The branch, master has been updated
       via  7cae7aad1ca docs: Update documentation for 'sync machine password to keytab'
       via  ccc3b2b2fba s3:libads: Remove specifier for 'host' principal from 'sync machine password to keytab'
      from  3e1c19c2c3f pytests: test pysmbd with relative path names via samba-tool ntacl

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 7cae7aad1ca6dcd5e0a3a102f36af74fa49a2c2b
Author: Pavel Filipenský <[email protected]>
Date:   Fri Feb 14 17:27:26 2025 +0100

    docs: Update documentation for 'sync machine password to keytab'
    
    Use specifier 'spn_prefixes=host' instead of 'host'
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15759
    
    Signed-off-by: Pavel Filipenský <[email protected]>
    Reviewed-by: Stefan Metzmacher <[email protected]>
    
    Autobuild-User(master): Pavel Filipensky <[email protected]>
    Autobuild-Date(master): Sat Feb 15 19:21:56 UTC 2025 on atb-devel-224

commit ccc3b2b2fba7b5d223c79bffc0f655490aed19cf
Author: Pavel Filipenský <[email protected]>
Date:   Fri Feb 14 17:28:54 2025 +0100

    s3:libads: Remove specifier for 'host' principal from 'sync machine password to keytab'
    
    Use specifier 'spn_prefixes=host' instead of 'host'
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15759
    
    Signed-off-by: Pavel Filipenský <[email protected]>
    Reviewed-by: Stefan Metzmacher <[email protected]>

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/manpages/net.8.xml                        |  4 +-
 .../security/syncmachinepasswordtokeytab.xml       | 11 +++--
 selftest/target/Samba3.pm                          |  6 +--
 source3/libads/kerberos_keytab.c                   | 21 +++-------
 source3/script/tests/test_update_keytab.sh         | 48 ----------------------
 5 files changed, 16 insertions(+), 74 deletions(-)


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
index 39ae5c79508..05191236ecc 100644
--- a/docs-xml/manpages/net.8.xml
+++ b/docs-xml/manpages/net.8.xml
@@ -1564,10 +1564,10 @@ keytab"/> is missing.
 <para>
 Till Samba 4.20, these entries were created by default: the account name
 COMPUTER$, 'host' principal and SPNs synced from AD. Example below generates
-such keytab ('host' is added implicitly):
+such keytab:
 </para>
 <programlisting>
-<smbconfoption name="sync machine password to 
keytab">/etc/krb5.keytab:account_name:sync_spns:sync_kvno:machine_password</smbconfoption>
+<smbconfoption name="sync machine password to 
keytab">/etc/krb5.keytab:spn_prefixes=host:account_name:sync_spns:sync_kvno:machine_password</smbconfoption>
 </programlisting>
 <para>
 No changes are made to the computer AD account.
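Review bot: the manpage no longer tells an upgrading admin that 'host' has stopped being implicit; the removed "('host' is added implicitly)" was the only place net.8 said so. A sentence next to the example, e.g. "The 'host' principal is only created when it is listed in spn_prefixes", would stop existing explicit settings from silently losing their host/ entries after the upgrade.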
diff --git a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml 
b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
index 02eaf3162c0..ec3fffc1119 100644
--- a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
+++ b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
@@ -39,12 +39,10 @@ spns=value1[,value2[...]]
 </para>
 
 <para>
-Every keytab contains the 'host' principal and principals according the 
specification below:
+Every keytab contains principals according the specification below:
 <programlisting>
 account_name      - COMPUTER$@REALM
 sync_account_name - uses attribute "sAMAccountName" from AD
-host              - always present, no need to specify it explicitly
-                    the 'host' principal is created for the same variants 
(netbios name, dns hostname, netbiosalias, additional_dns_hostname) as in 
spn_prefixes
 sync_upn          - uses attribute "userPrincipalName" (if exists in AD)
 sync_spns         - uses attribute "servicePrincipalName" (if exists in AD)
 spn_prefixes      - creates these two principals from each prefix. e.g.:
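Review bot: grammar in the added line: "contains principals according the specification below" should read "according to the specification below". The defect was already in the removed line, but since the line is rewritten anyway it is worth fixing here.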
@@ -55,6 +53,7 @@ spn_prefixes      - creates these two principals from each 
prefix. e.g.:
                       prefix/netbiosalias.dnsdomain@REALM
                     with :additional_dns_hostnames for each 
additionaldnshostname in <smbconfoption name="additional dns hostnames"/>
                       prefix/additionaldnshostname@REALM
+                  - 'host' principal should be created using specifier 
spn_prefixes
 spns              - creates only the principals defined in the list
 </programlisting>
 'account_name' and 'sync_account_name' are the same, just the source differs 
(secrets.tdb vs. AD).
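Review bot: the added bullet "'host' principal should be created using specifier spn_prefixes" is indented as a continuation of spn_prefixes but reads like a standalone rule, and "should" is ambiguous. Clearer as an explicit migration hint such as "'host' is no longer added implicitly; list it in spn_prefixes (e.g. spn_prefixes=host,cifs)" so readers searching for the old 'host' keyword find the replacement. The variant list from the removed text (netbios name, dns hostname, netbiosalias, additional_dns_hostname) is already covered by the spn_prefixes description above, so no information is lost.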
@@ -65,8 +64,8 @@ Options:
 <programlisting>
 sync_etypes              - attribute "msDS-SupportedEncryptionTypes" is read 
from AD and is used to find the highest common enc type for AD and KRB5 lib.
 sync_kvno                - attribute "msDS-KeyVersionNumber" from AD is used 
to set KVNO. If this option is missing, KVNO is set to -1.
-netbios_aliases          - evaluated only for spn_prefixes (see details above) 
and for the 'host' principal.
-additional_dns_hostnames - evaluated only for spn_prefixes (see details above) 
and for the 'host' principal.
+netbios_aliases          - evaluated only for spn_prefixes (see details above).
+additional_dns_hostnames - evaluated only for spn_prefixes (see details above).
 machine_password         - mandatory, if missing the entry is ignored. For 
future use.
 </programlisting>
 </para>
@@ -82,7 +81,7 @@ Example:
 
"/path/to/keytab5:spn_prefixes=imap,smtp:netbios_aliases:additional_dns_hostnames:sync_kvno:machine_password",
 "/path/to/keytab6:spns=wurst/brot@REALM:machine_password",
 
"/path/to/keytab7:spns=wurst/brot@REALM,wurst2/brot@REALM:sync_kvno:machine_password",
-"/path/to/keytab8:account_name:sync_account_name:host:sync_upn:sync_spns:spn_prefixes=cifs,http:spns=wurst/brot@REALM:sync_kvno:machine_password"
+"/path/to/keytab8:sync_account_name:sync_upn:sync_spns:spn_prefixes=host,cifs,http:spns=wurst/brot@REALM:sync_kvno:machine_password"
 </programlisting>
 If sync_etypes or sync_kvno or sync_spns is present then winbind connects to 
DC. For "offline domain join" it might be useful not to use these options.
 </para>
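Review bot: the keytab8 example drops account_name as well as host, which the commit message ("Use specifier 'spn_prefixes=host' instead of 'host'") does not cover. Since the text above says account_name and sync_account_name produce the same principal from different sources, removing the duplicate is reasonable, but either say so in the commit message or keep account_name so the example continues to list every specifier as it did before.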
diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm
index a6c2917d410..8906608bc1f 100755
--- a/selftest/target/Samba3.pm
+++ b/selftest/target/Samba3.pm
@@ -804,11 +804,11 @@ sub provision_ad_member
        
\"$prefix_abs/keytab0k:account_name:sync_kvno:machine_password:sync_etypes\", \\
        \"$prefix_abs/keytab1:sync_spns:machine_password:sync_etypes\", \\
        
\"$prefix_abs/keytab1k:sync_spns:sync_kvno:machine_password:sync_etypes\", \\
-       
\"$prefix_abs/keytab2:spn_prefixes=imap,smtp:additional_dns_hostnames:netbios_aliases:machine_password:sync_etypes\",
 \\
-       
\"$prefix_abs/keytab2k:spn_prefixes=imap,smtp:additional_dns_hostnames:sync_kvno:machine_password:sync_etypes\",
 \\
+       
\"$prefix_abs/keytab2:spn_prefixes=host,imap,smtp:additional_dns_hostnames:netbios_aliases:machine_password:sync_etypes\",
 \\
+       
\"$prefix_abs/keytab2k:spn_prefixes=host,imap,smtp:additional_dns_hostnames:sync_kvno:machine_password:sync_etypes\",
 \\
        
\"$prefix_abs/keytab3:spns=wurst/brot\@$dcvars->{REALM}:machine_password:sync_etypes\",
 \\
        
\"$prefix_abs/keytab3k:spns=wurst/brot\@$dcvars->{REALM},wurst1/brot\@$dcvars->{REALM},wurst2/brot\@$dcvars->{REALM}:sync_kvno:machine_password:sync_etypes\",
 \\
-       
\"$prefix_abs/keytab4k:account_name:sync_account_name:spn_prefixes=imap,smtp:additional_dns_hostnames:netbios_aliases:spns=wurst/brot\@$dcvars->{REALM},wurst1/brot\@$dcvars->{REALM},wurst2/brot\@$dcvars->{REALM}:sync_kvno:machine_password:sync_etypes\"
+       
\"$prefix_abs/keytab4k:account_name:sync_account_name:spn_prefixes=host,imap,smtp:additional_dns_hostnames:netbios_aliases:spns=wurst/brot\@$dcvars->{REALM},wurst1/brot\@$dcvars->{REALM},wurst2/brot\@$dcvars->{REALM}:sync_kvno:machine_password:sync_etypes\"
        ";
        }
 
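Review bot: keytab0/keytab0k/keytab1/keytab1k/keytab3/keytab3k keep their previous specs, so they must now come out without host/ entries, while keytab2/keytab2k/keytab4k gain spn_prefixes=host. That covers both the removed implicit behaviour and its replacement, which is good; note that the expected outputs for keytab2/keytab2k/keytab4k in test_update_keytab.sh must change accordingly, and the truncated changeset below does not show those blocks.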
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index 619a7bda0d4..5913db299ad 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -44,7 +44,6 @@
 enum spn_spec_type {
        SPN_SPEC_ACCOUNT_NAME,
        SPN_SPEC_SYNC_ACCOUNT_NAME,
-       SPN_SPEC_HOST,
        SPN_SPEC_SYNC_UPN,
        SPN_SPEC_SYNC_SPNS,
        SPN_SPEC_FULL,
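Review bot: removing SPN_SPEC_HOST shifts the numeric value of every later enum member. That is harmless as long as spec_array is only ever indexed by these enum names within this file, but check for a trailing sentinel member that sizes spec_array and for any numeric use of the values elsewhere; the hunk does not show either.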
@@ -164,8 +163,6 @@ static ADS_STATUS pw2kt_scan_spec(TALLOC_CTX *ctx,
        } else if (strequal(option, "sync_account_name")) {
                spec_type = SPN_SPEC_SYNC_ACCOUNT_NAME;
                gstate->sync_sam_account = true;
-       } else if (strequal(option, "host")) {
-               spec_type = SPN_SPEC_HOST;
        } else if (strequal(option, "sync_upn")) {
                spec_type = SPN_SPEC_SYNC_UPN;
                gstate->sync_upn = true;
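Review bot: an smb.conf that still carries the old ':host' specifier now falls through to whatever the final else branch of pw2kt_scan_spec() does for unknown options, which this hunk does not show. Make sure that path logs an error naming the rejected option and the replacement (spn_prefixes=host) rather than ignoring it, otherwise the only symptom of a stale configuration will be missing host/ keys.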
@@ -251,9 +248,6 @@ static ADS_STATUS pw2kt_scan_line(const char *line,
        *olist = 0;
        olist++;
 
-       /* Always add 'host' principal */
-       desc->spec_array[SPN_SPEC_HOST].is_set = true;
-
        /* Entries are separated via ':' */
        while ((tmp = strchr_m(olist, ':')) != NULL) {
                *tmp = 0;
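Review bot: this is the behaviour change of the series: every existing explicit "sync machine password to keytab" entry without spn_prefixes=host stops receiving host/ entries on the next sync. The code change itself is fine and is what lets SPN_SPEC_HOST go from the enum, but since the bug number is referenced, a WHATSNEW/release-notes entry describing the migration (add spn_prefixes=host) would be appropriate.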
@@ -275,7 +269,8 @@ static ADS_STATUS pw2kt_scan_line(const char *line,
 /*
  * Fill struct pw2kt_global_state with defaults if
  * "sync machine password to keytab" is missing in smb.conf
- * Creates 1 keytab with 3 SPN specifiers (sync_spns, account_name, host).
+ * Creates 1 keytab with these SPN specifiers:
+ *   sync_spns:account_name:spn_prefixes=host:sync_kvno:machine_password
  */
 static ADS_STATUS pw2kt_default_cfg(const char *name,
                                    struct pw2kt_global_state *state)
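Review bot: the updated comment lists sync_kvno and machine_password, but the visible body of pw2kt_default_cfg() in the next hunk only sets SYNC_SPNS, ACCOUNT_NAME and PREFIX; if those two are set above the hunk that is fine, otherwise the comment overstates the default. The specifier order in the comment (sync_spns:account_name:...) also differs from the default example in net.8.xml (account_name:sync_spns:...); harmless, but keeping them identical avoids confusion.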
@@ -302,9 +297,11 @@ static ADS_STATUS pw2kt_default_cfg(const char *name,
 
        desc->spec_array[SPN_SPEC_SYNC_SPNS].is_set = true;
        desc->spec_array[SPN_SPEC_ACCOUNT_NAME].is_set = true;
-       desc->spec_array[SPN_SPEC_HOST].is_set = true;
+       desc->spec_array[SPN_SPEC_PREFIX].is_set = true;
 
-       return ADS_SUCCESS;
+       return pw2kt_add_val(state->keytabs,
+                            &desc->spec_array[SPN_SPEC_PREFIX],
+                            "host");
 }
 
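Review bot: good that the status from pw2kt_add_val() is propagated instead of an unconditional ADS_SUCCESS. Confirm that pw2kt_add_val() returns ADS_STATUS and that the caller of pw2kt_default_cfg() already checks its result, since the default-configuration path previously could not fail at this point. A one-line comment that "host" here is the literal prefix value rather than a specifier keyword would help the next reader.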
 /*
@@ -590,12 +587,6 @@ static ADS_STATUS pw2kt_process_specifier(struct 
pw2kt_global_state *gstate,
        case SPN_SPEC_SYNC_ACCOUNT_NAME:
                ADD_INFO(gstate->ad_sam_account);
                break;
-       case SPN_SPEC_HOST:
-               status = pw2kt_add_prefix(gstate, state2, keytabptr, "host");
-               if (!ADS_ERR_OK(status)) {
-                       return status;
-               }
-               break;
        case SPN_SPEC_SYNC_UPN:
                if (gstate->ad_upn != NULL) {
                        ADD_INFO(gstate->ad_upn);
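Review bot: with the SPN_SPEC_HOST case gone, "host" is handled by the SPN_SPEC_PREFIX path like any other prefix, so the netbios_aliases/additional_dns_hostnames handling is shared rather than duplicated; one special case fewer. If this switch has no default: label, dropping the enum member keeps -Wswitch coverage intact, which is another reason not to leave a dead SPN_SPEC_HOST value behind.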
diff --git a/source3/script/tests/test_update_keytab.sh 
b/source3/script/tests/test_update_keytab.sh
index 0b7dcf0d7d5..964e71036fd 100755
--- a/source3/script/tests/test_update_keytab.sh
+++ b/source3/script/tests/test_update_keytab.sh
@@ -40,48 +40,18 @@ keytab0="\
  -2  aes256-cts-hmac-sha1-96                     
ADMEMIDMAPNSS\[email protected]
  -3  aes128-cts-hmac-sha1-96                     
ADMEMIDMAPNSS\[email protected]
  -3  aes256-cts-hmac-sha1-96                     
ADMEMIDMAPNSS\[email protected]
- -1  arcfour-hmac-md5                            
host/[email protected]
- -2  arcfour-hmac-md5                            
host/[email protected]
- -3  arcfour-hmac-md5                            
host/[email protected]
- -1  aes128-cts-hmac-sha1-96                     
host/[email protected]
- -1  aes256-cts-hmac-sha1-96                     
host/[email protected]
- -2  aes128-cts-hmac-sha1-96                     
host/[email protected]
- -2  aes256-cts-hmac-sha1-96                     
host/[email protected]
- -3  aes128-cts-hmac-sha1-96                     
host/[email protected]
- -3  aes256-cts-hmac-sha1-96                     
host/[email protected]
- -1  arcfour-hmac-md5                            
host/[email protected]
- -2  arcfour-hmac-md5                            
host/[email protected]
- -3  arcfour-hmac-md5                            
host/[email protected]
- -1  aes128-cts-hmac-sha1-96                     
host/[email protected]
- -1  aes256-cts-hmac-sha1-96                     
host/[email protected]
- -2  aes128-cts-hmac-sha1-96                     
host/[email protected]
- -2  aes256-cts-hmac-sha1-96                     
host/[email protected]
- -3  aes128-cts-hmac-sha1-96                     
host/[email protected]
- -3  aes256-cts-hmac-sha1-96                     
host/[email protected]
 ";
 
 keytab0k="\
   4  aes256-cts-hmac-sha1-96                     
ADMEMIDMAPNSS\[email protected]
   5  aes256-cts-hmac-sha1-96                     
ADMEMIDMAPNSS\[email protected]
   6  aes256-cts-hmac-sha1-96                     
ADMEMIDMAPNSS\[email protected]
-  4  aes256-cts-hmac-sha1-96                     
host/[email protected]
-  5  aes256-cts-hmac-sha1-96                     
host/[email protected]
-  6  aes256-cts-hmac-sha1-96                     
host/[email protected]
-  4  aes256-cts-hmac-sha1-96                     
host/[email protected]
-  5  aes256-cts-hmac-sha1-96                     
host/[email protected]
-  6  aes256-cts-hmac-sha1-96                     
host/[email protected]
 ";
 
 keytab1="\
- -1  aes256-cts-hmac-sha1-96                     
host/[email protected]
- -2  aes256-cts-hmac-sha1-96                     
host/[email protected]
- -3  aes256-cts-hmac-sha1-96                     
host/[email protected]
  -1  aes256-cts-hmac-sha1-96                     
HOST/[email protected]
  -2  aes256-cts-hmac-sha1-96                     
HOST/[email protected]
  -3  aes256-cts-hmac-sha1-96                     
HOST/[email protected]
- -1  aes256-cts-hmac-sha1-96                     
host/[email protected]
- -2  aes256-cts-hmac-sha1-96                     
host/[email protected]
- -3  aes256-cts-hmac-sha1-96                     
host/[email protected]
  -1  aes256-cts-hmac-sha1-96                     
HOST/[email protected]
  -2  aes256-cts-hmac-sha1-96                     
HOST/[email protected]
  -3  aes256-cts-hmac-sha1-96                     
HOST/[email protected]
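Review bot: the expected keytab0/keytab0k/keytab1 outputs lose the lowercase host/ lines while keytab1 keeps the HOST/ entries that come from sync_spns, which demonstrates that host/ is no longer implicit while SPN-derived entries are unaffected. The removed keytab0 block also held the only visible arcfour-hmac-md5 expectations (all for host/ principals); if RC4 key handling for an explicitly requested host/ principal should stay covered, the keytab2 expectations (configured with spn_prefixes=host in Samba3.pm) are the place for it.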
@@ -118,15 +88,9 @@ keytab1="\
 ";
 
 keytab1k="\
-  4  aes256-cts-hmac-sha1-96                     
host/[email protected]
-  5  aes256-cts-hmac-sha1-96                     
host/[email protected]
-  6  aes256-cts-hmac-sha1-96                     
host/[email protected]
   4  aes256-cts-hmac-sha1-96                     
HOST/[email protected]
   5  aes256-cts-hmac-sha1-96                     
HOST/[email protected]
   6  aes256-cts-hmac-sha1-96                     
HOST/[email protected]
-  4  aes256-cts-hmac-sha1-96                     
host/[email protected]
-  5  aes256-cts-hmac-sha1-96                     
host/[email protected]
-  6  aes256-cts-hmac-sha1-96                     
host/[email protected]
   4  aes256-cts-hmac-sha1-96                     
HOST/[email protected]
   5  aes256-cts-hmac-sha1-96                     
HOST/[email protected]
   6  aes256-cts-hmac-sha1-96                     
HOST/[email protected]
@@ -295,24 +259,12 @@ keytab2k="\
 ";
 
 keytab3="\
- -1  aes256-cts-hmac-sha1-96                     
host/[email protected]
- -2  aes256-cts-hmac-sha1-96                     
host/[email protected]
- -3  aes256-cts-hmac-sha1-96                     
host/[email protected]
- -1  aes256-cts-hmac-sha1-96                     
host/[email protected]
- -2  aes256-cts-hmac-sha1-96                     
host/[email protected]
- -3  aes256-cts-hmac-sha1-96                     
host/[email protected]
  -1  aes256-cts-hmac-sha1-96                     
wurst/[email protected]
  -2  aes256-cts-hmac-sha1-96                     
wurst/[email protected]
  -3  aes256-cts-hmac-sha1-96                     
wurst/[email protected]
 ";
 
 keytab3k="\
-  4  aes256-cts-hmac-sha1-96                     
host/[email protected]
-  5  aes256-cts-hmac-sha1-96                     
host/[email protected]
-  6  aes256-cts-hmac-sha1-96                     
host/[email protected]
-  4  aes256-cts-hmac-sha1-96                     
host/[email protected]
-  5  aes256-cts-hmac-sha1-96                     
host/[email protected]
-  6  aes256-cts-hmac-sha1-96                     
host/[email protected]
   4  aes256-cts-hmac-sha1-96                     
wurst1/[email protected]
   5  aes256-cts-hmac-sha1-96                     
wurst1/[email protected]
   6  aes256-cts-hmac-sha1-96                     
wurst1/[email protected]
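Review bot: the changeset is truncated at 500 lines, so the updated expectations for keytab2, keytab2k and keytab4k (which gain spn_prefixes=host in Samba3.pm) are not visible here. Those blocks are the part of the test that proves the replacement works and should now contain host/ entries for the netbios name and dns hostname (plus netbios alias and additional dns hostname where those options are set). keytab3/keytab3k, configured with spns= only, correctly lose all host/ lines.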


-- 
Samba Shared Repository
