[Samba] Failed to modify SPNs on error in module acl: Constraint violation during LDB_MODIFY (19)
Markus Dellermann
li-mli at gmx.net
Tue Mar 29 10:09:52 UTC 2016
Hi Mathias and all.
On Thursday, 24 March 2016, 13:26:12 CEST, mathias dufresne wrote:
> Hi,
>
> I'm glad that helped you : )
>
> About SPN, I found that link few days ago:
> https://adsecurity.org/?page_id=183
> It tries to list the string values usable for SPNs.
>
> And it gives also that link:
> http://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx
> That one is a technet paper to explain SPNs.
>
> I tried to read it but for now I wasn't able to fully understand it (more
> specifically to understand how I would re-use these concepts for my needs).
>
> Anyway, that second link describes SPN syntax as follows:
>
> *serviceclass/host:port servicename*
>
> *serviceclass* and *host* are required, but *port* and *servicename* are
> optional. The colon between *host* and *port* is only required when a *port*
> is present.
>
Thank you for the links & explanation
> According to that and because I have no idea what DATEV_DBENGINE is
"DATEV_DBENGINE"
This is from a program called "Datev...", installed locally on this PC.
Its DB is stored in a local Microsoft SQL Server.
But yes, it seems curious that this is added to the servicePrincipalName.
If I understand its syntax right, there should eventually be a port number,
but maybe this is the local account name for this service.
> dn: CN=PCNAME,CN=Computers,DC=...
> changetype: modify
> add: servicePrincipalName
> servicePrincipalName: MSSQLSvc/PCNAME.ad-dom.domain.tld:<some port number>
>
> And I would also add a second SPN using NETBIOS name of PCNAME rather than
> FQDN, which gives us:
>
> servicePrincipalName: MSSQLSvc/PCNAME:<some port number>
>
> Adding both SPNs you have two unique names for your SPN, and that SPN is
> valid when clients request it using the FQDN and/or NetBIOS name (or short
> name).
>
Adding it manually doesn't work; MS-SQL seems to want to modify this entry
during its start.
> Please tell me if you were able to add the mentioned SPN and if your issue
> is now solved (just for my information ;)
>
With ADUC I have edited the extended rights of the client machine
and assigned "SELF" rights for reading & writing "servicePrincipalName".
This added the required line to sam.ldb:
servicePrincipalName: MSSQLSvc/PCNAME.domain.domain.domain.de:DATEV_DBENGINE
Failures in the logs are gone, so this could be the way to fix this.
In terms of security I'm unsure if it's a good way to give a machine rights
to add servicePrincipalNames?
I am also unclear why a local service should register itself in Active
Directory.
The easiest could be to disable this behaviour completely, if possible.
> Best regards,
>
> mathias
>
Greetings
Markus
> 2016-03-24 9:51 GMT+01:00 Markus Dellermann <li-mli at gmx.net>:
> > Hi again,
> >
> > On Monday, 14 March 2016, 00:44:47 CET, Markus Dellermann wrote:
> > > On Thursday, 10 March 2016, 10:41:34 CET, mathias dufresne wrote:
> > > Hi, Mathias and all
> > > thank you for your answer.
> > >
> > > > Hi all,
> > > >
> > > > SPN = servicePrincipalName
> > > >
> > > > A simple search returning all servicePrincipalName declared in your
> > > > AD:
> > > > ldbsearch -H $sam serviceprincipalname=* serviceprincipalname
> > >
> > > For me:
> > > ldbsearch -H /var/lib/samba/private/sam.ldb serviceprincipalname=* serviceprincipalname
> >
> > [...]
> > Thank you again for the hint!
> >
> > With "loglevel=10" I found the affected servicePrincipalName:
> >
> > ldb: ldb_trace_request: MODIFY
> > dn: CN=PCNAME,CN=Computers,DC=...
> > changetype: modify
> > add: servicePrincipalName
> > servicePrincipalName: MSSQLSvc/PCNAME.domain.domain.domain.de:DATEV_DBENGINE
> > -
> >
> > control: 1.2.840.113556.1.4.1413 crit:0 data:no
> >
> > [2016/03/24 01:01:45.075853, 10, pid=32023, effective(0, 0), real(0, 0)] ../source4/dsdb/samdb/ldb_modules/acl.c:1055(acl_modify)
> > ldb:acl_modify: servicePrincipalName
> > [2016/03/24 01:01:45.076866, 10, pid=32023, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
> > [...]
> > ldb: ldb_asprintf/set_errstring: error in module acl: Constraint violation during LDB_MODIFY (19)
> > [...]
> > ldb: ldb_trace_next_request: (tdb)->del_transaction
> > [2016/03/24 01:01:45.077191, 0, pid=32023, effective(0, 0), real(0, 0)] ../source4/rpc_server/drsuapi/writespn.c:234(dcesrv_drsuapi_DsWriteAccountSpn)
> > Failed to modify SPNs on CN=PCNAME,CN=Computers,DC=DOMAIN,DC=...: error in module acl: Constraint violation during LDB_MODIFY (19)
> > [2016/03/24 01:01:45.079992, 1, pid=32023, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
> > drsuapi_DsWriteAccountSpn: struct drsuapi_DsWriteAccountSpn
> > out: struct drsuapi_DsWriteAccountSpn
> > level_out : *
> > level_out : 0x00000001 (1)
> > res : *
> > res : union drsuapi_DsWriteAccountSpnResult(case 1)
> > res1: struct drsuapi_DsWriteAccountSpnResult1
> > status : WERR_ACCESS_DENIED
> > result : WERR_OK
> >
> > I have two clients with the Datev software / a local SQL Server installed
> > that show this problem.
> >
> > Does SQL Server have the wrong permissions, or is it a general problem?
> >
> > Greetings
> >
> > Markus
> >
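Added example, not from this thread and not Samba's own code: a small Python parser for the serviceclass/host[:port][/servicename] SPN syntax discussed above (the servicename separator is taken as "/", as in Microsoft's setspn documentation), plus two checks a defender would run over the output of the quoted ldbsearch command before handing a machine account write access to its own servicePrincipalName. The first is the rule behind AD's "Validated write to service principal name", the kind of SELF right Markus granted: the host part must be the account's own dNSHostName or NetBIOS name; that Samba's acl module applies exactly this rule is an assumption here, so the helper is labelled hypothetical. The second flags an SPN registered on more than one account, which breaks Kerberos for both. For MSSQLSvc the part after the colon can be an instance name rather than a TCP port, as with the DATEV_DBENGINE entry above, so the parser reports whether that part is numeric instead of rejecting it. All host names, DNs and the ldbsearch-style text are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# serviceclass/host[:port][/servicename]: the setspn syntax quoted in the
# thread; the servicename separator is "/" as in Microsoft's documentation.
SPN_RE = re.compile(
    r"^(?P<serviceclass>[^/:]+)/(?P<host>[^/:]+)"
    r"(?::(?P<port>[^/]+))?(?:/(?P<servicename>.+))?$"
)


@dataclass(frozen=True)
class SPN:
    serviceclass: str
    host: str
    port: Optional[str] = None
    servicename: Optional[str] = None

    @property
    def port_is_numeric(self) -> bool:
        # MSSQLSvc named instances put the instance name here, not a TCP port.
        return self.port is not None and self.port.isdigit()


def parse_spn(value: str) -> SPN:
    """Split an SPN string into its components; raise ValueError if malformed."""
    m = SPN_RE.match(value.strip())
    if m is None:
        raise ValueError(f"not a well-formed SPN: {value!r}")
    return SPN(**m.groupdict())


def is_well_formed(value: str) -> bool:
    try:
        parse_spn(value)
        return True
    except ValueError:
        return False


def self_write_allowed(spn: SPN, dns_host_name: str, sam_account_name: str) -> bool:
    """Hypothetical helper modelling AD's "Validated write to SPN" rule.

    A computer may only register SPNs naming itself: the host part must equal
    the account's dNSHostName or its NetBIOS name (sAMAccountName without the
    trailing '$'), compared case-insensitively.
    """
    netbios = sam_account_name.rstrip("$")
    return spn.host.lower() in {dns_host_name.lower(), netbios.lower()}


# Constructed sample in the shape of the ldbsearch output quoted in the thread.
SAMPLE_LDB_OUTPUT = """\
dn: CN=PCNAME,CN=Computers,DC=example,DC=test
servicePrincipalName: HOST/PCNAME
servicePrincipalName: HOST/pcname.example.test
servicePrincipalName: MSSQLSvc/pcname.example.test:DATEV_DBENGINE

dn: CN=OTHERPC,CN=Computers,DC=example,DC=test
servicePrincipalName: HOST/OTHERPC
servicePrincipalName: MSSQLSvc/pcname.example.test:DATEV_DBENGINE
"""


def spns_by_dn(ldb_output: str) -> Dict[str, List[str]]:
    """Group servicePrincipalName values under the dn: line they belong to."""
    result: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for line in ldb_output.splitlines():
        if line.startswith("dn: "):
            current = line[4:].strip()
            result[current] = []
        elif current and line.lower().startswith("serviceprincipalname: "):
            result[current].append(line.split(": ", 1)[1].strip())
    return result


def find_duplicate_spns(by_dn: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return SPNs (lower-cased) that are registered on more than one account."""
    owners: Dict[str, set] = {}
    for dn, values in by_dn.items():
        for value in values:
            owners.setdefault(value.lower(), set()).add(dn)
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}


if __name__ == "__main__":
    grouped = spns_by_dn(SAMPLE_LDB_OUTPUT)
    for dn, values in grouped.items():
        for value in values:
            spn = parse_spn(value)
            kind = "numeric port" if spn.port_is_numeric else "instance name / no port"
            print(dn, spn, kind)
    print("duplicates:", find_duplicate_spns(grouped))
```

The host comparison deliberately ignores case and the trailing '$' of the sAMAccountName, because SPN lookups are case-insensitive and the NetBIOS form is what the second SPN in Mathias' suggestion uses; an SPN naming any other host should be rejected for a SELF write even though it parses fine.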