[Samba] 3-part SPN problem after update 4.13.8 to 4.13.14

Rowland Penny rpenny at samba.org
Wed Nov 17 15:42:11 UTC 2021


On Wed, 2021-11-17 at 16:28 +0100, Nikita Druba via samba wrote:
> 17.11.2021 10:27, Andrew Bartlett via samba wrote:
> > On Wed, 2021-11-17 at 08:36 +0100, Nikita Druba via samba wrote:
> > > 16.11.2021 18:36, Andrew Bartlett wrote:
> > > 
> > > I checked ldap base and for my DC$ account
> > > 
> > > userAccountControl=69632
> > This is your issue.  Have you perhaps joined a FreeNAS server to your
> > DC at some point?  It had a very confusing GUI that encouraged you to
> > wipe out the DC account.
> > 
> > This userAccountControl is
> > UF_WORKSTATION_TRUST_ACCOUNT|UF_DONT_EXPIRE_PASSWD and is therefore not
> > a real Domain Controller.
> This domain was started from Samba 4.0 and the DC was moved several
> times from one server to another by adding a new DC and removing the
> old one. Maybe somewhere in these migration procedures there were some
> failures. I see in one of my new domains that there
> 
> userAccountControl=532480

That is: SERVER_TRUST_ACCOUNT|TRUSTED_FOR_DELEGATION
> 
> Do I just need to set userAccountControl to this value? Or is this
> task not so easy?

Changing the userAccountControl attribute is fairly easy, but the
question has to be asked: how did it get changed, and did anything else
get changed?

> 
> I will try to run tests tonight.

I wouldn't.

Is this the only DC in the domain? If not, I would demote it (forcibly
if required), then join a new DC to replace it.

Rowland
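
The userAccountControl decoding discussed in this thread, as an added example that is not part of the original message or Samba's own code: it decodes the two values quoted above and reports accounts in the Domain Controllers OU that lack SERVER_TRUST_ACCOUNT. The LDIF records are constructed, the bit values are the documented Active Directory flags, and it assumes DC accounts sit in the default OU=Domain Controllers; read-only DCs (PARTIAL_SECRETS_ACCOUNT) are skipped because they legitimately carry WORKSTATION_TRUST_ACCOUNT.

```python
UAC_FLAGS = {
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",  # set on read-only DCs
}
SERVER_TRUST, PARTIAL_SECRETS = 0x2000, 0x4000000

# Constructed LDIF-style sample (names are placeholders, values from the thread).
SAMPLE_LDIF = """\
dn: CN=DC1,OU=Domain Controllers,DC=example,DC=com
userAccountControl: 69632

dn: CN=DC2,OU=Domain Controllers,DC=example,DC=com
userAccountControl: 532480

dn: CN=WS01,CN=Computers,DC=example,DC=com
userAccountControl: 4096
"""

def decode_uac(value):
    """Return the names of the flags set in value, plus unnamed bits as hex."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)
    return names + ([hex(unknown)] if unknown else [])

def parse_ldif(text):
    """Parse simple 'attr: value' records separated by blank lines."""
    records = []
    for block in text.strip().split("\n\n"):
        pairs = (line.partition(": ") for line in block.splitlines())
        records.append({k: v for k, sep, v in pairs if sep})
    return records

def broken_dc_accounts(text):
    """Accounts in the DC OU without SERVER_TRUST_ACCOUNT (RODCs skipped)."""
    bad = []
    for rec in parse_ldif(text):
        uac = int(rec.get("userAccountControl", "0"))
        # Assumption: DC accounts live in the default OU=Domain Controllers.
        in_dc_ou = ",ou=domain controllers," in rec.get("dn", "").lower()
        if in_dc_ou and not uac & (SERVER_TRUST | PARTIAL_SECRETS):
            bad.append((rec["dn"], decode_uac(uac)))
    return bad

if __name__ == "__main__":
    for dn, flags in broken_dc_accounts(SAMPLE_LDIF):
        print(f"{dn}: not a DC account, flags = {'|'.join(flags)}")
```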




