Setting computer SPNs with Samba 4?

Pekka L.J. Jalkanen pekka.jalkanen at vihreat.fi
Tue Dec 4 06:06:39 MST 2012


Thank you, Lukasz!

On 4.12.2012 2:10, Lukasz Zalewski wrote:
> Hi Pekka,
> On 03/12/2012 10:25, Pekka L.J. Jalkanen wrote:
>> I've got no comments to my below message, so I'm going to ask again
>> arguably the most important of my questions under a more specific
>> subject:
>>
>>> How can I add, remove and edit SPNs of the computer objects if I
>>> wouldn't have any Windows DCs (and thus couldn't run setspn) but just
>>> Samba 4 DCs (samba-tool spn only works with user objects)?
> You can add spn's to computer objects,
> 
> ...
> 
> bin/samba-tool spn add foo/bar.mydom wrkstn$

I had actually tried that, except...

> Indeed the command references users (in the output text and the help
> options) but it seems to be happy to add these to the computer objects.
> Note, that it uses samaccountname attribute as the search filter, so for
> computer object you will have to append $ at the end (list, add and
> delete should then work).

...that I didn't realise that it uses samaccountnames, and that they
should be appended with '$'.

Perhaps I should file a documentation bug report here? What do you think?

> Alternatively if you have a Windows workstation on samba4 domain you can
> use RSAT:
> https://wiki.samba.org/index.php/Samba4/HOWTO#Viewing_Samba_4_Active_Directory_object_from_Windows

I did know about RSAT, but I had assumed that it is only useful for
connecting to remote computers via MMC snap-ins. I had thought that SPNs
should have been executed locally on a Windows DC, but after
double-checking some MS documentation I have now realised that any
domain member would do.

> HTH

Well, you did, very much. Thanks again!

(Of course I still hope that the original problems could somehow be
traced, as I'd guess that provisioning is supposed to create all the
necessary SPNs by default. But may be I'll find time to investigate and
test this further sometime in the future.)


Pekka

>>
>> The thing is that as I've got no better answer to problems I've
>> observed, I must assume that every newly provisioned Samba 4 DC
>> potentially has to be fixed by adding new SPNs manually--a procedure
>> that, to my best knowledge, can only be done in Windows...
>>
>>
>> Pekka L.J. Jalkanen
>>
>>
>> On 28.11.2012 19:57, Pekka L.J. Jalkanen wrote:
>>> On 23.11.2012 21:14, Pekka L.J. Jalkanen wrote:
>>>> Specifically, I noticed that the Samba shipped with Debian Squeeze
>>>> (version 3.5.6) always fails to connect to my Samba 4 installation.
>>>>
>>>> Symptoms are that if the DC is Windows 2003 R2, the Samba client will
>>>> successfully obtain a TGT, but if it is Samba 4, it will fail with an
>>>> error "Server not found in Kerberos database".
>>>
>>> OK, I think that I've finally got forward with this. Since I got no
>>> answers here, I started to search more information about SPNs.
>>>
>>> I finally found the setspn utility for Windows. (Documentation for
>>> W2k3 at
>>> http://technet.microsoft.com/en-us/library/cc773257%28v=ws.10%29.aspx
>>> and for W2k8 at
>>> http://technet.microsoft.com/en-us/library/cc731241%28v=ws.10%29.aspx
>>>
>>> Note that the "samba-tool spn" command can't be used to list SPNs for
>>> computer objects, so it didn't help me here.
>>>
>>> Back to my original Winbind error:
>>>
>>>> [2012/11/23 20:13:02.347555,  1] libsmb/clikrb5.c:799(ads_krb5_mk_req)
>>>>    ads_krb5_mk_req: smb_krb5_get_credentials failed for
>>>> ldap/samba4dc.mydomain.site at MYDOMAIN.SITE (Server not found in Kerberos
>>>> database)
>>>> [2012/11/23 20:13:02.347599,  0]
>>>> libads/sasl.c:821(ads_sasl_spnego_bind)
>>>>    kinit succeeded but ads_sasl_spnego_krb5_bind failed: Server not
>>>> found
>>>> in Kerberos database
>>>> [2012/11/23 20:13:02.347686,  1]
>>>> winbindd/winbindd_ads.c:126(ads_cached_connection)
>>>>    ads_connect for domain MYDOMAIN failed: Server not found in Kerberos
>>>> database
>>>
>>> I first used setspn to list the SPNs for my DCs. Below are the results
>>> for my Windows DC:
>>>
>>> PS C:\> setspn -l w2k3r2dc
>>> Registered ServicePrincipalNames for CN=W2K3R2DC,OU=Domain
>>> Controllers,DC=mydomain,DC=site:
>>>      WSMAN/w2k3r2dc.mydomain.site
>>>      WSMAN/w2k3r2dc
>>>      NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/w2k3r2dc.mydomain.site
>>>      GC/w2k3r2dc.mydomain.site/mydomain.site
>>>      HOST/w2k3r2dc.mydomain.site/MYDOMAIN
>>>      HOST/MYDOMAIN
>>>      HOST/w2k3r2dc.mydomain.site
>>>      HOST/w2k3r2dc.mydomain.site/mydomain.site
>>>
>>> E3514235-4B06-11D1-AB04-00C04FC2DCD2/b3157fd4-db4b-429d-9609-f18d7dba64fc/mydomain.site
>>>
>>>      ldap/b3157fd4-db4b-429d-9609-f18d7dba64fc._msdcs.mydomain.site
>>>      ldap/w2k3r2dc.mydomain.site/MYDOMAIN
>>>      ldap/MYDOMAIN
>>>      ldap/w2k3r2dc.mydomain.site
>>>      ldap/w2k3r2dc.mydomain.site/mydomain.site
>>>
>>> But the same command for my Samba 4 DC gave me only this:
>>>
>>> PS C:\> setspn -l ganymede
>>
>> Oops, the real hostname of my DC accidentally revealed here. Should've
>> been "samba4dc". Oh well.
>>
>>> Registered ServicePrincipalNames for CN=SAMBA4DC,OU=Domain
>>> Controllers,DC=mydomain,DC=site:
>>>
>>> E3514235-4B06-11D1-AB04-00C04FC2DCD2/06dfbcf0-1efe-4613-9fbc-4329abd5de54/mydomain.site
>>>
>>>      GC/SAMBA4DC.mydomain.site/mydomain.site
>>>      HOST/SAMBA4DC.mydomain.site
>>>      HOST/SAMBA4DC
>>>
>>> While the WSMANs are clearly unrelated and NtFrs is something that Samba
>>> simply isn't supporting just yet, the rest of the missing entries are
>>> more suspicious.
>>>
>>> Now, as soon as I ran "setspn -a ldap/samba4dc.mydomain.site samba4dc",
>>> and restarted wbinfo on my test client (where I'd set iptables rules so
>>> that it only communicates with my Samba 4 DC and not with my Windows
>>> DC), winbind got a TGT:
>>>
>>> [2012/11/28 18:07:53.579887,  3] libads/sasl.c:791(ads_sasl_spnego_bind)
>>>    ads_sasl_spnego_bind: got server principal name =
>>> not_defined_in_RFC4178 at please_ignore
>>> [2012/11/28 18:07:53.580111,  3] libsmb/clikrb5.c:787(ads_krb5_mk_req)
>>>    ads_krb5_mk_req: krb5_cc_get_principal failed (No credentials
>>> cache found)
>>> [2012/11/28 18:07:53.607052,  4] libsmb/clikrb5.c:807(ads_krb5_mk_req)
>>>    ads_krb5_mk_req: Advancing clock by 2 seconds to cope with clock skew
>>> [2012/11/28 18:07:53.607089,  3]
>>> libsmb/clikrb5.c:622(ads_cleanup_expired_creds)
>>>    ads_cleanup_expired_creds: Ticket in ccache[MEMORY:winbind_ccache]
>>> expiration Thu, 29 Nov 2012 04:07:55 EET
>>> [2012/11/28 18:07:53.607114,  3] libsmb/clikrb5.c:840(ads_krb5_mk_req)
>>>    ads_krb5_mk_req: server marked as OK to delegate to, building
>>> forwardable TGT
>>>
>>> This, however, while fixing my initial problem, raises a number of
>>> questions:
>>>
>>> 1. Why are all the ldap-SPNs and two of the four HOST-SPNs missing from
>>> my Samba 4 DC? Are there any likely reasons?
>>>
>>> 2. Should I add similar HOST and ldap SPNs for my Samba 4 DC as already
>>> exist on my Windows DC, where they don't yet exist (I'm assuming yes)?
>>>
>>> 3. Are there any adverse effects in adding new SPNs manually (provided
>>> that I'm not creating duplicates)?
>>>
>>> 4. How can I add, remove and edit SPNs of the computer objects if I
>>> wouldn't have any Windows DCs (and thus couldn't run setspn) but just
>>> Samba 4 DCs (samba-tool spn only works with user objects)?
>>>
>>> 5. If I'd provision new Samba 4 DCs in the future, is it likely that
>>> they'd also have missing SPNs?
>>>
>>> 6. In the log.samba on my Samba 4 DC (-d2) the following error is
>>> repeated every ten minutes (or so):
>>>
>>> [2012/11/28 18:59:09,  0]
>>> ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>>>    /usr/local/samba/sbin/samba_spnupdate: Traceback (most recent call
>>> last):
>>> [2012/11/28 18:59:09,  0]
>>> ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>>>    /usr/local/samba/sbin/samba_spnupdate:   File
>>> "/usr/local/samba/sbin/samba_spnupdate", line 252, in <module>
>>> [2012/11/28 18:59:09,  0]
>>> ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>>>    /usr/local/samba/sbin/samba_spnupdate:     local_update(add_list)
>>> [2012/11/28 18:59:09,  0]
>>> ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>>>    /usr/local/samba/sbin/samba_spnupdate:   File
>>> "/usr/local/samba/sbin/samba_spnupdate", line 198, in local_update
>>> [2012/11/28 18:59:09,  0]
>>> ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>>>    /usr/local/samba/sbin/samba_spnupdate:     res = samdb.modify(msg)
>>> [2012/11/28 18:59:09,  0]
>>> ../lib/util/util_runcmd.c:334(samba_runcmd_io_handler)
>>>    /usr/local/samba/sbin/samba_spnupdate: _ldb.LdbError: (53, 'cannot
>>> change replicated attribute on partial replica at
>>> ../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:1402')
>>>
>>> How likely is it related to this problem?
>>>
>>> 7. If I run "samba-tool dbcheck --cross-ncs --fix" I get a lot of
>>> messages akin to the following:
>>>
>>> Checking 3352 objects
>>> ERROR: wrong instanceType 4 on CN=NTDS
>>> Settings\0ADEL:35a8e35d-2a28-4e20-8bb6-ece963ca0ae5,CN=SAMBA4DC\0ADEL:a9415b11-4f1b-479c-8c12-383085bb34bd,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=site,
>>>
>>> should be 0
>>> Change instanceType from 4 to 0 on CN=NTDS
>>> Settings\0ADEL:35a8e35d-2a28-4e20-8bb6-ece963ca0ae5,CN=SAMBA4DC\0ADEL:a9415b11-4f1b-479c-8c12-383085bb34bd,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=site?
>>>
>>> [y/N/all/none]
>>>
>>> But if I press "y", they won't get fixed. Instead a "not found" error is
>>> given:
>>>
>>> Failed to correct missing instanceType on CN=NTDS
>>> Settings\0ADEL:35a8e35d-2a28-4e20-8bb6-ece963ca0ae5,CN=SAMBA4DC\0ADEL:a9415b11-4f1b-479c-8c12-383085bb34bd,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=site
>>>
>>> by setting instanceType=0 : (32, "Base-DN
>>> '<GUID=35a8e35d-2a28-4e20-8bb6-ece963ca0ae5>;CN=NTDS
>>> Settings\\0ADEL:35a8e35d-2a28-4e20-8bb6-ece963ca0ae5,CN=GANYMEDE\\0ADEL:a9415b11-4f1b-479c-8c12-383085bb34bd,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=site'
>>>
>>> not found")
>>>
>>> There are over 80 of those instanceType failures printed every time the
>>> command "samba-tool dbcheck --cross-ncs --fix" is run. I think that most
>>> of those are referring to objects that no longer exist, but some are
>>> referring to the DC itself, though even those could be related to an
>>> earlier provision.
>>>
>>> How likely it is that those errors are related to my SPN problems?
>>>
>>> 8. Last but not least: could any of the above refer to a heretofore
>>> unreported bug? Or are these related to some already-addressed bug? (The
>>> DC was provisioned around b4, even though it is rc5 now).
>>>
>>> Thanks in advance for any answers... I hope I can get this to work on my
>>> own now, but I'm still grateful for any answers that could help me to
>>> understand things better!
>>>
>>>
>>> Pekka L.J. Jalkanen

-- 
Pekka L.J. Jalkanen, pekka.jalkanen at vihreat.fi, +358-44-5510534
Vihreät / De Gröna, http://www.vihreat.fi/
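The SPN comparison above was done by eye against setspn output. The script below is an added example, written for this page and not code from the thread or from the Samba project: it takes a pasted SPN listing for the Samba 4 DC, derives the HOST/ldap/GC/replication SPNs that the Windows 2003 R2 DC in the thread carries (WSMAN and NtFrs are left out, as the author did), reports which are missing, and prints the corresponding samba-tool commands, addressing the computer account by its sAMAccountName with the trailing '$'. The hostname samba4dc, realm mydomain.site, NetBIOS name MYDOMAIN and the NTDS Settings GUID are the sanitised values from the listing above; whether a clean Samba provision is supposed to produce exactly this set is not established by the thread, so treat the "expected" list as the Windows template, not as Samba's specification. The sample listing is constructed from the thread's output.

```shell
#!/bin/sh
# Added example, not part of the original thread. Compares a DC's SPN list
# against the set a Windows 2003 R2 DC carries and emits samba-tool commands.

# Constructed sample: the Samba 4 DC listing from the thread (setspn -l body).
SAMBA_DC_SPNS='E3514235-4B06-11D1-AB04-00C04FC2DCD2/06dfbcf0-1efe-4613-9fbc-4329abd5de54/mydomain.site
GC/SAMBA4DC.mydomain.site/mydomain.site
HOST/SAMBA4DC.mydomain.site
HOST/SAMBA4DC'

# expected_dc_spns HOST REALM NETBIOS NTDS_GUID
# The HOST, ldap, GC and DRS-replication SPNs of the Windows DC in the thread,
# with names substituted. WSMAN and NtFrs are deliberately omitted.
expected_dc_spns() {
  host=$1 realm=$2 netbios=$3 guid=$4
  fqdn="$host.$realm"
  printf '%s\n' \
    "HOST/$fqdn" \
    "HOST/$fqdn/$realm" \
    "HOST/$fqdn/$netbios" \
    "HOST/$netbios" \
    "ldap/$fqdn" \
    "ldap/$fqdn/$realm" \
    "ldap/$fqdn/$netbios" \
    "ldap/$netbios" \
    "ldap/$guid._msdcs.$realm" \
    "GC/$fqdn/$realm" \
    "E3514235-4B06-11D1-AB04-00C04FC2DCD2/$guid/$realm"
}

# missing_spns HOST REALM NETBIOS NTDS_GUID  < actual-listing
# Prints every expected SPN that is absent from the listing read on stdin.
# The comparison ignores case (the listing shows SAMBA4DC, the template
# uses samba4dc); the SPNs are printed in the template's spelling.
missing_spns() {
  tmp=$(mktemp)
  tr '[:upper:]' '[:lower:]' | sed 's/^[[:space:]]*//;/^$/d' | sort -u > "$tmp"
  expected_dc_spns "$@" | while IFS= read -r spn; do
    lc=$(printf '%s' "$spn" | tr '[:upper:]' '[:lower:]')
    grep -qxF -- "$lc" "$tmp" || printf '%s\n' "$spn"
  done
  rm -f "$tmp"
}

# spn_add_commands ACCOUNT  < spn-list
# One "samba-tool spn add" per line. For a computer object the account is
# the sAMAccountName, which ends in '$' (the detail the thread turned on).
spn_add_commands() {
  account=$1
  while IFS= read -r spn; do
    printf "samba-tool spn add '%s' '%s'\n" "$spn" "$account"
  done
}

# Run against the thread's listing: prints the commands still needed.
printf '%s\n' "$SAMBA_DC_SPNS" \
  | missing_spns samba4dc mydomain.site MYDOMAIN 06dfbcf0-1efe-4613-9fbc-4329abd5de54 \
  | spn_add_commands 'SAMBA4DC$'
```

Run the printed commands on the Samba 4 DC, then confirm with `samba-tool spn list 'SAMBA4DC$'` that the entries are present and that no SPN is registered on two accounts. The HOST/SAMBA4DC entry that the Samba DC carries but the Windows listing lacks is left alone; the script only reports what is missing, it does not propose deletions.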

