[Samba] Orphan SPN

Rowland Penny rpenny at samba.org
Wed Nov 24 19:43:59 UTC 2021


On Wed, 2021-11-24 at 21:55 +0300, Oljas Kuzembaev via samba wrote:
> I think I have an orphan SPN in the KDC. I want to remove it, but I can't
> find the user of that SPN.
> 
> That is why I think it is actually an orphan SPN:
> 
> #samba-tool domain exportkeytab orphan.keytab --principal=cifs/oml.su
> 
> Output gives me keys.
> 
> But then, this also works:
> 
> #samba-tool spn add cifs/oml.su oljas
> 
> #samba-tool spn delete cifs/oml.su oljas
> 
> And then, this still works:
> 
> #samba-tool domain exportkeytab orphan.keytab --principal=cifs/oml.su
> 
> I've tried to search for the SPN via ldapsearch, PowerShell and in ADUC
> going through objects one by one. Can't track it.
> 
> I think that this SPN was created by me years ago for some insignificant
> reason. But I cannot recall how I did it. Since then the DFL was raised
> from 2003 to 2008, if that matters.
> 
> Is there any way to find out which user holds that SPN, or is there any
> way to remove it?
> 
> 

Running this on a Samba AD DC should show the SPN:

ldbsearch -H ldap://"$(hostname -s)" -P \
  -b "dc=$(echo "$(hostname -d)" | sed 's/\./,dc=/g')" \
  -s sub "(servicePrincipalName=cifs/oml.su)" \
  servicePrincipalName samAccountName

It works for me (using a different SPN).

Rowland
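The natural follow-up to the ldbsearch query is to index the whole dump by SPN. The script below is an added example (not from this thread or from Samba) that parses the LDIF that ldbsearch prints, including folded continuation lines and base64 "::" values, and reports which accounts hold each SPN and which SPNs are registered on more than one account. The sample records, account names and domain are constructed.

```python
import base64
from collections import defaultdict

# Constructed sample of what `ldbsearch ... servicePrincipalName samAccountName`
# prints; the accounts and domain are hypothetical, not taken from the thread.
SAMPLE_LDIF = """\
dn: CN=FS01,OU=Servers,DC=example,DC=com
servicePrincipalName: cifs/fs01.example.com
servicePrincipalName: cifs/FS01
samAccountName: FS01$

dn: CN=svc-web,OU=Service Accounts,DC=example,DC=com
servicePrincipalName: HTTP/intranet.example.com
servicePrincipalName: cifs/fs01.examp
 le.com
samAccountName:: c3ZjLXdlYg==
"""

def parse_ldif(text):
    """One dict (attribute -> list of values) per LDIF record."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]      # LDIF folding: glue onto previous line
        else:
            unfolded.append(line)
    records, current = [], {}
    for line in unfolded + [""]:          # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
            current = {}
        elif not line.startswith("#"):    # skip ldbsearch comment lines
            attr, _, value = line.partition(":")
            if value.startswith(":"):     # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode()
            current.setdefault(attr, []).append(value.strip())
    return records

def spn_index(records):
    """Map each SPN, lower-cased (AD matches SPNs case-insensitively), to its holders."""
    index = defaultdict(set)
    for rec in records:
        for spn in rec.get("servicePrincipalName", []):
            index[spn.lower()].update(rec.get("samAccountName", ["<no samAccountName>"]))
    return index

def duplicate_spns(index):
    """SPNs held by more than one account; these break Kerberos auth for that service."""
    return {spn: sorted(owners) for spn, owners in index.items() if len(owners) > 1}
```

Feed it the real ldbsearch output (run without the SPN filter) and an SPN missing from the index has no holder in the directory, while the duplicates dict lists the collisions worth cleaning up.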