[Samba] Fwd: spn on joined vs. unjoined computer account

Rowland Penny rpenny at samba.org
Fri Jan 28 14:28:47 UTC 2022


On Fri, 2022-01-28 at 15:08 +0100, Kees van Vloten via samba wrote:
> On 28-01-2022 14:54, Rowland Penny via samba wrote:
> > On Fri, 2022-01-28 at 14:42 +0100, Kees van Vloten via samba wrote:
> > > A little more info:
> > > 
> > > samba-tool computer show nojoined-comp
> > > 
> > > dn: CN=nojoined-comp,OU=Servers,DC=samdom,DC=com
> > > objectClass: top
> > > objectClass: person
> > > objectClass: organizationalPerson
> > > objectClass: user
> > > objectClass: computer
> > > cn: nojoined-comp
> > > instanceType: 4
> > > whenCreated: 20211130212554.0Z
> > > uSNCreated: 9620
> > > name: nojoined-comp
> > > objectGUID: 44da3a8e-65b3-4ce3-95c3-e5b34034cfe1
> > > userAccountControl: 4098
> > > badPwdCount: 0
> > > codePage: 0
> > > countryCode: 0
> > > badPasswordTime: 0
> > > lastLogoff: 0
> > > lastLogon: 0
> > > pwdLastSet: 0
> > > primaryGroupID: 515
> > > objectSid: S-1-5-21-4190054395-3630394414-2036191173-1267
> > > accountExpires: 9223372036854775807
> > > logonCount: 0
> > > sAMAccountName: nojoined-comp$
> > > sAMAccountType: 805306369
> > > objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=samdom,DC=com
> > > isCriticalSystemObject: FALSE
> > > msDS-SupportedEncryptionTypes: 16
> > > servicePrincipalName: http/nojoined-comp.samdom.com
> > > whenChanged: 20220128090502.0Z
> > > uSNChanged: 10839
> > > distinguishedName: CN=nojoined-comp,OU=Servers,DC=samdom,DC=com
> > > 
> > > Although it is impossible to export the keytab for the http SPN, it
> > > did register it. Does that make any sense?
> > > 
> > > - Kees
> > Your problem is probably being caused by a lack of a password. You
> > can create a computer account in AD, but until you join it, it is
> > unlikely to have a unicodePwd attribute and hence no password. No
> > password means no SPN in keytab, and no SPN in keytab means no keytab.
> > 
> > Rowland
> > 
> > 
> > 
> Indeed it shows 'pwdLastSet: 0', which probably means a password was
> never set, i.e. no unicodePwd attribute.
> For user accounts samba-tool has an option to set the password, but
> there is no such thing for computer accounts.
> 
> What would be the way to set a password on a computer account on the
> DC (and without joining the machine)?
> 
> - Kees
> 

You need to add the unicodePwd attribute with something like this:

#!/bin/bash

# Password to set on the (not yet joined) computer account
_USER_PW=C0mpL3xP4ssW0rd

# AD stores unicodePwd as the password wrapped in double quotes and
# encoded as UTF-16LE; LDIF wants that base64-encoded (hence 'unicodePwd::')
UNICODEPWD=$(echo -n "\"$_USER_PW\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0)

# add the ldif (DN of the computer account to fix up)
echo "dn: CN=notindom,OU=NonDom,DC=samdom,DC=example,DC=com
changetype: modify
replace: unicodePwd
unicodePwd::$UNICODEPWD" | ldbmodify -H /var/lib/samba/private/sam.ldb

Rowland
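The same fix-up in Python, as an added example that is not from the thread or from Samba: it reads a `samba-tool computer show` dump like the one Kees posted, flags an account whose pwdLastSet is 0, and builds the unicodePwd modify LDIF that ldbmodify would take. The attribute dump and the password are constructed sample values, and a decode helper lets you check the encoded value before writing it to sam.ldb.

```python
import base64

# Constructed sample: a trimmed `samba-tool computer show` dump for an
# account that was created on the DC but never joined (pwdLastSet is 0).
SAMPLE_SHOW_OUTPUT = """dn: CN=nojoined-comp,OU=Servers,DC=samdom,DC=com
objectClass: computer
cn: nojoined-comp
pwdLastSet: 0
sAMAccountName: nojoined-comp$
servicePrincipalName: http/nojoined-comp.samdom.com
"""


def parse_show_output(text):
    """Turn 'attribute: value' lines into a dict of value lists."""
    attrs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def needs_password(attrs):
    """pwdLastSet of 0 means no password (no unicodePwd) was ever set."""
    return attrs.get("pwdLastSet", ["0"])[0] == "0"


def encode_unicode_pwd(password):
    """AD wants the password in double quotes, UTF-16LE, base64 for LDIF."""
    raw = ('"' + password + '"').encode("utf-16-le")
    return base64.b64encode(raw).decode("ascii")


def decode_unicode_pwd(value):
    """Reverse of encode_unicode_pwd; returns the quoted password string."""
    return base64.b64decode(value).decode("utf-16-le")


def build_set_password_ldif(attrs, password):
    """Modify LDIF that replaces unicodePwd on the account's DN."""
    dn = attrs["dn"][0]
    return (f"dn: {dn}\n"
            "changetype: modify\n"
            "replace: unicodePwd\n"
            f"unicodePwd:: {encode_unicode_pwd(password)}\n")
```

Pipe the returned LDIF into `ldbmodify -H /var/lib/samba/private/sam.ldb` on the DC, then retry the keytab export for the SPN.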