[Samba] Failed to modify SPNs
Rowland Penny
rpenny at samba.org
Tue Aug 7 08:46:24 UTC 2018
On Tue, 7 Aug 2018 09:52:24 +0200
Henry Jensen via samba <samba at lists.samba.org> wrote:
> Hello,
>
> I've got some log entries like these on our DCs:
>
> Failed to modify SPNs on CN=db1,CN=Computers,DC=mydom,DC=lan: acl:
> spn validation failed for spn[TERMSRV/DB1.MYDOM] uac[0x1000]
> account[db1$] hostname[(null)] nbname[mydom] ntds[(null)]
> forest[mydom.lan] domain[mydom.lan]
>
> At first I thought it was about missing SPN entries, but adding these
> did not resolve the problem:
>
> # samba-tool spn list db1$
> db1$
> User CN=db1,CN=Computers,DC=mydom,DC=lan has the following servicePrincipalName:
>          TERMSRV/db1
>          TERMSRV/db1.mydom
>          TERMSRV/db1.mydom.lan
>
>
> Samba is 4.7.8 and one DC with 4.8.3.
>

I am fairly sure that 'TERMSRV' is coming from 'spn_update_list' and it
is trying to be added by 'samba_spnupdate'.

There is however a problem, this is the bottom of 'spn_update_list':

# Only used on Terminal Server mode:
# TERMSRV/${HOSTNAME}
# TERMSRV/${NETBIOSNAME}

As you can see, all the lines are commented out and should be ignored.

Have you modified the 'spn_update_list'?

Rowland
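
Added example, not part of the original message and not Samba's own code: one way to check the question raised above, by parsing the "spn validation failed" log entry into its fields and testing whether any active (uncommented) 'spn_update_list' entry has the same service class as the rejected SPN. The function names and the extra HOST/ line in the sample list are assumptions made for illustration.

```python
import re

# Constructed sample: the tail of spn_update_list as quoted in the reply,
# plus one active entry added here for contrast.
SAMPLE_LIST = """\
# Only used on Terminal Server mode:
# TERMSRV/${HOSTNAME}
# TERMSRV/${NETBIOSNAME}
HOST/${HOSTNAME}
"""

# The log entry from the original post, rejoined onto one line.
SAMPLE_LOG = (
    "Failed to modify SPNs on CN=db1,CN=Computers,DC=mydom,DC=lan: acl: "
    "spn validation failed for spn[TERMSRV/DB1.MYDOM] uac[0x1000] "
    "account[db1$] hostname[(null)] nbname[mydom] ntds[(null)] "
    "forest[mydom.lan] domain[mydom.lan]"
)

def active_entries(list_text):
    """Return list lines that are neither blank nor '#' comments."""
    lines = (ln.strip() for ln in list_text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]

def parse_failure(log_line):
    """Split an 'spn validation failed' entry into its key[value] fields."""
    m = re.search(r"Failed to modify SPNs on (.+?): acl: spn validation failed for (.*)", log_line)
    if m is None:
        return None
    fields = dict(re.findall(r"(\w+)\[([^\]]*)\]", m.group(2)))
    fields = {k: (None if v == "(null)" else v) for k, v in fields.items()}
    fields["dn"] = m.group(1)  # object whose SPN change was rejected
    return fields

def list_could_be_source(list_text, log_line):
    """True if an active list entry has the service class of the rejected SPN."""
    failure = parse_failure(log_line)
    if failure is None or not failure.get("spn"):
        return False
    service = failure["spn"].split("/", 1)[0].upper()
    return any(e.split("/", 1)[0].upper() == service for e in active_entries(list_text))

if __name__ == "__main__":
    print(parse_failure(SAMPLE_LOG))
    print(list_could_be_source(SAMPLE_LIST, SAMPLE_LOG))
```

With the list tail exactly as quoted, the TERMSRV lines are comments and the check returns False; it returns True only if one of them has been uncommented.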