[Samba] Failed to modify SPNs on error in module acl: Constraint violation during LDB_MODIFY (19)

mathias dufresne infractory at gmail.com
Thu Mar 24 12:26:12 UTC 2016


Hi,

I'm glad that helped you : )

About SPNs, I found this link a few days ago:
https://adsecurity.org/?page_id=183
It tries to list the string values usable for SPNs.

And it also gives this link:
http://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx
That one is a TechNet article explaining SPNs.

I tried to read it, but so far I haven't been able to fully understand it (more
specifically, how I would reuse these concepts for my needs).

Anyway, that second link describes SPN syntax as follows:

*serviceclass/host:port servicename*

*serviceclass* and *host* are required, but *port* and *servicename* are
optional. The colon between *host* and *port* is only required when a *port*
is present.

According to that, and because I have no idea what DATEV_DBENGINE is:
dn: CN=PCNAME,CN=Computers,DC=...
changetype: modify
add: servicePrincipalName
servicePrincipalName: MSSQLSvc/PCNAME.ad-dom.domain.tld:<some port number>

And I would also add a second SPN using the NetBIOS name of PCNAME rather than
the FQDN, which gives us:

servicePrincipalName: MSSQLSvc/PCNAME:<some port number>

Adding both SPNs, you have two unique names for your SPN, and that SPN is valid
when a client requests it using the FQDN and/or the NetBIOS name (or short
name).

Please tell me if you were able to add the mentioned SPNs and whether your issue
is now solved (just for my information ;)

Best regards,

mathias



2016-03-24 9:51 GMT+01:00 Markus Dellermann <li-mli at gmx.net>:

> Hi again,
> On Monday, 14 March 2016, 00:44:47 CET, Markus Dellermann wrote:
> > On Thursday, 10 March 2016, 10:41:34 CET, mathias dufresne wrote:
> > Hi Mathias and all,
> > thank you for your answer.
> >
> > > Hi all,
> > >
> > > SPN = servicePrincipalName
> > >
> > > A simple search returning all servicePrincipalNames declared in your AD:
> > > ldbsearch -H $sam serviceprincipalname=* serviceprincipalname
> >
> > For me:
> > ldbsearch -H /var/lib/samba/private/sam.ldb serviceprincipalname=* serviceprincipalname
> >
>
> [...]
> Thank you again for the hint!
>
> With "loglevel=10" I found the affected servicePrincipalName:
>
> ldb: ldb_trace_request: MODIFY
> dn: CN=PCNAME,CN=Computers,DC=...
> changetype: modify
> add: servicePrincipalName
> servicePrincipalName: MSSQLSvc/PCNAME.domain.domain.domain.de:DATEV_DBENGINE
> -
> control: 1.2.840.113556.1.4.1413  crit:0  data:no
>
> [2016/03/24 01:01:45.075853, 10, pid=32023, effective(0, 0), real(0, 0)] ../source4/dsdb/samdb/ldb_modules/acl.c:1055(acl_modify)
>   ldb:acl_modify: servicePrincipalName
>
> [2016/03/24 01:01:45.076866, 10, pid=32023, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
> [...]
>   ldb: ldb_asprintf/set_errstring: error in module acl: Constraint violation during LDB_MODIFY (19)
> [...]
>   ldb: ldb_trace_next_request: (tdb)->del_transaction
> [2016/03/24 01:01:45.077191,  0, pid=32023, effective(0, 0), real(0, 0)] ../source4/rpc_server/drsuapi/writespn.c:234(dcesrv_drsuapi_DsWriteAccountSpn)
>   Failed to modify SPNs on CN=PCNAME,CN=Computers,DC=DOMAIN,DC=...: error in module acl: Constraint violation during LDB_MODIFY (19)
> [2016/03/24 01:01:45.079992,  1, pid=32023, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
>        drsuapi_DsWriteAccountSpn: struct drsuapi_DsWriteAccountSpn
>           out: struct drsuapi_DsWriteAccountSpn
>               level_out                : *
>                   level_out                : 0x00000001 (1)
>               res                      : *
>                   res                      : union
> drsuapi_DsWriteAccountSpnResult(case 1)
>                   res1: struct drsuapi_DsWriteAccountSpnResult1
>                       status                   : WERR_ACCESS_DENIED
>               result                   : WERR_OK
>
> I have two clients with Datev software / a local SQL Server installed that
> show this problem.
>
> Does SQL Server have the wrong permissions, or is it a general problem?
>
> Greetings
>
> Markus
>
>

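The SPN grammar and the "add both the FQDN and the NetBIOS form" advice in the reply above, as an added example that is not code from the Samba project or from either poster. It parses serviceclass/host[:port][/servicename] (the TechNet article's form, with a slash before servicename; for SQL Server named instances the slot after the colon carries the instance name rather than a TCP port, so a value like MSSQLSvc/fqdn:DATEV_DBENGINE is well-formed), checks that the host part names the computer account via its sAMAccountName (minus the trailing $) or dNSHostName, checks that the new values are not already held by another object (AD requires SPNs to be unique across the directory, compared case-insensitively), and renders the LDIF that ldbmodify would take. The account, DN and directory contents are constructed sample data, and the host check is this example's own assumption of what a DC validates, not the logic of Samba's acl module.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# SPN grammar from the TechNet article cited in the reply:
#   serviceclass/host[:port][/servicename]
# serviceclass and host are mandatory; the colon appears only with a port.
# For SQL Server named instances the slot after the colon carries the
# instance name rather than a TCP port, so MSSQLSvc/fqdn:DATEV_DBENGINE
# parses without error here.
_SPN_RE = re.compile(
    r"^(?P<cls>[^/:]+)/(?P<host>[^/:]+)(?::(?P<port>[^/:]+))?(?:/(?P<svc>[^/]+))?$"
)


class SPN(NamedTuple):
    service_class: str
    host: str
    port: Optional[str]          # TCP port or, for MSSQLSvc, an instance name
    service_name: Optional[str]


def parse_spn(value: str) -> SPN:
    """Split an SPN into its four parts; reject anything outside the grammar."""
    m = _SPN_RE.match(value.strip())
    if m is None:
        raise ValueError(f"malformed SPN: {value!r}")
    return SPN(m["cls"], m["host"], m["port"], m["svc"])


def host_matches_account(spn: SPN, account: Dict[str, str]) -> bool:
    """True when the host part names this computer account, either by its
    NetBIOS name (sAMAccountName without the trailing '$') or by dNSHostName.
    This is the check assumed in this example, not Samba's acl module code."""
    netbios = account["sAMAccountName"].rstrip("$").lower()
    fqdn = account.get("dNSHostName", "").lower()
    return spn.host.lower() in {netbios, fqdn}


def find_conflicts(spns: List[str], directory: Dict[str, List[str]],
                   own_dn: str) -> List[Tuple[str, str]]:
    """Return (spn, dn) pairs for SPNs already held by some other object.
    AD compares SPNs case-insensitively, so the lookup does too."""
    owners: Dict[str, str] = {}
    for dn, values in directory.items():
        for v in values:
            owners.setdefault(v.lower(), dn)
    return [(s, owners[s.lower()]) for s in spns
            if s.lower() in owners and owners[s.lower()] != own_dn]


def build_spn_pair(service_class: str, account: Dict[str, str],
                   port: Optional[str] = None) -> List[str]:
    """FQDN and NetBIOS variants of one SPN, as the reply recommends."""
    suffix = f":{port}" if port else ""
    netbios = account["sAMAccountName"].rstrip("$")
    return [f"{service_class}/{account['dNSHostName']}{suffix}",
            f"{service_class}/{netbios}{suffix}"]


def ldif_add_spns(dn: str, spns: List[str]) -> str:
    """LDIF suitable for 'ldbmodify -H sam.ldb', adding the given values."""
    lines = [f"dn: {dn}", "changetype: modify", "add: servicePrincipalName"]
    lines += [f"servicePrincipalName: {s}" for s in spns]
    lines.append("-")
    return "\n".join(lines) + "\n"


# Constructed sample data (hypothetical names), not values from the thread.
ACCOUNT = {"sAMAccountName": "PCNAME$",
           "dNSHostName": "pcname.ad-dom.domain.tld"}
ACCOUNT_DN = "CN=PCNAME,CN=Computers,DC=ad-dom,DC=domain,DC=tld"
DIRECTORY = {
    ACCOUNT_DN: ["HOST/PCNAME", "HOST/pcname.ad-dom.domain.tld"],
    # a stale registration on another object: the duplicate a DC would reject
    "CN=OLDSQL,CN=Computers,DC=ad-dom,DC=domain,DC=tld":
        ["MSSQLSvc/pcname.ad-dom.domain.tld:1433"],
}


def check_and_render(service_class: str, port: Optional[str]) -> str:
    """Validate the FQDN/NetBIOS pair against the sample directory; raise on
    any problem, otherwise return the LDIF to apply."""
    spns = build_spn_pair(service_class, ACCOUNT, port)
    for s in spns:
        if not host_matches_account(parse_spn(s), ACCOUNT):
            raise ValueError(f"{s}: host does not belong to {ACCOUNT_DN}")
    conflicts = find_conflicts(spns, DIRECTORY, ACCOUNT_DN)
    if conflicts:
        raise ValueError(f"already registered elsewhere: {conflicts}")
    return ldif_add_spns(ACCOUNT_DN, spns)


if __name__ == "__main__":
    # The instance-name form goes through; the port form collides with OLDSQL.
    print(check_and_render("MSSQLSvc", "DATEV_DBENGINE"))
```

Run against a real sam.ldb, the directory dict would be filled from the `ldbsearch -H sam.ldb serviceprincipalname=* serviceprincipalname` query quoted earlier in the thread, and the rendered LDIF piped into `ldbmodify -H sam.ldb`; the duplicate check matters because a second object still holding the same SPN is a common reason an add is refused.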
