[Samba] Orphan SPN
Oljas Kuzembaev
oljas at oml.su
Wed Nov 24 21:36:56 UTC 2021
On 25.11.2021 0:27, Rowland Penny via samba wrote:
> Then by the look of it, the SPN doesn't exist in AD, is there a keytab?
> If so, delete it and then recreate it.
That's what I thought! But:
root@home:~ # samba-tool spn delete cifs/oml.su
ERROR: Service principal cifs/oml.su not affected
root@home:~ # samba-tool domain exportkeytab orphan.keytab --principal=cifs/oml.su
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
Export one principal to orphan.keytab
Unsupported keytype ignored - type 3
Unsupported keytype ignored - type 1
../../lib/krb5_wrap/krb5_samba.c:1752: adding keytab entry for (cifs/oml.su@OML.SU) with encryption type (18) and version (3)
../../lib/krb5_wrap/krb5_samba.c:1512: Will try to delete old keytab entries
../../lib/krb5_wrap/krb5_samba.c:1752: adding keytab entry for (cifs/oml.su@OML.SU) with encryption type (17) and version (3)
../../lib/krb5_wrap/krb5_samba.c:1512: Will try to delete old keytab entries
../../lib/krb5_wrap/krb5_samba.c:1752: adding keytab entry for (cifs/oml.su@OML.SU) with encryption type (23) and version (3)
root@home:~ # ktutil -k orphan.keytab list
orphan.keytab:

Vno  Type                     Principal           Aliases
  3  aes256-cts-hmac-sha1-96  cifs/oml.su@OML.SU
  3  aes128-cts-hmac-sha1-96  cifs/oml.su@OML.SU
  3  arcfour-hmac-md5         cifs/oml.su@OML.SU