Hi Team,

Recently I was pointed by Rowland at the spnmapping which assigns a lot of SPNs to a computer account by default. (I am using Samba 4.15.3 (from Louis' repo) on Bullseye)

When trying to export the keytab for http on a computer account with a machine that has joined the domain, the export works fine. However on an account where the machine has not joined, the keytab is not exported and samba-tool just returns with rc=0.

With loglevel on 8 there is a clear difference in the output though:

samba-tool domain exportkeytab -d 8 --principal=http/joined-comp.samdom.com ~/spn_joined-comp_apache_http.keytab
<lot of lines>
schema_fsmo_init: we are master[yes] updates allowed[no]
gendb_search_v: DC=samdom,DC=com NULL -> 1
gendb_search_v: DC=samdom,DC=com NULL -> 1
Export one principal to /var/lib/ansible-admin/ansible/cache/samba_ad_dc/spn_joined-comp_apache_http.keytab
gendb_search_v: DC=samdom,DC=com NULL -> 1
sdb_kt_copy: smb_krb5_kt_add_entry for enctype=0x0012
../../lib/krb5_wrap/krb5_samba.c:1878: adding keytab entry for (http/joined-comp.samdom.com at SAMDOM.COM) with encryption type (18) and version (3)
sdb_kt_copy: smb_krb5_kt_add_entry for enctype=0x0017
../../lib/krb5_wrap/krb5_samba.c:1638: Will try to delete old keytab entries
../../lib/krb5_wrap/krb5_samba.c:1716: Saving entry with kvno [3] enctype [18] for principal: http/joined-comp.samdom.com at SAMDOM.COM.
../../lib/krb5_wrap/krb5_samba.c:1878: adding keytab entry for (http/joined-comp.samdom.com at SAMDOM.COM) with encryption type (23) and version (3)

echo $?
0

samba-tool domain exportkeytab -d 8 --principal=http/nojoined-comp.samdom.com ~/spn_nojoined-comp_apache_http.keytab
<lot of lines>
schema_fsmo_init: we are master[yes] updates allowed[no]
gendb_search_v: DC=samdom,DC=com NULL -> 1
gendb_search_v: DC=samdom,DC=com NULL -> 1
Export one principal to /var/lib/ansible-admin/ansible/cache/samba_ad_dc/spn_nojoined-comp_apache_http.keytab
gendb_search_v: DC=samdom,DC=com NULL -> 1

echo $?
0

Is it possible to get the export for the http SPN for the account 'nojoined-comp$'? Or shall I create a separate user account and put the http SPN on that for the unjoined situation? I have tried this but it fails with an SPN conflict when the machine is joined (which is correct due to the default spn-mapping).

- Kees
Kees van Vloten
2022-Jan-28 13:42 UTC
[Samba] Fwd: spn on joined vs. unjoined computer account
A little more info:

samba-tool computer show nojoined-comp
dn: CN=nojoined-comp,OU=Servers,DC=samdom,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: nojoined-comp
instanceType: 4
whenCreated: 20211130212554.0Z
uSNCreated: 9620
name: nojoined-comp
objectGUID: 44da3a8e-65b3-4ce3-95c3-e5b34034cfe1
userAccountControl: 4098
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 0
primaryGroupID: 515
objectSid: S-1-5-21-4190054395-3630394414-2036191173-1267
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: nojoined-comp$
sAMAccountType: 805306369
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=samdom,DC=com
isCriticalSystemObject: FALSE
msDS-SupportedEncryptionTypes: 16
servicePrincipalName: http/nojoined-comp.samdom.com
whenChanged: 20220128090502.0Z
uSNChanged: 10839
distinguishedName: CN=nojoined-comp,OU=Servers,DC=samdom,DC=com

Although it is impossible to export the keytab for the http SPN, it did register it. Does that make any sense?

- Kees
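As an added example (not from Kees's posts or from Samba itself): a POSIX shell wrapper that turns the silent rc=0 seen in the thread into a hard failure by checking that the exported keytab really contains a key for the requested SPN. It assumes samba-tool and MIT's klist (Debian's krb5-user) are on PATH, and that klist lists one key per line with the principal as one whitespace-separated field; the `pwdLastSet: 0` reading in the usage note is my assumption, not something the thread confirms.

```shell
# Added example, not code from the post or from Samba: wrap the keytab export
# so that rc=0 is only trusted when a key for the requested SPN was written.
# Assumes samba-tool and MIT klist on PATH.

# count_keytab_entries PRINCIPAL: reads klist output on stdin and prints how
# many lines carry PRINCIPAL (with or without an @REALM suffix). Works on
# MIT "klist -kt" (KVNO Timestamp Principal) and Heimdal (Vno Type Principal)
# layouts because it compares every whitespace-separated field.
count_keytab_entries() {
    awk -v p="$1" '
        { for (i = 1; i <= NF; i++)
              if ($i == p || index($i, p "@") == 1) { n++; break } }
        END { print n + 0 }'
}

# export_and_verify PRINCIPAL KEYTAB: run the export, then distrust rc=0
# unless the keytab exists, is non-empty and lists at least one key for
# PRINCIPAL. Return codes: 1 = samba-tool failed, 2 = file empty, 3 = no key.
export_and_verify() {
    principal="$1"
    keytab="$2"
    samba-tool domain exportkeytab --principal="$principal" "$keytab" || return 1
    if [ ! -s "$keytab" ]; then
        echo "error: $keytab missing or empty after export of $principal" >&2
        return 2
    fi
    # MIT klist: -k = keytab mode, -t = show timestamps, then the file name
    n=$(klist -kt "$keytab" | count_keytab_entries "$principal")
    if [ "$n" -eq 0 ]; then
        echo "error: no key for $principal in $keytab (does the account have a password set?)" >&2
        return 3
    fi
    echo "ok: $n key(s) for $principal in $keytab"
}
```

For the joined account the thread shows two entries being written (enctypes 18 and 23, kvno 3), so the wrapper reports two keys there; for nojoined-comp$ it returns 3 instead of the misleading 0. My assumption is that `pwdLastSet: 0` on that account means it has never had a password and therefore holds no keys the export could copy, which would explain why the SPN registers fine but the keytab stays empty.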