[Samba] Failed to modify SPNs

Henry Jensen hjensen at mailbox.org
Tue Aug 7 11:00:57 UTC 2018


Hi Rowland,


On Tue, 7 Aug 2018 09:46:24 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:

> > Failed to modify SPNs on CN=db1,CN=Computers,DC=mydom,DC=lan: acl:
> > spn validation failed for spn[TERMSRV/DB1.MYDOM] uac[0x1000]
> > account[db1$] hostname[(null)] nbname[mydom] ntds[(null)]
> > forest[mydom.lan] domain[mydom.lan]
> > 
> > At first I thought it was about missing SPN entries, but adding these
> > did not resolve the problem:
> > 
> > # samba-tool spn list db1$
> > db1$
> > User CN=db1,CN=Computers,DC=mydom,DC=lan has the following
> > servicePrincipalName: TERMSRV/db1
> >          TERMSRV/db1.mydom
> >          TERMSRV/db1.mydom.lan
> > 
> > 
> > Samba is 4.7.8 and one DC with 4.8.3.
> >   
> 
> I am fairly sure that 'TERMSRV' is coming from 'spn_update_list' and it
> is trying to be added by 'samba_spnupdate'.
> There is however a problem, this is the bottom of 'spn_update_list':
> 
> # Only used on Terminal Server mode:
> # TERMSRV/${HOSTNAME}
> # TERMSRV/${NETBIOSNAME}
> 
> As you can see, all the lines are commented out and should be ignored.
> 
> Have you modified the 'spn_update_list' ?


No, in /var/lib/samba/private/spn_update_list the lines you quoted are
still commented out.

Like I said, after the messages appeared (right after the migration from
the old NT-style domain) I added the TERMSRV entries manually with

 samba-tool spn add TERMSRV/db1 db1$
 samba-tool spn add TERMSRV/db1.mydom db1$
 samba-tool spn add TERMSRV/db1.mydom.lan db1$

thinking this would resolve the issue, but it didn't.

However, since TERMSRV is ignored, could one simply ignore these
messages as well?

Kind Regards,

Henry
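
Added example, not part of the original post and not Samba code: a small Python triage helper that parses the "spn validation failed" line quoted above and checks the rejected SPN against the `samba-tool spn list` output from the thread. The function names are hypothetical, the sample line is the post's log message joined onto one line, and the case-insensitive SPN comparison follows the usual AD convention; the helper only surfaces the fields and does not determine why validation failed.

```python
import re

# Constructed sample: the error from the post, joined onto a single line.
SAMPLE = ("Failed to modify SPNs on CN=db1,CN=Computers,DC=mydom,DC=lan: acl: "
          "spn validation failed for spn[TERMSRV/DB1.MYDOM] uac[0x1000] "
          "account[db1$] hostname[(null)] nbname[mydom] ntds[(null)] "
          "forest[mydom.lan] domain[mydom.lan]")

# SPNs shown by 'samba-tool spn list db1$' in the post.
REGISTERED = ["TERMSRV/db1", "TERMSRV/db1.mydom", "TERMSRV/db1.mydom.lan"]

# userAccountControl account-type bits (values as documented in MS-ADTS).
UAC_FLAGS = {0x0200: "NORMAL_ACCOUNT",
             0x1000: "WORKSTATION_TRUST_ACCOUNT",
             0x2000: "SERVER_TRUST_ACCOUNT"}

FIELD_RE = re.compile(r"(\w+)\[([^\]]*)\]")
DN_RE = re.compile(r"Failed to modify SPNs on (.+?): acl:")


def parse_spn_failure(line):
    """Return the key[value] fields of the log line, or None if it is another message."""
    if "spn validation failed" not in line:
        return None
    tail = line.split("spn validation failed", 1)[1]
    # "(null)" is how the log prints an unset value; map it to None.
    fields = {k: (None if v == "(null)" else v) for k, v in FIELD_RE.findall(tail)}
    dn = DN_RE.search(line)
    fields["dn"] = dn.group(1) if dn else None
    return fields


def triage(line, registered):
    """Summarise one failure: account type, unset fields, and whether the SPN exists."""
    f = parse_spn_failure(line)
    if f is None:
        return None
    uac = int(f["uac"], 16)
    return {
        "dn": f["dn"],
        "spn": f["spn"],
        "account": f["account"],
        "uac_flags": [n for bit, n in sorted(UAC_FLAGS.items()) if uac & bit],
        "null_fields": sorted(k for k, v in f.items() if v is None),
        "already_registered": f["spn"].lower() in {s.lower() for s in registered},
    }


if __name__ == "__main__":
    print(triage(SAMPLE, REGISTERED))
```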



