[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Tue Aug 13 15:28:01 UTC 2024


The branch, master has been updated
       via  9e4074d4268 docs:smbdotconf: Update 'kerberos method' with 'sync machine password to keytab'
       via  2dd81ec2bea docs:smbdotconf: Improve documentation for 'sync machine password to keytab'
       via  ca7acec952b docs:smbdotconf: Improve documentation for 'sync machine password script'
       via  9f0183a9f55 s3:script: Install winbind_ctdb_updatekeytab.sh
       via  adcad1b537c s3:script: Rename updatekeytab.sh ==> winbind_ctdb_updatekeytab.sh
       via  cb774a74c4e docs: Add examples to net.8 that use 'sync machine password to keytab'
       via  51784e80f2b Revert "docs-xml: Delete descriptions for removed commands "net ads keytab add" and "net ads keytab add_update_ads""
      from  68f0835c8e1 docs-xml/manpages: 'ceph_new' prefix for config-param of vfs_ceph_new

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 9e4074d4268e34cf93f79cd1108e7dc661ad3845
Author: Pavel Filipenský <pfilipensky at samba.org>
Date:   Mon Aug 12 11:49:14 2024 +0200

    docs:smbdotconf: Update 'kerberos method' with 'sync machine password to keytab'
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Tue Aug 13 15:27:26 UTC 2024 on atb-devel-224

commit 2dd81ec2bea46ad6caa6e40194eae4340f4acc7d
Author: Pavel Filipenský <pfilipensky at samba.org>
Date:   Mon Aug 12 11:49:14 2024 +0200

    docs:smbdotconf: Improve documentation for 'sync machine password to keytab'
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689
    
    Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit ca7acec952b0e6154927b28b1afa3e9318f22035
Author: Pavel Filipenský <pfilipensky at samba.org>
Date:   Mon Aug 12 11:49:14 2024 +0200

    docs:smbdotconf: Improve documentation for 'sync machine password script'
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 9f0183a9f55e52b09c6ae9f6c8badad6ba85bb64
Author: Pavel Filipenský <pfilipensky at samba.org>
Date:   Mon Aug 12 10:44:19 2024 +0200

    s3:script: Install winbind_ctdb_updatekeytab.sh
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689
    
    Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit adcad1b537ce2e2e213b72131517233a8d2d91fd
Author: Pavel Filipenský <pfilipensky at samba.org>
Date:   Mon Aug 12 11:49:35 2024 +0200

    s3:script: Rename updatekeytab.sh ==> winbind_ctdb_updatekeytab.sh
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689
    
    Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit cb774a74c4e1cc03ad0267cc68b93c06738e2ce6
Author: Pavel Filipenský <pfilipensky at samba.org>
Date:   Tue Aug 6 23:31:21 2024 +0200

    docs: Add examples to net.8 that use 'sync machine password to keytab'
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>

commit 51784e80f2bdf84c296badba2caea800ce3813db
Author: Pavel Filipenský <pfilipensky at samba.org>
Date:   Tue Aug 6 23:22:42 2024 +0200

    Revert "docs-xml: Delete descriptions for removed commands "net ads keytab add" and "net ads keytab add_update_ads""
    
    This reverts commit a5f47f6efe67e02d7a12f30b4e6fb76bcd6aa71c.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689
    
    Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 docs-xml/manpages/net.8.xml                        | 131 +++++++++++++++++++++
 docs-xml/smbdotconf/security/kerberosmethod.xml    |   6 +
 .../security/syncmachinepasswordscript.xml         |  13 +-
 .../security/syncmachinepasswordtokeytab.xml       |   9 ++
 ...pdatekeytab.sh => winbind_ctdb_updatekeytab.sh} |   0
 source3/script/wscript_build                       |   1 +
 6 files changed, 159 insertions(+), 1 deletion(-)
 rename source3/script/{updatekeytab.sh => winbind_ctdb_updatekeytab.sh} (100%)


Changeset truncated at 500 lines:

diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
index 61a1e6362ce..e633c8c7c6a 100644
--- a/docs-xml/manpages/net.8.xml
+++ b/docs-xml/manpages/net.8.xml
@@ -1557,6 +1557,137 @@ are made to the computer AD account.
 </para>
 </refsect2>
 
+<refsect2>
+<title>(Removed!) ADS KEYTAB <replaceable>ADD</replaceable> <replaceable>(principal | machine | serviceclass | windows SPN</replaceable></title>
+
+<para>
+This command is no longer available in Samba 4.21.0 and newer. See <smbconfoption name="sync machine password to keytab"/> for replacement.
+</para>
+
+To replace e.g. call of
+<programlisting>
+net ads keytab add wurst/brot at REALM
+</programlisting>
+Add to smb.conf:
+<programlisting>
+sync machine password to keytab = /path/to/keytab1:spns=wurst/brot at REALM:machine_password
+</programlisting>
+and run:
+<programlisting>
+net ads keytab create
+</programlisting>
+
+<para>
+Original description of this command:
+</para>
+<para>
+Adds a new keytab entry, the entry can be either;
+  <variablelist>
+    <varlistentry><term>kerberos principal</term>
+    <listitem><para>
+      A kerberos principal (identified by the presence of '@') is just
+      added to the keytab file.
+    </para></listitem>
+    </varlistentry>
+    <varlistentry><term>machinename</term>
+    <listitem><para>
+      A machinename (identified by the trailing '$') is used to create a
+      a kerberos principal 'machinename at realm' which is added to the
+      keytab file.
+    </para></listitem>
+    </varlistentry>
+    <varlistentry><term>serviceclass</term>
+    <listitem><para>
+    A serviceclass (such as 'cifs', 'html' etc.) is used to create a pair
+    of kerberos principals 'serviceclass/fully_qualified_dns_name at realm' &
+    'serviceclass/netbios_name at realm' which are added to the keytab file.
+    </para></listitem>
+    </varlistentry>
+    <varlistentry><term>Windows SPN</term>
+    <listitem><para>
+    A Windows SPN is of the format 'serviceclass/host:port', it is used to
+    create a kerberos principal 'serviceclass/host at realm' which will
+    be written to the keytab file.
+    </para></listitem>
+    </varlistentry>
+  </variablelist>
+</para>
+<para>
+Unlike old versions no computer AD objects are modified by this command. To
+preserve the behaviour of older clients 'net ads keytab ad_update_ads' is
+available.
+</para>
+</refsect2>
+
+<refsect2>
+<title>(Removed!) ADS KEYTAB <replaceable>DELETE</replaceable> <replaceable>(principal | machine | serviceclass | windows SPN</replaceable></title>
+
+<para>
+This command is no longer available in Samba 4.21.0 and newer. See <smbconfoption name="sync machine password to keytab"/> for replacement.
+</para>
+
+<para>
+To replace e.g. call of
+<programlisting>
+net ads keytab delete wurst/brot at REALM
+</programlisting>
+Delete from <smbconfoption name="sync machine password to keytab"/> principal "wurst/brot at REALM" and run:
+<programlisting>
+net ads keytab create
+</programlisting>
+
+</para>
+</refsect2>
+
+<refsect2>
+<title>(Removed!) ADS KEYTAB <replaceable>ADD_UPDATE_ADS</replaceable> <replaceable>(principal | machine | serviceclass | windows SPN</replaceable></title>
+<para>
+This command is no longer available in Samba 4.21.0 and newer. See <smbconfoption name="sync machine password to keytab"/> for replacement.
+</para>
+
+To replace e.g. call of
+<programlisting>
+net ads keytab add_update_ads wurst/brot at REALM
+</programlisting>
+Add to smb.conf:
+<programlisting>
+sync machine password to keytab = /path/to/keytab2:sync_spns:machine_password
+</programlisting>
+and run:
+<programlisting>
+net ads setspn add wurst/brot at REALM
+net ads keytab create
+</programlisting>
+
+<para>
+Original description of this command:
+</para>
+
+<para>
+Adds a new keytab entry (see section for net ads keytab add). In addition to
+adding entries to the keytab file corresponding Windows SPNs are created
+from the entry passed to this command. These SPN(s) added to the AD computer
+account object associated with the client machine running this command for
+the following entry types;
+  <variablelist>
+    <varlistentry><term>serviceclass</term>
+    <listitem><para>
+    A serviceclass (such as 'cifs', 'html' etc.) is used to create a
+    pair of Windows SPN(s) 'param/full_qualified_dns' &
+    'param/netbios_name' which are added to the AD computer account object
+   for this client.
+    </para></listitem>
+    </varlistentry>
+    <varlistentry><term>Windows SPN</term>
+    <listitem><para>
+    A Windows SPN is of the format 'serviceclass/host:port', it is
+    added as passed to the AD computer account object for this client.
+    </para></listitem>
+    </varlistentry>
+  </variablelist>
+</para>
+</refsect2>
+
 <refsect2>
 <title>ADS setspn <replaceable>SETSPN LIST [machine]</replaceable></title>
 
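Review bot: the three new titles (ADS KEYTAB ADD, DELETE and ADD_UPDATE_ADS) open a parenthesis inside `<replaceable>(principal | machine | serviceclass | windows SPN</replaceable>` that is never closed; add the `)` before `</replaceable>` in each. In the ADD and ADD_UPDATE_ADS sections the sentence "To replace e.g. call of" and the `<programlisting>` blocks that follow sit directly under `<refsect2>` instead of inside a `<para>`, unlike the DELETE section which wraps them; DocBook refsect2 does not take bare text, so wrap them the same way. The reinstated ADD description also refers to 'net ads keytab ad_update_ads', which should read 'add_update_ads' to match the section title. Since ADD_UPDATE_ADS is described as writing SPNs to the AD computer account, the replacement recipe would be clearer if it said that `net ads setspn add wurst/brot at REALM` is the step that modifies the computer object and `net ads keytab create` only rewrites the local keytab from the `sync_spns` setting.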
diff --git a/docs-xml/smbdotconf/security/kerberosmethod.xml b/docs-xml/smbdotconf/security/kerberosmethod.xml
index b7cd988cd19..c9d70580c59 100644
--- a/docs-xml/smbdotconf/security/kerberosmethod.xml
+++ b/docs-xml/smbdotconf/security/kerberosmethod.xml
@@ -35,6 +35,12 @@
 	  <smbconfoption name="dedicated keytab file"/> must be set to
 	  specify the location of the keytab file.
 	</para>
+
+	<para>
+	Suggested configuration is to use the default value 'secrets only' together with the
+	<smbconfoption name="sync machine password to keytab"/> option.
+	</para>
+
 </description>
 <related>dedicated keytab file</related>
 <value type="default">default</value>
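Review bot: the added sentence recommends "the default value 'secrets only'", but the `<value type="default">default</value>` line three lines below documents the default as `default`, so the two statements contradict each other; either say "the default value 'default'" or, if 'default' and 'secrets only' behave identically, state that equivalence explicitly so a reader checking the default does not think one of the lines is wrong.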
diff --git a/docs-xml/smbdotconf/security/syncmachinepasswordscript.xml b/docs-xml/smbdotconf/security/syncmachinepasswordscript.xml
index 341613372f5..9a7731930d5 100644
--- a/docs-xml/smbdotconf/security/syncmachinepasswordscript.xml
+++ b/docs-xml/smbdotconf/security/syncmachinepasswordscript.xml
@@ -8,8 +8,19 @@
 	This is the full pathname to a script that will be run by
         <citerefentry><refentrytitle>winbindd</refentrytitle> <manvolnum>8</manvolnum></citerefentry> when a machine account password is updated.
 	</para>
+
+    <para>
+    If keytabs should be generated in clustered environments it is recommended to update them on all nodes.
+    You can set the config option to &pathconfig.SAMBA_DATADIR;/scripts/winbind_ctdb_updatekeytab.sh in clustering case.
+    It is also needed to activate the <constant>46.update-keytabs.script</constant> in ctdb,
+    it re-creates the keytab during the ctdb recovered event:
+    <programlisting>
+    onnode all ctdb event script enable legacy 46.update-keytabs.script
+    </programlisting>
+    </para>
+
 </description>
 
 <value type="default"/>
-<value type="example">/usr/sbin/sync_machine_password</value>
+<value type="example">&pathconfig.SAMBA_DATADIR;/scripts/winbind_ctdb_updatekeytab.sh</value>
 </samba:parameter>
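Review bot: the first added sentence, "If keytabs should be generated in clustered environments it is recommended to update them on all nodes", is hard to parse; suggest "In clustered environments the keytab must be updated on every node, so set this option to &pathconfig.SAMBA_DATADIR;/scripts/winbind_ctdb_updatekeytab.sh", and "It is also needed to activate the 46.update-keytabs.script in ctdb, it re-creates the keytab during the ctdb recovered event" should become "You also need to enable the 46.update-keytabs.script event script in ctdb, which re-creates the keytab on the ctdb 'recovered' event:". Since the paragraph above still says the script runs "when a machine account password is updated", it is worth adding one sentence here saying that winbind_ctdb_updatekeytab.sh only regenerates keytabs and does not itself change the machine password, so the two paragraphs read consistently.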
diff --git a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
index b749ecb5c66..4cad9da73f2 100644
--- a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
+++ b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
@@ -67,10 +67,19 @@ Example:
 "/path/to/keytab7:spns=wurst/brot at REALM,wurst2/brot at REALM:sync_kvno:machine_password"
 </programlisting>
 If sync_etypes or sync_kvno or sync_spns is present then winbind connects to DC. For "offline domain join" it might be useful not to use these options.
+</para>
 
+<para>
 If no value is present, winbind uses value <programlisting>/path/to/keytab:sync_spns:sync_kvno:machine_password</programlisting>
 where the path to the keytab is obtained either from the krb5 library or from <smbconfoption name="dedicated keytab file"/>
 </para>
 
+<para>
+    Suggested configuration is together with <smbconfoption name="kerberos method"/> set to the default value 'secrets only'.
+</para>
+
+<para>
+    In clustered environments it is recommended to set <smbconfoption name="sync machine password script"/> to update the machine password on all nodes.
+</para>
 </description>
 </samba:parameter>
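Review bot: the last added paragraph says sync machine password script is set "to update the machine password on all nodes", but that option's own documentation says the script runs after a machine password update and the companion change describes winbind_ctdb_updatekeytab.sh as re-creating the keytab; say "to update the keytab on all nodes" so readers do not expect the script to change the password. The "kerberos method set to the default value 'secrets only'" sentence has the same default/'secrets only' mismatch as the kerberosmethod.xml change in this series. Minor: the context line "winbind uses value <programlisting>...</programlisting> where the path" splits one sentence around a block element; `<literal>` or a sentence break before the listing would render more cleanly.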
diff --git a/source3/script/updatekeytab.sh b/source3/script/winbind_ctdb_updatekeytab.sh
similarity index 100%
rename from source3/script/updatekeytab.sh
rename to source3/script/winbind_ctdb_updatekeytab.sh
diff --git a/source3/script/wscript_build b/source3/script/wscript_build
index 66acf1cfe9e..2b0643b0876 100644
--- a/source3/script/wscript_build
+++ b/source3/script/wscript_build
@@ -6,6 +6,7 @@ bld.INSTALL_FILES('${BINDIR}',
 	          'smbtar',
                   chmod=MODE_755, flat=True)
 bld.INSTALL_FILES('${BINDIR}', 'samba-log-parser', chmod=MODE_755, flat=True)
+bld.INSTALL_FILES('${DATADIR}', 'winbind_ctdb_updatekeytab.sh', chmod=MODE_755, flat=True)
 
 # Callout scripts for use in selftest environment
 bld.SAMBA_SCRIPT('smbaddshare', pattern='smbaddshare', installdir='.')
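Review bot: `bld.INSTALL_FILES('${DATADIR}', 'winbind_ctdb_updatekeytab.sh', chmod=MODE_755, flat=True)` places the script at the top level of the data directory, whereas the smb.conf documentation added in this series points at `&pathconfig.SAMBA_DATADIR;/scripts/winbind_ctdb_updatekeytab.sh`; install into `'${DATADIR}/scripts'` (or change the documented path and the `<value type="example">`) so the documented example value actually resolves on an installed system. A one-line comment above the call saying this is the winbindd sync machine password script callout for ctdb clusters would also distinguish it from the user-facing binaries installed into `${BINDIR}` just above.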


-- 
Samba Shared Repository
