Blame SOURCES/0001-doc-extend-user-principal-section.patch

deab74
From d6d1ce2f8b1c81903115b018973c61fc71235b7b Mon Sep 17 00:00:00 2001
deab74
From: Sumit Bose <sbose@redhat.com>
deab74
Date: Fri, 29 Nov 2019 18:10:03 +0100
deab74
Subject: [PATCH] doc: extend user-principal section
deab74
deab74
Related to https://bugzilla.redhat.com/show_bug.cgi?id=1643814
deab74
---
deab74
 doc/manual/realm.xml       | 21 +++++++++++++++++++--
deab74
 doc/manual/realmd.conf.xml | 15 ++++++++++-----
deab74
 2 files changed, 29 insertions(+), 7 deletions(-)
deab74
deab74
diff --git a/doc/manual/realm.xml b/doc/manual/realm.xml
deab74
index 7b73331..55a7640 100644
deab74
--- a/doc/manual/realm.xml
deab74
+++ b/doc/manual/realm.xml
deab74
@@ -254,10 +254,27 @@ $ realm join --user=admin --computer-ou=OU=Special domain.example.com
deab74
 		</varlistentry>
deab74
 		<varlistentry>
deab74
 			<term><option>--user-principal=<parameter>host/name@REALM</parameter></option></term>
deab74
-			<listitem><para>Set the userPrincipalName field of the
deab74
+			<listitem><para>Set the
deab74
+			<option>userPrincipalName</option> field of the
deab74
 			computer account to this kerberos principal. If you omit
deab74
 			the value for this option, then a principal will be set
deab74
-			in the form of <literal>host/shortname@REALM</literal></para></listitem>
deab74
+			based on the defaults of the membership software.</para>
deab74
+			<para>AD makes a distinction between user and service
deab74
+			principals. Only with user principals you can request a
deab74
+			Kerberos Ticket-Granting-Ticket (TGT), i.e. only user
deab74
+			principals can be used with the <command>kinit</command>
deab74
+			command. By default the user principal and the canonical
deab74
+			principal name of an AD computer account is
deab74
+			shortname$@AD.DOMAIN, where shortname is
deab74
+			the NetBIOS name which is limited to 15 characters.</para>
deab74
+			<para>If there are applications which are not aware of
deab74
+			the AD default and are using a hard-coded default
deab74
+			principal the <option>--user-principal</option> can be
deab74
+			used to make AD aware of this principal. Please note
deab74
+			that <option>userPrincipalName</option> is a single
deab74
+			value LDAP attribute, i.e. only one alternative user
deab74
+			principal besides the AD default user principal can be
deab74
+			set.</para></listitem>
deab74
 		</varlistentry>
deab74
 	</variablelist>
deab74
 
deab74
diff --git a/doc/manual/realmd.conf.xml b/doc/manual/realmd.conf.xml
deab74
index f0b0879..a26a60c 100644
deab74
--- a/doc/manual/realmd.conf.xml
deab74
+++ b/doc/manual/realmd.conf.xml
deab74
@@ -365,12 +365,17 @@ computer-name = SERVER01
deab74
 	</listitem>
deab74
 	</varlistentry>
deab74
 	<varlistentry>
deab74
-	<term><option>user-prinicpal</option></term>
deab74
+	<term><option>user-principal</option></term>
deab74
 	<listitem>
deab74
-		<para>Set the <option>user-prinicpal</option> to yes
deab74
-		to create <option>userPrincipalName</option> attributes for the
deab74
-		computer account in the realm, in the form
deab74
-		host/computer@REALM</para>
deab74
+		<para>Set the <option>user-principal</option> to yes
deab74
+		to create <option>userPrincipalName</option> attribute for the
deab74
+		computer accounts in the realm. The exact value depends on the
deab74
+		defaults of the used membership software. To have full control
deab74
+		over the value please use the
deab74
+		<option>--user-principal</option> option of the
deab74
+		<command>realm</command> command, see
deab74
+		<citerefentry><refentrytitle>realm</refentrytitle>
deab74
+		<manvolnum>8</manvolnum></citerefentry> for details.</para>
deab74
 
deab74
 		<informalexample>
deab74
 <programlisting language="js">
deab74
-- 
deab74
2.21.0
deab74