[Samba] Failed to modify SPNs on error in module acl: Constraint violation during LDB_MODIFY (19)
mathias dufresne
infractory at gmail.com
Thu Mar 24 12:26:12 UTC 2016
Hi,
I'm glad that helped you : )
About SPNs, I found this link a few days ago:
https://adsecurity.org/?page_id=183
It tries to list the string values usable for SPNs.
It also gives this link:
http://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx
That one is a TechNet article explaining SPNs.
I tried to read it, but for now I wasn't able to fully understand it (more
specifically, to understand how I would re-use these concepts for my needs).
Anyway, that second link describes the SPN syntax as follows:
serviceclass/host:port servicename
serviceclass and host are required, but port and servicename are
optional. The colon between host and port is only required when a port
is present.
According to that, and because I have no idea what DATEV_DBENGINE is:
dn: CN=PCNAME,CN=Computers,DC=...
changetype: modify
add: servicePrincipalName
servicePrincipalName: MSSQLSvc/PCNAME.ad-dom.domain.tld:<some port number>
And I would also add a second SPN using the NetBIOS name of PCNAME rather than
the FQDN, which gives us:
servicePrincipalName: MSSQLSvc/PCNAME:<some port number>
Adding both SPNs, you have two unique names for your SPN, and that SPN is valid
when a client requests it using the FQDN and/or the NetBIOS name (or short
name).
Please tell me if you were able to add the mentioned SPNs and if your issue is
now solved (just for my information ;)
Best regards,
mathias
2016-03-24 9:51 GMT+01:00 Markus Dellermann <li-mli at gmx.net>:
> Hi again,
> On Monday, 14 March 2016, 00:44:47 CET, Markus Dellermann wrote:
> > On Thursday, 10 March 2016, 10:41:34 CET, mathias dufresne wrote:
> > Hi Mathias and all,
> > Thank you for your answer.
> >
> > > Hi all,
> > >
> > > SPN = servicePrincipalName
> > >
> > > A simple search returning all servicePrincipalName declared in your AD:
> > > ldbsearch -H $sam serviceprincipalname=* serviceprincipalname
> >
> > For me:
> > ldbsearch -H /var/lib/samba/private/sam.ldb serviceprincipalname=* serviceprincipalname
> >
>
> [...]
> Thank you again for the hint!
>
> With "log level = 10" I found the affected servicePrincipalName:
>
> ldb: ldb_trace_request: MODIFY
> dn: CN=PCNAME,CN=Computers,DC=...
> changetype: modify
> add: servicePrincipalName
> servicePrincipalName: MSSQLSvc/PCNAME.domain.domain.domain.de:DATEV_DBENGINE
> -
> control: 1.2.840.113556.1.4.1413 crit:0 data:no
>
> [2016/03/24 01:01:45.075853, 10, pid=32023, effective(0, 0), real(0, 0)] ../source4/dsdb/samdb/ldb_modules/acl.c:1055(acl_modify)
> ldb:acl_modify: servicePrincipalName
>
> [2016/03/24 01:01:45.076866, 10, pid=32023, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
> [...]
> ldb: ldb_asprintf/set_errstring: error in module acl: Constraint violation during LDB_MODIFY (19)
> [...]
> ldb: ldb_trace_next_request: (tdb)->del_transaction
> [2016/03/24 01:01:45.077191, 0, pid=32023, effective(0, 0), real(0, 0)] ../source4/rpc_server/drsuapi/writespn.c:234(dcesrv_drsuapi_DsWriteAccountSpn)
> Failed to modify SPNs on CN=PCNAME,CN=Computers,DC=DOMAIN,DC=...: error in module acl: Constraint violation during LDB_MODIFY (19)
> [2016/03/24 01:01:45.079992, 1, pid=32023, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
> drsuapi_DsWriteAccountSpn: struct drsuapi_DsWriteAccountSpn
> out: struct drsuapi_DsWriteAccountSpn
> level_out : *
> level_out : 0x00000001 (1)
> res : *
> res : union drsuapi_DsWriteAccountSpnResult(case 1)
> res1: struct drsuapi_DsWriteAccountSpnResult1
> status : WERR_ACCESS_DENIED
> result : WERR_OK
>
> I have two clients with the Datev software / a local SQL Server installed that
> show this problem.
>
> Does SQL Server have the wrong permissions, or is it a general problem?
>
> Greetings
>
> Markus
>
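The SPN syntax discussed in this thread, turned into a small worked example. This is added illustration code, not Samba's own code nor anything posted by the participants. It parses SPN strings into the four fields the TechNet article describes (serviceclass/host:port/servicename, with the fourth field separated by a slash), builds the FQDN plus NetBIOS pair of MSSQLSvc SPNs suggested above, checks them against a constructed list of SPNs already present in the directory (SPNs must be unique, and AD compares them case-insensitively), and emits the LDIF that ldbmodify would apply. The DN, hostnames and existing SPN list are constructed sample data; the Datev SPN is parsed only to show that "DATEV_DBENGINE" lands in the port field, where SQL Server puts a named-instance name.

```python
"""Parse, build and uniqueness-check servicePrincipalName (SPN) values,
then emit an LDIF 'add' for ldbmodify/ldapmodify.

Added example for this thread, not Samba project code. SPN grammar per
Microsoft's documentation: serviceclass/host:port/servicename, where only
serviceclass and host are mandatory. All hostnames, the DN and the list of
existing SPNs below are constructed sample data."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class SPN:
    service_class: str
    host: str
    port: Optional[str] = None          # numeric port or, for SQL Server, an instance name
    service_name: Optional[str] = None  # optional fourth field, e.g. a replicated service's name

    def __str__(self) -> str:
        s = f"{self.service_class}/{self.host}"
        if self.port:
            s += f":{self.port}"
        if self.service_name:
            s += f"/{self.service_name}"
        return s


def parse_spn(value: str) -> SPN:
    """Split an SPN string into its fields; raise ValueError on malformed input."""
    service_class, sep, rest = value.partition("/")
    if not sep:
        raise ValueError(f"SPN lacks the serviceclass/host separator: {value!r}")
    host_port, _, service_name = rest.partition("/")
    if "/" in service_name:
        raise ValueError(f"too many '/' separators in SPN: {value!r}")
    host, _, port = host_port.partition(":")
    if not service_class or not host:
        raise ValueError(f"serviceclass and host are mandatory: {value!r}")
    return SPN(service_class, host, port or None, service_name or None)


def mssql_spns(fqdn: str, port_or_instance: str) -> List[SPN]:
    """The two SPNs the thread recommends: one with the FQDN, one with the short name."""
    short_name = fqdn.split(".", 1)[0]
    return [SPN("MSSQLSvc", fqdn, port_or_instance),
            SPN("MSSQLSvc", short_name, port_or_instance)]


def find_conflicts(new: Iterable[SPN], existing: Iterable[str]) -> List[str]:
    """Return the new SPNs that already exist in the directory.

    SPNs must be unique across the forest; the comparison is case-insensitive,
    like AD's handling of the servicePrincipalName attribute."""
    have = {e.lower() for e in existing}
    return [str(s) for s in new if str(s).lower() in have]


def ldif_add(dn: str, spns: Iterable[SPN]) -> str:
    """LDIF modify record adding the given SPNs to one account."""
    lines = [f"dn: {dn}", "changetype: modify", "add: servicePrincipalName"]
    lines += [f"servicePrincipalName: {s}" for s in spns]
    lines.append("-")
    return "\n".join(lines) + "\n"


# Constructed sample: what 'ldbsearch ... serviceprincipalname=*' might list.
EXISTING_SPNS = [
    "HOST/PCNAME",
    "HOST/PCNAME.ad-dom.example.com",
    "MSSQLSvc/OTHERPC.ad-dom.example.com:1433",
]
SAMPLE_DN = "CN=PCNAME,CN=Computers,DC=ad-dom,DC=example,DC=com"


def plan_spn_add(fqdn: str, port_or_instance: str,
                 existing: Iterable[str] = EXISTING_SPNS,
                 dn: str = SAMPLE_DN) -> str:
    """Build the SPN pair, refuse on a collision, otherwise return the LDIF."""
    wanted = mssql_spns(fqdn, port_or_instance)
    clashes = find_conflicts(wanted, existing)
    if clashes:
        raise ValueError(f"SPN(s) already registered elsewhere: {clashes}")
    return ldif_add(dn, wanted)


if __name__ == "__main__":
    datev = parse_spn("MSSQLSvc/PCNAME.ad-dom.example.com:DATEV_DBENGINE")
    print(f"class={datev.service_class} host={datev.host} port/instance={datev.port}")
    print(plan_spn_add("PCNAME.ad-dom.example.com", "1433"))
```

Pipe the printed LDIF into `ldbmodify -H /var/lib/samba/private/sam.ldb` on the DC; if the add is rejected, run the conflict check against the full output of the ldbsearch shown earlier in the thread before assuming a permission problem.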