Setting computer SPNs with Samba 4?

Pekka L.J. Jalkanen pekka.jalkanen at vihreat.fi
Mon Dec 3 03:25:35 MST 2012


I've got no comments to my below message, so I'm going to ask again
arguably the most important of my questions under a more specific subject:

> How can I add, remove and edit SPNs of the computer objects if I
> wouldn't have any Windows DCs (and thus couldn't run setspn) but just
> Samba 4 DCs (samba-tool spn only works with user objects)?

The thing is that as I've got no better answer to problems I've
observed, I must assume that every newly provisioned Samba 4 DC
potentially has to be fixed by adding new SPNs manually--a procedure
that, to my best knowledge, can only be done in Windows...


Pekka L.J. Jalkanen


On 28.11.2012 19:57, Pekka L.J. Jalkanen wrote:
> On 23.11.2012 21:14, Pekka L.J. Jalkanen wrote:
>> Specifically, I noticed that the Samba shipped with Debian Squeeze
>> (version 3.5.6) always fails to connect to my Samba 4 installation.
>>
>> Symptoms are that if the DC is Windows 2003 R2, the Samba client will
>> successfully obtain a TGT, but if it is Samba 4, it will fail with an
>> error "Server not found in Kerberos database".
> 
> OK, I think that I've finally got forward with this. Since I got no
> answers here, I started to search more information about SPNs.
> 
> I finally found the setspn utility for Windows. (Documentation for W2k3 at
> http://technet.microsoft.com/en-us/library/cc773257%28v=ws.10%29.aspx
> and for W2k8 at
> http://technet.microsoft.com/en-us/library/cc731241%28v=ws.10%29.aspx)
> 
> Note that the "samba-tool spn" command can't be used to list SPNs for
> computer objects, so it didn't help me here.
> 
> Back to my original Winbind error:
> 
>> [2012/11/23 20:13:02.347555,  1] libsmb/clikrb5.c:799(ads_krb5_mk_req)
>>   ads_krb5_mk_req: smb_krb5_get_credentials failed for
>> ldap/samba4dc.mydomain.site at MYDOMAIN.SITE (Server not found in Kerberos
>> database)
>> [2012/11/23 20:13:02.347599,  0] libads/sasl.c:821(ads_sasl_spnego_bind)
>>   kinit succeeded but ads_sasl_spnego_krb5_bind failed: Server not found
>> in Kerberos database
>> [2012/11/23 20:13:02.347686,  1]
>> winbindd/winbindd_ads.c:126(ads_cached_connection)
>>   ads_connect for domain MYDOMAIN failed: Server not found in Kerberos
>> database
> 
> I first used setspn to list the SPNs for my DCs. Below are the results
> for my Windows DC:
> 
> PS C:\> setspn -l w2k3r2dc
> Registered ServicePrincipalNames for CN=W2K3R2DC,OU=Domain
> Controllers,DC=mydomain,DC=site:
>     WSMAN/w2k3r2dc.mydomain.site
>     WSMAN/w2k3r2dc
>     NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/w2k3r2dc.mydomain.site
>     GC/w2k3r2dc.mydomain.site/mydomain.site
>     HOST/w2k3r2dc.mydomain.site/MYDOMAIN
>     HOST/MYDOMAIN
>     HOST/w2k3r2dc.mydomain.site
>     HOST/w2k3r2dc.mydomain.site/mydomain.site
> 
> E3514235-4B06-11D1-AB04-00C04FC2DCD2/b3157fd4-db4b-429d-9609-f18d7dba64fc/mydomain.site
>     ldap/b3157fd4-db4b-429d-9609-f18d7dba64fc._msdcs.mydomain.site
>     ldap/w2k3r2dc.mydomain.site/MYDOMAIN
>     ldap/MYDOMAIN
>     ldap/w2k3r2dc.mydomain.site
>     ldap/w2k3r2dc.mydomain.site/mydomain.site
> 
> But the same command for my Samba 4 DC gave me only this:
> 
> PS C:\> setspn -l ganymede

Oops, the real hostname of my DC accidentally revealed here. Should've
been "samba4dc". Oh well.

> Registered ServicePrincipalNames for CN=SAMBA4DC,OU=Domain
> Controllers,DC=mydomain,DC=site:
> 
> E3514235-4B06-11D1-AB04-00C04FC2DCD2/06dfbcf0-1efe-4613-9fbc-4329abd5de54/mydomain.site
>     GC/SAMBA4DC.mydomain.site/mydomain.site
>     HOST/SAMBA4DC.mydomain.site
>     HOST/SAMBA4DC
> 
> While the WSMANs are clearly unrelated and NtFrs is something that Samba
> isn't simply supporting just yet, the rest of the missing entries are
> more suspicious.
> 
> Now, as soon as I ran "setspn -a ldap/samba4dc.mydomain.site samba4dc",
> and restarted wbinfo on my test client (where I'd set iptables rules so
> that it only communicates with my Samba 4 DC and not with my Windows
> DC), winbind got a TGT:
> 
> [2012/11/28 18:07:53.579887,  3] libads/sasl.c:791(ads_sasl_spnego_bind)
>   ads_sasl_spnego_bind: got server principal name =
> not_defined_in_RFC4178 at please_ignore
> [2012/11/28 18:07:53.580111,  3] libsmb/clikrb5.c:787(ads_krb5_mk_req)
>   ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
> [2012/11/28 18:07:53.607052,  4] libsmb/clikrb5.c:807(ads_krb5_mk_req)
>   ads_krb5_mk_req: Advancing clock by 2 seconds to cope with clock skew
> [2012/11/28 18:07:53.607089,  3]
> libsmb/clikrb5.c:622(ads_cleanup_expired_creds)
>   ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache]
> expiration Thu, 29 Nov 2012 04:07:55 EET
> [2012/11/28 18:07:53.607114,  3] libsmb/clikrb5.c:840(ads_krb5_mk_req)
>   ads_krb5_mk_req: server marked as OK to delegate to, building
> forwardable TGT
> 
> This, however, while fixing my initial problem, raises a number of
> questions:
> 
> 1. Why are all the ldap-SPNs and two of the four HOST-SPNs missing from
> my Samba 4 DC? Are there any likely reasons?
> 
> 2. Should I add similar HOST and ldap SPNs for my Samba 4 DC as already
> exist on my Windows DC, where they don't yet exist (I'm assuming yes)?
> 
> 3. Are there any adverse effects in adding new SPNs manually (provided
> that I'm not creating duplicates)?
> 
> 4. How can I add, remove and edit SPNs of the computer objects if I
> wouldn't have any Windows DCs (and thus couldn't run setspn) but just
> Samba 4 DCs (samba-tool spn only works with user objects)?
> 
> 5. If I'd provision new Samba 4 DCs in the future, is it likely that
> they'd also have missing SPNs?
> 
> 6. In the log.samba on my Samba 4 DC (-d2) the following error is
> repeated every ten minutes (or so):
> 
> [2012/11/28 18:59:09,  0]
> ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>   /usr/local/samba/sbin/samba_spnupdate: Traceback (most recent call last):
> [2012/11/28 18:59:09,  0]
> ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>   /usr/local/samba/sbin/samba_spnupdate:   File
> "/usr/local/samba/sbin/samba_spnupdate", line 252, in <module>
> [2012/11/28 18:59:09,  0]
> ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>   /usr/local/samba/sbin/samba_spnupdate:     local_update(add_list)
> [2012/11/28 18:59:09,  0]
> ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>   /usr/local/samba/sbin/samba_spnupdate:   File
> "/usr/local/samba/sbin/samba_spnupdate", line 198, in local_update
> [2012/11/28 18:59:09,  0]
> ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>   /usr/local/samba/sbin/samba_spnupdate:     res = samdb.modify(msg)
> [2012/11/28 18:59:09,  0]
> ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>   /usr/local/samba/sbin/samba_spnupdate: _ldb.LdbError: (53, 'cannot
> change replicated attribute on partial replica at
> ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:1402')
> 
> How likely is it related to this problem?
> 
> 7. If I run "samba-tool dbcheck --cross-ncs --fix" I get a lot of
> messages akin to the following:
> 
> Checking 3352 objects
> ERROR: wrong instanceType 4 on CN=NTDS
> Settings\0ADEL:35a8e35d-2a28-4e20-8bb6-ece963ca0ae5,CN=SAMBA4DC\0ADEL:a9415b11-4f1b-479c-8c12-383085bb34bd,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=site,
> should be 0
> Change instanceType from 4 to 0 on CN=NTDS
> Settings\0ADEL:35a8e35d-2a28-4e20-8bb6-ece963ca0ae5,CN=SAMBA4DC\0ADEL:a9415b11-4f1b-479c-8c12-383085bb34bd,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=site?
> [y/N/all/none]
> 
> But if I press "y", they won't get fixed. Instead a "not found" error is
> given:
> 
> Failed to correct missing instanceType on CN=NTDS
> Settings\0ADEL:35a8e35d-2a28-4e20-8bb6-ece963ca0ae5,CN=SAMBA4DC\0ADEL:a9415b11-4f1b-479c-8c12-383085bb34bd,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=site
> by setting instanceType=0 : (32, "Base-DN
> '<GUID=35a8e35d-2a28-4e20-8bb6-ece963ca0ae5>;CN=NTDS
> Settings\\0ADEL:35a8e35d-2a28-4e20-8bb6-ece963ca0ae5,CN=GANYMEDE\\0ADEL:a9415b11-4f1b-479c-8c12-383085bb34bd,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=site'
> not found")
> 
> There are over 80 of those instanceType failures printed every time the
> command "samba-tool dbcheck --cross-ncs --fix" is run. I think that most
> of those are referring to objects that no longer exist, but some are
> referring to the DC itself, though even those could be related to an
> earlier provision.
> 
> How likely is it that those errors are related to my SPN problems?
> 
> 8. Last but not least: could any of the above refer to a heretofore
> unreported bug? Or are these related to some already-addressed bug? (The
> DC was provisioned around b4, even though it is rc5 now).
> 
> Thanks in advance for any answers... I hope I can get this to work on my
> own now, but I'm still grateful for any answers that could help me to
> understand things better!
> 
> 
> Pekka L.J. Jalkanen
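An added example, not from the post and not Samba's own tooling: a small Python script that takes the DC SPN layout seen on the Windows DC above as the expected set, diffs it against the SPNs the Samba 4 DC actually has (case-insensitively, since AD matches servicePrincipalName that way, so HOST/SAMBA4DC.mydomain.site is not reported as missing), and emits an LDIF modify record adding only the missing ones. The expected set, the NetBIOS-name derivation and the sam.ldb path mentioned below are assumptions.

```python
# Well-known DRS service-class GUID, copied from the setspn output in the post.
DRS_SERVICE_CLASS = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"

def expected_dc_spns(short_name, realm, ntds_guid):
    """SPNs a DC carries in the Windows DC listing from the post (WSMAN and
    NtFrs left out as unrelated). Assumption: the NetBIOS domain name is the
    first DNS label of the realm, upper-cased."""
    fqdn = f"{short_name}.{realm}"
    netbios = realm.split(".")[0].upper()
    spns = [f"GC/{fqdn}/{realm}"]
    for svc in ("HOST", "ldap"):
        spns += [f"{svc}/{fqdn}/{netbios}", f"{svc}/{netbios}",
                 f"{svc}/{fqdn}", f"{svc}/{fqdn}/{realm}"]
    spns += [f"{DRS_SERVICE_CLASS}/{ntds_guid}/{realm}",
             f"ldap/{ntds_guid}._msdcs.{realm}"]
    return spns

def missing_spns(expected, present):
    """AD matches servicePrincipalName case-insensitively, so normalise before
    diffing; otherwise HOST/SAMBA4DC.mydomain.site would look missing."""
    have = {spn.lower() for spn in present}
    return [spn for spn in expected if spn.lower() not in have]

def add_spn_ldif(dn, spns):
    """One LDIF modify record adding each SPN, in the form ldbmodify reads."""
    if not spns:
        return ""
    lines = [f"dn: {dn}", "changetype: modify", "add: servicePrincipalName"]
    lines += [f"servicePrincipalName: {spn}" for spn in spns]
    return "\n".join(lines + ["-", ""])

# Constructed from the 'setspn -l' output for the Samba 4 DC in the post.
SAMBA_DC_DN = "CN=SAMBA4DC,OU=Domain Controllers,DC=mydomain,DC=site"
SAMBA_DC_PRESENT = [
    f"{DRS_SERVICE_CLASS}/06dfbcf0-1efe-4613-9fbc-4329abd5de54/mydomain.site",
    "GC/SAMBA4DC.mydomain.site/mydomain.site",
    "HOST/SAMBA4DC.mydomain.site",
    "HOST/SAMBA4DC",
]

def samba_dc_fixup():
    """Return (missing SPNs, LDIF) for the post's Samba 4 DC."""
    expected = expected_dc_spns("samba4dc", "mydomain.site",
                                "06dfbcf0-1efe-4613-9fbc-4329abd5de54")
    missing = missing_spns(expected, SAMBA_DC_PRESENT)
    return missing, add_spn_ldif(SAMBA_DC_DN, missing)

if __name__ == "__main__":
    print(samba_dc_fixup()[1], end="")
```

On the Samba DC itself the printed LDIF can be fed to ldbmodify against the local sam.ldb (assumed to be /usr/local/samba/private/sam.ldb under the prefix used in the post); because only values not already present are emitted, no duplicate SPNs are created.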



