[Samba] Different spns for DC1 and DC2

Rowland Penny rpenny at samba.org
Sat May 13 14:54:43 UTC 2023 


On 11/05/2023 22:21, Ricardo Esteves via samba wrote:
> Hi,
>   I have 2 domain controllers with samba4, and i realized i have some 
> missing spns for the second domain controller:
>   > samba-tool spn list dc1$
>   dc1$
>   User CN=dc1,OU=Domain Controllers,DC=test,DC=pt has the following 
> servicePrincipalName:
>        HOST/dc1.test.pt
>        HOST/dc1.test.pt/test
>        ldap/dc1.test.pt/test
>        GC/dc1.test.pt/test.pt
>        ldap/dc1.test.pt
>        HOST/dc1.test.pt/test.pt
>        ldap/dc1.test.pt/test.pt
>        HOST/dc1
> E3514235-4B06-11D1-AB04-00C04FC2DCD2/ea763557-5bb4-4885-bf7b-239eb94f483a/test.pt
>        ldap/ea763557-5bb4-4885-bf7b-239eb94f483a._msdcs.test.pt
>        ldap/dc1
>        RestrictedKrbHost/dc1
>        RestrictedKrbHost/dc1.test.pt
> 
>   > samba-tool spn list dc2$
>   dc2$
>   User CN=dc2,OU=Domain Controllers,DC=test,DC=pt has the following 
> servicePrincipalName:
>        HOST/dc2
>        HOST/dc2.test.pt
>        GC/dc2.test.pt/test.pt
> E3514235-4B06-11D1-AB04-00C04FC2DCD2/2a9b50c9-dc62-4201-b235-e72f3c36f0aa/test.pt
>        gc/dc2
>        gc/dc2.test.pt
>        e3514235-4b06-11d1-ab04-00c04fc2dcd2/dc2
>        e3514235-4b06-11d1-ab04-00c04fc2dcd2/dc2.test.pt
> 
>   Is this normal? Or should i create the missing ldap and 
> RestrictedKrbHost spns for dc2?
> 
> Ligações:

I do not think this is normal and if I compare it with my two DC's, DC1 
is missing these SPN's:

	 ldap/dc1.test.pt/DomainDnsZones.test.pt
	 ldap/dc1.test.pt/ForestDnsZones.test.pt

DC2 seems to be missing these:

       HOST/dc2.test.pt/test
       ldap/dc2.test.pt/test
       ldap/dc2.test.pt
       HOST/dc2.test.pt/test.pt
       ldap/dc2.test.pt/test.pt
       ldap/ea763557-5bb4-4885-bf7b-239eb94f483a._msdcs.test.pt
       ldap/dc2
       RestrictedKrbHost/dc2
       RestrictedKrbHost/dc2.test.pt
       ldap/dc2.test.pt/DomainDnsZones.test.pt
       ldap/dc2.test.pt/ForestDnsZones.test.pt

But does have these (which I do not):

       gc/dc2
       gc/dc2.test.pt
       e3514235-4b06-11d1-ab04-00c04fc2dcd2/dc2
       e3514235-4b06-11d1-ab04-00c04fc2dcd2/dc2.test.pt

Now I said that this isn't normal, but it could be, but from the 
information provided, who knows, all that is known is that you have two 
Samba AD DC's, no versions, no OS etc.

Rowland

More information about the samba mailing list