[Samba] SPNs for a samba server

Michael Tokarev mjt at tls.msk.ru
Wed Jan 22 14:53:23 UTC 2025


22.01.2025 13:01, Rowland Penny via samba wrote:

> When I join domain members, the domain member gets 4 SPNs:
> 
> servicePrincipalName: HOST/UPPERCASE_SHORT_HOSTNAME.lowercase_dns_domain
> servicePrincipalName: RestrictedKrbHost/UPPERCASE_SHORT_HOSTNAME.lowercase_dns_domain
> servicePrincipalName: HOST/UPPERCASE_SHORT_HOSTNAME
> servicePrincipalName: RestrictedKrbHost/UPPERCASE_SHORT_HOSTNAME

This is the list I posted in my previous email.

>> And in particular, in this specific case, how to add the SPN for the
>> full name for the host.
> 
> Isn't the first of the SPNs above what you are asking about ?

It is.

> If you need to add any SPNS, you can do this with:
> 
> samba-tool spn add <name> <user>

Sure.  I did this countless number of times.

I wonder why it's so difficult to follow.

So ok, as usual, I'll find answer myself.

FWIW, this command asks me the domain admin account.

So it seems like it's not possible for a computer itself to add an
SPN to its own account.  Which is kinda logical.

> Just remember that a computer is a user as well.

Thank you Cap.

/mjt



More information about the samba mailing list