PATCH: adjust 'net ads add keytab' for windows SPN(s) & add new 'net ads setspn' subcommand
Noel Power
nopower at suse.com
Fri Feb 2 13:14:55 UTC 2018
Hi Metz
On 02/02/18 13:03, Stefan Metzmacher wrote:
> Hi Noel,
>
>> c) 'net ads keytab add param' is passed a service (e.g. nfs, http etc.)
>> In this scenario the param containing the service is first converted to
>> into 2 kerberos principles (long and short forms) according to the
>> following recipe
>> i) long form: 'param/fully_qualified_dns at realm'
>> ii) short form: 'param/netbios_name at realm'
>> where 'fully_qualified_dns is retrieved from 'dNSHostName' attribute of
>> 'this' machines computer account on the AD.
>> The principles are written to the keytab file
>> Secondly 2 windows SPNs are generated from 'param' as follows
>> i) long form 'param/full_qualified_dns'
>> ii) short form 'param/netbios_name'
>> These SPNs are written to the AD computer account object
> I haven't looked at the patches, but the above catched my attention.
>
> Does 'net ads keytab add' modify any AD objects today?
yes
>
> If not I think it should stay that way. It's not obvious
> that this command would change anything bug the keytab file.
I agree it's not obvious (note: net ads keytab add' param)'will
depending on the format of 'param' either update just the keytab or both
the keytab *and* the AD computer object (that is the current behaviour)
However I didn't want to change the existing behaviour as there is a
risk that people already depend on it. If we want to deprecate the
current behaviour that is probably done is a separate step ?
> Maybe an optional option like --also-update-ad-account
> could trigger changes in AD, but it should not be the default.
>
> metze
>
More information about the samba-technical
mailing list