[Samba] Orphan SPN

Rowland Penny rpenny at samba.org
Fri Nov 26 10:51:29 UTC 2021


On Fri, 2021-11-26 at 04:38 -0600, Patrick Goetz via samba wrote:
> 
> On 11/24/21 13:43, Rowland Penny via samba wrote:
> > On Wed, 2021-11-24 at 21:55 +0300, Oljas Kuzembaev via samba wrote:
> > > I think I got an orphan SPN in the KDC. I want to remove it, but I can't
> > > find the user of that SPN.
> > > 
> > > That is why I think it is actually an orphan SPN:
> > > 
> > > #samba-tool domain exportkeytab orphan.keytab --principal=cifs/oml.su
> > > 
> > > Output gives me keys.
> > > 
> > > But then, also this works:
> > > 
> > > #samba-tool spn add cifs/oml.su oljas
> > > 
> > > #samba-tool spn delete cifs/oml.su oljas
> > > 
> > > And then, this still works:
> > > 
> > > #samba-tool domain exportkeytab orphan.keytab --principal=cifs/oml.su
> > > 
> > > I've tried to search for the SPN via ldapsearch, PowerShell and in ADUC,
> > > going through objects one by one. Can't track it.
> > > 
> > > I think that this SPN was created by me years ago for some
> > > insignificant reason. But I cannot recall how I did it. Since then
> > > the DFL was raised from 2003 to 2008, if that matters.
> > > 
> > > Is there any way to find out which user holds that SPN, or is there
> > > any way to remove it?
> > > 
> > 
> > Running this on a Samba AD DC should show the SPN:
> > 
> > ldbsearch -H ldap://"$(hostname -s)" -P -b "dc=$(echo "$(hostname -d)" | sed 's/\./,dc=/g')" -s sub "(servicePrincipalName=cifs/oml.su)" servicePrincipalName samAccountName
> > 
> 
> Possibly ignorant question:
> 
> Why are you using samAccountName here rather than userPrincipalName?

You could use 'userPrincipalName' instead of 'samAccountName', the ones
I used are just the attributes I wanted returned (along with the DN).

Rowland
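The search Rowland describes, wrapped into a small script as an added example (not code from the thread or from the Samba project). It assumes, like the original one-liner, that it is run on the Samba AD DC itself so that `hostname -s` and `hostname -d` name the DC and the AD domain; `ldbsearch` is the real Samba tool, while `dn_from_domain`, `spn_holders`, `summarise_holders` and the sample LDIF are constructed here. The summariser reduces the LDIF that `ldbsearch` prints to one `dn<TAB>sAMAccountName` line per holder, which makes it obvious whether the SPN sits on a user, a computer account, or on nothing the directory search can see.

```shell
#!/bin/sh
# Added example: locate the directory object(s) that hold a given SPN on a Samba AD DC.
# Assumes it runs on the DC itself (same assumption as the ldbsearch one-liner in the thread).

# Convert a DNS domain name to an LDAP base DN, e.g. oml.su -> dc=oml,dc=su
dn_from_domain() {
    printf 'dc=%s\n' "$1" | sed 's/\./,dc=/g'
}

# Ask the local DC for every object whose servicePrincipalName equals the given SPN.
# Requesting objectClass as well shows whether the holder is a user or a computer.
spn_holders() {
    spn="$1"
    base="$(dn_from_domain "$(hostname -d)")"
    ldbsearch -H ldap://"$(hostname -s)" -P -b "$base" -s sub \
        "(servicePrincipalName=$spn)" samAccountName userPrincipalName objectClass
}

# Reduce ldbsearch LDIF on stdin to "dn<TAB>sAMAccountName", one line per object.
# Attribute names are matched case-insensitively because ldb output may use either casing.
summarise_holders() {
    awk '
        /^dn: /                                 { dn = substr($0, 5) }
        tolower($0) ~ /^samaccountname: /       { sam = substr($0, 17) }
        /^$/ && dn != ""                        { print dn "\t" sam; dn = ""; sam = "" }
        END                                     { if (dn != "") print dn "\t" sam }
    '
}

# Constructed sample of what ldbsearch prints for an SPN held by two objects;
# used so the summariser can be exercised without a DC.
SAMPLE_LDIF='dn: CN=oljas,CN=Users,DC=oml,DC=su
objectClass: user
sAMAccountName: oljas
servicePrincipalName: cifs/oml.su

dn: CN=FS1,CN=Computers,DC=oml,DC=su
objectClass: computer
sAMAccountName: FS1$
servicePrincipalName: cifs/oml.su
'

# Offline demonstration on the constructed sample. On a real DC, run instead:
#   spn_holders cifs/oml.su | summarise_holders
printf '%s' "$SAMPLE_LDIF" | summarise_holders
```

If `spn_holders` prints nothing for an SPN that `samba-tool domain exportkeytab` still exports keys for, the search at least confirms that no user or computer object in the domain partition advertises it, which narrows the question to where the KDC is getting the principal from.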
