[Samba] SPNs for a samba server
Michael Tokarev
mjt at tls.msk.ru
Wed Jan 22 06:32:19 UTC 2025
21.01.2025 13:55, Rowland Penny via samba wrote:
> On Tue, 21 Jan 2025 12:51:26 +0300
> Michael Tokarev via samba <samba at lists.samba.org> wrote:
>
>> Hi!
>>
>> I'm not sure I understand how SPNs are registered in the AD domain.
>> I know when a regular samba server is joined to an AD domain, a few
>> SPNs are registered - namely, CIFS/$netbios_name and each for
>> CIFS/$netbios_aliases (where netbios name and netbios aliases are
>> the parameters in smb.conf - yes I know these are obsolete, but in
>> this case they're actually used for non-obsolete task).
>
> Are you sure about that?

I'm sure about the names after the / - ie, the "host" names of the SPNs
it is registering. I was wrong about the "CIFS" part though, exactly as
you noted.

The thing is: I don't know the details here, hence I'm asking. If I
was sure, there'd be no need to ask in the first place.

So I stand corrected. Samba registers the HOST/$netbios_name SPN, and it
now actually registers the HOST/$netbios_name.$REALM SPN too, - at least
when doing `net ads join`. It also registers all the same pairs for
all names listed in the netbios aliases parameter.

For the HOST/$netbios_name.$REALM SPN, it looks like this one wasn't
registered before, but I'm not certain about this. This question of mine
came up because I found out that the HOST/name.dom.ain SPN wasn't
registered, while HOST/name is, - for a samba server which joined
a windows domain (not a samba domain) with samba version 4.16 or maybe
even 4.13. The problematic missing SPN was HOST/name.dom.ain, the
full name of the host.

But this is sort of orthogonal to my question.

My question was more how/who/when the additional names are added AFTER the
join - should I ask the domain admin to do this, or can samba do it
from the samba host side?

And in particular, in this specific case, how to add the SPN for the
full name of the host.

Thanks,

/mjt

>> Is there a list of other SPNs - for other names this server is known
>> as - which should be registered too, or is it done later?
>>
>> A windows machine registers CIFS/name and CIFS/name.domain principals,
>> but samba does not do this when joining - when and by whom should the other
>> name be registered?
>>
>> Can one add some principals to smb.conf so it gets registered
>> automatically, or should it be done by an AD administrator?
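An added example, not part of the thread above: a small POSIX shell script that takes the SPN list a joined Samba host reports and the names it should be known as (netbios name, netbios aliases, realm), computes which HOST/name and HOST/name.realm SPNs are missing, and prints the corresponding `net ads setspn add` commands for review rather than running them. The `net ads setspn list` / `net ads setspn add` subcommands are assumed to exist as in recent Samba releases; the listing format and the host "fileserv" with alias "files" in realm example.com are constructed sample data; case-insensitive comparison is this example's own assumption, since AD stores the netbios name upper-cased.

```shell
#!/bin/sh
# Added example, not from the thread: find HOST/ SPNs a Samba host should
# have but does not, and emit the commands that would register them.

# Constructed sample of what `net ads setspn list` might print for a host
# joined as "fileserv" with one netbios alias "files" in realm example.com.
# Note the full name is present only for the alias, not for the host itself.
SAMPLE_SPN_LIST='HOST/FILESERV
HOST/FILES
HOST/files.example.com'

# expected_spns NAME ALIASES REALM
# Prints HOST/short and HOST/short.realm for the netbios name and each
# alias, one per line (the pairs the thread says `net ads join` registers).
expected_spns() {
  name=$1; aliases=$2; realm=$3
  for n in $name $aliases; do
    printf 'HOST/%s\n' "$n"
    printf 'HOST/%s.%s\n' "$n" "$realm"
  done
}

# missing_spns LISTING NAME ALIASES REALM
# Prints every expected SPN that does not appear in LISTING. Comparison is
# case-insensitive (assumption: SPN host parts are matched without case).
missing_spns() {
  listing=$1; shift
  have=$(printf '%s\n' "$listing" | tr '[:upper:]' '[:lower:]')
  expected_spns "$@" | while IFS= read -r spn; do
    lc=$(printf '%s' "$spn" | tr '[:upper:]' '[:lower:]')
    if ! printf '%s\n' "$have" | grep -Fxq -- "$lc"; then
      printf '%s\n' "$spn"
    fi
  done
}

# add_commands LISTING NAME ALIASES REALM
# Prints one `net ads setspn add` line per missing SPN. Nothing is executed,
# so the output can be reviewed (or handed to the domain admin) first.
add_commands() {
  missing_spns "$@" | while IFS= read -r spn; do
    printf 'net ads setspn add %s\n' "$spn"
  done
}

# On a real host you would feed `net ads setspn list` output instead of
# the constructed sample: add_commands "$(net ads setspn list)" ...
add_commands "$SAMPLE_SPN_LIST" fileserv files example.com
```

With the constructed listing the script reports a single gap, HOST/fileserv.example.com, which is exactly the "full name of the host" case the message describes; whether the machine account is permitted to add its own SPNs is decided by the domain's ACLs, so the command may still need to be run by a domain admin.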