docs-xml/smbdotconf/security/syncmachinepasswordtokeytab.xml


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121

<samba:parameter name="sync machine password to keytab"
                 context="G"
                 type="cmdlist"
                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>
This option allows you to describe what keytabs and how should be updated when
machine account is changed via one of these commands

<programlisting>
wbinfo --change-secret
rpcclient --machine-pass -c change_trust_pw
net rpc changetrustpw
net ads changetrustpw
</programlisting>

or by winbindd doing regular updates (see <smbconfoption name="machine password timeout"/>)
</para>

<para>
The option takes a list of keytab strings to describe how to synchronize
content of those keytabs or a single 'disabled' value to disable the
synchronization.

Each string has this form:
<programlisting>
absolute_path_to_keytab:spn_spec[:spn_spec]*[:sync_etypes][:sync_kvno][:netbios_aliases][:additional_dns_hostnames][:machine_password]
</programlisting>

spn_spec can be specified multiple times (separated using ':') and each spn_spec can have exactly one of these forms:
<programlisting>
account_name
sync_account_name
sync_upn
sync_spns
spn_prefixes=value1[,value2[...]]
spns=value1[,value2[...]]
</programlisting>
</para>

<para>
Every keytab contains principals according the specification below:
<programlisting>
account_name      - COMPUTER$@REALM
sync_account_name - uses attribute "sAMAccountName" from AD
sync_upn          - uses attribute "userPrincipalName" (if exists in AD)
sync_spns         - uses attribute "servicePrincipalName" (if exists in AD)
spn_prefixes      - creates these two principals from each prefix. e.g.:
                      prefix/<smbconfoption name="netbios name"/>@REALM
                      prefix/<smbconfoption name="dns hostname"/>@REALM
                    with :netbios_aliases for each netbiosalias in <smbconfoption name="netbios aliases"/>
                      prefix/netbiosalias@REALM
                      prefix/netbiosalias.dnsdomain@REALM
                    with :additional_dns_hostnames for each additionaldnshostname in <smbconfoption name="additional dns hostnames"/>
                      prefix/additionaldnshostname@REALM
                  - 'host' principal should be created using specifier spn_prefixes
spns              - creates only the principals defined in the list
</programlisting>
'account_name' and 'sync_account_name' are the same, just the source differs (secrets.tdb vs. AD).
</para>

<para>
Options:
<programlisting>
sync_etypes              - attribute "msDS-SupportedEncryptionTypes" is read from AD and is used to find the highest common enc type for AD and KRB5 lib.
sync_kvno                - attribute "msDS-KeyVersionNumber" from AD is used to set KVNO. If this option is missing, KVNO is set to -1.
netbios_aliases          - evaluated only for spn_prefixes (see details above).
additional_dns_hostnames - evaluated only for spn_prefixes (see details above).
machine_password         - mandatory, if missing the entry is ignored. For future use.
</programlisting>
</para>

<para>
Example:
<programlisting>
"/path/to/keytab0:account_name:machine_password",
"/path/to/keytab1:account_name:sync_etypes:sync_kvno:machine_password",
"/path/to/keytab2:sync_spns:machine_password",
"/path/to/keytab3:sync_spns:sync_kvno:machine_password",
"/path/to/keytab4:spn_prefixes=imap,smtp:machine_password",
"/path/to/keytab5:spn_prefixes=imap,smtp:netbios_aliases:additional_dns_hostnames:sync_kvno:machine_password",
"/path/to/keytab6:spns=wurst/brot@REALM:machine_password",
"/path/to/keytab7:spns=wurst/brot@REALM,wurst2/brot@REALM:sync_kvno:machine_password",
"/path/to/keytab8:sync_account_name:sync_upn:sync_spns:spn_prefixes=host,cifs,http:spns=wurst/brot@REALM:sync_kvno:machine_password"
</programlisting>
If sync_etypes or sync_kvno or sync_spns is present then winbind connects to DC. For "offline domain join" it might be useful not to use these options.
</para>

<para>
If no value is present and <smbconfoption name="kerberos method"/> is different from
'secrets only', the behavior differs between winbind and net utility:
</para>
<itemizedlist>
        <listitem>
                <para><userinput>winbind</userinput> uses value
                      <programlisting>/path/to/keytab:host:account_name:sync_spns:sync_kvno:machine_password</programlisting>
                      where the path to the keytab is obtained either from the krb5 library or from
                      <smbconfoption name="dedicated keytab file"/>.
                </para>
        </listitem>
        <listitem>
                <para><userinput>net changesecretpw -f</userinput> command uses the default 'disabled' value.</para>
        </listitem>
        <listitem><para>No other <userinput>net</userinput> subcommands use the 'disabled' value.</para></listitem>
</itemizedlist>

<para>
If a single value 'disabled' is present, the synchronization process is
disabled. This is required for FreeIPA domain member setup where keytab
synchronization uses a protocol not implemented by Samba.
</para>

<para>
    Suggested configuration is together with <smbconfoption name="kerberos method"/> set to the default value 'secrets only'.
</para>

<para>
    In clustered environments it is recommended to set <smbconfoption name="sync machine password script"/> to update the machine password on all nodes.
</para>
</description>
</samba:parameter>