From 2a8fc43048266282c3f04acc2712d9ad93a61855 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= Date: Thu, 1 Aug 2024 21:49:19 +0200 Subject: [PATCH 1/4] docs:smbdotconf: Improve formatting of 'sync machine password to keytab' MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Hint: review this commit with ignoring white space changes. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689 Signed-off-by: Pavel Filipenský Reviewed-by: Reviewed-by: Martin Schwenke (cherry picked from commit 6c627903ee466cd1559d7f58821221c4dd668d1f) --- .../security/syncmachinepasswordtokeytab.xml | 77 ++++++++++--------- 1 file changed, 42 insertions(+), 35 deletions(-) diff --git a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml index 48d89213acf..b749ecb5c66 100644 --- a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml +++ b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml @@ -3,8 +3,9 @@ type="cmdlist" xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> - This option allows you to describe what keytabs and how should be - updated when machine account is changed via one of these commands + +This option allows you to describe what keytabs and how should be updated when +machine account is changed via one of these commands wbinfo --change-secret @@ -13,57 +14,63 @@ net rpc changetrustpw net ads changetrustpw - or by winbindd doing regular updates (see ) - +or by winbindd doing regular updates (see ) -The option takes a list of keytab strings. Each string has this form: - + +The option takes a list of keytab strings. Each string has this form: - absolute_path_to_keytab:spn_spec[:sync_etypes][:sync_kvno][:netbios_aliases][:additional_dns_hostnames][:machine_password] +absolute_path_to_keytab:spn_spec[:sync_etypes][:sync_kvno][:netbios_aliases][:additional_dns_hostnames][:machine_password] - where spn_spec can have exactly one of these three forms: +where spn_spec can have exactly one of these four forms: - account_name - sync_spns - spn_prefixes=value1[,value2[...]] - spns=value1[,value2[...]] +account_name +sync_spns +spn_prefixes=value1[,value2[...]] +spns=value1[,value2[...]] - - No other combinations are allowed. - - Specifiers: - account_name - creates entry using principal 'computer$@REALM'. - sync_spns - uses principals received from AD DC. - spn_prefixes - creates principals from the prefixes and adds netbios_aliases or additional_dns_hostnames if specified. - spns - creates only the principals defined in the list. +No other combinations are allowed. + - Options: - sync_etypes - parameter "msDS-SupportedEncryptionTypes" is read from DC and is used to find the highest common enc type for AD and KRB5 lib. - sync_kvno - the key version number ("msDS-KeyVersionNumber") is synchronized from DC, otherwise is set to -1. - netbios_aliases - evaluated only for SPN_SPEC_PREFIX. If present, PREFIX/netbiosname@REALM and PREFIX/netbiosname.domainname@REALM are added for each alias. See - additional_dns_hostnames - evaluated only for SPN_SPEC_PREFIX. If present, PREFIX/dnshostname@REALM is added for each dns name. See - machine_password - mandatory, if missing the entry is ignored. For future use. + +Specifiers: + +account_name - creates entry using principal 'computer$@REALM'. +sync_spns - uses principals received from AD DC. +spn_prefixes - creates principals from the prefixes and adds netbios_aliases or additional_dns_hostnames if specified. +spns - creates only the principals defined in the list. + + +Options: + +sync_etypes - parameter "msDS-SupportedEncryptionTypes" is read from DC and is used to find the highest common enc type for AD and KRB5 lib. +sync_kvno - the key version number ("msDS-KeyVersionNumber") is synchronized from DC, otherwise is set to -1. +netbios_aliases - evaluated only for SPN_SPEC_PREFIX. If present, PREFIX/netbiosname@REALM and PREFIX/netbiosname.domainname@REALM are added for each alias. See +additional_dns_hostnames - evaluated only for SPN_SPEC_PREFIX. If present, PREFIX/dnshostname@REALM is added for each dns name. See +machine_password - mandatory, if missing the entry is ignored. For future use. + + Example: - "/path/to/keytab0:account_name:machine_password", - "/path/to/keytab1:account_name:sync_etypes:sync_kvno:machine_password", - "/path/to/keytab2:sync_spns:machine_password", - "/path/to/keytab3:sync_spns:sync_kvno:machine_password", - "/path/to/keytab4:spn_prefixes=imap,smtp:machine_password", - "/path/to/keytab5:spn_prefixes=imap,smtp:netbios_aliases:additional_dns_hostnames:sync_kvno:machine_password", - "/path/to/keytab6:spns=wurst/brot@REALM:machine_password", - "/path/to/keytab7:spns=wurst/brot@REALM,wurst2/brot@REALM:sync_kvno:machine_password" +"/path/to/keytab0:account_name:machine_password", +"/path/to/keytab1:account_name:sync_etypes:sync_kvno:machine_password", +"/path/to/keytab2:sync_spns:machine_password", +"/path/to/keytab3:sync_spns:sync_kvno:machine_password", +"/path/to/keytab4:spn_prefixes=imap,smtp:machine_password", +"/path/to/keytab5:spn_prefixes=imap,smtp:netbios_aliases:additional_dns_hostnames:sync_kvno:machine_password", +"/path/to/keytab6:spns=wurst/brot@REALM:machine_password", +"/path/to/keytab7:spns=wurst/brot@REALM,wurst2/brot@REALM:sync_kvno:machine_password" If sync_etypes or sync_kvno or sync_spns is present then winbind connects to DC. For "offline domain join" it might be useful not to use these options. -If no value is present, winbind uses value /path/to/keytab:sync_spns:sync_kvno:machine_password +If no value is present, winbind uses value /path/to/keytab:sync_spns:sync_kvno:machine_password where the path to the keytab is obtained either from the krb5 library or from + -- 2.45.2 From 76379574928d4c39b799e7ba47de2d28c788f9b9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= Date: Thu, 1 Aug 2024 22:39:56 +0200 Subject: [PATCH 2/4] docs-xml: Fix trailing whitespace in net.8.xml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689 Signed-off-by: Pavel Filipenský Reviewed-by: Reviewed-by: Martin Schwenke (cherry picked from commit 374680010d42d3bca52791159dba7b42eb8d0d6c) --- docs-xml/manpages/net.8.xml | 120 ++++++++++++++++++------------------ 1 file changed, 60 insertions(+), 60 deletions(-) diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml index c284cc25b49..f0b3df793d4 100644 --- a/docs-xml/manpages/net.8.xml +++ b/docs-xml/manpages/net.8.xml @@ -80,12 +80,12 @@ This tool is part of the samba 7 suite. - The Samba net utility is meant to work just like the net utility - available for windows and DOS. The first argument should be used - to specify the protocol to use when executing a certain command. - ADS is used for ActiveDirectory, RAP is using for old (Win9x/NT3) - clients and RPC can be used for NT4 and Windows 2000. If this - argument is omitted, net will try to determine it automatically. + The Samba net utility is meant to work just like the net utility + available for windows and DOS. The first argument should be used + to specify the protocol to use when executing a certain command. + ADS is used for ActiveDirectory, RAP is using for old (Win9x/NT3) + clients and RPC can be used for NT4 and Windows 2000. If this + argument is omitted, net will try to determine it automatically. Not all commands are available on all protocols. @@ -98,7 +98,7 @@ -w|--target-workgroup target-workgroup - Sets target workgroup or domain. You have to specify + Sets target workgroup or domain. You have to specify either this option or the IP address or the name of a server. @@ -115,7 +115,7 @@ -p|--port port - Port on the target server to connect to (usually 139 or 445). + Port on the target server to connect to (usually 139 or 445). Defaults to trying 445 first, then 139. @@ -123,7 +123,7 @@ -S|--server server - Name of target server. You should specify either + Name of target server. You should specify either this option or a target workgroup or a target IP address. @@ -524,7 +524,7 @@ YOU HAVE BEEN WARNED. TIME -Without any options, the NET TIME command +Without any options, the NET TIME command displays the time on the remote server. The remote server must be specified with the -S option. @@ -542,7 +542,7 @@ The remote server must be specified with the -S option. TIME SET -Tries to set the date and time of the local server to that on +Tries to set the date and time of the local server to that on the remote server using /bin/date. The remote server must be specified with the -S option. @@ -565,8 +565,8 @@ The remote server must be specified with the -S option. [osName=string osVer=string] [options] -Join a domain. If the account already exists on the server, and -[TYPE] is MEMBER, the machine will attempt to join automatically. +Join a domain. If the account already exists on the server, and +[TYPE] is MEMBER, the machine will attempt to join automatically. (Assuming that the machine has been created in server manager) Otherwise, a password will be prompted for, and a new account may be created. @@ -590,7 +590,7 @@ format is host/netbiosname@REALM. [OU] (ADS only) Precreate the computer account in a specific OU. The OU string reads from top to bottom without RDNs, and is delimited by a '/'. Please note that '\' is used for escape by both the shell -and ldap, so it may need to be doubled or quadrupled to pass through, +and ldap, so it may need to be doubled or quadrupled to pass through, and it is not used as a delimiter. @@ -607,8 +607,8 @@ must be specified for either to take effect. [RPC] OLDJOIN [options] -Join a domain. Use the OLDJOIN option to join the domain -using the old style of domain joining - you need to create a trust +Join a domain. Use the OLDJOIN option to join the domain +using the old style of domain joining - you need to create a trust account in server manager first. @@ -692,8 +692,8 @@ account in server manager first. [RAP|RPC] SHARE ADD <replaceable>name=serverpath</replaceable> [-C comment] [-M maxusers] [targets] -Adds a share from a server (makes the export active). Maxusers -specifies the number of users that can be connected to the +Adds a share from a server (makes the export active). Maxusers +specifies the number of users that can be connected to the share simultaneously. @@ -718,7 +718,7 @@ share simultaneously. [RPC|RAP] FILE CLOSE <replaceable>fileid</replaceable> -Close file with specified fileid on +Close file with specified fileid on remote server. @@ -727,7 +727,7 @@ remote server. [RPC|RAP] FILE INFO <replaceable>fileid</replaceable> -Print information on specified fileid. +Print information on specified fileid. Currently listed are: file-id, username, locks, path, permissions. @@ -739,7 +739,7 @@ Currently listed are: file-id, username, locks, path, permissions. List files opened by specified user. Please note that net rap file user does not work -against Samba servers. +against Samba servers. @@ -752,7 +752,7 @@ against Samba servers. RAP SESSION -Without any other options, SESSION enumerates all active SMB/CIFS +Without any other options, SESSION enumerates all active SMB/CIFS sessions on the target server. @@ -784,7 +784,7 @@ to local domain. RAP DOMAIN -Lists all domains and workgroups visible on the +Lists all domains and workgroups visible on the current network. @@ -796,7 +796,7 @@ current network. RAP PRINTQ INFO <replaceable>QUEUE_NAME</replaceable> Lists the specified print queue and print jobs on the server. -If the QUEUE_NAME is omitted, all +If the QUEUE_NAME is omitted, all queues are listed. @@ -814,9 +814,9 @@ queues are listed. RAP VALIDATE <replaceable>user</replaceable> [<replaceable>password</replaceable>] -Validate whether the specified user can log in to the -remote server. If the password is not specified on the commandline, it -will be prompted. +Validate whether the specified user can log in to the +remote server. If the password is not specified on the commandline, it +will be prompted. ¬.implemented; @@ -852,7 +852,7 @@ will be prompted. RAP ADMIN <replaceable>command</replaceable> -Execute the specified command on +Execute the specified command on the remote server. Only works with OS/2 servers. @@ -899,7 +899,7 @@ Change password of USER from OLDPASSLOOKUP HOST HOSTNAME [TYPE] -Lookup the IP address of the given host with the specified type (netbios suffix). +Lookup the IP address of the given host with the specified type (netbios suffix). The type defaults to 0x20 (workstation). @@ -965,7 +965,7 @@ or workgroup. Defaults to local domain. CACHE -Samba uses a general caching interface called 'gencache'. It +Samba uses a general caching interface called 'gencache'. It can be controlled using 'NET CACHE'. All the timeout parameters support the suffixes: @@ -1044,7 +1044,7 @@ omitted, the SID of the local server. GETDOMAINSID -Prints the local machine SID and the SID of the current +Prints the local machine SID and the SID of the current domain. @@ -1158,15 +1158,15 @@ such as domain name, domain sid and number of users and groups. RPC TRUSTDOM ADD <replaceable>DOMAIN</replaceable> -Add a interdomain trust account for DOMAIN. -This is in fact a Samba account named DOMAIN$ -with the account flag 'I' (interdomain trust account). +Add a interdomain trust account for DOMAIN. +This is in fact a Samba account named DOMAIN$ +with the account flag 'I' (interdomain trust account). This is required for incoming trusts to work. It makes Samba be a trusted domain of the foreign (trusting) domain. Users of the Samba domain will be made available in the foreign domain. -If the command is used against localhost it has the same effect as +If the command is used against localhost it has the same effect as smbpasswd -a -i DOMAIN. Please note that both commands -expect a appropriate UNIX account. +expect a appropriate UNIX account. @@ -1174,9 +1174,9 @@ expect a appropriate UNIX account. RPC TRUSTDOM DEL <replaceable>DOMAIN</replaceable> -Remove interdomain trust account for -DOMAIN. If it is used against localhost -it has the same effect as smbpasswd -x DOMAIN$. +Remove interdomain trust account for +DOMAIN. If it is used against localhost +it has the same effect as smbpasswd -x DOMAIN$. @@ -1185,7 +1185,7 @@ it has the same effect as smbpasswd -x DOMAIN$. RPC TRUSTDOM ESTABLISH <replaceable>DOMAIN</replaceable> -Establish a trust relationship to a trusted domain. +Establish a trust relationship to a trusted domain. Interdomain account must already be created on the remote PDC. This is required for outgoing trusts to work. It makes Samba be a trusting domain of a foreign (trusted) domain. @@ -1326,9 +1326,9 @@ net rpc trust delete \ RPC RIGHTS -This subcommand is used to view and manage Samba's rights assignments (also -referred to as privileges). There are three options currently available: -list, grant, and +This subcommand is used to view and manage Samba's rights assignments (also +referred to as privileges). There are three options currently available: +list, grant, and revoke. More details on Samba's privilege model and its use can be found in the Samba-HOWTO-Collection. @@ -1367,14 +1367,14 @@ Force shutting down all applications. -t timeout -Timeout before system will be shut down. An interactive +Timeout before system will be shut down. An interactive user of the system can use this time to cancel the shutdown. -C message -Display the specified message on the screen to +Display the specified message on the screen to announce the shutdown. @@ -1391,8 +1391,8 @@ to run this against the PDC, from a Samba machine joined as a BDC. RPC VAMPIRE -Export users, aliases and groups from remote server to -local server. You need to run this against the PDC, from a Samba machine joined as a BDC. +Export users, aliases and groups from remote server to +local server. You need to run this against the PDC, from a Samba machine joined as a BDC. This vampire command cannot be used against an Active Directory, only against an NT4 Domain Controller. @@ -1486,7 +1486,7 @@ against an NT4 Domain Controller. ADS STATUS Print out status of machine account of the local machine in ADS. -Prints out quite some debug info. Aimed at developers, regular +Prints out quite some debug info. Aimed at developers, regular users should use NET ADS TESTJOIN. @@ -1498,7 +1498,7 @@ users should use NET ADS TESTJOIN. ADS PRINTER INFO [<replaceable>PRINTER</replaceable>] [<replaceable>SERVER</replaceable>] -Lookup info for PRINTER on SERVER. The printer name defaults to "*", the +Lookup info for PRINTER on SERVER. The printer name defaults to "*", the server name defaults to the local host. @@ -1522,8 +1522,8 @@ server name defaults to the local host. ADS SEARCH <replaceable>EXPRESSION</replaceable> <replaceable>ATTRIBUTES...</replaceable> -Perform a raw LDAP search on a ADS server and dump the results. The -expression is a standard LDAP search expression, and the +Perform a raw LDAP search on a ADS server and dump the results. The +expression is a standard LDAP search expression, and the attributes are a list of LDAP fields to show in the results. Example: net ads search '(objectCategory=group)' sAMAccountName @@ -1535,9 +1535,9 @@ attributes are a list of LDAP fields to show in the results. ADS DN <replaceable>DN</replaceable> <replaceable>(attributes)</replaceable> -Perform a raw LDAP search on a ADS server and dump the results. The -DN standard LDAP DN, and the attributes are a list of LDAP fields -to show in the result. +Perform a raw LDAP search on a ADS server and dump the results. The +DN standard LDAP DN, and the attributes are a list of LDAP fields +to show in the result. Example: net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' SAMAccountName @@ -2281,7 +2281,7 @@ share (no creation of new files or directories or writing to files). -The default if no "acl" is given is "Everyone:R", which means any +The default if no "acl" is given is "Everyone:R", which means any authenticated user has read-only access. @@ -3675,20 +3675,20 @@ net witness force-response Force an AsyncNotify response based on json input ( VERSION - This man page is complete for version 3 of the Samba + This man page is complete for version 3 of the Samba suite. AUTHOR - - The original Samba software and related utilities + + The original Samba software and related utilities were created by Andrew Tridgell. Samba is now developed - by the Samba Team as an Open Source project similar + by the Samba Team as an Open Source project similar to the way the Linux kernel is developed. The net manpage was written by Jelmer Vernooij. - + -- 2.45.2 From 48c804ca18ed537fc4355cb61928ac038137f72c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= Date: Thu, 1 Aug 2024 22:39:58 +0200 Subject: [PATCH 3/4] docs-xml: Delete descriptions for removed commands "net ads keytab add" and "net ads keytab add_update_ads" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689 Signed-off-by: Pavel Filipenský Reviewed-by: Reviewed-by: Martin Schwenke Autobuild-User(master): Pavel Filipensky Autobuild-Date(master): Mon Aug 5 13:29:25 UTC 2024 on atb-devel-224 (cherry picked from commit a5f47f6efe67e02d7a12f30b4e6fb76bcd6aa71c) --- docs-xml/manpages/net.8.xml | 70 ------------------------------------- 1 file changed, 70 deletions(-) diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml index f0b3df793d4..61a1e6362ce 100644 --- a/docs-xml/manpages/net.8.xml +++ b/docs-xml/manpages/net.8.xml @@ -1557,76 +1557,6 @@ are made to the computer AD account. - -ADS KEYTAB <replaceable>ADD</replaceable> <replaceable>(principal | machine | serviceclass | windows SPN</replaceable> - - -Adds a new keytab entry, the entry can be either; - - kerberos principal - - A kerberos principal (identified by the presence of '@') is just - added to the keytab file. - - - machinename - - A machinename (identified by the trailing '$') is used to create a - a kerberos principal 'machinename@realm' which is added to the - keytab file. - - - serviceclass - - A serviceclass (such as 'cifs', 'html' etc.) is used to create a pair - of kerberos principals 'serviceclass/fully_qualified_dns_name@realm' & - 'serviceclass/netbios_name@realm' which are added to the keytab file. - - - Windows SPN - - A Windows SPN is of the format 'serviceclass/host:port', it is used to - create a kerberos principal 'serviceclass/host@realm' which will - be written to the keytab file. - - - - - -Unlike old versions no computer AD objects are modified by this command. To -preserve the behaviour of older clients 'net ads keytab ad_update_ads' is -available. - - - - -ADS KEYTAB <replaceable>ADD_UPDATE_ADS</replaceable> <replaceable>(principal | machine | serviceclass | windows SPN</replaceable> - - -Adds a new keytab entry (see section for net ads keytab add). In addition to -adding entries to the keytab file corresponding Windows SPNs are created -from the entry passed to this command. These SPN(s) added to the AD computer -account object associated with the client machine running this command for -the following entry types; - - serviceclass - - A serviceclass (such as 'cifs', 'html' etc.) is used to create a - pair of Windows SPN(s) 'param/full_qualified_dns' & - 'param/netbios_name' which are added to the AD computer account object - for this client. - - - Windows SPN - - A Windows SPN is of the format 'serviceclass/host:port', it is - added as passed to the AD computer account object for this client. - - - - - - ADS setspn <replaceable>SETSPN LIST [machine]</replaceable> -- 2.45.2 From 12280863c69cf06de5db452a55af586298aacf7e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= Date: Tue, 6 Aug 2024 08:42:34 +0200 Subject: [PATCH 4/4] WHATSNEW: update the "Automatic keytab update after machine password change" section MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689 Signed-off-by: Pavel Filipenský --- WHATSNEW.txt | 44 ++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 42 insertions(+), 2 deletions(-) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index bf2dbb94b3a..d10269f9082 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -193,9 +193,49 @@ updates or manually (e.g. net ads changetrustpw), now winbind will also support update of keytab entries in case you use newly added option 'sync machine password to keytab'. The new parameter allows you to describe what keytabs and how should be updated. +From smb.conf(5) manpage - each keytab can have exactly one of these four forms: + + account_name + sync_spns + spn_prefixes=value1[,value2[...]] + spns=value1[,value2[...]] + +The functionaity provided by the removed commands "net ads keytab +add/delete/add_update_ads" can be achieved via the 'sync machine password to +keytab' as in these examples: + +"net ads keytab add wurst/brot@REALM" + +- this command is not adding to AD, so the best fit can be specifier + "spns" +- add to smb.conf: + sync machine password to keytab = /path/to/keytab1:spns=wurst/brot@REALM:machine_password +- run: + "net ads keytab create" + +"net ads keytab delete wurst/brot@REALM" + +- remove the principal (or the whole keytab line if there was just one) +- run: + "net ads keytab create" + +"net ads keytab add_update_ads wurst/brot@REALM" + +- this command was adding the principal to AD, so for this case use a keytab + with specifier sync_spns +- add to smb.conf: + sync machine password to keytab = /path/to/keytab2:sync_spns:machine_password +- run: + "net ads setspn add wurst/brot@REALM" # this adds the principal to AD + "net ads keytab create" # this sync it from AD to local keytab + + A new parameter 'sync machine password script' allows to specify external script -that will be triggered after the automatic keytab update. For detailed -information check the smb.conf manpage. +that will be triggered after the automatic keytab update. Example of such script +that can be used in a cluster enviromnent with ctdb is +source3/script/updatekeytab.sh + +For detailed information check the smb.conf(5) manpage. REMOVED FEATURES ================ -- 2.45.2