mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
docs:smbdotconf: Improve formatting of 'sync machine password to keytab'
Hint: review this commit with ignoring white space changes. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689 Signed-off-by: Pavel Filipenský <pfilipensky@samba.org> Reviewed-by: Reviewed-by: Martin Schwenke <martin@meltin.net>
This commit is contained in:
parent
5851ae5554
commit
6c627903ee
@ -3,8 +3,9 @@
|
||||
type="cmdlist"
|
||||
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
||||
<description>
|
||||
<para>This option allows you to describe what keytabs and how should be
|
||||
updated when machine account is changed via one of these commands
|
||||
<para>
|
||||
This option allows you to describe what keytabs and how should be updated when
|
||||
machine account is changed via one of these commands
|
||||
|
||||
<programlisting>
|
||||
wbinfo --change-secret
|
||||
@ -13,57 +14,63 @@ net rpc changetrustpw
|
||||
net ads changetrustpw
|
||||
</programlisting>
|
||||
|
||||
or by winbindd doing regular updates (see <smbconfoption name="machine password timeout"/>)
|
||||
|
||||
or by winbindd doing regular updates (see <smbconfoption name="machine password timeout"/>)
|
||||
</para>
|
||||
|
||||
<para>The option takes a list of keytab strings. Each string has this form:
|
||||
|
||||
<programlisting>
|
||||
absolute_path_to_keytab:spn_spec[:sync_etypes][:sync_kvno][:netbios_aliases][:additional_dns_hostnames][:machine_password]
|
||||
</programlisting>
|
||||
|
||||
where spn_spec can have exactly one of these three forms:
|
||||
<programlisting>
|
||||
account_name
|
||||
sync_spns
|
||||
spn_prefixes=value1[,value2[...]]
|
||||
spns=value1[,value2[...]]
|
||||
</programlisting>
|
||||
<para>
|
||||
No other combinations are allowed.
|
||||
The option takes a list of keytab strings. Each string has this form:
|
||||
<programlisting>
|
||||
absolute_path_to_keytab:spn_spec[:sync_etypes][:sync_kvno][:netbios_aliases][:additional_dns_hostnames][:machine_password]
|
||||
</programlisting>
|
||||
|
||||
Specifiers:
|
||||
account_name - creates entry using principal 'computer$@REALM'.
|
||||
sync_spns - uses principals received from AD DC.
|
||||
spn_prefixes - creates principals from the prefixes and adds netbios_aliases or additional_dns_hostnames if specified.
|
||||
spns - creates only the principals defined in the list.
|
||||
|
||||
Options:
|
||||
sync_etypes - parameter "msDS-SupportedEncryptionTypes" is read from DC and is used to find the highest common enc type for AD and KRB5 lib.
|
||||
sync_kvno - the key version number ("msDS-KeyVersionNumber") is synchronized from DC, otherwise is set to -1.
|
||||
netbios_aliases - evaluated only for SPN_SPEC_PREFIX. If present, PREFIX/netbiosname@REALM and PREFIX/netbiosname.domainname@REALM are added for each alias. See <smbconfoption name="netbios aliases"/>
|
||||
additional_dns_hostnames - evaluated only for SPN_SPEC_PREFIX. If present, PREFIX/dnshostname@REALM is added for each dns name. See <smbconfoption name="additional dns hostnames"/>
|
||||
machine_password - mandatory, if missing the entry is ignored. For future use.
|
||||
where spn_spec can have exactly one of these four forms:
|
||||
<programlisting>
|
||||
account_name
|
||||
sync_spns
|
||||
spn_prefixes=value1[,value2[...]]
|
||||
spns=value1[,value2[...]]
|
||||
</programlisting>
|
||||
No other combinations are allowed.
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Specifiers:
|
||||
<programlisting>
|
||||
account_name - creates entry using principal 'computer$@REALM'.
|
||||
sync_spns - uses principals received from AD DC.
|
||||
spn_prefixes - creates principals from the prefixes and adds netbios_aliases or additional_dns_hostnames if specified.
|
||||
spns - creates only the principals defined in the list.
|
||||
</programlisting>
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Options:
|
||||
<programlisting>
|
||||
sync_etypes - parameter "msDS-SupportedEncryptionTypes" is read from DC and is used to find the highest common enc type for AD and KRB5 lib.
|
||||
sync_kvno - the key version number ("msDS-KeyVersionNumber") is synchronized from DC, otherwise is set to -1.
|
||||
netbios_aliases - evaluated only for SPN_SPEC_PREFIX. If present, PREFIX/netbiosname@REALM and PREFIX/netbiosname.domainname@REALM are added for each alias. See <smbconfoption name="netbios aliases"/>
|
||||
additional_dns_hostnames - evaluated only for SPN_SPEC_PREFIX. If present, PREFIX/dnshostname@REALM is added for each dns name. See <smbconfoption name="additional dns hostnames"/>
|
||||
machine_password - mandatory, if missing the entry is ignored. For future use.
|
||||
</programlisting>
|
||||
</para>
|
||||
|
||||
<para>
|
||||
Example:
|
||||
<programlisting>
|
||||
"/path/to/keytab0:account_name:machine_password",
|
||||
"/path/to/keytab1:account_name:sync_etypes:sync_kvno:machine_password",
|
||||
"/path/to/keytab2:sync_spns:machine_password",
|
||||
"/path/to/keytab3:sync_spns:sync_kvno:machine_password",
|
||||
"/path/to/keytab4:spn_prefixes=imap,smtp:machine_password",
|
||||
"/path/to/keytab5:spn_prefixes=imap,smtp:netbios_aliases:additional_dns_hostnames:sync_kvno:machine_password",
|
||||
"/path/to/keytab6:spns=wurst/brot@REALM:machine_password",
|
||||
"/path/to/keytab7:spns=wurst/brot@REALM,wurst2/brot@REALM:sync_kvno:machine_password"
|
||||
"/path/to/keytab0:account_name:machine_password",
|
||||
"/path/to/keytab1:account_name:sync_etypes:sync_kvno:machine_password",
|
||||
"/path/to/keytab2:sync_spns:machine_password",
|
||||
"/path/to/keytab3:sync_spns:sync_kvno:machine_password",
|
||||
"/path/to/keytab4:spn_prefixes=imap,smtp:machine_password",
|
||||
"/path/to/keytab5:spn_prefixes=imap,smtp:netbios_aliases:additional_dns_hostnames:sync_kvno:machine_password",
|
||||
"/path/to/keytab6:spns=wurst/brot@REALM:machine_password",
|
||||
"/path/to/keytab7:spns=wurst/brot@REALM,wurst2/brot@REALM:sync_kvno:machine_password"
|
||||
</programlisting>
|
||||
If sync_etypes or sync_kvno or sync_spns is present then winbind connects to DC. For "offline domain join" it might be useful not to use these options.
|
||||
|
||||
If no value is present, winbind uses value /path/to/keytab:sync_spns:sync_kvno:machine_password
|
||||
If no value is present, winbind uses value <programlisting>/path/to/keytab:sync_spns:sync_kvno:machine_password</programlisting>
|
||||
where the path to the keytab is obtained either from the krb5 library or from <smbconfoption name="dedicated keytab file"/>
|
||||
</para>
|
||||
|
||||
</description>
|
||||
</samba:parameter>
|
||||
|
Loading…
Reference in New Issue
Block a user