From: Pavel Filipenský
Date: Tue, 3 Dec 2024 15:21:26 +0000 (+0100)
Subject: docs:manpages: Update 'net ads keytab create'
X-Git-Tag: samba-4.21.3~2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e1c1b88170d7f7870c5ee1eb31805a744685aca7;p=thirdparty%2Fsamba.git

docs:manpages: Update 'net ads keytab create'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský
Reviewed-by: Andreas Schneider

Autobuild-User(master): Pavel Filipensky
Autobuild-Date(master): Mon Dec 16 19:32:32 UTC 2024 on atb-devel-224

(cherry picked from commit 7b73c574d93668edd94f2eb18b58568d420487f4)

Autobuild-User(v4-21-test): Jule Anger
Autobuild-Date(v4-21-test): Tue Dec 31 15:31:52 UTC 2024 on atb-devel-224
---

diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
index e633c8c7c6a..f388644172f 100644
--- a/docs-xml/manpages/net.8.xml
+++ b/docs-xml/manpages/net.8.xml
@@ -1548,12 +1548,33 @@ to show in the result. ADS KEYTAB <replaceable>CREATE</replaceable> -Creates a new keytab file if one doesn't exist with default entries. Default -entries are kerberos principals created from the machinename of the -client, the UPN (if it exists) and any Windows SPN(s) associated with the -computer AD account for the client. If a keytab file already exists then only -missing kerberos principals from the default entries are added. No changes -are made to the computer AD account. +Since Samba 4.21.0, keytab file is created as specified in . The keytab is created only for +secrets only and +secrets and keytab. With +the smb.conf default values for secrets +only and +(default is empty) the keytab is not generated at all. Keytab with a default +name and SPNs synced from AD is created for secrets and keytab if is missing. + + +Till Samba 4.20.0, two more entries were created by default: the machinename of +the client (ending with '$') and the UPN (host/domain@REALM). If these two +entries are still needed, each must be specified in an own keytab file. +Example below will generate three keytab files that contain SPNs synced from +AD, host UPN and machine$ SPN: + + + +/etc/krb5.keytab0:sync_spns:machine_password, +/etc/krb5.keytab1:spns=host/smb.com@SMB.COM:machine_password, +/etc/krb5.keytab2:account_name:machine_password + + + +No changes are made to the computer AD account.
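Review bot: The new first paragraph of the ADS KEYTAB CREATE section is missing the thing it points the reader at: "keytab file is created as specified in ." names no smb.conf option, and "is created for secrets and keytab if is missing" has no subject, so the rendered page cannot tell the reader which parameter controls keytab generation or which parameter being unset means "not generated at all". Whatever option element was intended there should be restored so both sentences resolve, and the two values "secrets only" and "secrets and keytab" should be marked up as literal option values (quoted or in <literal>/<constant>), since as prose "created only for secrets only and secrets and keytab" is hard to parse. The example block would also benefit from one sentence spelling out the colon-separated format it uses, i.e. that each entry is "path:what to write:which credential" and that `sync_spns`, `spns=<principal>`, `account_name` and `machine_password` are the recognised tokens, because the example is the only place those tokens appear in this section. Minor wording: "Till Samba 4.20.0" reads better as "Up to and including Samba 4.20.0", "in an own keytab file" as "in its own keytab file", and "Example below will generate" as "The example below generates". Finally, since the example writes machine-password-derived keys to three separate files under /etc, a short note that each of them needs the same restrictive ownership and permissions as the default keytab would help administrators who copy the example as-is.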