List: samba
Subject: [Samba] spn on joined vs. unjoined computer account
From: Kees van Vloten via samba <samba () lists ! samba ! org>
Date: 2022-01-28 12:59:22
Message-ID: 83f00ee1-539c-9579-ece0-b2a80d0fbe63 () gmail ! com
Hi Team,
Recently I was pointed by Rowland at the spnmapping which assigns a lot
of SPNs to a computer account by default.
(I am using Samba 4.15.3 (from Louis' repo) on Bullseye)
When trying to export the keytab for http on a computer account with a
machine that has joined the domain, the export works fine. However, on an
account where the machine has not joined, the keytab is not exported and
samba-tool just returns with rc=0.
With loglevel on 8 there is a clear difference in the output though:
samba-tool domain exportkeytab -d 8
--principal=http/joined-comp.samdom.com ~/spn_joined-comp_apache_http.keytab
<lot of lines>
schema_fsmo_init: we are master[yes] updates allowed[no]
gendb_search_v: DC=samdom,DC=com NULL -> 1
gendb_search_v: DC=samdom,DC=com NULL -> 1
Export one principal to
/var/lib/ansible-admin/ansible/cache/samba_ad_dc/spn_joined-comp_apache_http.keytab
gendb_search_v: DC=samdom,DC=com NULL -> 1
sdb_kt_copy: smb_krb5_kt_add_entry for enctype=0x0012
../../lib/krb5_wrap/krb5_samba.c:1878: adding keytab entry for
(http/joined-comp.samdom.com@SAMDOM.COM) with encryption type (18) and
version (3)
sdb_kt_copy: smb_krb5_kt_add_entry for enctype=0x0017
../../lib/krb5_wrap/krb5_samba.c:1638: Will try to delete old keytab entries
../../lib/krb5_wrap/krb5_samba.c:1716: Saving entry with kvno [3]
enctype [18] for principal: http/joined-comp.samdom.com@SAMDOM.COM.
../../lib/krb5_wrap/krb5_samba.c:1878: adding keytab entry for
(http/joined-comp.samdom.com@SAMDOM.COM) with encryption type (23) and
version (3)
echo $?
0
samba-tool domain exportkeytab -d 8
--principal=http/nojoined-comp.samdom.com
~/spn_nojoined-comp_apache_http.keytab
<lot of lines>
schema_fsmo_init: we are master[yes] updates allowed[no]
gendb_search_v: DC=samdom,DC=com NULL -> 1
gendb_search_v: DC=samdom,DC=com NULL -> 1
Export one principal to
/var/lib/ansible-admin/ansible/cache/samba_ad_dc/spn_nojoined-comp_apache_http.keytab
gendb_search_v: DC=samdom,DC=com NULL -> 1
echo $?
0
Is it possible to get the export for the http SPN for the account
'nojoined-comp$'?
Or shall I create a separate user account and put the http SPN on that
for the unjoined situation? I have tried this, but it fails with an SPN
conflict when the machine is joined (which is correct due to the default
spn-mapping).
- Kees
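As an added example (not from the original post and not Samba's own code) of the check this situation calls for: samba-tool returned rc=0 in both runs above, so the exit status alone does not tell you whether a keytab containing the expected principal was actually written. The script below parses the MIT keytab format (version 0x0502) that samba-tool writes and reports which of the expected encryption types (18 and 23 in the -d 8 output above) are absent for a given principal. The sample keytabs and filler keys are constructed here, and the assumption that an export with no entries leaves either a header-only file or no file at all is the example's, not something the post states.

```python
"""Verify that a keytab really holds the principal you asked samba-tool to
export.  Added example, not from the original post or from Samba."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Sequence

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab file format version 2, big-endian
NT_PRINCIPAL = 1             # name_type written for ordinary principals

# Encryption type numbers as they appear in the -d 8 output above.
AES256_CTS_HMAC_SHA1_96 = 18
ARCFOUR_HMAC = 23


@dataclass
class KeytabEntry:
    principal: str   # "service/host@REALM"
    kvno: int
    enctype: int
    key: bytes


def _counted(b: bytes) -> bytes:
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _take(data: bytes, pos: int):
    """Read a counted_octet_string at pos; return (bytes, new_pos)."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def build_keytab(entries: Sequence[KeytabEntry]) -> bytes:
    """Serialise entries in keytab v2 layout.  Used here only to construct
    sample input; a real file comes from `samba-tool domain exportkeytab`."""
    out = bytearray(KEYTAB_MAGIC)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        # name_type, timestamp (0 in this constructed sample), 8-bit kvno
        body += struct.pack(">IIB", NT_PRINCIPAL, 0, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)  # 32-bit kvno, wins when non-zero
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def read_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a v2 keytab into entries, skipping deleted (negative-size) slots."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab (expected 05 02 header)")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # hole left by a deleted entry
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _take(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _take(data, pos)
            comps.append(c.decode())
        pos += 8                # name_type + timestamp, not needed here
        vno8 = data[pos]
        pos += 1
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:      # optional 32-bit kvno at the end of the entry
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   kvno, enctype, key))
    return entries


def missing_enctypes(data: Optional[bytes], principal: str,
                     required: Sequence[int] = (AES256_CTS_HMAC_SHA1_96,
                                                ARCFOUR_HMAC)) -> List[int]:
    """Enctypes in `required` that `principal` lacks; empty list == usable
    export.  Pass data=None when samba-tool left no file behind."""
    if data is None:
        return list(required)
    present = {e.enctype for e in read_keytab(data) if e.principal == principal}
    return [t for t in required if t not in present]


if __name__ == "__main__":
    # Constructed samples: the keys are filler, never real secrets.
    joined = "http/joined-comp.samdom.com@SAMDOM.COM"
    unjoined = "http/nojoined-comp.samdom.com@SAMDOM.COM"
    good = build_keytab([KeytabEntry(joined, 3, AES256_CTS_HMAC_SHA1_96, bytes(32)),
                         KeytabEntry(joined, 3, ARCFOUR_HMAC, bytes(16))])
    empty = bytes(KEYTAB_MAGIC)  # assumption: a no-entry export is header only
    for principal, blob in ((joined, good), (unjoined, empty)):
        gap = missing_enctypes(blob, principal)
        print(principal, "OK" if not gap else f"missing enctypes {gap}")
```

To check a real export, pass `open(path, "rb").read()` (or `None` if the file was never created) and treat a non-empty result as a failed export regardless of samba-tool's exit status; `klist -ke <file>` gives the same information interactively.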