[Samba] Failed to modify SPNs

Rowland Penny rpenny at samba.org
Tue Aug 7 15:26:36 UTC 2018


On Tue, 7 Aug 2018 17:13:02 +0200
Henry Jensen via samba <samba at lists.samba.org> wrote:

> On Tue, 7 Aug 2018 14:59:56 +0100
> Rowland Penny via samba <samba at lists.samba.org> wrote:
> 
> > On Tue, 7 Aug 2018 14:55:24 +0200
> > Henry Jensen via samba <samba at lists.samba.org> wrote:
> > 
> > > On Tue, 7 Aug 2018 12:51:33 +0100
> > > Rowland Penny via samba <samba at lists.samba.org> wrote:
> > >   
> > > > > > > Failed to modify SPNs on
> > > > > > > CN=db1,CN=Computers,DC=mydom,DC=lan: acl: spn validation
> > > > > > > failed for spn[TERMSRV/DB1.MYDOM] uac[0x1000]
> > > > > > > account[db1$] hostname[(null)] nbname[mydom] ntds[(null)]
> > > > > > > forest[mydom.lan] domain[mydom.lan]
> > > > > > > 
> > > > > > > At first I thought it was about missing SPN entries, but
> > > > > > > adding these did not resolve the problem:
> > > > > > > 
> > > > > > > # samba-tool spn list db1$
> > > > > > > db1$
> > > > > > > User CN=db1,CN=Computers,DC=mydom,DC=lan has the following
> > > > > > > servicePrincipalName: TERMSRV/db1
> > > > > > >          TERMSRV/db1.mydom
> > > > > > >          TERMSRV/db1.mydom.lan
> > > > > > > 
> > > > > > > 
> > > > > > > Samba is 4.7.8 and one DC with 4.8.3.
> > > > > > >       
> > > > > > 
> > > > > > I am fairly sure that 'TERMSRV' is coming from
> > > > > > 'spn_update_list' and it is trying to be added by
> > > > > > 'samba_spnupdate'. There is however a problem, this is the
> > > > > > bottom of 'spn_update_list':
> > > > > > 
> > > > > > # Only used on Terminal Server mode:
> > > > > > # TERMSRV/${HOSTNAME}
> > > > > > # TERMSRV/${NETBIOSNAME}
> > > > > > 
> > > > > > As you can see, all the lines are commented out and should
> > > > > > be ignored.
> > > > > > 
> > > > > > Have you modified the 'spn_update_list' ?    
> > > > > 
> > > > > 
> > > > > No, in /var/lib/samba/private/spn_update_list the lines you
> > > > > quoted are still commented out.
> > > > > 
> > > > > Like I said, after the messages appeared (right after the
> > > > > migration from the old NT-style domain) I added the TERMSRV
> > > > > entries manually with 
> > > > > 
> > > > >  samba-tool spn add TERMSRV/db1 db1$
> > > > >  samba-tool spn add TERMSRV/db1.mydom db1$
> > > > >  samba-tool spn add TERMSRV/db1.mydom.lan db1$
> > > > > 
> > > > > thinking, this would resolve the issue, but it didn't.
> > > > > 
> > > > > However, since TERMSRV is ignored, could one simply ignore
> > > > > these messages as well?
> > > > > 
> > > > > Kind Regards,
> > > > > 
> > > > > Henry
> > > > > 
> > > > >     
> > > > 
> > > > Well, you could, but where are they coming from ?
> > > > Do you actually use terminal servers ?
> > > > 
> > > > Can you post your smb.conf files.  
> > > 
> > > 
> > > Yes, we are using terminal servers and connecting to various
> > > machines via RDP. Indeed all machines regarding those TERMSRV
> > > messages are machines at which we use remote desktop services.
> > > 
> > > 
> > > # cat /etc/samba/smb.conf 
> > > [global]
> > >         netbios name = DC1
> > >         realm = MYDOM.LAN
> > >         server role = active directory domain controller
> > >         workgroup = MYDOM
> > >         idmap_ldb:use rfc2307 = yes
> > >         dns forwarder = 1.2.3.4
> > >         dsdb:schema update allowed=true
> > > 
> > > [netlogon]
> > >         path = /var/lib/samba/sysvol/mydom.lan/scripts
> > >         read only = No
> > > 
> > > [sysvol]
> > >         path = /var/lib/samba/sysvol
> > >         read only = No
> > > 
> > > 
> > >   
> > 
> > OK, try adding the SPN, yes I know you have already tried ;-)
> > Try it this way 
> > 
> > samba-tool spn add TERMSRV/DB1.MYDOM db1$
> 
> 
> OK, I tried it with upper case: 
> 
> # samba-tool spn add TERMSRV/DB1.MYDOM db1$
> ERROR: Service principal TERMSRV/DB1.MYDOM already affected to
> another user
> 
> 
> Kind Regards,
> 
> Henry
> 
> 
> 
> 

The error message seems to be trying to set the SPN in uppercase, you
added it in lowercase. Try deleting the lowercase SPN
'TERMSRV/db1.mydom' and then add it again but all in uppercase.

Rowland
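As an added example (not code from this thread or from Samba itself), here is a small Python check that parses the `samba-tool spn list` output in the format quoted above, reports existing SPNs that differ from the wanted value only by case, and emits the delete/add commands that Rowland's advice amounts to. It assumes the directory compares servicePrincipalName values case-insensitively, which is the behaviour the "already affected to another user" error reflects; the sample output is constructed from the thread.

```python
import re

# Constructed from the `samba-tool spn list db1$` output quoted in the thread.
SPN_LIST_OUTPUT = """db1$
User CN=db1,CN=Computers,DC=mydom,DC=lan has the following servicePrincipalName: TERMSRV/db1
         TERMSRV/db1.mydom
         TERMSRV/db1.mydom.lan
"""

_FIRST_SPN = re.compile(r"User (.+) has the following servicePrincipalName: (\S+)$")


def parse_spn_list(output):
    """Return (dn, [spn, ...]) parsed from `samba-tool spn list` output.

    The first SPN sits on the 'User ... has the following ...' line; the rest
    follow on indented continuation lines. Anything before that line is ignored.
    """
    dn, spns = None, []
    for line in output.splitlines():
        m = _FIRST_SPN.match(line)
        if m:
            dn, spns = m.group(1), [m.group(2)]
        elif dn is not None and line.strip():
            spns.append(line.strip())
    return dn, spns


def spn_case_conflicts(wanted, existing):
    """SPNs equal to `wanted` under case-insensitive comparison but spelled differently.

    Assumption (see lead-in): the directory matches servicePrincipalName
    case-insensitively, so such a value blocks adding the wanted spelling.
    """
    return [s for s in existing if s.lower() == wanted.lower() and s != wanted]


def plan_fix(wanted, account, output):
    """Commands to run: delete case-variant SPNs, then add the wanted spelling."""
    _dn, spns = parse_spn_list(output)
    cmds = [f"samba-tool spn delete {s} {account}" for s in spn_case_conflicts(wanted, spns)]
    if wanted not in spns:
        cmds.append(f"samba-tool spn add {wanted} {account}")
    return cmds


if __name__ == "__main__":
    for cmd in plan_fix("TERMSRV/DB1.MYDOM", "db1$", SPN_LIST_OUTPUT):
        print(cmd)
```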
