docs:smbdotconf: Improve documentation for 'sync machine password to keytab'

author Pavel Filipenský <pfilipensky@samba.org>

Mon, 12 Aug 2024 09:49:14 +0000 (11:49 +0200)

committer Stefan Metzmacher <metze@samba.org>

Tue, 13 Aug 2024 14:10:37 +0000 (14:10 +0000)
author Pavel Filipenský <pfilipensky@samba.org>
Mon, 12 Aug 2024 09:49:14 +0000 (11:49 +0200)
committer Stefan Metzmacher <metze@samba.org>
Tue, 13 Aug 2024 14:10:37 +0000 (14:10 +0000)
diff --git a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml

index b749ecb5c665723e9a31c0d3daccc2ff62a35482..4cad9da73f25fb1d38457aeb9c1d4a3430aeab34 100644 (file)
--- a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
+++ b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
@@ -67,10 +67,19 @@ Example:
  "/path/to/keytab7:spns=wurst/brot@REALM,wurst2/brot@REALM:sync_kvno:machine_password"
  </programlisting>
  If sync_etypes or sync_kvno or sync_spns is present then winbind connects to DC. For "offline domain join" it might be useful not to use these options.
+</para>
  
+<para>
  If no value is present, winbind uses value <programlisting>/path/to/keytab:sync_spns:sync_kvno:machine_password</programlisting>
  where the path to the keytab is obtained either from the krb5 library or from <smbconfoption name="dedicated keytab file"/>
  </para>
  
+<para>
+    Suggested configuration is together with <smbconfoption name="kerberos method"/> set to the default value 'secrets only'.
+</para>
+
+<para>
+    In clustered environments it is recommended to set <smbconfoption name="sync machine password script"/> to update the machine password on all nodes.
+</para>
  </description>
  </samba:parameter>
author	Pavel Filipenský <pfilipensky@samba.org>
	Mon, 12 Aug 2024 09:49:14 +0000 (11:49 +0200)
committer	Stefan Metzmacher <metze@samba.org>
	Tue, 13 Aug 2024 14:10:37 +0000 (14:10 +0000)