author: Noel Power <noel.power@suse.com> 2018-02-09 14:07:27 +0000
committer: Andreas Schneider <asn@cryptomilk.org> 2018-03-02 14:07:15 +0100
commit: 0af66455ef87626b97689d75d17782d95455b55e (patch)
tree: bc35d1585f18eb011ececa283d3f7b9f7f0e27f8 /testprogs
parent: 284f5508a9563341817291aabf2640d05c2e8594 (diff)
s3:libads: 'net ads keytab create' shouldn't write SPN(s)

Modify default behaviour of 'net ads keytab create'

The change modifies the behaviour of 'net ads keytab create' such that only the keytab file is modified. The current behaviour doesn't make sense, existing SPN(s) pulled from the computer AD object have the format 'serviceclass/host:port/servicename'. 'ads_keytab_create_default' calls ads_keytab_add_entry passing 'serviceclass' for each SPN retrieved from the AD. For each serviceclass passed in a new pair of SPN(s) is generated as follows

    i) long form 'param/full_qualified_dns'
   ii) short form 'param/netbios_name'

This doesn't make sense as we are creating a new SPN(s) from an existing one probably replacing the existing host with the 'client' machine.

If the keytab file exists then additionally each kerberos principal in the keytab file is parsed to strip out the primary, then 'ads_keytab_add_entry' is called which then tries by default to generate a SPN from any primary that doesn't end in '$'. By default those SPNs are then added to the AD computer account for the client running the command.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Diffstat (limited to 'testprogs')
0 files changed, 0 insertions, 0 deletions
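
The derivation described in the commit message, as an added example that is not part of the commit or of Samba's code: a simplified Python model of how the old default turned existing SPNs and keytab principals into new SPNs on the client's computer account. All function names, host names and sample values are constructed, and the case-insensitive comparison against existing SPNs is an assumption of this sketch.

```python
"""Simplified model of the pre-change behaviour; not Samba code."""


def service_class(spn):
    """'serviceclass/host:port/servicename' -> 'serviceclass'."""
    return spn.split("/", 1)[0]


def keytab_primary(principal):
    """'primary/instance@REALM' -> 'primary' (instance and realm dropped)."""
    return principal.rsplit("@", 1)[0].split("/", 1)[0]


def spn_pair(param, fqdn, netbios):
    """Long and short form generated for one service class."""
    return [f"{param}/{fqdn}", f"{param}/{netbios}"]


def derived_spns(ad_spns, keytab_principals, fqdn, netbios):
    """SPNs the old default would generate, in first-seen order."""
    params = [service_class(s) for s in ad_spns]
    # Keytab primaries ending in '$' (the machine account) produce no SPN.
    params += [p for p in map(keytab_primary, keytab_principals)
               if not p.endswith("$")]
    out = []
    for param in params:
        for spn in spn_pair(param, fqdn, netbios):
            if spn not in out:
                out.append(spn)
    return out


def unexpected_spns(ad_spns, keytab_principals, fqdn, netbios):
    """Derived SPNs not already on the computer object (assumed
    case-insensitive match); these are what an audit should flag."""
    existing = {s.lower() for s in ad_spns}
    return [s for s in derived_spns(ad_spns, keytab_principals, fqdn, netbios)
            if s.lower() not in existing]


# Constructed sample data for a client named client1.example.com / CLIENT1.
AD_SPNS = ["HOST/client1.example.com", "HOST/CLIENT1",
           "HTTP/intranet.example.com:8080/portal"]
KEYTAB = ["CLIENT1$@EXAMPLE.COM", "host/client1.example.com@EXAMPLE.COM",
          "nfs/files.example.com@EXAMPLE.COM"]

if __name__ == "__main__":
    for spn in unexpected_spns(AD_SPNS, KEYTAB, "client1.example.com", "CLIENT1"):
        print("would be added to the computer account:", spn)
```

In the sample, the HTTP SPN that named a different host and the nfs keytab principal both yield SPNs pointing at the client itself, which is the effect the commit message objects to.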