Index: univention-samba4/96univention-samba4.inst
===================================================================
--- univention-samba4/96univention-samba4.inst (Revision 37205)
+++ univention-samba4/96univention-samba4.inst (Arbeitskopie)
@@ -375,6 +375,43 @@
 fi
 }
+create_dns_spn() {
+ spn_account_name_password=$(makepasswd --chars=18)
+
+ spn_account_name="dns-$hostname"
+
+ samba-tool user add "$spn_account_name" "$spn_account_name_password="
+
+ samba-tool user setexpiry --noexpiry "$spn_account_name"
+
+ ldbmodify -H /var/lib/samba/private/sam.ldb <<-%EOF
+ dn: CN=$spn_account_name,CN=Users,$samba4_ldap_base
+ changetype: modify
+ replace: servicePrincipalName
+ servicePrincipalName: DNS/$hostname.$domainname
+ %EOF
+
+ # get msDS-KeyVersionNumber
+ msdsKeyVersion=$(ldbsearch -H /var/lib/samba/private/sam.ldb samAccountName="$spn_account_name" msDS-KeyVersionNumber\
+ | sed -n 's/^msDS-KeyVersionNumber: \(.*\)/\1/p')
+ if [ -z "$msdsKeyVersion" ]; then
+ echo "ERROR: Could not determine msDS-KeyVersionNumber of $spn_account_name account!"
+ msdsKeyVersion=1
+ fi
+
+ ldbadd -H /var/lib/samba/private/secrets.ldb <<-%EOF
+ dn: samAccountName=$spn_account_name,CN=Principals
+ objectClass: kerberosSecret
+ privateKeytab: dns.keytab
+ realm: $kerberos_realm
+ sAMAccountName: $spn_account_name
+ secret: $spn_account_name_password
+ servicePrincipalName: DNS/$hostname.$domainname
+ name: $spn_account_name
+ msDS-KeyVersionNumber: $msdsKeyVersion
+ %EOF
+}
+
 ### --- END helper functions ---
 extract_binddn_and_bindpwd_from_args "$@"
@@ -514,7 +551,7 @@
 fi
- /usr/share/univention-samba4/scripts/create_dns-host_spn.py
+ create_dns_spn
 if [ $JS_LAST_EXECUTED_VERSION -lt 1 ]; then
 ## set default ACLs so sysvol-sync can read files and directories
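Review bot: The password handed to `samba-tool user add` carries a trailing `=` (`"$spn_account_name_password="`), while the `secret:` written to secrets.ldb in the same function is the bare makepasswd value, so the key Samba derives for dns.keytab will not match the account's actual password; unless the `=` is deliberate complexity padding it should be dropped (or appended in both places) — `samba-tool user add "$spn_account_name" "$spn_account_name_password"`. None of the samba-tool, ldbmodify or ldbadd calls have their status checked, so a failed `user add` (for instance an account left over from an earlier run) still ends in a secrets.ldb entry whose secret matches nothing; `|| return 1` on each call would stop that, and the `msdsKeyVersion=1` fallback after the ERROR message deserves the same treatment rather than guessing a kvno. The password is also passed on samba-tool's argv, where it is visible in the process list for the duration of the call; if the installed samba-tool can take it on stdin that is preferable, otherwise the exposure is worth a comment. The variables should be `local`, and `$hostname`, `$domainname`, `$samba4_ldap_base` and `$kerberos_realm` are set outside the hunk.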
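Review bot: `create_dns_spn` is called unconditionally here, outside the `JS_LAST_EXECUTED_VERSION` guard that follows it, and because the function does `samba-tool user add` and `ldbadd` — neither of which is idempotent — a re-run of the join script would collide with the existing `dns-$hostname` account and secrets entry, unless an enclosing condition outside the hunk already prevents that. Whether the removed `create_dns-host_spn.py` handled the re-run case is not visible from the diff. A guard on the account's presence in sam.ldb, e.g. `ldbsearch -H /var/lib/samba/private/sam.ldb "samAccountName=dns-$hostname" dn | grep -q '^dn:' || create_dns_spn`, keeps the call safe to repeat.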