mirror of https://github.com/samba-team/samba.git synced 2025-01-18 06:04:06 +03:00

docs:manpages: Update 'net ads keytab create'

BUG: https://bugzilla.samba.org/show_bug.cgi?id=6750

Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Pavel Filipensky <pfilipensky@samba.org>
Autobuild-Date(master): Mon Dec 16 19:32:32 UTC 2024 on atb-devel-224

(cherry picked from commit 7b73c574d93668edd94f2eb18b58568d420487f4)

Autobuild-User(v4-21-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-21-test): Tue Dec 31 15:31:52 UTC 2024 on atb-devel-224
Pavel Filipenský 2024-12-03 16:21:26 +01:00 committed by Jule Anger
parent 7202467477
commit e1c1b88170


@ -1548,12 +1548,33 @@ to show in the result.
<title>ADS KEYTAB <replaceable>CREATE</replaceable></title>
<para>
Creates a new keytab file if one doesn't exist with default entries. Default
entries are kerberos principals created from the machinename of the
client, the UPN (if it exists) and any Windows SPN(s) associated with the
computer AD account for the client. If a keytab file already exists then only
missing kerberos principals from the default entries are added. No changes
are made to the computer AD account.
Since Samba 4.21.0, keytab file is created as specified in <smbconfoption
name="sync machine password to keytab"/>. The keytab is created only for
<smbconfoption name="kerberos method">secrets only</smbconfoption> and
<smbconfoption name="kerberos method">secrets and keytab</smbconfoption>. With
the smb.conf default values for <smbconfoption name="kerberos method"> secrets
only</smbconfoption> and <smbconfoption name="sync machine password to keytab"/>
(default is empty) the keytab is not generated at all. Keytab with a default
name and SPNs synced from AD is created for <smbconfoption name="kerberos
method">secrets and keytab</smbconfoption> if <smbconfoption name="sync machine
password to keytab"/> is missing.
</para>
<para>
Till Samba 4.20.0, two more entries were created by default: the machinename of
the client (ending with '$') and the UPN (host/domain@REALM). If these two
entries are still needed, each must be specified in an own keytab file.
Example below will generate three keytab files that contain SPNs synced from
AD, host UPN and machine$ SPN:
</para>
<programlisting>
<smbconfoption name="sync machine password to keytab">
/etc/krb5.keytab0:sync_spns:machine_password,
/etc/krb5.keytab1:spns=host/smb.com@SMB.COM:machine_password,
/etc/krb5.keytab2:account_name:machine_password
</smbconfoption>
</programlisting>
<para>
No changes are made to the computer AD account.
</para>
</refsect2>
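Review bot: the unchanged opening sentences of this paragraph ("Creates a new keytab file if one doesn't exist with default entries. Default entries are kerberos principals created from the machinename of the client, the UPN (if it exists) and any Windows SPN(s) ...") now contradict the text added below them, which says the machine-name and UPN entries are no longer created by default and that since Samba 4.21.0 the keytab contents are governed by `sync machine password to keytab`. Scope the legacy behaviour explicitly (for example "Up to Samba 4.20.0, this command created a keytab with default entries consisting of ...") and put the 4.21.0 description in its own paragraph rather than appending it to the old one, so a reader on 4.21 does not come away expecting the machine$ and UPN entries to appear.

Smaller points in the same hunk: "No changes are made to the computer AD account." is now stated twice (in the first paragraph and again as the closing paragraph); keep one. "Till Samba 4.20.0" leaves it unclear whether 4.20 is included, "Up to and including Samba 4.20" or "Before Samba 4.21.0" is unambiguous. "each must be specified in an own keytab file" should read "in its own keytab file", and "keytab file is created as specified in" needs "the". In the sentence introducing the example, "machine$ SPN" is misleading because the entry selected by `account_name` is the machine account principal, not an SPN; "the account name (machine$)" matches the option syntax used in the listing. Two `smbconfoption` attribute values are split across lines (`name="kerberos\nmethod"` and `name="sync machine\npassword to keytab"`) and one element starts with a space in its content (`<smbconfoption name="kerberos method"> secrets`); keep attribute values on one line and drop the stray space so the rendered value is "secrets only" rather than " secrets only". Finally, the programlisting separates the three keytab definitions with commas while using colons inside each definition; please cross-check that this separator matches what smb.conf(5) documents for the option, so the example can be pasted as-is.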