[Samba] samldb_spn_uniqueness_check: SPN HOST/myserver.samdom.net failed alias uniqueness check

Kees van Vloten keesvanvloten at gmail.com
Sun Jan 16 21:18:29 UTC 2022


On 16-01-2022 22:05, Rowland Penny via samba wrote:
> On Sun, 2022-01-16 at 21:53 +0100, Kees van Vloten via samba wrote:
>> On 16-01-2022 21:40, Rowland Penny via samba wrote:
>>> On Sun, 2022-01-16 at 21:05 +0100, Kees van Vloten via samba wrote:
>>>> Hi Team,
>>>>
>>>> I am using samba-accounts per service; when the service uses Kerberos,
>>>> the account gets an SPN associated.
>>>>
>>>> It looks like something in the area of SPN verification has changed
>>>> between 4.13 / 4.14 and 4.15.3 on Debian 11 (with samba from Louis'
>>>> repo).
>>>>
>>>> I am trying to do a domain-join on a machine (myserver) on 4.15.3, but
>>>> it fails on the client-side with:
>>>>
>>>> Failed to join domain: Failed to set machine spn: Constraint violation
>>>> Do you have sufficient permissions to create machine accounts?
>>>>
>>>> The samba.log on the DC shows the same:
>>>>
>>>> [2022/01/16 20:13:31.260393,  0] ../../source4/dsdb/samdb/ldb_modules/samldb.c:3841(check_spn_alias_collision)
>>>>      check_spn_alias_collision: trying to add SPN 'HOST/myserver.samdom.net' on 'CN=myserver,OU=Member Servers,DC=samdom,DC=net' when 'http/myserver.samdom.net' is on 'CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net'
>>>> [2022/01/16 20:13:31.260465,  0] ../../source4/dsdb/samdb/ldb_modules/samldb.c:4028(samldb_spn_uniqueness_check)
>>>>      samldb_spn_uniqueness_check: SPN HOST/myserver.samdom.net failed alias uniqueness check
>>>>
>>>>
>>>> A search for the SPN returns that a similar SPN is in use for Apache's
>>>> service-account (but it does not have the HOST/ SPN assigned, exactly
>>>> as intended):
>>>>
>>>> samba-tool spn list svc_myserver_apache
>>>> svc_myserver_apache
>>>> User CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net has the following servicePrincipalName:
>>>>             HTTP/myserver.samdom.net
>>>>
>>>> root at controller01:/var/log/samba# samba-tool user show svc_myserver_apache
>>>> dn: CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: organizationalPerson
>>>> objectClass: user
>>>> cn: svc_myserver_apache
>>>> name: svc_myserver_apache
>>>> sAMAccountName: svc_myserver_apache
>>>> userPrincipalName: svc_myserver_apache at samdom.net
>>>> servicePrincipalName: HTTP/myserver.samdom.net
>>>> <fields removed to reduce output>
>>>>
>>>> A final test indeed shows HOST/myserver.samdom.net and
>>>> HTTP/myserver.samdom.net are colliding when they are not set on one
>>>> user:
>>>>
>>>> samba-tool spn add HOST/myserver.samdom.net myserver$
>>>> check_spn_alias_collision: trying to add SPN 'HOST/myserver.samdom.net' on 'CN=myserver,OU=Member Servers,DC=samdom,DC=net' when 'http/myserver.samdom.net' is on 'CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net'
>>>> samldb_spn_uniqueness_check: SPN HOST/myserver.samdom.net failed alias uniqueness check
>>>>
>>>> This all happens on a pretty new domain setup on 4.15.3.
>>>>
>>>> The interesting thing is that I have this exact configuration on
>>>> another domain, which was set up a while ago, probably on 4.13. This
>>>> domain was upgraded to 4.14 and to 4.15.3:
>>>>
>>>> samba-tool computer show otherserver
>>>> dn: CN=otherserver,OU=Member Servers,DC=otherdom,DC=net
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: organizationalPerson
>>>> objectClass: user
>>>> objectClass: computer
>>>> cn: otherserver
>>>> sAMAccountName: otherserver$
>>>> servicePrincipalName: HOST/otherserver
>>>> servicePrincipalName: HOST/otherserver.otherdom.net
>>>> servicePrincipalName: nfs/otherserver.otherdom.net
>>>>
>>>> samba-tool user show svc_otherserver_apache
>>>> dn: CN=svc_otherserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=otherdom,DC=net
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: organizationalPerson
>>>> objectClass: user
>>>> cn: svc_otherserver_apache
>>>> name: svc_otherserver_apache
>>>> sAMAccountName: svc_otherserver_apache
>>>> userPrincipalName: svc_otherserver_apache at otherdom.net
>>>> servicePrincipalName: HTTP/otherserver.otherdom.net
>>>>
>>>> Is there a way around the issue without eliminating the service-account
>>>> and its SPN?
>>>>
>>>> Is it a new issue in 4.15?
>>>>
>>>> - Kees
>>> It is an AD thing, try reading this thread:
>>> https://lists.samba.org/archive/samba/2021-November/238694.html
>>>
>>> Basically, having an SPN starting with 'host' (or 'HOST') sets
>>> 'http'
>>> as well.
>>>
>>> Rowland
>>>
>>>
>>>
>> If I want to get to the situation in otherdom, would this sequence do
>> the trick?:
>>
>> - remove http/ spn from service-account
>> - join machine
>> - remove http/ spn from computer account
>> - add http/ spn to service-account
>  From my understanding 'host' is an alias for a large number of other
> SPN's, 'http' being among them. From this, I actually do not think you
> should be setting 'http/myserver.samdom.net' on anything.
>
> Rowland
>
>
>
I can confirm the following:

- remove spn from service-account and then join the machine succeeds
- http/ spn is not visible on the joined computer-account, nor can it be
  removed from this account
- http/ spn cannot be added to the service-account:

samba-tool spn add 'HTTP/myserver.samdom.net' svc_myserver_apache
check_spn_alias_collision: trying to add SPN 'HTTP/myserver.samdom.net' on 'CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net' when 'host/myserver.samdom.net' is on 'CN=myserver,OU=Member Servers,DC=samdom,DC=net'

- Kees
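The collision the thread describes (HOST/ on one object, HTTP/ on another, for the same host name) is something an administrator can check for before a join or before `samba-tool spn add`, rather than discovering it from the DC log. The script below is an added example written for this thread, not Samba's own code: it models the alias rule Rowland describes (every service in the `host` alias group for a given target is treated as one claim, held by at most one object) and runs it over a directory snapshot constructed inline to mirror the samdom.net objects in the thread. `HOST_ALIASES` is a constructed subset of the default alias list; in a real domain the authoritative list is the `sPNMappings` attribute in the Configuration partition, and the `directory` dictionary would be filled from an LDAP search for `servicePrincipalName` (not shown). Whether Samba also rejects two different aliases of `host` on different objects (e.g. `cifs/X` and `http/X`) is an assumption of this model, not something the thread states.

```python
"""Pre-flight check for SPN alias collisions (simplified model, added example)."""
from __future__ import annotations

# Constructed subset of the default 'host' alias group (sPNMappings).
# Assumption: the real list comes from the domain's sPNMappings attribute.
HOST_ALIASES = frozenset({
    "cifs", "http", "www", "w3svc", "rpc", "rpcss", "dns",
    "time", "wins", "spooler", "msdtc", "netlogon",
})

# Objects from the thread, constructed as a snapshot: DN -> list of SPNs.
COMPUTER_DN = "CN=myserver,OU=Member Servers,DC=samdom,DC=net"
SVC_DN = ("CN=svc_myserver_apache,OU=Service Accounts,"
          "OU=Noninteractive Users,DC=samdom,DC=net")
SAMDOM = {
    COMPUTER_DN: [],                            # not joined yet
    SVC_DN: ["HTTP/myserver.samdom.net"],       # Apache service account
}


def parse_spn(spn: str) -> tuple[str, str]:
    """Split 'service/target[:port][/name]' into (service, rest), lower-cased.

    The DC log in the thread prints 'http' for an SPN stored as 'HTTP',
    so the comparison is modelled as case-insensitive on both parts.
    """
    service, sep, rest = spn.partition("/")
    if not sep or not service or not rest:
        raise ValueError(f"malformed SPN: {spn!r}")
    return service.lower(), rest.lower()


def alias_group(service: str) -> str:
    """'host' and every service it covers collapse to one group key."""
    return "host" if service == "host" or service in HOST_ALIASES else service


def find_collisions(new_spn: str, owner_dn: str,
                    directory: dict[str, list[str]]) -> list[tuple[str, str]]:
    """Return (dn, spn) pairs on *other* objects that block adding new_spn.

    The same object may hold host/X together with http/X, which is why the
    joined computer in the thread carries the http/ claim implicitly.
    """
    svc, target = parse_spn(new_spn)
    key = (alias_group(svc), target)
    hits = []
    for dn, spns in directory.items():
        if dn.lower() == owner_dn.lower():
            continue
        for existing in spns:
            esvc, etarget = parse_spn(existing)
            if (alias_group(esvc), etarget) == key:
                hits.append((dn, existing))
    return hits


def preflight(new_spn: str, owner_dn: str,
              directory: dict[str, list[str]]) -> list[str]:
    """Human-readable findings in the style of the DC's check_spn_alias_collision line."""
    return [
        f"trying to add SPN '{new_spn}' on '{owner_dn}' "
        f"when '{spn}' is on '{dn}'"
        for dn, spn in find_collisions(new_spn, owner_dn, directory)
    ]


if __name__ == "__main__":
    # 1. The failing join: HOST/ on the computer vs HTTP/ on the service account.
    for line in preflight("HOST/myserver.samdom.net", COMPUTER_DN, SAMDOM):
        print("blocked:", line)
    # 2. After the sequence Kees confirmed: HTTP/ removed, machine joined.
    after_join = {COMPUTER_DN: ["HOST/myserver", "HOST/myserver.samdom.net"],
                  SVC_DN: []}
    for line in preflight("HTTP/myserver.samdom.net", SVC_DN, after_join):
        print("blocked:", line)
    # 3. A service outside the host group does not collide.
    print("nfs ok:", preflight("nfs/myserver.samdom.net", SVC_DN, after_join) == [])
```

Running the script reproduces both outcomes from the thread: the join is blocked by the service account's `HTTP/` SPN, and once the machine holds `HOST/myserver.samdom.net`, adding `HTTP/myserver.samdom.net` back to the service account is blocked in turn, while an SPN such as `nfs/` outside the alias group is accepted on a separate object.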
