[Samba] samldb_spn_uniqueness_check: SPN HOST/myserver.samdom.net failed alias uniqueness check

Kees van Vloten keesvanvloten at gmail.com
Sun Jan 16 20:05:38 UTC 2022


Hi Team,

I am using samba accounts per service; when the service uses Kerberos, the 
account gets an SPN associated.

It looks like something in the area of SPN verification has changed 
between 4.13 / 4.14 and 4.15.3 on Debian 11 (with samba from Louis' repo).

I am trying to do a domain-join on a machine (myserver) on 4.15.3, but 
it fails on the client-side with:

Failed to join domain: Failed to set machine spn: Constraint violation
Do you have sufficient permissions to create machine accounts?

The samba.log on the DC shows the same:

[2022/01/16 20:13:31.260393,  0] 
../../source4/dsdb/samdb/ldb_modules/samldb.c:3841(check_spn_alias_collision)
   check_spn_alias_collision: trying to add SPN 
'HOST/myserver.samdom.net' on 'CN=myserver,OU=Member 
Servers,DC=samdom,DC=net' when 'http/myserver.samdom.net' is on 
'CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive 
Users,DC=samdom,DC=net'
[2022/01/16 20:13:31.260465,  0] 
../../source4/dsdb/samdb/ldb_modules/samldb.c:4028(samldb_spn_uniqueness_check)
   samldb_spn_uniqueness_check: SPN HOST/myserver.samdom.net failed 
alias uniqueness check


A search for the SPN shows that a similar SPN is in use for Apache's 
service account (but it does not have the HOST/ SPN assigned, exactly as 
intended):

samba-tool spn list svc_myserver_apache
svc_myserver_apache
User CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive 
Users,DC=samdom,DC=net has the following servicePrincipalName:
          HTTP/myserver.samdom.net

root@controller01:/var/log/samba# samba-tool user show svc_myserver_apache
dn: CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive 
Users,DC=samdom,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: svc_myserver_apache
name: svc_myserver_apache
sAMAccountName: svc_myserver_apache
userPrincipalName: svc_myserver_apache@samdom.net
servicePrincipalName: HTTP/myserver.samdom.net
<fields removed to reduce output>

A final test indeed shows HOST/myserver.samdom.net and 
HTTP/myserver.samdom.net are colliding when they are not set on one 
user:

samba-tool spn add HOST/myserver.samdom.net myserver$
check_spn_alias_collision: trying to add SPN 'HOST/myserver.samdom.net' 
on 'CN=myserver,OU=Member Servers,DC=samdom,DC=net' when 
'http/myserver.samdom.net' is on 'CN=svc_myserver_apache,OU=Service 
Accounts,OU=Noninteractive Users,DC=samdom,DC=net'
samldb_spn_uniqueness_check: SPN HOST/myserver.samdom.net failed alias 
uniqueness check

This all happens on a pretty new domain setup on 4.15.3.

The interesting thing is that I have this exact configuration on another 
domain which was set up a while ago, probably 4.13. This domain was 
upgraded to 4.14 and to 4.15.3:

samba-tool computer show otherserver
dn: CN=otherserver,OU=Member Servers,DC=otherdom,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: otherserver
sAMAccountName: otherserver$
servicePrincipalName: HOST/otherserver
servicePrincipalName: HOST/otherserver.otherdom.net
servicePrincipalName: nfs/otherserver.otherdom.net

samba-tool user show svc_otherserver_apache
dn: CN=svc_otherserver_apache,OU=Service Accounts,OU=Noninteractive 
Users,DC=otherdom,DC=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: svc_otherserver_apache
name: svc_otherserver_apache
sAMAccountName: svc_otherserver_apache
userPrincipalName: svc_otherserver_apache@otherdom.net
servicePrincipalName: HTTP/otherserver.otherdom.net

Is there a way around the issue without eliminating the service account 
and its SPN?

Is it a new issue in 4.15?

- Kees
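The log lines above reject HOST/myserver.samdom.net because HOST/ is treated as an alias for other service classes (http among them), so an SPN on a different account with the same host is considered the same principal. The script below is an added example, not code from the post or from Samba: it models that alias rule in a simplified way so an administrator can check a candidate SPN, or audit an existing directory, before a join or an upgrade trips the stricter check. The alias set is an assumption (an illustrative subset of the classes that AD's default sPNMappings folds into HOST; the real list is longer and Samba's exact matching rules, such as treatment of ports, may differ), and the two directories are constructed from the DNs and SPNs quoted in the post. It goes slightly beyond the single case in the text by also scanning a whole directory for pairs that already collide, which is what the older otherdom setup would show.

```python
from collections import defaultdict

# Assumption: an illustrative subset of the service classes that AD's default
# sPNMappings folds into HOST. The authoritative list lives on the Directory
# Service object in the Configuration partition and is longer than this.
HOST_ALIASES = frozenset({"http", "www", "w3svc", "cifs", "spooler", "time"})


def parse_spn(spn):
    """Split 'class/host[:port][/instance]' into (class, host, port).

    Class and host are lowercased so HTTP/ and http/ compare equal, which is
    why the DC's log prints the colliding SPN in lower case. The port is kept
    so that HTTP/web:8080 is not confused with HTTP/web.
    """
    service_class, _, rest = spn.partition("/")
    if not service_class or not rest:
        raise ValueError(f"malformed SPN: {spn!r}")
    hostpart, _, _instance = rest.partition("/")
    host, _, port = hostpart.partition(":")
    return service_class.lower(), host.lower(), port


def canonical_class(service_class):
    """Fold the HOST aliases onto 'host'; every other class stands alone."""
    return "host" if service_class in HOST_ALIASES else service_class


def alias_collisions(new_spn, new_dn, directory):
    """Return [(dn, existing_spn)] for SPNs on *other* objects that the new
    SPN would collide with once aliases are resolved (empty list: safe)."""
    new_class, new_host, new_port = parse_spn(new_spn)
    new_key = (canonical_class(new_class), new_host, new_port)
    hits = []
    for dn, spns in directory.items():
        if dn.lower() == new_dn.lower():
            continue  # same object: duplicates there are a different check
        for spn in spns:
            cls, host, port = parse_spn(spn)
            if (canonical_class(cls), host, port) == new_key:
                hits.append((dn, spn))
    return hits


def audit_directory(directory):
    """Map every alias-equivalent SPN held by more than one object to its
    owners. Useful before upgrading a domain that predates the check."""
    owners = defaultdict(list)
    for dn, spns in directory.items():
        for spn in spns:
            cls, host, port = parse_spn(spn)
            owners[(canonical_class(cls), host, port)].append((dn, spn))
    return {key: held for key, held in owners.items()
            if len({dn.lower() for dn, _ in held}) > 1}


# Constructed sample data, taken from the DNs and SPNs quoted in the post.
MYSERVER_DN = "CN=myserver,OU=Member Servers,DC=samdom,DC=net"
SVC_MYSERVER_DN = ("CN=svc_myserver_apache,OU=Service Accounts,"
                   "OU=Noninteractive Users,DC=samdom,DC=net")
SAMDOM = {
    MYSERVER_DN: [],                      # freshly joined, no SPNs yet
    SVC_MYSERVER_DN: ["HTTP/myserver.samdom.net"],
}

OTHERSERVER_DN = "CN=otherserver,OU=Member Servers,DC=otherdom,DC=net"
SVC_OTHERSERVER_DN = ("CN=svc_otherserver_apache,OU=Service Accounts,"
                      "OU=Noninteractive Users,DC=otherdom,DC=net")
OTHERDOM = {
    OTHERSERVER_DN: ["HOST/otherserver", "HOST/otherserver.otherdom.net",
                     "nfs/otherserver.otherdom.net"],
    SVC_OTHERSERVER_DN: ["HTTP/otherserver.otherdom.net"],
}

if __name__ == "__main__":
    # The failing join: HOST/ on the computer vs HTTP/ on the service account.
    for dn, spn in alias_collisions("HOST/myserver.samdom.net",
                                    MYSERVER_DN, SAMDOM):
        print(f"collision: {spn} already on {dn}")
    # nfs/ is not a HOST alias, so it would be accepted.
    print("nfs collisions:",
          alias_collisions("nfs/myserver.samdom.net", MYSERVER_DN, SAMDOM))
    # The older domain already holds the same pair; list it before upgrading.
    for key, held in audit_directory(OTHERDOM).items():
        print("pre-existing:", key, "->", [spn for _, spn in held])
```

To use it against a real domain, fill the dictionary from `samba-tool spn list` or an LDAP search for servicePrincipalName, then run `alias_collisions` for each SPN a join or `samba-tool spn add` is about to create.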