[Samba] Failed to modify SPNs

Rowland Penny rpenny at samba.org
Tue Aug 7 11:51:33 UTC 2018 

On Tue, 7 Aug 2018 13:00:57 +0200
Henry Jensen via samba <samba at lists.samba.org> wrote:

> Hi Rowland,
> 
> 
> On Tue, 7 Aug 2018 09:46:24 +0100
> Rowland Penny via samba <samba at lists.samba.org> wrote:
> 
> > > Failed to modify SPNs on CN=db1,CN=Computers,DC=mydom,DC=lan: acl:
> > > spn validation failed for spn[TERMSRV/DB1.MYDOM] uac[0x1000]
> > > account[db1$] hostname[(null)] nbname[mydom] ntds[(null)]
> > > forest[mydom.lan] domain[mydom.lan]
> > > 
> > > At first I thought it was about missing SPN entries, but adding
> > > these did not resolve the problem:
> > > 
> > > # samba-tool spn list db1$
> > > db1$
> > > User CN=db1,CN=Computers,DC=mydom,DC=lan has the following
> > > servicePrincipalName: TERMSRV/db1
> > >          TERMSRV/db1.mydom
> > >          TERMSRV/db1.mydom.lan
> > > 
> > > 
> > > Samba is 4.7.8 and one DC with 4.8.3.
> > >   
> > 
> > I am fairly sure that 'TERMSRV' is coming from 'spn_update_list'
> > and it is trying to be added by 'samba_spnupdate'.
> > There is however a problem, this is the bottom of 'spn_update_list':
> > 
> > # Only used on Terminal Server mode:
> > # TERMSRV/${HOSTNAME}
> > # TERMSRV/${NETBIOSNAME}
> > 
> > As you can see, all the lines are commented out and should be
> > ignored.
> > 
> > Have you modified the 'spn_update_list' ?
> 
> 
> No, in /var/lib/samba/private/spn_update_list the lines you quoted are
> still commented out.
> 
> Like I said, after the messages appeared (right after the migration
> fom the old NT-style domain) I added the TERMSRV entries manually
> with 
> 
>  samba-tool spn add TERMSRV/db1 db1$
>  samba-tool spn add TERMSRV/db1.mydom db1$
>  samba-tool spn add TERMSRV/db1.mydom.lan db1$
> 
> thinking, this would resolve the issue, but it didn't.
> 
> However, since TERMSRV is ignored, could one simply ignore these
> messages as well?
> 
> Kind Regards,
> 
> Henry
> 
> 

Well, you could, but where are they coming from ?
Do you actually use terminal servers ?

Can you post your smb.conf files.

Rowland

More information about the samba mailing list