Hello,

Does Validated-SPN validated write allow an account to set an object's SPN to the following values if the object is a regular computer object and NOT a DC?

  HOST/samAccountName (without the "$")
  HOST/dnsDomainName

The algorithm described in MS-DRSR 5.5 AccessCheckWriteToSpnAttribute seems to indicate that yes, this should be allowed. On the other hand, MS-ADTS 3.1.1.5.3.1.1.4 servicePrincipalName leads me to believe that the object being a DC is a mandatory constraint:

"The SPN is a syntactically correct two-part SPN, or it is a syntactically correct three-part SPN (see Mutual Authentication (section 5.1.1.4)) and the object is a DC’s domain controller object (see sections 7.1.1.3.1 and 7.1.1.3.2)."

In addition, I did the following test:

- Gave the Validated-SPN right to a user on a regular computer object, and got CONSTRAINT_VIOLATION when setting its servicePrincipalName to the values described above.
- Gave the Validated-SPN right to a user on a DC object, and these values were set successfully.

So my questions are:

1. Is the behaviour of setting servicePrincipalName supposed to be different between LDAP and DRS?
2. Does servicePrincipalName modification depend on things other than the syntax restrictions described in MS-DRSR and MS-ADTS?
3. If an object does not have Validated-SPN on Principal-Self, should the account still be allowed to set the above values via DRS?

Best Regards,
Nadezhda Ivanova
_______________________________________________ cifs-protocol mailing list [email protected] https://lists.samba.org/mailman/listinfo/cifs-protocol
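An added example, not part of the post above and not the algorithm from MS-DRSR 5.5 or MS-ADTS: it parses candidate servicePrincipalName values into the serviceclass/host[:port][/servicename] form that MS-ADTS section 5.1.1.4 describes, classifies each as two-part or three-part, and reports whether the host part is one of the object's own names. The "own name" rule used here (host equals sAMAccountName with the trailing "$" removed, or equals dNSHostName, compared case-insensitively) is an assumed simplification for illustration; it does not model the DC-only constraint the post asks about, and the sample object (WS01$ / ws01.example.com) is constructed.

```python
"""Syntax classification of servicePrincipalName values.

Added example, not from the mailing-list post.  The SPN syntax is the
serviceclass/host[:port][/servicename] form of MS-ADTS section 5.1.1.4.
The "names the object itself" rule in host_names_object() is an assumed
simplification for illustration, not the MS-DRSR 5.5
AccessCheckWriteToSpnAttribute algorithm, and nothing here decides
whether an object must be a DC for a given value to be accepted.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Spn:
    service_class: str
    host: str
    port: Optional[int]
    service_name: Optional[str]

    @property
    def parts(self) -> int:
        # Two-part: serviceclass/host[:port]; three-part adds /servicename.
        return 3 if self.service_name is not None else 2


def parse_spn(value: str) -> Optional[Spn]:
    """Return the parsed SPN, or None if the value is not syntactically valid.

    Rejects anything other than two or three slash-separated components,
    empty components, and non-numeric or out-of-range ports.  Bracketed
    IPv6 literals in the host part are not handled (kept simple on purpose).
    """
    pieces = value.split("/")
    if len(pieces) not in (2, 3) or any(p == "" for p in pieces):
        return None
    service_class, hostport = pieces[0], pieces[1]
    service_name = pieces[2] if len(pieces) == 3 else None
    host, port = hostport, None
    if ":" in hostport:
        host, port_text = hostport.rsplit(":", 1)
        if not host or not port_text.isdigit():
            return None
        port = int(port_text)
        if not 0 < port < 65536:
            return None
    return Spn(service_class, host, port, service_name)


def host_names_object(spn: Spn, sam_account_name: str, dns_host_name: str) -> bool:
    """Assumed simplification: the host part is the object's own sAMAccountName
    (without the trailing '$') or its dNSHostName, case-insensitively."""
    own = {sam_account_name.rstrip("$").lower(), dns_host_name.lower()}
    return spn.host.lower() in own


def classify(values: Iterable[str], sam_account_name: str,
             dns_host_name: str) -> Dict[str, Optional[Tuple[int, bool]]]:
    """Map each candidate value to (parts, names_self), or None when malformed."""
    result: Dict[str, Optional[Tuple[int, bool]]] = {}
    for value in values:
        spn = parse_spn(value)
        if spn is None:
            result[value] = None
        else:
            result[value] = (spn.parts, host_names_object(spn, sam_account_name, dns_host_name))
    return result


if __name__ == "__main__":
    # Constructed sample: a regular computer object, not a DC.
    sam, dns = "WS01$", "ws01.example.com"
    candidates = [
        "HOST/WS01",                          # HOST/samAccountName without '$'
        "HOST/example.com",                   # HOST/dnsDomainName
        "ldap/ws01.example.com/example.com",  # three-part
        "HOST/",                              # malformed
    ]
    for value, verdict in classify(candidates, sam, dns).items():
        print(f"{value:40} -> {verdict}")
```

For the constructed object the first value is a two-part SPN whose host is the object's own name, while HOST/example.com is a two-part SPN whose host is the domain's DNS name rather than anything on the object; that second case is exactly where the two readings in the post diverge, and the code deliberately leaves that decision to the spec rather than guessing it.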
