Need to delete or overwrite SPNs

Participant II
Posts: 3
Registered: ‎03-09-2015
#1 of 5 2,061

Need to delete or overwrite SPNs

[ Edited ]

Running a samba server that users access via a CNAME. In order to use SMB3 via CNAME, SPNs must exist for that CNAME. I have no trouble creating those SPNs with 

    adkeytab --addspn --principal cifs/thecname.domain.com -u ouadmin
    adkeytab --addspn --principal cifs/thecname -u ouadmin

 

But when I fail the service over to another server, I want/need to update the SPNs. As expected, running the same commands results in this error

    Error: You cannot add a SPN that already exists: The SPN cifs/thecname....

I tried to force it, but it seems force doesn't work for SPNs.

    Unneeded parameter(s): 'Force'. Please remove them and try again.

 

I could delete it from the original host first, but there are two issues:

1) If the original host completely failed, this isn't an option

2) I want to keep this operation to the new host if possible

 

I can delete the SPNs from my Windows computer using

    setspn -D cifs/thecname therealname

 

Is there an adkeytab or adedit command that lets me do the same from the Samba server? Or maybe there's a better way to use SMB3 with a CNAME?

Participant II
Posts: 3
Registered: ‎03-09-2015
#2 of 5 2,050

Re: Need to delete or overwrite SPNs

I've made some progress with adedit.

 

First, I bind to the domain (not shown) then I find the dn for the computer(s) with the SPNs I want to update:

    set COMP_LIST [get_objects -depth one -limit 10 "ou=servers,ou=centrify,dc=xxxx,dc=xxxxx,dc=xxx" (servicePrincipalName=*thecname*)]

Then, for each computer (should only be one, but I want to build this to clean up anywhere the CNAME is found if something got misconfigured) get the SPN list and replace it with a list that doesn't include the CNAME SPNs

    foreach COMPUTER $COMP_LIST {
        # Make this computer the current object
        select_object $COMPUTER
        set SPN_LIST [get_object_field servicePrincipalName]
        puts "Current SPN List for $COMPUTER: $SPN_LIST"
        # Keep every SPN that does not mention the CNAME
        set NEW_SPN_LIST [lsearch -all -inline -not $SPN_LIST *thecname*]
        puts "Updating SPN list for $COMPUTER to: $NEW_SPN_LIST"
        sof servicePrincipalName $NEW_SPN_LIST
        save_object
    }

The problem is that whenever I use 

    sof servicePrincipalName $<somevariable>

The output of 

    get_object_field servicePrincipalName

always has braces and save_object throws an error. 

 

I've tried using 

    sof servicePrincipalName [join $NEW_SPN_LIST]

but it makes no difference. The only way that I seem to be able to get 'sof servicePrincipalName' is with a literal string after. I think I must be doing something wrong because the example in the adedit manual uses a variable with sof.

 

I'm going to try nesting another loop using remove_object_value to see if I can get that to behave better.

Centrify Guru I
Posts: 2,430
Registered: ‎07-26-2012
#3 of 5 2,033

Re: Need to delete or overwrite SPNs

[ Edited ]

@MadScientist,

 

Welcome to the Centrify forums.

// Caveat:  I have never tested what I'm about to propose, however I've done it/seen it done in the context of Apache, Java and DB2.

 

I want to step back a bit instead of going through what it seems to be a complex path.  I want to focus on this which is closer to the problem:

 

"Running a samba server that users access via a CNAME. In order to use SMB3 via CNAME, SPNs must exist for that CNAME"... But when I fail the service over to another server, I want/need to update the SPNs. As expected, running the same commands result in this error

    Error: You cannot add a SPN that already exists: The SPN cifs/thecname....

I tried to force it, but it seems force doesn't work for SPNs.

    Unneeded parameter(s): 'Force'. Please remove them and try again."

 

Looks to me like your main problem is to maintain high-availability of your Samba services.  In a Kerberos environment, the approach you're taking will definitely have that issue (because SPNs are supposed to be unique - that is a Kerberos constraint).

 

Why not use a different approach? 

Kerberos key table files (keytab files) are better for a scenario in which you need to achieve load balancing or high-availability. 

Like I said above, I have never done this, but it looks like this is supported by the smb.conf file:

In this case, you can still use a CNAME for the SMB service (e.g. smb.example.com) even if the load balancing/failover cluster has different host names (host1.example.com, host2.example.com); for user convenience I'd make sure that the short names are also added as SPNs.

 

The high-level implementation is:

  1. Request/create an Active Directory user without any privileges whatsoever.  Set the password to never expire.
  2. Create a new keytab for this account and add the corresponding SPNs (if you do this correctly, the AD account password will be changed to an unknown string).
  3. Secure the keytabs in the corresponding hosts (make sure only the required accounts can read it).
  4. Configure your samba server to have a dedicated keytab file and start it.
  5. Try to access the service by using the SPNs for the service.  <= profit.

 

Moving forward, based on your password rotation policy (e.g. every 90 days), you can

a) Schedule downtime for your SMB services.

b) Use the adkeytab command to reset the password (randomize again)

c) Re-distribute the keytab file to your hosts.

d) Restart your SMB services.

 

I just think this is a better approach, but it may require that you do a POC first.

 

R.P

Want to learn more about practical Centrify examples? Check out my blog at http://centrifying.blogspot.com
Participant II
Posts: 3
Registered: ‎03-09-2015
#4 of 5 1,328

Re: Need to delete or overwrite SPNs

@Robertson,

I tried going down the path you mentioned using a non-privileged user and dedicated keytabs in Samba. It's been a while, so I can't remember where I ran amok with that, but I did have some trouble. Certainly not saying it's impossible, but I ended up finding another solution. I've come here to share it in case anyone else finds use in it.

 

However, I will say that this adds SPNs to the system keytab, which generally isn't a problem, but I did have an issue where I had to re-join a machine and I couldn't without deleting the old object from AD, because it was trying to join with a number of SPNs including the CNAME for which it was not currently primary. That being said, things seem to be working right now, but I may be back to righting this at some point.

 

In my second post, I was finding the computers with the SPNs I wanted to take over, and trying to update their SPN lists by replacing them with a list that didn't include the CNAME SPNs. That wasn't working. What I was able to do is find the computers and forcibly remove the individual SPNs.

 

Here's the loop from the tcl script that does that:

    foreach COMPUTER $COMP_LIST {

        # Set the current object to the computer
        select_object $COMPUTER

        # Put all the SPNs for that computer in a variable
        set SPN_LIST [get_object_field servicePrincipalName]

        # Debugging output
        puts "Current SPN List for $COMPUTER: $SPN_LIST"
        puts ""

        # Make a new variable of the SPNs we want to delete
        set DEL_SPN_LIST [lsearch -all -inline $SPN_LIST *$CNAME*]

        # Debugging output
        puts "Removing these SPNs from $COMPUTER: $DEL_SPN_LIST"

        # Remove the SPNs; this command can only do one at a time
        foreach SPN $DEL_SPN_LIST {
            remove_object_value $COMPUTER servicePrincipalName $SPN
        }

        # The remove command works directly against the domain object,
        # so we don't need to save.
        # Also, you'll need to reload the object if you want to view
        # the updated configuration.
    }

The next step I do that's beyond the scope of my original question is take over those SPNs using adkeytab.

    echo "$AD_ADMIN_PASS" | adkeytab --addspn --principal cifs/$CNAME.sub.domain.com --user $AD_ADMIN_USER
    echo "$AD_ADMIN_PASS" | adkeytab --addspn --principal cifs/$CNAME --user $AD_ADMIN_USER
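The clean-up logic from posts #2 and #4 (find every computer object holding SPNs for the CNAME, then remove those SPNs one at a time from anything that is not the new primary) worked out as an added Python example. This is not code from the thread or from Centrify's adedit: it runs offline over a constructed LDIF-style dump in place of a live directory search, and the DNs, host names and SPN lists are made up. It goes a little beyond the posted script in three ways a practitioner would care about: SPN matching is case-insensitive (AD compares SPNs that way, while Tcl's `lsearch` glob is case-sensitive unless `-nocase` is given), the CNAME is matched as an exact host rather than with a `*thecname*` substring glob (which would also sweep up `thecname-archive`), and it reports SPNs registered on more than one object, the Kerberos uniqueness constraint Robertson mentions.

```python
"""Plan the SPN clean-up for a service CNAME that moves between hosts.

Added example (not from the thread or from Centrify's adedit). It works on a
constructed LDIF-like dump of computer objects instead of a live directory,
so it runs offline; the DNs, host names and SPNs below are made up.
"""
import re
from collections import defaultdict

# Constructed sample, standing in for the result of the get_objects search in
# the thread. HOST1 is the old primary and still holds the CNAME SPNs; HOST2 is
# the new primary and (through a misconfiguration) already carries the short
# CNAME SPN too; HOST3 holds an SPN whose host merely contains "thecname".
SAMPLE_LDIF = """\
dn: CN=HOST1,OU=servers,OU=centrify,DC=example,DC=com
servicePrincipalName: HOST/host1.example.com
servicePrincipalName: HOST/HOST1
servicePrincipalName: cifs/host1.example.com
servicePrincipalName: CIFS/thecname.example.com
servicePrincipalName: cifs/thecname

dn: CN=HOST2,OU=servers,OU=centrify,DC=example,DC=com
servicePrincipalName: HOST/host2.example.com
servicePrincipalName: cifs/host2.example.com
servicePrincipalName: cifs/thecname

dn: CN=HOST3,OU=servers,OU=centrify,DC=example,DC=com
servicePrincipalName: HOST/host3.example.com
servicePrincipalName: cifs/thecname-archive.example.com
"""


def parse_ldif(text):
    """Return {dn: [spn, ...]} from a minimal LDIF dump (no line folding, no base64)."""
    objects, dn = {}, None
    for line in text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
            objects[dn] = []
        elif line.startswith("servicePrincipalName: ") and dn is not None:
            objects[dn].append(line.split(": ", 1)[1].strip())
    return objects


def spn_host(spn):
    """Host part of service/host[:port][/name], lower-cased.

    AD compares SPNs case-insensitively, so the match must be too; the Tcl
    lsearch glob in the thread is case-sensitive unless -nocase is given.
    """
    m = re.match(r"^[^/]+/([^/:]+)", spn)
    return m.group(1).lower() if m else ""


def spns_for_cname(objects, cname, domain):
    """Return {dn: [spn, ...]} for SPNs whose host is exactly the CNAME,
    short or fully qualified. Exact matching avoids the substring false
    positive a *thecname* glob gives for hosts such as thecname-archive."""
    wanted = {cname.lower(), f"{cname}.{domain}".lower()}
    hits = {}
    for dn, spns in objects.items():
        matched = [s for s in spns if spn_host(s) in wanted]
        if matched:
            hits[dn] = matched
    return hits


def duplicate_spns(objects):
    """Return {spn_lower: sorted [dn, ...]} for SPNs held by more than one
    object. Kerberos needs each SPN to resolve to exactly one account; a
    duplicate leaves the KDC with an ambiguous key for that SPN."""
    holders = defaultdict(set)
    for dn, spns in objects.items():
        for s in spns:
            holders[s.lower()].add(dn)
    return {s: sorted(d) for s, d in holders.items() if len(d) > 1}


def removal_plan(objects, cname, domain, new_primary_dn):
    """(dn, spn) pairs to remove so that only new_primary_dn keeps the CNAME SPNs."""
    return [(dn, s)
            for dn, spns in spns_for_cname(objects, cname, domain).items()
            if dn != new_primary_dn
            for s in spns]


if __name__ == "__main__":
    objs = parse_ldif(SAMPLE_LDIF)
    new_primary = "CN=HOST2,OU=servers,OU=centrify,DC=example,DC=com"
    for spn, dns in duplicate_spns(objs).items():
        print(f"DUPLICATE {spn} on: {', '.join(dns)}")
    # Print the adedit calls the post's loop would issue, one per SPN.
    for dn, spn in removal_plan(objs, "thecname", "example.com", new_primary):
        print(f'remove_object_value "{dn}" servicePrincipalName {spn}')
```

Run against a real directory, the `SAMPLE_LDIF` text would be replaced by the output of an LDAP search for `(servicePrincipalName=*)` under the servers OU; the duplicate report is worth running before the `adkeytab --addspn` step, because that step fails as soon as the SPN exists anywhere in the domain.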

 

 

Centrify Guru I
Posts: 2,430
Registered: ‎07-26-2012
#5 of 5 1,265

Re: Need to delete or overwrite SPNs

@MadScientist

 

We appreciate your contribution to the community.

 

Kudos!
