The branch, master has been updated
via 7a662e097be docs-xml:smbdotconf: Document new options for 'sync
machinepassword to keytab'
via 15e191736d3 s3: Add new keytab specifiers
from 67b09b481b0 ndr: fix coda logic around in ndr_pull_security_ace()
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 7a662e097be5e0d3f7779fa544486968b8f57063
Author: Pavel Filipenský <[email protected]>
Date: Tue Jan 14 11:29:54 2025 +0100
docs-xml:smbdotconf: Document new options for 'sync machinepassword to
keytab'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15759
Signed-off-by: Pavel Filipenský <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Reviewed-by: Alexander Bokovoy <[email protected]>
Autobuild-User(master): Pavel Filipensky <[email protected]>
Autobuild-Date(master): Thu Feb 13 18:45:21 UTC 2025 on atb-devel-224
commit 15e191736d3eaba83b2fb4b901e1df2214526b64
Author: Pavel Filipenský <[email protected]>
Date: Mon Jan 20 16:00:51 2025 +0100
s3: Add new keytab specifiers
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15759
Signed-off-by: Pavel Filipenský <[email protected]>
Reviewed-by: Andreas Schneider <[email protected]>
Reviewed-by: Alexander Bokovoy <[email protected]>
-----------------------------------------------------------------------
Summary of changes:
docs-xml/manpages/net.8.xml | 24 +-
.../security/syncmachinepasswordtokeytab.xml | 42 +-
selftest/target/Samba3.pm | 3 +-
source3/libads/kerberos_keytab.c | 631 +++++++++++++--------
source3/script/tests/test_update_keytab.sh | 449 +++++++++++----
5 files changed, 768 insertions(+), 381 deletions(-)
Changeset truncated at 500 lines:
diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
index ca34d322512..39ae5c79508 100644
--- a/docs-xml/manpages/net.8.xml
+++ b/docs-xml/manpages/net.8.xml
@@ -1549,29 +1549,25 @@ to show in the result.
<para>
Since Samba 4.21.0, keytab file is created as specified in <smbconfoption
-name="sync machine password to keytab"/>. The keytab is created only for
+name="sync machine password to keytab"/> . The keytab can be created only when
+machine password is available in secrets.tdb, i.e. only for
<smbconfoption name="kerberos method">secrets only</smbconfoption> and
<smbconfoption name="kerberos method">secrets and keytab</smbconfoption>. With
the smb.conf default values for <smbconfoption name="kerberos method"> secrets
only</smbconfoption> and <smbconfoption name="sync machine password to
keytab"/>
(default is empty) the keytab is not generated at all. Keytab with a default
-name and SPNs synced from AD is created for <smbconfoption name="kerberos
-method">secrets and keytab</smbconfoption> if <smbconfoption name="sync machine
-password to keytab"/> is missing.
+name containing: SPNs synced from AD, account name COMPUTER$ and principal
+host/dns_hostname is created for <smbconfoption name="kerberos method">secrets
+and keytab</smbconfoption> if <smbconfoption name="sync machine password to
+keytab"/> is missing.
</para>
<para>
-Till Samba 4.20.0, two more entries were created by default: the machinename of
-the client (ending with '$') and the UPN (host/domain@REALM). If these two
-entries are still needed, each must be specified in an own keytab file.
-Example below will generate three keytab files that contain SPNs synced from
-AD, host UPN and machine$ SPN:
+Till Samba 4.20, these entries were created by default: the account name
+COMPUTER$, 'host' principal and SPNs synced from AD. Example below generates
+such keytab ('host' is added implicitly):
</para>
<programlisting>
-<smbconfoption name="sync machine password to keytab">
-/etc/krb5.keytab0:sync_spns:machine_password,
-/etc/krb5.keytab1:spns=host/[email protected]:machine_password,
-/etc/krb5.keytab2:account_name:machine_password
-</smbconfoption>
+<smbconfoption name="sync machine password to
keytab">/etc/krb5.keytab:account_name:sync_spns:sync_kvno:machine_password</smbconfoption>
</programlisting>
<para>
No changes are made to the computer AD account.
diff --git a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
index f7dc30023d4..02eaf3162c0 100644
--- a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
+++ b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
@@ -24,36 +24,49 @@ synchronization.
Each string has this form:
<programlisting>
-absolute_path_to_keytab:spn_spec[:sync_etypes][:sync_kvno][:netbios_aliases][:additional_dns_hostnames][:machine_password]
+absolute_path_to_keytab:spn_spec[:spn_spec]*[:sync_etypes][:sync_kvno][:netbios_aliases][:additional_dns_hostnames][:machine_password]
</programlisting>
-where spn_spec can have exactly one of these four forms:
+spn_spec can be specified multiple times (separated using ':') and each
spn_spec can have exactly one of these forms:
<programlisting>
account_name
+sync_account_name
+sync_upn
sync_spns
spn_prefixes=value1[,value2[...]]
spns=value1[,value2[...]]
</programlisting>
-No other combinations are allowed.
</para>
<para>
-Specifiers:
+Every keytab contains the 'host' principal and principals according the
specification below:
<programlisting>
-account_name - creates entry using principal 'computer$@REALM'.
-sync_spns - uses principals received from AD DC.
-spn_prefixes - creates principals from the prefixes and adds netbios_aliases
or additional_dns_hostnames if specified.
-spns - creates only the principals defined in the list.
+account_name - COMPUTER$@REALM
+sync_account_name - uses attribute "sAMAccountName" from AD
+host - always present, no need to specify it explicitly
+ the 'host' principal is created for the same variants
(netbios name, dns hostname, netbiosalias, additional_dns_hostname) as in
spn_prefixes
+sync_upn - uses attribute "userPrincipalName" (if exists in AD)
+sync_spns - uses attribute "servicePrincipalName" (if exists in AD)
+spn_prefixes - creates these two principals from each prefix. e.g.:
+ prefix/<smbconfoption name="netbios name"/>@REALM
+ prefix/<smbconfoption name="dns hostname"/>@REALM
+ with :netbios_aliases for each netbiosalias in
<smbconfoption name="netbios aliases"/>
+ prefix/netbiosalias@REALM
+ prefix/netbiosalias.dnsdomain@REALM
+ with :additional_dns_hostnames for each
additionaldnshostname in <smbconfoption name="additional dns hostnames"/>
+ prefix/additionaldnshostname@REALM
+spns - creates only the principals defined in the list
</programlisting>
+'account_name' and 'sync_account_name' are the same, just the source differs
(secrets.tdb vs. AD).
</para>
<para>
Options:
<programlisting>
-sync_etypes - parameter "msDS-SupportedEncryptionTypes" is read
from DC and is used to find the highest common enc type for AD and KRB5 lib.
-sync_kvno - the key version number ("msDS-KeyVersionNumber") is
synchronized from DC, otherwise is set to -1.
-netbios_aliases - evaluated only for SPN_SPEC_PREFIX. If present,
PREFIX/netbiosname@REALM and PREFIX/netbiosname.domainname@REALM are added for
each alias. See <smbconfoption name="netbios aliases"/>
-additional_dns_hostnames - evaluated only for SPN_SPEC_PREFIX. If present,
PREFIX/dnshostname@REALM is added for each dns name. See <smbconfoption
name="additional dns hostnames"/>
+sync_etypes - attribute "msDS-SupportedEncryptionTypes" is read
from AD and is used to find the highest common enc type for AD and KRB5 lib.
+sync_kvno - attribute "msDS-KeyVersionNumber" from AD is used
to set KVNO. If this option is missing, KVNO is set to -1.
+netbios_aliases - evaluated only for spn_prefixes (see details above)
and for the 'host' principal.
+additional_dns_hostnames - evaluated only for spn_prefixes (see details above)
and for the 'host' principal.
machine_password - mandatory, if missing the entry is ignored. For
future use.
</programlisting>
</para>
@@ -68,7 +81,8 @@ Example:
"/path/to/keytab4:spn_prefixes=imap,smtp:machine_password",
"/path/to/keytab5:spn_prefixes=imap,smtp:netbios_aliases:additional_dns_hostnames:sync_kvno:machine_password",
"/path/to/keytab6:spns=wurst/brot@REALM:machine_password",
-"/path/to/keytab7:spns=wurst/brot@REALM,wurst2/brot@REALM:sync_kvno:machine_password"
+"/path/to/keytab7:spns=wurst/brot@REALM,wurst2/brot@REALM:sync_kvno:machine_password",
+"/path/to/keytab8:account_name:sync_account_name:host:sync_upn:sync_spns:spn_prefixes=cifs,http:spns=wurst/brot@REALM:sync_kvno:machine_password"
</programlisting>
If sync_etypes or sync_kvno or sync_spns is present then winbind connects to
DC. For "offline domain join" it might be useful not to use these options.
</para>
@@ -80,7 +94,7 @@ If no value is present and <smbconfoption name="kerberos
method"/> is different
<itemizedlist>
<listitem>
<para><userinput>winbind</userinput> uses value
-
<programlisting>/path/to/keytab:sync_spns:sync_kvno:machine_password</programlisting>
+
<programlisting>/path/to/keytab:host:account_name:sync_spns:sync_kvno:machine_password</programlisting>
where the path to the keytab is obtained either from the
krb5 library or from
<smbconfoption name="dedicated keytab file"/>.
</para>
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index 46995d6fdac..a6c2917d410 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -807,7 +807,8 @@ sub provision_ad_member
\"$prefix_abs/keytab2:spn_prefixes=imap,smtp:additional_dns_hostnames:netbios_aliases:machine_password:sync_etypes\",
\\
\"$prefix_abs/keytab2k:spn_prefixes=imap,smtp:additional_dns_hostnames:sync_kvno:machine_password:sync_etypes\",
\\
\"$prefix_abs/keytab3:spns=wurst/brot\@$dcvars->{REALM}:machine_password:sync_etypes\",
\\
-
\"$prefix_abs/keytab3k:spns=wurst/brot\@$dcvars->{REALM},wurst1/brot\@$dcvars->{REALM},wurst2/brot\@$dcvars->{REALM}:sync_kvno:machine_password:sync_etypes\"
+
\"$prefix_abs/keytab3k:spns=wurst/brot\@$dcvars->{REALM},wurst1/brot\@$dcvars->{REALM},wurst2/brot\@$dcvars->{REALM}:sync_kvno:machine_password:sync_etypes\",
\\
+
\"$prefix_abs/keytab4k:account_name:sync_account_name:spn_prefixes=imap,smtp:additional_dns_hostnames:netbios_aliases:spns=wurst/brot\@$dcvars->{REALM},wurst1/brot\@$dcvars->{REALM},wurst2/brot\@$dcvars->{REALM}:sync_kvno:machine_password:sync_etypes\"
";
}
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index dbf8af44c1f..619a7bda0d4 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -30,6 +30,7 @@
#include "ads.h"
#include "secrets.h"
#include "librpc/gen_ndr/ndr_secrets.h"
+#include "lib/util/string_wrappers.h"
#ifdef HAVE_KRB5
@@ -41,44 +42,59 @@
#endif
enum spn_spec_type {
- SPN_SPEC_DEFAULT,
- SPN_SPEC_SYNC,
+ SPN_SPEC_ACCOUNT_NAME,
+ SPN_SPEC_SYNC_ACCOUNT_NAME,
+ SPN_SPEC_HOST,
+ SPN_SPEC_SYNC_UPN,
+ SPN_SPEC_SYNC_SPNS,
SPN_SPEC_FULL,
- SPN_SPEC_PREFIX
+ SPN_SPEC_PREFIX,
+ SPN_SPEC_MAX
};
-/* pw2kt_conf contains 1 parsed line from "sync machine password to keytab" */
-struct pw2kt_conf {
- enum spn_spec_type spn_spec;
+/* Specifier */
+struct pw2kt_specifier {
+ bool is_set;
+ char **spn_spec_vals; /* Array of full SPNs or prefixes */
+};
+
+/* Descriptor contains 1 parsed line from "sync machine password to keytab" */
+struct pw2kt_keytab_desc {
char *keytab;
bool sync_etypes;
bool sync_kvno;
bool additional_dns_hostnames;
bool netbios_aliases;
bool machine_password;
- char **spn_spec_array;
- size_t num_spn_spec;
+ struct pw2kt_specifier spec_array[SPN_SPEC_MAX];
};
-/* State used by pw2kt */
-struct pw2kt_state {
+/* Global state - stores initial data */
+struct pw2kt_global_state {
/* Array of parsed lines from "sync machine password to keytab" */
- struct pw2kt_conf *keytabs;
- size_t num_keytabs;
+ struct pw2kt_keytab_desc *keytabs;
+ /* Accumulated configuration from all keytabs */
bool sync_etypes;
bool sync_kvno;
bool sync_spns;
+ bool sync_upn;
+ bool sync_sam_account;
/* These are from DC */
krb5_kvno ad_kvno;
uint32_t ad_etypes;
+ char *ad_upn;
+ char *ad_sam_account;
char **ad_spn_array;
size_t ad_num_spns;
/* This is from secrets.db */
struct secrets_domain_info1 *info;
};
-/* State used by pw2kt_process_keytab */
-struct pw2kt_process_state {
+/*
+ * Manages krb5lib data created during processing of 'global state'.
+ * One instance per keytab.
+ */
+struct pw2kt_keytab_state {
krb5_keytab keytab;
krb5_context context;
krb5_keytab_entry *array1;
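Review bot: `/* Specifier */` above `struct pw2kt_specifier` says nothing about the fields, and with `num_spn_spec` and `num_keytabs` removed here the lengths of `spn_spec_vals` and `keytabs` are no longer stored in the structs. The next hunk reads them with `talloc_array_length()`, so both arrays may only be grown with talloc array calls; a comment such as `/* One spn_spec of a keytab line; spn_spec_vals is a talloc array, length via talloc_array_length(), filled only for spns= and spn_prefixes= */` would record that. It should also say whether an entry may be empty, because `pw2kt_scan_spec()` in the next hunk rejects only a trailing ',' and appears to store an empty string for `spns=` or `spns=a,,b`. `struct pw2kt_keytab_state` continues outside this hunk.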
@@ -88,151 +104,206 @@ struct pw2kt_process_state {
krb5_enctype preferred_etype;
};
-static ADS_STATUS pw2kt_scan_add_spn(TALLOC_CTX *ctx,
- const char *spn,
- struct pw2kt_conf *conf)
+static ADS_STATUS pw2kt_add_val(TALLOC_CTX *ctx,
+ struct pw2kt_specifier *spec,
+ const char *spn_val)
{
- conf->spn_spec_array = talloc_realloc(ctx,
- conf->spn_spec_array,
- char *,
- conf->num_spn_spec + 1);
- if (conf->spn_spec_array == NULL) {
+ size_t len = talloc_array_length(spec->spn_spec_vals);
+ spec->spn_spec_vals = talloc_realloc(ctx,
+ spec->spn_spec_vals,
+ char *,
+ len + 1);
+ if (spec->spn_spec_vals == NULL) {
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
}
- conf->spn_spec_array[conf->num_spn_spec] = talloc_strdup(
- conf->spn_spec_array, spn);
- if (conf->spn_spec_array[conf->num_spn_spec] == NULL) {
+ spec->spn_spec_vals[len] = talloc_strdup(spec->spn_spec_vals, spn_val);
+ if (spec->spn_spec_vals[len] == NULL) {
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
}
- conf->num_spn_spec++;
return ADS_SUCCESS;
}
+static ADS_STATUS pw2kt_scan_spec(TALLOC_CTX *ctx,
+ struct pw2kt_global_state *gstate,
+ struct pw2kt_keytab_desc *desc,
+ const char *option)
+{
+ enum spn_spec_type spec_type;
+ struct pw2kt_specifier *spec;
+ char *vals = NULL;
+ char *tmp = NULL;
+ ADS_STATUS status;
+
+ /* First check for options sync_kvno, sync_etypes, ... */
+ if (strequal(option, "sync_kvno")) {
+ desc->sync_kvno = gstate->sync_kvno = true;
+ return ADS_SUCCESS;
+ } else if (strequal(option, "sync_etypes")) {
+ desc->sync_etypes = gstate->sync_etypes = true;
+ return ADS_SUCCESS;
+ } else if (strequal(option, "additional_dns_hostnames")) {
+ desc->additional_dns_hostnames = true;
+ return ADS_SUCCESS;
+ } else if (strequal(option, "netbios_aliases")) {
+ desc->netbios_aliases = true;
+ return ADS_SUCCESS;
+ } else if (strequal(option, "machine_password")) {
+ desc->machine_password = true;
+ return ADS_SUCCESS;
+ }
+
+ vals = strchr_m(option, '=');
+ if (vals != NULL) {
+ *vals = 0;
+ vals++;
+ }
+
+ if (strequal(option, "account_name")) {
+ spec_type = SPN_SPEC_ACCOUNT_NAME;
+ } else if (strequal(option, "sync_account_name")) {
+ spec_type = SPN_SPEC_SYNC_ACCOUNT_NAME;
+ gstate->sync_sam_account = true;
+ } else if (strequal(option, "host")) {
+ spec_type = SPN_SPEC_HOST;
+ } else if (strequal(option, "sync_upn")) {
+ spec_type = SPN_SPEC_SYNC_UPN;
+ gstate->sync_upn = true;
+ } else if (strequal(option, "sync_spns")) {
+ spec_type = SPN_SPEC_SYNC_SPNS;
+ gstate->sync_spns = true;
+ } else if (strequal(option, "spns")) {
+ spec_type = SPN_SPEC_FULL;
+ } else if (strequal(option, "spn_prefixes")) {
+ spec_type = SPN_SPEC_PREFIX;
+ } else {
+ DBG_ERR("Invalid option: '%s'\n", option);
+ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
+ desc->spec_array[spec_type].is_set = true;
+ if (spec_type != SPN_SPEC_PREFIX && spec_type != SPN_SPEC_FULL) {
+ return ADS_SUCCESS;
+ }
+ if (vals == NULL) {
+ DBG_ERR("SPN specifier: %s is missing '='\n", option);
+ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+ spec = &desc->spec_array[spec_type];
+
+ /* Entries are separated via ',' */
+ while ((tmp = strchr_m(vals, ',')) != NULL) {
+ *tmp = 0;
+ tmp++;
+ status = pw2kt_add_val(ctx, spec, vals);
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
+ vals = tmp;
+ if (*vals == 0) {
+ DBG_ERR("Invalid syntax (trailing ','): %s\n", option);
+ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+ }
+ /* Process the last entry */
+ return pw2kt_add_val(ctx, spec, vals);
+}
+
/*
* Parse the smb.conf and find out if it is needed to read from DC:
- * - servicePrincipalNames
+ * - servicePrincipalName
* - msDs-KeyVersionNumber
+ * - userPrincipalName
+ * - sAMAccountName
+ *
+ * Example of a line:
+ *
/etc/krb5/krb5.keytab:account_name:[email protected],[email protected]:host:sync_kvno:machine_password
*/
-static ADS_STATUS pw2kt_scan_line(const char *line, struct pw2kt_state *state)
+static ADS_STATUS pw2kt_scan_line(const char *line,
+ struct pw2kt_global_state *gstate)
{
- char *keytabname = NULL;
- char *spn_spec = NULL;
- char *spn_val = NULL;
- char *option = NULL;
- struct pw2kt_conf *conf = NULL;
+ char *tmp = NULL;
+ char *olist = NULL;
+ struct pw2kt_keytab_desc *desc = NULL;
ADS_STATUS status;
+ size_t num_keytabs = talloc_array_length(gstate->keytabs);
- state->keytabs = talloc_realloc(state,
- state->keytabs,
- struct pw2kt_conf,
- state->num_keytabs + 1);
- if (state->keytabs == NULL) {
+ gstate->keytabs = talloc_realloc(gstate,
+ gstate->keytabs,
+ struct pw2kt_keytab_desc,
+ num_keytabs + 1);
+ if (gstate->keytabs == NULL) {
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
}
- conf = &state->keytabs[state->num_keytabs];
- state->num_keytabs++;
+ desc = &gstate->keytabs[num_keytabs];
+ ZERO_STRUCT(*desc);
- keytabname = talloc_strdup(state->keytabs, line);
- if (keytabname == NULL) {
+ desc->keytab = talloc_strdup(gstate->keytabs, line);
+ if (desc->keytab == NULL) {
return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
}
- ZERO_STRUCT(*conf);
- conf->keytab = keytabname;
- spn_spec = strchr_m(keytabname, ':');
- if (spn_spec == NULL) {
- DBG_ERR("Invalid format! ':' expected in '%s'\n", keytabname);
+ olist = strchr_m(desc->keytab, ':');
+ if (olist == NULL) {
+ DBG_ERR("Invalid format! ':' expected in '%s'\n", line);
return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
- *spn_spec++ = 0;
-
- /* reverse match with strrchr_m() */
- while ((option = strrchr_m(spn_spec, ':')) != NULL) {
- *option++ = 0;
- if (strequal(option, "sync_kvno")) {
- conf->sync_kvno = state->sync_kvno = true;
- } else if (strequal(option, "sync_etypes")) {
- conf->sync_etypes = state->sync_etypes = true;
- } else if (strequal(option, "additional_dns_hostnames")) {
- conf->additional_dns_hostnames = true;
- } else if (strequal(option, "netbios_aliases")) {
- conf->netbios_aliases = true;
- } else if (strequal(option, "machine_password")) {
- conf->machine_password = true;
- } else {
- DBG_WARNING("Unknown option '%s'!\n", option);
- return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
- }
- }
+ *olist = 0;
+ olist++;
- spn_val = strchr_m(spn_spec, '=');
- if (spn_val != NULL) {
- *spn_val++ = 0;
- }
+ /* Always add 'host' principal */
+ desc->spec_array[SPN_SPEC_HOST].is_set = true;
- if (strcmp(spn_spec, "account_name") == 0) {
- conf->spn_spec = SPN_SPEC_DEFAULT;
- } else if (strcmp(spn_spec, "sync_spns") == 0) {
- conf->spn_spec = SPN_SPEC_SYNC;
- state->sync_spns = true;
- } else if (strcmp(spn_spec, "spns") == 0 ||
- strcmp(spn_spec, "spn_prefixes") == 0)
- {
- char *spn = NULL, *tmp = NULL;
-
- conf->spn_spec = strcmp(spn_spec, "spns") == 0
- ? SPN_SPEC_FULL
- : SPN_SPEC_PREFIX;
- conf->num_spn_spec = 0;
- spn = spn_val;
- while ((tmp = strchr_m(spn, ',')) != NULL) {
- *tmp++ = 0;
- status = pw2kt_scan_add_spn(state->keytabs, spn, conf);
- if (!ADS_ERR_OK(status)) {
- return status;
- }
- spn = tmp;
+ /* Entries are separated via ':' */
+ while ((tmp = strchr_m(olist, ':')) != NULL) {
+ *tmp = 0;
+ tmp++;
+ status = pw2kt_scan_spec(gstate->keytabs, gstate, desc, olist);
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
+ olist = tmp;
+ if (*olist == 0) {
+ DBG_ERR("Invalid syntax (trailing ':'): %s\n", line);
+ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
- /* Do not forget the last entry */
- return pw2kt_scan_add_spn(state->keytabs, spn, conf);
- } else {
- DBG_WARNING("Invalid SPN specifier: %s\n", spn_spec);
- return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
}
-
- return ADS_SUCCESS;
+ /* Process the last entry */
+ return pw2kt_scan_spec(gstate->keytabs, gstate, desc, olist);
}
/*
- * Fill struct pw2kt_state with defaults if "sync machine password to keytab"
- * is missing in smb.conf
+ * Fill struct pw2kt_global_state with defaults if
+ * "sync machine password to keytab" is missing in smb.conf
+ * Creates 1 keytab with 3 SPN specifiers (sync_spns, account_name, host).
*/
-static ADS_STATUS pw2kt_default_cfg(const char *name, struct pw2kt_state
*state)
+static ADS_STATUS pw2kt_default_cfg(const char *name,
+ struct pw2kt_global_state *state)
{
char *keytabname = NULL;
- struct pw2kt_conf *conf = NULL;