[Samba] SPNs for a samba server
Rowland Penny
rpenny at samba.org
Wed Jan 22 10:01:36 UTC 2025
On Wed, 22 Jan 2025 09:32:19 +0300
Michael Tokarev via samba <samba at lists.samba.org> wrote:
> 21.01.2025 13:55, Rowland Penny via samba wrote:
> > On Tue, 21 Jan 2025 12:51:26 +0300
> > Michael Tokarev via samba <samba at lists.samba.org> wrote:
> >
> >> Hi!
> >>
> >> I'm not sure I understand how SPNs are registered in the AD domain.
> >> I know when a regular samba server is joined to an AD domain, a few
> >> SPNs are registered - namely, CIFS/$netbios_name and each for
> >> CIFS/$netbios_aliases (where netbios name and netbios aliases are
> >> the parameters in smb.conf - yes I know these are obsolete, but in
> >> this case they're actually used for non-obsolete task).
> >
> > Are you sure about that ?
>
> I'm sure about the names after the / - ie, the "host" names of the
> SPNs it is registering. I was wrong about the "CIFS" part though,
> exactly as you noted.
>
> The thing is: I don't know the details here, hence I'm asking. If I
> was sure, there'd be no need to ask in the first place.
>
> So I stand corrected. Samba registers HOST/$netbios_name SPN, and it
> now actually registers HOST/$netbios_name.$REALM SPN too, - at least
> when doing `net ads join`. It also registers all the same pairs for
> all names listed in netbios aliases parameter.
>
> For the HOST/$netbios_name.$REALM SPN, it looks like this one wasn't
> registered before, but I'm not certain about this. This question of
> mine came up because I found out that the HOST/name.dom.ain SPN wasn't
> registered, while HOST/name is, - for a samba server which joined
> a windows domain (not a samba domain) with samba version 4.16 or maybe
> even 4.13. The problematic missing SPN was HOST/name.dom.ain, the
> full name of the host.
>
> But this is sort of orthogonal to my question.
>
> My question was more how/who/when the additional names are added AFTER
> the join - should I ask the domain admin to do this, or can samba do it
> from the samba host side?
When I join domain members, the domain member gets 4 SPNs:
servicePrincipalName: HOST/UPPERCASE_SHORT_HOSTNAME.lowercase_dns_domain
servicePrincipalName: RestrictedKrbHost/UPPERCASE_SHORT_HOSTNAME.lowercase_dns_domain
servicePrincipalName: HOST/UPPERCASE_SHORT_HOSTNAME
servicePrincipalName: RestrictedKrbHost/UPPERCASE_SHORT_HOSTNAME
>
> And in particular, in this specific case, how to add the SPN for the
> full name for the host.
Isn't the first of the SPNs above what you are asking about ?
If you need to add any SPNs, you can do this with:
samba-tool spn add <name> <user>
Just remember that a computer is a user as well.
Rowland
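As an added example (not part of this thread and not Samba's own code): a small POSIX shell check that builds the four SPNs Rowland lists from a short hostname and DNS domain, compares them against the `servicePrincipalName:` lines read from a computer-object dump, and prints the `samba-tool spn add` command for each one that is missing. It assumes the dump has the same `servicePrincipalName: ...` line format shown above and that the computer account's user name is the uppercase short hostname followed by `$`; the sample dump is constructed for the demo, with the two full-name SPNs deliberately absent.

```shell
#!/bin/sh
# Added example, not from the samba list thread or the Samba project.
# Assumption: the computer account is named UPPERCASE_SHORT_HOSTNAME$.

# expected_spns SHORTNAME dns.domain -> the four SPNs a domain member should carry
expected_spns() {
    short=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    dom=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    printf '%s\n' "HOST/$short.$dom" "RestrictedKrbHost/$short.$dom" \
                  "HOST/$short" "RestrictedKrbHost/$short"
}

# missing_spns SHORTNAME dns.domain
# Reads 'servicePrincipalName: ...' lines on stdin (e.g. an ldbsearch/ldapsearch
# dump of the computer object) and prints each expected SPN not present.
# SPNs are compared case-insensitively, as AD treats them.
missing_spns() {
    have=$(sed -n 's/^servicePrincipalName: *//p' | tr '[:upper:]' '[:lower:]')
    expected_spns "$1" "$2" | while IFS= read -r spn; do
        lc=$(printf '%s' "$spn" | tr '[:upper:]' '[:lower:]')
        printf '%s\n' "$have" | grep -qxF -- "$lc" || printf '%s\n' "$spn"
    done
}

# fix_commands SHORTNAME dns.domain
# Prints the samba-tool invocation that would add each missing SPN to the
# computer account (a computer is a user too, hence the NAME$ account).
fix_commands() {
    acct="$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')\$"
    missing_spns "$1" "$2" | while IFS= read -r spn; do
        printf 'samba-tool spn add %s %s\n' "$spn" "$acct"
    done
}

# Constructed sample dump: only the short-name SPNs are registered, which is
# the situation described in the thread (HOST/name present, HOST/name.dom.ain missing).
SAMPLE_DUMP='dn: CN=FILESRV,CN=Computers,DC=example,DC=com
servicePrincipalName: HOST/FILESRV
servicePrincipalName: RestrictedKrbHost/FILESRV'

# Demo run: show what is missing and how to add it.
printf '%s\n' "$SAMPLE_DUMP" | missing_spns filesrv example.com
printf '%s\n' "$SAMPLE_DUMP" | fix_commands filesrv example.com
```

On a real member server the dump would come from a query of the computer object (for example with `ldbsearch` against the DC or `ldapsearch` as a domain user), piped into `missing_spns` in place of the constructed sample; the printed `samba-tool spn add` lines are then run by someone with rights on that computer object, whether that is the domain admin or the member's own machine account.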