[SCM] Samba Shared Repository - branch v4-21-test updated

Stefan Metzmacher metze at samba.org
Tue Aug 6 12:50:01 UTC 2024


The branch, v4-21-test has been updated
       via  725907587b8 WHATSNEW: update the "Automatic keytab update after machine password change" section
       via  6f9a9394cfd docs-xml: Delete descriptions for removed commands "net ads keytab add" and "net ads keytab add_update_ads"
       via  ba6c2f68ec2 docs-xml: Fix trailing whitespace in net.8.xml
       via  ff9d9677bba docs:smbdotconf: Improve formatting of 'sync machine password to keytab'
       via  de85c86c486 ldb: Fix ldb public library header files being unusable
       via  6d69562e27c wafsamba: Fix ABI symbol name generation
      from  5ba371e09ab WHATSNEW: update the Per-user and group "veto files" and "hide files" section

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-21-test


- Log -----------------------------------------------------------------
commit 725907587b8b419f773fea965ec899eee71b3bb9
Author: Pavel Filipenský <pfilipensky at samba.org>
Date:   Tue Aug 6 08:42:34 2024 +0200

    WHATSNEW: update the "Automatic keytab update after machine password change" section
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689
    
    Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
    
    Autobuild-User(v4-21-test): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(v4-21-test): Tue Aug  6 12:49:02 UTC 2024 on atb-devel-224

commit 6f9a9394cfd16ee4ef80fa083105d2edc46bfd5d
Author: Pavel Filipenský <pfilipensky at samba.org>
Date:   Thu Aug 1 22:39:58 2024 +0200

    docs-xml: Delete descriptions for removed commands "net ads keytab add" and "net ads keytab add_update_ads"
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689
    
    Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
    Reviewed-by: Reviewed-by: Martin Schwenke <martin at meltin.net>
    
    Autobuild-User(master): Pavel Filipensky <pfilipensky at samba.org>
    Autobuild-Date(master): Mon Aug  5 13:29:25 UTC 2024 on atb-devel-224
    
    (cherry picked from commit a5f47f6efe67e02d7a12f30b4e6fb76bcd6aa71c)

commit ba6c2f68ec2e027a00af9c4226ef7518dff581b1
Author: Pavel Filipenský <pfilipensky at samba.org>
Date:   Thu Aug 1 22:39:56 2024 +0200

    docs-xml: Fix trailing whitespace in net.8.xml
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689
    
    Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
    Reviewed-by: Reviewed-by: Martin Schwenke <martin at meltin.net>
    (cherry picked from commit 374680010d42d3bca52791159dba7b42eb8d0d6c)

commit ff9d9677bba1a95922c8183ba403402c238067ed
Author: Pavel Filipenský <pfilipensky at samba.org>
Date:   Thu Aug 1 21:49:19 2024 +0200

    docs:smbdotconf: Improve formatting of 'sync machine password to keytab'
    
    Hint: review this commit with ignoring white space changes.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689
    
    Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
    Reviewed-by: Reviewed-by: Martin Schwenke <martin at meltin.net>
    (cherry picked from commit 6c627903ee466cd1559d7f58821221c4dd668d1f)

commit de85c86c48608a36211115106de424660973b2e7
Author: Jo Sutton <josutton at catalyst.net.nz>
Date:   Fri Aug 2 10:14:52 2024 +1200

    ldb: Fix ldb public library header files being unusable
    
    An accidental negation means that ldb_version.h is not installed when
    ldb is built as a public library.
    
    This is a regression introduced by commit
    625fb48326ec62a33ce0abdbfb0f6f3d33d7cc64.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15690
    
    Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    
    Autobuild-User(master): Douglas Bagnall <dbagnall at samba.org>
    Autobuild-Date(master): Sun Aug  4 01:35:55 UTC 2024 on atb-devel-224
    
    (cherry picked from commit 5851ae555425ea2ba8e431162142ebae47be802e)

commit 6d69562e27c41ae24650304eb7b668f28e49d68d
Author: Andreas Schneider <asn at samba.org>
Date:   Mon Aug 5 14:51:01 2024 +0200

    wafsamba: Fix ABI symbol name generation
    
    Commit 0bc5b6f29307ce758774c1b2f48ce62315fdc7f9 changed the script
    for generating the ABI symbol version. It broke the ABI by changing all
    dots to underscores.
    
    This reverts the commit partially to preserve the dots in the version
    part.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15673
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    Reviewed-by: Günther Deschner <gd at samba.org>
    
    Autobuild-User(master): Douglas Bagnall <dbagnall at samba.org>
    Autobuild-Date(master): Tue Aug  6 00:42:56 UTC 2024 on atb-devel-224
    
    (cherry picked from commit 46215ab1b34aa79c4c831ea1c12f73eacf1e8a12)

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                                       |  44 ++++-
 buildtools/wafsamba/samba_abi.py                   |   6 +-
 docs-xml/manpages/net.8.xml                        | 190 +++++++--------------
 .../security/syncmachinepasswordtokeytab.xml       |  77 +++++----
 lib/ldb/wscript                                    |   2 +-
 script/autobuild.py                                |  11 ++
 6 files changed, 159 insertions(+), 171 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index bf2dbb94b3a..9d5c0bac515 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -193,9 +193,49 @@ updates or manually (e.g. net ads changetrustpw), now winbind will also support
 update of keytab entries in case you use newly added option
 'sync machine password to keytab'.
 The new parameter allows you to describe what keytabs and how should be updated.
+From smb.conf(5) manpage - each keytab can have exactly one of these four forms:
+
+               account_name
+               sync_spns
+               spn_prefixes=value1[,value2[...]]
+               spns=value1[,value2[...]]
+
+The functionaity provided by the removed commands "net ads keytab
+add/delete/add_update_ads" can be achieved via the 'sync machine password to
+keytab' as in these examples:
+
+"net ads keytab add  wurst/brot at REALM"
+
+- this command is not adding <principal> to AD, so the best fit can be specifier
+  "spns"
+- add to smb.conf:
+  sync machine password to keytab = /path/to/keytab1:spns=wurst/brot at REALM:machine_password
+- run:
+  "net ads keytab create"
+
+"net ads keytab delete wurst/brot at REALM"
+
+- remove the principal (or the whole keytab line if there was just one)
+- run:
+  "net ads keytab create"
+
+"net ads keytab add_update_ads wurst/brot at REALM"
+
+- this command was adding the principal to AD, so for this case use a keytab
+  with specifier sync_spns
+- add to smb.conf:
+  sync machine password to keytab = /path/to/keytab2:sync_spns:machine_password
+- run:
+  "net ads setspn add  wurst/brot at REALM"  # this adds the principal to AD
+  "net ads keytab create"  # this sync it from AD to local keytab
+
+
 A new parameter 'sync machine password script' allows to specify external script
-that will be triggered after the automatic keytab update. For detailed
-information check the smb.conf manpage.
+that will be triggered after the automatic keytab update. Example of such script
+that can be used in a cluster environment with ctdb is
+source3/script/updatekeytab.sh
+
+For detailed information check the smb.conf(5) manpage.
 
 REMOVED FEATURES
 ================
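Review bot: The paragraph introducing the removed commands has a typo, "functionaity" should be "functionality", and in the last example "this sync it from AD" should read "this syncs it from AD". The "net ads keytab delete" example says to "remove the principal (or the whole keytab line if there was just one)" without naming where it is removed from, while the two add examples both say "add to smb.conf:". Stating that the entry is removed from the 'sync machine password to keytab' value in smb.conf would make the three examples parallel. The doubled space in "net ads keytab add  wurst/brot" and "net ads setspn add  wurst/brot" looks like a dropped token and is worth checking against the intended command line.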
diff --git a/buildtools/wafsamba/samba_abi.py b/buildtools/wafsamba/samba_abi.py
index c82ba3424f9..e6deb839c0c 100644
--- a/buildtools/wafsamba/samba_abi.py
+++ b/buildtools/wafsamba/samba_abi.py
@@ -286,7 +286,7 @@ def abi_build_vscript(task):
         f.close()
 
 def VSCRIPT_MAP_PRIVATE(bld, libname, orig_vscript, version, private_vscript):
-    version = re.sub(r'\W', '_', version).upper()
+    version = re.sub(r'[^.\w]', '_', version).upper()
     t = bld.SAMBA_GENERATOR(private_vscript,
                             rule=abi_build_vscript,
                             source=orig_vscript,
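Review bot: The new pattern r'[^.\w]' in VSCRIPT_MAP_PRIVATE has no comment explaining why the dot is exempt, and the same expression appears twice more in ABI_VSCRIPT. The commit message says that turning dots into underscores broke the ABI, so a one-line comment here, or a small shared helper used by both functions, would keep a later cleanup from reintroducing r'\W'. If this runs under Python 3, \w on a str also matches non-ASCII word characters, so if the version string is meant to be ASCII-only an explicit class such as [^.A-Za-z0-9_] would state that.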
@@ -314,8 +314,8 @@ def ABI_VSCRIPT(bld, libname, abi_directory, version, vscript, abi_match=None, p
 
     libname = os.path.basename(libname)
     version = os.path.basename(version)
-    libname = re.sub(r'\W', '_', libname).upper()
-    version = re.sub(r'\W', '_', version).upper()
+    libname = re.sub(r'[^.\w]', '_', libname).upper()
+    version = re.sub(r'[^.\w]', '_', version).upper()
 
     t = bld.SAMBA_GENERATOR(vscript,
                             rule=abi_build_vscript,
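Review bot: In ABI_VSCRIPT the substitution on libname is changed to r'[^.\w]' as well, but the commit message only speaks of preserving the dots "in the version part". If dots in libname are meant to survive too, the message should say so. Otherwise libname should keep r'\W' and only the version line should change, as in VSCRIPT_MAP_PRIVATE where only version is touched.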
diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
index c284cc25b49..61a1e6362ce 100644
--- a/docs-xml/manpages/net.8.xml
+++ b/docs-xml/manpages/net.8.xml
@@ -80,12 +80,12 @@
 	<para>This tool is part of the <citerefentry><refentrytitle>samba</refentrytitle>
 	<manvolnum>7</manvolnum></citerefentry> suite.</para>
 
-	<para>The Samba net utility is meant to work just like the net utility 
-	available for windows and DOS. The first argument should be used 
-	to specify the protocol to use when executing a certain command. 
-	ADS is used for ActiveDirectory, RAP is using for old (Win9x/NT3) 
-	clients and RPC can be used for NT4 and Windows 2000. If this 
-	argument is omitted, net will try to determine it automatically. 
+	<para>The Samba net utility is meant to work just like the net utility
+	available for windows and DOS. The first argument should be used
+	to specify the protocol to use when executing a certain command.
+	ADS is used for ActiveDirectory, RAP is using for old (Win9x/NT3)
+	clients and RPC can be used for NT4 and Windows 2000. If this
+	argument is omitted, net will try to determine it automatically.
 	Not all commands are available on all protocols.
 	</para>
 
@@ -98,7 +98,7 @@
 		<varlistentry>
 		<term>-w|--target-workgroup target-workgroup</term>
 		<listitem><para>
-		Sets target workgroup or domain. You have to specify 
+		Sets target workgroup or domain. You have to specify
 		either this option or the IP address or the name of a server.
 		</para></listitem>
 		</varlistentry>
@@ -115,7 +115,7 @@
 		<varlistentry>
 		<term>-p|--port port</term>
 		<listitem><para>
-		Port on the target server to connect to (usually 139 or 445). 
+		Port on the target server to connect to (usually 139 or 445).
 		Defaults to trying 445 first, then 139.
 		</para></listitem>
 		</varlistentry>
@@ -123,7 +123,7 @@
 		<varlistentry>
 		<term>-S|--server server</term>
 		<listitem><para>
-		Name of target server. You should specify either 
+		Name of target server. You should specify either
 		this option or a target workgroup or a target IP address.
 		</para></listitem>
 		</varlistentry>
@@ -524,7 +524,7 @@ YOU HAVE BEEN WARNED.
 <refsect3>
 <title>TIME</title>
 
-<para>Without any options, the <command>NET TIME</command> command 
+<para>Without any options, the <command>NET TIME</command> command
 displays the time on the remote server. The remote server must be
 specified with the -S option.
 </para>
@@ -542,7 +542,7 @@ The remote server must be specified with the -S option.
 
 <refsect3>
 <title>TIME SET</title>
-<para>Tries to set the date and time of the local server to that on 
+<para>Tries to set the date and time of the local server to that on
 the remote server using <command>/bin/date</command>.
 The remote server must be specified with the -S option.
 </para>
@@ -565,8 +565,8 @@ The remote server must be specified with the -S option.
 [osName=string osVer=string] [options]</title>
 
 <para>
-Join a domain.  If the account already exists on the server, and 
-[TYPE] is MEMBER, the machine will attempt to join automatically. 
+Join a domain.  If the account already exists on the server, and
+[TYPE] is MEMBER, the machine will attempt to join automatically.
 (Assuming that the machine has been created in server manager)
 Otherwise, a password will be prompted for, and a new account may
 be created.</para>
@@ -590,7 +590,7 @@ format is host/netbiosname at REALM.
 [OU] (ADS only) Precreate the computer account in a specific OU.  The
 OU string reads from top to bottom without RDNs, and is delimited by
 a '/'.  Please note that '\' is used for escape by both the shell
-and ldap, so it may need to be doubled or quadrupled to pass through, 
+and ldap, so it may need to be doubled or quadrupled to pass through,
 and it is not used as a delimiter.
 </para>
 <para>
@@ -607,8 +607,8 @@ must be specified for either to take effect.
 <refsect2>
 <title>[RPC] OLDJOIN [options]</title>
 
-<para>Join a domain. Use the OLDJOIN option to join the domain 
-using the old style of domain joining - you need to create a trust 
+<para>Join a domain. Use the OLDJOIN option to join the domain
+using the old style of domain joining - you need to create a trust
 account in server manager first.</para>
 </refsect2>
 
@@ -692,8 +692,8 @@ account in server manager first.</para>
 <refsect3>
 <title>[RAP|RPC] SHARE ADD <replaceable>name=serverpath</replaceable> [-C comment] [-M maxusers] [targets]</title>
 
-<para>Adds a share from a server (makes the export active). Maxusers 
-specifies the number of users that can be connected to the 
+<para>Adds a share from a server (makes the export active). Maxusers
+specifies the number of users that can be connected to the
 share simultaneously.</para>
 
 </refsect3>
@@ -718,7 +718,7 @@ share simultaneously.</para>
 <refsect3>
 <title>[RPC|RAP] FILE CLOSE <replaceable>fileid</replaceable></title>
 
-<para>Close file with specified <replaceable>fileid</replaceable> on 
+<para>Close file with specified <replaceable>fileid</replaceable> on
 remote server.</para>
 
 </refsect3>
@@ -727,7 +727,7 @@ remote server.</para>
 <title>[RPC|RAP] FILE INFO <replaceable>fileid</replaceable></title>
 
 <para>
-Print information on specified <replaceable>fileid</replaceable>. 
+Print information on specified <replaceable>fileid</replaceable>.
 Currently listed are: file-id, username, locks, path, permissions.
 </para>
 
@@ -739,7 +739,7 @@ Currently listed are: file-id, username, locks, path, permissions.
 <para>
 List files opened by specified <replaceable>user</replaceable>.
 Please note that <command>net rap file user</command> does not work
-against Samba servers. 
+against Samba servers.
 </para>
 
 </refsect3>
@@ -752,7 +752,7 @@ against Samba servers.
 <refsect3>
 <title>RAP SESSION</title>
 
-<para>Without any other options, SESSION enumerates all active SMB/CIFS 
+<para>Without any other options, SESSION enumerates all active SMB/CIFS
 sessions on the target server.</para>
 
 </refsect3>
@@ -784,7 +784,7 @@ to local domain.</para>
 <refsect2>
 <title>RAP DOMAIN</title>
 
-<para>Lists all domains and workgroups visible on the 
+<para>Lists all domains and workgroups visible on the
 current network.</para>
 
 </refsect2>
@@ -796,7 +796,7 @@ current network.</para>
 <title>RAP PRINTQ INFO <replaceable>QUEUE_NAME</replaceable></title>
 
 <para>Lists the specified print queue and print jobs on the server.
-If the <replaceable>QUEUE_NAME</replaceable> is omitted, all 
+If the <replaceable>QUEUE_NAME</replaceable> is omitted, all
 queues are listed.</para>
 
 </refsect3>
@@ -814,9 +814,9 @@ queues are listed.</para>
 <title>RAP VALIDATE <replaceable>user</replaceable> [<replaceable>password</replaceable>]</title>
 
 <para>
-Validate whether the specified user can log in to the 
-remote server. If the password is not specified on the commandline, it 
-will be prompted. 
+Validate whether the specified user can log in to the
+remote server. If the password is not specified on the commandline, it
+will be prompted.
 </para>
 
 &not.implemented;
@@ -852,7 +852,7 @@ will be prompted.
 <refsect2>
 <title>RAP ADMIN <replaceable>command</replaceable></title>
 
-<para>Execute the specified <replaceable>command</replaceable> on 
+<para>Execute the specified <replaceable>command</replaceable> on
 the remote server. Only works with OS/2 servers.
 </para>
 
@@ -899,7 +899,7 @@ Change password of <replaceable>USER</replaceable> from <replaceable>OLDPASS</re
 <title>LOOKUP HOST <replaceable>HOSTNAME</replaceable> [<replaceable>TYPE</replaceable>]</title>
 
 <para>
-Lookup the IP address of the given host with the specified type (netbios suffix). 
+Lookup the IP address of the given host with the specified type (netbios suffix).
 The type defaults to 0x20 (workstation).
 </para>
 
@@ -965,7 +965,7 @@ or workgroup. Defaults to local domain.</para>
 <refsect2>
 <title>CACHE</title>
 
-<para>Samba uses a general caching interface called 'gencache'. It 
+<para>Samba uses a general caching interface called 'gencache'. It
 can be controlled using 'NET CACHE'.</para>
 
 <para>All the timeout parameters support the suffixes:
@@ -1044,7 +1044,7 @@ omitted, the SID of the local server.</para>
 <refsect2>
 <title>GETDOMAINSID</title>
 
-<para>Prints the local machine SID and the SID of the current 
+<para>Prints the local machine SID and the SID of the current
 domain.</para>
 
 </refsect2>
@@ -1158,15 +1158,15 @@ such as domain name, domain sid and number of users and groups.
 <refsect3>
 <title>RPC TRUSTDOM ADD <replaceable>DOMAIN</replaceable></title>
 
-<para>Add a interdomain trust account for <replaceable>DOMAIN</replaceable>. 
-This is in fact a Samba account named <replaceable>DOMAIN$</replaceable> 
-with the account flag <constant>'I'</constant> (interdomain trust account). 
+<para>Add a interdomain trust account for <replaceable>DOMAIN</replaceable>.
+This is in fact a Samba account named <replaceable>DOMAIN$</replaceable>
+with the account flag <constant>'I'</constant> (interdomain trust account).
 This is required for incoming trusts to work. It makes Samba be a
 trusted domain of the foreign (trusting) domain.
 Users of the Samba domain will be made available in the foreign domain.
-If the command is used against localhost it has the same effect as 
+If the command is used against localhost it has the same effect as
 <command>smbpasswd -a -i DOMAIN</command>. Please note that both commands
-expect a appropriate UNIX account. 
+expect a appropriate UNIX account.
 </para>
 
 </refsect3>
@@ -1174,9 +1174,9 @@ expect a appropriate UNIX account.
 <refsect3>
 <title>RPC TRUSTDOM DEL <replaceable>DOMAIN</replaceable></title>
 
-<para>Remove interdomain trust account for 
-<replaceable>DOMAIN</replaceable>. If it is used against localhost 
-it has the same effect as <command>smbpasswd -x DOMAIN$</command>. 
+<para>Remove interdomain trust account for
+<replaceable>DOMAIN</replaceable>. If it is used against localhost
+it has the same effect as <command>smbpasswd -x DOMAIN$</command>.
 </para>
 
 </refsect3>
@@ -1185,7 +1185,7 @@ it has the same effect as <command>smbpasswd -x DOMAIN$</command>.
 <title>RPC TRUSTDOM ESTABLISH <replaceable>DOMAIN</replaceable></title>
 
 <para>
-Establish a trust relationship to a trusted domain. 
+Establish a trust relationship to a trusted domain.
 Interdomain account must already be created on the remote PDC.
 This is required for outgoing trusts to work. It makes Samba be a
 trusting domain of a foreign (trusted) domain.
@@ -1326,9 +1326,9 @@ net rpc trust delete \
 <refsect3>
 <title>RPC RIGHTS</title>
 
-<para>This subcommand is used to view and manage Samba's rights assignments (also 
-referred to as privileges).  There are three options currently available: 
-<parameter>list</parameter>, <parameter>grant</parameter>, and 
+<para>This subcommand is used to view and manage Samba's rights assignments (also
+referred to as privileges).  There are three options currently available:
+<parameter>list</parameter>, <parameter>grant</parameter>, and
 <parameter>revoke</parameter>.  More details on Samba's privilege model and its use
 can be found in the Samba-HOWTO-Collection.</para>
 
@@ -1367,14 +1367,14 @@ Force shutting down all applications.
 <varlistentry>
 <term>-t timeout</term>
 <listitem><para>
-Timeout before system will be shut down. An interactive 
+Timeout before system will be shut down. An interactive
 user of the system can use this time to cancel the shutdown.
 </para></listitem>
 </varlistentry>
 
 <varlistentry>
 <term>-C message</term>
-<listitem><para>Display the specified message on the screen to 
+<listitem><para>Display the specified message on the screen to
 announce the shutdown.</para></listitem>
 </varlistentry>
 </variablelist>
@@ -1391,8 +1391,8 @@ to run this against the PDC, from a Samba machine joined as a BDC. </para>
 <refsect2>
 <title>RPC VAMPIRE</title>
 
-<para>Export users, aliases and groups from remote server to 
-local server.  You need to run this against the PDC, from a Samba machine joined as a BDC. 
+<para>Export users, aliases and groups from remote server to
+local server.  You need to run this against the PDC, from a Samba machine joined as a BDC.
 This vampire command cannot be used against an Active Directory, only
 against an NT4 Domain Controller.
 </para>
@@ -1486,7 +1486,7 @@ against an NT4 Domain Controller.
 <title>ADS STATUS</title>
 
 <para>Print out status of machine account of the local machine in ADS.
-Prints out quite some debug info. Aimed at developers, regular 
+Prints out quite some debug info. Aimed at developers, regular
 users should use <command>NET ADS TESTJOIN</command>.</para>
 
 </refsect2>
@@ -1498,7 +1498,7 @@ users should use <command>NET ADS TESTJOIN</command>.</para>
 <title>ADS PRINTER INFO [<replaceable>PRINTER</replaceable>] [<replaceable>SERVER</replaceable>]</title>
 
 <para>
-Lookup info for <replaceable>PRINTER</replaceable> on <replaceable>SERVER</replaceable>. The printer name defaults to "*", the 
+Lookup info for <replaceable>PRINTER</replaceable> on <replaceable>SERVER</replaceable>. The printer name defaults to "*", the
 server name defaults to the local host.</para>
 
 </refsect3>
@@ -1522,8 +1522,8 @@ server name defaults to the local host.</para>
 <refsect2>
 <title>ADS SEARCH <replaceable>EXPRESSION</replaceable> <replaceable>ATTRIBUTES...</replaceable></title>
 
-<para>Perform a raw LDAP search on a ADS server and dump the results. The 
-expression is a standard LDAP search expression, and the 
+<para>Perform a raw LDAP search on a ADS server and dump the results. The
+expression is a standard LDAP search expression, and the
 attributes are a list of LDAP fields to show in the results.</para>
 
 <para>Example: <userinput>net ads search '(objectCategory=group)' sAMAccountName</userinput>
@@ -1535,9 +1535,9 @@ attributes are a list of LDAP fields to show in the results.</para>
 <title>ADS DN <replaceable>DN</replaceable> <replaceable>(attributes)</replaceable></title>
 
 <para>
-Perform a raw LDAP search on a ADS server and dump the results. The 
-DN standard LDAP DN, and the attributes are a list of LDAP fields 
-to show in the result. 
+Perform a raw LDAP search on a ADS server and dump the results. The
+DN standard LDAP DN, and the attributes are a list of LDAP fields
+to show in the result.
 </para>
 
 <para>Example: <userinput>net ads dn 'CN=administrator,CN=Users,DC=my,DC=domain' SAMAccountName</userinput></para>
@@ -1557,76 +1557,6 @@ are made to the computer AD account.
 </para>
 </refsect2>
 
-<refsect2>
-<title>ADS KEYTAB <replaceable>ADD</replaceable> <replaceable>(principal | machine | serviceclass | windows SPN</replaceable></title>
-
-<para>
-Adds a new keytab entry, the entry can be either;
-  <variablelist>
-    <varlistentry><term>kerberos principal</term>
-    <listitem><para>
-      A kerberos principal (identified by the presence of '@') is just
-      added to the keytab file.
-    </para></listitem>
-    </varlistentry>
-    <varlistentry><term>machinename</term>
-    <listitem><para>
-      A machinename (identified by the trailing '$') is used to create a
-      a kerberos principal 'machinename at realm' which is added to the
-      keytab file.
-    </para></listitem>
-    </varlistentry>
-    <varlistentry><term>serviceclass</term>
-    <listitem><para>
-    A serviceclass (such as 'cifs', 'html' etc.) is used to create a pair
-    of kerberos principals 'serviceclass/fully_qualified_dns_name at realm' &
-    'serviceclass/netbios_name at realm' which are added to the keytab file.
-    </para></listitem>
-    </varlistentry>
-    <varlistentry><term>Windows SPN</term>
-    <listitem><para>
-    A Windows SPN is of the format 'serviceclass/host:port', it is used to
-    create a kerberos principal 'serviceclass/host at realm' which will
-    be written to the keytab file.
-    </para></listitem>
-    </varlistentry>
-  </variablelist>
-</para>
-<para>
-Unlike old versions no computer AD objects are modified by this command. To
-preserve the behaviour of older clients 'net ads keytab ad_update_ads' is
-available.
-</para>
-</refsect2>
-
-<refsect2>
-<title>ADS KEYTAB <replaceable>ADD_UPDATE_ADS</replaceable> <replaceable>(principal | machine | serviceclass | windows SPN</replaceable></title>
-
-<para>
-Adds a new keytab entry (see section for net ads keytab add). In addition to
-adding entries to the keytab file corresponding Windows SPNs are created
-from the entry passed to this command. These SPN(s) added to the AD computer
-account object associated with the client machine running this command for
-the following entry types;
-  <variablelist>
-    <varlistentry><term>serviceclass</term>
-    <listitem><para>
-    A serviceclass (such as 'cifs', 'html' etc.) is used to create a
-    pair of Windows SPN(s) 'param/full_qualified_dns' &
-    'param/netbios_name' which are added to the AD computer account object
-   for this client.
-    </para></listitem>
-    </varlistentry>
-    <varlistentry><term>Windows SPN</term>
-    <listitem><para>
-    A Windows SPN is of the format 'serviceclass/host:port', it is
-    added as passed to the AD computer account object for this client.
-    </para></listitem>
-    </varlistentry>
-  </variablelist>
-</para>
-</refsect2>
-
 <refsect2>
 <title>ADS setspn <replaceable>SETSPN LIST [machine]</replaceable></title>
 
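Review bot: The two refsect2 blocks for ADS KEYTAB ADD and ADS KEYTAB ADD_UPDATE_ADS are deleted with nothing added in their place, so within this hunk a reader of net(8) gets no hint of where the functionality went. WHATSNEW.txt in this same push maps both commands onto 'sync machine password to keytab' followed by "net ads keytab create". A one-sentence pointer to that smb.conf(5) parameter in the remaining ADS KEYTAB text would help users whose scripts still call the removed subcommands.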
@@ -2281,7 +2211,7 @@ share (no creation of new files or directories or writing to files).
 </para>
 
 <para>


-- 
Samba Shared Repository


