[Samba] samldb_spn_uniqueness_check: SPN HOST/myserver.samdom.net failed alias uniqueness check

Rowland Penny rpenny at samba.org
Sun Jan 16 20:40:01 UTC 2022


On Sun, 2022-01-16 at 21:05 +0100, Kees van Vloten via samba wrote:
> Hi Team,
> 
> I am using Samba accounts per service; when the service uses Kerberos,
> the account gets an SPN associated.
> 
> It looks like something in the area of SPN verification has changed
> between 4.13 / 4.14 and 4.15.3 on Debian 11 (with samba from Louis' repo).
> 
> I am trying to do a domain-join on a machine (myserver) on 4.15.3,
> but it fails on the client-side with:
> 
> Failed to join domain: Failed to set machine spn: Constraint violation
> Do you have sufficient permissions to create machine accounts?
> 
> The samba.log on the DC shows the same:
> 
> [2022/01/16 20:13:31.260393,  0] ../../source4/dsdb/samdb/ldb_modules/samldb.c:3841(check_spn_alias_collision)
>    check_spn_alias_collision: trying to add SPN 'HOST/myserver.samdom.net' on 'CN=myserver,OU=Member Servers,DC=samdom,DC=net' when 'http/myserver.samdom.net' is on 'CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net'
> [2022/01/16 20:13:31.260465,  0] ../../source4/dsdb/samdb/ldb_modules/samldb.c:4028(samldb_spn_uniqueness_check)
>    samldb_spn_uniqueness_check: SPN HOST/myserver.samdom.net failed alias uniqueness check
> 
> 
> A search for the SPN returns that a similar SPN is in use for Apache's
> service-account (but it does not have the HOST/ SPN assigned, exactly
> as intended):
> 
> samba-tool spn list svc_myserver_apache
> svc_myserver_apache
> User CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive 
> Users,DC=samdom,DC=net has the following servicePrincipalName:
>           HTTP/myserver.samdom.net
> 
> root at controller01:/var/log/samba# samba-tool user show svc_myserver_apache
> dn: CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive 
> Users,DC=samdom,DC=net
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: svc_myserver_apache
> name: svc_myserver_apache
> sAMAccountName: svc_myserver_apache
> userPrincipalName: svc_myserver_apache at samdom.net
> servicePrincipalName: HTTP/myserver.samdom.net
> <fields removed to reduce output>
> 
> A final test indeed shows HOST/myserver.samdom.net and
> HTTP/myserver.samdom.net are colliding when they are not set on one
> user:
> 
> samba-tool spn add HOST/myserver.samdom.net myserver$
> check_spn_alias_collision: trying to add SPN 'HOST/myserver.samdom.net' on 'CN=myserver,OU=Member Servers,DC=samdom,DC=net' when 'http/myserver.samdom.net' is on 'CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net'
> samldb_spn_uniqueness_check: SPN HOST/myserver.samdom.net failed alias uniqueness check
> 
> This all happens on a pretty new domain setup on 4.15.3.
> 
> The interesting thing is that I have this exact configuration on
> another domain which was set up a while ago, probably on 4.13. This
> domain was upgraded to 4.14 and to 4.15.3:
> 
> samba-tool computer show otherserver
> dn: CN=otherserver,OU=Member Servers,DC=otherdom,DC=net
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> objectClass: computer
> cn: otherserver
> sAMAccountName: otherserver$
> servicePrincipalName: HOST/otherserver
> servicePrincipalName: HOST/otherserver.otherdom.net
> servicePrincipalName: nfs/otherserver.otherdom.net
> 
> samba-tool user show svc_otherserver_apache
> dn: CN=svc_otherserver_apache,OU=Service Accounts,OU=Noninteractive 
> Users,DC=otherdom,DC=net
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: svc_otherserver_apache
> name: svc_otherserver_apache
> sAMAccountName: svc_otherserver_apache
> userPrincipalName: svc_otherserver_apache at otherdom.net
> servicePrincipalName: HTTP/otherserver.otherdom.net
> 
> Is there a way around the issue without eliminating the service-account
> and its SPN?
> 
> Is it a new issue in 4.15?
> 
> - Kees

It is an AD thing, try reading this thread:
https://lists.samba.org/archive/samba/2021-November/238694.html

Basically, having an SPN starting with 'host' (or 'HOST') sets 'http'
as well.

Rowland
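The following is an added example, not Samba's code and not part of the thread: a small Python model of the alias uniqueness check whose log lines appear above. The HOST_ALIASES set is an assumption, a shortened stand-in for the list of service classes that AD folds under the 'host' class (kept in the sPNMappings attribute of the Directory Service object); the directory contents are constructed from the DNs and SPNs quoted in the thread. It shows why HOST/myserver.samdom.net on the computer account is measured against HTTP/myserver.samdom.net on the service account, why the check is direction-independent, and that the same pair on a single account is not a collision.

```python
"""Added example (not Samba's code): a model of the SPN alias uniqueness
check whose log lines appear in the thread, run on a constructed directory."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# ASSUMPTION: AD treats the 'host' service class as an umbrella for a list
# of other classes (the sPNMappings attribute of the Directory Service
# object).  This set is an assumed, shortened stand-in for that list; it is
# enough to reproduce the HOST/ vs HTTP/ case from the thread.
HOST_ALIASES: Set[str] = {"http", "www", "cifs", "dns"}


@dataclass(frozen=True)
class Collision:
    new_spn: str
    new_dn: str
    existing_spn: str
    existing_dn: str

    def log_line(self) -> str:
        # Same shape as the check_spn_alias_collision message on the DC.
        return (f"trying to add SPN '{self.new_spn}' on '{self.new_dn}' when "
                f"'{self.existing_spn}' is on '{self.existing_dn}'")


def split_spn(spn: str) -> Tuple[str, str]:
    """Split 'class/instance[/name]' into (class, instance), both lowercased.

    The instance keeps any ':port', so HTTP/x and HTTP/x:8080 stay distinct.
    """
    service, _, rest = spn.partition("/")
    instance = rest.split("/", 1)[0]
    return service.lower(), instance.lower()


def claimed_classes(service: str) -> Set[str]:
    """Service classes that an SPN of class `service` stands for."""
    if service == "host":
        return {"host"} | HOST_ALIASES      # HOST/ covers http/, cifs/, ...
    if service in HOST_ALIASES:
        return {service, "host"}            # http/ is in turn covered by HOST/
    return {service}                        # e.g. nfs/ stands only for itself


def check_spn_alias_collision(directory: Dict[str, Set[str]],
                              new_dn: str, new_spn: str) -> Optional[Collision]:
    """Return the first Collision that adding new_spn to new_dn would cause.

    `directory` maps an account DN to the SPNs it already holds.  Only SPNs on
    a *different* account count: one account may hold HOST/x and http/x
    together.  Comparison is case-insensitive, as the lowercased
    'http/myserver.samdom.net' in the DC log suggests.
    """
    service, instance = split_spn(new_spn)
    claimed = claimed_classes(service)
    for dn, spns in directory.items():
        if dn.lower() == new_dn.lower():
            continue
        for existing in sorted(spns):
            e_service, e_instance = split_spn(existing)
            if e_instance == instance and e_service in claimed:
                return Collision(new_spn, new_dn, existing, dn)
    return None


def spns_for_instance(directory: Dict[str, Set[str]],
                      instance: str) -> Dict[str, Set[str]]:
    """Every SPN, on any account, whose instance part is `instance`.

    This is the pre-join check worth running: it lists what a HOST/ SPN for
    the new machine will be measured against.
    """
    want = instance.lower()
    found: Dict[str, Set[str]] = {}
    for dn, spns in directory.items():
        hits = {s for s in spns if split_spn(s)[1] == want}
        if hits:
            found[dn] = hits
    return found


# Constructed directory mirroring the two accounts named in the thread.
SVC_DN = ("CN=svc_myserver_apache,OU=Service Accounts,"
          "OU=Noninteractive Users,DC=samdom,DC=net")
PC_DN = "CN=myserver,OU=Member Servers,DC=samdom,DC=net"
DIRECTORY: Dict[str, Set[str]] = {
    SVC_DN: {"HTTP/myserver.samdom.net"},
    PC_DN: {"HOST/myserver"},
}

if __name__ == "__main__":
    c = check_spn_alias_collision(DIRECTORY, PC_DN, "HOST/myserver.samdom.net")
    print(c.log_line() if c else "no collision")
    print(spns_for_instance(DIRECTORY, "myserver.samdom.net"))
```

In this model adding nfs/myserver.samdom.net to the computer account passes, because nfs is not one of the classes HOST/ stands for, while adding cifs/myserver to the service account fails against HOST/myserver on the computer account: the check works in both directions. A directory in which the computer account holds both HOST/myserver and HTTP/myserver.samdom.net reports no collision, since only other accounts are examined.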
