: Douglas Bagnall Reviewed-by: Gary Lockyer --- diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml index 1189ca4e27a..922b7884d47 100644 --- a/docs-xml/manpages/samba-tool.8.xml +++ b/docs-xml/manpages/samba-tool.8.xml 
@@ -4303,6 +4303,96 @@ in use. View the assigned authentication silo for user. + + user keytrust + Manage Key Credential Links for a user. + This can populate, describe or delete msDS-KeyCredentialLink attributes. + + + + +user keytrust add <replaceable>username</replaceable> <replaceable>public-key-or-certificate</replaceable>[options] +Add a key-credential-link, which is a linked attribute that holds a public key in a binary field. + + + The second argument is a filename that should refer to a 2048 bit RSA key (or a certificate containing that key) in PEM or DER format. By default the encoding format will be detected automatically, but you can attempt to override this with --encoding option. Other types of public key are not supported, though the --force option can be used to add a non-2048 bit key. + + + + + + --link-target=DN + link to this DN (default: the user's DN) + + + --encoding=ENCODING + Key format, either pem, der, or auto. The default is auto, which is likely to detect the correct format in all circumstances. + + + --force + proceed with operations that seems ill-fated + + + + + + +user keytrust delete <replaceable>username</replaceable> [options] +Delete a key-credential-link. + +The link to be deleted can be selected in a number of ways. --all will delete all key credential links for the user (often there will only be one). The --link-target option selects a key credential link based on the DN targeted by the link. The --fingerprint option selects a link to delete based on the key fingerprint. This is the SHA256 of the DER-encoded key material, expressed as hex-pairs separated by colons. See user keytrust view to get a list of links and their fingerprints. + + +If more than one of --link-target, --fingerprint, and --all are used, links matched by any of them will be deleted. + + +The --dry-run option will prevent links from being deleted, and instead indicate what would happen if it was omitted. 
+ + + + + + --link-target=DN + Delete this key credential link (a DN) + + + --fingerprint=HH:HH:.. + Delete the key credential link with this key fingerprint + + + --all + Delete all key credential links + + + -n, --dry-run + Do nothing but print what would happen + + + + + + +user keytrust view <replaceable>username</replaceable> [options] + +View a user's key credential links. This can be used to find a link's fingerprint and target DN for user keytrust delete. + +The --verbose includes more, probably useless, information. + + + + + + -h, --help + show this help message and exit + + + -v, --verbose + Be verbose + + + + + vampire [options] <replaceable>domain</replaceable> Join and synchronise a remote AD domain to the local server.
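Review bot: the `user keytrust add` description says only that the link "holds a public key in a binary field" and never states what trust that confers; since the command is called keytrust, the paragraph should spell out that whoever holds the matching private key can use the link to authenticate as the user, so an admin reading `samba-tool user keytrust add --help` understands they are effectively issuing a credential for the account, not just storing a blob. A few smaller points in the same hunk: the synopsis `<replaceable>public-key-or-certificate</replaceable>[options]` is missing the space before `[options]` that the delete and view synopses have; "proceed with operations that seems ill-fated" should read "seem", and it is worth saying which checks --force bypasses (the paragraph above mentions the 2048-bit RSA requirement, so "skip the key size check" would be concrete); "The default is auto, which is likely to detect the correct format in all circumstances" overpromises for a heuristic, so either drop "in all circumstances" or say what happens when detection fails (presumably an error, at which point --encoding is the remedy); in the delete section "indicate what would happen if it was omitted" is ambiguous, so name the option ("if --dry-run were omitted"), and since add is the operation that changes who can log in, consider whether -n/--dry-run should be offered there too rather than only for delete. The fingerprint definition ("SHA256 of the DER-encoded key material") should say which DER structure is hashed (the SubjectPublicKeyInfo versus the bare RSAPublicKey encoding give different digests), because an operator will want to compute the same value with openssl to confirm they are deleting the right link. Finally, -h/--help is listed under `user keytrust view` but not under add or delete; either list it consistently or omit it here, as the rest of the manpage does for the common options. The spelling of the attribute and the phrase "key credential link" / "key-credential-link" also varies between the three subcommands and should be unified.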