Kees van Vloten
2022-Jan-28 15:08 UTC
[Samba] Fwd: Fwd: spn on joined vs. unjoined computer account
On 28-01-2022 15:28, Rowland Penny via samba wrote:
> On Fri, 2022-01-28 at 15:08 +0100, Kees van Vloten via samba wrote:
>> On 28-01-2022 14:54, Rowland Penny via samba wrote:
>>> On Fri, 2022-01-28 at 14:42 +0100, Kees van Vloten via samba wrote:
>>>> A little more info:
>>>>
>>>> samba-tool computer show nojoined-comp
>>>>
>>>> dn: CN=nojoined-comp,OU=Servers,DC=samdom,DC=com
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: organizationalPerson
>>>> objectClass: user
>>>> objectClass: computer
>>>> cn: nojoined-comp
>>>> instanceType: 4
>>>> whenCreated: 20211130212554.0Z
>>>> uSNCreated: 9620
>>>> name: nojoined-comp
>>>> objectGUID: 44da3a8e-65b3-4ce3-95c3-e5b34034cfe1
>>>> userAccountControl: 4098
>>>> badPwdCount: 0
>>>> codePage: 0
>>>> countryCode: 0
>>>> badPasswordTime: 0
>>>> lastLogoff: 0
>>>> lastLogon: 0
>>>> pwdLastSet: 0
>>>> primaryGroupID: 515
>>>> objectSid: S-1-5-21-4190054395-3630394414-2036191173-1267
>>>> accountExpires: 9223372036854775807
>>>> logonCount: 0
>>>> sAMAccountName: nojoined-comp$
>>>> sAMAccountType: 805306369
>>>> objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=samdom,DC=com
>>>> isCriticalSystemObject: FALSE
>>>> msDS-SupportedEncryptionTypes: 16
>>>> servicePrincipalName: http/nojoined-comp.samdom.com
>>>> whenChanged: 20220128090502.0Z
>>>> uSNChanged: 10839
>>>> distinguishedName: CN=nojoined-comp,OU=Servers,DC=samdom,DC=com
>>>>
>>>> Although it is impossible to export the keytab for the http SPN, it
>>>> did register it. Does that make any sense?
>>>>
>>>> - Kees
>>> Your problem is probably being caused by a lack of a password, you
>>> can create a computer account in AD, but until you join it, it is
>>> unlikely to have a unicodePwd attribute and hence, no password. No
>>> password means no SPN in keytab and no SPN in keytab means no keytab.
>>>
>>> Rowland
>>>
>> Indeed it shows 'pwdLastSet: 0', which probably means a password was
>> never set, i.e. no unicodePwd attribute.
>> For user accounts samba-tool has an option to set the password, but
>> there is no such thing for computer accounts.
>>
>> What would be the way to set a password on a computer-account on the
>> DC (and without joining the machine)?
>>
>> - Kees
>>
> You need to add the unicodePwd attribute with something like this:
>
> #!/bin/bash
>
> _USER_PW=C0mpL3xP4ssW0rd
> UNICODEPWD=$(echo -n "\"$_USER_PW\"" | iconv -f UTF-8 -t UTF-16LE |
> base64 -w 0)
>
> # add the ldif
> echo "dn: CN=notindom,OU=NonDom,DC=samdom,DC=example,DC=com
> changetype: modify
> replace: unicodePwd
> unicodePwd::$UNICODEPWD" | ldbmodify -H /var/lib/samba/private/sam.ldb
>
> Rowland
>
Thanks Rowland! I have just run your bash script and I can confirm that
extracting the keytab works now :-)

- Kees
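The encoding that Rowland's script relies on, written out as an added Python example (not code from the thread or from Samba): the unicodePwd value is the password wrapped in double quotes, encoded as UTF-16LE and then base64'd, which is why the LDIF line uses the double-colon (base64) form. The example also round-trips the value to show the quoting is part of the payload, builds the same `replace: unicodePwd` LDIF record, and parses `samba-tool computer show` output to flag an account whose `pwdLastSet` is 0, i.e. one that has never had a password and so cannot have its SPN exported to a keytab. The DN and password below are constructed placeholders; the sample `samba-tool` output is trimmed from the message above. Nothing here talks to a DC: the LDIF string is what you would pipe into `ldbmodify -H /var/lib/samba/private/sam.ldb` as in the thread.

```python
import base64


def unicode_pwd_value(password: str) -> str:
    """Return the base64 text AD/Samba expects for unicodePwd.

    The cleartext must be wrapped in literal double quotes and encoded as
    UTF-16LE (no BOM) before base64 encoding; this is the same pipeline as
    'echo -n "\"$PW\"" | iconv -f UTF-8 -t UTF-16LE | base64 -w 0'.
    """
    quoted = f'"{password}"'
    return base64.b64encode(quoted.encode("utf-16-le")).decode("ascii")


def decode_unicode_pwd(value: str) -> str:
    """Reverse unicode_pwd_value, rejecting payloads without the quotes."""
    raw = base64.b64decode(value).decode("utf-16-le")
    if len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
        raise ValueError("unicodePwd payload is not a double-quoted string")
    return raw[1:-1]


def set_password_ldif(dn: str, password: str) -> str:
    """Build the 'changetype: modify' record that replaces unicodePwd.

    'unicodePwd::' (two colons) tells the LDIF parser the value is base64.
    """
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {unicode_pwd_value(password)}",
        "",
    ])


def parse_show_output(text: str) -> dict:
    """Parse 'attribute: value' lines from samba-tool computer show output.

    Multi-valued attributes (objectClass) are kept as lists; everything else
    as a single string.
    """
    attrs: dict = {}
    for line in text.splitlines():
        if ": " not in line:
            continue
        key, value = line.split(": ", 1)
        if key in attrs:
            existing = attrs[key]
            attrs[key] = existing + [value] if isinstance(existing, list) else [existing, value]
        else:
            attrs[key] = value
    return attrs


def never_had_password(show_output: str) -> bool:
    """True when pwdLastSet is 0: no password was ever set on the account,
    so there is no key material to export for any of its SPNs."""
    attrs = parse_show_output(show_output)
    return attrs.get("pwdLastSet", "0").strip() == "0"


# Sample output, trimmed from the 'samba-tool computer show' in the thread.
SAMPLE_SHOW_OUTPUT = """\
dn: CN=nojoined-comp,OU=Servers,DC=samdom,DC=com
objectClass: top
objectClass: computer
cn: nojoined-comp
userAccountControl: 4098
pwdLastSet: 0
sAMAccountName: nojoined-comp$
servicePrincipalName: http/nojoined-comp.samdom.com
"""


if __name__ == "__main__":
    # Constructed placeholder DN and password, not values from a real domain.
    dn = "CN=nojoined-comp,OU=Servers,DC=samdom,DC=com"
    print("pwdLastSet is 0, keytab export will fail:",
          never_had_password(SAMPLE_SHOW_OUTPUT))
    print(set_password_ldif(dn, "C0mpL3xP4ssW0rd"))
```

Before running the generated LDIF through `ldbmodify`, re-run `samba-tool computer show` and confirm `pwdLastSet` is no longer 0; that is the observable sign the account now has key material for its SPNs.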