[Samba] Failed to modify SPNs

Adam Xu adam_xu at adagene.com.cn
Wed Jul 22 08:33:25 UTC 2020 

Hi Louis

what SPN value sould I add according to the error.

[2020/07/22 16:04:20.924562,  0] 
../../source4/rpc_server/drsuapi/writespn.c:240(dcesrv_drsuapi_DsWriteAccountSpn)
   Failed to modify SPNs on CN=SEC-CON02,CN=Computers,DC=domain,DC=com: 
acl: spn validation failed for 
spn[E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/SEC-CON02:389]
uac[0x1000] account[SEC-CON02$] hostname[SEC-Con02.domain.com] 
nbname[DOMAIN] ntds[(null)] forest[domain.com] domain[domain.com]
[2020/07/22 16:04:20.925005,  1] 
../../librpc/ndr/ndr.c:482(ndr_print_function_debug)
        drsuapi_DsWriteAccountSpn: struct drsuapi_DsWriteAccountSpn
           in: struct drsuapi_DsWriteAccountSpn
               bind_handle              : *
                   bind_handle: struct policy_handle
                       handle_type              : 0x00000000 (0)
                       uuid                     : 
c162a03a-1078-4908-8a25-af036b8d443f
               level                    : 0x00000001 (1)
               req                      : *
                   req                      : union 
drsuapi_DsWriteAccountSpnRequest(case 1)
                   req1: struct drsuapi_DsWriteAccountSpnRequest1
                       operation                : 
DRSUAPI_DS_SPN_OPERATION_ADD (0)
                       unknown1                 : 0x00000000 (0)
                       object_dn                : *
                           object_dn                : 
'CN=SEC-CON02,CN=Computers,DC=domain,DC=com'
                       count                    : 0x00000006 (6)
                       spn_names                : *
                           spn_names: ARRAY(6)
                               spn_names: struct drsuapi_DsNameString
                                   str                      : *
                                       str                      : 
'E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/SEC-CON02:389'
                               spn_names: struct drsuapi_DsNameString
                                   str                      : *
                                       str                      : 
'E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/SEC-Con02.domain.com:389'
                               spn_names: struct drsuapi_DsNameString
                                   str                      : *
                                       str                      : 
'ldap/SEC-CON02:389'
                               spn_names: struct drsuapi_DsNameString
                                   str                      : *
                                       str                      : 
'ldap/SEC-CON02'
                               spn_names: struct drsuapi_DsNameString
                                   str                      : *
                                       str                      : 
'ldap/SEC-Con02.domain.com:389'
                               spn_names: struct drsuapi_DsNameString
                                   str                      : *
                                       str                      : 
'ldap/SEC-Con02.domain.com'


在 2020/7/22 16:18, L. van Belle via samba 写道:
> Adam, you already tried my suggestions?
>
> What do you see here:
>> Failed to modify SPNs on CN=SEC-CON03,CN=Computers,DC=domain,DC=com:
>> acl: spn validation failed for ...
> ^^^^^^
> So read the links below and post your results
> The event id you showed, for now can be ignored. Inrelevant (for now).
> And mostlikly wil disapear when you added/fixed the "correct" spn's
>
> On topic for that event id you showed.
> https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-i
> n-windows-server
> The fix.
>
>
> Greetz,
>
> Louis
>
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens
>> L.P.H. van Belle via samba
>> Verzonden: woensdag 22 juli 2020 8:55
>> Aan: samba at lists.samba.org
>> Onderwerp: Re: [Samba] Failed to modify SPNs
>>
>> Hai,
>>
>> Any windows event ID's related to this? These might be handy.
>> I suggest you read : http://www.scomgod.com/?p=155
>>
>> On the SQL server, to add the SPN, use:
>> setspn -A <SPN> <Account>
>> Example: setspn -A MSSQLSvc/SCMVPSCOM01.test.COM:1433 TEST\SVCACCOUNT
>>
>> Does the SQL server has an A and PTR record in the DNS? Do
>> verify that.
>>
>> And there is bit more explained .
>> https://thoughtsonopsmgr.blogspot.com/2012/04/scom-r2-alert-sq
>> l-server-cannot.html
>>
>> I think these should help you to fix this.
>>
>>
>> Greetz,
>>
>> Louis
>>
>>
>>
>>> -----Oorspronkelijk bericht-----
>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Adam
>>> Xu via samba
>>> Verzonden: woensdag 22 juli 2020 4:33
>>> Aan: sambalist
>>> Onderwerp: [Samba] Failed to modify SPNs
>>>
>>> Hi all
>>>
>>> my samba version is 4.12.5 and when a sql server windows
>> machine join
>>> the domain, It shows error in samba :
>>>
>>> Failed to modify SPNs on
>> CN=SEC-CON03,CN=Computers,DC=domain,DC=com:
>>> acl: spn validation failed for
>>> spn[E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/SEC-CON03:389]
>>> uac[0x1000]
>>> account[SEC-CON03$] hostname[SEC-Con03.domain.com] nbname[DOMAIN]
>>> ntds[(null)] forest[domain.com] domain[domain.com]
>>>
>>> There was a discussion on this issue in 2018, but no
>>> conclusion was given.
>>>
>>> https://lists.samba.org/archive/samba/2018-August/217570.html
>>>
>>> Is there any solution to this problem now?
>>>
>>> -- 
>>> yours Adam
>>>
>>>
>>> -- 
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>>
>>>
>>
>> -- 
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>>
>
-- 
Adam Xu
Phone: 86-512-8777-3585
Adagene (Suzhou) Limited
C14, No. 218, Xinghu Street, Suzhou Industrial Park

More information about the samba mailing list