[Samba] Failed to modify SPNs on error in module acl: Constraint violation during LDB_MODIFY (19)

Markus Dellermann li-mli at gmx.net
Sun Mar 13 23:44:47 UTC 2016


On Thursday, 10 March 2016, 10:41:34 CET, mathias dufresne wrote:
Hi Mathias and all,
thank you for your answer.
> Hi all,
> 
> SPN = servicePrincipalName
> 
> A simple search returning all servicePrincipalName declared in your AD:
> ldbsearch -H $sam serviceprincipalname=* serviceprincipalname
>
For me:
ldbsearch -H /var/lib/samba/private/sam.ldb serviceprincipalname=* serviceprincipalname

> An extract from result concerning a lambda client:
> # record 41
> dn: CN=win-client345,OU=Machines,DC=ad,DC=domain,DC=tld
> servicePrincipalName: HOST/MB38W746-0009
> servicePrincipalName: HOST/MB38W746-0009.ad.domain.tld
> servicePrincipalName: TERMSRV/MB38W746-0009.ad.domain.tld
> servicePrincipalName: TERMSRV/MB38W746-0009
> 

An affected client:
# record 6
dn: CN=MACHINE1,CN=Computers,DC=ad,DC=domain,DC=domain,DC=tld
servicePrincipalName: HOST/ MACHINE1.ad.domain.domain.tld
servicePrincipalName: RestrictedKrbHost/MACHINE1.ad.domain.domain.tld
servicePrincipalName: HOST/MACHINE1
servicePrincipalName: RestrictedKrbHost/MACHINE1
servicePrincipalName: TERMSRV/MACHINE1.ad.domain.domain.tld
servicePrincipalName: TERMSRV/MACHINE1

Not affected:
# record 19
dn: CN=MACHINE2,CN=Computers,DC=ad,DC=domain,DC=domain,DC=tld
servicePrincipalName: HOST/MACHINE2
servicePrincipalName: HOST/MACHINE2.ad.domain.domain.tld
servicePrincipalName: TERMSRV/MACHINE2.ad.domain.domain.tld
servicePrincipalName: TERMSRV/MACHINE2

Not affected:
# record 8
dn: CN=MACHINE3,CN=Computers,DC=ad,DC=domain,DC=domain,DC=tld
servicePrincipalName: HOST/MACHINE3
servicePrincipalName: HOST/MACHINE3.ad.domain.domain.tld
servicePrincipalName: TERMSRV/MACHINE3.ad.domain.domain.tld
servicePrincipalName: TERMSRV/MACHINE3
servicePrincipalName: RestrictedKrbHost/MACHINE3.ad.domain.domain.tld
servicePrincipalName: RestrictedKrbHost/MACHINE3

I see no big differences, maybe except
"servicePrincipalName: RestrictedKrbHost/MACHINE1.ad.domain.domain.tld"

Does the entry order matter?
> I would start checking rights using security tab of your client machine
> into ADUC tool to verify "SELF" is well configured (comparing with some
> other machine not generating these logs).
> 
No differences between the rights, but in the "Attribute Editor" the
affected clients do not have these set:
- displayName
- uidNumber

> When this kind of message happens? When you add new client or when client
> boots or randomly?
> 
For me it only occurs when two of our clients boot.
> Not sure that helps, I tried ;)
> 
Thank you!
(After the holiday I will try to look deeper.)

Markus

> 2016-03-08 18:01 GMT+01:00 Adam Tauno Williams <awilliam at whitemice.org>:
> > On Tue, 2016-02-02 at 23:38 +0100, Markus Dellermann wrote:
> > > sometimes I see following in the logs:
> > > /source4/rpc_server/drsuapi/writespn.c:234(dcesrv_drsuapi_DsWriteAccountSpn)
> > > Failed to modify SPNs on
> > > CN=PCNAME,CN=Computers,DC=DOMAIN,DC=NAME,DC=NAME,DC=de: error in
> > > module acl:
> > > Constraint violation during LDB_MODIFY (19)
> > 
> > I am seeing a very similar message - Failed to modify SPNs on
> > CN=TERRINE-WHITE,OU=Terminal Servers,DC=example,DC=com: error in module
> > acl: Constraint violation (19)
> > 
> > > In the net i found this "explanation":
> > > 
> > > "LDAP_CONSTRAINT_VIOLATION
> > > Indicates that the attribute value specified in a modify, add, or
> > > modify DN
> > > operation violates constraints placed on the attribute. The
> > > constraint can be
> > > one of size or content (string only, no binary)."
> > > 
> > > Hm, is this triggered by DNS updates?
> > > I see this only with two clients.
> > > How can I "debug" this?
> > > 
> > > I am using samba 4.3.4 with bind-dlz
> > > clients are win7
> > > 
> > > Thank you for your thoughts!
> > > 
> > > Markus
> > 
> > --
> > Adam Tauno Williams <mailto:awilliam at whitemice.org> GPG D95ED383
> > Systems Administrator, Python Developer, LPI / NCLA
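When a machine account writes its own SPNs (the DsWriteAccountSpn path that this log line comes from), Samba's acl module checks each SPN against the computer's own names before the LDB_MODIFY is accepted, and a value that fails that check is rejected with a constraint violation. The script below is an added example written for this thread, not code from the mailing list posters or from Samba: it parses ldbsearch-style LDIF text and reports SPNs that are malformed or whose host part is not one of the computer's own names, so you can compare an affected computer object with an unaffected one before digging into the ACLs. The sample records are constructed; the sAMAccountName and dNSHostName attributes in them are assumed, since the posts above only listed servicePrincipalName, and the host-part matching is a simplified re-implementation, not Samba's own validation routine.

```python
"""Flag computer SPNs that a self-write validation would reject.

Added example (not Samba code): parse ldbsearch-style LDIF output and report
servicePrincipalName values that are malformed or that name a host other
than the computer's own short name (sAMAccountName without '$') or its
dNSHostName.  This mirrors, in simplified form, the kind of check that makes
a SELF write of an SPN fail with a constraint violation.
"""
import re
from collections import OrderedDict

# Constructed sample of ldbsearch output.  sAMAccountName and dNSHostName
# are assumed here; the thread only showed servicePrincipalName values.
SAMPLE_LDIF = """\
# record 6
dn: CN=MACHINE1,CN=Computers,DC=ad,DC=domain,DC=domain,DC=tld
sAMAccountName: MACHINE1$
dNSHostName: MACHINE1.ad.domain.domain.tld
servicePrincipalName: HOST/ MACHINE1.ad.domain.domain.tld
servicePrincipalName: RestrictedKrbHost/MACHINE1.ad.domain.domain.tld
servicePrincipalName: HOST/MACHINE1
servicePrincipalName: RestrictedKrbHost/MACHINE1
servicePrincipalName: TERMSRV/MACHINE1.ad.domain.domain.tld
servicePrincipalName: TERMSRV/MACHINE1

# record 19
dn: CN=MACHINE2,CN=Computers,DC=ad,DC=domain,DC=domain,DC=tld
sAMAccountName: MACHINE2$
dNSHostName: MACHINE2.ad.domain.domain.tld
servicePrincipalName: HOST/MACHINE2
servicePrincipalName: HOST/MACHINE2.ad.domain.domain.tld
servicePrincipalName: TERMSRV/MACHINE2.ad.domain.domain.tld
servicePrincipalName: TERMSRV/MACHINE2
"""

# serviceclass/host[:port][/servicename]; no whitespace anywhere in the value.
SPN_RE = re.compile(r"^([^/\s]+)/([^/\s:]+)(?::\d+)?(?:/[^/\s]+)?$")


def parse_ldif(text):
    """Split ldbsearch output into records: dn -> {attr_lower: [values]}."""
    records = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and '# record N' comments
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = records.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return records


def own_names(entry):
    """Names a computer may use as the SPN host part (lower-cased)."""
    names = set()
    for sam in entry.get("samaccountname", []):
        names.add(sam.rstrip("$").lower())
    for dns in entry.get("dnshostname", []):
        names.add(dns.lower())
    return names


def check_spn(spn, names):
    """Return None if spn is acceptable for this computer, else a reason."""
    m = SPN_RE.match(spn)
    if not m:
        return "malformed SPN (bad shape or whitespace)"
    host = m.group(2).lower()
    if host not in names:
        return "host %r is not one of the computer's own names" % m.group(2)
    return None


def find_invalid_spns(text):
    """Map each DN to the list of (spn, reason) pairs that would be rejected."""
    problems = {}
    for dn, entry in parse_ldif(text).items():
        names = own_names(entry)
        for spn in entry.get("serviceprincipalname", []):
            reason = check_spn(spn, names)
            if reason:
                problems.setdefault(dn, []).append((spn, reason))
    return problems


if __name__ == "__main__":
    for dn, bad in find_invalid_spns(SAMPLE_LDIF).items():
        print(dn)
        for spn, reason in bad:
            print("  %-45s %s" % (spn, reason))
```

To run it against a real domain, replace SAMPLE_LDIF with the output of `ldbsearch -H /var/lib/samba/private/sam.ldb objectClass=computer sAMAccountName dNSHostName servicePrincipalName` and look only at the DNs the script prints; a computer with no findings but still logging the error points at the ACL side (the SELF "Validated write to service principal name" right) rather than at the values themselves.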