From: Günther Deschner
Date: Sat, 13 Dec 2025 12:49:37 +0000 (+0100)
Subject: doc-xml: Document "net ads kerberos" commands
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4fef05e5dff17a4ba575f6fc621b624cb81375d2;p=thirdparty%2Fsamba.git

doc-xml: Document "net ads kerberos" commands

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840

Guenther

Signed-off-by: Guenther Deschner
Reviewed-by: Andreas Schneider

Autobuild-User(master): Günther Deschner
Autobuild-Date(master): Mon Jan 5 15:49:04 UTC 2026 on atb-devel-224
--- diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml index d5043e7d07b..65ff0fa41c1 100644 --- a/docs-xml/manpages/net.8.xml +++ b/docs-xml/manpages/net.8.xml 
@@ -1810,7 +1810,146 @@ the following entry types; + + ADS KERBEROS + + + Issue Kerberos operations against an Active Directory KDC. + + + + + + ADS KERBEROS KINIT + + + Issue a kinit request for a given user. When no other options are + defined the ticket granting ticket (TGT) will be stored in a memory cache. + + + + To store the TGT in a different location either use the + option or set the + KRB5CCNAME environment variable. + + +Example: net ads kerberos kinit -P --krb5-ccache=/tmp/krb5cache + + + + + ADS KERBEROS RENEW + + + Renew an already acquired ticket granting ticket (TGT). + + +Example: net ads kerberos renew + + + + + ADS KERBEROS PAC + + + Request a Kerberos PAC while authenticating to an Active Directory KDC. + + + + The following commands are provided: + + + +net ads kerberos pac dump - Dump a PAC to stdout. +net ads kerneros pac save - Save a PAC to a file. + + + + All commands allow to define an impersonation principal to do a Kerberos + Service for User (S4U2SELF) operation via + the impersonate=STRING option. + The impersonation principal can have multiple different formats: + + + + + user@MY.REALM + This is the default format. + + + user@MY.REALM@MY.REALM + The Kerberos Service for User (S4U2SELF) also supports + Enterprise Principals. + + + user@UPN.SUFFIX@MY.REALM + Enterprise Principal using a defined upn suffix. + + + user@WORKGROUP@MY.REALM + Enterprise Principal with netbios domain name. + This format is currently not supported by Samba AD. + + + + By default net will request a service ticket for the local service + of the joined machine. A different service can be defined via + local_service=STRING. + + + + + ADS KERBEROS PAC DUMP [impersonate=string] [local_service=string] [pac_buffer_type=int] + + + Request a Kerberos PAC while authenticating to an Active Directory KDC. + The PAC will be printed on stdout. + + + + When no specific pac_buffer is selected, all buffers will be printed. 
+ It is possible to select a specific one via + pac_buffer_type=INT from this list: + + + +1 PAC_TYPE_LOGON_INFO +2 PAC_TYPE_CREDENTIAL_INFO +6 PAC_TYPE_SRV_CHECKSUM +7 PAC_TYPE_KDC_CHECKSUM +10 PAC_TYPE_LOGON_NAME +11 PAC_TYPE_CONSTRAINED_DELEGATION +12 PAC_TYPE_UPN_DNS_INFO +13 PAC_TYPE_CLIENT_CLAIMS_INFO +14 PAC_TYPE_DEVICE_INFO +15 PAC_TYPE_DEVICE_CLAIMS_INFO +16 PAC_TYPE_TICKET_CHECKSUM +17 PAC_TYPE_ATTRIBUTES_INFO +18 PAC_TYPE_REQUESTER_SID +19 PAC_TYPE_FULL_CHECKSUM + + +Example: net ads kerberos pac dump -P impersonate=anyuser@MY.REALM.COM + + + + + ADS KERBEROS PAC SAVE [impersonate=string] [local_service=string] [filename=string] + + + Request a Kerberos PAC while authenticating to an Active Directory KDC. + The PAC will be saved in a file. + + + + The filename to store the PAC can be set via the + filename=STRING option. + + +Example: net ads kerberos pac save -U user%password filename=/tmp/pacstore + + SAM CREATEBUILTINGROUP <NAME>
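Review bot: The second entry in the ADS KERBEROS PAC command list is misspelled as "net ads kerneros pac save"; it should read "net ads kerberos pac save", since a reader copying the line from the man page would otherwise get an unknown subcommand. On the examples: the kinit and pac save examples write to fixed names under /tmp (/tmp/krb5cache and /tmp/pacstore), and the pac save example passes the password inline as -U user%password. A credential cache is a usable credential and the PAC carries the user's logon and authorization data, so consider adding a sentence that the target path should be readable only by the calling user, and showing -U user so that the password is prompted for instead of appearing on the command line. Smaller points: the pac dump example uses MY.REALM.COM while the principal format list uses MY.REALM, so pick one realm name throughout, and "All commands allow to define an impersonation principal" would read better as "All commands allow defining an impersonation principal".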