I have just recently installed Samba as an Active Directory Domain Controller on my Linux system, and I'm still trying to sort out the details. I have never really gotten into Kerberos, and this is a good learning opportunity. One of the things you have to do to enable Kerberos ticket authentication for a service is to add its Service Principal Names, sometimes called "service principals", to the computer's Kerberos account. Instructions for configuring Kerberos authentication commonly give examples using the kadmin command, but in this case you do not use that command.
A Service Principal Name is nothing more than a name chosen to represent a service. To the extent that you have to follow a particular format for an SPN, it is only because some application or daemon expects that format; the one constant is that the format is always someservicename/someserviceinformation. The information about the service may contain further slashes, or it may not.
For example, take libvirt, whose documentation gives an example using kadmin to install an SPN "libvirt/full.hostname@KERBEROS.REALM". First we authenticate; this part works fine:
# kinit Administrator
Password for Administrator@EXAMPLE.COM:
Warning: Your password will expire in 36 days on Sat 17 Jun 2023 09:37:01 AM PDT
So now we can do Kerberos stuff as the Administrator, right? But you can't do it with kadmin:
# kadmin
kadmin: Missing parameters in krb5.conf required for kadmin client while initializing kadmin interface
Nope, that's not a thing for AD. What does work to create an SPN is samba-tool, which takes the SPN followed by the account it is attached to:
samba-tool spn add nfs/backupserver1.example.com 'BACKUPSERVER1$'
Or in this particular case:
samba-tool spn add libvirt/machine.example.com@EXAMPLE 'MACHINE$'
samba-tool spn add libvirt/machine.example.com@example.com 'MACHINE$'
Because I don't know which name a request will come from, I used both forms, but they both point to the same thing.
You might well ask how to list machine accounts, and it turned out to be like this:
# samba-tool computer list
MACHINE$
WIN11VM$
WIN10VM$
WIN81$
In this example, machine.example.com is the AD DC for the EXAMPLE or example.com domain. We can easily get information about this machine, and we can refer to it by any of its names, or its account:
# samba-tool computer show machine
dn: CN=MACHINE,OU=Domain Controllers,DC=example,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: MACHINE
instanceType: 4
whenCreated: 20230506163700.0Z
uSNCreated: 3891
name: MACHINE
objectGUID: 97b9a431-a3d5-451e-8205-adc363acdb7b
userAccountControl: 532480
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
localPolicyFlags: 0
pwdLastSet: 133278646207021670
primaryGroupID: 516
objectSid: S-1-5-21-5212774-8465286484-1725351312-1000
accountExpires: 9223372036854775807
sAMAccountName: MACHINE$
sAMAccountType: 805306369
operatingSystem: Samba
operatingSystemVersion: 4.13.13-Debian
dNSHostName: machine.example.com
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=machine,DC=com
isCriticalSystemObject: TRUE
rIDSetReferences: CN=RID Set,CN=MACHINE,OU=Domain Controllers,DC=example,DC=com
msDS-SupportedEncryptionTypes: 28
lastLogonTimestamp: 133278811717486540
serverReferenceBL: CN=MACHINE,CN=Servers,CN=Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
lastLogon: 133283192026181410
logonCount: 20
servicePrincipalName: HOST/machine.example.com
servicePrincipalName: HOST/MACHINE
servicePrincipalName: HOST/machine.example.com/machine.example.com
servicePrincipalName: HOST/machine.example.com/EXAMPLE
servicePrincipalName: ldap/machine.example.com/EXAMPLE
servicePrincipalName: GC/machine.example.com/example.com
servicePrincipalName: ldap/machine.example.com
servicePrincipalName: HOST/machine.example.com/example.com
servicePrincipalName: ldap/machine.example.com/example.com
servicePrincipalName: E3514235-4B06-11D1-AB04-00C04FC2DCD2/f4abc65c-4a9b-42cd-9520-a2f075e4a3e3/example.com
servicePrincipalName: ldap/f4abc65c-4a9b-42cd-9520-a2f075e4a3e3._msdcs.example.com
servicePrincipalName: ldap/EXAMPLE
servicePrincipalName: RestrictedKrbHost/EXAMPLE
servicePrincipalName: RestrictedKrbHost/machine.example.com
servicePrincipalName: ldap/machine.example.com/DomainDnsZones.example.com
servicePrincipalName: ldap/machine.example.com/ForestDnsZones.example.com
servicePrincipalName: libvirt/machine.example.com@EXAMPLE
servicePrincipalName: libvirt/machine.example.com@example.com
whenChanged: 20230511232148.0Z
uSNChanged: 4326
distinguishedName: CN=MACHINE,OU=Domain Controllers,DC=example,DC=com
You could equally show MACHINE or MACHINE$. Showing the whole record gives you a lot of information about the system, including any SPNs, but you can also list only the SPNs. That does require the computer account name as shown in sAMAccountName above, but you need to know that to add SPNs via samba-tool anyway.
# samba-tool spn list MACHINE$
machine$
User CN=MACHINE,OU=Domain Controllers,DC=example,DC=com has the following servicePrincipalName:
HOST/machine.example.com
HOST/MACHINE
HOST/machine.example.com/machine.example.com
HOST/machine.example.com/EXAMPLE
ldap/machine.example.com/EXAMPLE
GC/machine.example.com/example.com
ldap/machine.example.com
HOST/machine.example.com/example.com
ldap/machine.example.com/example.com
E3514235-4B06-11D1-AB04-00C04FC2DCD2/f4abc65c-4a9b-42cd-9520-a2f075e4a3e3/example.com
ldap/f4abc65c-4a9b-42cd-9520-a2f075e4a3e3._msdcs.example.com
ldap/MACHINE
RestrictedKrbHost/MACHINE
RestrictedKrbHost/machine.example.com
ldap/machine.example.com/DomainDnsZones.example.com
ldap/machine.example.com/ForestDnsZones.example.com
libvirt/machine.example.com@EXAMPLE
libvirt/machine.example.com@example.com
The HOST SPNs define aliases for hosts. On Windows, SPNs are normally modified with a command called setspn. This command should be on your machine, but it can only be run by a domain administrator (i.e. a member of the Domain Admins group). Domain admins can run setspn from any machine to affect the account of any machine; if no account is specified, it affects the account of the machine it is run on.
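As an added example (not code from the original post or from Samba), here are POSIX shell helpers that wrap the samba-tool workflow above: they parse the output of samba-tool spn list in the format shown on this page, add an SPN only when it is not already registered, and flag any SPN registered on more than one computer account, which is a classic cause of Kerberos ticket failures. The function names and the sample listing in the test are my own constructions.

```shell
#!/bin/sh
# Helpers for the samba-tool SPN workflow.  They assume the output format of
# "samba-tool spn list <ACCOUNT>" exactly as shown on this page: an echo of the
# account, a "User <DN> has the following servicePrincipalName:" header, then
# one SPN per line.

# Read a listing on stdin and print only the SPN lines (service/instance).
extract_spns() {
  awk '/has the following servicePrincipalName:/ { body = 1; next }
       body && $0 ~ /^[^ ]+\/[^ ]+$/ { print }'
}

# Exit 0 if the SPN given as $1 appears in the listing on stdin
# (exact string match, so the realm-suffixed forms used above are distinct
# from the bare service/host form).
spn_present() {
  extract_spns | grep -Fxq -- "$1"
}

# Register SPN $1 on account $2 (e.g. 'MACHINE$') only when it is not already
# there, so a provisioning script can be re-run safely.
ensure_spn() {
  if samba-tool spn list "$2" | spn_present "$1"; then
    echo "already present: $1 on $2"
  else
    samba-tool spn add "$1" "$2"
  fi
}

# Read "ACCOUNT SPN" lines on stdin and print each SPN registered on more than
# one account, followed by the accounts holding it.  With a duplicate SPN the
# KDC cannot tell which account's key should encrypt the service ticket, so
# authentication to that service fails.
duplicate_spns() {
  awk '{ seen[$2]++; holders[$2] = holders[$2] " " $1 }
       END { for (spn in seen) if (seen[spn] > 1) print spn ":" holders[spn] }' |
    sort
}

# Domain-wide audit: walk every computer account and look for duplicates.
audit_duplicate_spns() {
  samba-tool computer list | while read -r acct; do
    samba-tool spn list "$acct" | extract_spns | sed "s|^|$acct |"
  done | duplicate_spns
}
```

Run audit_duplicate_spns on the DC after bulk SPN changes; an empty result means every SPN maps to exactly one account.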