[Samba] Failed to modify SPNs on error in module acl: Constraint violation during LDB_MODIFY (19)

mathias dufresne infractory at gmail.com
Tue Mar 29 11:26:30 UTC 2016


I'm not an expert, especially when it comes to servicePrincipalName, which I
haven't understood until now, but I think it is safe to give an object the
right to modify itself.

If security is one of your main concerns, you could try to remove that
account's ability to modify itself once the servicePrincipalName is created.
That way the SPN should NOT be removed (no right to remove it) and
authentication should continue to work (the SPN is there). You could get
errors in your logs if MS-SQL Server tries to remove the SPN at shutdown
and/or add it again at startup.

Anyway, I'm very glad to read I was able to help you a little bit with my
little knowledge on that subject :)

Have a nice day!

mathias

2016-03-29 12:09 GMT+02:00 Markus Dellermann <li-mli at gmx.net>:

> Hi Mathias and all.
> On Thursday, 24 March 2016, 13:26:12 CEST, mathias dufresne wrote:
> > Hi,
> >
> > I'm glad that helped you : )
> >
> > About SPN, I found that link a few days ago:
> > https://adsecurity.org/?page_id=183
> > It tries to list the string values available for use in SPNs.
> >
> > And it also gives that link:
> > http://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx
> > That one is a technet paper to explain SPNs.
> >
> > I tried to read it but for now I wasn't able to fully understand it (more
> > specifically to understand how I would re-use these concepts for my needs).
> >
> > Anyway that second link describes SPN syntax as follows:
> >
> > *serviceclass/host:port servicename*
> >
> > *serviceclass* and *host* are required, but *port* and *service name* are
> > optional. The colon between *host* and *port* is only required when a *port*
> > is present.
> >
> >
> Thank you for the links & explanation.
> > According to that and because I have no idea what is DATEV_DBENGINE
>
> "DATEV_DBENGINE"
> This is from a program called "Datev...", installed locally on this PC.
> Its database is stored in the local Microsoft SQL Server.
> But yes, it seems curious that this is added to the servicePrincipalName.
> If I understand its syntax right, there should eventually be a port number,
> but maybe this is the local account name for this service.
> > dn: CN=PCNAME,CN=Computers,DC=...
> > changetype: modify
> > add: servicePrincipalName
> > servicePrincipalName: MSSQLSvc/PCNAME.ad-dom.domain.tld:<some port number>
> >
> > And I would also add a second SPN using the NETBIOS name of PCNAME rather
> > than the FQDN, which gives us:
> >
> > servicePrincipalName: MSSQLSvc/PCNAME:<some port number>
> >
> > Adding both SPNs you have two unique names for your SPN, and the SPN is
> > valid when a client requests it using the FQDN and/or NetBIOS name (or
> > short name).
> >
> >
>
> Adding it manually doesn't work; MS-SQL seems to want to modify this entry
> during its start.
> > Please tell me if you were able to add the mentioned SPN and if your issue
> > is now solved (just for my information ;)
> >
>
> With ADUC I have edited the extended rights of the client machine
> and assigned "SELF" rights to read & write "servicePrincipalName".
> This added the required line to sam.ldb:
> servicePrincipalName: MSSQLSvc/PCNAME.domain.domain.domain.de:DATEV_DBENGINE
>
> Failures in the logs are gone, so this could be the way to fix this.
> In terms of security I'm unsure if it's a good way to give a machine rights
> to add servicePrincipalNames?
>
>
> I am also unclear why a local service should register itself in Active
> Directory.
> The easiest could be to disable this behaviour completely, if possible...
> > Best regards,
> >
> > mathias
> >
> Greetings
>
> Markus
>
> > 2016-03-24 9:51 GMT+01:00 Markus Dellermann <li-mli at gmx.net>:
> > > Hi again,
> > >
> > > On Monday, 14 March 2016, 00:44:47 CET, Markus Dellermann wrote:
> > > > On Thursday, 10 March 2016, 10:41:34 CET, mathias dufresne wrote:
> > > > Hi, Mathias and all
> > > > thank you for your answer.
> > > >
> > > > > Hi all,
> > > > >
> > > > > SPN = servicePrincipalName
> > > > >
> > > > > A simple search returning all servicePrincipalName declared in your AD:
> > > > > ldbsearch -H $sam serviceprincipalname=* serviceprincipalname
> > > >
> > > > For me:
> > > > ldbsearch -H /var/lib/samba/private/sam.ldb serviceprincipalname=* serviceprincipalname
> > >
> > >
> > > [...]
> > > Thank you again for the hint!
> > >
> > > With "loglevel=10" I found the affected servicePrincipalName:
> > >
> > > ldb: ldb_trace_request: MODIFY
> > > dn: CN=PCNAME,CN=Computers,DC=...
> > > changetype: modify
> > > add: servicePrincipalName
> > > servicePrincipalName: MSSQLSvc/PCNAME.domain.domain.domain.de:DATEV_DBENGINE
> > > -
> > > control: 1.2.840.113556.1.4.1413  crit:0  data:no
> > >
> > > [2016/03/24 01:01:45.075853, 10, pid=32023, effective(0, 0), real(0, 0)] ../source4/dsdb/samdb/ldb_modules/acl.c:1055(acl_modify)
> > >   ldb:acl_modify: servicePrincipalName
> > > [2016/03/24 01:01:45.076866, 10, pid=32023, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
> > > [...]
> > >   ldb: ldb_asprintf/set_errstring: error in module acl: Constraint violation during LDB_MODIFY (19)
> > > [...]
> > >   ldb: ldb_trace_next_request: (tdb)->del_transaction
> > > [2016/03/24 01:01:45.077191,  0, pid=32023, effective(0, 0), real(0, 0)] ../source4/rpc_server/drsuapi/writespn.c:234(dcesrv_drsuapi_DsWriteAccountSpn)
> > >   Failed to modify SPNs on CN=PCNAME,CN=Computers,DC=DOMAIN,DC=...: error in module acl: Constraint violation during LDB_MODIFY (19)
> > > [2016/03/24 01:01:45.079992,  1, pid=32023, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
> > >        drsuapi_DsWriteAccountSpn: struct drsuapi_DsWriteAccountSpn
> > >           out: struct drsuapi_DsWriteAccountSpn
> > >               level_out                : *
> > >                   level_out                : 0x00000001 (1)
> > >               res                      : *
> > >                   res                      : union drsuapi_DsWriteAccountSpnResult(case 1)
> > >                   res1: struct drsuapi_DsWriteAccountSpnResult1
> > >                       status                   : WERR_ACCESS_DENIED
> > >               result                   : WERR_OK
> > >
> > > I have two clients with Datev software / a local SQL Server installed
> > > that have this problem.
> > >
> > > Does SQL Server have wrong permissions, or is it a general problem?
> > >
> > > Greetings
> > >
> > > Markus
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  https://lists.samba.org/mailman/options/samba
>
>
>
>
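An added example, not part of this thread and not code from Samba, Datev or SQL Server: a small Python script that parses SPN values into the `serviceclass/host:port servicename` shape quoted above, applies an approximation of Active Directory's "Validated write to service principal name" rule (a computer writing its own SPN may only use a host part equal to its dNSHostName or its sAMAccountName without the trailing `$`; Samba's real check lives in source4/dsdb/samdb/ldb_modules/acl.c and is modelled here, not reproduced), flags SPN values that occur on more than one account, and emits the LDIF `add: servicePrincipalName` change for values not yet present, in the form `ldbmodify` reads. The value from the logs, `MSSQLSvc/PCNAME.domain.domain.domain.de:DATEV_DBENGINE`, parses with `DATEV_DBENGINE` after the colon, the position SQL Server fills with either a TCP port or a named-instance name. The DN, host names and directory contents in the script are constructed sample data.

```python
"""Parse, validate and plan servicePrincipalName (SPN) changes.

SPN syntax as quoted in the thread from the TechNet article:
    serviceclass/host:port servicename
serviceclass and host are required; ":port" (or, for SQL Server named
instances, ":instancename") and "/servicename" are optional.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# serviceclass/host[:port-or-instance][/servicename]
_SPN_RE = re.compile(
    r"^(?P<cls>[^/:\s]+)/(?P<host>[^/:\s]+)(?::(?P<inst>[^/\s]+))?(?:/(?P<svc>\S+))?$"
)


@dataclass(frozen=True)
class Spn:
    service_class: str
    host: str
    port_or_instance: Optional[str]  # "1433" or a named instance such as DATEV_DBENGINE
    service_name: Optional[str]

    @property
    def is_port(self) -> bool:
        p = self.port_or_instance
        return p is not None and p.isdigit() and 1 <= int(p) <= 65535


def parse_spn(text: str) -> Spn:
    """Split one SPN string; raise ValueError when serviceclass/host is missing."""
    m = _SPN_RE.match(text)
    if not m:
        raise ValueError(f"malformed SPN: {text!r}")
    return Spn(m["cls"], m["host"], m["inst"], m["svc"])


def _normalize(s: str) -> str:
    # SPNs and host names compare case-insensitively in AD.
    return s.strip().lower()


def self_write_allowed(spn: Spn, dns_host_name: str, sam_account_name: str) -> bool:
    """Approximation (assumption, not Samba's acl.c) of the validated-write
    rule: a self-write is accepted only when the SPN host part equals the
    account's dNSHostName or its sAMAccountName without the trailing '$'."""
    allowed = {_normalize(dns_host_name), _normalize(sam_account_name.rstrip("$"))}
    return _normalize(spn.host) in allowed


def find_duplicates(directory: Dict[str, Iterable[str]]) -> Dict[str, List[str]]:
    """Map every SPN value present on more than one DN to the DNs carrying it.
    Duplicate SPNs break Kerberos: the KDC cannot choose one account key."""
    owners: Dict[str, List[str]] = {}
    for dn, spns in directory.items():
        for s in spns:
            owners.setdefault(_normalize(s), []).append(dn)
    return {k: v for k, v in owners.items() if len(v) > 1}


def mssql_spns(dns_host_name: str, instance_or_port: str) -> List[str]:
    """FQDN and short-name forms for one SQL Server instance, as in the thread."""
    short = dns_host_name.split(".", 1)[0]
    return [f"MSSQLSvc/{dns_host_name}:{instance_or_port}",
            f"MSSQLSvc/{short}:{instance_or_port}"]


def plan_ldif(dn: str, existing: Iterable[str], wanted: Iterable[str]) -> str:
    """LDIF 'add: servicePrincipalName' change for the values not yet present
    on the object; empty string when there is nothing to add."""
    have = {_normalize(s) for s in existing}
    add = [s for s in wanted if _normalize(s) not in have]
    if not add:
        return ""
    lines = [f"dn: {dn}", "changetype: modify", "add: servicePrincipalName"]
    lines += [f"servicePrincipalName: {s}" for s in add]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample data modelled on the thread; not real directory content.
    dn = "CN=PCNAME,CN=Computers,DC=example,DC=com"
    logged = parse_spn("MSSQLSvc/PCNAME.domain.domain.domain.de:DATEV_DBENGINE")
    print(logged, "port" if logged.is_port else "named instance")
    print("self-write ok:", self_write_allowed(logged, "pcname.domain.domain.domain.de", "PCNAME$"))
    directory = {dn: ["MSSQLSvc/PCNAME.example.com:1433"],
                 "CN=OTHER,CN=Computers,DC=example,DC=com": ["mssqlsvc/pcname.example.com:1433"]}
    print("duplicates:", find_duplicates(directory))
    print(plan_ldif(dn, directory[dn], mssql_spns("PCNAME.example.com", "1433")), end="")
```

Feed the printed LDIF to `ldbmodify -H /var/lib/samba/private/sam.ldb` as an administrator rather than granting the machine a write right, if the goal is to register the SPN once and keep SELF out of the picture.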
