[Samba] net ads keytab add has no visible effects

Max Ober max at mober.at
Sun Feb 26 16:13:28 UTC 2017


> > Okay ... looks like this time it worked as expected in the first try.
> 
> You sure about that ?
> You used samba-tool to add the SPN with 'NFS', yet the SPN's are shown
> with 'nfs'.
> This could just be down to using 'net' to create the keytab, try
> 'samba-tool domain exportkeytab /etc/krb5.keytab' instead

Since AD comes from the Win-World I thought SPNs might not be case-sensitive 
and this shouldn't be a problem.

> > And there seems something missing again.
> 
> Not sure there is anything missing, you first use 'net' to add an SPN
> and everything seems okay, you then use samba-tool to list the SPNs for
> the Unix domain member. Perhaps if you ran 'samba-tool spn list
> --help' and read the second line, which says this:
> 
> List spns of a given user.
> 
> It might give you a hint ;-)
> 
> A computer account in AD is also a user
> 
> I am fairly sure if you were to examine the computer's object in AD, you
> will not find the SPN 'nfs/nas.site-a.mober.at@AD-DOMAIN.MOBER.AT'

Sorry, but I can't follow.
I thought the user member$ represents the computer account of the machine 
member? And therefore samba-tool spn list member$ should list all SPNs of that 
computer?
And I also thought "net ads" lets me do some things while working on the member 
that I otherwise would do with samba-tool on the DC. So in my understanding 
it should make no difference whether I use "net ads keytab add" on the member 
to add an SPN or use "samba-tool spn add" on the DC to do the same thing? Both 
should end up adding an SPN to the computer account, which I should be able to 
check with samba-tool spn list?

/Max
