[SCM] Samba Shared Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Tue Aug 13 15:28:01 UTC 2024
The branch, master has been updated
via 9e4074d4268 docs:smbdotconf: Update 'kerberos method' with 'sync machine password to keytab'
via 2dd81ec2bea docs:smbdotconf: Improve documentation for 'sync machine password to keytab'
via ca7acec952b docs:smbdotconf: Improve documentation for 'sync machine password script'
via 9f0183a9f55 s3:script: Install winbind_ctdb_updatekeytab.sh
via adcad1b537c s3:script: Rename updatekeytab.sh ==> winbind_ctdb_updatekeytab.sh
via cb774a74c4e docs: Add examples to net.8 that use 'sync machine password to keytab'
via 51784e80f2b Revert "docs-xml: Delete descriptions for removed commands "net ads keytab add" and "net ads keytab add_update_ads""
from 68f0835c8e1 docs-xml/manpages: 'ceph_new' prefix for config-param of vfs_ceph_new
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 9e4074d4268e34cf93f79cd1108e7dc661ad3845
Author: Pavel Filipenský <pfilipensky at samba.org>
Date: Mon Aug 12 11:49:14 2024 +0200
docs:smbdotconf: Update 'kerberos method' with 'sync machine password to keytab'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Tue Aug 13 15:27:26 UTC 2024 on atb-devel-224
commit 2dd81ec2bea46ad6caa6e40194eae4340f4acc7d
Author: Pavel Filipenský <pfilipensky at samba.org>
Date: Mon Aug 12 11:49:14 2024 +0200
docs:smbdotconf: Improve documentation for 'sync machine password to keytab'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit ca7acec952b0e6154927b28b1afa3e9318f22035
Author: Pavel Filipenský <pfilipensky at samba.org>
Date: Mon Aug 12 11:49:14 2024 +0200
docs:smbdotconf: Improve documentation for 'sync machine password script'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 9f0183a9f55e52b09c6ae9f6c8badad6ba85bb64
Author: Pavel Filipenský <pfilipensky at samba.org>
Date: Mon Aug 12 10:44:19 2024 +0200
s3:script: Install winbind_ctdb_updatekeytab.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit adcad1b537ce2e2e213b72131517233a8d2d91fd
Author: Pavel Filipenský <pfilipensky at samba.org>
Date: Mon Aug 12 11:49:35 2024 +0200
s3:script: Rename updatekeytab.sh ==> winbind_ctdb_updatekeytab.sh
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit cb774a74c4e1cc03ad0267cc68b93c06738e2ce6
Author: Pavel Filipenský <pfilipensky at samba.org>
Date: Tue Aug 6 23:31:21 2024 +0200
docs: Add examples to net.8 that use 'sync machine password to keytab'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
commit 51784e80f2bdf84c296badba2caea800ce3813db
Author: Pavel Filipenský <pfilipensky at samba.org>
Date: Tue Aug 6 23:22:42 2024 +0200
Revert "docs-xml: Delete descriptions for removed commands "net ads keytab add" and "net ads keytab add_update_ads""
This reverts commit a5f47f6efe67e02d7a12f30b4e6fb76bcd6aa71c.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15689
Signed-off-by: Pavel Filipenský <pfilipensky at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
-----------------------------------------------------------------------
Summary of changes:
docs-xml/manpages/net.8.xml | 131 +++++++++++++++++++++
docs-xml/smbdotconf/security/kerberosmethod.xml | 6 +
.../security/syncmachinepasswordscript.xml | 13 +-
.../security/syncmachinepasswordtokeytab.xml | 9 ++
...pdatekeytab.sh => winbind_ctdb_updatekeytab.sh} | 0
source3/script/wscript_build | 1 +
6 files changed, 159 insertions(+), 1 deletion(-)
rename source3/script/{updatekeytab.sh => winbind_ctdb_updatekeytab.sh} (100%)
Changeset truncated at 500 lines:
diff --git a/docs-xml/manpages/net.8.xml b/docs-xml/manpages/net.8.xml
index 61a1e6362ce..e633c8c7c6a 100644
--- a/docs-xml/manpages/net.8.xml
+++ b/docs-xml/manpages/net.8.xml
@@ -1557,6 +1557,137 @@ are made to the computer AD account.
</para>
</refsect2>
+<refsect2>
+<title>(Removed!) ADS KEYTAB <replaceable>ADD</replaceable> <replaceable>(principal | machine | serviceclass | windows SPN</replaceable></title>
+
+<para>
+This command is no longer available in Samba 4.21.0 and newer. See <smbconfoption name="sync machine password to keytab"/> for replacement.
+</para>
+
+To replace e.g. call of
+<programlisting>
+net ads keytab add wurst/brot at REALM
+</programlisting>
+Add to smb.conf:
+<programlisting>
+sync machine password to keytab = /path/to/keytab1:spns=wurst/brot at REALM:machine_password
+</programlisting>
+and run:
+<programlisting>
+net ads keytab create
+</programlisting>
+
+<para>
+Original description of this command:
+</para>
+<para>
+Adds a new keytab entry, the entry can be either;
+ <variablelist>
+ <varlistentry><term>kerberos principal</term>
+ <listitem><para>
+ A kerberos principal (identified by the presence of '@') is just
+ added to the keytab file.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry><term>machinename</term>
+ <listitem><para>
+ A machinename (identified by the trailing '$') is used to create a
+ a kerberos principal 'machinename at realm' which is added to the
+ keytab file.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry><term>serviceclass</term>
+ <listitem><para>
+ A serviceclass (such as 'cifs', 'html' etc.) is used to create a pair
+ of kerberos principals 'serviceclass/fully_qualified_dns_name at realm' &
+ 'serviceclass/netbios_name at realm' which are added to the keytab file.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry><term>Windows SPN</term>
+ <listitem><para>
+ A Windows SPN is of the format 'serviceclass/host:port', it is used to
+ create a kerberos principal 'serviceclass/host at realm' which will
+ be written to the keytab file.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</para>
+<para>
+Unlike old versions no computer AD objects are modified by this command. To
+preserve the behaviour of older clients 'net ads keytab ad_update_ads' is
+available.
+</para>
+</refsect2>
+
+<refsect2>
+<title>(Removed!) ADS KEYTAB <replaceable>DELETE</replaceable> <replaceable>(principal | machine | serviceclass | windows SPN</replaceable></title>
+
+<para>
+This command is no longer available in Samba 4.21.0 and newer. See <smbconfoption name="sync machine password to keytab"/> for replacement.
+</para>
+
+<para>
+To replace e.g. call of
+<programlisting>
+net ads keytab delete wurst/brot at REALM
+</programlisting>
+Delete from <smbconfoption name="sync machine password to keytab"/> principal "wurst/brot at REALM" and run:
+<programlisting>
+net ads keytab create
+</programlisting>
+
+</para>
+</refsect2>
+
+<refsect2>
+<title>(Removed!) ADS KEYTAB <replaceable>ADD_UPDATE_ADS</replaceable> <replaceable>(principal | machine | serviceclass | windows SPN</replaceable></title>
+<para>
+This command is no longer available in Samba 4.21.0 and newer. See <smbconfoption name="sync machine password to keytab"/> for replacement.
+</para>
+
+To replace e.g. call of
+<programlisting>
+net ads keytab add_update_ads wurst/brot at REALM
+</programlisting>
+Add to smb.conf:
+<programlisting>
+sync machine password to keytab = /path/to/keytab2:sync_spns:machine_password
+</programlisting>
+and run:
+<programlisting>
+net ads setspn add wurst/brot at REALM
+net ads keytab create
+</programlisting>
+
+<para>
+Original description of this command:
+</para>
+
+<para>
+Adds a new keytab entry (see section for net ads keytab add). In addition to
+adding entries to the keytab file corresponding Windows SPNs are created
+from the entry passed to this command. These SPN(s) added to the AD computer
+account object associated with the client machine running this command for
+the following entry types;
+ <variablelist>
+ <varlistentry><term>serviceclass</term>
+ <listitem><para>
+ A serviceclass (such as 'cifs', 'html' etc.) is used to create a
+ pair of Windows SPN(s) 'param/full_qualified_dns' &
+ 'param/netbios_name' which are added to the AD computer account object
+ for this client.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry><term>Windows SPN</term>
+ <listitem><para>
+ A Windows SPN is of the format 'serviceclass/host:port', it is
+ added as passed to the AD computer account object for this client.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</para>
+</refsect2>
+
<refsect2>
<title>ADS setspn <replaceable>SETSPN LIST [machine]</replaceable></title>
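Review bot: all three new section titles open a parenthesis in `<replaceable>(principal | machine | serviceclass | windows SPN</replaceable>` that is never closed; add the `)` before `</replaceable>` in the ADD, DELETE and ADD_UPDATE_ADS headings. In the ADD and ADD_UPDATE_ADS sections the lines "To replace e.g. call of", the three `<programlisting>` blocks and "Add to smb.conf:" / "and run:" sit directly under `<refsect2>` outside any `<para>`, while the DELETE section wraps the same material in a `<para>`; wrap them the same way so the DocBook is consistent and validates. In the restored ADD description, "'net ads keytab ad_update_ads' is available" should read `add_update_ads` to match the command name used in the next section, and the example serviceclass 'html' looks like it was meant to be 'http'.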
diff --git a/docs-xml/smbdotconf/security/kerberosmethod.xml b/docs-xml/smbdotconf/security/kerberosmethod.xml
index b7cd988cd19..c9d70580c59 100644
--- a/docs-xml/smbdotconf/security/kerberosmethod.xml
+++ b/docs-xml/smbdotconf/security/kerberosmethod.xml
@@ -35,6 +35,12 @@
<smbconfoption name="dedicated keytab file"/> must be set to
specify the location of the keytab file.
</para>
+
+ <para>
+ Suggested configuration is to use the default value 'secrets only' together with the
+ <smbconfoption name="sync machine password to keytab"/> option.
+ </para>
+
</description>
<related>dedicated keytab file</related>
<value type="default">default</value>
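Review bot: the added paragraph calls 'secrets only' "the default value", but the `<value type="default">default</value>` line two lines below documents the default as the literal 'default'. If 'default' is an alias for 'secrets only', say so in the sentence (e.g. "the default value 'default', which is equivalent to 'secrets only'"); otherwise the two statements contradict each other for a reader of the generated smb.conf(5).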
diff --git a/docs-xml/smbdotconf/security/syncmachinepasswordscript.xml b/docs-xml/smbdotconf/security/syncmachinepasswordscript.xml
index 341613372f5..9a7731930d5 100644
--- a/docs-xml/smbdotconf/security/syncmachinepasswordscript.xml
+++ b/docs-xml/smbdotconf/security/syncmachinepasswordscript.xml
@@ -8,8 +8,19 @@
This is the full pathname to a script that will be run by
<citerefentry><refentrytitle>winbindd</refentrytitle> <manvolnum>8</manvolnum></citerefentry> when a machine account password is updated.
</para>
+
+ <para>
+ If keytabs should be generated in clustered environments it is recommended to update them on all nodes.
+ You can set the config option to &pathconfig.SAMBA_DATADIR;/scripts/winbind_ctdb_updatekeytab.sh in clustering case.
+ It is also needed to activate the <constant>46.update-keytabs.script</constant> in ctdb,
+ it re-creates the keytab during the ctdb recovered event:
+ <programlisting>
+ onnode all ctdb event script enable legacy 46.update-keytabs.script
+ </programlisting>
+ </para>
+
</description>
<value type="default"/>
-<value type="example">/usr/sbin/sync_machine_password</value>
+<value type="example">&pathconfig.SAMBA_DATADIR;/scripts/winbind_ctdb_updatekeytab.sh</value>
</samba:parameter>
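Review bot: the new paragraph tells the administrator to enable `46.update-keytabs.script`, but nothing in this changeset adds that ctdb event script (the summary lists only the manpage XML, the renamed shell script and wscript_build); confirm it already exists under the ctdb legacy event scripts or reference the commit that introduces it, since otherwise `ctdb event script enable legacy 46.update-keytabs.script` will fail for anyone following the text. The first sentence, "If keytabs should be generated in clustered environments it is recommended to update them on all nodes.", is also hard to parse; suggest "In clustered environments the keytab must be regenerated on every node, not only on the node that changed the machine password."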
diff --git a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
index b749ecb5c66..4cad9da73f2 100644
--- a/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
+++ b/docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml
@@ -67,10 +67,19 @@ Example:
"/path/to/keytab7:spns=wurst/brot at REALM,wurst2/brot at REALM:sync_kvno:machine_password"
</programlisting>
If sync_etypes or sync_kvno or sync_spns is present then winbind connects to DC. For "offline domain join" it might be useful not to use these options.
+</para>
+<para>
If no value is present, winbind uses value <programlisting>/path/to/keytab:sync_spns:sync_kvno:machine_password</programlisting>
where the path to the keytab is obtained either from the krb5 library or from <smbconfoption name="dedicated keytab file"/>
</para>
+<para>
+ Suggested configuration is together with <smbconfoption name="kerberos method"/> set to the default value 'secrets only'.
+</para>
+
+<para>
+ In clustered environments it is recommended to set <smbconfoption name="sync machine password script"/> to update the machine password on all nodes.
+</para>
</description>
</samba:parameter>
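Review bot: the last added paragraph says the script is set "to update the machine password on all nodes", but what the referenced script does is regenerate the keytab on all nodes; the script name (winbind_ctdb_updatekeytab.sh) and the syncmachinepasswordscript.xml text in this same patch both say keytab. Suggest "to re-create the keytab on all nodes" so the two manpages agree. Minor: the `</para><para>` split before "If no value is present" is fine, but the `<programlisting>` embedded mid-sentence renders as a block and breaks the sentence; `<literal>` would be the better element for an inline default value.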
diff --git a/source3/script/updatekeytab.sh b/source3/script/winbind_ctdb_updatekeytab.sh
similarity index 100%
rename from source3/script/updatekeytab.sh
rename to source3/script/winbind_ctdb_updatekeytab.sh
diff --git a/source3/script/wscript_build b/source3/script/wscript_build
index 66acf1cfe9e..2b0643b0876 100644
--- a/source3/script/wscript_build
+++ b/source3/script/wscript_build
@@ -6,6 +6,7 @@ bld.INSTALL_FILES('${BINDIR}',
'smbtar',
chmod=MODE_755, flat=True)
bld.INSTALL_FILES('${BINDIR}', 'samba-log-parser', chmod=MODE_755, flat=True)
+bld.INSTALL_FILES('${DATADIR}', 'winbind_ctdb_updatekeytab.sh', chmod=MODE_755, flat=True)
# Callout scripts for use in selftest environment
bld.SAMBA_SCRIPT('smbaddshare', pattern='smbaddshare', installdir='.')
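Review bot: installing with `'${DATADIR}'` and `flat=True` places the script at `<datadir>/winbind_ctdb_updatekeytab.sh`, but both manpage changes in this patch tell administrators to set `sync machine password script` to `&pathconfig.SAMBA_DATADIR;/scripts/winbind_ctdb_updatekeytab.sh`; either install into `${DATADIR}/scripts` or drop the `scripts/` component from the documented path, otherwise the documented example path does not exist after `make install`.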
--
Samba Shared Repository