Samba-tool commands for handling KDS[/gkdi/gMSA] root keys, and tests

Samba-tool commands for handling KDS[/gkdi/gMSA] root keys, and tests, and some bits to improve error output with --json across samba-tool.

douglasb 🔥 /data/samba/samba (douglas-samba-tool-kds-rebase-2)$ bin/samba-tool domain kds root-key create  -s st/ad_dc/etc/smb.conf  
created root key 4fa6832d-ef85-830a-d0a4-87490ededbf5, used from 2024-02-28T20:34:46.564888+00:00 (about now)
douglasb 🔥 /data/samba/samba (douglas-samba-tool-kds-rebase-2)$ bin/samba-tool domain kds root-key list  -s st/ad_dc/etc/smb.conf  
2 root keys found.

name 4fa6832d-ef85-830a-d0a4-87490ededbf5
   created        2024-02-28T20:34:46.564888+00:00 (about 10 seconds ago)
   used from      2024-02-28T20:34:46.564888+00:00 (about 10 seconds ago)
   dn             CN=4fa6832d-ef85-830a-d0a4-87490ededbf5,CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=addom,DC=samba,DC=example,DC=com


name cb9d2ad8-d391-3eb9-3f64-3e5007880ec3
   created        2024-02-28T20:34:12.049728+00:00 (about 44 seconds ago)
   used from      2024-02-28T20:34:12.049728+00:00 (about 44 seconds ago)
   dn             CN=cb9d2ad8-d391-3eb9-3f64-3e5007880ec3,CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=addom,DC=samba,DC=example,DC=com


douglasb 🔥 /data/samba/samba (douglas-samba-tool-kds-rebase-2)$ bin/samba-tool domain kds root-key create  -s st/ad_dc/etc/smb.conf   --use-start-time=2003-11-22T22:00:00.123 
created root key 6c935a3e-a405-992f-6b14-7d96595e3749, used from 2003-11-22T22:00:00.122998+00:00 (about 7402 days ago)
douglasb 🔥 /data/samba/samba (douglas-samba-tool-kds-rebase-2)$ bin/samba-tool domain kds root-key create  -s st/ad_dc/etc/smb.conf   --use-start-time=2024-11-22T22:00:00+11:00 
created root key f6f26f60-def3-3ab1-a234-9e6ad8e923cc, used from 2024-11-22T11:00:00+00:00 (about 267 days in the FUTURE)
douglasb 🔥 /data/samba/samba (douglas-samba-tool-kds-rebase-2)$ bin/samba-tool domain kds root-key list  -s st/ad_dc/etc/smb.conf  
4 root keys found.

name f6f26f60-def3-3ab1-a234-9e6ad8e923cc
   created        2024-02-28T20:36:39.968696+00:00 (about 8 seconds ago)
   used from      2024-11-22T11:00:00+00:00 (about 267 days in the FUTURE)
   dn             CN=f6f26f60-def3-3ab1-a234-9e6ad8e923cc,CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=addom,DC=samba,DC=example,DC=com


name 4fa6832d-ef85-830a-d0a4-87490ededbf5
   created        2024-02-28T20:34:46.564888+00:00 (about 2 minutes ago)
   used from      2024-02-28T20:34:46.564888+00:00 (about 2 minutes ago)
   dn             CN=4fa6832d-ef85-830a-d0a4-87490ededbf5,CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=addom,DC=samba,DC=example,DC=com


name cb9d2ad8-d391-3eb9-3f64-3e5007880ec3
   created        2024-02-28T20:34:12.049728+00:00 (about 2 minutes ago)
   used from      2024-02-28T20:34:12.049728+00:00 (about 2 minutes ago)
   dn             CN=cb9d2ad8-d391-3eb9-3f64-3e5007880ec3,CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=addom,DC=samba,DC=example,DC=com


name 6c935a3e-a405-992f-6b14-7d96595e3749
   created        2024-02-28T20:36:08.137956+00:00 (about 40 seconds ago)
   used from      2003-11-22T22:00:00.122998+00:00 (about 7402 days ago)
   dn             CN=6c935a3e-a405-992f-6b14-7d96595e3749,CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=addom,DC=samba,DC=example,DC=com


douglasb 🔥 /data/samba/samba (douglas-samba-tool-kds-rebase-2)$ bin/samba-tool domain kds root-key list  -s st/ad_dc/etc/smb.conf  --verbose
4 root keys found.

name f6f26f60-def3-3ab1-a234-9e6ad8e923cc
   created        2024-02-28T20:36:39.968696+00:00 (about 21 seconds ago)
   used from      2024-11-22T11:00:00+00:00 (about 267 days in the FUTURE)
   dn             CN=f6f26f60-def3-3ab1-a234-9e6ad8e923cc,CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=addom,DC=samba,DC=example,DC=com
   cn             f6f26f60-def3-3ab1-a234-9e6ad8e923cc
   whenCreated    20240228203640.0Z
   whenChanged    20240228203640.0Z
   objectGUID     18263f3b-5539-49ef-8bd0-7cdfb966f8c5
   msKds-KDFAlgorithmID SP800_108_CTR_HMAC
   msKds-KDFParam 00000000010000000e000000000000005300480041003500310032000000
   msKds-SecretAgreementAlgorithmID DH
   msKds-PublicKeyLength 2048
   msKds-PrivateKeyLength 512
   msKds-Version  1
   msKds-DomainID CN=ADDC,OU=Domain Controllers,DC=addom,DC=samba,DC=example,DC=com


name 4fa6832d-ef85-830a-d0a4-87490ededbf5
   created        2024-02-28T20:34:46.564888+00:00 (about 2 minutes ago)
   used from      2024-02-28T20:34:46.564888+00:00 (about 2 minutes ago)
   dn             CN=4fa6832d-ef85-830a-d0a4-87490ededbf5,CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=addom,DC=samba,DC=example,DC=com
   cn             4fa6832d-ef85-830a-d0a4-87490ededbf5
   whenCreated    20240228203446.0Z
   whenChanged    20240228203446.0Z
   objectGUID     b06e2b6e-2e7d-4d29-9d9c-f152319fbd03
   msKds-KDFAlgorithmID SP800_108_CTR_HMAC
   msKds-KDFParam 00000000010000000e000000000000005300480041003500310032000000
   msKds-SecretAgreementAlgorithmID DH
   msKds-PublicKeyLength 2048
   msKds-PrivateKeyLength 512
   msKds-Version  1
   msKds-DomainID CN=ADDC,OU=Domain Controllers,DC=addom,DC=samba,DC=example,DC=com


name cb9d2ad8-d391-3eb9-3f64-3e5007880ec3
   created        2024-02-28T20:34:12.049728+00:00 (about 2 minutes ago)
   used from      2024-02-28T20:34:12.049728+00:00 (about 2 minutes ago)
   dn             CN=cb9d2ad8-d391-3eb9-3f64-3e5007880ec3,CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=addom,DC=samba,DC=example,DC=com
   cn             cb9d2ad8-d391-3eb9-3f64-3e5007880ec3
   whenCreated    20240228203412.0Z
   whenChanged    20240228203412.0Z
   objectGUID     509efe34-44ed-4396-962a-aa90178f5621
   msKds-KDFAlgorithmID SP800_108_CTR_HMAC
   msKds-KDFParam 00000000010000000e000000000000005300480041003500310032000000
   msKds-SecretAgreementAlgorithmID DH
   msKds-PublicKeyLength 2048
   msKds-PrivateKeyLength 512
   msKds-Version  1
   msKds-DomainID CN=ADDC,OU=Domain Controllers,DC=addom,DC=samba,DC=example,DC=com


name 6c935a3e-a405-992f-6b14-7d96595e3749
   created        2024-02-28T20:36:08.137956+00:00 (about 53 seconds ago)
   used from      2003-11-22T22:00:00.122998+00:00 (about 7402 days ago)
   dn             CN=6c935a3e-a405-992f-6b14-7d96595e3749,CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=addom,DC=samba,DC=example,DC=com
   cn             6c935a3e-a405-992f-6b14-7d96595e3749
   whenCreated    20240228203608.0Z
   whenChanged    20240228203608.0Z
   objectGUID     873c371b-c34f-49d0-ba37-d189d5ed7893
   msKds-KDFAlgorithmID SP800_108_CTR_HMAC
   msKds-KDFParam 00000000010000000e000000000000005300480041003500310032000000
   msKds-SecretAgreementAlgorithmID DH
   msKds-PublicKeyLength 2048
   msKds-PrivateKeyLength 512
   msKds-Version  1
   msKds-DomainID CN=ADDC,OU=Domain Controllers,DC=addom,DC=samba,DC=example,DC=com


douglasb 🔥 /data/samba/samba (douglas-samba-tool-kds-rebase-2)$ bin/samba-tool domain kds root-key view  -s st/ad_dc/etc/smb.conf  --name 6c935a3e-a405-992f-6b14-7d96595e3749
name 6c935a3e-a405-992f-6b14-7d96595e3749
   created        2024-02-28T20:36:08.137956+00:00 (about 77 seconds ago)
   used from      2003-11-22T22:00:00.122998+00:00 (about 7402 days ago)
   dn             CN=6c935a3e-a405-992f-6b14-7d96595e3749,CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=addom,DC=samba,DC=example,DC=com
   cn             6c935a3e-a405-992f-6b14-7d96595e3749
   whenCreated    20240228203608.0Z
   whenChanged    20240228203608.0Z
   objectGUID     873c371b-c34f-49d0-ba37-d189d5ed7893
   msKds-KDFAlgorithmID SP800_108_CTR_HMAC
   msKds-KDFParam 00000000010000000e000000000000005300480041003500310032000000
   msKds-SecretAgreementAlgorithmID DH
   msKds-PublicKeyLength 2048
   msKds-PrivateKeyLength 512
   msKds-Version  1
   msKds-DomainID CN=ADDC,OU=Domain Controllers,DC=addom,DC=samba,DC=example,DC=com

douglasb 🔥 /data/samba/samba (douglas-samba-tool-kds-rebase-2)$ bin/samba-tool domain kds root-key view  -s st/ad_dc/etc/smb.conf  --latest
name f6f26f60-def3-3ab1-a234-9e6ad8e923cc
   created        2024-02-28T20:36:39.968696+00:00 (about 60 seconds ago)
   used from      2024-11-22T11:00:00+00:00 (about 267 days in the FUTURE)
   dn             CN=f6f26f60-def3-3ab1-a234-9e6ad8e923cc,CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=addom,DC=samba,DC=example,DC=com
   cn             f6f26f60-def3-3ab1-a234-9e6ad8e923cc
   whenCreated    20240228203640.0Z
   whenChanged    20240228203640.0Z
   objectGUID     18263f3b-5539-49ef-8bd0-7cdfb966f8c5
   msKds-KDFAlgorithmID SP800_108_CTR_HMAC
   msKds-KDFParam 00000000010000000e000000000000005300480041003500310032000000
   msKds-SecretAgreementAlgorithmID DH
   msKds-PublicKeyLength 2048
   msKds-PrivateKeyLength 512
   msKds-Version  1
   msKds-DomainID CN=ADDC,OU=Domain Controllers,DC=addom,DC=samba,DC=example,DC=com

douglasb 🔥 /data/samba/samba (douglas-samba-tool-kds-rebase-2)$ bin/samba-tool domain kds root-key view  -s st/ad_dc/etc/smb.conf  --latest --verbose
name f6f26f60-def3-3ab1-a234-9e6ad8e923cc
   created        2024-02-28T20:36:39.968696+00:00 (about 69 seconds ago)
   used from      2024-11-22T11:00:00+00:00 (about 267 days in the FUTURE)
   dn             CN=f6f26f60-def3-3ab1-a234-9e6ad8e923cc,CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=addom,DC=samba,DC=example,DC=com
   objectClass    ['top', 'msKds-ProvRootKey']
   cn             f6f26f60-def3-3ab1-a234-9e6ad8e923cc
   instanceType   4
   whenCreated    20240228203640.0Z
   whenChanged    20240228203640.0Z
   uSNCreated     4233
   uSNChanged     4233
   showInAdvancedViewOnly TRUE
   objectGUID     18263f3b-5539-49ef-8bd0-7cdfb966f8c5
   objectCategory CN=ms-Kds-Prov-RootKey,CN=Schema,CN=Configuration,DC=addom,DC=samba,DC=example,DC=com
   msKds-KDFAlgorithmID SP800_108_CTR_HMAC
   msKds-KDFParam 00000000010000000e000000000000005300480041003500310032000000
   msKds-SecretAgreementAlgorithmID DH
   msKds-PublicKeyLength 2048
   msKds-PrivateKeyLength 512
   msKds-Version  1
   msKds-DomainID CN=ADDC,OU=Domain Controllers,DC=addom,DC=samba,DC=example,DC=com
   distinguishedName CN=f6f26f60-def3-3ab1-a234-9e6ad8e923cc,CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=addom,DC=samba,DC=example,DC=com

douglasb 🔥 /data/samba/samba (douglas-samba-tool-kds-rebase-2)$ bin/samba-tool domain kds root-key view  -s st/ad_dc/etc/smb.conf  --latest --show-secrets
name f6f26f60-def3-3ab1-a234-9e6ad8e923cc
   created        2024-02-28T20:36:39.968696+00:00 (about 75 seconds ago)
   used from      2024-11-22T11:00:00+00:00 (about 267 days in the FUTURE)
   msKds-RootKeyData 606ff2f6f3deb13aa2349e6ad8e923cc184bea8d08c01adffb30689c7d6c1bad2b0d688c939c10803520ac3832c6a7a1f7f8aa4de21f50a9fdb6cd7c7eac718a
   msKds-SecretAgreementParam 0c0200004448504d0001000087a8e61db4b6663cffbbd19c651959998ceef608660dd0f25d2ceed4435e3b00e00df8f1d61957d4faf7df4561b2aa3016c3d91134096faa3bf4296d830e9a7c209e0c6497517abd5a8a9d306bcf67ed91f9e6725b4758c022e0b1ef4275bf7b6c5bfc11d45f9088b941f54eb1e59bb8bc39a0bf12307f5c4fdb70c581b23f76b63acae1caa6b7902d52526735488a0ef13c6d9a51bfa4ab3ad8347796524d8ef6a167b5a41825d967e144e5140564251ccacb83e6b486f6b3ca3f7971506026c0b857f689962856ded4010abd0be621c3a3960a54e710c375f26375d7014103a4b54330c198af126116d2276e11715f693877fad7ef09cadb094ae91e1a15973fb32c9b73134d0b2e77506660edbd484ca7b18f21ef205407f4793a1a0ba12510dbc15077be463fff4fed4aac0bb555be3a6c1b0c6b47b1bc3773bf7e8c6f62901228f8c28cbb18a55ae31341000a650196f931c77a57f2ddf463e5e9ec144b777de62aaab8a8628ac376d282d6ed3864e67982428ebc831d14348f6f2f9193b5045af2767164e1dfc967c1fb3f2e55a4bd1bffe83b9c80d052b985d182ea0adb2a3b7313d3fe14c8484b1e052588b9b7d2bbd2df016199ecd06e1557cd0915b3353bbb64e0ec377fd028370df92b52c7891428cdc67eb6184b523d1db246c32f63078490f00ef8d647d148d47954515e2327cfef98c582664b4c0f6cc41659
   dn             CN=f6f26f60-def3-3ab1-a234-9e6ad8e923cc,CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=addom,DC=samba,DC=example,DC=com
   cn             f6f26f60-def3-3ab1-a234-9e6ad8e923cc
   whenCreated    20240228203640.0Z
   whenChanged    20240228203640.0Z
   objectGUID     18263f3b-5539-49ef-8bd0-7cdfb966f8c5
   msKds-KDFAlgorithmID SP800_108_CTR_HMAC
   msKds-KDFParam 00000000010000000e000000000000005300480041003500310032000000
   msKds-SecretAgreementAlgorithmID DH
   msKds-PublicKeyLength 2048
   msKds-PrivateKeyLength 512
   msKds-Version  1
   msKds-DomainID CN=ADDC,OU=Domain Controllers,DC=addom,DC=samba,DC=example,DC=com

douglasb 🔥 /data/samba/samba (douglas-samba-tool-kds-rebase-2)$ bin/samba-tool domain kds root-key delete  -s st/ad_dc/etc/smb.conf  --name 6c935a3e-a405-992f-6b14-7d96595e3749
deleted root key 6c935a3e-a405-992f-6b14-7d96595e3749
douglasb 🔥 /data/samba/samba (douglas-samba-tool-kds-rebase-2)$ bin/samba-tool domain kds root-key list  -s st/ad_dc/etc/smb.conf  
3 root keys found.

name f6f26f60-def3-3ab1-a234-9e6ad8e923cc
   created        2024-02-28T20:36:39.968696+00:00 (about 96 seconds ago)
   used from      2024-11-22T11:00:00+00:00 (about 267 days in the FUTURE)
   dn             CN=f6f26f60-def3-3ab1-a234-9e6ad8e923cc,CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=addom,DC=samba,DC=example,DC=com


name 4fa6832d-ef85-830a-d0a4-87490ededbf5
   created        2024-02-28T20:34:46.564888+00:00 (about 3 minutes ago)
   used from      2024-02-28T20:34:46.564888+00:00 (about 3 minutes ago)
   dn             CN=4fa6832d-ef85-830a-d0a4-87490ededbf5,CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=addom,DC=samba,DC=example,DC=com


name cb9d2ad8-d391-3eb9-3f64-3e5007880ec3
   created        2024-02-28T20:34:12.049728+00:00 (about 4 minutes ago)
   used from      2024-02-28T20:34:12.049728+00:00 (about 4 minutes ago)
   dn             CN=cb9d2ad8-d391-3eb9-3f64-3e5007880ec3,CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,CN=Configuration,DC=addom,DC=samba,DC=example,DC=com
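The two parameter blobs printed by `root-key view` are opaque hex in the output above; the following is an added example (not part of this MR or of samba-tool) that decodes them using the MS-GKDI layouts for the SP800_108_CTR_HMAC KDF parameters (version, magic, hash-name length, padding, UTF-16LE hash name) and the FFC DH secret-agreement parameters (length, "DHPM" magic, key length, p, g). It uses the msKds-KDFParam value from the page verbatim; the DH blob is a small constructed sample, since the page's real one is 524 bytes (12 + 2 * 256, matching msKds-PublicKeyLength 2048).

```python
"""Decode msKds-KDFParam / msKds-SecretAgreementParam blobs as shown by
samba-tool domain kds root-key view (field layout per MS-GKDI 2.2.1/2.2.2)."""
import struct

# Copied from the `root-key view` output on this page.
KDF_PARAM_HEX = "00000000010000000e000000000000005300480041003500310032000000"


def parse_kdf_param(blob: bytes) -> dict:
    """KDF parameters: version (0), magic (1), hash name length, padding (0),
    then a NUL-terminated UTF-16LE hash name such as SHA512."""
    if len(blob) < 16:
        raise ValueError("KDF parameter blob too short")
    version, magic, name_len, padding = struct.unpack_from("<IIII", blob, 0)
    if version != 0 or magic != 1 or padding != 0:
        raise ValueError("unexpected KDF parameter header")
    name = blob[16:16 + name_len]
    if len(name) != name_len:
        raise ValueError("truncated hash name")
    return {"version": version, "hash": name.decode("utf-16-le").rstrip("\x00")}


def parse_dh_param(blob: bytes) -> dict:
    """FFC DH parameters: total length, magic b'DHPM', key length in bytes,
    then p and g, each key_len bytes, big-endian."""
    if len(blob) < 12:
        raise ValueError("DH parameter blob too short")
    length, magic, key_len = struct.unpack_from("<I4sI", blob, 0)
    if magic != b"DHPM" or length != len(blob) or length != 12 + 2 * key_len:
        raise ValueError("bad DH parameter header")
    p = int.from_bytes(blob[12:12 + key_len], "big")
    g = int.from_bytes(blob[12 + key_len:12 + 2 * key_len], "big")
    return {"key_len": key_len, "p": p, "g": g}


def build_dh_param(p: int, g: int, key_len: int) -> bytes:
    """Inverse of parse_dh_param; used here only to construct a sample blob."""
    body = p.to_bytes(key_len, "big") + g.to_bytes(key_len, "big")
    return struct.pack("<I4sI", 12 + len(body), b"DHPM", key_len) + body


if __name__ == "__main__":
    print(parse_kdf_param(bytes.fromhex(KDF_PARAM_HEX)))
    # Constructed toy parameters (128-bit), not a real KDS group.
    sample = build_dh_param(p=(1 << 127) - 1, g=2, key_len=16)
    print(parse_dh_param(sample))
```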

Checklist

  • Commits have Signed-off-by: with name/author being identical to the commit author
  • (optional) This MR is just one part towards a larger feature.
  • (optional, if backport required) Bugzilla bug filed and BUG: tag added
  • Test suite updated with functionality tests
  • Test suite updated with negative tests
  • Documentation updated
  • CI timeout is 3h or higher (see Settings/CICD/General pipelines/ Timeout)

Reviewer's checklist:

  • There is a test suite reasonably covering new functionality or modifications
  • Function naming, parameters, return values, types, etc., are consistent and according to README.Coding.md
  • This feature/change has adequate documentation added
  • No obvious mistakes in the code
