The branch, v4-21-test has been updated
via 725907587b8 WHATSNEW: update the "Automatic keytab update after
machine password change" section
via 6f9a9394cfd docs-xml: Delete descriptions for removed commands "net
ads keytab add" and "net ads keytab add_update_ads"
via ba6c2f68ec2 docs-xml: Fix trailing whitespace in net.8.xml
via ff9d9677bba docs:smbdotconf: Improve formatting of 'sync machine
password to keytab'
via de85c86c486 ldb: Fix ldb public library header files being unusable
via 6d69562e27c wafsamba: Fix ABI symbol name generation
from 5ba371e09ab WHATSNEW: update the Per-user and group "veto files"
and "hide files" section
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-21-test
- Log -----------------------------------------------------------------
commit 725907587b8b419f773fea965ec899eee71b3bb9
Author: Pavel Filipenský <pfilipen...@samba.org>
Date: Tue Aug 6 08:42:34 2024 +0200
WHATSNEW: update the "Automatic keytab update after machine password
change" section
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689
Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
Autobuild-User(v4-21-test): Stefan Metzmacher <me...@samba.org>
Autobuild-Date(v4-21-test): Tue Aug 6 12:49:02 UTC 2024 on atb-devel-224
commit 6f9a9394cfd16ee4ef80fa083105d2edc46bfd5d
Author: Pavel Filipenský <pfilipen...@samba.org>
Date: Thu Aug 1 22:39:58 2024 +0200
docs-xml: Delete descriptions for removed commands "net ads keytab add" and
"net ads keytab add_update_ads"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689
Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
Reviewed-by: Reviewed-by: Martin Schwenke <mar...@meltin.net>
Autobuild-User(master): Pavel Filipensky <pfilipen...@samba.org>
Autobuild-Date(master): Mon Aug 5 13:29:25 UTC 2024 on atb-devel-224
(cherry picked from commit a5f47f6efe67e02d7a12f30b4e6fb76bcd6aa71c)
commit ba6c2f68ec2e027a00af9c4226ef7518dff581b1
Author: Pavel Filipenský <pfilipen...@samba.org>
Date: Thu Aug 1 22:39:56 2024 +0200
docs-xml: Fix trailing whitespace in net.8.xml
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689
Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
Reviewed-by: Reviewed-by: Martin Schwenke <mar...@meltin.net>
(cherry picked from commit 374680010d42d3bca52791159dba7b42eb8d0d6c)
commit ff9d9677bba1a95922c8183ba403402c238067ed
Author: Pavel Filipenský <pfilipen...@samba.org>
Date: Thu Aug 1 21:49:19 2024 +0200
docs:smbdotconf: Improve formatting of 'sync machine password to keytab'
Hint: review this commit with ignoring white space changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689
Signed-off-by: Pavel Filipenský <pfilipen...@samba.org>
Reviewed-by: Reviewed-by: Martin Schwenke <mar...@meltin.net>
(cherry picked from commit 6c627903ee466cd1559d7f58821221c4dd668d1f)
commit de85c86c48608a36211115106de424660973b2e7
Author: Jo Sutton <josut...@catalyst.net.nz>
Date: Fri Aug 2 10:14:52 2024 +1200
ldb: Fix ldb public library header files being unusable
An accidental negation means that ldb_version.h is not installed when
ldb is built as a public library.
This is a regression introduced by commit
625fb48326ec62a33ce0abdbfb0f6f3d33d7cc64.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15690
Signed-off-by: Jo Sutton <josut...@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Autobuild-User(master): Douglas Bagnall <dbagn...@samba.org>
Autobuild-Date(master): Sun Aug 4 01:35:55 UTC 2024 on atb-devel-224
(cherry picked from commit 5851ae555425ea2ba8e431162142ebae47be802e)
commit 6d69562e27c41ae24650304eb7b668f28e49d68d
Author: Andreas Schneider <a...@samba.org>
Date: Mon Aug 5 14:51:01 2024 +0200
wafsamba: Fix ABI symbol name generation
Commit 0bc5b6f29307ce758774c1b2f48ce62315fdc7f9 changed the script
for generating the ABI symbol version. It broke the ABI by changing all
dots to underscores.
This reverts the commit partially to preserve the dots in the version
part.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15673
Pair-Programmed-With: Stefan Metzmacher <me...@samba.org>
Signed-off-by: Andreas Schneider <a...@samba.org>
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz>
Reviewed-by: Günther Deschner <g...@samba.org>
Autobuild-User(master): Douglas Bagnall <dbagn...@samba.org>
Autobuild-Date(master): Tue Aug 6 00:42:56 UTC 2024 on atb-devel-224
(cherry picked from commit 46215ab1b34aa79c4c831ea1c12f73eacf1e8a12)
-----------------------------------------------------------------------
Summary of changes:
WHATSNEW.txt | 44 ++++-
buildtools/wafsamba/samba_abi.py | 6 +-
docs-xml/manpages/net.8.xml | 190 +++++++--------------
.../security/syncmachinepasswordtokeytab.xml | 77 +++++----
lib/ldb/wscript | 2 +-
script/autobuild.py | 11 ++
6 files changed, 159 insertions(+), 171 deletions(-)
Changeset truncated at 500 lines:
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index bf2dbb94b3a..9d5c0bac515 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -193,9 +193,49 @@ updates or manually (e.g. net ads changetrustpw), now
winbind will also support
update of keytab entries in case you use newly added option
'sync machine password to keytab'.
The new parameter allows you to describe what keytabs and how should be
updated.
+From smb.conf(5) manpage - each keytab can have exactly one of these four
forms:
+
+ account_name
+ sync_spns
+ spn_prefixes=value1[,value2[...]]
+ spns=value1[,value2[...]]
+
+The functionaity provided by the removed commands "net ads keytab
+add/delete/add_update_ads" can be achieved via the 'sync machine password to
+keytab' as in these examples:
+
+"net ads keytab add wurst/brot@REALM"
+
+- this command is not adding <principal> to AD, so the best fit can be
specifier
+ "spns"
+- add to smb.conf:
+ sync machine password to keytab =
/path/to/keytab1:spns=wurst/brot@REALM:machine_password
+- run:
+ "net ads keytab create"
+
+"net ads keytab delete wurst/brot@REALM"
+
+- remove the principal (or the whole keytab line if there was just one)
+- run:
+ "net ads keytab create"
+
+"net ads keytab add_update_ads wurst/brot@REALM"
+
+- this command was adding the principal to AD, so for this case use a keytab
+ with specifier sync_spns
+- add to smb.conf:
+ sync machine password to keytab = /path/to/keytab2:sync_spns:machine_password
+- run:
+ "net ads setspn add wurst/brot@REALM" # this adds the principal to AD
+ "net ads keytab create" # this sync it from AD to local keytab
+
+
A new parameter 'sync machine password script' allows to specify external
script
-that will be triggered after the automatic keytab update. For detailed
-information check the smb.conf manpage.
+that will be triggered after the automatic keytab update. Example of such
script
+that can be used in a cluster environment with ctdb is
+source3/script/updatekeytab.sh
+
+For detailed information check the smb.conf(5) manpage.
REMOVED FEATURES
================
diff --git a/buildtools/wafsamba/samba_abi.py b/buildtools/wafsamba/samba_abi.py
index c82ba3424f9..e6deb839c0c 100644
--- a/buildtools/wafsamba/samba_abi.py
+++ b/buildtools/wafsamba/samba_abi.py
@@ -286,7 +286,7 @@ def abi_build_vscript(task):
f.close()
def VSCRIPT_MAP_PRIVATE(bld, libname, orig_vscript, version, private_vscript):
- version = re.sub(r'\W', '_', version).upper()
+ version = re.sub(r'[^.\w]', '_', version).upper()
t = bld.SAMBA_GENERATOR(private_vscript,
rule=abi_build_vscript,
source=orig_vscript,
@@ -314,8 +314,8 @@ def ABI_VSCRIPT(bld, libname, abi_directory, version,
vscript, abi_match=None, p
libname = os.path.basename(libname)
version = os.path.basename(version)
- libname = re.sub(r'\W', '_', libname).upper()
- version = re.sub(r'\W', '_', version).upper()
+ libname = re.sub(r'[^.\w]', '_', libname).upper()
+ version = re.sub(r'[^.\w]', '_', version).upper()
t = bld.SAMBA_GENERATOR(vscript,
rule=abi_build_vscript,
diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
index c284cc25b49..61a1e6362ce 100644
--- a/docs-xml/manpages/net.8.xml
+++ b/docs-xml/manpages/net.8.xml
@@ -80,12 +80,12 @@
<para>This tool is part of the
<citerefentry><refentrytitle>samba</refentrytitle>
<manvolnum>7</manvolnum></citerefentry> suite.</para>
- <para>The Samba net utility is meant to work just like the net utility
- available for windows and DOS. The first argument should be used
- to specify the protocol to use when executing a certain command.
- ADS is used for ActiveDirectory, RAP is using for old (Win9x/NT3)
- clients and RPC can be used for NT4 and Windows 2000. If this
- argument is omitted, net will try to determine it automatically.
+ <para>The Samba net utility is meant to work just like the net utility
+ available for windows and DOS. The first argument should be used
+ to specify the protocol to use when executing a certain command.
+ ADS is used for ActiveDirectory, RAP is using for old (Win9x/NT3)
+ clients and RPC can be used for NT4 and Windows 2000. If this
+ argument is omitted, net will try to determine it automatically.
Not all commands are available on all protocols.
</para>
@@ -98,7 +98,7 @@
<varlistentry>
<term>-w|--target-workgroup target-workgroup</term>
<listitem><para>
- Sets target workgroup or domain. You have to specify
+ Sets target workgroup or domain. You have to specify
either this option or the IP address or the name of a server.
</para></listitem>
</varlistentry>
@@ -115,7 +115,7 @@
<varlistentry>
<term>-p|--port port</term>
<listitem><para>
- Port on the target server to connect to (usually 139 or 445).
+ Port on the target server to connect to (usually 139 or 445).
Defaults to trying 445 first, then 139.
</para></listitem>
</varlistentry>
@@ -123,7 +123,7 @@
<varlistentry>
<term>-S|--server server</term>
<listitem><para>
- Name of target server. You should specify either
+ Name of target server. You should specify either
this option or a target workgroup or a target IP address.
</para></listitem>
</varlistentry>
@@ -524,7 +524,7 @@ YOU HAVE BEEN WARNED.
<refsect3>
<title>TIME</title>
-<para>Without any options, the <command>NET TIME</command> command
+<para>Without any options, the <command>NET TIME</command> command
displays the time on the remote server. The remote server must be
specified with the -S option.
</para>
@@ -542,7 +542,7 @@ The remote server must be specified with the -S option.
<refsect3>
<title>TIME SET</title>
-<para>Tries to set the date and time of the local server to that on
+<para>Tries to set the date and time of the local server to that on
the remote server using <command>/bin/date</command>.
The remote server must be specified with the -S option.
</para>
@@ -565,8 +565,8 @@ The remote server must be specified with the -S option.
[osName=string osVer=string] [options]</title>
<para>
-Join a domain. If the account already exists on the server, and
-[TYPE] is MEMBER, the machine will attempt to join automatically.
+Join a domain. If the account already exists on the server, and
+[TYPE] is MEMBER, the machine will attempt to join automatically.
(Assuming that the machine has been created in server manager)
Otherwise, a password will be prompted for, and a new account may
be created.</para>
@@ -590,7 +590,7 @@ format is host/netbiosname@REALM.
[OU] (ADS only) Precreate the computer account in a specific OU. The
OU string reads from top to bottom without RDNs, and is delimited by
a '/'. Please note that '\' is used for escape by both the shell
-and ldap, so it may need to be doubled or quadrupled to pass through,
+and ldap, so it may need to be doubled or quadrupled to pass through,
and it is not used as a delimiter.
</para>
<para>
@@ -607,8 +607,8 @@ must be specified for either to take effect.
<refsect2>
<title>[RPC] OLDJOIN [options]</title>
-<para>Join a domain. Use the OLDJOIN option to join the domain
-using the old style of domain joining - you need to create a trust
+<para>Join a domain. Use the OLDJOIN option to join the domain
+using the old style of domain joining - you need to create a trust
account in server manager first.</para>
</refsect2>
@@ -692,8 +692,8 @@ account in server manager first.</para>
<refsect3>
<title>[RAP|RPC] SHARE ADD <replaceable>name=serverpath</replaceable> [-C
comment] [-M maxusers] [targets]</title>
-<para>Adds a share from a server (makes the export active). Maxusers
-specifies the number of users that can be connected to the
+<para>Adds a share from a server (makes the export active). Maxusers
+specifies the number of users that can be connected to the
share simultaneously.</para>
</refsect3>
@@ -718,7 +718,7 @@ share simultaneously.</para>
<refsect3>
<title>[RPC|RAP] FILE CLOSE <replaceable>fileid</replaceable></title>
-<para>Close file with specified <replaceable>fileid</replaceable> on
+<para>Close file with specified <replaceable>fileid</replaceable> on
remote server.</para>
</refsect3>
@@ -727,7 +727,7 @@ remote server.</para>
<title>[RPC|RAP] FILE INFO <replaceable>fileid</replaceable></title>
<para>
-Print information on specified <replaceable>fileid</replaceable>.
+Print information on specified <replaceable>fileid</replaceable>.
Currently listed are: file-id, username, locks, path, permissions.
</para>
@@ -739,7 +739,7 @@ Currently listed are: file-id, username, locks, path,
permissions.
<para>
List files opened by specified <replaceable>user</replaceable>.
Please note that <command>net rap file user</command> does not work
-against Samba servers.
+against Samba servers.
</para>
</refsect3>
@@ -752,7 +752,7 @@ against Samba servers.
<refsect3>
<title>RAP SESSION</title>
-<para>Without any other options, SESSION enumerates all active SMB/CIFS
+<para>Without any other options, SESSION enumerates all active SMB/CIFS
sessions on the target server.</para>
</refsect3>
@@ -784,7 +784,7 @@ to local domain.</para>
<refsect2>
<title>RAP DOMAIN</title>
-<para>Lists all domains and workgroups visible on the
+<para>Lists all domains and workgroups visible on the
current network.</para>
</refsect2>
@@ -796,7 +796,7 @@ current network.</para>
<title>RAP PRINTQ INFO <replaceable>QUEUE_NAME</replaceable></title>
<para>Lists the specified print queue and print jobs on the server.
-If the <replaceable>QUEUE_NAME</replaceable> is omitted, all
+If the <replaceable>QUEUE_NAME</replaceable> is omitted, all
queues are listed.</para>
</refsect3>
@@ -814,9 +814,9 @@ queues are listed.</para>
<title>RAP VALIDATE <replaceable>user</replaceable>
[<replaceable>password</replaceable>]</title>
<para>
-Validate whether the specified user can log in to the
-remote server. If the password is not specified on the commandline, it
-will be prompted.
+Validate whether the specified user can log in to the
+remote server. If the password is not specified on the commandline, it
+will be prompted.
</para>
¬.implemented;
@@ -852,7 +852,7 @@ will be prompted.
<refsect2>
<title>RAP ADMIN <replaceable>command</replaceable></title>
-<para>Execute the specified <replaceable>command</replaceable> on
+<para>Execute the specified <replaceable>command</replaceable> on
the remote server. Only works with OS/2 servers.
</para>
@@ -899,7 +899,7 @@ Change password of <replaceable>USER</replaceable> from
<replaceable>OLDPASS</re
<title>LOOKUP HOST <replaceable>HOSTNAME</replaceable>
[<replaceable>TYPE</replaceable>]</title>
<para>
-Lookup the IP address of the given host with the specified type (netbios
suffix).
+Lookup the IP address of the given host with the specified type (netbios
suffix).
The type defaults to 0x20 (workstation).
</para>
@@ -965,7 +965,7 @@ or workgroup. Defaults to local domain.</para>
<refsect2>
<title>CACHE</title>
-<para>Samba uses a general caching interface called 'gencache'. It
+<para>Samba uses a general caching interface called 'gencache'. It
can be controlled using 'NET CACHE'.</para>
<para>All the timeout parameters support the suffixes:
@@ -1044,7 +1044,7 @@ omitted, the SID of the local server.</para>
<refsect2>
<title>GETDOMAINSID</title>
-<para>Prints the local machine SID and the SID of the current
+<para>Prints the local machine SID and the SID of the current
domain.</para>
</refsect2>
@@ -1158,15 +1158,15 @@ such as domain name, domain sid and number of users and
groups.
<refsect3>
<title>RPC TRUSTDOM ADD <replaceable>DOMAIN</replaceable></title>
-<para>Add a interdomain trust account for <replaceable>DOMAIN</replaceable>.
-This is in fact a Samba account named <replaceable>DOMAIN$</replaceable>
-with the account flag <constant>'I'</constant> (interdomain trust account).
+<para>Add a interdomain trust account for <replaceable>DOMAIN</replaceable>.
+This is in fact a Samba account named <replaceable>DOMAIN$</replaceable>
+with the account flag <constant>'I'</constant> (interdomain trust account).
This is required for incoming trusts to work. It makes Samba be a
trusted domain of the foreign (trusting) domain.
Users of the Samba domain will be made available in the foreign domain.
-If the command is used against localhost it has the same effect as
+If the command is used against localhost it has the same effect as
<command>smbpasswd -a -i DOMAIN</command>. Please note that both commands
-expect a appropriate UNIX account.
+expect a appropriate UNIX account.
</para>
</refsect3>
@@ -1174,9 +1174,9 @@ expect a appropriate UNIX account.
<refsect3>
<title>RPC TRUSTDOM DEL <replaceable>DOMAIN</replaceable></title>
-<para>Remove interdomain trust account for
-<replaceable>DOMAIN</replaceable>. If it is used against localhost
-it has the same effect as <command>smbpasswd -x DOMAIN$</command>.
+<para>Remove interdomain trust account for
+<replaceable>DOMAIN</replaceable>. If it is used against localhost
+it has the same effect as <command>smbpasswd -x DOMAIN$</command>.
</para>
</refsect3>
@@ -1185,7 +1185,7 @@ it has the same effect as <command>smbpasswd -x
DOMAIN$</command>.
<title>RPC TRUSTDOM ESTABLISH <replaceable>DOMAIN</replaceable></title>
<para>
-Establish a trust relationship to a trusted domain.
+Establish a trust relationship to a trusted domain.
Interdomain account must already be created on the remote PDC.
This is required for outgoing trusts to work. It makes Samba be a
trusting domain of a foreign (trusted) domain.
@@ -1326,9 +1326,9 @@ net rpc trust delete \
<refsect3>
<title>RPC RIGHTS</title>
-<para>This subcommand is used to view and manage Samba's rights assignments
(also
-referred to as privileges). There are three options currently available:
-<parameter>list</parameter>, <parameter>grant</parameter>, and
+<para>This subcommand is used to view and manage Samba's rights assignments
(also
+referred to as privileges). There are three options currently available:
+<parameter>list</parameter>, <parameter>grant</parameter>, and
<parameter>revoke</parameter>. More details on Samba's privilege model and
its use
can be found in the Samba-HOWTO-Collection.</para>
@@ -1367,14 +1367,14 @@ Force shutting down all applications.
<varlistentry>
<term>-t timeout</term>
<listitem><para>
-Timeout before system will be shut down. An interactive
+Timeout before system will be shut down. An interactive
user of the system can use this time to cancel the shutdown.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-C message</term>
-<listitem><para>Display the specified message on the screen to
+<listitem><para>Display the specified message on the screen to
announce the shutdown.</para></listitem>
</varlistentry>
</variablelist>
@@ -1391,8 +1391,8 @@ to run this against the PDC, from a Samba machine joined
as a BDC. </para>
<refsect2>
<title>RPC VAMPIRE</title>
-<para>Export users, aliases and groups from remote server to
-local server. You need to run this against the PDC, from a Samba machine
joined as a BDC.
+<para>Export users, aliases and groups from remote server to
+local server. You need to run this against the PDC, from a Samba machine
joined as a BDC.
This vampire command cannot be used against an Active Directory, only
against an NT4 Domain Controller.
</para>
@@ -1486,7 +1486,7 @@ against an NT4 Domain Controller.
<title>ADS STATUS</title>
<para>Print out status of machine account of the local machine in ADS.
-Prints out quite some debug info. Aimed at developers, regular
+Prints out quite some debug info. Aimed at developers, regular
users should use <command>NET ADS TESTJOIN</command>.</para>
</refsect2>
@@ -1498,7 +1498,7 @@ users should use <command>NET ADS
TESTJOIN</command>.</para>
<title>ADS PRINTER INFO [<replaceable>PRINTER</replaceable>]
[<replaceable>SERVER</replaceable>]</title>
<para>
-Lookup info for <replaceable>PRINTER</replaceable> on
<replaceable>SERVER</replaceable>. The printer name defaults to "*", the
+Lookup info for <replaceable>PRINTER</replaceable> on
<replaceable>SERVER</replaceable>. The printer name defaults to "*", the
server name defaults to the local host.</para>
</refsect3>
@@ -1522,8 +1522,8 @@ server name defaults to the local host.</para>
<refsect2>
<title>ADS SEARCH <replaceable>EXPRESSION</replaceable>
<replaceable>ATTRIBUTES...</replaceable></title>
-<para>Perform a raw LDAP search on a ADS server and dump the results. The
-expression is a standard LDAP search expression, and the
+<para>Perform a raw LDAP search on a ADS server and dump the results. The
+expression is a standard LDAP search expression, and the
attributes are a list of LDAP fields to show in the results.</para>
<para>Example: <userinput>net ads search '(objectCategory=group)'
sAMAccountName</userinput>
@@ -1535,9 +1535,9 @@ attributes are a list of LDAP fields to show in the
results.</para>
<title>ADS DN <replaceable>DN</replaceable>
<replaceable>(attributes)</replaceable></title>
<para>
-Perform a raw LDAP search on a ADS server and dump the results. The
-DN standard LDAP DN, and the attributes are a list of LDAP fields
-to show in the result.
+Perform a raw LDAP search on a ADS server and dump the results. The
+DN standard LDAP DN, and the attributes are a list of LDAP fields
+to show in the result.
</para>
<para>Example: <userinput>net ads dn
'CN=administrator,CN=Users,DC=my,DC=domain' SAMAccountName</userinput></para>
@@ -1557,76 +1557,6 @@ are made to the computer AD account.
</para>
</refsect2>
-<refsect2>
-<title>ADS KEYTAB <replaceable>ADD</replaceable> <replaceable>(principal |
machine | serviceclass | windows SPN</replaceable></title>
-
-<para>
-Adds a new keytab entry, the entry can be either;
- <variablelist>
- <varlistentry><term>kerberos principal</term>
- <listitem><para>
- A kerberos principal (identified by the presence of '@') is just
- added to the keytab file.
- </para></listitem>
- </varlistentry>
- <varlistentry><term>machinename</term>
- <listitem><para>
- A machinename (identified by the trailing '$') is used to create a
- a kerberos principal 'machinename@realm' which is added to the
- keytab file.
- </para></listitem>
- </varlistentry>
- <varlistentry><term>serviceclass</term>
- <listitem><para>
- A serviceclass (such as 'cifs', 'html' etc.) is used to create a pair
- of kerberos principals 'serviceclass/fully_qualified_dns_name@realm' &
- 'serviceclass/netbios_name@realm' which are added to the keytab file.
- </para></listitem>
- </varlistentry>
- <varlistentry><term>Windows SPN</term>
- <listitem><para>
- A Windows SPN is of the format 'serviceclass/host:port', it is used to
- create a kerberos principal 'serviceclass/host@realm' which will
- be written to the keytab file.
- </para></listitem>
- </varlistentry>
- </variablelist>
-</para>
-<para>
-Unlike old versions no computer AD objects are modified by this command. To
-preserve the behaviour of older clients 'net ads keytab ad_update_ads' is
-available.
-</para>
-</refsect2>
-
-<refsect2>
-<title>ADS KEYTAB <replaceable>ADD_UPDATE_ADS</replaceable>
<replaceable>(principal | machine | serviceclass | windows
SPN</replaceable></title>
-
-<para>
-Adds a new keytab entry (see section for net ads keytab add). In addition to
-adding entries to the keytab file corresponding Windows SPNs are created
-from the entry passed to this command. These SPN(s) added to the AD computer
-account object associated with the client machine running this command for
-the following entry types;
- <variablelist>
- <varlistentry><term>serviceclass</term>
- <listitem><para>
- A serviceclass (such as 'cifs', 'html' etc.) is used to create a
- pair of Windows SPN(s) 'param/full_qualified_dns' &
- 'param/netbios_name' which are added to the AD computer account object
- for this client.
- </para></listitem>
- </varlistentry>
- <varlistentry><term>Windows SPN</term>
- <listitem><para>
- A Windows SPN is of the format 'serviceclass/host:port', it is
- added as passed to the AD computer account object for this client.
- </para></listitem>
- </varlistentry>
- </variablelist>
-</para>
-</refsect2>
-
<refsect2>
<title>ADS setspn <replaceable>SETSPN LIST [machine]</replaceable></title>
@@ -2281,7 +2211,7 @@ share (no creation of new files or directories or writing
to files).
</para>
<para>
--
Samba Shared Repository
