Implement 'update keytab' for winbind and tools
This is a fix for Bug 6750 - After 'machine password timeout' /etc/krb5.keytab is not updated
https://bugzilla.samba.org/show_bug.cgi?id=6750
NEW solution proposed by Metze:

```
sync machine password to keytab =
    "/path/to/keytab:sync_spns=yes",
    "/path/to/keytab1:sync_spns=yes:sync_kvno=yes",
    "/path/to/keytab2:spn_prefixes=imap,smtp"
    "/path/to/keytab2:spn_prefixes=imap,smtp:sync_kvno=yes"
    "/path/to/keytab3:spns=wurst/brot@REALM"
    "/path/to/keytab4:spns=wurst/brot@REALM:sync_kvno=yes"
```

no other combinations...
Also check whether application servers really require specific SPNs or kvno values in the keytab, and don't just iterate over all keytab entries.
- Don't make the existing ads_keytab* functions more complicated by modifying them, just leave them alone.
- We need new code with a context that:
  - reads secrets_domain_infoB from secrets.tdb
  - only if needed gets the servicePrincipalNames from the DC
  - only if needed gets the msDs-KeyVersionNumber from the DC
  - then just dumps the precalculated keys into the explicitly specified keytab files
- Then replace ads_keytab_create_default etc. with the new functions
As a separate step, remove the implicit keytab update for 'net ads changetrustpw' (in progress: !2190).
The code is updated so that the periodic winbindd machine password change and the following tools update the explicit keytab(s) specified via `sync machine password to keytab`:

- net ads changetrustpw
- net rpc changetrustpw
- wbinfo --change-secret
- rpcclient --machine-pass -c change_trust_pw
Example smb.conf:

```
sync machine password to keytab = \
"/home/pfilipen/workspace/projects/samba-keytab-new/st/ad_member_keytab/keytab0:sync_spns=yes", \
"/home/pfilipen/workspace/projects/samba-keytab-new/st/ad_member_keytab/keytab1:sync_spns=yes:sync_kvno=yes", \
"/home/pfilipen/workspace/projects/samba-keytab-new/st/ad_member_keytab/keytab2:spn_prefixes=imap,smtp", \
"/home/pfilipen/workspace/projects/samba-keytab-new/st/ad_member_keytab/keytab3:spn_prefixes=imap,smtp:sync_kvno=yes", \
"/home/pfilipen/workspace/projects/samba-keytab-new/st/ad_member_keytab/keytab4:spns=wurst/brot@REALM", \
"/home/pfilipen/workspace/projects/samba-keytab-new/st/ad_member_keytab/keytab5:spns=wurst/brot@REALM,wurst1/brot@REALM,wurst2/brot@REALM:sync_kvno=yes"
```
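The option syntax above packs several decisions into each quoted entry: which principals go into the keytab (`sync_spns`, `spn_prefixes` or `spns`) and whether the real key version number is fetched from the DC (`sync_kvno`). The following is an added example, not Samba's own parser, of how such an entry can be parsed and validated so that a typo in smb.conf is rejected instead of silently producing a keytab that application servers cannot use. The rule that exactly one selector must be present, with `sync_kvno=yes` as the only optional addition, is this example's reading of "no other combinations"; the shortened `/path/to/keytabN` paths are adapted from the proposal, with the option strings taken from the smb.conf example above.

```python
"""Parse and validate 'sync machine password to keytab' entries.

Added example (not Samba code). Entry format assumed from the proposal:
    "<absolute path>:<selector>[:sync_kvno=yes]"
where <selector> is exactly one of
    sync_spns=yes | spn_prefixes=<p1>,<p2>,... | spns=<princ@REALM>,...
"""
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class KeytabSpec:
    """One target keytab and the selection rules that apply to it."""
    path: str
    sync_spns: bool = False                                 # SPNs come from the DC
    spn_prefixes: List[str] = field(default_factory=list)   # e.g. ["imap", "smtp"]
    spns: List[str] = field(default_factory=list)           # explicit principals
    sync_kvno: bool = False                                 # real kvno from the DC


def parse_keytab_entry(entry: str) -> KeytabSpec:
    """Parse one entry such as '/etc/krb5.keytab:sync_spns=yes:sync_kvno=yes'.

    Raises ValueError for anything outside the allowed combinations, so a
    misconfiguration fails at parse time rather than at ticket-acceptance time.
    """
    parts = entry.strip().split(":")
    if len(parts) < 2 or not parts[0].startswith("/"):
        raise ValueError(f"need an absolute path and at least one option: {entry!r}")
    spec = KeytabSpec(path=parts[0])
    selectors = 0  # how many of sync_spns / spn_prefixes / spns were given
    for opt in parts[1:]:
        key, sep, value = opt.partition("=")
        if not sep or not value:
            raise ValueError(f"option without value in {entry!r}: {opt!r}")
        if key == "sync_spns":
            if value != "yes":
                raise ValueError(f"sync_spns only accepts 'yes': {entry!r}")
            spec.sync_spns = True
            selectors += 1
        elif key == "spn_prefixes":
            spec.spn_prefixes = [p for p in value.split(",") if p]
            selectors += 1
        elif key == "spns":
            spec.spns = [p for p in value.split(",") if p]
            bad = [p for p in spec.spns if "@" not in p]
            if bad:
                raise ValueError(f"spns need principal@REALM form: {bad}")
            selectors += 1
        elif key == "sync_kvno":
            if value != "yes":
                raise ValueError(f"sync_kvno only accepts 'yes': {entry!r}")
            spec.sync_kvno = True
        else:
            raise ValueError(f"unknown option {key!r} in {entry!r}")
    if selectors != 1:
        raise ValueError(
            f"exactly one of sync_spns, spn_prefixes, spns is required: {entry!r}")
    return spec


def parse_sync_option(value: str) -> List[KeytabSpec]:
    """Parse the whole option value: quoted entries separated by commas,
    optionally continued across lines with a trailing backslash."""
    value = re.sub(r"\\\s*\n", " ", value)          # join continuation lines
    entries = re.findall(r'"([^"]*)"', value)       # one quoted string per keytab
    if not entries:
        raise ValueError("no quoted keytab entries found")
    return [parse_keytab_entry(e) for e in entries]


# Option strings from the smb.conf example above, with the test-tree paths
# shortened to /path/to/keytabN (constructed sample input).
EXAMPLE_VALUE = r'''"/path/to/keytab0:sync_spns=yes", \
"/path/to/keytab1:sync_spns=yes:sync_kvno=yes", \
"/path/to/keytab2:spn_prefixes=imap,smtp", \
"/path/to/keytab3:spn_prefixes=imap,smtp:sync_kvno=yes", \
"/path/to/keytab4:spns=wurst/brot@REALM", \
"/path/to/keytab5:spns=wurst/brot@REALM,wurst1/brot@REALM,wurst2/brot@REALM:sync_kvno=yes"'''


if __name__ == "__main__":
    for spec in parse_sync_option(EXAMPLE_VALUE):
        print(spec)
```

Rejecting an entry with zero or two selectors is deliberate: a keytab written under an ambiguous rule would either be empty or contain principals the service never asked for, and both failure modes surface late, as GSSAPI acceptor errors, if the configuration is accepted silently.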
Resulting keytabs:
```
bin/net ads keytab list /home/pfilipen/workspace/projects/samba-keytab-new/st/ad_member_keytab/keytab0
Vno Type Principal
0 AES-256 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
0 AES-128 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
0 ArcFour with HMAC/md5 ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
-1 AES-256 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
-1 AES-128 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
-1 ArcFour with HMAC/md5 ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
-2 AES-128 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
0 AES-128 CTS mode with 96-bit SHA-1 HMAC host@ADDOM.SAMBA.EXAMPLE.COM
0 ArcFour with HMAC/md5 host@ADDOM.SAMBA.EXAMPLE.COM
-2 AES-256 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
-2 ArcFour with HMAC/md5 ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
0 AES-128 CTS mode with 96-bit SHA-1 HMAC restrictedkrbhost@ADDOM.SAMBA.EXAMPLE.COM
0 AES-256 CTS mode with 96-bit SHA-1 HMAC host@ADDOM.SAMBA.EXAMPLE.COM
0 AES-256 CTS mode with 96-bit SHA-1 HMAC restrictedkrbhost@ADDOM.SAMBA.EXAMPLE.COM
0 ArcFour with HMAC/md5 restrictedkrbhost@ADDOM.SAMBA.EXAMPLE.COM
```
```
bin/net ads keytab list /home/pfilipen/workspace/projects/samba-keytab-new/st/ad_member_keytab/keytab1
Vno Type Principal
4 AES-256 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
4 AES-128 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
4 ArcFour with HMAC/md5 ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
3 AES-256 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
3 AES-128 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
3 ArcFour with HMAC/md5 ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
2 AES-128 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
4 AES-128 CTS mode with 96-bit SHA-1 HMAC host@ADDOM.SAMBA.EXAMPLE.COM
4 ArcFour with HMAC/md5 host@ADDOM.SAMBA.EXAMPLE.COM
2 AES-256 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
2 ArcFour with HMAC/md5 ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
4 AES-128 CTS mode with 96-bit SHA-1 HMAC restrictedkrbhost@ADDOM.SAMBA.EXAMPLE.COM
4 AES-256 CTS mode with 96-bit SHA-1 HMAC host@ADDOM.SAMBA.EXAMPLE.COM
4 AES-256 CTS mode with 96-bit SHA-1 HMAC restrictedkrbhost@ADDOM.SAMBA.EXAMPLE.COM
4 ArcFour with HMAC/md5 restrictedkrbhost@ADDOM.SAMBA.EXAMPLE.COM
```
```
bin/net ads keytab list /home/pfilipen/workspace/projects/samba-keytab-new/st/ad_member_keytab/keytab2
Vno Type Principal
0 AES-256 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
0 AES-128 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
0 ArcFour with HMAC/md5 ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
-1 AES-256 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
-1 AES-128 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
-1 ArcFour with HMAC/md5 ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
-2 AES-128 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
0 AES-128 CTS mode with 96-bit SHA-1 HMAC imap@ADDOM.SAMBA.EXAMPLE.COM
0 ArcFour with HMAC/md5 imap@ADDOM.SAMBA.EXAMPLE.COM
-2 ArcFour with HMAC/md5 ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
0 AES-128 CTS mode with 96-bit SHA-1 HMAC smtp@ADDOM.SAMBA.EXAMPLE.COM
0 ArcFour with HMAC/md5 smtp@ADDOM.SAMBA.EXAMPLE.COM
-2 AES-256 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
0 AES-256 CTS mode with 96-bit SHA-1 HMAC imap@ADDOM.SAMBA.EXAMPLE.COM
0 AES-256 CTS mode with 96-bit SHA-1 HMAC smtp@ADDOM.SAMBA.EXAMPLE.COM
```
```
bin/net ads keytab list /home/pfilipen/workspace/projects/samba-keytab-new/st/ad_member_keytab/keytab3
Vno Type Principal
4 AES-256 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
4 AES-128 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
4 ArcFour with HMAC/md5 ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
3 AES-256 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
3 AES-128 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
3 ArcFour with HMAC/md5 ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
2 AES-128 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
4 AES-128 CTS mode with 96-bit SHA-1 HMAC imap@ADDOM.SAMBA.EXAMPLE.COM
4 ArcFour with HMAC/md5 imap@ADDOM.SAMBA.EXAMPLE.COM
2 ArcFour with HMAC/md5 ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
4 AES-128 CTS mode with 96-bit SHA-1 HMAC smtp@ADDOM.SAMBA.EXAMPLE.COM
4 ArcFour with HMAC/md5 smtp@ADDOM.SAMBA.EXAMPLE.COM
2 AES-256 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
4 AES-256 CTS mode with 96-bit SHA-1 HMAC imap@ADDOM.SAMBA.EXAMPLE.COM
4 AES-256 CTS mode with 96-bit SHA-1 HMAC smtp@ADDOM.SAMBA.EXAMPLE.COM
```
```
bin/net ads keytab list /home/pfilipen/workspace/projects/samba-keytab-new/st/ad_member_keytab/keytab4
Vno Type Principal
0 AES-256 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
0 AES-128 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
0 ArcFour with HMAC/md5 ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
-1 AES-256 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
-1 AES-128 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
-1 ArcFour with HMAC/md5 ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
0 AES-256 CTS mode with 96-bit SHA-1 HMAC wurst/brot@REALM
0 AES-128 CTS mode with 96-bit SHA-1 HMAC wurst/brot@REALM
0 ArcFour with HMAC/md5 wurst/brot@REALM
-2 AES-256 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
-2 AES-128 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
-2 ArcFour with HMAC/md5 ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
```
```
bin/net ads keytab list /home/pfilipen/workspace/projects/samba-keytab-new/st/ad_member_keytab/keytab5
Vno Type Principal
4 AES-256 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
4 AES-128 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
4 ArcFour with HMAC/md5 ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
3 AES-256 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
3 AES-128 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
3 ArcFour with HMAC/md5 ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
4 AES-256 CTS mode with 96-bit SHA-1 HMAC wurst/brot@REALM
4 AES-128 CTS mode with 96-bit SHA-1 HMAC wurst/brot@REALM
4 ArcFour with HMAC/md5 wurst/brot@REALM
4 AES-256 CTS mode with 96-bit SHA-1 HMAC wurst1/brot@REALM
4 AES-128 CTS mode with 96-bit SHA-1 HMAC wurst1/brot@REALM
4 ArcFour with HMAC/md5 wurst1/brot@REALM
4 AES-256 CTS mode with 96-bit SHA-1 HMAC wurst2/brot@REALM
4 AES-128 CTS mode with 96-bit SHA-1 HMAC wurst2/brot@REALM
4 ArcFour with HMAC/md5 wurst2/brot@REALM
2 AES-256 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
2 AES-128 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
2 ArcFour with HMAC/md5 ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
```
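The listings show the practical difference between the two kvno modes: without `sync_kvno=yes` the current, previous and older keys are written with placeholder version numbers 0, -1 and -2, while with it they carry the real numbers fetched from the DC (4, 3, 2 here). Metze's note above asks whether an application server actually needs specific SPNs or kvno values rather than just iterating over all entries; the following added example (not Samba code) turns that into a concrete check: it parses `net ads keytab list` output and verifies, per required principal, that the newest key exists in every enctype the service needs and, when the service depends on real version numbers, that the kvno is a synced one rather than a placeholder. The sample input is the keytab3 listing from above plus a three-line excerpt of the keytab2 listing; the principal and enctype requirements in the check are constructed for illustration.

```python
"""Check a 'net ads keytab list' listing against what a service needs.

Added example (not Samba code). The placeholder-kvno convention (0/-1/-2
without sync_kvno=yes) is taken from the listings on this page.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set


class KeytabEntry(NamedTuple):
    kvno: int
    enctype: str
    principal: str


# One listing line: "<kvno> <enctype description with spaces> <principal@REALM>"
LINE_RE = re.compile(r"^(-?\d+)\s+(.+?)\s+(\S+@\S+)$")


def parse_keytab_listing(text: str) -> List[KeytabEntry]:
    """Parse 'net ads keytab list <file>' output; skip the command echo and
    the column header, but refuse to silently drop any other odd line."""
    entries: List[KeytabEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Vno ") or line.startswith("bin/net "):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised keytab listing line: {line!r}")
        entries.append(KeytabEntry(int(m.group(1)), m.group(2), m.group(3)))
    return entries


def kvnos_by_principal(entries: Iterable[KeytabEntry]) -> Dict[str, Set[int]]:
    """Map each principal to the set of key version numbers present for it."""
    out: Dict[str, Set[int]] = defaultdict(set)
    for e in entries:
        out[e.principal].add(e.kvno)
    return dict(out)


def check_keytab(entries: Iterable[KeytabEntry], required_principals: Iterable[str],
                 required_enctypes: Iterable[str], need_real_kvno: bool) -> List[str]:
    """Return a list of problems; an empty list means the keytab satisfies the service.

    For every required principal: it must be present, its newest key (highest
    kvno) must exist in every required enctype, and if need_real_kvno is set the
    newest kvno must be a synced one (> 0), not a 0/-1/-2 placeholder.
    """
    by_principal: Dict[str, List[KeytabEntry]] = defaultdict(list)
    for e in entries:
        by_principal[e.principal].append(e)
    problems: List[str] = []
    for princ in required_principals:
        keys = by_principal.get(princ)
        if not keys:
            problems.append(f"{princ}: not in keytab")
            continue
        newest = max(k.kvno for k in keys)
        if need_real_kvno and newest <= 0:
            problems.append(f"{princ}: newest kvno is {newest}, not synced from the DC")
        have = {k.enctype for k in keys if k.kvno == newest}
        for enc in sorted(set(required_enctypes) - have):
            problems.append(f"{princ}: kvno {newest} has no {enc} key")
    return problems


# keytab3 listing from this page (spn_prefixes=imap,smtp:sync_kvno=yes).
KEYTAB3_LISTING = """\
bin/net ads keytab list /path/to/keytab3
Vno Type Principal
4 AES-256 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
4 AES-128 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
4 ArcFour with HMAC/md5 ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
3 AES-256 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
3 AES-128 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
3 ArcFour with HMAC/md5 ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
2 AES-128 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
4 AES-128 CTS mode with 96-bit SHA-1 HMAC imap@ADDOM.SAMBA.EXAMPLE.COM
4 ArcFour with HMAC/md5 imap@ADDOM.SAMBA.EXAMPLE.COM
2 ArcFour with HMAC/md5 ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
4 AES-128 CTS mode with 96-bit SHA-1 HMAC smtp@ADDOM.SAMBA.EXAMPLE.COM
4 ArcFour with HMAC/md5 smtp@ADDOM.SAMBA.EXAMPLE.COM
2 AES-256 CTS mode with 96-bit SHA-1 HMAC ADMEMKEYTAB$@ADDOM.SAMBA.EXAMPLE.COM
4 AES-256 CTS mode with 96-bit SHA-1 HMAC imap@ADDOM.SAMBA.EXAMPLE.COM
4 AES-256 CTS mode with 96-bit SHA-1 HMAC smtp@ADDOM.SAMBA.EXAMPLE.COM
"""

# Excerpt of the keytab2 listing (spn_prefixes=imap,smtp without sync_kvno):
# same principal, placeholder kvno 0.
KEYTAB2_EXCERPT = """\
0 AES-128 CTS mode with 96-bit SHA-1 HMAC imap@ADDOM.SAMBA.EXAMPLE.COM
0 ArcFour with HMAC/md5 imap@ADDOM.SAMBA.EXAMPLE.COM
0 AES-256 CTS mode with 96-bit SHA-1 HMAC imap@ADDOM.SAMBA.EXAMPLE.COM
"""

AES256 = "AES-256 CTS mode with 96-bit SHA-1 HMAC"
MAIL_SPNS = ["imap@ADDOM.SAMBA.EXAMPLE.COM", "smtp@ADDOM.SAMBA.EXAMPLE.COM"]

if __name__ == "__main__":
    for name, text in (("keytab3", KEYTAB3_LISTING), ("keytab2 excerpt", KEYTAB2_EXCERPT)):
        problems = check_keytab(parse_keytab_listing(text), MAIL_SPNS, [AES256], True)
        print(name, "OK" if not problems else problems)
```

Running the check with `need_real_kvno=True` passes for keytab3 and flags keytab2's imap entry as sitting at placeholder kvno 0; with `need_real_kvno=False` keytab2 passes too. That is the decision the `sync_kvno` option asks the administrator to make per keytab: a service that matches tickets on key version number needs the real number from the DC, one that does not can save the extra DC lookup.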
Checklist

- Commits have Signed-off-by: with name/author being identical to the commit author
- (optional) This MR is just one part towards a larger feature.
- (optional, if backport required) Bugzilla bug filed and BUG: tag added
- Test suite updated with functionality tests
- Test suite updated with negative tests
- Documentation updated
- CI timeout is 3h or higher (see Settings/CICD/General pipelines/ Timeout)

Reviewer's checklist:

- There is a test suite reasonably covering new functionality or modifications
- Function naming, parameters, return values, types, etc., are consistent and according to README.Coding.md
- This feature/change has adequate documentation added
- No obvious mistakes in the code