question about service principals (samba4)

Natxo Asenjo natxo.asenjo at gmail.com
Thu Sep 23 01:49:10 MDT 2010


On Thu, Sep 23, 2010 at 8:00 AM, Love Hörnquist Åstrand <lha at kth.se> wrote:
>
> 22 sep 2010 kl. 17:27 skrev Andrew Bartlett:
>
>>> Something is broken for me then.  If I 'kinit FOO$' I get a password error
>>> (since it's a randomly generated key), but if I 'kinit host/foo' I get the error
>>> that host/foo at REALM is not found in the database.
>>
>> An error from the client, or from the server?   In any case, I'm not
>> sure if we allow kinit on SPNs.
>
> msft doesn't, I don't remember if host/hostname.fqdn is an SPN or not though.

Apparently it gets set, from netsetup.log (written during unattended
installations of Windows machines):

/17 23:55:42 NetpValidateName: checking to see if 'DOMAIN' is valid as
type 3 name
08/17 23:55:42 NetpCheckDomainNameIsValid [ Exists ] for 'DOMAIN' returned 0x0
08/17 23:55:42 NetpValidateName: name 'DOMAIN' is valid for type 3
08/17 23:55:42 NetpDsGetDcName: trying to find DC in domain 'DOMAIN',
flags: 0x1020
08/17 23:55:57 NetpDsGetDcName: failed to find a DC having account
'host$': 0x525
08/17 23:55:57 NetpDsGetDcName: found DC '\\domaincontroller' in the
specified domain
08/17 23:55:57 NetpJoinDomain: status of connecting to dc
'\\domaincontroller': 0x0
08/17 23:55:57 NetpGetLsaPrimaryDomain: status: 0x0
08/17 23:55:57 NetpGetDnsHostName: Read NV Hostname: host
08/17 23:55:57 NetpGetDnsHostName: PrimaryDnsSuffix defaulted to DNS
domain name: domain.tld
08/17 23:55:57 NetpLsaOpenSecret: status: 0xc0000034
08/17 23:55:57 NetpGetComputerObjectDn: Cracking account name
DOMAIN\host$ on \\domaincontroller
08/17 23:55:57 NetpGetComputerObjectDn: Crack results: 	Account does not exist
08/17 23:55:57 NetpGetComputerObjectDn: Got DN
CN=host,ou=unattended,ou=hardware,dc=domain,dc=tld from the passed OU
08/17 23:55:57 NetpModifyComputerObjectInDs: Initial attribute values:
08/17 23:55:57 		objectClass  =  Computer
08/17 23:55:57 		SamAccountName  =  host$
08/17 23:55:57 		userAccountControl  =  4096
08/17 23:55:57 		DnsHostName  =  host.domain.tld
08/17 23:55:57 		ServicePrincipalName  =  HOST/host.domain.tld  HOST/host
08/17 23:55:57 NetpModifyComputerObjectInDs: Computer Object does not
exist in OU
08/17 23:55:57 NetpModifyComputerObjectInDs: Attribute values to set:
08/17 23:55:57 		objectClass  =  Computer
08/17 23:55:57 		SamAccountName  =  host$
08/17 23:55:57 		userAccountControl  =  4096
08/17 23:55:57 		DnsHostName  =  host.domain.tld
08/17 23:55:57 		ServicePrincipalName  =  HOST/host.domain.tld  HOST/host
08/17 23:55:57 NetpModifyComputerObjectInDs: Toggled
UserAccountControl successfully

-- 
natxo
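Added example, not part of the original thread: a small Python parser for the "Attribute values to set" block of netsetup.log shown above, returning the SPNs the join wrote and checking that both HOST/<fqdn> and HOST/<shortname> are registered for the DnsHostName (the check to run when `kinit host/foo` reports the principal is missing). The sample log lines are constructed from the excerpt, with placeholder hostnames.

```python
import re
from typing import Dict, List

# Constructed sample mirroring the netsetup.log excerpt in the post;
# "host", "domain.tld" and the timestamps are placeholders.
SAMPLE_LOG = """\
08/17 23:55:57 NetpModifyComputerObjectInDs: Attribute values to set:
08/17 23:55:57 \t\tobjectClass  =  Computer
08/17 23:55:57 \t\tSamAccountName  =  host$
08/17 23:55:57 \t\tuserAccountControl  =  4096
08/17 23:55:57 \t\tDnsHostName  =  host.domain.tld
08/17 23:55:57 \t\tServicePrincipalName  =  HOST/host.domain.tld  HOST/host
08/17 23:55:57 NetpModifyComputerObjectInDs: Toggled
"""

# "MM/DD HH:MM:SS <tabs>Name  =  value" as netsetup.log writes attribute lines
ATTR_RE = re.compile(r"^\d\d/\d\d \d\d:\d\d:\d\d\s+(\w+)\s+=\s+(.*?)\s*$")


def parse_attributes(log: str) -> Dict[str, List[str]]:
    """Collect the indented 'Name  =  value' lines that follow
    'Attribute values to set:'. Multi-valued attributes such as
    ServicePrincipalName are whitespace-separated, so each value
    becomes a list."""
    attrs: Dict[str, List[str]] = {}
    collecting = False
    for line in log.splitlines():
        if "Attribute values to set:" in line:
            collecting = True
            continue
        m = ATTR_RE.match(line)
        if collecting and m:
            attrs[m.group(1)] = m.group(2).split()
        elif collecting:
            break  # first non-attribute line ends the block
    return attrs


def expected_host_spns(dns_host_name: str) -> List[str]:
    """The join writes HOST/<fqdn> and HOST/<shortname> for the machine."""
    short = dns_host_name.split(".")[0]
    return [f"HOST/{dns_host_name}", f"HOST/{short}"]


def missing_host_spns(attrs: Dict[str, List[str]]) -> List[str]:
    """Return expected HOST/ SPNs absent from the account (case-insensitive)."""
    dns = attrs["DnsHostName"][0]
    have = {s.upper() for s in attrs.get("ServicePrincipalName", [])}
    return [s for s in expected_host_spns(dns) if s.upper() not in have]
```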


More information about the samba-technical mailing list