2025-02-24 13:57:43 +03:00 · 2025-02-14 17:27:26 +01:00 · 2025-02-14 17:27:26 +01:00 · 7cae7aad1c
commit 7cae7aad1c
parent ccc3b2b2fb
2 changed files with 7 additions and 8 deletions
--- a/docs-xml/manpages/net.8.xml
+++ b/docs-xml/manpages/net.8.xml
@ -1564,10 +1564,10 @@ keytab"/> is missing.
 <para>
 Till Samba 4.20, these entries were created by default: the account name
 COMPUTER$, 'host' principal and SPNs synced from AD. Example below generates
-such keytab ('host' is added implicitly):
+such keytab:
 </para>
 <programlisting>
-<smbconfoption name="sync machine password to keytab">/etc/krb5.keytab:account_name:sync_spns:sync_kvno:machine_password</smbconfoption>
+<smbconfoption name="sync machine password to keytab">/etc/krb5.keytab:spn_prefixes=host:account_name:sync_spns:sync_kvno:machine_password</smbconfoption>
 </programlisting>
 <para>
 No changes are made to the computer AD account.
--- a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
+++ b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
@ -39,12 +39,10 @@ spns=value1[,value2[...]]
 </para>

 <para>
-Every keytab contains the 'host' principal and principals according the specification below:
+Every keytab contains principals according the specification below:
 <programlisting>
 account_name      - COMPUTER$@REALM
 sync_account_name - uses attribute "sAMAccountName" from AD
-host              - always present, no need to specify it explicitly
-                    the 'host' principal is created for the same variants (netbios name, dns hostname, netbiosalias, additional_dns_hostname) as in spn_prefixes
 sync_upn          - uses attribute "userPrincipalName" (if exists in AD)
 sync_spns         - uses attribute "servicePrincipalName" (if exists in AD)
 spn_prefixes      - creates these two principals from each prefix. e.g.:
@ -55,6 +53,7 @@ spn_prefixes      - creates these two principals from each prefix. e.g.:
                      prefix/netbiosalias.dnsdomain@REALM
                    with :additional_dns_hostnames for each additionaldnshostname in <smbconfoption name="additional dns hostnames"/>
                      prefix/additionaldnshostname@REALM
+                  - 'host' principal should be created using specifier spn_prefixes
 spns              - creates only the principals defined in the list
 </programlisting>
 'account_name' and 'sync_account_name' are the same, just the source differs (secrets.tdb vs. AD).
@ -65,8 +64,8 @@ Options:
 <programlisting>
 sync_etypes              - attribute "msDS-SupportedEncryptionTypes" is read from AD and is used to find the highest common enc type for AD and KRB5 lib.
 sync_kvno                - attribute "msDS-KeyVersionNumber" from AD is used to set KVNO. If this option is missing, KVNO is set to -1.
-netbios_aliases          - evaluated only for spn_prefixes (see details above) and for the 'host' principal.
-additional_dns_hostnames - evaluated only for spn_prefixes (see details above) and for the 'host' principal.
+netbios_aliases          - evaluated only for spn_prefixes (see details above).
+additional_dns_hostnames - evaluated only for spn_prefixes (see details above).
 machine_password         - mandatory, if missing the entry is ignored. For future use.
 </programlisting>
 </para>
@ -82,7 +81,7 @@ Example:
 "/path/to/keytab5:spn_prefixes=imap,smtp:netbios_aliases:additional_dns_hostnames:sync_kvno:machine_password",
 "/path/to/keytab6:spns=wurst/brot@REALM:machine_password",
 "/path/to/keytab7:spns=wurst/brot@REALM,wurst2/brot@REALM:sync_kvno:machine_password",
-"/path/to/keytab8:account_name:sync_account_name:host:sync_upn:sync_spns:spn_prefixes=cifs,http:spns=wurst/brot@REALM:sync_kvno:machine_password"
+"/path/to/keytab8:sync_account_name:sync_upn:sync_spns:spn_prefixes=host,cifs,http:spns=wurst/brot@REALM:sync_kvno:machine_password"
 </programlisting>
 If sync_etypes or sync_kvno or sync_spns is present then winbind connects to DC. For "offline domain join" it might be useful not to use these options.
 </para>