samba 4 TP3 and Windows SSPI

Joshua Masiko geniedren at
Thu Nov 9 14:33:10 GMT 2006

DsWriteAccountSpn allows you to de-couple the way the client connects from
the account the server is running under

it basically maps a service principal name to the server account such that
in InitializeSecurityContext the client can specify the SPN as the target
without knowing the account under which the server is running. Details are
on MSDN online.

Which brings me to another problem.
When running the server under any domain account other than
localsystem(e.gjoshua) InitializeSecurityContext fails. A look at the
Samba log shows
Kerberos: Principal may not act as server -- joshua at YOUR.REALM

Runnning the server under the localsystem account works since it uses the
machine account and one can use DOMAIN\machinename$ as the target in

On 11/9/06, Andrew Bartlett <abartlet at> wrote:
> On Wed, 2006-11-08 at 17:56 +0300, Joshua Masiko wrote:
> > Using DsWriteAccountSpn on a domain account fails. Samba verbose log
> says:
> >
> > dcerpc fault in call drsuapi:0d DCERPC_FAULT_OP_RNG_ERROR.
> >
> > Does that mean it's not implemented
> Yes, it means it's not implemented.  I'm happy to look at implementing
> it however.
> Andrew Bartlett
> --
> Andrew Bartlett                      
> Authentication Developer, Samba Team 
> Samba Developer, Red Hat Inc.        

More information about the samba-technical mailing list