[Samba] Fwd: Fwd: spn on joined vs. unjoined computer account

Kees van Vloten keesvanvloten at gmail.com
Fri Jan 28 15:08:12 UTC 2022


On 28-01-2022 15:28, Rowland Penny via samba wrote:
> On Fri, 2022-01-28 at 15:08 +0100, Kees van Vloten via samba wrote:
>> On 28-01-2022 14:54, Rowland Penny via samba wrote:
>>> On Fri, 2022-01-28 at 14:42 +0100, Kees van Vloten via samba wrote:
>>>> A little more info:
>>>>
>>>> samba-tool computer show nojoined-comp
>>>>
>>>> dn: CN=nojoined-comp,OU=Servers,DC=samdom,DC=com
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: organizationalPerson
>>>> objectClass: user
>>>> objectClass: computer
>>>> cn: nojoined-comp
>>>> instanceType: 4
>>>> whenCreated: 20211130212554.0Z
>>>> uSNCreated: 9620
>>>> name: nojoined-comp
>>>> objectGUID: 44da3a8e-65b3-4ce3-95c3-e5b34034cfe1
>>>> userAccountControl: 4098
>>>> badPwdCount: 0
>>>> codePage: 0
>>>> countryCode: 0
>>>> badPasswordTime: 0
>>>> lastLogoff: 0
>>>> lastLogon: 0
>>>> pwdLastSet: 0
>>>> primaryGroupID: 515
>>>> objectSid: S-1-5-21-4190054395-3630394414-2036191173-1267
>>>> accountExpires: 9223372036854775807
>>>> logonCount: 0
>>>> sAMAccountName: nojoined-comp$
>>>> sAMAccountType: 805306369
>>>> objectCategory:
>>>> CN=Computer,CN=Schema,CN=Configuration,DC=samdom,DC=com
>>>> isCriticalSystemObject: FALSE
>>>> msDS-SupportedEncryptionTypes: 16
>>>> servicePrincipalName: http/nojoined-comp.samdom.com
>>>> whenChanged: 20220128090502.0Z
>>>> uSNChanged: 10839
>>>> distinguishedName: CN=nojoined-comp,OU=Servers,DC=samdom,DC=com
>>>>
>>>> Although it is impossible to export the keytab for the http SPN,
>>>> it did register it. Does that make any sense?
>>>>
>>>> - Kees
>>> Your problem is probably being caused by a lack of a password: you
>>> can create a computer account in AD, but until you join it, it is
>>> unlikely to have a unicodePwd attribute and hence no password. No
>>> password means no SPN in keytab and no SPN in keytab means no keytab.
>>>
>>> Rowland
>>>
>>>
>>>
>> Indeed it shows 'pwdLastSet: 0', which probably means a password was
>> never set, i.e. no unicodePwd attribute.
>> For user accounts samba-tool has an option to set the password, but
>> there is no such thing for computer accounts.
>>
>> What would be the way to set a password on a computer account on the
>> DC (and without joining the machine)?
>>
>> - Kees
>>
> You need to add the unicodePwd attribute with something like this:
>
> #!/bin/bash
>
> _USER_PW=C0mpL3xP4ssW0rd
> UNICODEPWD=$(echo -n "\"$_USER_PW\"" | iconv -f UTF-8 -t UTF-16LE |
> base64 -w 0)
>
> # add the ldif
> echo "dn: CN=notindom,OU=NonDom,DC=samdom,DC=example,DC=com
> changetype: modify
> replace: unicodePwd
> unicodePwd::$UNICODEPWD" | ldbmodify -H /var/lib/samba/private/sam.ldb
>
> Rowland
>
>
>
Thanks Rowland!
I have just run your bash script and I can confirm that extracting the
keytab works now :-)

- Kees
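The two points in this thread, reading pwdLastSet: 0 as "no password, so no keytab" and building the unicodePwd value as a double-quoted UTF-16LE string for ldbmodify, as an added Python example (not code from the thread or from Samba). The SAMPLE_SHOW text is a constructed excerpt of the samba-tool output above; the function names are my own.

```python
import base64

# Constructed sample, trimmed from the `samba-tool computer show` output in the thread.
SAMPLE_SHOW = """dn: CN=nojoined-comp,OU=Servers,DC=samdom,DC=com
objectClass: computer
cn: nojoined-comp
userAccountControl: 4098
pwdLastSet: 0
sAMAccountName: nojoined-comp$
msDS-SupportedEncryptionTypes: 16
servicePrincipalName: http/nojoined-comp.samdom.com
"""


def parse_show(text):
    """Parse LDIF-style 'attr: value' lines into a dict of value lists (attrs can be multi-valued)."""
    attrs = {}
    for line in text.splitlines():
        if ": " not in line:
            continue
        key, value = line.split(": ", 1)
        attrs.setdefault(key, []).append(value.strip())
    return attrs


def has_password(attrs):
    """pwdLastSet of 0 means a password was never set: no keys, so no keytab can be exported."""
    return attrs.get("pwdLastSet", ["0"])[0] != "0"


def unicode_pwd_value(password):
    """AD's unicodePwd wire format: the password wrapped in double quotes, encoded UTF-16LE.
    Returned base64-encoded for the '::' LDIF syntax, matching iconv | base64 in the bash script."""
    raw = ('"' + password + '"').encode("utf-16-le")
    return base64.b64encode(raw).decode("ascii")


def decode_unicode_pwd(b64):
    """Reverse check: decode a unicodePwd value and strip the mandatory surrounding quotes."""
    raw = base64.b64decode(b64).decode("utf-16-le")
    if len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
        raise ValueError("unicodePwd value is not a double-quoted string")
    return raw[1:-1]


def build_ldif(dn, password):
    """LDIF 'modify' that sets unicodePwd on the given DN; pipe it to ldbmodify as in the thread."""
    return (f"dn: {dn}\nchangetype: modify\nreplace: unicodePwd\n"
            f"unicodePwd::{unicode_pwd_value(password)}\n")
```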