[Samba] SPNs for a samba server

Rowland Penny rpenny at samba.org
Tue Jan 21 10:55:47 UTC 2025


On Tue, 21 Jan 2025 12:51:26 +0300
Michael Tokarev via samba <samba at lists.samba.org> wrote:

> Hi!
> 
> I'm not sure I understand how SPNs are registered in the AD domain.
> I know when a regular samba server is joined to an AD domain, a few
> SPNs are registered - namely, CIFS/$netbios_name and each for
> CIFS/$netbios_aliases (where netbios name and netbios aliases are
> the parameters in smb.conf - yes I know these are obsolete, but in
> this case they're actually used for non-obsolete task).

Are you sure about that?

> 
> Is there a list of other SPNs - for other names this server is known
> as - which should be registered too, or is it done later?
> 
> A Windows machine registers CIFS/name and CIFS/name.domain principals,
> but samba does not do this when joining - when and by whom should the
> other name be registered?
> 
> Can one add some principals to smb.conf so it gets registered
> automatically, or should it be done by an AD administrator?
> 
> Thanks,
> 
> /mjt
> 

I ask about your SPNs because I do not have any SPNs in AD that start
with CIFS or cifs, and there is a good reason for this: sPNMappings.

If you run on a DC:

sudo ldbsearch -P --cross-ncs -H /var/lib/samba/private/sam.ldb -b 'CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=samdom,DC=example,DC=com' -s base sPNMappings

That should be all on one line and replace
'DC=samdom,DC=example,DC=com' with your dns domain details.

You should get something like this back:

dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=samdom,DC=example,DC=com
sPNMappings: host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,replicat
 or,eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,fax,msiserver,i
 as,messenger,netlogon,netman,netdde,netddedsm,nmagent,plugplay,protectedstora
 ge,rasman,rpclocator,rpc,rpcss,remoteaccess,rsvp,samss,scardsvr,scesrv,seclog
 on,scm,dcom,cifs,spooler,snmp,schedule,tapisrv,trksvr,trkwks,ups,time,wins,ww
 w,http,w3svc,iisadmin,msdtc

If you look closely, you will find that 'host' or 'HOST' is mapped to
'cifs', so you do not require explicit 'CIFS' SPNs.

This isn't a Samba thing, it is a Windows AD thing.

You do however need 'nfs' SPNs, if using NFS.

Rowland
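The following is an added example, not code from the Samba project or from either poster. It shows how the sPNMappings value quoted above is applied: it unfolds the LDIF continuation lines, parses each 'target=alias,alias,...' value, and rewrites a requested SPN's service class onto its target, which is what lets a ticket request for cifs/name be satisfied by a host/name SPN while an nfs/name request is not. The LDIF text is the one quoted in the reply; the hostname fs1.samdom.example.com and the function names are assumptions made for the example.

```python
"""Resolve an SPN the way sPNMappings aliases service classes onto host/.

Added example, not Samba code. SAMPLE_LDIF is the ldbsearch output quoted
in the thread; the hostnames below are constructed for illustration.
"""

from typing import Dict, List

# Constructed sample: the sPNMappings value as ldbsearch prints it. LDIF
# folds long values onto continuation lines that begin with one space.
SAMPLE_LDIF = """dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=samdom,DC=example,DC=com
sPNMappings: host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,replicat
 or,eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,fax,msiserver,i
 as,messenger,netlogon,netman,netdde,netddedsm,nmagent,plugplay,protectedstora
 ge,rasman,rpclocator,rpc,rpcss,remoteaccess,rsvp,samss,scardsvr,scesrv,seclog
 on,scm,dcom,cifs,spooler,snmp,schedule,tapisrv,trksvr,trkwks,ups,time,wins,ww
 w,http,w3svc,iisadmin,msdtc
"""


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    return lines


def parse_spn_mappings(text: str) -> Dict[str, str]:
    """Return {alias_service_class: target_service_class} from sPNMappings.

    The attribute is multi-valued; each value is 'target=alias1,alias2,...'.
    Service classes compare case-insensitively, so everything is lower-cased.
    """
    mapping: Dict[str, str] = {}
    for line in unfold_ldif(text):
        attr, sep, value = line.partition(":")
        if not sep or attr.strip().lower() != "spnmappings":
            continue
        target, eq, aliases = value.strip().partition("=")
        if not eq:
            continue
        for alias in aliases.split(","):
            alias = alias.strip().lower()
            if alias:
                mapping[alias] = target.strip().lower()
    return mapping


def canonical_spn(spn: str, mapping: Dict[str, str]) -> str:
    """Rewrite the service class of spn when sPNMappings aliases it.

    'cifs/fs1.samdom.example.com' -> 'host/fs1.samdom.example.com'
    'nfs/fs1.samdom.example.com'  -> unchanged, nfs is not in the list
    """
    service_class, slash, rest = spn.partition("/")
    if not slash:
        return spn
    target = mapping.get(service_class.lower())
    return f"{target}/{rest}" if target else spn


def needs_explicit_spn(spn: str, mapping: Dict[str, str]) -> bool:
    """True when the SPN must be present on the account verbatim, because
    no alias folds its service class onto host/ (the nfs case in the reply)."""
    return canonical_spn(spn, mapping) == spn


if __name__ == "__main__":
    m = parse_spn_mappings(SAMPLE_LDIF)
    # Constructed hostname; only nfs/ comes back as needing its own SPN.
    for candidate in ("cifs/fs1.samdom.example.com",
                      "HTTP/fs1.samdom.example.com",
                      "nfs/fs1.samdom.example.com"):
        print(f"{candidate:32} -> {canonical_spn(candidate, m):32}"
              f" explicit SPN needed: {needs_explicit_spn(candidate, m)}")
```

The mapping only changes which SPN the KDC looks for; the account still has to carry host/ for every name clients actually type, so a server reached under several DNS names needs a host/name SPN for each of them, and anything the list does not cover (nfs/ being the common case) has to be added as-is. On a member server `net ads setspn list` shows what the machine account currently carries and `net ads setspn add SPN` adds one; on a DC the same is done with `samba-tool spn list <account>` and `samba-tool spn add <SPN> <account>`.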