Setting computer SPNs with Samba 4?

Lukasz Zalewski lukas at eecs.qmul.ac.uk
Mon Dec 3 17:10:51 MST 2012


Hi Pekka,
On 03/12/2012 10:25, Pekka L.J. Jalkanen wrote:
> I've got no comments to my below message, so I'm going to ask again
> arguably the most important of my questions under a more specific subject:
>
>> How can I add, remove and edit SPNs of the computer objects if I
>> wouldn't have any Windows DCs (and thus couldn't run setspn) but just
>> Samba 4 DCs (samba-tool spn only works with user objects)?
You can add spn's to computer objects, i.e.
bin/samba-tool spn list wrkstn$
User CN=WRKSTN,OU=Domain Computers,DC=mydom has the following servicePrincipalName:
	 HOST/WRKSTN.mydom
	 RestrictedKrbHost/WRKSTN.mydom
	 HOST/WRKSTN
	 RestrictedKrbHost/WRKSTN
	 TERMSRV/WRKSTN.mydom
	 TERMSRV/WRKSTN

then
bin/samba-tool spn add foo/bar.mydom wrkstn$

and
bin/samba-tool spn list wrkstn$
User CN=WRKSTN,OU=Domain Computers,DC=mydom has the following servicePrincipalName:
	 HOST/WRKSTN.mydom
	 RestrictedKrbHost/WRKSTN.mydom
	 HOST/WRKSTN
	 RestrictedKrbHost/WRKSTN
	 TERMSRV/WRKSTN.mydom
	 TERMSRV/WRKSTN
	 foo/bar.mydom

Indeed, the command references users (in the output text and the help 
options), but it seems happy to add these to computer objects.
Note that it uses the samaccountname attribute as the search filter, so for 
a computer object you will have to append $ at the end (list, add and 
delete should then work).

Alternatively, if you have a Windows workstation on a Samba 4 domain you can 
use RSAT:
https://wiki.samba.org/index.php/Samba4/HOWTO#Viewing_Samba_4_Active_Directory_object_from_Windows

HTH

L
>
> The thing is that as I've got no better answer to problems I've
> observed, I must assume that every newly provisioned Samba 4 DC
> potentially has to be fixed by adding new SPNs manually--a procedure
> that, to my best knowledge, can only be done in Windows...
>
>
> Pekka L.J. Jalkanen
>
>
> On 28.11.2012 19:57, Pekka L.J. Jalkanen wrote:
>> On 23.11.2012 21:14, Pekka L.J. Jalkanen wrote:
>>> Specifically, I noticed that the Samba shipped with Debian Squeeze
>>> (version 3.5.6) always fails to connect to my Samba 4 installation.
>>>
>>> Symptoms are that if the DC is Windows 2003 R2, the Samba client will
>>> successfully obtain a TGT, but if it is Samba 4, it will fail with an
>>> error "Server not found in Kerberos database".
>>
>> OK, I think that I've finally got forward with this. Since I got no
>> answers here, I started to search more information about SPNs.
>>
>> I finally found the setspn utility for Windows. (Documentation for W2k3 at
>> http://technet.microsoft.com/en-us/library/cc773257%28v=ws.10%29.aspx
>> and for W2k8 at
>> http://technet.microsoft.com/en-us/library/cc731241%28v=ws.10%29.aspx
>>
>> Note that the "samba-tool spn" command can't be used to list SPNs for
>> computer objects, so it didn't help me here.
>>
>> Back to my original Winbind error:
>>
>>> [2012/11/23 20:13:02.347555,  1] libsmb/clikrb5.c:799(ads_krb5_mk_req)
>>>    ads_krb5_mk_req: smb_krb5_get_credentials failed for
>>> ldap/samba4dc.mydomain.site at MYDOMAIN.SITE (Server not found in Kerberos
>>> database)
>>> [2012/11/23 20:13:02.347599,  0] libads/sasl.c:821(ads_sasl_spnego_bind)
>>>    kinit succeeded but ads_sasl_spnego_krb5_bind failed: Server not found
>>> in Kerberos database
>>> [2012/11/23 20:13:02.347686,  1]
>>> winbindd/winbindd_ads.c:126(ads_cached_connection)
>>>    ads_connect for domain MYDOMAIN failed: Server not found in Kerberos
>>> database
>>
>> I first used setspn to list the SPNs for my DCs. Below are the results
>> for my Windows DC:
>>
>> PS C:\> setspn -l w2k3r2dc
>> Registered ServicePrincipalNames for CN=W2K3R2DC,OU=Domain
>> Controllers,DC=mydomain,DC=site:
>>      WSMAN/w2k3r2dc.mydomain.site
>>      WSMAN/w2k3r2dc
>>      NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/w2k3r2dc.mydomain.site
>>      GC/w2k3r2dc.mydomain.site/mydomain.site
>>      HOST/w2k3r2dc.mydomain.site/MYDOMAIN
>>      HOST/MYDOMAIN
>>      HOST/w2k3r2dc.mydomain.site
>>      HOST/w2k3r2dc.mydomain.site/mydomain.site
>>
>> E3514235-4B06-11D1-AB04-00C04FC2DCD2/b3157fd4-db4b-429d-9609-f18d7dba64fc/mydomain.site
>>      ldap/b3157fd4-db4b-429d-9609-f18d7dba64fc._msdcs.mydomain.site
>>      ldap/w2k3r2dc.mydomain.site/MYDOMAIN
>>      ldap/MYDOMAIN
>>      ldap/w2k3r2dc.mydomain.site
>>      ldap/w2k3r2dc.mydomain.site/mydomain.site
>>
>> But the same command for my Samba 4 DC gave me only this:
>>
>> PS C:\> setspn -l ganymede
>
> Oops, the real hostname of my DC accidentally revealed here. Should've
> been "samba4dc". Oh well.
>
>> Registered ServicePrincipalNames for CN=SAMBA4DC,OU=Domain
>> Controllers,DC=mydomain,DC=site:
>>
>> E3514235-4B06-11D1-AB04-00C04FC2DCD2/06dfbcf0-1efe-4613-9fbc-4329abd5de54/mydomain.site
>>      GC/SAMBA4DC.mydomain.site/mydomain.site
>>      HOST/SAMBA4DC.mydomain.site
>>      HOST/SAMBA4DC
>>
>> While the WSMANs are clearly unrelated and NtFrs is something that Samba
>> isn't simply supporting just yet, the rest of the missing entries are
>> more suspicious.
>>
>> Now, as soon as I ran "setspn -a ldap/samba4dc.mydomain.site samba4dc",
>> and restarted wbinfo on my test client (where I'd set iptables rules so
>> that it only communicates with my Samba 4 DC and not with my Windows
>> DC), winbind got a TGT:
>>
>> [2012/11/28 18:07:53.579887,  3] libads/sasl.c:791(ads_sasl_spnego_bind)
>>    ads_sasl_spnego_bind: got server principal name =
>> not_defined_in_RFC4178 at please_ignore
>> [2012/11/28 18:07:53.580111,  3] libsmb/clikrb5.c:787(ads_krb5_mk_req)
>>    ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials cache found)
>> [2012/11/28 18:07:53.607052,  4] libsmb/clikrb5.c:807(ads_krb5_mk_req)
>>    ads_krb5_mk_req: Advancing clock by 2 seconds to cope with clock skew
>> [2012/11/28 18:07:53.607089,  3]
>> libsmb/clikrb5.c:622(ads_cleanup_expired_creds)
>>    ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache]
>> expiration Thu, 29 Nov 2012 04:07:55 EET
>> [2012/11/28 18:07:53.607114,  3] libsmb/clikrb5.c:840(ads_krb5_mk_req)
>>    ads_krb5_mk_req: server marked as OK to delegate to, building
>> forwardable TGT
>>
>> This, however, while fixing my initial problem, raises a number of
>> questions:
>>
>> 1. Why are all the ldap-SPNs and two of the four HOST-SPNs missing from
>> my Samba 4 DC? Are there any likely reasons?
>>
>> 2. Should I add similar HOST and ldap SPNs for my Samba 4 DC as already
>> exist on my Windows DC, where they don't yet exist (I'm assuming yes)?
>>
>> 3. Are there any adverse effects in adding new SPNs manually (provided
>> that I'm not creating duplicates)?
>>
>> 4. How can I add, remove and edit SPNs of the computer objects if I
>> wouldn't have any Windows DCs (and thus couldn't run setspn) but just
>> Samba 4 DCs (samba-tool spn only works with user objects)?
>>
>> 5. If I'd provision new Samba 4 DCs in the future, is it likely that
>> they'd also have missing SPNs?
>>
>> 6. In the log.samba on my Samba 4 DC (-d2) the following error is
>> repeated every ten minutes (or so):
>>
>> [2012/11/28 18:59:09,  0]
>> ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>>    /usr/local/samba/sbin/samba_spnupdate: Traceback (most recent call last):
>> [2012/11/28 18:59:09,  0]
>> ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>>    /usr/local/samba/sbin/samba_spnupdate:   File
>> "/usr/local/samba/sbin/samba_spnupdate", line 252, in <module>
>> [2012/11/28 18:59:09,  0]
>> ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>>    /usr/local/samba/sbin/samba_spnupdate:     local_update(add_list)
>> [2012/11/28 18:59:09,  0]
>> ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>>    /usr/local/samba/sbin/samba_spnupdate:   File
>> "/usr/local/samba/sbin/samba_spnupdate", line 198, in local_update
>> [2012/11/28 18:59:09,  0]
>> ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>>    /usr/local/samba/sbin/samba_spnupdate:     res = samdb.modify(msg)
>> [2012/11/28 18:59:09,  0]
>> ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>>    /usr/local/samba/sbin/samba_spnupdate: _ldb.LdbError: (53, 'cannot
>> change replicated attribute on partial replica at
>> ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:1402')
>>
>> How likely is it related to this problem?
>>
>> 7. If I run "samba-tool dbcheck --cross-ncs --fix" I get a lot of
>> messages akin to the following:
>>
>> Checking 3352 objects
>> ERROR: wrong instanceType 4 on CN=NTDS
>> Settings\0ADEL:35a8e35d-2a28-4e20-8bb6-ece963ca0ae5,CN=SAMBA4DC\0ADEL:a9415b11-4f1b-479c-8c12-383085bb34bd,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=site,
>> should be 0
>> Change instanceType from 4 to 0 on CN=NTDS
>> Settings\0ADEL:35a8e35d-2a28-4e20-8bb6-ece963ca0ae5,CN=SAMBA4DC\0ADEL:a9415b11-4f1b-479c-8c12-383085bb34bd,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=site?
>> [y/N/all/none]
>>
>> But if I press "y", they won't get fixed. Instead a "not found" error is
>> given:
>>
>> Failed to correct missing instanceType on CN=NTDS
>> Settings\0ADEL:35a8e35d-2a28-4e20-8bb6-ece963ca0ae5,CN=SAMBA4DC\0ADEL:a9415b11-4f1b-479c-8c12-383085bb34bd,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=site
>> by setting instanceType=0 : (32, "Base-DN
>> '<GUID=35a8e35d-2a28-4e20-8bb6-ece963ca0ae5>;CN=NTDS
>> Settings\\0ADEL:35a8e35d-2a28-4e20-8bb6-ece963ca0ae5,CN=GANYMEDE\\0ADEL:a9415b11-4f1b-479c-8c12-383085bb34bd,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=site'
>> not found")
>>
>> There are over 80 of those instanceType failures printed every time the
>> command "samba-tool dbcheck --cross-ncs --fix" is run. I think that most
>> of those are referring to objects that no longer exist, but some are
>> referring to the DC itself, though even those could be related to an
>> earlier provision.
>>
>> How likely is it that those errors are related to my SPN problems?
>>
>> 8. Last but not least: could any of the above refer to a heretofore
>> unreported bug? Or are these related to some already-addressed bug? (The
>> DC was provisioned around b4, even though it is rc5 now).
>>
>> Thanks in advance for any answers... I hope I can get this to work on my
>> own now, but I'm still grateful for any answers that could help me to
>> understand things better!
>>
>>
>> Pekka L.J. Jalkanen
>
>
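An added example, not code from the thread or from Samba, that audits a listing like the ones above: it parses `setspn -l` / `samba-tool spn list` output, reports which of the name-based DC SPNs seen on the Windows DC are absent from a Samba 4 DC, and flags SPNs registered on more than one account before anything is added by hand. The expected set is taken from the Windows DC listing in the thread (GUID-based entries excluded); the sample input is the Samba 4 DC listing as pasted, re-typed with the corrected hostname.

```python
import re
from typing import Dict, List, Set

# A line of `setspn -l` or `samba-tool spn list` output is an SPN if it is
# "<service class>/<name>[/<suffix>]" with no whitespace, e.g. HOST/dc.example.
SPN_RE = re.compile(r"^[A-Za-z0-9_-]+/\S+$")

def parse_spn_listing(text: str) -> List[str]:
    """Extract SPNs from the listing, ignoring header and prompt lines.
    Long SPNs that the terminal wrapped onto their own line are still matched."""
    return [ln.strip() for ln in text.splitlines() if SPN_RE.match(ln.strip())]

def expected_dc_spns(short: str, dns_domain: str, netbios: str) -> Set[str]:
    """The name-based SPNs the Windows DC in the thread carries. GUID-based
    entries (ldap/<guid>._msdcs, NtFrs, E3514235-...) are left out because
    they depend on the DC's own object GUIDs and cannot be derived from names."""
    fqdn = f"{short}.{dns_domain}"
    spns = {f"GC/{fqdn}/{dns_domain}"}
    for svc in ("HOST", "ldap"):
        spns.update({f"{svc}/{fqdn}", f"{svc}/{fqdn}/{dns_domain}",
                     f"{svc}/{fqdn}/{netbios}", f"{svc}/{netbios}"})
    return spns

def missing_spns(listing: str, short: str, dns_domain: str, netbios: str) -> List[str]:
    """Expected SPNs absent from the listing; AD matches SPNs case-insensitively."""
    have = {s.lower() for s in parse_spn_listing(listing)}
    return sorted(s for s in expected_dc_spns(short, dns_domain, netbios)
                  if s.lower() not in have)

def duplicate_spns(accounts: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """SPNs registered on more than one account. The KDC cannot choose a key
    for such a service, so run this before adding SPNs by hand."""
    owners: Dict[str, List[str]] = {}
    for acct, spns in accounts.items():
        for spn in spns:
            owners.setdefault(spn.lower(), []).append(acct)
    return {spn: accts for spn, accts in owners.items() if len(accts) > 1}

# Constructed sample: the Samba 4 DC listing from the thread, hostname corrected.
SAMBA4DC_LISTING = """PS C:\\> setspn -l samba4dc
Registered ServicePrincipalNames for CN=SAMBA4DC,OU=Domain
Controllers,DC=mydomain,DC=site:

E3514235-4B06-11D1-AB04-00C04FC2DCD2/06dfbcf0-1efe-4613-9fbc-4329abd5de54/mydomain.site
     GC/SAMBA4DC.mydomain.site/mydomain.site
     HOST/SAMBA4DC.mydomain.site
     HOST/SAMBA4DC
"""

if __name__ == "__main__":
    for spn in missing_spns(SAMBA4DC_LISTING, "samba4dc", "mydomain.site", "MYDOMAIN"):
        print("missing:", spn)  # includes the ldap/samba4dc.mydomain.site added in the thread
```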