[Samba] SPN problem after update 4.13.8 to 4.13.14

Tue Nov 16 11:18:42 UTC 2021

Hi!

I'm use FreeBSD 12.2 and samba 4.13.8 as DC. All worked fine many years, 
but after update to version 4.13.14, I have some troubles with issuing 
kerberos tickets for ldap service at my DC. When I downgrades samba 
back, all work fine again.

Some strings from log.samba:

[2021/11/16 09:22:47.366807,  3] 
./../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: TGS-REQ SERVER$@SAMDOM.LOCAL from ipv4:10.110.2.4:55018 for 
LDAP/dc.samdom.local/samdom.local at SAMDOM.LOCAL [renewable, forwardable]
[2021/11/16 09:22:47.367805,  3] 
./../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: samba_kdc_fetch: message2entry failed
[2021/11/16 09:22:47.367864,  3] 
./../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Server not found in database: 
LDAP/dc.samdom.local/samdom.local at SAMDOM.LOCAL: no such entry found in hdb
[2021/11/16 09:22:47.367900,  3] 
./../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Failed building TGS-REP to ipv4:10.110.2.4:55018
[2021/11/16 09:22:47.368163,  3] 
./../source4/smbd/service_stream.c:67(stream_terminate_connection)
   stream_terminate_connection: Terminating connection - 
'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - 
NT_STATUS_CONNECTION_DISCONNECTED'

When I check SPNs for my DC:

# samba-tool spn list dc$
dc$
User CN=dc,OU=Domain Controllers,DC=samdom,DC=local has the following 
servicePrincipalName:
          HOST/DC
          HOST/dc.samdom.local
          GC/dc.samdom.local/samdom.local
E3512235-4B66-1531-A004-00C02D98DCD2/eaa984a7-cbbf-4d33-894f-6e838dc29369/samdom.local
          HOST/dc.samdom.local/SAMDOM
          ldap/dc.samdom.local/SAMDOM
          ldap/dc.samdom.local
          HOST/dc.samdom.local/samdom.local
          ldap/dc.samdom.local/samdom.local
ldap/eaa984a7-cbbf-4d33-894f-6e838dc29369._msdcs.samdom.local
          ldap/DC
          RestrictedKrbHost/DC
          RestrictedKrbHost/dc.samdom.local
          ldap/dc.samdom.local/DomainDnsZones.samdom.local
          ldap/dc.samdom.local/ForestDnsZones.samdom.local

What is wrong in my case?

Tnax in advance.