From 15e191736d3eaba83b2fb4b901e1df2214526b64 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Pavel=20Filipensk=C3=BD?= Date: Mon, 20 Jan 2025 16:00:51 +0100 Subject: [PATCH] s3: Add new keytab specifiers MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=15759 Signed-off-by: Pavel Filipenský Reviewed-by: Andreas Schneider Reviewed-by: Alexander Bokovoy --- selftest/target/Samba3.pm | 3 +- source3/libads/kerberos_keytab.c | 631 +++++++++++++-------- source3/script/tests/test_update_keytab.sh | 449 +++++++++++---- 3 files changed, 730 insertions(+), 353 deletions(-) diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm index 46995d6fdac..a6c2917d410 100755 --- a/selftest/target/Samba3.pm +++ b/selftest/target/Samba3.pm @@ -807,7 +807,8 @@ sub provision_ad_member \"$prefix_abs/keytab2:spn_prefixes=imap,smtp:additional_dns_hostnames:netbios_aliases:machine_password:sync_etypes\", \\ \"$prefix_abs/keytab2k:spn_prefixes=imap,smtp:additional_dns_hostnames:sync_kvno:machine_password:sync_etypes\", \\ \"$prefix_abs/keytab3:spns=wurst/brot\@$dcvars->{REALM}:machine_password:sync_etypes\", \\ - \"$prefix_abs/keytab3k:spns=wurst/brot\@$dcvars->{REALM},wurst1/brot\@$dcvars->{REALM},wurst2/brot\@$dcvars->{REALM}:sync_kvno:machine_password:sync_etypes\" + \"$prefix_abs/keytab3k:spns=wurst/brot\@$dcvars->{REALM},wurst1/brot\@$dcvars->{REALM},wurst2/brot\@$dcvars->{REALM}:sync_kvno:machine_password:sync_etypes\", \\ + \"$prefix_abs/keytab4k:account_name:sync_account_name:spn_prefixes=imap,smtp:additional_dns_hostnames:netbios_aliases:spns=wurst/brot\@$dcvars->{REALM},wurst1/brot\@$dcvars->{REALM},wurst2/brot\@$dcvars->{REALM}:sync_kvno:machine_password:sync_etypes\" "; } diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c index dbf8af44c1f..619a7bda0d4 100644 --- a/source3/libads/kerberos_keytab.c +++ b/source3/libads/kerberos_keytab.c 
@@ -30,6 +30,7 @@ #include "ads.h" #include "secrets.h" #include "librpc/gen_ndr/ndr_secrets.h" +#include "lib/util/string_wrappers.h" #ifdef HAVE_KRB5 @@ -41,44 +42,59 @@ #endif enum spn_spec_type { - SPN_SPEC_DEFAULT, - SPN_SPEC_SYNC, + SPN_SPEC_ACCOUNT_NAME, + SPN_SPEC_SYNC_ACCOUNT_NAME, + SPN_SPEC_HOST, + SPN_SPEC_SYNC_UPN, + SPN_SPEC_SYNC_SPNS, SPN_SPEC_FULL, - SPN_SPEC_PREFIX + SPN_SPEC_PREFIX, + SPN_SPEC_MAX }; -/* pw2kt_conf contains 1 parsed line from "sync machine password to keytab" */ -struct pw2kt_conf { - enum spn_spec_type spn_spec; +/* Specifier */ +struct pw2kt_specifier { + bool is_set; + char **spn_spec_vals; /* Array of full SPNs or prefixes */ +}; + +/* Descriptor contains 1 parsed line from "sync machine password to keytab" */ +struct pw2kt_keytab_desc { char *keytab; bool sync_etypes; bool sync_kvno; bool additional_dns_hostnames; bool netbios_aliases; bool machine_password; - char **spn_spec_array; - size_t num_spn_spec; + struct pw2kt_specifier spec_array[SPN_SPEC_MAX]; }; -/* State used by pw2kt */ -struct pw2kt_state { +/* Global state - stores initial data */ +struct pw2kt_global_state { /* Array of parsed lines from "sync machine password to keytab" */ - struct pw2kt_conf *keytabs; - size_t num_keytabs; + struct pw2kt_keytab_desc *keytabs; + /* Accumulated configuration from all keytabs */ bool sync_etypes; bool sync_kvno; bool sync_spns; + bool sync_upn; + bool sync_sam_account; /* These are from DC */ krb5_kvno ad_kvno; uint32_t ad_etypes; + char *ad_upn; + char *ad_sam_account; char **ad_spn_array; size_t ad_num_spns; /* This is from secrets.db */ struct secrets_domain_info1 *info; }; -/* State used by pw2kt_process_keytab */ -struct pw2kt_process_state { +/* + * Manages krb5lib data created during processing of 'global state'. + * One instance per keytab. + */ +struct pw2kt_keytab_state { krb5_keytab keytab; krb5_context context; krb5_keytab_entry *array1; 
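Review bot: The new `/* Specifier */` comment on `struct pw2kt_specifier` tells a reader nothing, and the enum now carries an undocumented contract. Its values index `spec_array[SPN_SPEC_MAX]`, so `SPN_SPEC_MAX` must stay last, and the later loop over `0..SPN_SPEC_MAX` suggests the enumerator order is also the order in which principals are generated. I would replace the comment with `/* One SPN specifier of a keytab line; spn_spec_vals is filled only for SPN_SPEC_FULL and SPN_SPEC_PREFIX */` and put `/* must stay last: size of pw2kt_keytab_desc.spec_array */` next to `SPN_SPEC_MAX`. The comment on `keytabs` should also say that its length now comes from `talloc_array_length()` rather than a counter field.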
@@ -88,151 +104,206 @@ struct pw2kt_process_state { krb5_enctype preferred_etype; }; -static ADS_STATUS pw2kt_scan_add_spn(TALLOC_CTX *ctx, - const char *spn, - struct pw2kt_conf *conf) +static ADS_STATUS pw2kt_add_val(TALLOC_CTX *ctx, + struct pw2kt_specifier *spec, + const char *spn_val) { - conf->spn_spec_array = talloc_realloc(ctx, - conf->spn_spec_array, - char *, - conf->num_spn_spec + 1); - if (conf->spn_spec_array == NULL) { + size_t len = talloc_array_length(spec->spn_spec_vals); + spec->spn_spec_vals = talloc_realloc(ctx, + spec->spn_spec_vals, + char *, + len + 1); + if (spec->spn_spec_vals == NULL) { return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); } - conf->spn_spec_array[conf->num_spn_spec] = talloc_strdup( - conf->spn_spec_array, spn); - if (conf->spn_spec_array[conf->num_spn_spec] == NULL) { + spec->spn_spec_vals[len] = talloc_strdup(spec->spn_spec_vals, spn_val); + if (spec->spn_spec_vals[len] == NULL) { return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); } - conf->num_spn_spec++; return ADS_SUCCESS; } +static ADS_STATUS pw2kt_scan_spec(TALLOC_CTX *ctx, + struct pw2kt_global_state *gstate, + struct pw2kt_keytab_desc *desc, + const char *option) +{ + enum spn_spec_type spec_type; + struct pw2kt_specifier *spec; + char *vals = NULL; + char *tmp = NULL; + ADS_STATUS status; + + /* First check for options sync_kvno, sync_etypes, ... 
*/ + if (strequal(option, "sync_kvno")) { + desc->sync_kvno = gstate->sync_kvno = true; + return ADS_SUCCESS; + } else if (strequal(option, "sync_etypes")) { + desc->sync_etypes = gstate->sync_etypes = true; + return ADS_SUCCESS; + } else if (strequal(option, "additional_dns_hostnames")) { + desc->additional_dns_hostnames = true; + return ADS_SUCCESS; + } else if (strequal(option, "netbios_aliases")) { + desc->netbios_aliases = true; + return ADS_SUCCESS; + } else if (strequal(option, "machine_password")) { + desc->machine_password = true; + return ADS_SUCCESS; + } + + vals = strchr_m(option, '='); + if (vals != NULL) { + *vals = 0; + vals++; + } + + if (strequal(option, "account_name")) { + spec_type = SPN_SPEC_ACCOUNT_NAME; + } else if (strequal(option, "sync_account_name")) { + spec_type = SPN_SPEC_SYNC_ACCOUNT_NAME; + gstate->sync_sam_account = true; + } else if (strequal(option, "host")) { + spec_type = SPN_SPEC_HOST; + } else if (strequal(option, "sync_upn")) { + spec_type = SPN_SPEC_SYNC_UPN; + gstate->sync_upn = true; + } else if (strequal(option, "sync_spns")) { + spec_type = SPN_SPEC_SYNC_SPNS; + gstate->sync_spns = true; + } else if (strequal(option, "spns")) { + spec_type = SPN_SPEC_FULL; + } else if (strequal(option, "spn_prefixes")) { + spec_type = SPN_SPEC_PREFIX; + } else { + DBG_ERR("Invalid option: '%s'\n", option); + return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); + } + + desc->spec_array[spec_type].is_set = true; + if (spec_type != SPN_SPEC_PREFIX && spec_type != SPN_SPEC_FULL) { + return ADS_SUCCESS; + } + if (vals == NULL) { + DBG_ERR("SPN specifier: %s is missing '='\n", option); + return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); + } + spec = &desc->spec_array[spec_type]; + + /* Entries are separated via ',' */ + while ((tmp = strchr_m(vals, ',')) != NULL) { + *tmp = 0; + tmp++; + status = pw2kt_add_val(ctx, spec, vals); + if (!ADS_ERR_OK(status)) { + return status; + } + vals = tmp; + if (*vals == 0) { + DBG_ERR("Invalid syntax (trailing 
','): %s\n", option); + return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); + } + } + /* Process the last entry */ + return pw2kt_add_val(ctx, spec, vals); +} + /* * Parse the smb.conf and find out if it is needed to read from DC: - * - servicePrincipalNames + * - servicePrincipalName * - msDs-KeyVersionNumber + * - userPrincipalName + * - sAMAccountName + * + * Example of a line: + * /etc/krb5/krb5.keytab:account_name:snps=s1@REALM.COM,spn2@REALM.ORG:host:sync_kvno:machine_password */ -static ADS_STATUS pw2kt_scan_line(const char *line, struct pw2kt_state *state) +static ADS_STATUS pw2kt_scan_line(const char *line, + struct pw2kt_global_state *gstate) { - char *keytabname = NULL; - char *spn_spec = NULL; - char *spn_val = NULL; - char *option = NULL; - struct pw2kt_conf *conf = NULL; + char *tmp = NULL; + char *olist = NULL; + struct pw2kt_keytab_desc *desc = NULL; ADS_STATUS status; + size_t num_keytabs = talloc_array_length(gstate->keytabs); - state->keytabs = talloc_realloc(state, - state->keytabs, - struct pw2kt_conf, - state->num_keytabs + 1); - if (state->keytabs == NULL) { + gstate->keytabs = talloc_realloc(gstate, + gstate->keytabs, + struct pw2kt_keytab_desc, + num_keytabs + 1); + if (gstate->keytabs == NULL) { return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); } - conf = &state->keytabs[state->num_keytabs]; - state->num_keytabs++; + desc = &gstate->keytabs[num_keytabs]; + ZERO_STRUCT(*desc); - keytabname = talloc_strdup(state->keytabs, line); - if (keytabname == NULL) { + desc->keytab = talloc_strdup(gstate->keytabs, line); + if (desc->keytab == NULL) { return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); } - ZERO_STRUCT(*conf); - conf->keytab = keytabname; - spn_spec = strchr_m(keytabname, ':'); - if (spn_spec == NULL) { - DBG_ERR("Invalid format! ':' expected in '%s'\n", keytabname); + olist = strchr_m(desc->keytab, ':'); + if (olist == NULL) { + DBG_ERR("Invalid format! 
':' expected in '%s'\n", line); return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); } - *spn_spec++ = 0; - - /* reverse match with strrchr_m() */ - while ((option = strrchr_m(spn_spec, ':')) != NULL) { - *option++ = 0; - if (strequal(option, "sync_kvno")) { - conf->sync_kvno = state->sync_kvno = true; - } else if (strequal(option, "sync_etypes")) { - conf->sync_etypes = state->sync_etypes = true; - } else if (strequal(option, "additional_dns_hostnames")) { - conf->additional_dns_hostnames = true; - } else if (strequal(option, "netbios_aliases")) { - conf->netbios_aliases = true; - } else if (strequal(option, "machine_password")) { - conf->machine_password = true; - } else { - DBG_WARNING("Unknown option '%s'!\n", option); - return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); - } - } + *olist = 0; + olist++; - spn_val = strchr_m(spn_spec, '='); - if (spn_val != NULL) { - *spn_val++ = 0; - } + /* Always add 'host' principal */ + desc->spec_array[SPN_SPEC_HOST].is_set = true; - if (strcmp(spn_spec, "account_name") == 0) { - conf->spn_spec = SPN_SPEC_DEFAULT; - } else if (strcmp(spn_spec, "sync_spns") == 0) { - conf->spn_spec = SPN_SPEC_SYNC; - state->sync_spns = true; - } else if (strcmp(spn_spec, "spns") == 0 || - strcmp(spn_spec, "spn_prefixes") == 0) - { - char *spn = NULL, *tmp = NULL; - - conf->spn_spec = strcmp(spn_spec, "spns") == 0 - ? 
SPN_SPEC_FULL - : SPN_SPEC_PREFIX; - conf->num_spn_spec = 0; - spn = spn_val; - while ((tmp = strchr_m(spn, ',')) != NULL) { - *tmp++ = 0; - status = pw2kt_scan_add_spn(state->keytabs, spn, conf); - if (!ADS_ERR_OK(status)) { - return status; - } - spn = tmp; + /* Entries are separated via ':' */ + while ((tmp = strchr_m(olist, ':')) != NULL) { + *tmp = 0; + tmp++; + status = pw2kt_scan_spec(gstate->keytabs, gstate, desc, olist); + if (!ADS_ERR_OK(status)) { + return status; + } + olist = tmp; + if (*olist == 0) { + DBG_ERR("Invalid syntax (trailing ':'): %s\n", line); + return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); } - /* Do not forget the last entry */ - return pw2kt_scan_add_spn(state->keytabs, spn, conf); - } else { - DBG_WARNING("Invalid SPN specifier: %s\n", spn_spec); - return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); } - - return ADS_SUCCESS; + /* Process the last entry */ + return pw2kt_scan_spec(gstate->keytabs, gstate, desc, olist); } /* - * Fill struct pw2kt_state with defaults if "sync machine password to keytab" - * is missing in smb.conf + * Fill struct pw2kt_global_state with defaults if + * "sync machine password to keytab" is missing in smb.conf + * Creates 1 keytab with 3 SPN specifiers (sync_spns, account_name, host). 
*/ -static ADS_STATUS pw2kt_default_cfg(const char *name, struct pw2kt_state *state) +static ADS_STATUS pw2kt_default_cfg(const char *name, + struct pw2kt_global_state *state) { char *keytabname = NULL; - struct pw2kt_conf *conf = NULL; + struct pw2kt_keytab_desc *desc = NULL; state->keytabs = talloc_zero_array(state->keytabs, - struct pw2kt_conf, + struct pw2kt_keytab_desc, 1); if (state->keytabs == NULL) { return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); } - conf = &state->keytabs[0]; - state->num_keytabs = 1; + desc = &state->keytabs[0]; keytabname = talloc_strdup(state->keytabs, name); if (keytabname == NULL) { return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); } - - conf->spn_spec = SPN_SPEC_SYNC; - conf->keytab = keytabname; - conf->machine_password = true; - conf->sync_kvno = state->sync_kvno = true; + desc->keytab = keytabname; + desc->machine_password = true; + desc->sync_kvno = state->sync_kvno = true; state->sync_spns = true; + desc->spec_array[SPN_SPEC_SYNC_SPNS].is_set = true; + desc->spec_array[SPN_SPEC_ACCOUNT_NAME].is_set = true; + desc->spec_array[SPN_SPEC_HOST].is_set = true; + return ADS_SUCCESS; } @@ -240,7 +311,7 @@ static ADS_STATUS pw2kt_default_cfg(const char *name, struct pw2kt_state *state) * For the given principal add to the array entries created from all pw->keys[] */ static krb5_error_code pw2kt_process_add_pw( - struct pw2kt_process_state *state2, + struct pw2kt_keytab_state *state2, krb5_principal princ, krb5_kvno vno, struct secrets_domain_info1_password *pw) 
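Review bot: Empty specifier values pass the parser in `pw2kt_scan_spec`: `spns=`, `spn_prefixes=,imap` and `spns=a,,b` all reach `pw2kt_add_val` with an empty string, because only a trailing `,` is rejected. An empty prefix is later formatted as `/<hostname>@<realm>` by `pw2kt_add_prefix`, and an empty full SPN goes to the principal parser, so a typo in smb.conf presumably surfaces only at sync time or as an unintended keytab entry. Rejecting it at the top of `pw2kt_add_val` with `if (spn_val == NULL || *spn_val == 0) { return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); }` keeps the failure at parse time. Two smaller things in the same hunk: the example line in the comment above `pw2kt_scan_line` spells the specifier `snps=`, which this parser would reject as an invalid option, and `option` is declared `const char *` although the function writes a NUL through the `strchr_m` result.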
@@ -287,11 +358,10 @@ static krb5_error_code pw2kt_process_add_pw( * For the given principal add to the array entries based on password, * old_password, older_password and next_change->password. */ -static krb5_error_code pw2kt_process_add_info( - struct pw2kt_process_state *state2, - krb5_kvno kvno, - const char *princs, - struct secrets_domain_info1 *info) +static krb5_error_code pw2kt_process_add_info(struct pw2kt_keytab_state *state2, + krb5_kvno kvno, + const char *princs, + struct secrets_domain_info1 *info) { krb5_error_code ret; krb5_principal princ = NULL; @@ -336,7 +406,7 @@ static krb5_error_code pw2kt_process_add_info( return ret; } -static int pw2kt_process_state_destructor(struct pw2kt_process_state *state2) +static int pw2kt_keytab_state_destructor(struct pw2kt_keytab_state *state2) { int i; size_t len2 = talloc_array_length(state2->array2); @@ -356,7 +426,7 @@ static int pw2kt_process_state_destructor(struct pw2kt_process_state *state2) } /* Read the whole keytab to krb5_keytab_entry array */ -static krb5_error_code pw2kt_process_kt2ar(struct pw2kt_process_state *state2) +static krb5_error_code pw2kt_process_kt2ar(struct pw2kt_keytab_state *state2) { krb5_error_code ret = 0, ret2 = 0; krb5_kt_cursor cursor; 
@@ -402,18 +472,173 @@ static krb5_error_code pw2kt_process_kt2ar(struct pw2kt_process_state *state2) return ret != 0 ? ret : ret2; } -static ADS_STATUS pw2kt_process_keytab(struct pw2kt_state *state, - struct pw2kt_conf *keytabptr) +#define ADD_INFO(P) \ + ret = pw2kt_process_add_info(state2, kvno, (P), gstate->info); \ + if (ret != 0) { \ + return ADS_ERROR_KRB5(ret); \ + } + +static ADS_STATUS pw2kt_add_prefix(struct pw2kt_global_state *gstate, + struct pw2kt_keytab_state *state2, + struct pw2kt_keytab_desc *keytabptr, + const char *prefix) { krb5_error_code ret = 0; - krb5_kvno kvno = -1; - size_t i, j, len1 = 0, len2 = 0; + krb5_kvno kvno = keytabptr->sync_kvno ? gstate->ad_kvno : -1; char *princ_s = NULL; const char **netbios_alias = NULL; const char **addl_hostnames = NULL; + + /* Add prefix/dnshostname@REALM */ + princ_s = talloc_asprintf(talloc_tos(), + "%s/%s@%s", + prefix, + lp_dns_hostname(), + lp_realm()); + if (princ_s == NULL) { + return ADS_ERROR_KRB5(ENOMEM); + } + ADD_INFO(princ_s); + + /* Add prefix/NETBIOSNAME@REALM */ + princ_s = talloc_asprintf(talloc_tos(), + "%s/%s@%s", + prefix, + lp_netbios_name(), + lp_realm()); + if (princ_s == NULL) { + return ADS_ERROR_KRB5(ENOMEM); + } + ADD_INFO(princ_s); + + if (keytabptr->netbios_aliases) { + for (netbios_alias = lp_netbios_aliases(); + netbios_alias != NULL && *netbios_alias != NULL; + netbios_alias++) + { + fstring netbios_lower; + + fstrcpy(netbios_lower, *netbios_alias); + if (!strlower_m(netbios_lower)) { + return ADS_ERROR_NT( + NT_STATUS_INVALID_PARAMETER); + } + + /* Add prefix/NETBIOSALIAS@REALM */ + princ_s = talloc_asprintf(talloc_tos(), + "%s/%s@%s", + prefix, + *netbios_alias, + lp_realm()); + if (princ_s == NULL) { + return ADS_ERROR_KRB5(ENOMEM); + } + ADD_INFO(princ_s); + + /* Add prefix/netbiosalias.dnsdomain@REALM */ + princ_s = talloc_asprintf(talloc_tos(), + "%s/%s.%s@%s", + prefix, + netbios_lower, + lp_dnsdomain(), + lp_realm()); + if (princ_s == NULL) { + return 
ADS_ERROR_KRB5(ENOMEM); + } + ADD_INFO(princ_s); + } + } + + if (keytabptr->additional_dns_hostnames) { + for (addl_hostnames = lp_additional_dns_hostnames(); + addl_hostnames != NULL && *addl_hostnames != NULL; + addl_hostnames++) + { + /* Add prefix/additionalhostname@REALM */ + princ_s = talloc_asprintf(talloc_tos(), + "%s/%s@%s", + prefix, + *addl_hostnames, + lp_realm()); + if (princ_s == NULL) { + return ADS_ERROR_KRB5(ENOMEM); + } + ADD_INFO(princ_s); + } + } + return ADS_SUCCESS; +} + +static ADS_STATUS pw2kt_process_specifier(struct pw2kt_global_state *gstate, + struct pw2kt_keytab_state *state2, + struct pw2kt_keytab_desc *keytabptr, + enum spn_spec_type spec_type) +{ + krb5_error_code ret = 0; + ADS_STATUS status; + krb5_kvno kvno = keytabptr->sync_kvno ? gstate->ad_kvno : -1; + struct pw2kt_specifier *spec = &keytabptr->spec_array[spec_type]; + size_t i, num_spn_spec_vals; + + if (!spec->is_set) { + return ADS_SUCCESS; + } + switch (spec_type) { + case SPN_SPEC_ACCOUNT_NAME: + ADD_INFO(gstate->info->account_name); + break; + case SPN_SPEC_SYNC_ACCOUNT_NAME: + ADD_INFO(gstate->ad_sam_account); + break; + case SPN_SPEC_HOST: + status = pw2kt_add_prefix(gstate, state2, keytabptr, "host"); + if (!ADS_ERR_OK(status)) { + return status; + } + break; + case SPN_SPEC_SYNC_UPN: + if (gstate->ad_upn != NULL) { + ADD_INFO(gstate->ad_upn); + } + break; + case SPN_SPEC_SYNC_SPNS: + for (i = 0; i < gstate->ad_num_spns; i++) { + ADD_INFO(gstate->ad_spn_array[i]); + } + break; + case SPN_SPEC_FULL: + num_spn_spec_vals = talloc_array_length(spec->spn_spec_vals); + for (i = 0; i < num_spn_spec_vals; i++) { + ADD_INFO(spec->spn_spec_vals[i]); + } + break; + case SPN_SPEC_PREFIX: + num_spn_spec_vals = talloc_array_length(spec->spn_spec_vals); + for (i = 0; i < num_spn_spec_vals; i++) { + status = pw2kt_add_prefix(gstate, + state2, + keytabptr, + spec->spn_spec_vals[i]); + if (!ADS_ERR_OK(status)) { + return status; + } + } + break; + default: + return 
ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); + } + return ADS_SUCCESS; +} + +static ADS_STATUS pw2kt_process_keytab(struct pw2kt_global_state *state, + struct pw2kt_keytab_desc *keytabptr) +{ + krb5_error_code ret = 0; + size_t i, j, k, len1 = 0, len2 = 0; size_t *index_array1 = NULL; size_t *index_array2 = NULL; - struct pw2kt_process_state *state2 = NULL; + struct pw2kt_keytab_state *state2 = NULL; + ADS_STATUS status; if (!keytabptr->machine_password) { DBG_ERR("No 'machine_password' option for '%s'. Skip it.\n", @@ -421,11 +646,11 @@ static ADS_STATUS pw2kt_process_keytab(struct pw2kt_state *state, return ADS_SUCCESS; } - state2 = talloc_zero(state, struct pw2kt_process_state); + state2 = talloc_zero(state, struct pw2kt_keytab_state); if (state2 == NULL) { return ADS_ERROR_NT(NT_STATUS_NO_MEMORY); } - talloc_set_destructor(state2, pw2kt_process_state_destructor); + talloc_set_destructor(state2, pw2kt_keytab_state_destructor); ret = smb_krb5_init_context_common(&state2->context); if (ret != 0) { 
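Review bot: `ADD_INFO` has moved from function scope to file scope but is still a bare two-statement macro with a hidden `return` that relies on locals named `ret`, `state2`, `kvno` and `gstate`. Every current use sits inside braces, but an unbraced `if (x) ADD_INFO(p);` would run the error check unconditionally on a stale `ret`. Wrapping the body in `do { ... } while (0)` and adding `#undef ADD_INFO` after `pw2kt_process_specifier` would contain it. Both new helpers also deserve a header comment, e.g. `/* Add prefix/<name>@REALM for the DNS hostname, the NetBIOS name and, if enabled, NetBIOS aliases and additional DNS hostnames */` on `pw2kt_add_prefix`. In `pw2kt_process_specifier` the `SPN_SPEC_SYNC_UPN` case guards against a NULL `ad_upn` while `SPN_SPEC_SYNC_ACCOUNT_NAME` passes `ad_sam_account` unchecked; the two cases should be handled the same way.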
@@ -479,100 +704,11 @@ static ADS_STATUS pw2kt_process_keytab(struct pw2kt_state *state, } } - if (keytabptr->sync_kvno) { - kvno = state->ad_kvno; - } - -#define ADD_INFO(P) \ - ret = pw2kt_process_add_info(state2, kvno, (P), state->info); \ - if (ret != 0) { \ - return ADS_ERROR_KRB5(ret); \ - } - - /* Add ACCOUNTNAME$ entries */ - switch (keytabptr->spn_spec) { - case SPN_SPEC_DEFAULT: - ADD_INFO(state->info->account_name); - break; - case SPN_SPEC_SYNC: - for (i = 0; i < state->ad_num_spns; i++) { - ADD_INFO(state->ad_spn_array[i]); - } - break; - case SPN_SPEC_FULL: - for (i = 0; i < keytabptr->num_spn_spec; i++) { - ADD_INFO(keytabptr->spn_spec_array[i]); - } - break; - case SPN_SPEC_PREFIX: - for (i = 0; i < keytabptr->num_spn_spec; i++) { - princ_s = talloc_asprintf(talloc_tos(), - "%s/%s@%s", - keytabptr->spn_spec_array[i], - lp_netbios_name(), - lp_realm()); - if (princ_s == NULL) { - return ADS_ERROR_KRB5(ENOMEM); - } - ADD_INFO(princ_s); - - if (!keytabptr->netbios_aliases) { - goto additional_dns_hostnames; - } - for (netbios_alias = lp_netbios_aliases(); - netbios_alias != NULL && *netbios_alias != NULL; - netbios_alias++) - { - /* Add PREFIX/netbiosname@REALM */ - princ_s = talloc_asprintf( - talloc_tos(), - "%s/%s@%s", - keytabptr->spn_spec_array[i], - *netbios_alias, - lp_realm()); - if (princ_s == NULL) { - return ADS_ERROR_KRB5(ENOMEM); - } - ADD_INFO(princ_s); - - /* Add PREFIX/netbiosname.domainname@REALM */ - princ_s = talloc_asprintf( - talloc_tos(), - "%s/%s.%s@%s", - keytabptr->spn_spec_array[i], - *netbios_alias, - lp_dnsdomain(), - lp_realm()); - if (princ_s == NULL) { - return ADS_ERROR_KRB5(ENOMEM); - } - ADD_INFO(princ_s); - } - -additional_dns_hostnames: - if (!keytabptr->additional_dns_hostnames) { - continue; - } - for (addl_hostnames = lp_additional_dns_hostnames(); - addl_hostnames != NULL && *addl_hostnames != NULL; - addl_hostnames++) - { - /* Add PREFIX/netbiosname@REALM */ - princ_s = talloc_asprintf( - talloc_tos(), - 
"%s/%s@%s", - keytabptr->spn_spec_array[i], - *addl_hostnames, - lp_realm()); - if (princ_s == NULL) { - return ADS_ERROR_KRB5(ENOMEM); - } - ADD_INFO(princ_s); - } + for (k = 0; k < SPN_SPEC_MAX; k++) { + status = pw2kt_process_specifier(state, state2, keytabptr, k); + if (!ADS_ERR_OK(status)) { + return status; } - break; - default: - return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); } ret = smb_krb5_kt_open(state2->context, @@ -718,7 +854,7 @@ sync_kvno: return ADS_ERROR_KRB5(ret); } -static ADS_STATUS pw2kt_get_dc_info(struct pw2kt_state *state) +static ADS_STATUS pw2kt_get_dc_info(struct pw2kt_global_state *state) { ADS_STATUS status; LDAPMessage *res = NULL; @@ -762,7 +898,7 @@ static ADS_STATUS pw2kt_get_dc_info(struct pw2kt_state *state) "msDS-SupportedEncryptionTypes", &state->ad_etypes); if (!ok) { - DBG_WARNING("Failed to determine encryption types.\n"); + DBG_ERR("Failed to determine encryption types.\n"); ads_msgfree(ads, res); TALLOC_FREE(tmp_ctx); return ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR); @@ -773,7 +909,7 @@ static ADS_STATUS pw2kt_get_dc_info(struct pw2kt_state *state) uint32_t kvno = -1; ok = ads_pull_uint32(ads, res, "msDS-KeyVersionNumber", &kvno); if (!ok) { - DBG_WARNING("Failed to determine the system's kvno.\n"); + DBG_ERR("Failed to determine the system's kvno.\n"); ads_msgfree(ads, res); TALLOC_FREE(tmp_ctx); return ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR); 
@@ -787,8 +923,34 @@ static ADS_STATUS pw2kt_get_dc_info(struct pw2kt_state *state) res, "servicePrincipalName", &state->ad_num_spns); - if (state->ad_spn_array == NULL) { - DBG_WARNING("Failed to determine SPNs.\n"); + if (state->ad_spn_array == NULL || state->ad_num_spns == 0) { + DBG_ERR("Failed to determine servicePrincipalName.\n"); + ads_msgfree(ads, res); + TALLOC_FREE(tmp_ctx); + return ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR); + } + } + + if (state->sync_upn) { + state->ad_upn = ads_pull_string(ads, + state, + res, + "userPrincipalName"); + if (state->ad_upn == NULL) { + DBG_ERR("Failed to determine userPrincipalName.\n"); + ads_msgfree(ads, res); + TALLOC_FREE(tmp_ctx); + return ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR); + } + } + + if (state->sync_sam_account) { + state->ad_sam_account = ads_pull_string(ads, + state, + res, + "sAMAccountName"); + if (state->ad_sam_account == NULL) { + DBG_ERR("Failed to determine sAMAccountName.\n"); ads_msgfree(ads, res); TALLOC_FREE(tmp_ctx); return ADS_ERROR_NT(NT_STATUS_INTERNAL_ERROR); @@ -864,13 +1026,14 @@ NTSTATUS sync_pw2keytabs(void) TALLOC_CTX *frame = talloc_stackframe(); const struct loadparm_substitution *lp_sub = loadparm_s3_global_substitution(); - struct pw2kt_state *state = NULL; + struct pw2kt_global_state *state = NULL; const char **line = NULL; const char **lp_ptr = NULL; const char *pwsync_script = NULL; NTSTATUS status_nt; ADS_STATUS status_ads; int i; + size_t num_keytabs; DBG_DEBUG("Syncing machine password from secrets to keytabs.\n"); @@ -879,7 +1042,7 @@ NTSTATUS sync_pw2keytabs(void) return NT_STATUS_OK; /* nothing todo */ } - state = talloc_zero(frame, struct pw2kt_state); + state = talloc_zero(frame, struct pw2kt_global_state); if (state == NULL) { TALLOC_FREE(frame); return NT_STATUS_NO_MEMORY; 
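Review bot: A missing `userPrincipalName` is treated as a hard error in this hunk, and the caller in `sync_pw2keytabs` then returns before any keytab is processed, so one keytab line with `sync_upn` stops the update of every configured keytab. It also makes the `gstate->ad_upn != NULL` guard in `pw2kt_process_specifier` unreachable. If the attribute can legitimately be absent on the machine account (it is optional on AD computer objects, to be confirmed for the supported join modes), logging with `DBG_WARNING` and leaving `state->ad_upn` NULL would match that guard; otherwise the guard should go. `pw2kt_get_dc_info` starts and ends outside the hunk.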
@@ -921,7 +1084,9 @@ NTSTATUS sync_pw2keytabs(void) } params_ready: - if (state->sync_etypes || state->sync_kvno || state->sync_spns) { + if (state->sync_etypes || state->sync_kvno || state->sync_spns || + state->sync_upn || state->sync_sam_account) + { status_ads = pw2kt_get_dc_info(state); if (!ADS_ERR_OK(status_ads)) { DBG_WARNING("cannot read from DC\n"); @@ -929,9 +1094,10 @@ params_ready: return NT_STATUS_INTERNAL_ERROR; } } else { - DBG_DEBUG("No 'sync_etypes', 'sync_kvno' and 'sync_spns' in " - "parameter 'sync machine password to keytab' => " - "no need to talk to DC.\n"); + DBG_DEBUG("No 'sync_etypes', 'sync_kvno', 'sync_spns', " + "'sync_upn' and 'sync_sam_account' in parameter " + "'sync machine password to keytab' => no need to " + "talk to DC.\n"); } if (!secrets_init()) { @@ -951,7 +1117,8 @@ params_ready: return status_nt; } - for (i = 0; i < state->num_keytabs; i++) { + num_keytabs = talloc_array_length(state->keytabs); + for (i = 0; i < num_keytabs; i++) { status_ads = pw2kt_process_keytab(state, &state->keytabs[i]); if (!ADS_ERR_OK(status_ads)) { TALLOC_FREE(frame); diff --git a/source3/script/tests/test_update_keytab.sh b/source3/script/tests/test_update_keytab.sh index 2e0da0381b6..0b7dcf0d7d5 100755 --- a/source3/script/tests/test_update_keytab.sh +++ b/source3/script/tests/test_update_keytab.sh 
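Review bot: The debug text names an option `'sync_sam_account'`, but the specifier accepted by `pw2kt_scan_spec` is `sync_account_name`; `sync_sam_account` is only the internal flag name. An administrator searching smb.conf or the documentation for the string from the log will not find it, so I would write `"'sync_upn' and 'sync_account_name' in parameter "` here.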
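Review bot: `i` is still declared `int` in the declaration hunk above, while the new bound `num_keytabs` is `size_t`, so `i < num_keytabs` is a signed/unsigned comparison. If `i` is not needed as a signed value elsewhere in `sync_pw2keytabs`, declaring it `size_t i;` removes the implicit conversion and matches how `talloc_array_length()` results are indexed in the rest of this patch. The loop body continues outside the hunk.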
@@ -20,208 +20,416 @@ samba_net="$BINDIR/net $CONFIGURATION" samba_rpcclient="$BINDIR/rpcclient $CONFIGURATION" smbclient="${BINDIR}/smbclient" -keytabs_sync_kvno="keytab0k keytab1k keytab2k keytab3k" +keytabs_sync_kvno="keytab0k keytab1k keytab2k keytab3k keytab4k" keytabs_nosync_kvno="keytab0 keytab1 keytab2 keytab3" keytabs_all="$keytabs_sync_kvno $keytabs_nosync_kvno" -# default, no specifiers +# Generate the next ~300 lines for keytab templates using these steps: +# make testenv SELFTEST_TESTENV="ad_member_idmap_nss:local" +# source3/script/tests/test_update_keytab.sh ADDOMAIN --configfile=st/ad_member_idmap_nss/lib/server.conf +# and finally source it from the vim editor +# :r! for k in keytab0 keytab0k keytab1 keytab1k keytab2 keytab2k keytab3 keytab3k keytab4k ; do (echo $k=\"\\; bin/net --configfile=st/ad_member_idmap_nss/lib/server.conf ads keytab list /path/st/ad_member_idmap_nss/$k |sort -k3 |grep -v Vno|sed 's/\$/\\$/'; echo '";'; echo ); done + keytab0="\ - -1 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM - -1 aes128-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM -1 arcfour-hmac-md5 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM - -2 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM - -2 aes128-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM -2 arcfour-hmac-md5 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM - -3 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM - -3 aes128-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM -3 arcfour-hmac-md5 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM + -1 aes128-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM + -2 aes128-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM + -3 aes128-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM + -1 
arcfour-hmac-md5 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + -2 arcfour-hmac-md5 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + -3 arcfour-hmac-md5 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + -1 aes128-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + -2 aes128-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + -3 aes128-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + -1 arcfour-hmac-md5 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -2 arcfour-hmac-md5 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -3 arcfour-hmac-md5 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -1 aes128-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -2 aes128-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -3 aes128-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM "; -# sync_kvno=yes keytab0k="\ - 5 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM - 3 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM 4 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + 6 
aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM "; -# sync_spns=yes keytab1="\ - -1 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -2 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -3 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -1 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM -1 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM -2 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM -3 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM - -1 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 HOST/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 
HOST/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 HOST/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 HOST/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 HOST/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 HOST/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM -1 aes256-cts-hmac-sha1-96 HOST/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM -2 aes256-cts-hmac-sha1-96 HOST/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM -3 aes256-cts-hmac-sha1-96 HOST/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 HOST/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 HOST/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 HOST/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM -1 aes256-cts-hmac-sha1-96 HOST/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM -2 aes256-cts-hmac-sha1-96 HOST/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM -3 aes256-cts-hmac-sha1-96 HOST/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM - -2 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM - -3 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 HOST/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 HOST/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 HOST/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM -1 aes256-cts-hmac-sha1-96 HOST/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM -2 aes256-cts-hmac-sha1-96 HOST/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 HOST/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 HOST/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 HOST/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 HOST/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 
RestrictedKrbHost/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM -2 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM -3 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -1 aes256-cts-hmac-sha1-96 HOST/NETBIOS1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -2 aes256-cts-hmac-sha1-96 HOST/NETBIOS1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -3 aes256-cts-hmac-sha1-96 HOST/NETBIOS1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -1 aes256-cts-hmac-sha1-96 HOST/NETBIOS2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -2 aes256-cts-hmac-sha1-96 HOST/NETBIOS2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -3 aes256-cts-hmac-sha1-96 HOST/NETBIOS2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -3 aes256-cts-hmac-sha1-96 HOST/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM - -1 aes256-cts-hmac-sha1-96 HOST/NETBIOS3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -2 aes256-cts-hmac-sha1-96 HOST/NETBIOS3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -3 aes256-cts-hmac-sha1-96 HOST/NETBIOS3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -1 aes256-cts-hmac-sha1-96 HOST/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM - -2 aes256-cts-hmac-sha1-96 HOST/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM - -3 aes256-cts-hmac-sha1-96 HOST/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM - -1 aes256-cts-hmac-sha1-96 HOST/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM - -2 aes256-cts-hmac-sha1-96 HOST/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM - -3 aes256-cts-hmac-sha1-96 HOST/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM "; -# sync_spns=yes:sync_kvno=yes keytab1k="\ - 5 aes256-cts-hmac-sha1-96 
HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - 5 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM 5 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM - 5 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM - 5 aes256-cts-hmac-sha1-96 HOST/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM - 5 aes256-cts-hmac-sha1-96 HOST/NETBIOS1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - 5 aes256-cts-hmac-sha1-96 HOST/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM - 5 aes256-cts-hmac-sha1-96 HOST/NETBIOS2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - 5 aes256-cts-hmac-sha1-96 HOST/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM - 5 aes256-cts-hmac-sha1-96 HOST/NETBIOS3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 HOST/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM 5 aes256-cts-hmac-sha1-96 HOST/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 HOST/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 
HOST/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM 5 aes256-cts-hmac-sha1-96 HOST/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM - 3 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - 3 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - 3 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM - 3 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM - 3 aes256-cts-hmac-sha1-96 HOST/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM - 3 aes256-cts-hmac-sha1-96 HOST/NETBIOS1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - 3 aes256-cts-hmac-sha1-96 HOST/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM - 3 aes256-cts-hmac-sha1-96 HOST/NETBIOS2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - 3 aes256-cts-hmac-sha1-96 HOST/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM - 3 aes256-cts-hmac-sha1-96 HOST/NETBIOS3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - 3 aes256-cts-hmac-sha1-96 HOST/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM - 3 aes256-cts-hmac-sha1-96 HOST/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM - 4 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - 4 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - 4 aes256-cts-hmac-sha1-96 HOST/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM - 4 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 HOST/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM 4 aes256-cts-hmac-sha1-96 HOST/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM - 4 aes256-cts-hmac-sha1-96 HOST/NETBIOS1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 HOST/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 HOST/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 HOST/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 HOST/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 6 
aes256-cts-hmac-sha1-96 HOST/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM 4 aes256-cts-hmac-sha1-96 HOST/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM - 4 aes256-cts-hmac-sha1-96 HOST/NETBIOS2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 HOST/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 HOST/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 HOST/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 HOST/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 HOST/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM 4 aes256-cts-hmac-sha1-96 HOST/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM - 4 aes256-cts-hmac-sha1-96 HOST/NETBIOS3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - 4 aes256-cts-hmac-sha1-96 HOST/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM - 4 aes256-cts-hmac-sha1-96 HOST/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 HOST/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 HOST/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 HOST/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 HOST/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 HOST/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 RestrictedKrbHost/ADMEMIDMAPNSS.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM "; -# spn_prefixes=imap,smtp keytab2="\ + -1 aes256-cts-hmac-sha1-96 
host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 host/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 host/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 host/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 host/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 host/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 host/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 host/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 host/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 host/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 host/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 host/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 host/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 host/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 host/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 host/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 host/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 host/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 host/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 host/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 
host/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 host/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 host/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 host/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 host/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM -1 aes256-cts-hmac-sha1-96 imap/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM -2 aes256-cts-hmac-sha1-96 imap/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM -3 aes256-cts-hmac-sha1-96 imap/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 imap/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 imap/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 imap/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM -1 aes256-cts-hmac-sha1-96 imap/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM -2 aes256-cts-hmac-sha1-96 imap/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM -3 aes256-cts-hmac-sha1-96 imap/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 imap/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 imap/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 imap/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM -1 aes256-cts-hmac-sha1-96 imap/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM -2 aes256-cts-hmac-sha1-96 imap/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM - -1 aes256-cts-hmac-sha1-96 
imap/NETBIOS1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -2 aes256-cts-hmac-sha1-96 imap/NETBIOS1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM -3 aes256-cts-hmac-sha1-96 imap/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 imap/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 imap/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 imap/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM -1 aes256-cts-hmac-sha1-96 imap/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM - -3 aes256-cts-hmac-sha1-96 imap/NETBIOS1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -1 aes256-cts-hmac-sha1-96 imap/NETBIOS2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM -2 aes256-cts-hmac-sha1-96 imap/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM -3 aes256-cts-hmac-sha1-96 imap/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM - -2 aes256-cts-hmac-sha1-96 imap/NETBIOS2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -3 aes256-cts-hmac-sha1-96 imap/NETBIOS2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -1 aes256-cts-hmac-sha1-96 imap/NETBIOS3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -2 aes256-cts-hmac-sha1-96 imap/NETBIOS3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -3 aes256-cts-hmac-sha1-96 imap/NETBIOS3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -1 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM - -2 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM - -1 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM - -3 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 imap/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 imap/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 imap/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM -1 aes256-cts-hmac-sha1-96 smtp/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM - -2 aes256-cts-hmac-sha1-96 
imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM - -3 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM -2 aes256-cts-hmac-sha1-96 smtp/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM -3 aes256-cts-hmac-sha1-96 smtp/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 smtp/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 smtp/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 smtp/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM -1 aes256-cts-hmac-sha1-96 smtp/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM -2 aes256-cts-hmac-sha1-96 smtp/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM -3 aes256-cts-hmac-sha1-96 smtp/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM - -1 aes256-cts-hmac-sha1-96 smtp/NETBIOS1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -2 aes256-cts-hmac-sha1-96 smtp/NETBIOS1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -3 aes256-cts-hmac-sha1-96 smtp/NETBIOS1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 smtp/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 smtp/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 smtp/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM -1 aes256-cts-hmac-sha1-96 smtp/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM -2 aes256-cts-hmac-sha1-96 smtp/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM -3 aes256-cts-hmac-sha1-96 smtp/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM - -1 aes256-cts-hmac-sha1-96 
smtp/NETBIOS2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -2 aes256-cts-hmac-sha1-96 smtp/NETBIOS2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -3 aes256-cts-hmac-sha1-96 smtp/NETBIOS2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 smtp/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 smtp/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 smtp/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM -1 aes256-cts-hmac-sha1-96 smtp/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM -2 aes256-cts-hmac-sha1-96 smtp/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM -3 aes256-cts-hmac-sha1-96 smtp/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM - -1 aes256-cts-hmac-sha1-96 smtp/NETBIOS3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -2 aes256-cts-hmac-sha1-96 smtp/NETBIOS3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -3 aes256-cts-hmac-sha1-96 smtp/NETBIOS3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM - -1 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM - -2 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM - -3 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM - -1 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM - -2 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM - -3 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 smtp/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 smtp/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 smtp/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM "; -# spn_prefixes=imap,smtp:sync_kvno=yes keytab2k="\ - 5 aes256-cts-hmac-sha1-96 imap/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM - 5 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM - 5 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM - 5 
aes256-cts-hmac-sha1-96 smtp/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM - 5 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM - 5 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM - 3 aes256-cts-hmac-sha1-96 imap/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM - 3 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM - 3 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM - 3 aes256-cts-hmac-sha1-96 smtp/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM - 3 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM - 3 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 host/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 host/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 host/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 host/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 host/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 host/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM 4 aes256-cts-hmac-sha1-96 imap/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 imap/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 imap/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 imap/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 imap/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 6 
aes256-cts-hmac-sha1-96 imap/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM 4 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM 4 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM 4 aes256-cts-hmac-sha1-96 smtp/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 smtp/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 smtp/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 smtp/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 smtp/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 smtp/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM 4 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM 4 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM "; -# spns=wurst/brot\@$dcvars->{REALM} keytab3="\ + -1 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + -1 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -2 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + -3 aes256-cts-hmac-sha1-96 
host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM -1 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM -2 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM -3 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM "; -# spns=wurst/brot\@$dcvars->{REALM},wurst1/brot\@$dcvars->{REALM},wurst2/brot\@$dcvars->{REALM}:sync_kvno=yes keytab3k="\ - 5 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 wurst1/brot@ADDOM.SAMBA.EXAMPLE.COM 5 aes256-cts-hmac-sha1-96 wurst1/brot@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 wurst1/brot@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 wurst2/brot@ADDOM.SAMBA.EXAMPLE.COM 5 aes256-cts-hmac-sha1-96 wurst2/brot@ADDOM.SAMBA.EXAMPLE.COM - 3 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM - 3 aes256-cts-hmac-sha1-96 wurst1/brot@ADDOM.SAMBA.EXAMPLE.COM - 3 aes256-cts-hmac-sha1-96 wurst2/brot@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 wurst2/brot@ADDOM.SAMBA.EXAMPLE.COM 4 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM +"; + +keytab4k="\ + 4 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM + 6 
aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 ADMEMIDMAPNSS\$@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 host/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 host/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 host/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 host/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 host/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 host/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 host/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 host/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 host/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 host/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 host/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 host/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 host/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 host/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 host/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 host/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 host/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 host/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 host/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 
host/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 host/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 host/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 host/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 host/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 host/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 host/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 imap/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 imap/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 imap/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 imap/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 imap/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 imap/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 imap/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 imap/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 imap/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 imap/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 imap/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 imap/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 imap/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 imap/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 
imap/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 imap/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 imap/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 imap/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 imap/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 imap/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 imap/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 imap/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 imap/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 imap/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 imap/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 imap/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 smtp/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 smtp/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 smtp/ADMEMIDMAPNSS@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 smtp/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 smtp/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 smtp/admemidmapnss.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 smtp/host1.example.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 smtp/host2.other.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 smtp/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 smtp/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM + 6 
aes256-cts-hmac-sha1-96 smtp/NETBIOS1@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 smtp/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 smtp/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 smtp/netbios1.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 smtp/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 smtp/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 smtp/NETBIOS2@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 smtp/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 smtp/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 smtp/netbios2.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 smtp/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 smtp/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 smtp/NETBIOS3@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 smtp/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 smtp/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 smtp/netbios3.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM 4 aes256-cts-hmac-sha1-96 wurst1/brot@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 wurst1/brot@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 wurst1/brot@ADDOM.SAMBA.EXAMPLE.COM 4 aes256-cts-hmac-sha1-96 wurst2/brot@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 wurst2/brot@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 wurst2/brot@ADDOM.SAMBA.EXAMPLE.COM + 4 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM + 5 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM + 6 aes256-cts-hmac-sha1-96 wurst/brot@ADDOM.SAMBA.EXAMPLE.COM "; # find the biggest vno and store it into global variable vno 
@@ -289,9 +497,9 @@ SED2="s/^ \+-\?[0-9]\+ \+//"
 compare_keytabs_sync_kvno()
 {
- sed "$SED1" < "$1" | sort -k1rn -k3 | sed "$SED2" > "${1}.sync_kvno"
- sed "$SED1" < "$2" | sort -k1rn -k3 | sed "$SED2" > "${2}.sync_kvno"
- diff --ignore-case "${1}.sync_kvno" "${2}.sync_kvno"
+ sed "$SED1" < "$1" | sed "$SED2" | sort > "${1}.sync_kvno"
+ sed "$SED1" < "$2" | sed "$SED2" | sort > "${2}.sync_kvno"
+ diff "${1}.sync_kvno" "${2}.sync_kvno"
 return $?
 }
@@ -299,7 +507,7 @@ compare_keytabs_nosync_kvno()
 {
 sed "$SED1" < "$1" | sort -k1rn -k3 > "${1}.nosync_kvno"
 sed "$SED1" < "$2" | sort -k1rn -k3 > "${2}.nosync_kvno"
- diff --ignore-case "${1}.nosync_kvno" "${2}.nosync_kvno"
+ diff "${1}.nosync_kvno" "${2}.nosync_kvno"
 return $?
 }
@@ -391,6 +599,7 @@ printf '%s' "$keytab2" > "$TMPDIR/keytab2_template"
 printf '%s' "$keytab2k" > "$TMPDIR/keytab2k_template"
 printf '%s' "$keytab3" > "$TMPDIR/keytab3_template"
 printf '%s' "$keytab3k" > "$TMPDIR/keytab3k_template"
+printf '%s' "$keytab4k" > "$TMPDIR/keytab4k_template"
 # Other approach could e.g. compare first six entries from the template.
 # The 6 entries correspond to password and old_password, each has 3 enc. types.
-- 
2.47.2
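Review bot: compare_keytabs_sync_kvno has no comment saying that the kvno column is not compared. `sed "$SED2"` removes the leading number before `sort`, so the 4/5/6 values written in the `*k` templates are never checked, and only the enctype and the principal (now case-sensitively) decide the result. A line above the function such as `# SED2 strips the kvno column: only enctype and principal are compared (case-sensitive)` would make that explicit. The values are presumably dropped because they are not predictable in the test environment, which is worth confirming. The comparison still sees how many entries each principal has, because `sort` is used without `-u`, but it cannot tell whether their kvnos are distinct, so that would need a separate check if it matters for the sync_kvno case.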