[Samba] Orphan SPN
Patrick Goetz
pgoetz at math.utexas.edu
Fri Nov 26 10:38:30 UTC 2021
On 11/24/21 13:43, Rowland Penny via samba wrote:
> On Wed, 2021-11-24 at 21:55 +0300, Oljas Kuzembaev via samba wrote:
>> I think I got an orphan SPN in the KDC. I want to remove it, but I can't
>> find the user of that SPN.
>>
>> That is why I think it is actually an orphan SPN:
>>
>> #samba-tool domain exportkeytab orphan.keytab --principal=cifs/oml.su
>>
>> Output gives me keys.
>>
>> But then, also this works:
>>
>> #samba-tool spn add cifs/oml.su oljas
>>
>> #samba-tool spn delete cifs/oml.su oljas
>>
>> And then, this still works:
>>
>> #samba-tool domain exportkeytab orphan.keytab --principal=cifs/oml.su
>>
>> I've tried to search for the SPN via ldapsearch, PowerShell and in ADUC,
>> going through objects one by one. Can't track it.
>>
>> I think that this SPN was created by me years ago for some
>> insignificant reason. But I cannot recall how I did it. Since then the
>> DFL was raised from 2003 to 2008, if that matters.
>>
>> Is there any way to find out which user holds that SPN, or is there
>> any way to remove it?
>>
>>
>
> Running this on a Samba AD DC should show the SPN:
>
> ldbsearch -H ldap://"$(hostname -s)" -P -b "dc=$(echo "$(hostname -d)" | sed 's/\./,dc=/g')" -s sub "(servicePrincipalName=cifs/oml.su)" servicePrincipalName samAccountName
>
Possibly ignorant question:
Why are you using samAccountName here rather than userPrincipalName ?
> It works for myself (using a different SPN).
>
> Rowland
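Rowland's one-liner derives the search base from the DC's own DNS domain and filters on servicePrincipalName. The shell example below is added here and is not from the thread or from the Samba project; it splits that command into pieces that can be checked on their own (the DNS-name-to-base-DN conversion, RFC 4515 escaping of the filter value, and the assembled ldbsearch invocation) and asks for both samAccountName and userPrincipalName so the owning object can be identified either way. The host name dc1, the domain samdom.example.com and the SPN are constructed sample values; the command is printed rather than executed, so it can be inspected before it is run on a real DC.

```shell
#!/bin/sh
# Added example, not part of the original mailing-list thread.
# Builds the same SPN lookup Rowland suggested, piece by piece.

# Convert a DNS domain such as "samdom.example.com" into the
# LDAP base DN "dc=samdom,dc=example,dc=com".
dns_to_base_dn() {
    printf 'dc=%s\n' "$1" | sed 's/\./,dc=/g'
}

# Escape the characters that are special inside an LDAP search filter
# (RFC 4515): backslash first, then '*', '(' and ')'. Without this, an SPN
# value containing '*' would silently turn into a wildcard match.
ldap_filter_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' \
                             -e 's/\*/\\2a/g' \
                             -e 's/(/\\28/g' \
                             -e 's/)/\\29/g'
}

# Print (do not run) the ldbsearch command that looks up the object holding
# an SPN.  $1 = SPN, $2 = DC host name (default: hostname -s),
# $3 = DNS domain (default: hostname -d).
spn_search_cmd() {
    spn=$(ldap_filter_escape "$1")
    host=${2:-$(hostname -s)}
    domain=${3:-$(hostname -d)}
    base_dn=$(dns_to_base_dn "$domain")
    printf 'ldbsearch -H ldap://%s -P -b "%s" -s sub "(servicePrincipalName=%s)" servicePrincipalName samAccountName userPrincipalName\n' \
        "$host" "$base_dn" "$spn"
}

# Demonstration with constructed sample values (no DC is contacted).
spn_search_cmd cifs/oml.su dc1 samdom.example.com
```

On a DC the printed command can be executed directly with `sh -c "$(spn_search_cmd cifs/oml.su)"`; the defaults then pick up the DC's own short host name and DNS domain exactly as the original one-liner does.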