PATCH: adjust 'net ads add keytab' for windows SPN(s) & add new 'net ads setspn' subcommand
Stefan Metzmacher
metze at samba.org
Fri Feb 2 13:03:55 UTC 2018
Hi Noel,
> c) 'net ads keytab add param' is passed a service (e.g. nfs, http etc.)
> In this scenario the param containing the service is first converted to
> into 2 kerberos principles (long and short forms) according to the
> following recipe
> i) long form: 'param/fully_qualified_dns at realm'
> ii) short form: 'param/netbios_name at realm'
> where 'fully_qualified_dns is retrieved from 'dNSHostName' attribute of
> 'this' machines computer account on the AD.
> The principles are written to the keytab file
> Secondly 2 windows SPNs are generated from 'param' as follows
> i) long form 'param/full_qualified_dns'
> ii) short form 'param/netbios_name'
> These SPNs are written to the AD computer account object
I haven't looked at the patches, but the above catched my attention.
Does 'net ads keytab add' modify any AD objects today?
If not I think it should stay that way. It's not obvious
that this command would change anything bug the keytab file.
Maybe an optional option like --also-update-ad-account
could trigger changes in AD, but it should not be the default.
metze
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20180202/a7522d98/signature.sig>
More information about the samba-technical
mailing list