Re: [Samba] net ads keytab add has no visible effects
- Date: Sun, 26 Feb 2017 17:15:47 +0000
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] net ads keytab add has no visible effects
On Sun, 26 Feb 2017 17:13:28 +0100
Max Ober <max@xxxxxxxx> wrote:
> Since AD comes from the Win-World I thought SPNs might not be
> case-sensitive and this shouldn't be a problem.
Possibly not on Windows, but Unix is case sensitive.
> Sorry, but I can't follow.
> I thought the user member$ represents the computer account of the
> machine member? And therefore samba-tool spn list member$ should list
> all SPNs of that computer?
Yes, this is true.
> And I also thought "net ads" lets me do some stuff while working on
> the member that I otherwise would do with samba-tool on the dc. So
> for my understanding it should make no difference whether I use "net
> ads keytab add" on the member to add an spn or use "samba-tool spn
> add" on the dc to do the same thing? Both should end up adding an SPN
> to the computer account,
> what I should be able to check with samba-tool spn list?
'samba-tool spn list' will only show the SPNs in the machine's AD,
this is the search it does:

    res = sam.search(
        expression="samaccountname=%s" % ldb.binary_encode(cleaneduser),

The SPN you add to the keytab is not one of 'member$' SPNs, hence it
isn't shown by samba-tool.

If you want to know what is in a keytab, use ktutil.
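
Added example, not part of the original message or of Samba's code: a minimal reader for the MIT keytab file format (version 0x0502) that lists the principals a keytab holds and classifies each against an account's SPN list, showing why a keytab entry and the servicePrincipalName values on 'member$' can differ. The realm, host name, key bytes and SPN list are constructed sample values, and `compare` and `make_entry` are hypothetical helper names.

```python
import struct

def parse_keytab(data):
    """Return (principal, kvno, enctype) per entry of an MIT keytab, format 0x0502."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size = deleted entry (hole)
            pos += -size
            continue
        rec, pos, off = data[pos:pos + size], pos + size, 2
        def counted():                     # 16-bit length followed by the bytes
            nonlocal off
            (n,) = struct.unpack_from(">H", rec, off)
            off += 2 + n
            return rec[off - n:off].decode()
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm = counted()
        comps = [counted() for _ in range(ncomp)]
        off += 8                           # skip name type and timestamp
        kvno, enctype, keylen = struct.unpack_from(">BHH", rec, off)
        off += 5 + keylen
        if len(rec) - off >= 4:            # optional 32-bit kvno replaces the 8-bit one
            (kvno,) = struct.unpack_from(">I", rec, off)
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
    return entries

def compare(entries, ad_spns):
    """Classify each keytab service principal against the account's AD SPN list."""
    exact, folded = set(ad_spns), {s.lower() for s in ad_spns}
    out = {}
    for princ, _, _ in entries:
        spn = princ.rsplit("@", 1)[0]
        out[spn] = ("match" if spn in exact else
                    "case differs" if spn.lower() in folded else "keytab only")
    return out

def make_entry(realm, comps, kvno, enctype, key):  # builds one constructed entry
    cs = lambda s: struct.pack(">H", len(s)) + s.encode()
    body = struct.pack(">H", len(comps)) + cs(realm) + b"".join(cs(c) for c in comps)
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
    return struct.pack(">i", len(body) + 4) + body + struct.pack(">I", kvno)

# Constructed sample data: a two-entry keytab and an SPN list for 'member$'.
SAMPLE = b"\x05\x02" + b"".join(
    make_entry("EXAMPLE.COM", [s, "member.example.com"], 3, 18, bytes(32)) for s in ("host", "HTTP"))
AD_SPNS = ["HOST/member.example.com", "HOST/MEMBER"]
```

`compare(parse_keytab(SAMPLE), AD_SPNS)` reports the `host/` entry as differing only in case and the `HTTP/` entry as present in the keytab alone.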