[Samba] SPNs for a samba server

Rowland Penny rpenny at samba.org
Wed Jan 22 10:01:36 UTC 2025


On Wed, 22 Jan 2025 09:32:19 +0300
Michael Tokarev via samba <samba at lists.samba.org> wrote:

> 21.01.2025 13:55, Rowland Penny via samba wrote:
> > On Tue, 21 Jan 2025 12:51:26 +0300
> > Michael Tokarev via samba <samba at lists.samba.org> wrote:
> > 
> >> Hi!
> >>
> >> I'm not sure I understand how SPNs are registered in the AD domain.
> >> I know when a regular samba server is joined to an AD domain, a few
> >> SPNs are registered - namely, CIFS/$netbios_name and one for each of
> >> CIFS/$netbios_aliases (where netbios name and netbios aliases are
> >> the parameters in smb.conf - yes I know these are obsolete, but in
> >> this case they're actually used for a non-obsolete task).
> > 
> > Are you sure about that ?
> 
> I'm sure about the names after the / - ie, the "host" names of the
> SPNs it is registering.  I was wrong about the "CIFS" part though,
> exactly as you noted.
> 
> The thing is: I don't know the details here, hence I'm asking.  If I
> was sure, there'd be no need to ask in the first place.
> 
> So I stand corrected.  Samba registers HOST/$netbios_name SPN, and it
> now actually registers HOST/$netbios_name.$REALM SPN too, - at least
> when doing `net ads join`.  It also registers all the same pairs for
> all names listed in netbios aliases parameter.
> 
> For the HOST/$netbios_name.$REALM SPN, it looks like this one wasn't
> registered before, but I'm not certain about this.  My question came
> up because I found out that the HOST/name.dom.ain SPN wasn't
> registered, while HOST/name is, for a samba server which joined
> a windows domain (not a samba domain) with samba version 4.16 or maybe
> even 4.13.  The problematic missing SPN was HOST/name.dom.ain, the
> full name of the host.
> 
> But this is sort of orthogonal to my question.
> 
> My question was more about how/who/when the additional names are added
> AFTER the join - should I ask the domain admin to do this, or can samba
> do it from the samba host side?

When I join domain members, the domain member gets 4 SPNs:

servicePrincipalName: HOST/UPPERCASE_SHORT_HOSTNAME.lowercase_dns_domain
servicePrincipalName: RestrictedKrbHost/UPPERCASE_SHORT_HOSTNAME.lowercase_dns_domain
servicePrincipalName: HOST/UPPERCASE_SHORT_HOSTNAME
servicePrincipalName: RestrictedKrbHost/UPPERCASE_SHORT_HOSTNAME

> 
> And in particular, in this specific case, how to add the SPN for the
> full name for the host.

Isn't the first of the SPNs above what you are asking about?

If you need to add any SPNs, you can do this with:

samba-tool spn add <name> <user>

Just remember that a computer is a user as well.

Rowland
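An added example (mine, not code from this thread or from the Samba project) that turns the four-SPN list above into a check: it derives the expected HOST/ and RestrictedKrbHost/ entries for the upper-cased short name and the short name plus lower-cased DNS domain, compares them case-insensitively with what the computer object actually carries, and adds only the missing ones with `samba-tool spn add`, using the computer account (SHORTNAME$, since a computer is a user as well) as the target. It assumes the current SPNs are read as LDIF-style `servicePrincipalName:` lines (for instance from `samba-tool computer show NAME --attributes=servicePrincipalName`), that the computer's sAMAccountName is the short name followed by `$`, and that a DC LDAP URL and a credential allowed to write the attribute are supplied by the caller; none of those details come from the thread. The point of checking the FQDN entry specifically is that Kerberos clients ask the KDC for a ticket to the name they connect to, usually the full DNS name, and without that SPN the request fails or the client falls back to NTLM.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project.
# Derive the four expected SPNs for a Samba domain member, diff them against
# the computer object's current servicePrincipalName values, and add only the
# missing ones with `samba-tool spn add`.
#
# Assumptions (mine, not stated in the thread):
#  - current SPNs arrive on stdin as LDIF-style "servicePrincipalName: ..."
#    lines (e.g. from `samba-tool computer show NAME --attributes=...`);
#  - the computer account's sAMAccountName is SHORT followed by '$';
#  - a DC LDAP URL and a writable credential are passed in by the caller.

# expected_spns SHORT DNSDOMAIN -> the four SPNs, one per line
expected_spns() {
    short=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    dom=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' \
        "HOST/$short.$dom" \
        "RestrictedKrbHost/$short.$dom" \
        "HOST/$short" \
        "RestrictedKrbHost/$short"
}

# current_spns: read LDIF on stdin, print just the SPN values
current_spns() {
    sed -n 's/^servicePrincipalName: //p'
}

# missing_spns SHORT DNSDOMAIN: LDIF on stdin; prints expected SPNs that the
# object lacks. Comparison is case-insensitive, as SPN matching in AD is.
missing_spns() {
    have=$(current_spns)
    expected_spns "$1" "$2" | while IFS= read -r spn; do
        if ! printf '%s\n' "$have" | grep -Fxqi -- "$spn"; then
            printf '%s\n' "$spn"
        fi
    done
}

# add_missing_spns SHORT DNSDOMAIN LDAP_URL ADMIN: fetch the object's SPNs,
# diff, then add each missing one to the computer account (SHORT$).
add_missing_spns() {
    samba-tool computer show "$1" --attributes=servicePrincipalName \
        -H "$3" -U "$4" \
    | missing_spns "$1" "$2" \
    | while IFS= read -r spn; do
        echo "adding $spn"
        samba-tool spn add "$spn" "$1\$" -H "$3" -U "$4"
    done
}

# usage (hypothetical names): ./spn-fixup.sh fileserver dom.ain ldap://dc1.dom.ain Administrator
if [ "$#" -eq 4 ]; then
    add_missing_spns "$@"
fi
```

Run it with a domain-admin credential, or, if you try it with the machine account's own credential, expect AD's validated write to servicePrincipalName to accept only host-style SPNs whose name part matches the computer's own DNS host name or short name; anything beyond that (a netbios alias, for instance) needs an account with full write access to the attribute. Run the diff first with a read-only credential to see what would be added before touching the directory.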
