From: Pavel Filipenský Date: Fri, 14 Feb 2025 16:27:26 +0000 (+0100) Subject: docs: Update documentation for 'sync machine password to keytab' X-Git-Tag: samba-4.22.0rc3~17 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b9c08aec94a6bf41fd7fe7f810349b3c243542ba;p=thirdparty%2Fsamba.git docs: Update documentation for 'sync machine password to keytab' Use specifier 'spn_prefixes=host' instead of 'host' BUG: https://bugzilla.samba.org/show_bug.cgi?id=15759 Signed-off-by: Pavel Filipenský Reviewed-by: Stefan Metzmacher Autobuild-User(master): Pavel Filipensky Autobuild-Date(master): Sat Feb 15 19:21:56 UTC 2025 on atb-devel-224 (cherry picked from commit 7cae7aad1ca6dcd5e0a3a102f36af74fa49a2c2b) --- diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml index 39ae5c79508..05191236ecc 100644 --- a/docs-xml/manpages/net.8.xml +++ b/docs-xml/manpages/net.8.xml @@ -1564,10 +1564,10 @@ keytab"/> is missing. Till Samba 4.20, these entries were created by default: the account name COMPUTER$, 'host' principal and SPNs synced from AD. Example below generates -such keytab ('host' is added implicitly): +such keytab: -/etc/krb5.keytab:account_name:sync_spns:sync_kvno:machine_password +/etc/krb5.keytab:spn_prefixes=host:account_name:sync_spns:sync_kvno:machine_password No changes are made to the computer AD account. diff --git a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml index 02eaf3162c0..ec3fffc1119 100644 --- a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml +++ b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml 
@@ -39,12 +39,10 @@ spns=value1[,value2[...]] -Every keytab contains the 'host' principal and principals according the specification below: +Every keytab contains principals according the specification below: account_name - COMPUTER$@REALM sync_account_name - uses attribute "sAMAccountName" from AD -host - always present, no need to specify it explicitly - the 'host' principal is created for the same variants (netbios name, dns hostname, netbiosalias, additional_dns_hostname) as in spn_prefixes sync_upn - uses attribute "userPrincipalName" (if exists in AD) sync_spns - uses attribute "servicePrincipalName" (if exists in AD) spn_prefixes - creates these two principals from each prefix. e.g.: @@ -55,6 +53,7 @@ spn_prefixes - creates these two principals from each prefix. e.g.: prefix/netbiosalias.dnsdomain@REALM with :additional_dns_hostnames for each additionaldnshostname in prefix/additionaldnshostname@REALM + - 'host' principal should be created using specifier spn_prefixes spns - creates only the principals defined in the list 'account_name' and 'sync_account_name' are the same, just the source differs (secrets.tdb vs. AD). @@ -65,8 +64,8 @@ Options: sync_etypes - attribute "msDS-SupportedEncryptionTypes" is read from AD and is used to find the highest common enc type for AD and KRB5 lib. sync_kvno - attribute "msDS-KeyVersionNumber" from AD is used to set KVNO. If this option is missing, KVNO is set to -1. -netbios_aliases - evaluated only for spn_prefixes (see details above) and for the 'host' principal. -additional_dns_hostnames - evaluated only for spn_prefixes (see details above) and for the 'host' principal. +netbios_aliases - evaluated only for spn_prefixes (see details above). +additional_dns_hostnames - evaluated only for spn_prefixes (see details above). machine_password - mandatory, if missing the entry is ignored. For future use. 
@@ -82,7 +81,7 @@ Example: "/path/to/keytab5:spn_prefixes=imap,smtp:netbios_aliases:additional_dns_hostnames:sync_kvno:machine_password", "/path/to/keytab6:spns=wurst/brot@REALM:machine_password", "/path/to/keytab7:spns=wurst/brot@REALM,wurst2/brot@REALM:sync_kvno:machine_password", -"/path/to/keytab8:account_name:sync_account_name:host:sync_upn:sync_spns:spn_prefixes=cifs,http:spns=wurst/brot@REALM:sync_kvno:machine_password" +"/path/to/keytab8:sync_account_name:sync_upn:sync_spns:spn_prefixes=host,cifs,http:spns=wurst/brot@REALM:sync_kvno:machine_password" If sync_etypes or sync_kvno or sync_spns is present then winbind connects to DC. For "offline domain join" it might be useful not to use these options.
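Review bot: In the net.8.xml hunk (@@ -1564), the only remaining hint that 'host' used to be implicit is the unchanged context "Till Samba 4.20, these entries were created by default: the account name COMPUTER$, 'host' principal and SPNs synced from AD"; with the "('host' is added implicitly)" parenthetical removed, an administrator upgrading an existing `sync machine password to keytab` entry written for the old syntax is not told that the host/ principal will silently disappear from the keytab unless `spn_prefixes=host` is added. Suggest one explicit sentence after the example, e.g. "Entries written for Samba 4.20/4.21 must add `spn_prefixes=host` to keep the 'host' principal." While touching this paragraph, "Till Samba 4.20" should read "Until Samba 4.20".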
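Review bot: In the smbdotconf hunk at @@ -39, the new line "Every keytab contains principals according the specification below:" is missing "to" ("according to the specification below"). The removed line "host - always present, no need to specify it explicitly" documented a guarantee that this change withdraws, so the sentence replacing it should state the new rule positively, e.g. "No principal is created unless requested by one of the specifiers below; use spn_prefixes=host for the 'host' principal", rather than leaving the reader to infer the behaviour change from the removed text.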
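Review bot: In the hunk at @@ -55, the added line "- 'host' principal should be created using specifier spn_prefixes" is appended after the additional_dns_hostnames item with a leading "- ", which makes it look like a further sub-item of the prefix expansion list rather than guidance about the spn_prefixes specifier as a whole. "should be created" also reads as optional advice; since the 'host' principal is no longer produced any other way, suggest wording it as a concrete instance in the "e.g." that introduces the list, e.g. "spn_prefixes=host creates host/netbiosname@REALM and host/dnshostname@REALM (and the netbios_aliases / additional_dns_hostnames variants when those options are present)", placed before the per-variant lines.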
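Review bot: In the hunk at @@ -82, the keytab8 example drops `account_name` as well as `host`, but the commit message only describes replacing 'host' with `spn_prefixes=host`. Dropping it is harmless given the context line "'account_name' and 'sync_account_name' are the same, just the source differs (secrets.tdb vs. AD)", but the new keytab8 was the one example showing both specifiers together with every other option; either keep `account_name:` in the example or mention in the commit message that it was removed intentionally as redundant.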