git.samba.org - samba.git/commit

author	Noel Power <noel.power@suse.com>
	Fri, 9 Feb 2018 14:07:27 +0000 (14:07 +0000)
committer	Andreas Schneider <asn@cryptomilk.org>
	Fri, 2 Mar 2018 13:07:15 +0000 (14:07 +0100)
commit	0af66455ef87626b97689d75d17782d95455b55e
tree	bc35d1585f18eb011ececa283d3f7b9f7f0e27f8	tree
parent	284f5508a9563341817291aabf2640d05c2e8594	commit \| diff

s3:libads: 'net ads keytab create' shouldn't write SPN(s)

Modify default behaviour of 'net ads keytab create'

The change modifies the behaviour of 'net ads keytab create' such
that only the keytab file is modified. The current behaviour doesn't
make sense, existing SPN(s) pulled from the computer AD object have
the format 'serviceclass/host:port/servicename'.
'ads_keytab_create_default' calls ads_keytab_add_entry passing
'serviceclass' for each SPN retrieved from the AD. For each
serviceclass passed in a new pair of SPN(s) is generated as follows
i) long form 'param/full_qualified_dns'
ii) short form 'param/netbios_name'

This doesn't make sense as we are creating a new SPN(s) from an existing
one probably replacing the existing host with the 'client' machine.

If the keytab file exists then additionally each kerberos principal in the
keytab file is parsed to strip out the primary, then 'ads_keytab_add_entry'
is called which then tries by default to generate a SPN from any primary
that doesn't end in '$'. By default those SPNs are then added to the AD
computer account for the client running the command.

Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

source3/libads/kerberos_keytab.c		diff \| blob \| history
source3/utils/net_ads.c		diff \| blob \| history