From b5bbf4711a866a2a5206a3449858682ce44681b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= Date: Tue, 6 Aug 2024 23:22:42 +0200 Subject: [PATCH] Revert "docs-xml: Delete descriptions for removed commands "net ads keytab add" and "net ads keytab add_update_ads"" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This reverts commit a5f47f6efe67e02d7a12f30b4e6fb76bcd6aa71c. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689 Signed-off-by: Pavel Filipenský Reviewed-by: Stefan Metzmacher (cherry picked from commit 6211a1f2177075f44542572fcd7bd16b493461f9) --- docs-xml/manpages/net.8.xml | 70 +++++++++++++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml index 61a1e6362ce..f0b3df793d4 100644 --- a/docs-xml/manpages/net.8.xml +++ b/docs-xml/manpages/net.8.xml 
@@ -1557,6 +1557,76 @@ are made to the computer AD account. + +ADS KEYTAB <replaceable>ADD</replaceable> <replaceable>(principal | machine | serviceclass | windows SPN</replaceable> + + +Adds a new keytab entry, the entry can be either; + + kerberos principal + + A kerberos principal (identified by the presence of '@') is just + added to the keytab file. + + + machinename + + A machinename (identified by the trailing '$') is used to create a + a kerberos principal 'machinename@realm' which is added to the + keytab file. + + + serviceclass + + A serviceclass (such as 'cifs', 'html' etc.) is used to create a pair + of kerberos principals 'serviceclass/fully_qualified_dns_name@realm' & + 'serviceclass/netbios_name@realm' which are added to the keytab file. + + + Windows SPN + + A Windows SPN is of the format 'serviceclass/host:port', it is used to + create a kerberos principal 'serviceclass/host@realm' which will + be written to the keytab file. + + + + + +Unlike old versions no computer AD objects are modified by this command. To +preserve the behaviour of older clients 'net ads keytab ad_update_ads' is +available. + + + + +ADS KEYTAB <replaceable>ADD_UPDATE_ADS</replaceable> <replaceable>(principal | machine | serviceclass | windows SPN</replaceable> + + +Adds a new keytab entry (see section for net ads keytab add). In addition to +adding entries to the keytab file corresponding Windows SPNs are created +from the entry passed to this command. These SPN(s) added to the AD computer +account object associated with the client machine running this command for +the following entry types; + + serviceclass + + A serviceclass (such as 'cifs', 'html' etc.) is used to create a + pair of Windows SPN(s) 'param/full_qualified_dns' & + 'param/netbios_name' which are added to the AD computer account object + for this client. + + + Windows SPN + + A Windows SPN is of the format 'serviceclass/host:port', it is + added as passed to the AD computer account object for this client. 
+ + + + + + ADS setspn <replaceable>SETSPN LIST [machine]</replaceable> -- 2.45.2 From 771477e97120df0f412cfb246021a91bdb0505c8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= Date: Tue, 6 Aug 2024 23:31:21 +0200 Subject: [PATCH] docs: Add examples to net.8 that use 'sync machine password to keytab' MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689 Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Pavel Filipenský Signed-off-by: Stefan Metzmacher (cherry picked from commit 92e558b32efe7c4ae8e9f8ab1cd7658473c819f3) --- docs-xml/manpages/net.8.xml | 65 +++++++++++++++++++++++++++++++++++-- 1 file changed, 63 insertions(+), 2 deletions(-) diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml index f0b3df793d4..e633c8c7c6a 100644 --- a/docs-xml/manpages/net.8.xml +++ b/docs-xml/manpages/net.8.xml @@ -1558,8 +1558,28 @@ are made to the computer AD account. -ADS KEYTAB <replaceable>ADD</replaceable> <replaceable>(principal | machine | serviceclass | windows SPN</replaceable> +(Removed!) ADS KEYTAB <replaceable>ADD</replaceable> <replaceable>(principal | machine | serviceclass | windows SPN</replaceable> + +This command is no longer available in Samba 4.21.0 and newer. See for replacement. + + +To replace e.g. call of + +net ads keytab add wurst/brot@REALM + +Add to smb.conf: + +sync machine password to keytab = /path/to/keytab1:spns=wurst/brot@REALM:machine_password + +and run: + +net ads keytab create + + + +Original description of this command: + Adds a new keytab entry, the entry can be either; 
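Review bot: The text restored by this revert in docs-xml/manpages/net.8.xml carries several defects that come back verbatim and should be fixed in a follow-up: both titles open a parenthesis that is never closed ('(principal | machine | serviceclass | windows SPN'), the machinename entry reads 'create a a kerberos principal', the pointer to the companion command is misspelled as 'net ads keytab ad_update_ads' (should be 'add_update_ads'), 'These SPN(s) added to the AD computer account object' is missing 'are', and 'html' in the serviceclass examples is presumably 'http'. The ADD_UPDATE_ADS serviceclass entry also names the principals 'param/full_qualified_dns' & 'param/netbios_name' while the ADD section spells the same thing 'serviceclass/fully_qualified_dns_name@realm'; use one spelling.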
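Review bot: In the first hunk of docs-xml/manpages/net.8.xml, the sentence 'This command is no longer available in Samba 4.21.0 and newer. See for replacement.' has no visible target after 'See'; confirm the cross-reference to the 'sync machine password to keytab' parameter renders, otherwise the reader is sent nowhere. Since this hunk rewrites the title line anyway, also close the parenthesis in '(principal | machine | serviceclass | windows SPN' and reword 'To replace e.g. call of' to 'To replace, for example, a call of'.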
@@ -1600,7 +1620,48 @@ available. -ADS KEYTAB <replaceable>ADD_UPDATE_ADS</replaceable> <replaceable>(principal | machine | serviceclass | windows SPN</replaceable> +(Removed!) ADS KEYTAB <replaceable>DELETE</replaceable> <replaceable>(principal | machine | serviceclass | windows SPN</replaceable> + + +This command is no longer available in Samba 4.21.0 and newer. See for replacement. + + + +To replace e.g. call of + +net ads keytab delete wurst/brot@REALM + +Delete from principal "wurst/brot@REALM" and run: + +net ads keytab create + + + + + + +(Removed!) ADS KEYTAB <replaceable>ADD_UPDATE_ADS</replaceable> <replaceable>(principal | machine | serviceclass | windows SPN</replaceable> + +This command is no longer available in Samba 4.21.0 and newer. See for replacement. + + +To replace e.g. call of + +net ads keytab add_update_ads wurst/brot@REALM + +Add to smb.conf: + +sync machine password to keytab = /path/to/keytab2:sync_spns:machine_password + +and run: + +net ads setspn add wurst/brot@REALM +net ads keytab create + + + +Original description of this command: + Adds a new keytab entry (see section for net ads keytab add). In addition to -- 2.45.2 From 6671a67834012868b440aa311a099f56be621e3d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= Date: Mon, 12 Aug 2024 11:49:35 +0200 Subject: [PATCH] s3:script: Rename updatekeytab.sh ==> winbind_ctdb_updatekeytab.sh MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689 Signed-off-by: Pavel Filipenský Reviewed-by: Stefan Metzmacher (cherry picked from commit 5f30eb03e20da00c9e048322d47b33dc8469ffc8) --- source3/script/{updatekeytab.sh => winbind_ctdb_updatekeytab.sh} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename source3/script/{updatekeytab.sh => winbind_ctdb_updatekeytab.sh} (100%) 
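Review bot: In the new '(Removed!) ADS KEYTAB DELETE' section, 'Delete from principal "wurst/brot@REALM" and run:' does not say what is deleted from where; the WHATSNEW.txt text removed later in this series ('remove the principal (or the whole keytab line if there was just one)') is the precise version. Suggest: remove 'wurst/brot@REALM' from the spns= list of the 'sync machine password to keytab' entry in smb.conf (or the whole entry if that was its only principal), then run 'net ads keytab create'. The unclosed parenthesis in the two titles and the target-less 'See for replacement.' from the previous hunk apply here as well.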
diff --git a/source3/script/updatekeytab.sh b/source3/script/winbind_ctdb_updatekeytab.sh similarity index 100% rename from source3/script/updatekeytab.sh rename to source3/script/winbind_ctdb_updatekeytab.sh -- 2.45.2 From 32002fce1f3ba0fb777a0107a1006df8bd0a1ddf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= Date: Mon, 12 Aug 2024 10:44:19 +0200 Subject: [PATCH] s3:script: Install winbind_ctdb_updatekeytab.sh MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689 Signed-off-by: Pavel Filipenský Reviewed-by: Stefan Metzmacher (cherry picked from commit f55752ebf813010d26fe24be3bdf107b9e50faaa) --- source3/script/wscript_build | 1 + 1 file changed, 1 insertion(+) diff --git a/source3/script/wscript_build b/source3/script/wscript_build index 66acf1cfe9e..2b0643b0876 100644 --- a/source3/script/wscript_build +++ b/source3/script/wscript_build @@ -6,6 +6,7 @@ bld.INSTALL_FILES('${BINDIR}', 'smbtar', chmod=MODE_755, flat=True) bld.INSTALL_FILES('${BINDIR}', 'samba-log-parser', chmod=MODE_755, flat=True) +bld.INSTALL_FILES('${DATADIR}', 'winbind_ctdb_updatekeytab.sh', chmod=MODE_755, flat=True) # Callout scripts for use in selftest environment bld.SAMBA_SCRIPT('smbaddshare', pattern='smbaddshare', installdir='.') -- 2.45.2 From 0164b9f2dc50c11a91761fe24917004b06495e91 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= Date: Mon, 12 Aug 2024 11:49:14 +0200 Subject: [PATCH] docs:smbdotconf: Improve documentation for 'sync machine password script' MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689 Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Pavel Filipenský 
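Review bot: The rename of source3/script/updatekeytab.sh to winbind_ctdb_updatekeytab.sh leaves the reference to source3/script/updatekeytab.sh in WHATSNEW.txt stale until the last patch of this series replaces it; on a partial apply or a bisect the documentation points at a file that no longer exists. Consider folding the WHATSNEW.txt path change into this commit.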
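Review bot: The install line in source3/script/wscript_build, bld.INSTALL_FILES('${DATADIR}', 'winbind_ctdb_updatekeytab.sh', chmod=MODE_755, flat=True), puts the script directly under ${DATADIR}, while the documentation added later in this series refers to it as &pathconfig.SAMBA_DATADIR;/scripts/winbind_ctdb_updatekeytab.sh. Confirm the two resolve to the same path; if ${DATADIR} does not already end in a scripts directory, either install into '${DATADIR}/scripts' or drop 'scripts/' from the documented path, otherwise 'sync machine password script' is documented with a path that is never installed.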
Signed-off-by: Stefan Metzmacher (cherry picked from commit 131a32b568edff5ee889b0b596a8be6e0dc077be) --- .../security/syncmachinepasswordscript.xml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/docs-xml/smbdotconf/security/syncmachinepasswordscript.xml b/docs-xml/smbdotconf/security/syncmachinepasswordscript.xml index 341613372f5..9a7731930d5 100644 --- a/docs-xml/smbdotconf/security/syncmachinepasswordscript.xml +++ b/docs-xml/smbdotconf/security/syncmachinepasswordscript.xml @@ -8,8 +8,19 @@ This is the full pathname to a script that will be run by winbindd 8 when a machine account password is updated. + + + If keytabs should be generated in clustered environments it is recommended to update them on all nodes. + You can set the config option to &pathconfig.SAMBA_DATADIR;/scripts/winbind_ctdb_updatekeytab.sh in clustering case. + It is also needed to activate the 46.update-keytabs.script in ctdb, + it re-creates the keytab during the ctdb recovered event: + + onnode all ctdb event script enable legacy 46.update-keytabs.script + + + -/usr/sbin/sync_machine_password +&pathconfig.SAMBA_DATADIR;/scripts/winbind_ctdb_updatekeytab.sh -- 2.45.2 From 58d0548f871cb6d9204eb37565b41daeb42d694a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= Date: Mon, 12 Aug 2024 11:49:14 +0200 Subject: [PATCH] docs:smbdotconf: Improve documentation for 'sync machine password to keytab' MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689 Signed-off-by: Pavel Filipenský Reviewed-by: Stefan Metzmacher (cherry picked from commit fd40e40a4256534311d0f507c8934df35dfd8283) --- .../smbdotconf/security/syncmachinepasswordtokeytab.xml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml index b749ecb5c66..4cad9da73f2 100644 
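Review bot: The paragraph added to docs-xml/smbdotconf/security/syncmachinepasswordscript.xml reads awkwardly and leaves the option unnamed ('You can set the config option to ... in clustering case', 'It is also needed to activate the 46.update-keytabs.script in ctdb, it re-creates the keytab during the ctdb recovered event'). Suggest: 'In clustered environments keytabs should be updated on all nodes. Set this option to &pathconfig.SAMBA_DATADIR;/scripts/winbind_ctdb_updatekeytab.sh and enable the ctdb event script 46.update-keytabs.script, which re-creates the keytab during the ctdb recovered event:'. Also confirm the example path matches where wscript_build actually installs the script.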
--- a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml +++ b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml @@ -67,10 +67,19 @@ Example: "/path/to/keytab7:spns=wurst/brot@REALM,wurst2/brot@REALM:sync_kvno:machine_password" If sync_etypes or sync_kvno or sync_spns is present then winbind connects to DC. For "offline domain join" it might be useful not to use these options. + + If no value is present, winbind uses value /path/to/keytab:sync_spns:sync_kvno:machine_password where the path to the keytab is obtained either from the krb5 library or from + + Suggested configuration is together with set to the default value 'secrets only'. + + + + In clustered environments it is recommended to set to update the machine password on all nodes. + -- 2.45.2 From a0472213f73195262b86c00b435c9571fcabc438 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= Date: Mon, 12 Aug 2024 11:49:14 +0200 Subject: [PATCH] docs:smbdotconf: Update 'kerberos method' with 'sync machine password to keytab' MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689 Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Pavel Filipenský Signed-off-by: Stefan Metzmacher (cherry picked from commit 08b0d0faaa2e71f6a466276c5254440a7c1d26fd) --- docs-xml/smbdotconf/security/kerberosmethod.xml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs-xml/smbdotconf/security/kerberosmethod.xml b/docs-xml/smbdotconf/security/kerberosmethod.xml index b7cd988cd19..c9d70580c59 100644 --- a/docs-xml/smbdotconf/security/kerberosmethod.xml +++ b/docs-xml/smbdotconf/security/kerberosmethod.xml @@ -35,6 +35,12 @@ must be set to specify the location of the keytab file. + + + Suggested configuration is to use the default value 'secrets only' together with the + option. + + dedicated keytab file default -- 2.45.2 From 4debd4f2d16f57a28c3c2f1f14a74e6faf7c6d10 Mon Sep 17 00:00:00 2001 
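Review bot: Three sentences added to docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml end without their object as shown here: 'obtained either from the krb5 library or from', 'Suggested configuration is together with set to the default value 'secrets only'.', and 'it is recommended to set to update the machine password on all nodes.' Each presumably carries a parameter cross-reference ('dedicated keytab file', 'kerberos method', 'sync machine password script'); confirm they render with the parameter names, since the sentences are unreadable without them. The default line 'winbind uses value /path/to/keytab:sync_spns:sync_kvno:machine_password' should also state that /path/to/keytab stands for the resolved keytab path rather than a literal.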
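Review bot: The sentence added to docs-xml/smbdotconf/security/kerberosmethod.xml, 'Suggested configuration is to use the default value 'secrets only' together with the option.', names no option; confirm the cross-reference to 'sync machine password to keytab' renders, as the patch subject says it should. 'Suggested configuration is to use' would read better as 'The suggested configuration is the default value 'secrets only' together with the ... option.'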
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= Date: Tue, 6 Aug 2024 08:42:34 +0200 Subject: [PATCH] WHATSNEW: update the "Automatic keytab update after machine password change" section MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689 Signed-off-by: Pavel Filipenský --- WHATSNEW.txt | 41 +++++++---------------------------------- 1 file changed, 7 insertions(+), 34 deletions(-) diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 9d5c0bac515..42aca22e848 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -200,42 +200,15 @@ From smb.conf(5) manpage - each keytab can have exactly one of these four forms: spn_prefixes=value1[,value2[...]] spns=value1[,value2[...]] -The functionaity provided by the removed commands "net ads keytab -add/delete/add_update_ads" can be achieved via the 'sync machine password to -keytab' as in these examples: - -"net ads keytab add wurst/brot@REALM" - -- this command is not adding to AD, so the best fit can be specifier - "spns" -- add to smb.conf: - sync machine password to keytab = /path/to/keytab1:spns=wurst/brot@REALM:machine_password -- run: - "net ads keytab create" - -"net ads keytab delete wurst/brot@REALM" - -- remove the principal (or the whole keytab line if there was just one) -- run: - "net ads keytab create" - -"net ads keytab add_update_ads wurst/brot@REALM" - -- this command was adding the principal to AD, so for this case use a keytab - with specifier sync_spns -- add to smb.conf: - sync machine password to keytab = /path/to/keytab2:sync_spns:machine_password -- run: - "net ads setspn add wurst/brot@REALM" # this adds the principal to AD - "net ads keytab create" # this sync it from AD to local keytab - - A new parameter 'sync machine password script' allows to specify external script -that will be triggered after the automatic keytab update. Example of such script -that can be used in a cluster environment with ctdb is -source3/script/updatekeytab.sh +that will be triggered after the automatic keytab update. If keytabs should be +generated in clustered environments it is recommended to update them on all +nodes. Check in smb.conf(5) the scripts winbind_ctdb_updatekeytab.sh and +46.update-keytabs.script in section 'sync machine password script' for details. -For detailed information check the smb.conf(5) manpage. +The functionality provided by the removed commands "net ads keytab +add/delete/add_update_ads" can be achieved via the 'sync machine password to +keytab'. Check net(8) manpage for details. 
REMOVED FEATURES ================ -- 2.45.2
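Review bot: In WHATSNEW.txt the new sentence 'Check in smb.conf(5) the scripts winbind_ctdb_updatekeytab.sh and 46.update-keytabs.script in section 'sync machine password script' for details.' is hard to parse; suggest 'See the 'sync machine password script' section of smb.conf(5) for details on winbind_ctdb_updatekeytab.sh and the ctdb event script 46.update-keytabs.script.' The kept line 'allows to specify external script' should read 'allows specifying an external script', and the closing paragraph 'can be achieved via the 'sync machine password to keytab'' drops its noun; append 'parameter'.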