LinuxCommandLibrary

getuserspns.py

Enumerate Service Principal Names (SPNs)

TLDR

Enumerate user accounts with an SPN and request their Kerberos TGS tickets

$ GetUserSPNs.py [domain]/[username]:[password] -dc-ip [domain_controller_ip]

Use pass-the-hash authentication
$ GetUserSPNs.py [domain]/[username] -hashes [LM_Hash]:[NT_Hash] -dc-ip [domain_controller_ip]

Save the output to a file
$ GetUserSPNs.py [domain]/[username]:[password] -dc-ip [domain_controller_ip] -outputfile [path/to/output_file]

Request only TGS tickets
$ GetUserSPNs.py [domain]/[username]:[password] -dc-ip [domain_controller_ip] -request

Request only TGS tickets using pass-the-hash authentication
$ GetUserSPNs.py [domain]/[username] -dc-ip [domain_controller_ip] -hashes [LM_Hash]:[NT_Hash] -request

SYNOPSIS

getuserspns.py [options] [username]

PARAMETERS

-h, --help
    Show help message and exit

-u USERNAME, --user USERNAME
    Specify username to query SPNs for

-d DOMAIN, --domain DOMAIN
    Target domain (default: current)

-s SERVER, --server SERVER
    Domain controller server

-k KEYTAB, --keytab KEYTAB
    Path to keytab file for authentication

--all
    List SPNs for all users

-o OUTPUT, --output OUTPUT
    Output file (default: stdout)

-v, --verbose
    Increase verbosity

DESCRIPTION

getuserspns.py is not a standard Linux utility but a Python script commonly used in environments with Active Directory (AD) integration on Linux, such as those using SSSD, realmd, or Samba. It queries directory services (LDAP/Kerberos) to fetch Service Principal Names (SPNs) associated with user accounts. SPNs map service instances to service accounts, a mapping that is essential for Kerberos authentication in AD-joined Linux systems.

The script typically connects to a domain controller via LDAP or Kerberos, authenticates, and lists SPNs for specified users or all users. It's useful for troubleshooting authentication issues, verifying service mappings, or auditing Kerberos configurations. Output includes user DN, principal name, and associated SPNs in a readable format.

Usage requires Python (usually 2.7 or 3.x), LDAP libraries (python-ldap), and Kerberos credentials (keytab or ticket). Run as root or with sufficient privileges in AD-joined setups. Common in enterprise Linux deployments for hybrid AD/Linux management.
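
For the auditing use mentioned above, the following is an added example (not part of the script or of this page's original content) that reads an LDIF export of directory entries and reports each user account carrying an SPN, with whether AES is enabled in its msDS-SupportedEncryptionTypes attribute. The LDIF data, account names and function names are constructed for illustration.

```python
# Added example: audit user accounts that carry SPNs, from an LDIF export.
# SAMPLE_LDIF is constructed sample data; all names and values are hypothetical.
from collections import defaultdict

AES_BITS = 0x08 | 0x10  # AES128 and AES256 bits of msDS-SupportedEncryptionTypes

SAMPLE_LDIF = """\
dn: CN=svc-sql,OU=Service,DC=example,DC=com
objectClass: user
sAMAccountName: svc-sql
servicePrincipalName: MSSQLSvc/db01.example.com:1433
servicePrincipalName: MSSQLSvc/db01.example.com
msDS-SupportedEncryptionTypes: 4

dn: CN=svc-web,OU=Service,DC=example,DC=com
objectClass: user
sAMAccountName: svc-web
servicePrincipalName: HTTP/intranet.example.com
msDS-SupportedEncryptionTypes: 24

dn: CN=jdoe,OU=Staff,DC=example,DC=com
objectClass: user
sAMAccountName: jdoe
"""

def parse_ldif(text):
    """Yield one dict of attribute -> list of values per LDIF entry."""
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        # Unfold continuation lines (a leading space continues the previous line).
        for line in block.replace("\n ", "").splitlines():
            if line and not line.startswith("#"):
                attr, _, value = line.partition(": ")
                entry[attr].append(value)
        yield entry

def audit_spn_accounts(text):
    """Return (account, dn, spns, aes_enabled) for each user entry with an SPN."""
    report = []
    for e in parse_ldif(text):
        classes, spns = e.get("objectClass", []), e.get("servicePrincipalName", [])
        if "user" not in classes or "computer" in classes or not spns:
            continue  # skip machine accounts and users without an SPN
        # An absent or zero value means AES is not explicitly enabled.
        enc = int(e.get("msDS-SupportedEncryptionTypes", ["0"])[0])
        report.append((e["sAMAccountName"][0], e["dn"][0], spns, bool(enc & AES_BITS)))
    return report

if __name__ == "__main__":
    for name, dn, spns, aes in audit_spn_accounts(SAMPLE_LDIF):
        print(f"{name}\t{dn}\tAES={'yes' if aes else 'no'}\t{', '.join(spns)}")
```

Accounts reported with AES not enabled are the ones to review first when tightening Kerberos encryption settings for service accounts.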

REQUIREMENTS

Requires python-ldap, gssapi, and AD enrollment. Install via pip install python-ldap gssapi or distro packages.

EXAMPLE

./getuserspns.py -u jdoe -d example.com
Outputs: User: jdoe/EXAMPLE.COM SPNs: host/server.example.com

HISTORY

Developed around the 2010s for Linux AD integration tools like SSSD (System Security Services Daemon). Evolved with Samba 4.x and FreeIPA. Often found in custom scripts or contrib repos; not upstream in major distros but used in RHEL/CentOS enterprise setups.

SEE ALSO

samba-tool(1), ipa(1), klist(1), getent(1), adcli(1)
