search for: restrictedkrbhost

...s_get_kvno: Searching for account HOSTNAME$ ads_get_kvno: Using: CN=HOSTNAME,OU=UXServers,OU=Servers,DC=domain,DC=net ads_get_kvno: Looked Up KVNO of: 9 ../../lib/krb5_wrap/krb5_samba.c:1692: Will try to delete old keytab entries ../../lib/krb5_wrap/krb5_samba.c:1771: Found old entry for principal: restrictedkrbhost/hostname.domain.net at DOMAIN.NET<mailto:restrictedkrbhost/gvlac231.dolgen.net at DOLGEN.NET>(kvno 1) - trying to remove it. ../../lib/krb5_wrap/krb5_samba.c:1788: removed old entry for principal: restrictedkrbhost/hostname.domain.net at DOMAIN.NET<mailto:restrictedkrbhost/gvlac231.dolgen....

...[2] ?? ? ldap/dc1.test.pt ?? ? HOST/dc1.test.pt/test.pt[2] ?? ? ldap/dc1.test.pt/test.pt[2] ?? ? HOST/dc1 ?? ? E3514235-4B06-11D1-AB04-00C04FC2DCD2/ea763557-5bb4-4885-bf7b-239eb94f483a/test.pt ?? ? ldap/ea763557-5bb4-4885-bf7b-239eb94f483a._msdcs.test.pt ?? ? ldap/dc1 ?? ? RestrictedKrbHost/dc1 ?? ? RestrictedKrbHost/dc1.test.pt > samba-tool spn list dc2$ dc2$ User CN=dc2,OU=Domain Controllers,DC=test,DC=pt has the following servicePrincipalName: ?? ? HOST/dc2 ?? ? HOST/dc2.test.pt ?? ? GC/dc2.test.pt/test.pt[3] ?? ? E3514235-4B06-11D1-AB04-00C04FC2D...

...= SMB2_10 client min protocol = SMB2 client max protocol = SMB3 [root at client ~]# hostname client.base.domain.org [root at client ~]# ktutil ktutil: rkt /etc/krb5.keytab ktutil: l slot KVNO Principal ---- ---- ----------------------------------------------------------- ---------- 1 2 restrictedkrbhost/client.domain.org at DOMAIN.ORG 2 2 restrictedkrbhost/CLIENT at DOMAIN.ORG 3 2 restrictedkrbhost/client.domain.org at DOMAIN.ORG 4 2 restrictedkrbhost/CLIENT at DOMAIN.ORG 5 2 restrictedkrbhost/client.domain.org at DOMAIN.ORG 6 2 restrictedkrbhost/CLIENT at DOMAIN.ORG 7 2 restrict...

...me of the computer object in Active Directory failed. The updated value was 'DC8.us.dignitastech.com'. The following error occurred: Access is denied. ----- Attempt to update HOST Service Principal Names (SPNs) of the computer object in Active Directory failed. The updated values were 'RestrictedKrbHost/DC8.us.dignitastech.com' and 'RestrictedKrbHost/DC8'. The following error occurred: Access is denied. ----- Internal error: An Active Directory Domain Services error has occurred. Additional Data Error value (decimal): 8374 Error value (hex): 20b6 Internal ID: 30d07c5 —— On the samb...

...of error I'm getting when joining my DC: ../lib/ldb/ldb_tdb/ldb_index.c:2352: duplicate attribute value in CN=somePC,OU=someOU,OU=Computers,OU=mysite,DC=mydomain,DC=org for index on servicePrincipalName, duplicate of objectGUID 00000000-1111-2222-3333-444444444444 in @INDEX:SERVICEPRINCIPALNAME:RESTRICTEDKRBHOST/SOMEPC Cheers Jonathan -- "If we knew what it was we were doing, it would not be called research, would it?" - Albert Einstein

...ain.tld > servicePrincipalName: TERMSRV/MB38W746-0009.ad.domain.tld > servicePrincipalName: TERMSRV/MB38W746-0009 > An affected client: # record 6 dn: CN=MACHINE1,CN=Computers,DC=ad,DC=domain,DC=domain,DC=tld servicePrincipalName: HOST/ MACHINE1.ad.domain.domain.tld servicePrincipalName: RestrictedKrbHost/MACHINE1.ad.domain.domain.tld servicePrincipalName: HOST/MACHINE1 servicePrincipalName: RestrictedKrbHost/MACHINE1 servicePrincipalName: TERMSRV/MACHINE1.ad.domain.domain.tld servicePrincipalName: TERMSRV/MACHINE1 Not affected: # record 19 dn: CN=MACHINE2,CN=Computers,DC=ad,DC=domain,DC=domain,DC=...

...ce replication does not work between windows DC and samba DC, as the samba DC has 2 identical WSMAN records samba-tool  spn list m7-arhiv$ m7-arhiv$ User CN=M7-ARHIV,OU=Computers M07,DC=example,DC=ru has the following servicePrincipalName:      HOST/M7-ARHIV      HOST/m7-arhiv.example.ru      RestrictedKrbHost/M7-ARHIV      RestrictedKrbHost/m7-arhiv.example.ru      TERMSRV/M7-ARHIV      TERMSRV/m7-arhiv.example.ru      WSMAN/M7-ARHIV      WSMAN/m7-arhiv.example.ru      WSMAN/m7-arhiv 10.10.2018 11:16, Andrew Bartlett пишет: > On Wed, 2018-10-10 at 10:42 +0500, Шигапов Денис Вильданович via sa...

...4/55555555-6666-7777-8888-9999999999/mydomain.org.uk HOST/dc1.mydomain.org.uk/MYDOMAIN ldap/dc1.mydomain.org.uk/MYDOMAIN ldap/dc1.mydomain.org.uk HOST/dc1.mydomain.org.uk/mydomain.org.uk ldap/dc1.mydomain.org.uk/mydomain.org.uk ldap/55555555-6666-7777-8888-9999999999._msdcs.mydomain.org.uk ldap/DC1 RestrictedKrbHost/DC1 RestrictedKrbHost/dc1.mydomain.org.uk ldap/dc1.mydomain.org.uk/DomainDnsZones.mydomain.org.uk ldap/dc1.mydomain.org.uk/ForestDnsZones.mydomain.org.uk However, before I was able to join DC1 successfully (when I was having the issues described in the original post), I finally spotted that DC2 ha...

...en the additional names added AFTER the > join - should I ask the domain admin to do this, or can samba do it > from the samba host side? When I join domain members, the domain member gets 4 SPNs: servicePrincipalName: HOST/UPPERCASE_SHORT_HOSTNAME.lowercase_dns_domain servicePrincipalName: RestrictedKrbHost/UPPERCASE_SHORT_HOSTNAME.lowercase_dns_domain servicePrincipalName: HOST/UPPERCASE_SHORT_HOSTNAME servicePrincipalName: RestrictedKrbHost/UPPERCASE_SHORT_HOSTNAME > > And in particular, in this specific case, how to add the SPN for the > full name for the host. Isn't the first of th...

...UPN (with the realm appended) on the user? > > > In my environment (where samba + freeradius + wifi connect with > machine account works), there is no UPN set on the machine account, > just a set of SPNs: > servicePrincipalName: HOST/myhost.example.com > servicePrincipalName: RestrictedKrbHost/myhost.example.com > servicePrincipalName: HOST/MYHOST > servicePrincipalName: RestrictedKrbHost/BARTOK > servicePrincipalName: WSMAN/myhost.example.com > servicePrincipalName: WSMAN/myhost > servicePrincipalName: TERMSRV/myhost.example.com > servicePrincipalName: TERMSRV/MYHOST &...

Hi all, SPN = servicePrincipalName A simple search returning all servicePrincipalName declared in your AD: ldbsearch -H $sam serviceprincipalname=* serviceprincipalname An extract from result concerning a lambda client: # record 41 dn: CN=win-client345,OU=Machines,DC=ad,DC=domain,DC=tld servicePrincipalName: HOST/MB38W746-0009 servicePrincipalName: HOST/MB38W746-0009.ad.domain.tld

Today's episode of "why is AD break", brought to you by: > [2017/09/05 10:17:06.015617, 3] ../source4/auth/gensec/gensec_gssapi.c:613(gensec_gssapi_update) > Server GC/graz-dc-1b.ad.tao.at/ad.tao.at is not registered with our KDC: Miscellaneous failure (see text): Server (GC/graz-dc-1b.ad.tao.at/ad.tao.at at AD.TAO.AT) unknown > [2017/09/05 10:17:06.015717, 0]

...t$ User CN=adtest,CN=Computers,DC=foobar,DC=ca has the following servicePrincipalName: HOST/ADTEST HOST/adtest.foobar.ca # samba-tool spn list windows81-vm$ windows81-vm$ User CN=WINDOWS81-VM,CN=Computers,DC=foobar,DC=ca has the following servicePrincipalName: HOST/Windows81-VM.foobar.ca RestrictedKrbHost/Windows81-VM.foobar.ca HOST/WINDOWS81-VM RestrictedKrbHost/WINDOWS81-VM TERMSRV/Windows81-VM.foobar.ca TERMSRV/WINDOWS81-VM Could it be that I somehow need to give permissions to my "adtest" Debian host to be able to connect via Kerberos? 5) Is it actually necessary to kinit as...

...a Service/BMSRV-WIN10.mydomain.com.xyz Microsoft Virtual Console Service/BMSRV-WIN10 Microsoft Virtual Console Service/BMSRV-WIN10.mydomain.com.xyz Microsoft Virtual System Migration Service/BMSRV-WIN10 Microsoft Virtual System Migration Service/BMSRV-WIN10.mydomain.com.xyz RestrictedKrbHost/BMSRV-WIN10 RestrictedKrbHost/BMSRV-WIN10.mydomain.com.xyz TERMSRV/BMSRV-WIN10 TERMSRV/BMSRV-WIN10.mydomain.com.xyz WSMAN/BMSRV-WIN10 WSMAN/BMSRV-WIN10.mydomain.com.xyz output of samba-tool query: samba-tool spn list BMSRV-WIN10$ samba-tool spn list BMSRV-WIN10$ schema_fs...

21.01.2025 13:55, Rowland Penny via samba wrote: > On Tue, 21 Jan 2025 12:51:26 +0300 > Michael Tokarev via samba <samba at lists.samba.org> wrote: > >> Hi! >> >> I'm not sure I understand how SPNs are registered in the AD domain. >> I know when a regular samba server is joined to an AD domain, a few >> SPNs are registered - namely,

...> ../lib/ldb/ldb_tdb/ldb_index.c:2352: duplicate attribute value in > > CN=somePC,OU=someOU,OU=Computers,OU=mysite,DC=mydomain,DC=org for > > index on servicePrincipalName, duplicate of objectGUID > > 00000000-1111-2222-3333-444444444444 in > > @INDEX:SERVICEPRINCIPALNAME:RESTRICTEDKRBHOST/SOMEPC > > [lots of these] > > I think you may be running into this bug: > > https://bugzilla.samba.org/show_bug.cgi?id=8929 > > You may have duplicate SPN's e.g. one 'HOST/somePC' and another > 'host/somepc' You could well be right, thank you. It'...

...ter object in Active Directory failed. The updated value was 'DC8.us.dignitastech.com'. The following error occurred: > Access is denied. > ----- > Attempt to update HOST Service Principal Names (SPNs) of the computer object in Active Directory failed. The updated values were 'RestrictedKrbHost/DC8.us.dignitastech.com' and 'RestrictedKrbHost/DC8'. The following error occurred: > Access is denied. > ----- > Internal error: An Active Directory Domain Services error has occurred. > > Additional Data > Error value (decimal): > 8374 > Error value (hex): &g...

Hi, In samba role DC, is the issue of duplicate SPN records fixed?

...when joining my > DC: ../lib/ldb/ldb_tdb/ldb_index.c:2352: duplicate attribute value in > CN=somePC,OU=someOU,OU=Computers,OU=mysite,DC=mydomain,DC=org for > index on servicePrincipalName, duplicate of objectGUID > 00000000-1111-2222-3333-444444444444 in > @INDEX:SERVICEPRINCIPALNAME:RESTRICTEDKRBHOST/SOMEPC > > Cheers > > Jonathan > Try this to search for computers: ldbsearch -k yes -P -H ldap://dc1 -b 'dc=samdom,dc=example,dc=com' -s sub '(objectclass=computer)' servicePrincipalName > /tmp/computer.ldif Replace 'dc1' with your DC short hostname a...

...t; > It is possible that you have a duplicate SPN. I am not sure. If I do: (vdc1 pts9) # samba-tool spn list SHOPOFFICE-20$ shopoffice-20$ User CN=SHOPOFFICE-20,CN=Computers,DC=kmg,DC=mydomain,DC=com has the following servicePrincipalName: HOST/ShopOffice-20.kmg.mydomain.com RestrictedKrbHost/ShopOffice-20.kmg.mydomain.com HOST/SHOPOFFICE-20 RestrictedKrbHost/SHOPOFFICE-20 TERMSRV/ShopOffice-20.kmg.mydomain.com TERMSRV/SHOPOFFICE-20 TERMSRV/SHOPOFFICE-20.kmg.mydomain.com (vdc1 pts9) # The above is what I get. Is this the correct way ch...