[Samba] SPNs for a samba server
Michael Tokarev
mjt at tls.msk.ru
Wed Jan 22 07:03:53 UTC 2025
22.01.2025 09:32, Michael Tokarev via samba wrote:
> 21.01.2025 13:55, Rowland Penny via samba wrote:
>> On Tue, 21 Jan 2025 12:51:26 +0300
>> Michael Tokarev via samba <samba at lists.samba.org> wrote:
>>
>>> Hi!
>>>
>>> I'm not sure I understand how SPNs are registered in the AD domain.
>>> I know when a regular samba server is joined to an AD domain, a few
>>> SPNs are registered - namely, CIFS/$netbios_name and each for
>>> CIFS/$netbios_aliases (where netbios name and netbios aliases are
>>> the parameters in smb.conf - yes I know these are obsolete, but in
>>> this case they're actually used for non-obsolete task).
>>
>> Are you sure about that?
>
> I'm sure about the names after the / - ie, the "host" names of the SPNs
> it is registering. I was wrong about the "CIFS" part though, exactly as
> you noted.
>
> The thing is: I don't know the details here, hence I'm asking. If I
> was sure, there'd be no need to ask in the first place.

For the curious - I had to actually find out how it works.

The client (smbclient) actually asks for CIFS/host. This is where I thought
such an SPN is actually registered, because the reply is positive. But the
only real service part of the SPN being registered is HOST/*, not CIFS/* -
the CIFS one is derived from the (global) sPNMappings record.

There's one more "service part" SPN which is registered for a samba
server in a domain -- RestrictedKrbHost/* - which is not aliased using
sPNMappings.

/mjt
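
The lookup described in this message, as an added example that is not part of the original post or of Samba's code: a request for CIFS/host is satisfied by a registered HOST/host through the sPNMappings alias list, while RestrictedKrbHost matches only exactly. The mapping value and the FS1 names are constructed samples, and the case-insensitive matching is a simplified model of the directory lookup, useful when auditing which service classes a machine account implicitly answers for.

```python
# Added example, not Samba code. All SAMPLE_* values are constructed.
# sPNMappings entries have the form "target=alias1,alias2,...".
SAMPLE_SPN_MAPPINGS = ["host=alerter,cifs,http,rpc,time,www"]  # shortened list

# servicePrincipalName values of a hypothetical member server FS1.
SAMPLE_REGISTERED = [
    "HOST/FS1",
    "HOST/fs1.example.com",
    "RestrictedKrbHost/FS1",
    "RestrictedKrbHost/fs1.example.com",
]


def parse_spn_mappings(values):
    """Return {alias_class: target_class}, all lower-cased."""
    aliases = {}
    for value in values:
        target, sep, names = value.partition("=")
        if not sep:
            continue  # malformed entry without '=', skip it
        for name in names.split(","):
            name = name.strip().lower()
            if name:
                aliases[name] = target.strip().lower()
    return aliases


def split_spn(spn):
    """Split 'class/rest' into (class, rest), lower-cased for comparison."""
    service_class, _, rest = spn.partition("/")
    return service_class.lower(), rest.lower()


def resolve(requested, registered, aliases):
    """Return the registered SPN that satisfies `requested`, or None."""
    req_class, req_host = split_spn(requested)
    by_key = {split_spn(spn): spn for spn in registered}
    if (req_class, req_host) in by_key:
        return by_key[(req_class, req_host)]      # exact match, no alias needed
    target = aliases.get(req_class)
    if target is None:
        return None                               # class is not aliased at all
    return by_key.get((target, req_host))         # e.g. cifs/x -> HOST/x


if __name__ == "__main__":
    aliases = parse_spn_mappings(SAMPLE_SPN_MAPPINGS)
    for spn in ("cifs/fs1", "RestrictedKrbHost/FS1", "ldap/fs1"):
        print(spn, "->", resolve(spn, SAMPLE_REGISTERED, aliases))
```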