<manvolnum>8</manvolnum>
<refmiscinfo class="source">Samba</refmiscinfo>
<refmiscinfo class="manual">System Administration tools</refmiscinfo>
- <refmiscinfo class="version">4.1</refmiscinfo>
+ <refmiscinfo class="version">&doc.version;</refmiscinfo>
</refmeta>
</varlistentry>
&stdarg.netbios.name;
- &stdarg.configfile;
<varlistentry>
<term>-S|--server server</term>
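Review bot: the removal of `&stdarg.configfile;` from the OPTIONS list has no replacement in the lines shown here. If the configuration file option is now documented through the `&popt.common.samba.client;` entity that the list already includes further down, say so in the commit message. Otherwise the option silently disappears from the manual page.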
<term>--single-obj-repl</term>
<listitem><para>
When calling "net rpc vampire keytab" this option
- allows to replicate just a single object to the generated keytab file.
+ allows one to replicate just a single object to the generated keytab file.
</para></listitem>
</varlistentry>
<term>--clean-old-entries</term>
<listitem><para>
When calling "net rpc vampire keytab" this option
- allows to cleanup old entries from the generated keytab file.
+ allows one to cleanup old entries from the generated keytab file.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-X|--exclude DIRECTORY</term>
- <listitem><para>Allows to exclude directories when copying with "net rpc share migrate".
+ <listitem><para>Allows one to exclude directories when copying with "net rpc share migrate".
</para></listitem>
</varlistentry>
<varlistentry>
<term>--wipe</term>
- <listitem><para>Createa a new database from scratch
+ <listitem><para>Create a new database from scratch
(used in "net registry check").
</para></listitem>
</varlistentry>
</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term>--no-dns-updates</term>
+ <listitem><para>Do not perform DNS updates as part of
+ "net ads join".
+ </para></listitem>
+ </varlistentry>
+
&stdarg.encrypt;
&popt.common.samba.client;
</refsect2>
<refsect2>
-<title>[RPC|ADS] JOIN [TYPE] [-U username[%password]] [createupn=UPN]
-[createcomputer=OU] [machinepass=PASS] [osName=string osVer=string] [options]</title>
+<title>[RPC|ADS] JOIN [TYPE] [--no-dns-updates] [-U username[%password]]
+[createupn=UPN] [createcomputer=OU] [machinepass=PASS]
+[osName=string osVer=string] [options]</title>
<para>
Join a domain. If the account already exists on the server, and
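Review bot: the new synopsis in the title puts `[--no-dns-updates]` under `[RPC|ADS] JOIN`, but the option text added earlier in this patch describes it only for "net ads join". Either state in the option description that the flag has no effect for an RPC join, or mention the flag in the JOIN paragraph where the ADS-specific behaviour is described, so the title does not suggest it applies to both.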
<refsect2>
<title>RPC GETSID</title>
-<para>Fetch domain SID and store it in the local <filename>secrets.tdb</filename> (or <filename>secrets.ntdb</filename>). </para>
+<para>Fetch domain SID and store it in the local <filename>secrets.tdb</filename>. </para>
</refsect2>
</refsect2>
+<refsect2>
+<title>ADS KEYTAB <replaceable>CREATE</replaceable></title>
+
+<para>
+Creates a new keytab file if one doesn't exist with default entries. Default
+entries are kerberos principals created from the machinename of the
+client, the UPN (if it exists) and any Windows SPN(s) associated with the
+computer AD account for the client. If a keytab file already exists then only
+missing kerberos principals from the default entries are added. No changes
+are made to the computer AD account.
+</para>
+</refsect2>
+
+<refsect2>
+<title>ADS KEYTAB <replaceable>ADD</replaceable> <replaceable>(principal | machine | serviceclass | windows SPN</replaceable></title>
+
+<para>
+Adds a new keytab entry, the entry can be either;
+ <variablelist>
+ <varlistentry><term>kerberos principal</term>
+ <listitem><para>
+ A kerberos principal (identified by the presence of '@') is just
+ added to the keytab file.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry><term>machinename</term>
+ <listitem><para>
+ A machinename (identified by the trailing '$') is used to create a
+ a kerberos principal 'machinename@realm' which is added to the
+ keytab file.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry><term>serviceclass</term>
+ <listitem><para>
+ A serviceclass (such as 'cifs', 'html' etc.) is used to create a pair
+ of kerberos principals 'serviceclass/fully_qualified_dns_name@realm' &
+ 'serviceclass/netbios_name@realm' which are added to the keytab file.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry><term>Windows SPN</term>
+ <listitem><para>
+ A Windows SPN is of the format 'serviceclass/host:port', it is used to
+ create a kerberos principal 'serviceclass/host@realm' which will
+ be written to the keytab file.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</para>
+<para>
+Unlike old versions no computer AD objects are modified by this command. To
+preserve the bevhaviour of older clients 'net ads keytab ad_update_ads' is
+available.
+</para>
+</refsect2>
+
+<refsect2>
+<title>ADS KEYTAB <replaceable>ADD_UPDATE_ADS</replaceable> <replaceable>(principal | machine | serviceclass | windows SPN</replaceable></title>
+
+<para>
+Adds a new keytab entry (see section for net ads keytab add). In addition to
+adding entries to the keytab file corrosponding Windows SPNs are created
+from the entry passed to this command. These SPN(s) added to the AD computer
+account object associated with the client machine running this command for
+the following entry types;
+ <variablelist>
+ <varlistentry><term>serviceclass</term>
+ <listitem><para>
+ A serviceclass (such as 'cifs', 'html' etc.) is used to create a
+ pair of Windows SPN(s) 'param/full_qualified_dns' &
+ 'param/netbios_name' which are added to the AD computer account object
+ for this client.
+ </para></listitem>
+ </varlistentry>
+ <varlistentry><term>Windows SPN</term>
+ <listitem><para>
+ A Windows SPN is of the format 'serviceclass/host:port', it is
+ added as passed to the AD computer account object for this client.
+ </para></listitem>
+ </varlistentry>
+ </variablelist>
+</para>
+</refsect2>
+
<refsect2>
<title>ADS WORKGROUP</title>
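Review bot: the closing paragraph of the ADS KEYTAB ADD section points readers to 'net ads keytab ad_update_ads', which does not match the subcommand documented in the very next section (ADD_UPDATE_ADS); it should read 'net ads keytab add_update_ads'. While touching these sections: both titles open a parenthesis at "(principal | machine | serviceclass | windows SPN" and never close it; "bevhaviour", "corrosponding" and "a a kerberos principal" are typos; "These SPN(s) added to the AD computer account" is missing "are"; and the ADD_UPDATE_ADS text uses 'param/full_qualified_dns' where the ADD section uses 'serviceclass/fully_qualified_dns_name' for the same thing. The machinename entry says the input is identified by a trailing '$' but shows the result as 'machinename@realm', so it is unclear whether the '$' is kept in the principal; please make that explicit.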
</refsect2>
+<refsect2>
+ <title>ADS ENCTYPES</title>
+
+<para>
+ List, modify or delete the value of the "msDS-SupportedEncryptionTypes" attribute of an account in AD.
+</para>
+
+<para>
+ This attribute allows one to control which Kerberos encryption types are used for the generation of initial and service tickets. The value consists of an integer bitmask with the following values:
+</para>
+
+<para>0x00000001 DES-CBC-CRC</para>
+<para>0x00000002 DES-CBC-MD5</para>
+<para>0x00000004 RC4-HMAC</para>
+<para>0x00000008 AES128-CTS-HMAC-SHA1-96</para>
+<para>0x00000010 AES256-CTS-HMAC-SHA1-96</para>
+
+</refsect2>
+
+<refsect2>
+ <title>ADS ENCTYPES LIST <replaceable><ACCOUNTNAME></replaceable></title>
+
+<para>
+ List the value of the "msDS-SupportedEncryptionTypes" attribute of a given account.
+</para>
+
+<para>Example: <userinput>net ads enctypes list Computername</userinput></para>
+
+</refsect2>
+
+<refsect2>
+ <title>ADS ENCTYPES SET <replaceable><ACCOUNTNAME></replaceable> <replaceable>[enctypes]</replaceable></title>
+
+<para>
+ Set the value of the "msDS-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME to a given value. If the value is omitted, the value is set to 31 which enables all the currently supported encryption types.
+</para>
+
+<para>Example: <userinput>net ads enctypes set Computername 24</userinput></para>
+
+</refsect2>
+
+<refsect2>
+ <title>ADS ENCTYPES DELETE <replaceable><ACCOUNTNAME></replaceable></title>
+
+<para>
+ Deletes the "msDS-SupportedEncryptionTypes" attribute of the LDAP object of ACCOUNTNAME.
+</para>
+
+<para>Example: <userinput>net ads enctypes set Computername 24</userinput></para>
+
+</refsect2>
+
+
<refsect2>
<title>SAM CREATEBUILTINGROUP <NAME></title>
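Review bot: the example under ADS ENCTYPES DELETE is a copy of the SET example ("net ads enctypes set Computername 24"); it should show the delete subcommand, i.e. "net ads enctypes delete Computername". In the SET section, the text says an omitted value defaults to 31, which by the bitmask table above includes DES-CBC-CRC, DES-CBC-MD5 and RC4-HMAC, while the example uses 24. It would help to state that 24 is 0x08 | 0x10 (the two AES types only), since the table is in hex and the examples are in decimal, and to say explicitly that the default of 31 also turns on the DES and RC4 bits.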
</refsect2>
+<refsect2>
+ <title>TDB</title>
+
+ <para>Print information from tdb records.</para>
+
+ <refsect3>
+ <title>TDB LOCKING <replaceable>key</replaceable> [DUMP]</title>
+
+ <para>List sharename, filename and number of share modes
+ for a record from locking.tdb. With the optional DUMP options,
+ dump the complete record.</para>
+
+ <itemizedlist>
+ <listitem>
+ <para><replaceable>KEY</replaceable>
+ Key of the tdb record as hex string.</para>
+ </listitem>
+ </itemizedlist>
+
+ </refsect3>
+</refsect2>
+
<refsect2>
<title>HELP [COMMAND]</title>
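Review bot: in the TDB LOCKING paragraph, "With the optional DUMP options" should be "option", and the title writes the argument as lowercase <replaceable>key</replaceable> while the item list below calls it KEY; pick one. Unlike the ENCTYPES sections added in the same patch, this section has no example line, and a short one showing the expected form of the hex key would make "Key of the tdb record as hex string" usable.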