PATCH: adjust 'net ads add keytab' for windows SPN(s) & add new 'net ads setspn' subcommand
Andreas Schneider
asn at samba.org
Sat Feb 3 09:14:30 UTC 2018
On Friday, 2 February 2018 14:03:55 CET Stefan Metzmacher via samba-technical wrote:
> Hi Noel,
>
> > c) 'net ads keytab add param' is passed a service (e.g. nfs, http etc.)
> >
> > In this scenario the param containing the service is first converted
> > into 2 kerberos principals (long and short forms) according to the
> > following recipe
> >
> > i) long form: 'param/fully_qualified_dns at realm'
> >
> > ii) short form: 'param/netbios_name at realm'
> > where 'fully_qualified_dns' is retrieved from the 'dNSHostName' attribute of
> > 'this' machine's computer account on the AD.
> > The principals are written to the keytab file
> >
> > Secondly, 2 Windows SPNs are generated from 'param' as follows
> >
> > i) long form 'param/fully_qualified_dns'
> >
> > ii) short form 'param/netbios_name'
> >
> > These SPNs are written to the AD computer account object
>
> I haven't looked at the patches, but the above caught my attention.
>
> Does 'net ads keytab add' modify any AD objects today?
It just adds SPNs to the machine account. Nothing else, but we could remove
that. However, then we need a 'net ads keytab update' function which checks the
machine account SPNs and adds missing ones to the local keytab.
> Maybe an optional option like --also-update-ad-account
> could trigger changes in AD, but it should not be the default.
I would go with 'net ads setspn' and 'net ads keytab update'.
Andreas
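The naming recipe quoted above and the "check the machine account SPNs, add missing ones to the keytab" reconciliation Andreas proposes, as an added Python sketch that is not part of this thread or of Samba's net tool; the host names, NetBIOS name and realm are constructed values.

```python
# Added example, not Samba code: models the principal/SPN recipe from the
# quoted message and the AD -> keytab reconciliation proposed in the reply.

def service_names(service, dns_host_name, netbios_name, realm):
    """Return (kerberos_principals, windows_spns) for one service name.

    Kerberos principals carry the realm; Windows SPNs stored on the computer
    account do not. Long form uses the dNSHostName attribute, short form the
    NetBIOS name, exactly as the quoted recipe describes.
    """
    long_spn = f"{service}/{dns_host_name}"
    short_spn = f"{service}/{netbios_name}"
    principals = [f"{long_spn}@{realm}", f"{short_spn}@{realm}"]
    return principals, [long_spn, short_spn]


def keytab_update_plan(account_spns, keytab_principals, realm):
    """Reconcile in the AD -> keytab direction only (no AD writes).

    Returns (missing, stale): SPNs on the computer account whose principal is
    absent from the local keytab, and keytab principals for this realm that
    have no backing SPN on the account (worth flagging, never auto-removed).
    Comparison is exact; case normalisation is left to the caller.
    """
    wanted = {f"{spn}@{realm}": spn for spn in account_spns}
    present = set(keytab_principals)
    missing = sorted(p for p in wanted if p not in present)
    stale = sorted(p for p in present
                   if p.endswith(f"@{realm}") and p not in wanted)
    return missing, stale


if __name__ == "__main__":
    realm = "EXAMPLE.COM"                      # constructed
    principals, spns = service_names("nfs", "srv1.example.com", "SRV1", realm)
    print("principals:", principals)
    print("spns:", spns)
    # Constructed state: AD already has the nfs SPNs, keytab has only one.
    account = ["host/srv1.example.com", "host/SRV1"] + spns
    keytab = {"host/srv1.example.com@EXAMPLE.COM", "host/SRV1@EXAMPLE.COM",
              "nfs/SRV1@EXAMPLE.COM"}
    print("update plan:", keytab_update_plan(account, keytab, realm))
```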