[Samba] Fwd: spn on joined vs. unjoined computer account

Rowland Penny rpenny at samba.org
Fri Jan 28 13:54:57 UTC 2022


On Fri, 2022-01-28 at 14:42 +0100, Kees van Vloten via samba wrote:
> A little more info:
> 
> samba-tool computer show nojoined-comp
> 
> dn: CN=nojoined-comp,OU=Servers,DC=samdom,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> objectClass: computer
> cn: nojoined-comp
> instanceType: 4
> whenCreated: 20211130212554.0Z
> uSNCreated: 9620
> name: nojoined-comp
> objectGUID: 44da3a8e-65b3-4ce3-95c3-e5b34034cfe1
> userAccountControl: 4098
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> pwdLastSet: 0
> primaryGroupID: 515
> objectSid: S-1-5-21-4190054395-3630394414-2036191173-1267
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: nojoined-comp$
> sAMAccountType: 805306369
> objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=samdom,DC=com
> isCriticalSystemObject: FALSE
> msDS-SupportedEncryptionTypes: 16
> servicePrincipalName: http/nojoined-comp.samdom.com
> whenChanged: 20220128090502.0Z
> uSNChanged: 10839
> distinguishedName: CN=nojoined-comp,OU=Servers,DC=samdom,DC=com
> 
> Although it is impossible to export the keytab for the http SPN, it did
> register it. Does that make any sense?
> 
> - Kees

Your problem is probably being caused by a lack of a password. You can
create a computer account in AD, but until you join it, it is unlikely
to have a unicodePwd attribute and hence no password. No password
means no SPN in the keytab, and no SPN in the keytab means no keytab.

Rowland
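A way to check this from the directory side, as an added example that is not part of the thread and not Samba's own code: AD never returns unicodePwd on a read, so the observable proxy for "has this account ever had a password" is pwdLastSet, and the posted record also carries ACCOUNTDISABLE in userAccountControl (4098 = 0x1000 WORKSTATION_TRUST_ACCOUNT + 0x2 ACCOUNTDISABLE), which is how a pre-created, not-yet-joined computer object looks. The script below parses the attribute dump that `samba-tool computer show <name>` prints, decodes userAccountControl and msDS-SupportedEncryptionTypes, and reports whether a `samba-tool domain exportkeytab <file> --principal=<spn>` for the account's SPNs can be expected to produce keys. The two sample records are constructed: the first is the one posted above, the second is a hypothetical joined counterpart (`joined-comp$`, its pwdLastSet value and its SPNs are invented).

```python
"""Classify a computer account from `samba-tool computer show` output.

Added example, not code from the thread or from Samba. The only rule it
applies is the one from the reply above: an account whose password has
never been set has no Kerberos keys, so no keytab can be exported for
its SPNs, however many servicePrincipalName values are registered.
"""
import re
from typing import Dict, List

# userAccountControl bits (MS-ADTS); only the ones relevant to computer objects.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
}

# msDS-SupportedEncryptionTypes bits (MS-KILE).
ENC_TYPES = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}

# Constructed sample 1: the pre-created, unjoined account from the thread
# (trimmed to the attributes used here; objectCategory kept line-wrapped
# the way the mail shows it, to exercise the continuation handling).
UNJOINED = """\
dn: CN=nojoined-comp,OU=Servers,DC=samdom,DC=com
objectClass: computer
cn: nojoined-comp
userAccountControl: 4098
pwdLastSet: 0
primaryGroupID: 515
sAMAccountName: nojoined-comp$
objectCategory:
CN=Computer,CN=Schema,CN=Configuration,DC=samdom,DC=com
msDS-SupportedEncryptionTypes: 16
servicePrincipalName: http/nojoined-comp.samdom.com
"""

# Constructed sample 2: a hypothetical joined machine (name, pwdLastSet
# and SPNs are invented for the example).
JOINED = """\
dn: CN=joined-comp,OU=Servers,DC=samdom,DC=com
objectClass: computer
cn: joined-comp
userAccountControl: 4096
pwdLastSet: 132874483420000000
primaryGroupID: 515
sAMAccountName: joined-comp$
msDS-SupportedEncryptionTypes: 28
servicePrincipalName: HOST/joined-comp.samdom.com
servicePrincipalName: HOST/JOINED-COMP
servicePrincipalName: http/joined-comp.samdom.com
"""

ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s?(.*)$")


def parse_show_output(text: str) -> Dict[str, List[str]]:
    """Turn the attribute dump into attr -> [values] (multi-valued attrs kept).

    A line that does not look like `attr: value` is treated as the
    continuation of the previous value, which is how a wrapped
    objectCategory line arrives in mail.
    """
    attrs: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = ATTR_LINE.match(line)
        if m:
            current = m.group(1)
            attrs.setdefault(current, []).append(m.group(2))
        elif current is not None:
            attrs[current][-1] += line.strip()
    return attrs


def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    """Names of the bits set in `value`, in ascending bit order."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def classify(attrs: Dict[str, List[str]]) -> dict:
    """Report join state and whether a keytab export for the SPNs can work."""
    uac = int(attrs.get("userAccountControl", ["0"])[0])
    enc = int(attrs.get("msDS-SupportedEncryptionTypes", ["0"])[0])
    pwd_last_set = int(attrs.get("pwdLastSet", ["0"])[0])
    spns = attrs.get("servicePrincipalName", [])
    has_password = pwd_last_set != 0        # never set => no keys in the KDC
    disabled = bool(uac & 0x0002)
    reasons = []
    if not has_password:
        reasons.append("pwdLastSet is 0: no password has ever been set")
    if disabled:
        reasons.append("ACCOUNTDISABLE is set in userAccountControl")
    if not spns:
        reasons.append("no servicePrincipalName registered")
    return {
        "account": attrs.get("sAMAccountName", ["?"])[0],
        "has_password": has_password,
        "joined": has_password and not disabled,
        "uac_flags": decode_flags(uac, UAC_FLAGS),
        "enc_types": decode_flags(enc, ENC_TYPES),
        "spns": spns,
        # SPNs alone are not enough: exportkeytab needs keys, i.e. a password.
        "keytab_exportable": has_password and bool(spns),
        "reasons": reasons,
    }


if __name__ == "__main__":
    for sample in (UNJOINED, JOINED):
        r = classify(parse_show_output(sample))
        print(f"{r['account']}: joined={r['joined']} "
              f"keytab_exportable={r['keytab_exportable']} "
              f"uac={r['uac_flags']} enc={r['enc_types']} spns={r['spns']}")
        for reason in r["reasons"]:
            print("   -", reason)
```

On the posted record this reports `keytab_exportable=False` with the two reasons (pwdLastSet 0, ACCOUNTDISABLE); the SPN is registered but there is nothing to key it with. Once the machine is actually joined (pwdLastSet becomes non-zero and the disable bit clears) the same SPN becomes exportable, which is the behaviour the reply above describes.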