[Samba] net ads keytab add has no visible effects
Rowland Penny
rpenny at samba.org
Sun Feb 26 17:15:47 UTC 2017
On Sun, 26 Feb 2017 17:13:28 +0100
Max Ober <max at mober.at> wrote:
>
> Since AD comes from the Win-World I thought SPNs might not be
> case-sensitive and this shouldn't be a problem.
Possibly not on Windows, but Unix is case sensitive.
> Sorry, but I can't follow.
> I thought the user member$ represents the computer account of the
> machine member? And therefore samba-tool spn list member$ should list
> all SPNs of that computer?
Yes, this is true.
> And I also thought "net ads" lets me do some stuff while working on
> the member that I otherwise would do with samba-tool on the dc. So
> for my understanding it should make no difference whether I use "net
> ads keytab add" on the member to add an spn or use "samba-tool spn
> add" on the dc to do the same thing? Both should end up adding an SPN
> to the computer account,
Again yes.
> what I should be able to check with samba-tool spn list?
'samba-tool spn list' will only show the SPNs in the machine's AD,
this is the search it does:
    res = sam.search(
        expression="samaccountname=%s" % ldb.binary_encode(cleaneduser),
        scope=ldb.SCOPE_SUBTREE, attrs=["servicePrincipalName"])
The SPN you add to the keytab is not one of 'member$' SPNs, hence it
isn't shown by samba-tool.
If you want to know what is in a keytab, use ktutil.
Rowland
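An added example, not part of the original message and not Samba code: a Python script that compares the service principals in a keytab listing with the servicePrincipalName values on the machine account, the two places the thread distinguishes, and flags entries that differ only in case. The `klist -k` and `samba-tool spn list member$` output below is constructed sample data, and its layout and the function names are assumptions.

```python
import re

# Constructed sample of `klist -k` output for the member's keytab (assumed layout).
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/member.example.com@EXAMPLE.COM
   3 MEMBER$@EXAMPLE.COM
   3 HTTP/intranet.example.com@EXAMPLE.COM
   3 HTTP/wiki.example.com@EXAMPLE.COM
"""

# Constructed sample of `samba-tool spn list member$` output (assumed layout).
SPN_LIST_OUTPUT = """\
member$
User CN=MEMBER,CN=Computers,DC=example,DC=com has the following servicePrincipalName:
\t HOST/member.example.com
\t HOST/MEMBER
\t HTTP/wiki.example.com
"""

def keytab_spns(klist_text):
    """Service principals (realm stripped) from a keytab listing."""
    matches = (re.match(r"\s*\d+\s+(\S+)@\S+\s*$", l) for l in klist_text.splitlines())
    return {m.group(1) for m in matches if m and "/" in m.group(1)}  # skips MEMBER$

def directory_spns(spn_list_text):
    """servicePrincipalName values (the indented lines) from the samba-tool listing."""
    return {l.strip() for l in spn_list_text.splitlines()
            if l[:1] in (" ", "\t") and "/" in l}

def compare(klist_text, spn_list_text):
    """Classify each keytab SPN: exact match, case-only match, or absent from AD."""
    ad = directory_spns(spn_list_text)
    folded = {s.casefold(): s for s in ad}
    report = {"exact": [], "case_differs": [], "missing_in_ad": []}
    for spn in sorted(keytab_spns(klist_text)):
        if spn in ad:
            report["exact"].append(spn)
        elif spn.casefold() in folded:
            report["case_differs"].append((spn, folded[spn.casefold()]))
        else:
            report["missing_in_ad"].append(spn)
    return report

if __name__ == "__main__":
    print(compare(KLIST_OUTPUT, SPN_LIST_OUTPUT))
```

Entries under `missing_in_ad` exist only in the local keytab file, which is why a directory search on servicePrincipalName does not return them.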