On Wed, 2021-11-24 at 21:55 +0300, Oljas Kuzembaev via samba wrote:
> I think I got an orphan SPN in the KDC. I want to remove it, but I can't
> find the user of that SPN.
>
> That is why I think it is actually an orphan SPN:
>
> #samba-tool domain exportkeytab orphan.keytab --principal=cifs/oml.su
>
> Output gives me keys.
>
> But then, also this works:
>
> #samba-tool spn add cifs/oml.su oljas
>
> #samba-tool spn delete cifs/oml.su oljas
>
> And then, this still works:
>
> #samba-tool domain exportkeytab orphan.keytab --principal=cifs/oml.su
>
> I've tried to search for the SPN via ldapsearch, PowerShell and in ADUC,
> going through objects one by one. Can't track it.
>
> I think that this SPN was created by me years ago for some
> insignificant reason. But I cannot recall how I did it. Since then the
> DFL was raised from 2003 to 2008, if that matters.
>
> Is there any way to find out which user holds that SPN, or is there
> any way to remove it?

Look for host/omu.su
There is an attribute sPNMappings that controls the mapping between
host and the services it implicitly aliases, so the cifs/ entry (and
http/ along with many others) don't need to be listed explicitly on
every service.
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
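As an added illustration of the aliasing Andrew describes (example code written for this page, not from the thread or from the Samba project): the script below takes a service SPN such as cifs/oml.su, checks whether its service class appears in an sPNMappings value of the form "host=svc1,svc2,...", and if so prints the host/ principal an administrator should search for instead. The sPNMappings value embedded here is a constructed sample, not the real default; the ldbsearch invocation and the sam.ldb path it prints are assumptions about a typical Samba AD DC and may need adjusting.

```shell
#!/bin/sh
# Added example for the samba list thread about an "orphan" cifs/ SPN.
# sPNMappings makes host/<name> implicitly answer for cifs/<name>, http/<name>
# and other listed service classes, so exportkeytab can find keys for a
# cifs/ principal that is not itself on any account.

# Constructed sample in the documented "alias=svc1,svc2,..." format.
# The real value (usually much longer) lives on the nTDSService object:
# CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<forest DN>
SAMPLE_MAPPINGS="host=alerter,appmgmt,browser,cifs,dns,http,nfs,w3svc,www"

# alias_host_for_spn SPN MAPPINGS
#   Prints "<alias>/<hostname>" (normally host/<hostname>) when SPN's service
#   class is aliased by MAPPINGS; prints nothing and returns 1 otherwise.
#   An optional @REALM suffix is ignored; class comparison is case-insensitive,
#   matching how the KDC treats SPN service classes.
alias_host_for_spn() {
    spn="$1"
    mappings="$2"
    spn="${spn%%@*}"                 # drop @REALM if present
    class="${spn%%/*}"               # service class, e.g. cifs
    target="${spn#*/}"               # host part, e.g. oml.su
    class=$(printf '%s' "$class" | tr '[:upper:]' '[:lower:]')

    # sPNMappings is multi-valued; each value is one "alias=list" entry.
    for entry in $mappings; do
        alias="${entry%%=*}"
        list="${entry#*=}"
        old_ifs="$IFS"
        IFS=','
        for svc in $list; do
            svc=$(printf '%s' "$svc" | tr '[:upper:]' '[:lower:]')
            if [ "$svc" = "$class" ]; then
                IFS="$old_ifs"
                printf '%s/%s\n' "$alias" "$target"
                return 0
            fi
        done
        IFS="$old_ifs"
    done
    return 1
}

# search_cmd SPN
#   Prints the ldbsearch command that lists every account carrying SPN.
#   Assumption: sam.ldb at the Samba default location; distro packages often
#   use /var/lib/samba/private/sam.ldb instead (override with SAM_LDB).
search_cmd() {
    sam_ldb="${SAM_LDB:-/usr/local/samba/private/sam.ldb}"
    printf 'ldbsearch -H %s "(servicePrincipalName=%s)" dn servicePrincipalName\n' \
        "$sam_ldb" "$1"
}

# Offline demonstration with the constructed mappings.
for spn in cifs/oml.su HTTP/oml.su@OML.SU ldap/oml.su; do
    if host_spn=$(alias_host_for_spn "$spn" "$SAMPLE_MAPPINGS"); then
        echo "$spn is aliased by $host_spn; search for the holder with:"
        echo "  $(search_cmd "$host_spn")"
    else
        echo "$spn is not aliased by sPNMappings; search for it directly:"
        echo "  $(search_cmd "$spn")"
    fi
done
```

On a real DC, replace SAMPLE_MAPPINGS with the output of an ldbsearch against the Directory Service object (base scope, attribute sPNMappings) before deciding which principal to look for; the aliasing only explains the exportkeytab result, it does not create an account object to delete.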