I think I got an orphan SPN in the KDC. I want to remove it, but I can't find the user of that SPN.

That is why I think it is actually an orphan SPN:

#samba-tool domain exportkeytab orphan.keytab --principal=cifs/oml.su

Output gives me keys.

But then, this also works:

#samba-tool spn add cifs/oml.su oljas
#samba-tool spn delete cifs/oml.su oljas

And then, this still works:

#samba-tool domain exportkeytab orphan.keytab --principal=cifs/oml.su

I've tried to search for the SPN via ldapsearch, PowerShell and in ADUC, going through objects one by one. Can't track it.

I think that this SPN was created by me years ago for some insignificant reason. But I cannot recall how I did it. Since then the DFL was raised from 2003 to 2008, if that matters.

Is there any way to find out which user holds that SPN, or is there any way to remove it?
On Wed, 2021-11-24 at 21:55 +0300, Oljas Kuzembaev via samba wrote:
> I think I got an orphan SPN in the KDC. I want to remove it, but I can't
> find the user of that SPN.
>
> That is why I think it is actually an orphan SPN:
>
> #samba-tool domain exportkeytab orphan.keytab --principal=cifs/oml.su
>
> Output gives me keys.
>
> But then, this also works:
>
> #samba-tool spn add cifs/oml.su oljas
>
> #samba-tool spn delete cifs/oml.su oljas
>
> And then, this still works:
>
> #samba-tool domain exportkeytab orphan.keytab --principal=cifs/oml.su
>
> I've tried to search for the SPN via ldapsearch, PowerShell and in ADUC,
> going through objects one by one. Can't track it.
>
> I think that this SPN was created by me years ago for some
> insignificant reason. But I cannot recall how I did it. Since then the
> DFL was raised from 2003 to 2008, if that matters.
>
> Is there any way to find out which user holds that SPN, or is there
> any way to remove it?

Running this on a Samba AD DC should show the SPN:

ldbsearch -H ldap://"$(hostname -s)" -P -b "dc=$(echo "$(hostname -d)" | sed 's/\./,dc=/g')" -s sub "(servicePrincipalName=cifs/oml.su)" servicePrincipalName samAccountName

It works for myself (using a different SPN).

Rowland
On Wed, 2021-11-24 at 21:55 +0300, Oljas Kuzembaev via samba wrote:
> I think I got an orphan SPN in the KDC. I want to remove it, but I can't
> find the user of that SPN.
>
> That is why I think it is actually an orphan SPN:
>
> #samba-tool domain exportkeytab orphan.keytab --principal=cifs/oml.su
>
> Output gives me keys.
>
> But then, this also works:
>
> #samba-tool spn add cifs/oml.su oljas
>
> #samba-tool spn delete cifs/oml.su oljas
>
> And then, this still works:
>
> #samba-tool domain exportkeytab orphan.keytab --principal=cifs/oml.su
>
> I've tried to search for the SPN via ldapsearch, PowerShell and in ADUC,
> going through objects one by one. Can't track it.
>
> I think that this SPN was created by me years ago for some
> insignificant reason. But I cannot recall how I did it. Since then the
> DFL was raised from 2003 to 2008, if that matters.
>
> Is there any way to find out which user holds that SPN, or is there
> any way to remove it?

Look for host/oml.su

There is an attribute sPNMappings that controls the mapping between host and the services it implicitly aliases, so the cifs/ entry (and http/ along with many others) don't need to be listed explicitly on every service.

Andrew Bartlett

--
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
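The two answers together explain why the SPN is "invisible": the KDC matches cifs/oml.su against host/oml.su through sPNMappings, so a search for the literal SPN finds nothing. The following added example (not from this thread or from Samba's own code) parses sPNMappings values, expands a requested SPN into the explicit and host/-aliased forms, builds the widened ldbsearch filter, and runs the lookup over a constructed in-memory sample of directory objects; the mapping value and the objects are constructed for illustration, not the real default set.

```python
# Added example: resolve an SPN to its owner, honouring sPNMappings aliasing.
from typing import Dict, List, Optional

def parse_spn_mappings(values: List[str]) -> Dict[str, str]:
    """Parse sPNMappings values of the form "alias=svc1,svc2,..." into a
    service-class -> alias map (e.g. "cifs" -> "host")."""
    mapping: Dict[str, str] = {}
    for value in values:
        alias, _, services = value.partition("=")
        for svc in services.split(","):
            svc = svc.strip().lower()
            if svc:
                mapping[svc] = alias.strip().lower()
    return mapping

def candidate_spns(spn: str, mapping: Dict[str, str]) -> List[str]:
    """SPNs the KDC will accept for `spn`: the literal one plus the aliased
    host/ form when the service class is listed in sPNMappings."""
    service, sep, rest = spn.partition("/")
    cands = [spn]
    alias = mapping.get(service.lower())
    if sep and alias and alias != service.lower():
        cands.append(f"{alias}/{rest}")
    return cands

def _escape(value: str) -> str:
    """RFC 4515 escaping so a hostile SPN cannot alter the filter."""
    for ch, rep in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\0", r"\00")):
        value = value.replace(ch, rep)
    return value

def ldap_filter(spns: List[str]) -> str:
    """Filter string for ldbsearch/ldapsearch covering all candidate SPNs."""
    terms = "".join(f"(servicePrincipalName={_escape(s)})" for s in spns)
    return terms if len(spns) == 1 else f"(|{terms})"

def find_owner(spn: str, mapping: Dict[str, str], objects: List[dict]) -> Optional[str]:
    """Return the sAMAccountName whose servicePrincipalName covers `spn`."""
    wanted = {s.lower() for s in candidate_spns(spn, mapping)}
    for obj in objects:
        if wanted & {s.lower() for s in obj.get("servicePrincipalName", [])}:
            return obj["sAMAccountName"]
    return None

# Constructed sample data (hypothetical, trimmed mapping and two objects).
SPN_MAPPINGS = ["host=ldap,dns,cifs,http,www,rpc"]
SAMPLE_OBJECTS = [
    {"sAMAccountName": "oljas", "servicePrincipalName": []},
    {"sAMAccountName": "OML$", "servicePrincipalName": ["host/oml.su", "host/OML"]},
]
```

Running `find_owner("cifs/oml.su", parse_spn_mappings(SPN_MAPPINGS), SAMPLE_OBJECTS)` returns the machine account holding host/oml.su, which is the object to inspect or clean up rather than a missing cifs/ entry.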