[Samba] samldb_spn_uniqueness_check: SPN HOST/myserver.samdom.net failed alias uniqueness check

Kees van Vloten keesvanvloten at gmail.com
Sun Jan 16 22:11:56 UTC 2022


On 16-01-2022 22:52, Rowland Penny via samba wrote:
> On Sun, 2022-01-16 at 22:43 +0100, Kees van Vloten via samba wrote:
>> On 16-01-2022 22:05, Rowland Penny via samba wrote:
>>> On Sun, 2022-01-16 at 21:53 +0100, Kees van Vloten via samba wrote:
>>>> On 16-01-2022 21:40, Rowland Penny via samba wrote:
>>>>> On Sun, 2022-01-16 at 21:05 +0100, Kees van Vloten via samba
>>>>> wrote:
>>>>>> Hi Team,
>>>>>>
>>>>>> I am using samba-accounts per service; when the service uses
>>>>>> Kerberos, the account gets an SPN associated.
>>>>>>
>>>>>> It looks like something in the area of SPN verification has
>>>>>> changed
>>>>>> between 4.13 / 4.14 and 4.15.3 on Debian 11 (with samba from
>>>>>> Louis'
>>>>>> repo).
>>>>>>
>>>>>> I am trying to do a domain-join on a machine (myserver) on
>>>>>> 4.15.3,
>>>>>> but
>>>>>> it fails on the client-side with:
>>>>>>
>>>>>> Failed to join domain: Failed to set machine spn: Constraint
>>>>>> violation
>>>>>> Do you have sufficient permissions to create machine
>>>>>> accounts?
>>>>>>
>>>>>> The samba.log on the DC shows the same:
>>>>>>
>>>>>> [2022/01/16 20:13:31.260393,  0] ../../source4/dsdb/samdb/ldb_modules/samldb.c:3841(check_spn_alias_collision)
>>>>>>       check_spn_alias_collision: trying to add SPN 'HOST/myserver.samdom.net' on 'CN=myserver,OU=Member Servers,DC=samdom,DC=net' when 'http/myserver.samdom.net' is on 'CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net'
>>>>>> [2022/01/16 20:13:31.260465,  0] ../../source4/dsdb/samdb/ldb_modules/samldb.c:4028(samldb_spn_uniqueness_check)
>>>>>>       samldb_spn_uniqueness_check: SPN HOST/myserver.samdom.net failed alias uniqueness check
>>>>>>
>>>>>>
>>>>>> A search for the SPN returns that a similar SPN is in use for
>>>>>> Apache's service-account (but it does not have the HOST/ SPN
>>>>>> assigned, exactly as intended):
>>>>>>
>>>>>> samba-tool spn list svc_myserver_apache
>>>>>> svc_myserver_apache
>>>>>> User CN=svc_myserver_apache,OU=Service
>>>>>> Accounts,OU=Noninteractive
>>>>>> Users,DC=samdom,DC=net has the following
>>>>>> servicePrincipalName:
>>>>>>              HTTP/myserver.samdom.net
>>>>>>
>>>>>> samba-tool spn list svc_myserver_apache
>>>>>> svc_myserver_apache
>>>>>> User CN=svc_myserver_apache,OU=Service
>>>>>> Accounts,OU=Noninteractive
>>>>>> Users,DC=samdom,DC=net has the following
>>>>>> servicePrincipalName:
>>>>>>              HTTP/myserver.samdom.net
>>>>>> root at controller01:/var/log/samba# samba-tool user show
>>>>>> svc_myserver_apache
>>>>>> dn: CN=svc_myserver_apache,OU=Service
>>>>>> Accounts,OU=Noninteractive
>>>>>> Users,DC=samdom,DC=net
>>>>>> objectClass: top
>>>>>> objectClass: person
>>>>>> objectClass: organizationalPerson
>>>>>> objectClass: user
>>>>>> cn: svc_myserver_apache
>>>>>> name: svc_myserver_apache
>>>>>> sAMAccountName: svc_myserver_apache
>>>>>> userPrincipalName: svc_myserver_apache at samdom.net
>>>>>> servicePrincipalName: HTTP/myserver.samdom.net
>>>>>> <fields removed to reduce output>
>>>>>>
>>>>>> A final test indeed shows HOST/myserver.samdom.net and
>>>>>> HTTP/myserver.samdom.net are colliding when they are not set
>>>>>> on one user:
>>>>>>
>>>>>> samba-tool spn add HOST/myserver.samdom.net myserver$
>>>>>> check_spn_alias_collision: trying to add SPN 'HOST/myserver.samdom.net' on 'CN=myserver,OU=Member Servers,DC=samdom,DC=net' when 'http/myserver.samdom.net' is on 'CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net'
>>>>>> samldb_spn_uniqueness_check: SPN HOST/myserver.samdom.net failed alias uniqueness check
>>>>>>
>>>>>> This all happens on a pretty new domain setup on 4.15.3.
>>>>>>
>>>>>> The interesting thing is that I have this exact configuration
>>>>>> on
>>>>>> other
>>>>>> domain which was setup a while ago, probably 4.13. This
>>>>>> domain
>>>>>> was
>>>>>> upgraded to 4.14 and to 4.15.3:
>>>>>>
>>>>>> samba-tool computer show otherserver
>>>>>> dn: CN=otherserver,OU=Member Servers,DC=otherdom,DC=net
>>>>>> objectClass: top
>>>>>> objectClass: person
>>>>>> objectClass: organizationalPerson
>>>>>> objectClass: user
>>>>>> objectClass: computer
>>>>>> cn: otherserver
>>>>>> sAMAccountName: otherserver$
>>>>>> servicePrincipalName: HOST/otherserver
>>>>>> servicePrincipalName: HOST/otherserver.otherdom.net
>>>>>> servicePrincipalName: nfs/otherserver.otherdom.net
>>>>>>
>>>>>> samba-tool user show svc_otherserver_apache
>>>>>> dn: CN=svc_otherserver_apache,OU=Service
>>>>>> Accounts,OU=Noninteractive
>>>>>> Users,DC=otherdom,DC=net
>>>>>> objectClass: top
>>>>>> objectClass: person
>>>>>> objectClass: organizationalPerson
>>>>>> objectClass: user
>>>>>> cn: svc_otherserver_apache
>>>>>> name: svc_otherserver_apache
>>>>>> sAMAccountName: svc_otherserver_apache
>>>>>> userPrincipalName: svc_otherserver_apache at otherdom.net
>>>>>> servicePrincipalName: HTTP/otherserver.otherdom.net
>>>>>>
>>>>>> Is there a way around the issue without eliminating the
>>>>>> service-account and its SPN?
>>>>>>
>>>>>> Is it a new issue in 4.15?
>>>>>>
>>>>>> - Kees
>>>>> It is an AD thing, try reading this thread:
>>>>> https://lists.samba.org/archive/samba/2021-November/238694.html
>>>>>
>>>>> Basically, having an SPN starting with 'host' (or 'HOST') sets
>>>>> 'http'
>>>>> as well.
>>>>>
>>>>> Rowland
>>>>>
>>>>>
>>>>>
>>>> If I want to get to the situation in otherdom, would this
>>>> sequence do the trick? :
>>>>
>>>> - remove http/ spn from service-account
>>>>
>>>> - join machine
>>>>
>>>> - remove http/ spn from computer account
>>>>
>>>> - add http/ spn to service-account
>>>   From my understanding 'host' is an alias for a large number of
>>> other
>>> SPN's, 'http' being among them. From this, I actually do not think
>>> you
>>> should be setting 'http/myserver.samdom.net' on anything.
>>>
>>> Rowland
>>>
>>>
>>>
>> I think I have found the list of aliases on computer-accounts, it is
>> pretty long:
>>
>> https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc772815(v=ws.10)#service-principal-names
>> Compared to this list it seems that Samba is checking fewer aliases.
>> As you can see both 'http' and 'www' are in Microsoft's list.
>>
>> Trying to put 'http' on my service-account fails, but doing the same
>> with 'www' works like a charm.
>>
>> And now I know how I got the 'http' spn on the service-account, look
>> at
>> this:
>>
>> samba-tool spn add 'HTTP/myserver.samdom.net' svc_myserver_apache
>> check_spn_alias_collision: trying to add SPN
>> 'HTTP/myserver.samdom.net'
>> on 'CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive
>> Users,DC=samdom,DC=net' when 'host/myserver.samdom.net' is on
>> 'CN=myserver,OU=Member Servers,DC=samdom,DC=net'
>>
>> samba-tool spn add 'WWW/myserver.samdom.net' svc_myserver_apache
>>
>> samba-tool spn list svc_myserver_apache
>> svc_myserver_apache
>> User CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive
>> Users,DC=samdom,DC=net has the following servicePrincipalName:
>>            HTTP/myserver.samdom.net
>>            WWW/myserver.samdom.net
>>
>>
>> So 'http' returns an error but does get added !
>>
>> 'www' does not return an error and also gets added.
>>
>> Then when you have 'http' on another account than the computer-
>> account, the domain-join fails !
> This is this list from my domain:
>
> sPNMappings: host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,
> replicator,eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,
> fax,msiserver,ias,messenger,netlogon,netman,netdde,netddedsm,nmagent,
> plugplay,protectedstorage,rasman,rpclocator,rpc,rpcss,remoteaccess,
> rsvp,samss,scardsvr,scesrv,seclogon,scm,dcom,cifs,spooler,snmp,
> schedule,tapisrv,trksvr,trkwks,ups,time,wins,www,http,w3svc,
> iisadmin,msdtc
How did you get that list?
>> Shall I file a bug for this?
> No, because I don't think it is a bug, everything seems to be working
> as it should.
>
> Rowland

I am not so sure: I get an error on adding 'http' but then it still adds 
it, while no error is shown on 'www', which has exactly the same 
limitation as 'http'.
To say the least, this is inconsistent behaviour.

If I understand the following MS doc right, the operation of adding 
non-unique SPNs should fail unless specific settings are applied in 
dSHeuristics.
KB5008382—Verification of uniqueness for user principal name, service 
principal name, and the service principal name alias 
<https://support.microsoft.com/en-us/topic/kb5008382-verification-of-uniqueness-for-user-principal-name-service-principal-name-and-the-service-principal-name-alias-cve-2021-42282-4651b175-290c-4e59-8fcb-e4e5cd0cdb29> 



- Kees
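The alias check the thread is arguing about can be modelled in a few lines. The following is an added example written for this page; it is not Samba's samldb code and not anything posted in the thread. It parses the sPNMappings value Rowland pasted (the default 'host=' alias list), canonicalises every SPN through that table and then looks for another object already holding the same canonical SPN, which is exactly why HTTP/myserver.samdom.net on the service account blocks HOST/myserver.samdom.net on the computer account and vice versa. The function names, the directory snapshots and the DNs are constructed for the example. Note that this model applies every alias in sPNMappings, so it flags 'www' as well; the thread reports that Samba 4.15.3 rejects 'http' but accepts 'www', which is the inconsistency Kees is pointing at.

```python
"""
Model of the SPN alias uniqueness check discussed in this thread.

Added example, not Samba's own samldb code. SPN_MAPPINGS is the value pasted
in the thread; the directory snapshots below are constructed, not real LDAP
output. Service class names are compared case-insensitively, as the
check_spn_alias_collision log lines ('HOST/...' vs 'http/...') show.
"""

# Default 'host' alias list as pasted in the thread (sPNMappings attribute).
SPN_MAPPINGS = (
    "host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,"
    "replicator,eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,"
    "fax,msiserver,ias,messenger,netlogon,netman,netdde,netddedsm,nmagent,"
    "plugplay,protectedstorage,rasman,rpclocator,rpc,rpcss,remoteaccess,"
    "rsvp,samss,scardsvr,scesrv,seclogon,scm,dcom,cifs,spooler,snmp,"
    "schedule,tapisrv,trksvr,trkwks,ups,time,wins,www,http,w3svc,"
    "iisadmin,msdtc"
)


def parse_spn_mappings(value):
    """Turn 'canonical=alias1,alias2,...' lines into {alias: canonical}.

    The canonical class maps to itself so that lookups are uniform; a
    multi-valued attribute is handled by feeding one mapping per line.
    """
    aliases = {}
    for line in value.splitlines():
        canonical, _, alias_list = line.strip().partition("=")
        canonical = canonical.lower()
        if not canonical:
            continue
        aliases[canonical] = canonical
        for alias in alias_list.split(","):
            alias = alias.strip().lower()
            if alias:
                aliases[alias] = canonical
    return aliases


def split_spn(spn):
    """'HTTP/myserver.samdom.net' -> ('http', 'myserver.samdom.net')."""
    service, _, rest = spn.partition("/")
    return service.lower(), rest.lower()


def canonical_spn(spn, aliases):
    """Rewrite the service class through the alias table: HTTP/x -> host/x."""
    service, rest = split_spn(spn)
    return aliases.get(service, service) + "/" + rest


def find_spn_collision(new_spn, target_dn, directory, aliases):
    """Return (dn, existing_spn) of the first *other* object whose SPN
    canonicalises to the same value as new_spn, or None if it is unique.

    directory is a constructed {dn: [spn, ...]} snapshot. SPNs already on
    target_dn itself never collide, matching the otherdom example where
    HOST/ and nfs/ live together on one computer object.
    """
    wanted = canonical_spn(new_spn, aliases)
    for dn, spns in directory.items():
        if dn == target_dn:
            continue
        for existing in spns:
            if canonical_spn(existing, aliases) == wanted:
                return dn, existing
    return None


# Constructed DNs mirroring the thread's objects.
COMPUTER_DN = "CN=myserver,OU=Member Servers,DC=samdom,DC=net"
SERVICE_DN = ("CN=svc_myserver_apache,OU=Service Accounts,"
              "OU=Noninteractive Users,DC=samdom,DC=net")


def directory_after_join():
    """Machine joined first: HOST/ SPNs sit on the computer object."""
    return {COMPUTER_DN: ["HOST/myserver", "HOST/myserver.samdom.net"],
            SERVICE_DN: []}


def directory_before_join():
    """Service account created first with HTTP/, machine not yet joined."""
    return {COMPUTER_DN: [], SERVICE_DN: ["HTTP/myserver.samdom.net"]}


if __name__ == "__main__":
    aliases = parse_spn_mappings(SPN_MAPPINGS)
    cases = [
        ("HTTP/myserver.samdom.net", SERVICE_DN, directory_after_join()),
        ("WWW/myserver.samdom.net", SERVICE_DN, directory_after_join()),
        ("NFS/myserver.samdom.net", SERVICE_DN, directory_after_join()),
        ("HOST/myserver.samdom.net", COMPUTER_DN, directory_before_join()),
    ]
    for spn, target, snapshot in cases:
        hit = find_spn_collision(spn, target, snapshot, aliases)
        verdict = f"collides with {hit[1]} on {hit[0]}" if hit else "unique"
        print(f"{spn:26} -> {verdict}")
```

Running the block prints one line per case: the two web SPNs and the reverse HOST/ join both collide, while NFS/ (not an alias of host) is accepted. A DC that enforces the full alias table would therefore reject the first WWW/ add as well; with the behaviour described in the thread, the fix on the service side is to stop putting host-aliased classes on a second account or to apply the dSHeuristics settings from KB5008382 knowingly.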

