On Wed, 2021-11-24 at 21:55 +0300, Oljas Kuzembaev via samba wrote:
> I think I got an orphan SPN in the KDC. I want to remove it, but I can't
> find the user of that SPN.
>
> That is why I think it is actually an orphan SPN:
>
> #samba-tool domain exportkeytab orphan.keytab --principal=cifs/oml.su
>
> Output gives me keys.
>
> But then, also this works:
>
> #samba-tool spn add cifs/oml.su oljas
>
> #samba-tool spn delete cifs/oml.su oljas
>
> And then, this still works:
>
> #samba-tool domain exportkeytab orphan.keytab --principal=cifs/oml.su
>
> I've tried to search for the SPN via ldapsearch, PowerShell and in ADUC,
> going through objects one by one. Can't track it.
>
> I think that this SPN was created by me years ago for some
> insignificant reason. But I cannot recall how I did it. Since then the
> DFL was raised from 2003 to 2008, if that matters.
>
> Is there any way to find out which user holds that SPN, or is there any
> way to remove it?
>

Running this on a Samba AD DC should show the SPN:

ldbsearch -H ldap://"$(hostname -s)" -P -b "dc=$(echo "$(hostname -d)" | sed 's/\./,dc=/g')" -s sub "(servicePrincipalName=cifs/oml.su)" servicePrincipalName samAccountName

It works for myself (using a different SPN).

Rowland
Thank you!

I am on FreeBSD and my knowledge of sed is poor. Trying to adapt it to my shell, I've butchered your line to this:

# samba-ldbsearch -H ldap://home.oml.su -P -b "dc=oml,dc=su" | grep cifs

That lists some OS X machines:

servicePrincipalName: cifs/air1411.oml.su
servicePrincipalName: cifs/macpro2008.oml.su
servicePrincipalName: cifs/macmini20151116.oml.su
servicePrincipalName: cifs/macbook-air-150.oml.su

But no sign of the SPN cifs/oml.su, which I am looking for. Is that because of a bad interpretation of your line?

On 24.11.2021 22:43, Rowland Penny via samba wrote:
> Running this on a Samba AD DC should show the SPN:
>
> ldbsearch -H ldap://"$(hostname -s)" -P -b "dc=$(echo "$(hostname -d)"
> | sed 's/\./,dc=/g')" -s sub "(servicePrincipalName=cifs/oml.su)"
> servicePrincipalName samAccountName
On 11/24/21 13:43, Rowland Penny via samba wrote:
> On Wed, 2021-11-24 at 21:55 +0300, Oljas Kuzembaev via samba wrote:
>> I think I got an orphan SPN in the KDC. I want to remove it, but I can't
>> find the user of that SPN.
>>
>> That is why I think it is actually an orphan SPN:
>>
>> #samba-tool domain exportkeytab orphan.keytab --principal=cifs/oml.su
>>
>> Output gives me keys.
>>
>> But then, also this works:
>>
>> #samba-tool spn add cifs/oml.su oljas
>>
>> #samba-tool spn delete cifs/oml.su oljas
>>
>> And then, this still works:
>>
>> #samba-tool domain exportkeytab orphan.keytab --principal=cifs/oml.su
>>
>> I've tried to search for the SPN via ldapsearch, PowerShell and in ADUC,
>> going through objects one by one. Can't track it.
>>
>> I think that this SPN was created by me years ago for some
>> insignificant reason. But I cannot recall how I did it. Since then the
>> DFL was raised from 2003 to 2008, if that matters.
>>
>> Is there any way to find out which user holds that SPN, or is there any
>> way to remove it?
>>
>
> Running this on a Samba AD DC should show the SPN:
>
> ldbsearch -H ldap://"$(hostname -s)" -P -b "dc=$(echo "$(hostname -d)"
> | sed 's/\./,dc=/g')" -s sub "(servicePrincipalName=cifs/oml.su)"
> servicePrincipalName samAccountName
>

Possibly ignorant question: Why are you using samAccountName here rather than userPrincipalName?

> It works for myself (using a different SPN).
>
> Rowland
>
>
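The following is an added example, not code from the thread or from the Samba project. It packages Rowland's search so that it does not depend on `hostname -d` or on retyping the sed expression (the step that went wrong in the FreeBSD adaptation above, where the `(servicePrincipalName=...)` filter was dropped and replaced by `grep cifs`), escapes the SPN per RFC 4515 before it goes into the filter, and pulls the holder's account name out of the LDIF that ldbsearch prints. It assumes the DC hostname and DNS domain are given as arguments, that the tool is installed as `ldbsearch` or, as on the FreeBSD port used above, `samba-ldbsearch`, and it asks for `sAMAccountName` rather than `userPrincipalName` because the holder may be a computer object, which has a `sAMAccountName` (ending in `$`) but normally no UPN. The `SAMPLE_LDIF` value is a constructed sample shaped like ldbsearch output so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread): locate the account that holds a
# servicePrincipalName on a Samba AD DC, and parse the LDIF result.

# Turn a DNS domain name into an AD base DN: oml.su -> dc=oml,dc=su
dns_to_basedn() {
    printf '%s' "$1" | sed 's/\./,dc=/g; s/^/dc=/'
}

# Escape the characters RFC 4515 reserves inside an LDAP filter value, so an
# odd principal name cannot change the meaning of the filter. The backslash
# is handled first so the escapes it introduces are not escaped again.
ldap_escape() {
    printf '%s' "$1" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g'
}

# Build the complete equality filter for one servicePrincipalName.
spn_filter() {
    printf '(servicePrincipalName=%s)' "$(ldap_escape "$1")"
}

# Read LDIF on stdin and print "sAMAccountName<TAB>dn" for every entry.
# Attribute names are matched case-insensitively; ldbsearch prints them in
# the schema's casing, which differs from what was typed on the command line.
holders_from_ldif() {
    awk '
        /^dn: /                           { dn = substr($0, 5) }
        tolower($0) ~ /^samaccountname: / { print substr($0, 17) "\t" dn }
    '
}

# Run the search. Arguments: DC hostname, DNS domain, SPN.
# -P uses the DC's machine account credentials, as in Rowland's command.
find_spn_holder() {
    dc="$1"; domain="$2"; spn="$3"
    tool=ldbsearch
    command -v ldbsearch >/dev/null 2>&1 || tool=samba-ldbsearch   # FreeBSD port name
    "$tool" -H "ldap://$dc" -P -b "$(dns_to_basedn "$domain")" -s sub \
        "$(spn_filter "$spn")" servicePrincipalName sAMAccountName \
        | holders_from_ldif
}

# Constructed LDIF sample in the shape ldbsearch prints, for offline use.
SAMPLE_LDIF='# record 1
dn: CN=oljas,CN=Users,DC=oml,DC=su
servicePrincipalName: cifs/oml.su
sAMAccountName: oljas

# returned 1 records
# 1 entries
# 0 referrals'

# Usage on a DC:  SPN_TO_FIND=cifs/oml.su sh find_spn.sh dc1 oml.su
# Without SPN_TO_FIND set, the parser is demonstrated on the sample above.
if [ -n "${SPN_TO_FIND:-}" ]; then
    find_spn_holder "$1" "$2" "$SPN_TO_FIND"
else
    printf '%s\n' "$SAMPLE_LDIF" | holders_from_ldif
fi
```

An empty result from `find_spn_holder` means no object in the base DN carries that exact value in `servicePrincipalName`; since the KDC in the thread still issues keys for `cifs/oml.su` after such a search comes back empty, that is the point at which to check the principal against objects outside the default base (or via `samba-tool spn list` per account) rather than to keep grepping unfiltered output.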