11 April 2019 at 09:20 PM
Question:
Is there a way to set the machine's UserPrincipalName attribute from Unix command line instead of utilizing Windows adsiedit?
Answer:
There are several ways to achieve this with the adkeytab command-line tool. One of them is:
1. Run adinfo --diag; near the end of its output it lists the Service Principal Names. Delete the nfs SPN by running:
- adkeytab --delspn (short form: -x) -P (--principal) nfs/nfsserver.daniel-domain.com -u <aduser> -d <domain.com>, then press Enter. Enter your AD password and the command should report success. You can verify this step by running adinfo --diag again and checking that the nfs SPN is gone. See the example below:
From adinfo --diag:
Computer Account Diagnostics
Joined as: nemo
Key Version: 7
Service Principal Names: nfs/nemo
nfs/nemo.daniel-domain.com
...
Centrify DirectControl Status
Running in connected mode
Licensed Features: Enabled
[root@nemo ~]# adkeytab --delspn -P nfs/nemo.daniel-domain.com -u daniel.luu -d daniel-domain.com
daniel.luu@DANIEL-DOMAIN.COM's password:
Success: Del SPNs: Default Key Tab
2. Next, add the new nfs SPN and the UserPrincipalName together. Run:
- adkeytab --addspn -P nfs/nfsserver.daniel-domain.com -U (the UPN option) nfs/nfsserver.daniel-domain.com@daniel-domain.com -u <aduser> -d <domain.com>, then press Enter. Enter your password and the command should report success.
[root@nemo tmp]# adkeytab --addspn --principal nfs/nemo --principal nfs/nemo.daniel-domain.com -U nfs/nfs.nemo.daniel-domain.com@daniel-domain.com -u daniel.luu -d daniel-domain.com
daniel.luu@DANIEL-DOMAIN.COM's password:
Success: Add SPNs: Default Key Tab
3. Finally, on Windows, run adsiedit, go to the computer's OU, right-click the computer object -> Properties, scroll down to UserPrincipalName, and you should see the new UPN that was just added.
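The three steps above, including the adinfo --diag verification check from step 1, as an added shell helper (example code written for this page, not part of the original article or of Centrify's tooling). The sample adinfo --diag text is constructed, and the only adkeytab/adinfo options used are the ones shown in the article.

```shell
#!/bin/sh
# Added helper around the adinfo/adkeytab procedure above (not Centrify's code). Assumes
# adinfo --diag prints "Service Principal Names: <spn>" with further SPNs on following lines.

# Print the SPNs for one service (e.g. "nfs") from adinfo --diag text read on stdin.
spns_for_service() {
  awk -v svc="$1" '
    /^Service Principal Names:/ { inspn = 1; sub(/^Service Principal Names:[ \t]*/, "") }
    inspn && $1 ~ /^[^:]+\// { if (index($1, svc "/") == 1) print $1; next }
    inspn && NF > 0 { inspn = 0 }   # first non-SPN line ends the list
  '
}

# Exit 0 if the exact SPN appears in the adinfo --diag text on stdin: the check from
# step 1 (SPN gone after --delspn) and the natural check after step 2 (SPN added).
spn_present() {
  spns_for_service "${1%%/*}" | grep -qx -- "$1"
}

# Steps 1 and 2 as one sequence: delete the old nfs SPN, add the new one together
# with its UPN, then re-read adinfo --diag to confirm the add took effect. adkeytab
# rewrites the machine keytab, so the real commands run only with DRY_RUN=0;
# otherwise each command is printed instead of executed.
replace_nfs_spn() {
  old_spn=$1 new_spn=$2 upn=$3 aduser=$4 domain=$5
  run() {
    if [ "${DRY_RUN:-1}" = 0 ]; then "$@"; else printf 'would run:'; printf ' %s' "$@"; echo; fi
  }
  run adkeytab --delspn -P "$old_spn" -u "$aduser" -d "$domain" || return 1
  run adkeytab --addspn -P "$new_spn" -U "$upn" -u "$aduser" -d "$domain" || return 1
  if [ "${DRY_RUN:-1}" = 0 ]; then
    adinfo --diag | spn_present "$new_spn" || { echo "$new_spn not registered" >&2; return 1; }
  fi
}

# Constructed sample of adinfo --diag output, modelled on the article's listing.
SAMPLE_DIAG='Computer Account Diagnostics
Joined as: nemo
Key Version: 7
Service Principal Names: nfs/nemo
    nfs/nemo.daniel-domain.com
    host/nemo.daniel-domain.com
Centrify DirectControl Status
Running in connected mode'

if [ "${1:-}" = demo ]; then
  printf '%s\n' "$SAMPLE_DIAG" | spns_for_service nfs
  replace_nfs_spn nfs/nemo.daniel-domain.com nfs/nfsserver.daniel-domain.com \
    nfs/nfsserver.daniel-domain.com@daniel-domain.com daniel.luu daniel-domain.com
fi
```

Run with `sh script.sh demo` to see the parsed SPNs and the commands a dry run would issue; set DRY_RUN=0 only on the joined machine where the change is intended.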