[PATCH] Patch for bug 1703

Ralph Boehme slow at samba.org
Tue May 3 13:31:35 UTC 2016


On Mon, May 02, 2016 at 09:57:45AM -0700, Richard Sharpe wrote:
> On Mon, May 2, 2016 at 8:50 AM, Ralph Boehme <slow at samba.org> wrote:
> > Hi!
> >
> > Attached is a patch to fix bug 1703:
> >
> > s3:libnet:libnet_join: add netbios aliases as SPNs
> >
> > Add all listed smb.conf netbios aliases as SPNs to the machine account:
> >
> >   HOST/NETBIOS_ALIAS@REALM
> >
> > and
> >
> >   HOST/netbios_alias.dnsdomain.name@REALM
> >
> > I wasn't entirely sure where to pull the DNS name info from, but
> > decided against calling getaddrinfo() on the netbios alias via
> > name_to_fqdn(), but instead just pick up the DNS domain name from
> > r->out.dns_domain_name.
> >
> > Please review and push if ok, thanks!
> 
> I notice that the bug also mentions net ads updatejoin or some such,
> which no longer exists.
> 
> Recent tests indicate that if you modify the machine account at join
> time to change the SD to allow modifying the servicePrincipalName
> attribute, you can update SPNs using -P ...

??

With a fresh machine account, default SD, domain admins have write
access:

slow@samba-member1:~/samba/master$ cat test.ldif
dn: CN=SAMBA-MEMBER1,CN=Computers,DC=win2008r2,DC=site
changetype: modify
add: servicePrincipalName
servicePrincipalName: hi/richard

slow@samba-member1:~/samba/master$ ./bin/ldbmodify -H ldap://10.10.11.200/ -UAdministrator test.ldif
Password for [WIN2008R2\Administrator]:
Modified 1 records successfully

slow@samba-member1:~/samba/master$ ./bin/ldbsearch -H ldap://10.10.11.200/ -UAdministrator CN=SAMBA-MEMBER1 servicePrincipalName
Password for [WIN2008R2\Administrator]:
# record 1
dn: CN=SAMBA-MEMBER1,CN=Computers,DC=win2008r2,DC=site
servicePrincipalName: hi/richard
servicePrincipalName: foo/SAMBA-MEMBER1
servicePrincipalName: HOST/SAMBA-MEMBER1

Cheerio!
-slow
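An added example, not code from the patch or from the Samba project, showing how the two SPN forms the patch description lists (HOST/NETBIOS_ALIAS and HOST/netbios_alias.dnsdomain.name) can be derived for each netbios alias and written out as an LDIF modify record of the shape shown above, skipping values the account already carries. It assumes the attribute stores the realm-less form, as the ldbsearch output shows; the function names, sample aliases and existing values are constructed.

```python
# Added example (not from the patch or the Samba tree). Builds the
# servicePrincipalName values for smb.conf netbios aliases and emits an
# LDIF "changetype: modify" record like test.ldif in the mail, adding only
# values not already present. Assumes the attribute holds HOST/NAME without
# the realm (as the ldbsearch output shows); the realm forms the principal.

def spn_values_for_alias(alias, dns_domain):
    """servicePrincipalName values for one alias: the short netbios form
    (upper-case) and the DNS form alias.dnsdomain (lower-case)."""
    alias = alias.strip()
    return [
        "HOST/%s" % alias.upper(),
        "HOST/%s.%s" % (alias.lower(), dns_domain.lower()),
    ]


def principal_name(spn, realm):
    """Kerberos principal for an SPN value, e.g. HOST/NAME@REALM."""
    return "%s@%s" % (spn, realm.upper())


def missing_spns(aliases, dns_domain, existing):
    """Values to add, skipping ones already present (SPN comparison is
    case-insensitive in AD, so compare case-folded)."""
    have = {v.lower() for v in existing}
    out = []
    for alias in aliases:
        for spn in spn_values_for_alias(alias, dns_domain):
            if spn.lower() not in have:
                out.append(spn)
                have.add(spn.lower())
    return out


def ldif_add_spns(dn, spns):
    """LDIF changetype: modify record adding the given SPN values."""
    if not spns:
        return ""
    lines = ["dn: %s" % dn, "changetype: modify", "add: servicePrincipalName"]
    lines += ["servicePrincipalName: %s" % s for s in spns]
    return "\n".join(lines) + "\n-\n"


if __name__ == "__main__":
    # Constructed sample: aliases from smb.conf and SPNs already on the account.
    dn = "CN=SAMBA-MEMBER1,CN=Computers,DC=win2008r2,DC=site"
    existing = ["HOST/SAMBA-MEMBER1", "HOST/samba-member1.win2008r2.site"]
    new = missing_spns(["fileserver", "printsrv"], "win2008r2.site", existing)
    print(ldif_add_spns(dn, new))
```

The printed record can be fed to ldbmodify exactly like test.ldif above; an empty string means every alias already has its SPNs.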