[Samba] Failed to modify SPNs on error in module acl: Constraint violation during LDB_MODIFY (19)

Markus Dellermann li-mli at gmx.net
Thu Mar 31 07:45:33 UTC 2016


Good morning...
On Tuesday, 29 March 2016, 13:26:30 CEST, mathias dufresne wrote:
> I'm not an expert, especially when it comes to servicePrincipalName which I
> haven't understood until now but I think it is safe to give an object the
> right to modify itself.
> 
> If securing is one of your main concerns, you could try to remove the
> possibility for that account to modify itself, once the servicePrincipalName
> is created. Doing that, the SPN should NOT be removed (no right to remove it)
> and authentication should continue to work (the SPN is there). You could have
> errors in your logs if MS-SQLserv tries to remove the SPN at shutdown and/or
> add it again at startup.
> 
About securing, I found this:
http://files.cnblogs.com/files/woodytu/Microsoft.SQL.Server.2012.Security.Cookbook.Rudi.Bruchez.Packt.2012.pdf

From that, the servicePrincipalName things should work out of the box (with the
local system account):

"...then the SQL Server instance will automatically 
register the SPN on the Active Directory when it is started, and it will 
unregister it when it is stopped. This is also the case when the service 
account is the built-in LocalSystem or the NetworkService local account. These 
accounts are shown as the machine name at the AD 
and have the rights to register the SPN."

I couldn't find a solution to disable the whole behaviour - I don't need this
service in the network.
So I have to live with registering the servicePrincipalNames or with errors in
the logs.
Maybe I generate a service account for SQL Server, but this all isn't very
related to Samba...

> Anyway, I'm very glad to read I was able to help you a little bit with my
> little knowledge on that subject :)
> 
Thank you for your help
> Have a nice day!
> 
And you!
> mathias
> 
Greetings
Markus
> 2016-03-29 12:09 GMT+02:00 Markus Dellermann <li-mli at gmx.net>:
> > Hi Mathias and all.
> > 
> > On Thursday, 24 March 2016, 13:26:12 CEST, mathias dufresne wrote:
> > > Hi,
> > > 
> > > I'm glad that helped you : )
> > > 
> > > About SPN, I found that link few days ago:
> > > https://adsecurity.org/?page_id=183
> > > It tries to list the string values available usable for SPN.
> > 
> > > And it gives also that link:
> > > http://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx
> > > That one is a technet paper to explain SPNs.
> > > 
> > > I tried to read it but for now I wasn't able to fully understand it (more
> > > specifically to understand how I would re-use these concepts for my
> > > needs).
> > 
> > > Anyway that second link describe SPN syntax as follow:
> > > 
> > > *serviceclass/host:port servicename*
> > > 
> > > *serviceclass* and *host* are required, but *port* and *service* name are
> > > optional. The colon between *host* and *port* is only required when a
> > > *port* is present.
> > 
> > Thank you for the links & explanation
> > 
> > > According to that and because I have no idea what is DATEV_DBENGINE
> > 
> > "DATEV_DBENGINE"
> > This is from a program called "Datev...", installed locally on this PC.
> > Its DB is stored in the local Microsoft SQL.
> > But yes, it seems curious that this is added to the servicePrincipalName.
> > If I understand its syntax right, there should eventually be a port number,
> > but maybe this is the local account name for this service.
> > 
> > > dn: CN=PCNAME,CN=Computers,DC=...
> > > changetype: modify
> > > add: servicePrincipalName
> > > servicePrincipalName: MSSQLSvc/PCNAME.ad-dom.domain.tld:<some port number>
> > 
> > > And I would also add a second SPN using the NETBIOS name of PCNAME rather than
> > > the FQDN, which gives us:
> > > 
> > > servicePrincipalName: MSSQLSvc/PCNAME:<some port number>
> > > 
> > > Adding both SPNs you have two unique names for your SPN, and that SPN is valid
> > > when a client requests that SPN using the FQDN and/or NetBIOS name (or short
> > > name).
> > 
> > Adding manually doesn't work - MS-SQL seems to want to modify this entry
> > during its start.
> > 
> > > Please tell me if you were able to add the mentioned SPN and if your issue is
> > > now solved (just for my information ;)
> > 
> > With ADUC I have edited the extended rights of the client machine
> > and assigned "SELF" rights to read & write "servicePrincipalName".
> > This added the required line to sam.ldb:
> > servicePrincipalName: MSSQLSvc/PCNAME.domain.domain.domain.de:DATEV_DBENGINE
> > 
> > Failures in the logs are gone, so this could be the way to fix this.
> > In terms of security I'm unsure if it's a good way to give a machine
> > rights to add servicePrincipalNames?
> > 
> > I am also unclear why a local service should register itself in Active
> > Directory. The easiest could be to disable this behaviour completely, if possible.
> > 
> > > Best regards,
> > > 
> > > mathias
> > 
> > Greetings
> > 
> > Markus
> > 
> > > 2016-03-24 9:51 GMT+01:00 Markus Dellermann <li-mli at gmx.net>:
> > > > Hi again,
> > > > 
> > > > On Monday, 14 March 2016, 00:44:47 CET, Markus Dellermann wrote:
> > > > > On Thursday, 10 March 2016, 10:41:34 CET, mathias dufresne wrote:
> > > > > Hi Mathias and all,
> > > > > thank you for your answer.
> > > > > 
> > > > > > Hi all,
> > > > > > 
> > > > > > SPN = servicePrincipalName
> > > > > > 
> > > > > > A simple search returning all servicePrincipalName declared in your
> > > > > > AD:
> > > > > > ldbsearch -H $sam serviceprincipalname=* serviceprincipalname
> > > > > 
> > > > > For me:
> > > > > ldbsearch -H /var/lib/samba/private/sam.ldb serviceprincipalname=* serviceprincipalname
> > > > 
> > > > 
> > > > [...]
> > > > Thank you again for the hint!
> > > > 
> > > > With "loglevel=10" I found the affected servicePrincipalName:
> > > > 
> > > > ldb: ldb_trace_request: MODIFY
> > > > dn: CN=PCNAME,CN=Computers,DC=...
> > > > changetype: modify
> > > > add: servicePrincipalName
> > > > servicePrincipalName: MSSQLSvc/PCNAME.domain.domain.domain.de:DATEV_DBENGINE
> > > > -
> > > > control: 1.2.840.113556.1.4.1413  crit:0  data:no
> > > > 
> > > > [2016/03/24 01:01:45.075853, 10, pid=32023, effective(0, 0), real(0, 0)] ../source4/dsdb/samdb/ldb_modules/acl.c:1055(acl_modify)
> > > >   ldb:acl_modify: servicePrincipalName
> > > > [2016/03/24 01:01:45.076866, 10, pid=32023, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
> > > > [...]
> > > >   ldb: ldb_asprintf/set_errstring: error in module acl: Constraint violation during LDB_MODIFY (19)
> > > > [...]
> > > >   ldb: ldb_trace_next_request: (tdb)->del_transaction
> > > > [2016/03/24 01:01:45.077191,  0, pid=32023, effective(0, 0), real(0, 0)] ../source4/rpc_server/drsuapi/writespn.c:234(dcesrv_drsuapi_DsWriteAccountSpn)
> > > >   Failed to modify SPNs on CN=PCNAME,CN=Computers,DC=DOMAIN,DC=...: error in module acl: Constraint violation during LDB_MODIFY (19)
> > > > [2016/03/24 01:01:45.079992,  1, pid=32023, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
> > > >        drsuapi_DsWriteAccountSpn: struct drsuapi_DsWriteAccountSpn
> > > >           out: struct drsuapi_DsWriteAccountSpn
> > > >               level_out                : *
> > > >                   level_out                : 0x00000001 (1)
> > > >               res                      : *
> > > >                   res                      : union drsuapi_DsWriteAccountSpnResult(case 1)
> > > >                   res1: struct drsuapi_DsWriteAccountSpnResult1
> > > >                       status                   : WERR_ACCESS_DENIED
> > > >               result                   : WERR_OK
> > > > 
> > > > I have two clients with installed Datev software / local SQL Server with
> > > > this problem.
> > > > 
> > > > Does SQL Server have wrong permissions, or is it a general problem?
> > > > 
> > > > Greetings
> > > > 
> > > > Markus
> > > > 
> > > > --
> > > > To unsubscribe from this list go to the following URL and read the
> > > > instructions:  https://lists.samba.org/mailman/options/samba
> > 
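Added example, not code from this thread or from Samba: it reads the LDIF that the ldbsearch command quoted above prints (joining the leading-space continuation lines LDIF uses, which is what the "DATEV_DBENGIN / E" split in the quoted log looks like), splits each SPN with the serviceclass/host:port servicename syntax from the technet link, and lists SPNs whose host is neither the computer's sAMAccountName nor its dNSHostName, as an audit of what a machine has registered on itself. The sample LDIF, the OTHERHOST entry and the ad-dom.domain.tld names are constructed, and the host check is an approximation of the self-consistency idea, not Samba's acl-module validation.

```python
import re

def spns_by_dn(ldif: str) -> dict[str, list[str]]:
    """Map each dn in ldbsearch LDIF output to its servicePrincipalName values.
    Continuation lines (a leading single space) are joined onto the previous line."""
    lines: list[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    out: dict[str, list[str]] = {}
    dn = ""
    for line in lines:
        attr, _, value = line.partition(": ")
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == "serviceprincipalname" and dn:
            out.setdefault(dn, []).append(value)
    return out

def parse_spn(value: str) -> tuple:
    """Split 'serviceclass/host[:port][ servicename]'; missing optional parts are ''."""
    m = re.fullmatch(r"([^/\s]+)/([^:\s]+)(?::(\S+))?(?: (.+))?", value)
    if not m:
        raise ValueError(f"malformed SPN: {value!r}")
    return tuple(g or "" for g in m.groups())

def foreign_spns(spns, own_names) -> list[str]:
    """SPNs that are malformed or whose host is none of the account's own names."""
    own = {n.rstrip("$").lower() for n in own_names}
    flagged = []
    for spn in spns:
        try:
            host = parse_spn(spn)[1]
        except ValueError:
            host = ""  # malformed: can never match an own name
        if host.lower() not in own:
            flagged.append(spn)
    return flagged

# Constructed sample shaped like the quoted ldbsearch output; the long value is LDIF-folded.
SAMPLE_LDIF = """\
dn: CN=PCNAME,CN=Computers,DC=ad-dom,DC=domain,DC=tld
servicePrincipalName: MSSQLSvc/PCNAME.ad-dom.domain.tld:DATEV_DBENGIN
 E
servicePrincipalName: MSSQLSvc/PCNAME:1433
servicePrincipalName: MSSQLSvc/OTHERHOST.ad-dom.domain.tld:1433
"""
OWN_NAMES = ("PCNAME$", "PCNAME.ad-dom.domain.tld")  # sAMAccountName, dNSHostName
```

Run against real output by piping the quoted ldbsearch command into `spns_by_dn` and passing each computer's own names; anything `foreign_spns` returns is an SPN that names a host the account does not own.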