The branch, master has been updated
       via  7b73c574d93 docs:manpages:  Update 'net ads keytab create'
      from  86cdaf5a2ee ctdb-scripts: Change default persistent DB for statd_callout_helper

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 7b73c574d93668edd94f2eb18b58568d420487f4
Author: Pavel Filipenský <[email protected]>
Date:   Tue Dec 3 16:21:26 2024 +0100

    docs:manpages:  Update 'net ads keytab create'
    
    Signed-off-by: Pavel Filipenský <[email protected]>
    Reviewed-by: Andreas Schneider <[email protected]>
    
    Autobuild-User(master): Pavel Filipensky <[email protected]>
    Autobuild-Date(master): Mon Dec 16 19:32:32 UTC 2024 on atb-devel-224

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/manpages/net.8.xml | 33 +++++++++++++++++++++++++++------
 1 file changed, 27 insertions(+), 6 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
index e633c8c7c6a..f388644172f 100644
--- a/docs-xml/manpages/net.8.xml
+++ b/docs-xml/manpages/net.8.xml
@@ -1548,12 +1548,33 @@ to show in the result.
 <title>ADS KEYTAB <replaceable>CREATE</replaceable></title>
 
 <para>
-Creates a new keytab file if one doesn't exist with default entries. Default
-entries are kerberos principals created from the machinename of the
-client, the UPN (if it exists) and any Windows SPN(s) associated with the
-computer AD account for the client. If a keytab file already exists then only
-missing kerberos principals from the default entries are added. No changes
-are made to the computer AD account.
+Since Samba 4.21.0, keytab file is created as specified in <smbconfoption
+name="sync machine password to keytab"/>. The keytab is created only for
+<smbconfoption name="kerberos method">secrets only</smbconfoption> and
+<smbconfoption name="kerberos method">secrets and keytab</smbconfoption>. With
+the smb.conf default values for <smbconfoption name="kerberos method"> secrets
+only</smbconfoption> and <smbconfoption name="sync machine password to 
keytab"/>
+(default is empty) the keytab is not generated at all.  Keytab with a default
+name and SPNs synced from AD is created for <smbconfoption name="kerberos
+method">secrets and keytab</smbconfoption> if <smbconfoption name="sync machine
+password to keytab"/> is missing.
+</para>
+<para>
+Till Samba 4.20.0, two more entries were created by default: the machinename of
+the client (ending with '$') and the UPN (host/domain@REALM).  If these two
+entries are still needed, each must be specified in an own keytab file.
+Example below will generate three keytab files that contain SPNs synced from
+AD, host UPN and machine$ SPN:
+</para>
+<programlisting>
+<smbconfoption name="sync machine password to keytab">
+/etc/krb5.keytab0:sync_spns:machine_password,
+/etc/krb5.keytab1:spns=host/[email protected]:machine_password,
+/etc/krb5.keytab2:account_name:machine_password
+</smbconfoption>
+</programlisting>
+<para>
+No changes are made to the computer AD account.
 </para>
 </refsect2>
 
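Review bot: The new first and second paragraphs have a few wording and markup slips worth fixing before this lands in the man page: "keytab file is created as specified in" reads better as "the keytab file is created as specified in"; "Till Samba 4.20.0" should be "Until Samba 4.20.0"; "each must be specified in an own keytab file" should be "each must be specified in its own keytab file"; and `<smbconfoption name="kerberos method"> secrets only</smbconfoption>` carries a stray leading space inside the element that the two other occurrences of the same option value do not have. Separately, the sentence introducing the example calls the third entry a "machine$ SPN", but the preceding paragraph describes that entry as the machine name of the client ending with '$', and the example selects it with `account_name`, which is the machine account principal rather than a service principal; saying "the machine account (machine$) entry" would match both the explanation above and the `account_name` selector in the `<programlisting>`. Also worth making explicit, since it is the behaviour change an administrator upgrading to 4.21 will notice: with the default `kerberos method = secrets only` and an empty `sync machine password to keytab`, running `net ads keytab create` now produces no keytab at all, so the paragraph could say plainly that the command is a no-op under the defaults.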


-- 
Samba Shared Repository
