[Samba] SPNs for a samba server
Rowland Penny
rpenny at samba.org
Tue Jan 21 10:55:47 UTC 2025
On Tue, 21 Jan 2025 12:51:26 +0300
Michael Tokarev via samba <samba at lists.samba.org> wrote:
> Hi!
>
> I'm not sure I understand how SPNs are registered in the AD domain.
> I know when a regular samba server is joined to an AD domain, a few
> SPNs are registered - namely, CIFS/$netbios_name and one for each of
> the CIFS/$netbios_aliases (where netbios name and netbios aliases are
> the parameters in smb.conf - yes, I know these are obsolete, but in
> this case they're actually used for a non-obsolete task).
Are you sure about that?
>
> Is there a list of other SPNs - for other names this server is known
> as - which should be registered too, or is it done later?
>
> A Windows machine registers CIFS/name and CIFS/name.domain principals,
> but samba does not do this when joining - when and by whom should the
> other name be registered?
>
> Can one add some principals to smb.conf so it gets registered
> automatically, or should it be done by an AD administrator?
>
> Thanks,
>
> /mjt
>
I ask about your SPNs because I do not have any SPNs in AD that start
with CIFS or cifs, and there is a good reason for this: SPNMapping.
If you run on a DC:
sudo ldbsearch -P --cross-ncs -H /var/lib/samba/private/sam.ldb -b 'CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=samdom,DC=example,DC=com' -s base sPNMappings
That should be all on one line and replace
'DC=samdom,DC=example,DC=com' with your dns domain details.
You should get something like this back:
dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=samdom,DC=example,DC=com
sPNMappings: host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,replicat
or,eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,fax,msiserver,i
as,messenger,netlogon,netman,netdde,netddedsm,nmagent,plugplay,protectedstora
ge,rasman,rpclocator,rpc,rpcss,remoteaccess,rsvp,samss,scardsvr,scesrv,seclog
on,scm,dcom,cifs,spooler,snmp,schedule,tapisrv,trksvr,trkwks,ups,time,wins,ww
w,http,w3svc,iisadmin,msdtc
If you look closely, you will find that 'host' or 'HOST' is mapped
to 'cifs', so you do not require explicit 'CIFS' SPNs.
This isn't a Samba thing, it is a Windows AD thing.
You do however need 'nfs' SPNs, if using NFS.
Rowland
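As an added example that is not part of this thread or of Samba's own tooling: a POSIX shell script that unfolds the LDIF printed by the ldbsearch command above and checks whether a given service class (cifs, nfs, ...) is covered by the host= entry in sPNMappings, which is the check behind the point made in the reply. The SAMPLE_LDIF value is constructed from the output shown in the post, with the LDIF continuation lines (leading space) restored as ldbsearch prints them; the function names and the report wording are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: decide whether a
# service class (cifs, nfs, ...) is covered by the HOST entry in sPNMappings,
# so you know whether an explicit SERVICE/name SPN has to be registered.

# Constructed sample: the sPNMappings output from the post, as ldbsearch
# prints it (LDIF folds long values; continuation lines start with a space).
# In real use, feed in the output of the ldbsearch command from the post
# instead of this variable.
SAMPLE_LDIF='dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=samdom,DC=example,DC=com
sPNMappings: host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,replicat
 or,eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,fax,msiserver,i
 as,messenger,netlogon,netman,netdde,netddedsm,nmagent,plugplay,protectedstora
 ge,rasman,rpclocator,rpc,rpcss,remoteaccess,rsvp,samss,scardsvr,scesrv,seclog
 on,scm,dcom,cifs,spooler,snmp,schedule,tapisrv,trksvr,trkwks,ups,time,wins,ww
 w,http,w3svc,iisadmin,msdtc'

# unfold_ldif: join LDIF continuation lines (leading space) back onto the
# attribute line they belong to, so every attribute occupies one line.
unfold_ldif() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" }
         { printf "%s", $0 }
         END { printf "\n" }'
}

# spn_mapping_list ALIAS LDIF: print the comma-separated service classes
# that sPNMappings maps onto ALIAS (for example "host").
spn_mapping_list() {
    printf '%s\n' "$2" | unfold_ldif | sed -n "s/^sPNMappings: *$1=//p"
}

# spn_mapped_to ALIAS SERVICE LDIF: succeed if SERVICE is listed under ALIAS.
# Service classes in SPNs are case-insensitive, so CIFS and cifs both match.
spn_mapped_to() {
    spn_mapping_list "$1" "$3" | tr ',' '\n' | grep -qix "$2"
}

# report_spn_coverage SERVICE...: one line per service class saying whether
# the HOST SPNs already cover it or an explicit SPN must be registered.
report_spn_coverage() {
    for svc in "$@"; do
        if spn_mapped_to host "$svc" "$SAMPLE_LDIF"; then
            printf '%s: covered by the HOST SPNs\n' "$svc"
        else
            printf '%s: not mapped to HOST, explicit %s/<name> SPN required\n' "$svc" "$svc"
        fi
    done
}

report_spn_coverage cifs nfs
```

Run against the sample, cifs is reported as covered by the HOST SPNs and nfs as needing an explicit SPN, which matches the reply: the mapping is read from the Configuration partition, so it applies to every host in the forest, and a service class not in the host= list needs its own SERVICE/name SPN on the server's computer object.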