Rowland Penny
2022-Jan-28 13:54 UTC
[Samba] Fwd: spn on joined vs. unjoined computer account
On Fri, 2022-01-28 at 14:42 +0100, Kees van Vloten via samba wrote:
> A little more info:
>
> samba-tool computer show nojoined-comp
>
> dn: CN=nojoined-comp,OU=Servers,DC=samdom,DC=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> objectClass: computer
> cn: nojoined-comp
> instanceType: 4
> whenCreated: 20211130212554.0Z
> uSNCreated: 9620
> name: nojoined-comp
> objectGUID: 44da3a8e-65b3-4ce3-95c3-e5b34034cfe1
> userAccountControl: 4098
> badPwdCount: 0
> codePage: 0
> countryCode: 0
> badPasswordTime: 0
> lastLogoff: 0
> lastLogon: 0
> pwdLastSet: 0
> primaryGroupID: 515
> objectSid: S-1-5-21-4190054395-3630394414-2036191173-1267
> accountExpires: 9223372036854775807
> logonCount: 0
> sAMAccountName: nojoined-comp$
> sAMAccountType: 805306369
> objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=samdom,DC=com
> isCriticalSystemObject: FALSE
> msDS-SupportedEncryptionTypes: 16
> servicePrincipalName: http/nojoined-comp.samdom.com
> whenChanged: 20220128090502.0Z
> uSNChanged: 10839
> distinguishedName: CN=nojoined-comp,OU=Servers,DC=samdom,DC=com
>
> Although it is impossible to export the keytab for the http SPN, it did
> register it. Does that make any sense?
>
> - Kees

Your problem is probably being caused by a lack of a password: you can
create a computer account in AD, but until you join it, it is unlikely
to have a unicodePwd attribute and hence no password. No password
means no SPN in keytab, and no SPN in keytab means no keytab.

Rowland
Kees van Vloten
2022-Jan-28 14:08 UTC
[Samba] Fwd: spn on joined vs. unjoined computer account
On 28-01-2022 14:54, Rowland Penny via samba wrote:
> On Fri, 2022-01-28 at 14:42 +0100, Kees van Vloten via samba wrote:
>> A little more info:
>>
>> samba-tool computer show nojoined-comp
>>
>> dn: CN=nojoined-comp,OU=Servers,DC=samdom,DC=com
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> objectClass: computer
>> cn: nojoined-comp
>> instanceType: 4
>> whenCreated: 20211130212554.0Z
>> uSNCreated: 9620
>> name: nojoined-comp
>> objectGUID: 44da3a8e-65b3-4ce3-95c3-e5b34034cfe1
>> userAccountControl: 4098
>> badPwdCount: 0
>> codePage: 0
>> countryCode: 0
>> badPasswordTime: 0
>> lastLogoff: 0
>> lastLogon: 0
>> pwdLastSet: 0
>> primaryGroupID: 515
>> objectSid: S-1-5-21-4190054395-3630394414-2036191173-1267
>> accountExpires: 9223372036854775807
>> logonCount: 0
>> sAMAccountName: nojoined-comp$
>> sAMAccountType: 805306369
>> objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=samdom,DC=com
>> isCriticalSystemObject: FALSE
>> msDS-SupportedEncryptionTypes: 16
>> servicePrincipalName: http/nojoined-comp.samdom.com
>> whenChanged: 20220128090502.0Z
>> uSNChanged: 10839
>> distinguishedName: CN=nojoined-comp,OU=Servers,DC=samdom,DC=com
>>
>> Although it is impossible to export the keytab for the http SPN, it did
>> register it. Does that make any sense?
>>
>> - Kees
>
> Your problem is probably being caused by a lack of a password, you can
> create a computer account in AD, but until you join it, it is unlikely
> to have a unicodePwd attribute and hence, no password. No password
> means no SPN in keytab and no SPN in keytab means no keytab.
>
> Rowland

Indeed, it shows 'pwdLastSet: 0', which probably means a password was
never set, i.e. no unicodePwd attribute. For user accounts samba-tool has
an option to set the password, but there is no such thing for computer
accounts. What would be the way to set a password on a computer account
on the DC (and without joining the machine)?

- Kees
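Rowland's explanation and Kees's observation amount to a simple audit rule: a computer object that carries a servicePrincipalName while pwdLastSet is still 0 has had an SPN registered on an account that has no password (no unicodePwd), so no keytab can be exported for it. The script below, an added example that is neither Samba project code nor either poster's, parses the attribute listing that `samba-tool computer show` prints and applies that rule, together with a decode of the userAccountControl and msDS-SupportedEncryptionTypes values seen in the thread. The sample record is the one quoted above (with the mailer-wrapped objectCategory value re-joined); the flag and encryption-type bit values are the standard AD ones.

```python
# Added audit helper (not Samba project code, not from the thread's posters):
# parse `samba-tool computer show` output and flag SPNs on passwordless
# computer accounts, as discussed in the thread.

# Standard AD userAccountControl bits (assumed; documented by Microsoft).
ACCOUNTDISABLE = 0x0002
WORKSTATION_TRUST_ACCOUNT = 0x1000

# Standard msDS-SupportedEncryptionTypes bits (assumed; documented by Microsoft).
ENC_TYPES = {
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}

# Constructed sample: the record quoted in the thread, trimmed to the
# attributes the audit uses, with objectCategory on a single line.
SAMPLE_RECORD = """\
dn: CN=nojoined-comp,OU=Servers,DC=samdom,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: nojoined-comp
userAccountControl: 4098
pwdLastSet: 0
primaryGroupID: 515
sAMAccountName: nojoined-comp$
sAMAccountType: 805306369
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=samdom,DC=com
msDS-SupportedEncryptionTypes: 16
servicePrincipalName: http/nojoined-comp.samdom.com
"""


def parse_record(text):
    """Parse one LDIF-style record into {attribute: [values]}.

    Multi-valued attributes (objectClass, servicePrincipalName) keep every
    value in order; an LDIF continuation line (leading space) is appended
    to the previous value.
    """
    attrs = {}
    last = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and last is not None:
            attrs[last][-1] += line[1:]
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not an "attribute: value" line; skip it
        last = key.strip()
        attrs.setdefault(last, []).append(value.strip())
    return attrs


def supported_enctypes(attrs):
    """Names of the Kerberos encryption types the account advertises."""
    enc = int(attrs.get("msDS-SupportedEncryptionTypes", ["0"])[0])
    return [name for bit, name in ENC_TYPES.items() if enc & bit]


def audit_computer(attrs):
    """Return a list of findings (empty means nothing to report).

    The central check is the thread's point: an SPN on an account whose
    pwdLastSet is 0 was registered on an account with no password, so a
    keytab for that SPN cannot be exported until the account gets one.
    """
    findings = []
    name = attrs.get("sAMAccountName", ["?"])[0]
    uac = int(attrs.get("userAccountControl", ["0"])[0])
    pwd_last_set = int(attrs.get("pwdLastSet", ["0"])[0])
    spns = attrs.get("servicePrincipalName", [])

    if not uac & WORKSTATION_TRUST_ACCOUNT:
        findings.append(f"{name}: not a workstation trust account (uac={uac})")
    if uac & ACCOUNTDISABLE:
        findings.append(f"{name}: account is disabled")
    if pwd_last_set == 0:
        findings.append(f"{name}: password never set (pwdLastSet=0)")
        if spns:
            findings.append(
                f"{name}: SPN(s) {', '.join(spns)} registered on a "
                f"passwordless account; keytab export will fail"
            )
    return findings


if __name__ == "__main__":
    record = parse_record(SAMPLE_RECORD)
    print("enctypes:", supported_enctypes(record))
    for finding in audit_computer(record):
        print("-", finding)
```

Run it against the real output by piping `samba-tool computer show <name>` into `parse_record`; a joined machine (pwdLastSet non-zero, userAccountControl 4096) produces no findings, while the pre-created account from the thread reports the disabled flag, the unset password, and the SPN that cannot yet be exported to a keytab.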