[Samba] net ads keytab add has no visible effects

Rowland Penny rpenny at samba.org
Sun Feb 26 17:15:47 UTC 2017


On Sun, 26 Feb 2017 17:13:28 +0100
Max Ober <max at mober.at> wrote:

> 
> Since AD comes from the Win-World I thought SPNs might not be
> case-sensitive and this shouldn't be a problem.

Possibly not on Windows but, Unix is case sensitive.


> Sorry, but I can't follow.
> I thought the user member$ represents the computer account of the
> machine member? And therefore samba-tool spn list member$ should list
> all SPNs of that computer?

Yes, this is true

> And I also thought "net ads" lets me do some stuff while working on
> the member that I otherwise would do with samba-tool on the dc. So
> for my understanding it should make no difference whether I use "net
> ads keytab add" on the member to add an spn or use "samba-tool spn
> add" on the dc to do the same thing? Both should end up adding an SPN
> to the computer account, 

Again yes.

> what I should be able to check with samba-tool spn list?


'samba tool spn list' will only show the SPNs in the machines AD,
this is the search it does:

        res = sam.search(
            expression="samaccountname=%s" % ldb.binary_encode(cleaneduser),
            scope=ldb.SCOPE_SUBTREE, attrs=["servicePrincipalName"])

The SPN you add to the keytab is not one of 'member$' SPNs, hence it
isn't shown by samba-tool.

If you want to know what is a keytab, use ktutil.

Rowland

Rowland




More information about the samba mailing list