[Samba] Failed to modify SPNs

[Henry Jensen]

On Tue, 7 Aug 2018 17:55:27 +0200
Henry Jensen via samba <samba at lists.samba.org> wrote:


> > > > > # cat /etc/samba/smb.conf 
> > > > > [global]
> > > > >         netbios name = DC1
> > > > >         realm = MYDOM.LAN
> > > > >         server role = active directory domain controller
> > > > >         workgroup = MYDOM
> > > > >         idmap_ldb:use rfc2307 = yes
> > > > >         dns forwarder = 1.2.3.4
> > > > >         dsdb:schema update allowed=true
> > > > > 
> > > > > [netlogon]
> > > > >         path = /var/lib/samba/sysvol/mydom.lan/scripts
> > > > >         read only = No
> > > > > 
> > > > > [sysvol]
> > > > >         path = /var/lib/samba/sysvol
> > > > >         read only = No
> > > > > 
> > > > > 
> > > > >       
> > > > 

> > The error message seems to be trying to set the SPN in uppercase, you
> > added it in lowercase. Try deleting the lowercase SPN
> > 'TERMSRV/db1.mydom' and then add it again but all in uppercase.  
> 
> All right, I did so. Then I established a RDP session to db1 in order
> to trigger the message. So far, it didn't appear again. Thank you very
> much, Rowland.


I'm sorry, but the issue seems not to be solved after all. Today the error message appeared again.

dc1 samba[742]: Failed to modify SPNs on CN=ts5,CN=Computers,DC=mydom,DC=lan: acl: spn validation failed for spn[TERMSRV/TS5.MYDOM] uac[0x1000] account[ts5$] hostname[(null)] nbname[MYDOM] ntds[(null)] forest[mydom.lan] domain[mydom.lan]

~#  samba-tool spn list ts5$                                                                                                                                                                                                                                                  
ts5$
User CN=ts5,CN=Computers,DC=mydom,DC=lan has the following servicePrincipalName: 
         TERMSRV/TS5
         TERMSRV/TS5.MYDOM
         TERMSRV/TS5.MYDOM.LAN