attribute modification: problem comming soon

Nadezhda Ivanova nadezhda.ivanova at
Tue Aug 18 02:54:47 MDT 2009

Hi Matthieu,
Well, this is certainly not a security (ACL) issue :). What kind of error do you get? Perhaps if we get a wireshark of your LDAP request we can see for ourselves.

Also, I am not sure I understand what you write about Windows behavior and why this is a problem. As far as I know, when you join a computer to a domain, Windows automatically assigns an SPN with two values, HOST/netbiosName and HOST/, and I read somewhere that it is not recommended to change them via LDAP.

So, what are you trying to achieve against Windows, how do you do it and what does Samba 4 do?

Sorry if my questions are irrelevant to your problem...


> -----Original Message-----
> From: Andrew Bartlett [mailto:abartlet at]
> Sent: Tuesday, August 18, 2009 11:43 AM
> To: Matthieu Patou
> Cc: Nadezhda Ivanova; samba-technical
> Subject: Re: attribute modification: problem comming soon
>
> On Tue, 2009-08-18 at 12:38 +0400, Matthieu Patou wrote:
> > Hi Andrew and Nadezhda,
> >
> > A couple of weeks ago I tweaked my S4 in tests to get rid of the
> > verification in kludge_acl.
> >
> > I found that Windows 2008 is willing to modify some of its attributes
> > and for at least one of them, servicePrincipalName, it keeps modifying it,
> > willing to put again and again the same values, i.e.
> >
> > servicePrincipalName: TERMSRV/smbtstvz01.smb4.tst
> > servicePrincipalName: TERMSRV/SMBTSTVZ01
> >
> > Currently samba4 does not appreciate this and returns an error; maybe the
> > behavior should be modified to manage this behavior?
>
> What does Windows do?  What controls are present on the request
> (permissive modify in particular).
> Thanks,
> Andrew Bartlett
> --
> Andrew Bartlett
> Authentication Developer, Samba Team 
> Samba Developer, Cisco Inc.
