PATCH: adjust 'net ads add keytab' for windows SPN(s) & add new 'net ads setspn' subcommand

Noel Power nopower at
Fri Feb 2 13:14:55 UTC 2018

Hi Metz
On 02/02/18 13:03, Stefan Metzmacher wrote:
> Hi Noel,
>> c) 'net ads keytab add param' is passed a service (e.g. nfs, http etc.)
>>    In this scenario the param containing the service is first converted to
>>    into 2 kerberos principles (long and short forms) according to the
>>    following recipe
>>       i) long form:  'param/fully_qualified_dns at realm'
>>      ii) short form: 'param/netbios_name at realm'
>>      where 'fully_qualified_dns is retrieved from 'dNSHostName' attribute of
>>      'this' machines computer account on the AD.
>>      The principles are written to the keytab file
>>    Secondly 2 windows SPNs are generated from 'param' as follows
>>       i) long form 'param/full_qualified_dns'
>>      ii) short form 'param/netbios_name'
>>    These SPNs are written to the AD computer account object
> I haven't looked at the patches, but the above catched my attention.
> Does 'net ads keytab add' modify any AD objects today?
> If not I think it should stay that way. It's not obvious
> that this command would change anything bug the keytab file.
I agree it's not obvious (note: net ads keytab add' param)'will
depending on the format of 'param' either update just the keytab or both
the keytab *and* the AD computer object (that is the current behaviour)

However I didn't want to change the existing behaviour as there is a
risk that people already depend on it. If we want to deprecate the
current behaviour that is probably done is a separate step ?
> Maybe an optional option like --also-update-ad-account
> could trigger changes in AD, but it should not be the default.
> metze

More information about the samba-technical mailing list