21.01.2025 13:55, Rowland Penny via samba wrote:
> On Tue, 21 Jan 2025 12:51:26 +0300
> Michael Tokarev via samba <samba at lists.samba.org> wrote:
>
>> Hi!
>>
>> I'm not sure I understand how SPNs are registered in the AD domain.
>> I know when a regular samba server is joined to an AD domain, a few
>> SPNs are registered - namely, CIFS/$netbios_name and each for
>> CIFS/$netbios_aliases (where netbios name and netbios aliases are
>> the parameters in smb.conf - yes I know these are obsolete, but in
>> this case they're actually used for a non-obsolete task).
>
> Are you sure about that ?

I'm sure about the names after the / - ie, the "host" names of the SPNs
it is registering. I was wrong about the "CIFS" part though, exactly as
you noted.

The thing is: I don't know the details here, hence I'm asking. If I
was sure, there'd be no need to ask in the first place.

So I stand corrected. Samba registers the HOST/$netbios_name SPN, and it
now actually registers the HOST/$netbios_name.$REALM SPN too, - at least
when doing `net ads join`. It also registers the same pairs for all
names listed in the netbios aliases parameter.

For the HOST/$netbios_name.$REALM SPN, it looks like this one wasn't
registered before, but I'm not certain about this. This question of mine
came up because I found out that the HOST/name.dom.ain SPN wasn't
registered, while HOST/name is, - for a samba server which joined
a windows domain (not a samba domain) with samba version 4.16 or maybe
even 4.13. The problematic missing SPN was HOST/name.dom.ain, the
full name of the host.

But this is sort of orthogonal to my question.

My question was more how/who/when the additional names are added AFTER
the join - should I ask the domain admin to do this, or can samba do it
from the samba host side?

And in particular, in this specific case, how to add the SPN for the
full name of the host.

Thanks,

/mjt

>> Is there a list of other SPNs - for other names this server is known
>> as - which should be registered too, or is it done later?
>>
>> A windows machine registers CIFS/name and CIFS/name.domain principals,
>> but samba does not do this when joining - when and by whom should the
>> other name be registered?
>>
>> Can one add some principals to smb.conf so they get registered
>> automatically, or should it be done by an AD administrator?
22.01.2025 09:32, Michael Tokarev via samba wrote:
> 21.01.2025 13:55, Rowland Penny via samba wrote:
>> On Tue, 21 Jan 2025 12:51:26 +0300
>> Michael Tokarev via samba <samba at lists.samba.org> wrote:
>>
>>> Hi!
>>>
>>> I'm not sure I understand how SPNs are registered in the AD domain.
>>> I know when a regular samba server is joined to an AD domain, a few
>>> SPNs are registered - namely, CIFS/$netbios_name and each for
>>> CIFS/$netbios_aliases (where netbios name and netbios aliases are
>>> the parameters in smb.conf - yes I know these are obsolete, but in
>>> this case they're actually used for a non-obsolete task).
>>
>> Are you sure about that ?
>
> I'm sure about the names after the / - ie, the "host" names of the SPNs
> it is registering. I was wrong about the "CIFS" part though, exactly as
> you noted.
>
> The thing is: I don't know the details here, hence I'm asking. If I
> was sure, there'd be no need to ask in the first place.

For the curious - I had to actually find out how it works.

The client (smbclient) actually asks for CIFS/host. This is where I
thought such an SPN is actually registered, because the reply is
positive. But the only real service part of the SPN being registered
is HOST/*, not CIFS/* - the CIFS one is derived from the (global)
sPNMappings record.

There's one more "service part" SPN which is registered for a samba
server in a domain -- RestrictedKrbHost/* - which is not aliased using
sPNMappings.

/mjt
On Wed, 22 Jan 2025 09:32:19 +0300
Michael Tokarev via samba <samba at lists.samba.org> wrote:

> 21.01.2025 13:55, Rowland Penny via samba wrote:
> > On Tue, 21 Jan 2025 12:51:26 +0300
> > Michael Tokarev via samba <samba at lists.samba.org> wrote:
> >
> >> Hi!
> >>
> >> I'm not sure I understand how SPNs are registered in the AD domain.
> >> I know when a regular samba server is joined to an AD domain, a few
> >> SPNs are registered - namely, CIFS/$netbios_name and each for
> >> CIFS/$netbios_aliases (where netbios name and netbios aliases are
> >> the parameters in smb.conf - yes I know these are obsolete, but in
> >> this case they're actually used for a non-obsolete task).
> >
> > Are you sure about that ?
>
> I'm sure about the names after the / - ie, the "host" names of the
> SPNs it is registering. I was wrong about the "CIFS" part though,
> exactly as you noted.
>
> The thing is: I don't know the details here, hence I'm asking. If I
> was sure, there'd be no need to ask in the first place.
>
> So I stand corrected. Samba registers the HOST/$netbios_name SPN, and it
> now actually registers the HOST/$netbios_name.$REALM SPN too, - at least
> when doing `net ads join`. It also registers the same pairs for
> all names listed in the netbios aliases parameter.
>
> For the HOST/$netbios_name.$REALM SPN, it looks like this one wasn't
> registered before, but I'm not certain about this. This question of
> mine came up because I found out that the HOST/name.dom.ain SPN wasn't
> registered, while HOST/name is, - for a samba server which joined
> a windows domain (not a samba domain) with samba version 4.16 or maybe
> even 4.13. The problematic missing SPN was HOST/name.dom.ain, the
> full name of the host.
>
> But this is sort of orthogonal to my question.
>
> My question was more how/who/when the additional names are added AFTER
> the join - should I ask the domain admin to do this, or can samba do it
> from the samba host side?

When I join domain members, the domain member gets 4 SPNs:

servicePrincipalName: HOST/UPPERCASE_SHORT_HOSTNAME.lowercase_dns_domain
servicePrincipalName: RestrictedKrbHost/UPPERCASE_SHORT_HOSTNAME.lowercase_dns_domain
servicePrincipalName: HOST/UPPERCASE_SHORT_HOSTNAME
servicePrincipalName: RestrictedKrbHost/UPPERCASE_SHORT_HOSTNAME

> And in particular, in this specific case, how to add the SPN for the
> full name of the host.

Isn't the first of the SPNs above what you are asking about ?

If you need to add any SPNs, you can do this with:

samba-tool spn add <name> <user>

Just remember that a computer is a user as well.

Rowland
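The thread describes two things worth being able to check offline: the four SPNs per name (HOST/ and RestrictedKrbHost/, short and fully qualified) that a join is said to register, and the way a request for CIFS/host is satisfied by HOST/host through the sPNMappings alias table while RestrictedKrbHost is not aliased. The script below is an added example, not code from the Samba project or from anyone in this thread. The servicePrincipalName values, the host name FILESRV, the alias FILES, the realm example.com, the account name FILESRV$ and the sPNMappings string are all constructed sample data; the real sPNMappings attribute holds a much longer "host=..." list, and only a few services are included here.

```python
"""Compare a joined host's registered SPNs with the set a join is expected
to register, and resolve a client-requested SPN through an sPNMappings-style
alias table.  Added example with constructed data; not Samba code."""

# Constructed: what a join registers for FILESRV, plus an alias FILES that
# (as in the older-join case discussed in the thread) only got short-name SPNs.
SAMPLE_SPNS = [
    "HOST/FILESRV.example.com",
    "RestrictedKrbHost/FILESRV.example.com",
    "HOST/FILESRV",
    "RestrictedKrbHost/FILESRV",
    "HOST/FILES",
    "RestrictedKrbHost/FILES",
]

# Constructed subset of an sPNMappings value ("host=svc1,svc2,...").
SAMPLE_SPN_MAPPINGS = "host=cifs,http,ldap,rpc"


def parse_spn_mappings(value):
    """'host=cifs,http' -> {'cifs': 'host', 'http': 'host'} (lowercased)."""
    target, _, aliases = value.partition("=")
    target = target.strip().lower()
    return {a.strip().lower(): target for a in aliases.split(",") if a.strip()}


def split_spn(spn):
    """'HOST/Name.dom' -> ('host', 'name.dom'); SPN matching is case-insensitive."""
    service, _, host = spn.partition("/")
    return service.lower(), host.lower()


def expected_spns(netbios_name, realm, aliases=()):
    """The four SPNs per name the thread lists: HOST/ and RestrictedKrbHost/
    for NAME.realm and for NAME, repeated for each netbios alias."""
    out = []
    for name in (netbios_name, *aliases):
        for svc in ("HOST", "RestrictedKrbHost"):
            out.append(f"{svc}/{name.upper()}.{realm.lower()}")
            out.append(f"{svc}/{name.upper()}")
    return out


def missing_spns(registered, netbios_name, realm, aliases=()):
    """Expected SPNs not present in the registered list (case-insensitive)."""
    have = {split_spn(s) for s in registered}
    return [s for s in expected_spns(netbios_name, realm, aliases)
            if split_spn(s) not in have]


def resolve_spn(requested, registered, spn_mappings):
    """Return the registered SPN that satisfies a request, or None.
    A direct match wins; otherwise, if the requested service is an alias in
    sPNMappings (cifs -> host), look for HOST/<same host>.  RestrictedKrbHost
    is only reachable by direct match, since it is not aliased."""
    alias_of = parse_spn_mappings(spn_mappings)
    req_svc, req_host = split_spn(requested)
    by_key = {split_spn(s): s for s in registered}
    if (req_svc, req_host) in by_key:
        return by_key[(req_svc, req_host)]
    target = alias_of.get(req_svc)
    if target is not None and (target, req_host) in by_key:
        return by_key[(target, req_host)]
    return None


def samba_tool_add_commands(missing, account):
    """One 'samba-tool spn add <name> <user>' line per missing SPN.  The
    account is the computer account (assumed sAMAccountName form, e.g. FILESRV$),
    since a computer is a user as well."""
    return [f"samba-tool spn add {spn} {account}" for spn in missing]


if __name__ == "__main__":
    miss = missing_spns(SAMPLE_SPNS, "FILESRV", "example.com", aliases=["FILES"])
    print("missing:", miss)
    for req in ("cifs/filesrv.example.com", "cifs/files.example.com",
                "restrictedkrbhost/filesrv"):
        print(req, "->", resolve_spn(req, SAMPLE_SPNS, SAMPLE_SPN_MAPPINGS))
    for cmd in samba_tool_add_commands(miss, "FILESRV$"):
        print(cmd)
```

With the constructed data, the only missing SPNs are the fully qualified ones for the alias (HOST/FILES.example.com and RestrictedKrbHost/FILES.example.com), so cifs/filesrv.example.com resolves to HOST/FILESRV.example.com via the alias table while cifs/files.example.com does not resolve at all, which is the symptom the thread started from.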