Applies to:

All versions of Centrify DirectControl on all OS platforms

Question:

Is there a way to set the machine's UserPrincipalName attribute from Unix command line instead of utilizing Windows adsiedit?

Answer:

There are several ways you can achieve this with the adkeytab command tool.  One of which is:

1.  Run adinfo --diag, at the end it will list Service Principal Names, delete the nfs SPN by running:

     -  adkeytab --delspn (-x) -P (--Principal) nfs/nfsserver.daniel-domain.com -u <aduser> -d <domain.com>, then hit enter.  Put in your AD password and it should  come back successful.  You can verify this step by executing adinfo --diag again and check nfs SPN is removed.  Please see example below:

From adinfo --diag:

Computer Account Diagnostics
  Joined as: nemo
  Key Version: 7
  Service Principal Names: nfs/nemo
                           nfs/nemo.daniel-domain.com
                           ...

Centrify DirectControl Status
  Running in connected mode

Licensed Features: Enabled

[root@nemo ~]# adkeytab --delspn -P nfs/nemo.daniel-domain.com -u daniel.luu -d daniel-domain.com
daniel.luu@DANIEL-DOMAIN.COM's password:
Success: Del SPNs: Default Key Tab

2.  Next, you need to add in a new nfs SPN and UserPrincipalName together.  Run:

    -  adkeytab --addspn -P nsf/nfsserver.daniel-domain.com -U (upn) nfs/nfsserver.daniel-domain.com@daniel-domain.com -u <aduser> -d <domain.com>, then hit enter.  Put in your password and the result should come back successful.

[root@nemo tmp]# adkeytab --addspn --principal nfs/nemo --principal nfs/nemo.daniel-domain.com -U nfs/nfs.nemo.daniel-domain.com@daniel-domain.com -u daniel.luu -d daniel-domain.com
daniel.luu@DANIEL-DOMAIN.COM's password:
Success: Add SPNs: Default Key Tab

3.  Finally, on Windows you can run adsiedit, go to Computer OU, right click on Computer -> Properties, scroll down to UserPrincipalName, and you should see the new UPN we just added.