<para>
Till Samba 4.20, these entries were created by default: the account name
COMPUTER$, 'host' principal and SPNs synced from AD. Example below generates
-such keytab ('host' is added implicitly):
+such keytab:
</para>
<programlisting>
-<smbconfoption name="sync machine password to keytab">/etc/krb5.keytab:account_name:sync_spns:sync_kvno:machine_password</smbconfoption>
+<smbconfoption name="sync machine password to keytab">/etc/krb5.keytab:spn_prefixes=host:account_name:sync_spns:sync_kvno:machine_password</smbconfoption>
</programlisting>
<para>
No changes are made to the computer AD account.
</para>
<para>
-Every keytab contains the 'host' principal and principals according the specification below:
+Every keytab contains principals according the specification below:
<programlisting>
account_name - COMPUTER$@REALM
sync_account_name - uses attribute "sAMAccountName" from AD
-host - always present, no need to specify it explicitly
- the 'host' principal is created for the same variants (netbios name, dns hostname, netbiosalias, additional_dns_hostname) as in spn_prefixes
sync_upn - uses attribute "userPrincipalName" (if exists in AD)
sync_spns - uses attribute "servicePrincipalName" (if exists in AD)
spn_prefixes - creates these two principals from each prefix. e.g.:
prefix/netbiosalias.dnsdomain@REALM
with :additional_dns_hostnames for each additionaldnshostname in <smbconfoption name="additional dns hostnames"/>
prefix/additionaldnshostname@REALM
+ - 'host' principal should be created using specifier spn_prefixes
spns - creates only the principals defined in the list
</programlisting>
'account_name' and 'sync_account_name' are the same, just the source differs (secrets.tdb vs. AD).
<programlisting>
sync_etypes - attribute "msDS-SupportedEncryptionTypes" is read from AD and is used to find the highest common enc type for AD and KRB5 lib.
sync_kvno - attribute "msDS-KeyVersionNumber" from AD is used to set KVNO. If this option is missing, KVNO is set to -1.
-netbios_aliases - evaluated only for spn_prefixes (see details above) and for the 'host' principal.
-additional_dns_hostnames - evaluated only for spn_prefixes (see details above) and for the 'host' principal.
+netbios_aliases - evaluated only for spn_prefixes (see details above).
+additional_dns_hostnames - evaluated only for spn_prefixes (see details above).
machine_password - mandatory, if missing the entry is ignored. For future use.
</programlisting>
</para>
"/path/to/keytab5:spn_prefixes=imap,smtp:netbios_aliases:additional_dns_hostnames:sync_kvno:machine_password",
"/path/to/keytab6:spns=wurst/brot@REALM:machine_password",
"/path/to/keytab7:spns=wurst/brot@REALM,wurst2/brot@REALM:sync_kvno:machine_password",
-"/path/to/keytab8:account_name:sync_account_name:host:sync_upn:sync_spns:spn_prefixes=cifs,http:spns=wurst/brot@REALM:sync_kvno:machine_password"
+"/path/to/keytab8:sync_account_name:sync_upn:sync_spns:spn_prefixes=host,cifs,http:spns=wurst/brot@REALM:sync_kvno:machine_password"
</programlisting>
If sync_etypes or sync_kvno or sync_spns is present then winbind connects to DC. For "offline domain join" it might be useful not to use these options.
</para>
projects / thirdparty / samba.git / commitdiff
