[Samba] Fwd: spn on joined vs. unjoined computer account

Kees van Vloten keesvanvloten at gmail.com
Fri Jan 28 14:08:08 UTC 2022


On 28-01-2022 14:54, Rowland Penny via samba wrote:
> On Fri, 2022-01-28 at 14:42 +0100, Kees van Vloten via samba wrote:
>> A little more info:
>>
>> samba-tool computer show nojoined-comp
>>
>> dn: CN=nojoined-comp,OU=Servers,DC=samdom,DC=com
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> objectClass: computer
>> cn: nojoined-comp
>> instanceType: 4
>> whenCreated: 20211130212554.0Z
>> uSNCreated: 9620
>> name: nojoined-comp
>> objectGUID: 44da3a8e-65b3-4ce3-95c3-e5b34034cfe1
>> userAccountControl: 4098
>> badPwdCount: 0
>> codePage: 0
>> countryCode: 0
>> badPasswordTime: 0
>> lastLogoff: 0
>> lastLogon: 0
>> pwdLastSet: 0
>> primaryGroupID: 515
>> objectSid: S-1-5-21-4190054395-3630394414-2036191173-1267
>> accountExpires: 9223372036854775807
>> logonCount: 0
>> sAMAccountName: nojoined-comp$
>> sAMAccountType: 805306369
>> objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=samdom,DC=com
>> isCriticalSystemObject: FALSE
>> msDS-SupportedEncryptionTypes: 16
>> servicePrincipalName: http/nojoined-comp.samdom.com
>> whenChanged: 20220128090502.0Z
>> uSNChanged: 10839
>> distinguishedName: CN=nojoined-comp,OU=Servers,DC=samdom,DC=com
>>
>> Although it is impossible to export the keytab for the http SPN, it
>> did register it. Does that make any sense?
>>
>> - Kees
> Your problem is probably being caused by a lack of a password: you can
> create a computer account in AD, but until you join it, it is unlikely
> to have a unicodePwd attribute and hence, no password. No password
> means no SPN in keytab and no SPN in keytab means no keytab.
>
> Rowland
>
>
>
Indeed it shows 'pwdLastSet: 0', which probably means a password was 
never set, i.e. no unicodePwd attribute.
For user accounts samba-tool has an option to set the password, but 
there is no such thing for computer accounts.

What would be the way to set a password on a computer-account on the DC 
(and without joining the machine)?

- Kees
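The question above asks how to give the pre-created computer account a password without joining a machine. The following is an added example (not code from this thread or from the Samba project) that builds the LDIF record for an administrative password reset of that account. It assumes the standard AD/Samba encoding of unicodePwd (the new password wrapped in double quotes, encoded as UTF-16LE, carried base64-encoded in LDIF with the "::" form); the DN is the one from the listing, the sample password is made up. It also decodes the listed userAccountControl value 4098, which is WORKSTATION_TRUST_ACCOUNT plus ACCOUNTDISABLE, and optionally emits a second change that clears the disabled bit while keeping the rest.

```python
"""Set the password of a pre-created (unjoined) Samba AD computer account.

Added example, not code from the thread or from the Samba project. It
builds the LDIF that an administrative unicodePwd reset takes: the new
password wrapped in double quotes, encoded as UTF-16LE, base64-encoded
in LDIF. The DN matches the listing above; the password is a made-up
sample.
"""
import base64

DN = "CN=nojoined-comp,OU=Servers,DC=samdom,DC=com"
SAMPLE_PASSWORD = "Secret123!"          # constructed sample, not a real secret

# userAccountControl bits relevant here (values as defined in MS-ADTS).
UAC_ACCOUNTDISABLE = 0x0002
UAC_FLAGS = {
    UAC_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}


def uac_flags(value):
    """Name the bits set in a userAccountControl value; unknown bits stay as hex."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    rest = value & ~sum(UAC_FLAGS)
    if rest:
        names.append(hex(rest))
    return names


def encode_unicodepwd(password):
    """Raw unicodePwd value: '"' + password + '"' in UTF-16LE, no BOM."""
    return ('"' + password + '"').encode("utf-16-le")


def decode_unicodepwd(raw):
    """Inverse of encode_unicodepwd, used to verify what will be sent."""
    text = raw.decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not a quoted UTF-16LE string")
    return text[1:-1]


def password_reset_ldif(dn, password, current_uac=None):
    """LDIF 'modify' record that replaces unicodePwd (an administrative
    reset, so the old password is not needed). If current_uac is given,
    the record also clears ACCOUNTDISABLE from userAccountControl while
    keeping every other bit as it is."""
    b64 = base64.b64encode(encode_unicodepwd(password)).decode("ascii")
    lines = [
        "dn: " + dn,
        "changetype: modify",
        "replace: unicodePwd",
        "unicodePwd:: " + b64,
        "-",
    ]
    if current_uac is not None:
        lines += [
            "replace: userAccountControl",
            "userAccountControl: %d" % (current_uac & ~UAC_ACCOUNTDISABLE),
            "-",
        ]
    return "\n".join(lines) + "\n"


def password_from_ldif(ldif):
    """Round-trip check: recover the cleartext from the LDIF we generated."""
    for line in ldif.splitlines():
        if line.startswith("unicodePwd:: "):
            return decode_unicodepwd(base64.b64decode(line[len("unicodePwd:: "):]))
    raise ValueError("no base64 unicodePwd line in LDIF")


if __name__ == "__main__":
    print("userAccountControl 4098 =", ", ".join(uac_flags(4098)))
    print(password_reset_ldif(DN, SAMPLE_PASSWORD, current_uac=4098), end="")
```

Applying it is outside what can be shown offline: on the DC, as root, feed the generated file to ldbmodify against the local sam.ldb (the path is distro-dependent, typically /var/lib/samba/private/sam.ldb for packaged Samba and /usr/local/samba/private/sam.ldb for source builds), or from elsewhere to ldapmodify over ldaps:// with administrator credentials, since AD only accepts unicodePwd on an encrypted connection. Afterwards pwdLastSet should no longer be 0 and `samba-tool domain exportkeytab /tmp/http.keytab --principal=http/nojoined-comp.samdom.com` has keys to write; with msDS-SupportedEncryptionTypes set to 16 as in the listing, expect only an AES256 key in the keytab. Because the computer object also carries objectClass user, `samba-tool user setpassword 'nojoined-comp$'` is expected to work as well, though that is the editor's reading of the tool, not something the thread confirms. Clearing ACCOUNTDISABLE matters only if the service must actually accept Kerberos tickets; exporting the keytab does not need it.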



