[Samba] Failed to modify SPNs

Henry Jensen hjensen at mailbox.org
Tue Aug 7 15:13:02 UTC 2018


On Tue, 7 Aug 2018 14:59:56 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Tue, 7 Aug 2018 14:55:24 +0200
> Henry Jensen via samba <samba at lists.samba.org> wrote:
> 
> > On Tue, 7 Aug 2018 12:51:33 +0100
> > Rowland Penny via samba <samba at lists.samba.org> wrote:
> >   
> > > > > > Failed to modify SPNs on CN=db1,CN=Computers,DC=mydom,DC=lan:
> > > > > > acl: spn validation failed for spn[TERMSRV/DB1.MYDOM]
> > > > > > uac[0x1000] account[db1$] hostname[(null)] nbname[mydom]
> > > > > > ntds[(null)] forest[mydom.lan] domain[mydom.lan]
> > > > > > 
> > > > > > At first I thought it was about missing SPN entries, but
> > > > > > adding these did not resolve the problem:
> > > > > > 
> > > > > > # samba-tool spn list db1$
> > > > > > db1$
> > > > > > User CN=db1,CN=Computers,DC=mydom,DC=lan has the following
> > > > > > servicePrincipalName: TERMSRV/db1
> > > > > >          TERMSRV/db1.mydom
> > > > > >          TERMSRV/db1.mydom.lan
> > > > > > 
> > > > > > 
> > > > > > Samba is 4.7.8 and one DC with 4.8.3.
> > > > > >       
> > > > > 
> > > > > I am fairly sure that 'TERMSRV' is coming from 'spn_update_list'
> > > > > and it is trying to be added by 'samba_spnupdate'.
> > > > > There is however a problem, this is the bottom of
> > > > > 'spn_update_list':
> > > > > 
> > > > > # Only used on Terminal Server mode:
> > > > > # TERMSRV/${HOSTNAME}
> > > > > # TERMSRV/${NETBIOSNAME}
> > > > > 
> > > > > As you can see, all the lines are commented out and should be
> > > > > ignored.
> > > > > 
> > > > > Have you modified the 'spn_update_list' ?    
> > > > 
> > > > 
> > > > No, in /var/lib/samba/private/spn_update_list the lines you
> > > > quoted are still commented out.
> > > > 
> > > > Like I said, after the messages appeared (right after the
> > > > migration from the old NT-style domain) I added the TERMSRV
> > > > entries manually with 
> > > > 
> > > >  samba-tool spn add TERMSRV/db1 db1$
> > > >  samba-tool spn add TERMSRV/db1.mydom db1$
> > > >  samba-tool spn add TERMSRV/db1.mydom.lan db1$
> > > > 
> > > > thinking, this would resolve the issue, but it didn't.
> > > > 
> > > > However, since TERMSRV is ignored, could one simply ignore these
> > > > messages as well?
> > > > 
> > > > Kind Regards,
> > > > 
> > > > Henry
> > > > 
> > > >     
> > > 
> > > Well, you could, but where are they coming from ?
> > > Do you actually use terminal servers ?
> > > 
> > > Can you post your smb.conf files.  
> > 
> > 
> > Yes, we are using terminal servers and connecting to various machines
> > via RDP. Indeed all machines regarding those TERMSRV messages are
> > machines at which we use remote desktop services.
> > 
> > 
> > # cat /etc/samba/smb.conf 
> > [global]
> >         netbios name = DC1
> >         realm = MYDOM.LAN
> >         server role = active directory domain controller
> >         workgroup = MYDOM
> >         idmap_ldb:use rfc2307 = yes
> >         dns forwarder = 1.2.3.4
> >         dsdb:schema update allowed=true
> > 
> > [netlogon]
> >         path = /var/lib/samba/sysvol/mydom.lan/scripts
> >         read only = No
> > 
> > [sysvol]
> >         path = /var/lib/samba/sysvol
> >         read only = No
> > 
> > 
> >   
> 
> OK, try adding the SPN, yes I know you have already tried ;-)
> Try it this way 
> 
> samba-tool spn add TERMSRV/DB1.MYDOM db1$


OK, I tried it with upper case: 

# samba-tool spn add TERMSRV/DB1.MYDOM db1$
ERROR: Service principal TERMSRV/DB1.MYDOM already affected to another user


Kind Regards,

Henry
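The "already affected to another user" error above is what you get when the SPN being added is already held by some other account, and Active Directory compares servicePrincipalName values case-insensitively, so a differently cased copy of the same name counts as the same SPN. The script below is an added illustration, not code from this thread or from Samba: it parses `samba-tool spn list`-style output into a list of SPNs, then checks a set of accounts for the same SPN registered more than once. The account names and SPN lists are constructed sample data (the second account holding the upper-cased TERMSRV SPN is hypothetical), and the parser assumes the unwrapped output layout of `samba-tool spn list`.

```python
"""Locate SPNs registered on more than one account (case-insensitively).

Constructed example: nothing here is read from a real directory.
"""
from collections import defaultdict

# Constructed sample of `samba-tool spn list db1$` output, written the way the
# tool prints it before mail wrapping: the first SPN follows the attribute
# name, the rest are indented on their own lines.
SAMPLE_SPN_LIST_OUTPUT = """db1$
User CN=db1,CN=Computers,DC=mydom,DC=lan has the following servicePrincipalName: TERMSRV/db1
         TERMSRV/db1.mydom
         TERMSRV/db1.mydom.lan
"""

# Constructed account -> SPN map. "OLD-DB1$" is a hypothetical leftover object
# that already carries the upper-cased variant of db1$'s TERMSRV SPN.
SAMPLE_ACCOUNTS = {
    "db1$": ["TERMSRV/db1", "TERMSRV/db1.mydom", "TERMSRV/db1.mydom.lan"],
    "OLD-DB1$": ["HOST/old-db1", "TERMSRV/DB1.MYDOM"],
    "dc1$": ["HOST/dc1", "HOST/dc1.mydom.lan", "ldap/dc1.mydom.lan"],
}


def parse_spn_list(text: str) -> list:
    """Extract the SPN values from `samba-tool spn list` output."""
    spns = []
    marker = "servicePrincipalName:"
    for line in text.splitlines():
        if marker in line:
            # First SPN sits on the same line as the attribute name.
            spns.append(line.split(marker, 1)[1].strip())
        elif line[:1].isspace() and line.strip():
            # Continuation lines are indented and hold one SPN each.
            spns.append(line.strip())
    return spns


def normalize_spn(spn: str) -> str:
    """Canonical form for comparison: AD treats SPNs case-insensitively."""
    return spn.strip().lower()


def find_duplicate_spns(accounts: dict) -> dict:
    """Return {normalized SPN: sorted account names} for SPNs held by >1 account."""
    holders = defaultdict(set)
    for account, spns in accounts.items():
        for spn in spns:
            holders[normalize_spn(spn)].add(account)
    return {spn: sorted(accts) for spn, accts in holders.items() if len(accts) > 1}


def can_add_spn(accounts: dict, spn: str, target_account: str):
    """Mimic the uniqueness check: (True, None) if the SPN is free for
    target_account, otherwise (False, name of the account that holds it)."""
    wanted = normalize_spn(spn)
    for account, spns in accounts.items():
        if account == target_account:
            continue
        if any(normalize_spn(existing) == wanted for existing in spns):
            return False, account
    return True, None


if __name__ == "__main__":
    print("Parsed SPNs:", parse_spn_list(SAMPLE_SPN_LIST_OUTPUT))
    for spn, accts in find_duplicate_spns(SAMPLE_ACCOUNTS).items():
        print(f"SPN {spn} is registered on: {', '.join(accts)}")
    print("Add TERMSRV/DB1.MYDOM to db1$ ->",
          can_add_spn(SAMPLE_ACCOUNTS, "TERMSRV/DB1.MYDOM", "db1$"))
```

Running it against the sample data reports `termsrv/db1.mydom` as held by both `OLD-DB1$` and `db1$`, which is the situation behind the "already affected to another user" message. On a real DC the same question can be answered directly with an LDAP search for the SPN value against sam.ldb; the first error in the thread (`acl: spn validation failed ... hostname[(null)]`) is a separate check on whether the SPN matches the account's own host attributes, which this script does not model.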

