PATCHv2: adjust 'net ads add keytab' for windows SPN(s) & add new 'net ads setspn' subcommand

Noel Power nopower at
Thu Feb 15 10:42:34 UTC 2018

Hi All

I've updated the patch set hopefully to address the details brought up

Summary of changes

+ Firstly I found a bug in PATCH2 (have a look at the last hunk, I've
added an asprintf to add back the '$')

+ For 'net ads keytab add' I have added patches that make the default
not write the SPN(s) to the AD computer objects. I've added a new
subcommand 'net ads keytab add_update_ads' for that.

+ 'net ads keytab create' also was writing to the AD (because it
(re)uses the same 'ads_keytab_add_entry' function which by default
writes SPN(s) generated from the 'serviceclass' passed in). I have
disabled this behaviour for create also, e.g. now by default 'net ads
keytab create' does not try and write SPN(s) to the AD. Note: I have not
provided an alternative, I think what create is doing is incorrect (see
the comments in PATCH 13)

What do you all think? I could do like I did for 'keytab add'
(and provide a create_update_ads option?). I do think what it was
doing is just.. wrong though. But... I am willing to do similar if you
think it makes sense

+ some man pages for keytab & setspn

+ whatsnew.txt

@Andreas - please note there is a slight change to the last version of PATCH 11/12 you looked at: in patch 11 I had an incorrect default, so now it is changed as below

-	ret |= ads_keytab_add_entry(ads, argv[i], false);
+	ret |= ads_keytab_add_entry(ads, argv[i], true);
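
Review bot: the third argument in the changed call, 'ads_keytab_add_entry(ads, argv[i], true)', is a bare boolean, so the call site does not show which behaviour the flip from false to true selects. A short comment naming the parameter, or a named constant in place of the literal, would let this default be checked without opening the function definition. Because 'ret |=' merges the result for every argv[i] into one value, it is also worth confirming that callers only test ret for non-zero and never interpret it as a specific error code.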

patch 12 differs only because the hunk containing the same line above (now different content) had to also change.


On 05/02/18 14:56, Noel Power via samba-technical wrote:
> On 03/02/18 09:14, Andreas Schneider wrote:
>> On Friday, 2 February 2018 14:03:55 CET Stefan Metzmacher via samba-technical 
>> wrote:
>>> Hi Noel,
> [...]
>>> I haven't looked at the patches, but the above caught my attention.
>>> Does 'net ads keytab add' modify any AD objects today?
>> It just adds SPNs to the machine account. Nothing else, but we could remove 
>> that. However then we need a 'net ads keytab update' function which checks the 
>> machine account SPNs and adds missing ones to the local keytab.
> it's worth noting that 'net ads keytab create' afaics tries to do just
> that if the keytab already exists, e.g. it pulls down all spn(s) from
> the AD computer object, converts those to kerberos principals and adds
> them to the keytab if they are not present. AFAICS existing entries in
> the key tab are preserved
> Noel

-------------- next part --------------
A non-text attachment was scrubbed...
Name: keytab_setspn_and_testsv2.patch
Type: text/x-patch
Size: 68942 bytes
