There are two reasons for this. Firstly, leaving SPNs unclaimed is
dangerous, as someone else could grab them first. Secondly, in some
circumstances (self join) we try to add a DNS/ SPN a little bit later
in provision. Under the rules we are introducing for CVE-2020-25722,
this will make our later attempts to add HOST/ fail.
This causes a few errors in samba4.blackbox.dbcheck.* tests, which
assert that revivified old domains match stored reference versions.
Now they don't, because they have servicePrincipalNames.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
--- /dev/null
+samba4.blackbox.dbcheck.release-4-0-0
+samba4.blackbox.dbcheck.release-4-0-0.quick
+samba4.blackbox.upgradeprovision.release-4-0-0
+samba4.blackbox.functionalprep.check_databases_same
operatingSystem: Samba
operatingSystemVersion: ${SAMBA_VERSION_STRING}
sAMAccountName: ${NETBIOSNAME}$
-# The "servicePrincipalName" updates are now handled by the "samba_spnupdate"
-# script
userAccountControl: 532480
clearTextPassword:: ${MACHINEPASS_B64}
objectSid: ${DOMAINSID}-${DCRID}
+# While some "servicePrincipalName" updates might be handled by the
+# "samba_spnupdate" script, we need to get the basics in here before
+# we add any others.
+servicePrincipalName: HOST/${DNSNAME}
+servicePrincipalName: HOST/${NETBIOSNAME}
+servicePrincipalName: HOST/${DNSNAME}/${DNSNAME}
+
dn: CN=RID Set,CN=${NETBIOSNAME},OU=Domain Controllers,${DOMAINDN}
objectClass: rIDSet
projects / thirdparty / samba.git / commitdiff
