[Samba] Failed to modify SPNs on error in module acl: Constraint violation during LDB_MODIFY (19)

Markus Dellermann li-mli at gmx.net
Tue Mar 29 10:09:52 UTC 2016


Hi Mathias and all.
On Thursday, 24 March 2016, 13:26:12 CEST, mathias dufresne wrote:
> Hi,
> 
> I'm glad that helped you : )
> 
> About SPN, I found that link few days ago:
> https://adsecurity.org/?page_id=183
> It tries to list the string values available usable for SPN.
> 
> And it gives also that link:
> http://social.technet.microsoft.com/wiki/contents/articles/717.service-princ
> ipal-names-spns-setspn-syntax-setspn-exe.aspx That one is a technet paper to
> explain SPNs.
> 
> I tried to read it but for now I wasn't able to fully understand it (more
> specifically to understand how I would re-use these concepts for my needs).
> 
> Anyway that second link describe SPN syntax as follow:
> 
> *serviceclass/host:port servicename*
> 
> *serviceclass* and *host* are required, but *port* and *service* name are
> optional. The colon between *host* and *port* is only required when a *port*
> is present.
> 
Thank you for the links & explanation
> According to that and because I have no idea what is DATEV_DBENGINE

"DATEV_DBENGINE"
This is from a program called "Datev...", installed locally on this PC.
Its DB is stored in local Microsoft SQL.
But yes, it seems curious that this is added to the servicePrincipalName.
If I understand its syntax right, there should eventually be a port number,
but maybe this is the local account name for this service.
> dn: CN=PCNAME,CN=Computers,DC=...
> changetype: modify
> add: servicePrincipalName
> servicePrincipalName: MSSQLSvc/PCNAME.ad-dom.domain.tld:<some port number>
> 
> And I would also add a second SPN using NETBIOS name of PCNAME rather than
> FQDN, which gives us:
> 
> servicePrincipalName: MSSQLSvc/PCNAME:<some port number>
> 
> Adding both SPN you have two unique name for your SPN and that SPN is valid
> when client requesting that SPN using FQDN and/or Netbios name (or short
> name).
> 

Adding it manually doesn't work; MS SQL seems to want to modify this entry during
its start.
> Please tell me if you were able to add mentioned SPN and if your issue is
> now solved (just for my information ;)
> 

With ADUC I have edited the extended rights from the client machine
and assigned "SELF" rights to read & write "servicePrincipalName".
This added the required line to sam.ldb:
servicePrincipalName: MSSQLSvc/PCNAME.domain.domain.domain.de:DATEV_DBENGINE

Failures in the logs are gone, so this could be the way to fix this.
In terms of security I'm unsure if it's a good way to give a machine rights
to add servicePrincipalNames?


I am also unclear why a local service should register itself in Active
Directory.
The easiest could be to disable this behaviour completely, if possible..
> Best regards,
> 
> mathias
> 
Greetings

Markus

> 2016-03-24 9:51 GMT+01:00 Markus Dellermann <li-mli at gmx.net>:
> > Hi again,
> > 
> > On Monday, 14 March 2016, 00:44:47 CET, Markus Dellermann wrote:
> > > On Thursday, 10 March 2016, 10:41:34 CET, mathias dufresne wrote:
> > > Hi, Mathias and all
> > > thank you for your answer.
> > > 
> > > > Hi all,
> > > > 
> > > > SPN = servicePrincipalName
> > > > 
> > > > A simple search returning all servicePrincipalName declared in your
> > > > AD:
> > > > ldbsearch -H $sam serviceprincipalname=* serviceprincipalname
> > > 
> > > For me:
> > > ldbsearch -H /var/lib/samba/private/sam.ldb serviceprincipalname=* serviceprincipalname
> > 
> > 
> > [...]
> > Thank you again for the hint!
> > 
> > With "loglevel=10" i found the affected servicePrincipalName:
> > 
> > ldb: ldb_trace_request: MODIFY
> > dn: CN=PCNAME,CN=Computers,DC=...
> > changetype: modify
> > add: servicePrincipalName
> > servicePrincipalName: MSSQLSvc/PCNAME.domain.domain.domain.de:DATEV_DBENGIN
> >  E
> > -
> > control: 1.2.840.113556.1.4.1413  crit:0  data:no
> > 
> > [2016/03/24 01:01:45.075853, 10, pid=32023, effective(0, 0), real(0, 0)] ../source4/dsdb/samdb/ldb_modules/acl.c:1055(acl_modify)
> >   ldb:acl_modify: servicePrincipalName
> > [2016/03/24 01:01:45.076866, 10, pid=32023, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
> > [...]
> >   ldb: ldb_asprintf/set_errstring: error in module acl: Constraint violation during LDB_MODIFY (19)
> > [...]
> >   ldb: ldb_trace_next_request: (tdb)->del_transaction
> > [2016/03/24 01:01:45.077191,  0, pid=32023, effective(0, 0), real(0, 0)] ../source4/rpc_server/drsuapi/writespn.c:234(dcesrv_drsuapi_DsWriteAccountSpn)
> >   Failed to modify SPNs on CN=PCNAME,CN=Computers,DC=DOMAIN,DC=...: error in module acl: Constraint violation during LDB_MODIFY (19)
> > [2016/03/24 01:01:45.079992,  1, pid=32023, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
> >        drsuapi_DsWriteAccountSpn: struct drsuapi_DsWriteAccountSpn
> >           out: struct drsuapi_DsWriteAccountSpn
> >               level_out                : *
> >                   level_out                : 0x00000001 (1)
> >               res                      : *
> >                   res                      : union drsuapi_DsWriteAccountSpnResult(case 1)
> >                   res1: struct drsuapi_DsWriteAccountSpnResult1
> >                       status                   : WERR_ACCESS_DENIED
> >               result                   : WERR_OK
> > 
> > I have two clients with installed Datev -Software / local SQL-Server with
> > this
> > Problem
> > 
> > Does SQL-Server have wrong Permissions, or is it a general Problem?
> > 
> > Greetings
> > 
> > Markus
> > 
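Added example, not from this thread and not Samba code: a small Python audit in the spirit of Markus's question about letting a machine write its own SPNs. It parses SPNs with the syntax quoted above (serviceclass/host:port servicename, port and servicename optional), reads ldbsearch-style LDIF while unfolding wrapped values like the "DATEV_DBENGIN" / " E" split in the log, and flags SPNs whose host part is neither the object's dNSHostName nor its sAMAccountName. The LDIF below is constructed, and the "host must be the object's own name" rule is this audit's own assumption, not a statement of what Samba's acl module checks.

```python
def parse_spn(spn: str) -> dict:
    """Split 'serviceclass/host:port servicename' (port and servicename are optional)."""
    head, _, service_name = spn.partition(" ")
    service_class, slash, host_port = head.partition("/")
    host, _, port = host_port.partition(":")  # the colon is only present when a port follows
    if not (slash and service_class and host):
        raise ValueError(f"serviceclass and host are required: {spn!r}")
    return {"class": service_class, "host": host, "port": port or None, "name": service_name or None}

def parse_ldif(text: str) -> list:
    """Minimal LDIF reader: one dict of lists per blank-line-separated entry, folded lines unfolded."""
    entries, cur, last = [], {}, None
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and last:  # continuation line, like 'DATEV_DBENGIN' / ' E' in the log
            cur[last][-1] += line[1:]
        elif not line.strip():
            if cur:
                entries.append(cur)
            cur, last = {}, None
        else:
            key, _, value = line.partition(": ")
            last = key.lower()
            cur.setdefault(last, []).append(value)
    return entries

def audit_spns(ldif_text: str) -> list:
    """Return (dn, spn, reason) for SPNs that are malformed or name a host other than the object itself."""
    findings = []
    for e in parse_ldif(ldif_text):
        own = {v.lower() for v in e.get("dnshostname", [])}  # FQDN ...
        own |= {v.rstrip("$").lower() for v in e.get("samaccountname", [])}  # ... and NETBIOS short name
        for raw in e.get("serviceprincipalname", []):
            try:
                host = parse_spn(raw)["host"]
                if host.lower() not in own:
                    raise ValueError(f"host {host!r} is not the object's own name {sorted(own)}")
            except ValueError as exc:
                findings.append((e["dn"][0], raw, str(exc)))
    return findings
# Constructed sample entry, modelled on the wrapped LDIF in the log above (not real directory data).
SAMPLE_LDIF = """\
dn: CN=PCNAME,CN=Computers,DC=ad-dom,DC=domain,DC=tld
sAMAccountName: PCNAME$
dNSHostName: pcname.ad-dom.domain.tld
servicePrincipalName: MSSQLSvc/PCNAME.ad-dom.domain.tld:DATEV_DBENGIN
 E
servicePrincipalName: MSSQLSvc/OTHERHOST.ad-dom.domain.tld:1433
servicePrincipalName: no-slash-here
"""
```

Running `audit_spns(SAMPLE_LDIF)` reports only the OTHERHOST entry and the malformed value; the unfolded DATEV_DBENGINE SPN passes because its host is the object's own FQDN.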