create_dns_spn() {

	spn_account_name_password=$(makepasswd --chars=18)

	spn_account_name="dns-$hostname"

	samba-tool user add "$spn_account_name" "$spn_account_name_password="

	samba-tool user setexpiry --noexpiry "$spn_account_name"

	ldbmodify -H /var/lib/samba/private/sam.ldb <<-%EOF

	dn: CN=$spn_account_name,CN=Users,$samba4_ldap_base

	changetype: modify

	replace: servicePrincipalName

	servicePrincipalName: DNS/$hostname.$domainname

	%EOF

	# get msDS-KeyVersionNumber

	msdsKeyVersion=$(ldbsearch -H /var/lib/samba/private/sam.ldb  samAccountName="$spn_account_name" msDS-KeyVersionNumber\

					| sed -n 's/^msDS-KeyVersionNumber: \(.*\)/\1/p')

	if [ -z "$msdsKeyVersion" ]; then

		echo "ERROR: Could not determine msDS-KeyVersionNumber of $spn_account_name account!"

		msdsKeyVersion=1

	fi

	ldbadd -H /var/lib/samba/private/secrets.ldb <<-%EOF

	dn: samAccountName=$spn_account_name,CN=Principals

	objectClass: kerberosSecret

	privateKeytab: dns.keytab

	realm: $kerberos_realm

	sAMAccountName: $spn_account_name

	secret: $spn_account_name_password

	servicePrincipalName: DNS/$hostname.$domainname

	name: $spn_account_name

	msDS-KeyVersionNumber: $msdsKeyVersion

	%EOF

}