From: Pavel Filipenský <pfilipensky@samba.org>
Date: Mon, 12 Aug 2024 09:49:14 +0000 (+0200)
Subject: docs:smbdotconf: Improve documentation for 'sync machine password to keytab'
X-Git-Tag: tdb-1.4.13~1389
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=2dd81ec2bea46ad6caa6e40194eae4340f4acc7d;p=thirdparty%2Fsamba.git

docs:smbdotconf: Improve documentation for 'sync machine password to keytab'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
---

diff --git a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
index b749ecb5c66..4cad9da73f2 100644
--- a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
+++ b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
@@ -67,10 +67,19 @@ Example:
 "/path/to/keytab7:spns=wurst/brot@REALM,wurst2/brot@REALM:sync_kvno:machine_password"
 </programlisting>
 If sync_etypes or sync_kvno or sync_spns is present then winbind connects to DC. For "offline domain join" it might be useful not to use these options.
+</para>
 
+<para>
 If no value is present, winbind uses value <programlisting>/path/to/keytab:sync_spns:sync_kvno:machine_password</programlisting>
 where the path to the keytab is obtained either from the krb5 library or from <smbconfoption name="dedicated keytab file"/>
 </para>
 
+<para>
+    Suggested configuration is together with <smbconfoption name="kerberos method"/> set to the default value 'secrets only'.
+</para>
+
+<para>
+    In clustered environments it is recommended to set <smbconfoption name="sync machine password script"/> to update the machine password on all nodes.
+</para>
 </description>
 </samba:parameter>