[Samba] SPNs for a samba server

Michael Tokarev mjt at tls.msk.ru
Wed Jan 22 07:03:53 UTC 2025


22.01.2025 09:32, Michael Tokarev via samba wrote:
> 21.01.2025 13:55, Rowland Penny via samba wrote:
>> On Tue, 21 Jan 2025 12:51:26 +0300
>> Michael Tokarev via samba <samba at lists.samba.org> wrote:
>>
>>> Hi!
>>>
>>> I'm not sure I understand how SPNs are registered in the AD domain.
>>> I know when a regular samba server is joined to an AD domain, a few
>>> SPNs are registered - namely, CIFS/$netbios_name and each for
>>> CIFS/$netbios_aliases (where netbios name and netbios aliases are
>>> the parameters in smb.conf - yes I know these are obsolete, but in
>>> this case they're actually used for a non-obsolete task).
>>
>> Are you sure about that?
> 
> I'm sure about the names after the / - ie, the "host" names of the SPNs
> it is registering.  I was wrong about the "CIFS" part though, exactly as
> you noted.
> 
> The thing is: I don't know the details here, hence I'm asking.  If I
> was sure, there'd be no need to ask in the first place.

For the curious - I had to actually find out how it works.

The client (smbclient) actually asks for CIFS/host.  This is where I thought
such an SPN is actually registered, because the reply is positive.  But the
only real service part of the SPN being registered is HOST/*, not CIFS/* -
the CIFS one is derived from the (global) sPNMappings record.

There's one more "service part" SPN which is registered for a samba
server in a domain -- RestrictedKrbHost/* - which is not aliased using
sPNMappings.

/mjt
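
Added example, not part of the original message and not Samba or AD code: a simplified model of the lookup described above, where a requested service class is matched either against a registered SPN directly or through an sPNMappings alias ("target=alias,alias,..."). The mapping excerpt, host names and function names are constructed; comparison is assumed case-insensitive and port/service-name suffixes are not handled.

```python
# Added illustration; all sample values are constructed, not from a real domain.
SPN_MAPPINGS = ["host=alerter,cifs,http,spooler"]  # shortened, constructed excerpt
REGISTERED = [  # servicePrincipalName values on a hypothetical machine account
    "HOST/FS1", "HOST/fs1.example.com",
    "RestrictedKrbHost/FS1", "RestrictedKrbHost/fs1.example.com",
]

def parse_spn_mappings(values):
    """Turn sPNMappings values ('host=cifs,http') into {alias: target}."""
    alias_to_target = {}
    for value in values:
        target, sep, aliases = value.partition("=")
        if not sep:
            continue  # malformed entry: no '=' separator
        for alias in aliases.split(","):
            alias = alias.strip().lower()
            if alias:
                alias_to_target[alias] = target.strip().lower()
    return alias_to_target

def split_spn(spn):
    """Split 'service/instance' into a lowercased (service, instance) pair."""
    service, sep, instance = spn.partition("/")
    if not sep or not service or not instance:
        raise ValueError(f"not a service/instance SPN: {spn!r}")
    return service.lower(), instance.lower()

def resolve_spn(requested, registered, alias_to_target):
    """Return (registered_spn, 'direct' | 'alias'), or None if nothing matches."""
    service, instance = split_spn(requested)
    index = {split_spn(spn): spn for spn in registered}
    if (service, instance) in index:
        return index[(service, instance)], "direct"
    # Not registered as such: try the service class the alias maps to.
    target = alias_to_target.get(service)
    if target and (target, instance) in index:
        return index[(target, instance)], "alias"
    return None

if __name__ == "__main__":
    mappings = parse_spn_mappings(SPN_MAPPINGS)
    for spn in ("cifs/fs1.example.com", "RestrictedKrbHost/FS1", "ldap/fs1.example.com"):
        print(spn, "->", resolve_spn(spn, REGISTERED, mappings))
```

When auditing an account, this makes visible which service classes a single HOST/ registration covers in addition to the SPNs listed on the object.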
