[Samba] spn validation failed for spn MSSQLSvc

Heinz Allerberger allerberger at em.uni-frankfurt.de
Mon May 7 12:40:04 UTC 2018

High there,

despite SPN - registration of MSSQLSvc - Service my samba-log is 
littered with failures...
Please have a look about it:

Samba-Version: 4.5.16-SerNet-Debian-18.jessie

User foo and machine tz115 are registered in spn:
root at tz230:~# samba-tool spn list foo
User CN=foo,CN=Users,DC=testzentrum,DC=uni-frankfurt,DC=de has the 
following servicePrincipalName:
          host/tz115.testzentrum.uni-frankfurt.de at KerberosRealm

If user foo is a normal member of the domain-users, I get this failures:
[2018/05/03 14:47:28.996941,  0] 
   Failed to modify SPNs on 
CN=tz115,CN=Computers,DC=testzentrum,DC=uni-frankfurt,DC=de: acl: spn 
validation failed for 
spn[MSSQLSvc/tz115.testzentrum.uni-frankfurt.de:SQLEXPRESS] uac[0x1000] 
account[tz115$] hostname[tz115.testzentrum.uni-frankfurt.de] 
nbname[TESTZENTRUM] ntds[(null)] forest[testzentrum.uni-frankfurt.de] 

[2018/05/03 14:48:13.368969,  0] 
   Failed to modify SPNs on 
CN=foo,CN=Users,DC=testzentrum,DC=uni-frankfurt,DC=de: error in module 
acl: insufficient access rights during LDB_MODIFY (50)

If foo is added to the domain-admins group and is logged in, there are 
no failures with MSSQLSvc - Service in my samba-logs.

Are somebody there who are experienced with SPN on Samba?

Any thoughts?
Thanks Heinz

More information about the samba mailing list