On Tue, 21 Jan 2025 12:51:26 +0300
Michael Tokarev via samba <samba at lists.samba.org> wrote:

> Hi!
>
> I'm not sure I understand how SPNs are registered in the AD domain.
> I know when a regular samba server is joined to an AD domain, a few
> SPNs are registered - namely, CIFS/$netbios_name and each for
> CIFS/$netbios_aliases (where netbios name and netbios aliases are
> the parameters in smb.conf - yes I know these are obsolete, but in
> this case they're actually used for a non-obsolete task).

Are you sure about that?

> Is there a list of other SPNs - for other names this server is known
> as - which should be registered too, or is it done later?
>
> A windows machine registers CIFS/name and CIFS/name.domain principals,
> but samba does not do this when joining - when and by whom should the
> other name be registered?
>
> Can one add some principals to smb.conf so they get registered
> automatically, or should it be done by an AD administrator?
>
> Thanks,
>
> /mjt

I ask about your SPNs because I do not have any SPNs in AD that start
with CIFS or cifs, and there is a good reason for this: SPNMapping.

If you run on a DC:

sudo ldbsearch -P --cross-ncs -H /var/lib/samba/private/sam.ldb -b 'CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=samdom,DC=example,DC=com' -s base sPNMappings

That should be all on one line; replace 'DC=samdom,DC=example,DC=com'
with your dns domain details.
You should get something like this back:

dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=samdom,DC=example,DC=com
sPNMappings: host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,replicator,eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,fax,msiserver,ias,messenger,netlogon,netman,netdde,netddedsm,nmagent,plugplay,protectedstorage,rasman,rpclocator,rpc,rpcss,remoteaccess,rsvp,samss,scardsvr,scesrv,seclogon,scm,dcom,cifs,spooler,snmp,schedule,tapisrv,trksvr,trkwks,ups,time,wins,www,http,w3svc,iisadmin,msdtc

If you look closely, you will find that 'host' or 'HOST' is mapped to
'cifs', so you do not require explicit 'CIFS' SPNs. This isn't a Samba
thing, it is a Windows AD thing. You do however need 'nfs' SPNs, if
using NFS.

Rowland
21.01.2025 13:55, Rowland Penny via samba wrote:
> On Tue, 21 Jan 2025 12:51:26 +0300
> Michael Tokarev via samba <samba at lists.samba.org> wrote:
>
>> Hi!
>>
>> I'm not sure I understand how SPNs are registered in the AD domain.
>> I know when a regular samba server is joined to an AD domain, a few
>> SPNs are registered - namely, CIFS/$netbios_name and each for
>> CIFS/$netbios_aliases (where netbios name and netbios aliases are
>> the parameters in smb.conf - yes I know these are obsolete, but in
>> this case they're actually used for a non-obsolete task).
>
> Are you sure about that?

I'm sure about the names after the / - i.e., the "host" names of the
SPNs it is registering. I was wrong about the "CIFS" part though,
exactly as you noted. The thing is: I don't know the details here,
hence I'm asking. If I was sure, there'd be no need to ask in the first
place.

So I stand corrected. Samba registers the HOST/$netbios_name SPN, and it
now actually registers the HOST/$netbios_name.$REALM SPN too - at least
when doing `net ads join`. It also registers all the same pairs for all
names listed in the netbios aliases parameter. For the
HOST/$netbios_name.$REALM SPN, it looks like this one wasn't registered
before, but I'm not certain about this.

My question came up because I found out that the HOST/name.dom.ain SPN
wasn't registered, while HOST/name is - for a samba server which joined
a windows domain (not a samba domain) with samba version 4.16 or maybe
even 4.13. The problematic missing SPN was HOST/name.dom.ain, the full
name of the host.

But this is sort of orthogonal to my question. My question was more
how/who/when the additional names are added AFTER the join - should I
ask the domain admin to do this, or can samba do it from the samba host
side? And in particular, in this specific case, how to add the SPN for
the full name of the host.

Thanks,

/mjt

>> Is there a list of other SPNs - for other names this server is known
>> as - which should be registered too, or is it done later?
>>
>> A windows machine registers CIFS/name and CIFS/name.domain principals,
>> but samba does not do this when joining - when and by whom should the
>> other name be registered?
>>
>> Can one add some principals to smb.conf so they get registered
>> automatically, or should it be done by an AD administrator?
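As an added example (not from this thread and not Samba's own code), the following Python reproduces Rowland's sPNMappings point offline and answers Michael's practical question in a checkable way: it unfolds the LDIF that ldbsearch prints (continuation lines start with a space, which is why the quoted output showed words like "replicat or" split), parses the host=... mapping, and then reports which of the SPNs a server is known by are already satisfied by its HOST/ entries and which still need to be registered explicitly (nfs/ because it is not in the mapping; HOST/ or cifs/ for a name such as the fqdn when only the short name was registered, which is exactly the missing HOST/name.dom.ain case above). The LDIF sample is constructed from the output quoted in Rowland's message; the hostnames fs1 and fs1.samdom.example.com and the registered-SPN sets are made up for the illustration.

```python
"""Offline check: which SPNs does an AD account still need, given sPNMappings?

Added example, not part of the samba list thread or of Samba itself.
"""

# Constructed sample of what ldbsearch prints for sPNMappings, including the
# LDIF line folding (continuation lines begin with a single space). The value
# is the Windows default host= mapping quoted in the thread.
SAMPLE_LDIF = """\
dn: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=samdom,DC=example,DC=com
sPNMappings: host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,replicat
 or,eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,fax,msiserver,i
 as,messenger,netlogon,netman,netdde,netddedsm,nmagent,plugplay,protectedstora
 ge,rasman,rpclocator,rpc,rpcss,remoteaccess,rsvp,samss,scardsvr,scesrv,seclog
 on,scm,dcom,cifs,spooler,snmp,schedule,tapisrv,trksvr,trkwks,ups,time,wins,ww
 w,http,w3svc,iisadmin,msdtc
"""


def unfold_ldif(text):
    """Join LDIF continuation lines (leading space) back onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_spn_mappings(text):
    """Return {alias_service: target_service}, e.g. {'cifs': 'host', ...}.

    sPNMappings is multi-valued; each value has the form 'target=a,b,c'.
    Service classes are compared case-insensitively, as the KDC does.
    """
    mapping = {}
    for line in unfold_ldif(text):
        attr, sep, value = line.partition(":")
        if not sep or attr.strip().lower() != "spnmappings":
            continue
        target, _, aliases = value.strip().partition("=")
        for alias in aliases.split(","):
            alias = alias.strip().lower()
            if alias:
                mapping[alias] = target.strip().lower()
    return mapping


def spn_is_covered(spn, registered, mapping):
    """True if `spn` (e.g. 'cifs/fs1.samdom.example.com') is satisfied by the
    account's registered SPNs, either directly or through sPNMappings
    (cifs/X is served by host/X when 'cifs' maps to 'host').

    The instance part must match exactly (case-insensitively): HOST/fs1 does
    not cover HOST/fs1.samdom.example.com. A trailing @REALM is ignored;
    :port and /service-name suffixes are not normalised here.
    """
    service, sep, instance = spn.partition("/")
    if not sep or not instance:
        raise ValueError("SPN must have the form service/instance")
    service = service.lower()
    instance = instance.split("@", 1)[0].lower()
    registered_norm = {s.split("@", 1)[0].lower() for s in registered}
    if f"{service}/{instance}" in registered_norm:
        return True
    target = mapping.get(service)
    return target is not None and f"{target}/{instance}" in registered_norm


def spns_to_add(services, names, registered, mapping):
    """List the service/name SPNs that are not yet covered and must be added."""
    return sorted(
        f"{svc}/{name}"
        for svc in services
        for name in names
        if not spn_is_covered(f"{svc}/{name}", registered, mapping)
    )


if __name__ == "__main__":
    mapping = parse_spn_mappings(SAMPLE_LDIF)
    # Hypothetical server: short name registered by the join, fqdn missing.
    registered = {"HOST/FS1"}
    names = ["fs1", "fs1.samdom.example.com"]
    print("cifs -> %s" % mapping.get("cifs"))          # host
    print("nfs  -> %s" % mapping.get("nfs"))           # None: no mapping
    print("to add:", spns_to_add(["host", "cifs", "nfs"], names, registered, mapping))
```

Feed it the real output of the ldbsearch command from Rowland's message instead of SAMPLE_LDIF, and the SPN list of the computer account (for example from `net ads setspn list`, a subcommand recent Samba versions carry; it is not discussed in the thread, so check `net ads help` on your version), and spns_to_add gives the exact entries to register. Registering them with `net ads setspn add` from the host, or having the domain admin set servicePrincipalName on the computer object, are the two options the thread asks about; the check itself does not depend on which one you use.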