PATCH: adjust 'net ads add keytab' for windows SPN(s) & add new 'net ads setspn' subcommand

Stefan Metzmacher metze at
Fri Feb 2 13:03:55 UTC 2018

Hi Noel,

> c) 'net ads keytab add param' is passed a service (e.g. nfs, http etc.)
>    In this scenario the param containing the service is first converted
>    into 2 Kerberos principals (long and short forms) according to the
>    following recipe
>       i) long form:  'param/fully_qualified_dns@realm'
>      ii) short form: 'param/netbios_name@realm'
>      where 'fully_qualified_dns' is retrieved from the 'dNSHostName' attribute of
>      'this' machine's computer account on the AD.
>      The principals are written to the keytab file
>    Secondly 2 Windows SPNs are generated from 'param' as follows
>       i) long form 'param/fully_qualified_dns'
>      ii) short form 'param/netbios_name'
>    These SPNs are written to the AD computer account object

I haven't looked at the patches, but the above caught my attention.

Does 'net ads keytab add' modify any AD objects today?

If not, I think it should stay that way. It's not obvious
that this command would change anything but the keytab file.

Maybe an optional option like --also-update-ad-account
could trigger changes in AD, but it should not be the default.


More information about the samba-technical mailing list