mirror of
https://github.com/samba-team/samba.git
synced 2025-01-12 09:18:10 +03:00
18aa2d58ed
This change ensures the KVNO of the principal in secrets.ldb (which is also
exported to the dns.keytab) matches the KVNO associated with the "dns" user.
Without explicitly setting msDS-KeyVersionNumber, the KVNO exported into the
dns.keytab was 0.
KVNO needs to be > 0, as the client libs (at least MIT libs on Fedora)
consider KVNO == 0 as a sign to ignore that particular key.
(This used to be commit 572efc8e65)
40 lines
1.1 KiB
Plaintext
40 lines
1.1 KiB
Plaintext
dn: flatname=${DOMAIN},CN=Primary Domains
|
|
objectClass: top
|
|
objectClass: primaryDomain
|
|
objectClass: kerberosSecret
|
|
flatname: ${DOMAIN}
|
|
realm: ${REALM}
|
|
secret:: ${MACHINEPASS_B64}
|
|
secureChannelType: 6
|
|
sAMAccountName: ${NETBIOSNAME}$
|
|
msDS-KeyVersionNumber: 1
|
|
objectSid: ${DOMAINSID}
|
|
privateKeytab: ${SECRETS_KEYTAB}
|
|
|
|
# A hook from our credentials system into HDB, as we must be on a KDC,
|
|
# we can look directly into the database.
|
|
dn: samAccountName=krbtgt,flatname=${DOMAIN},CN=Principals
|
|
objectClass: top
|
|
objectClass: secret
|
|
objectClass: kerberosSecret
|
|
flatname: ${DOMAIN}
|
|
realm: ${REALM}
|
|
sAMAccountName: krbtgt
|
|
objectSid: ${DOMAINSID}
|
|
servicePrincipalName: kadmin/changepw
|
|
krb5Keytab: HDB:ldb:${SAM_LDB}:
|
|
#The trailing : here is a HACK, but it matches the Heimdal format.
|
|
|
|
# A hook from our credentials system into HDB, as we must be on a KDC,
|
|
# we can look directly into the database.
|
|
dn: servicePrincipalName=DNS/${DNSDOMAIN},CN=Principals
|
|
objectClass: top
|
|
objectClass: secret
|
|
objectClass: kerberosSecret
|
|
realm: ${REALM}
|
|
servicePrincipalName: DNS/${DNSDOMAIN}
|
|
msDS-KeyVersionNumber: 1
|
|
privateKeytab: ${DNS_KEYTAB}
|
|
secret:: ${DNSPASS_B64}
|
|
|