[Samba] samldb_spn_uniqueness_check: SPN HOST/myserver.samdom.net failed alias uniqueness check

Kees van Vloten keesvanvloten at gmail.com
Sun Jan 16 21:43:56 UTC 2022


On 16-01-2022 22:05, Rowland Penny via samba wrote:
> On Sun, 2022-01-16 at 21:53 +0100, Kees van Vloten via samba wrote:
>> On 16-01-2022 21:40, Rowland Penny via samba wrote:
>>> On Sun, 2022-01-16 at 21:05 +0100, Kees van Vloten via samba wrote:
>>>> Hi Team,
>>>>
>>>> I am using samba-accounts per service; when the service uses
>>>> Kerberos the account gets an SPN associated.
>>>>
>>>> It looks like something in the area of SPN verification has changed
>>>> between 4.13 / 4.14 and 4.15.3 on Debian 11 (with samba from Louis'
>>>> repo).
>>>>
>>>> I am trying to do a domain-join on a machine (myserver) on 4.15.3,
>>>> but it fails on the client-side with:
>>>>
>>>> Failed to join domain: Failed to set machine spn: Constraint violation
>>>> Do you have sufficient permissions to create machine accounts?
>>>>
>>>> The samba.log on the DC shows the same:
>>>>
>>>> [2022/01/16 20:13:31.260393,  0] ../../source4/dsdb/samdb/ldb_modules/samldb.c:3841(check_spn_alias_collision)
>>>>      check_spn_alias_collision: trying to add SPN 'HOST/myserver.samdom.net' on 'CN=myserver,OU=Member Servers,DC=samdom,DC=net' when 'http/myserver.samdom.net' is on 'CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net'
>>>> [2022/01/16 20:13:31.260465,  0] ../../source4/dsdb/samdb/ldb_modules/samldb.c:4028(samldb_spn_uniqueness_check)
>>>>      samldb_spn_uniqueness_check: SPN HOST/myserver.samdom.net failed alias uniqueness check
>>>>
>>>>
>>>> A search for the SPN shows that a similar SPN is in use for Apache's
>>>> service-account (but it does not have the HOST/ SPN assigned, exactly
>>>> as intended):
>>>>
>>>> samba-tool spn list svc_myserver_apache
>>>> svc_myserver_apache
>>>> User CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive
>>>> Users,DC=samdom,DC=net has the following servicePrincipalName:
>>>>             HTTP/myserver.samdom.net
>>>>
>>>> root at controller01:/var/log/samba# samba-tool user show
>>>> svc_myserver_apache
>>>> dn: CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive
>>>> Users,DC=samdom,DC=net
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: organizationalPerson
>>>> objectClass: user
>>>> cn: svc_myserver_apache
>>>> name: svc_myserver_apache
>>>> sAMAccountName: svc_myserver_apache
>>>> userPrincipalName: svc_myserver_apache at samdom.net
>>>> servicePrincipalName: HTTP/myserver.samdom.net
>>>> <fields removed to reduce output>
>>>>
>>>> A final test indeed shows HOST/myserver.samdom.net and
>>>> HTTP/myserver.samdom.net are colliding when they are not set on one
>>>> user:
>>>>
>>>> samba-tool spn add HOST/myserver.samdom.net myserver$
>>>> check_spn_alias_collision: trying to add SPN 'HOST/myserver.samdom.net' on 'CN=myserver,OU=Member Servers,DC=samdom,DC=net' when 'http/myserver.samdom.net' is on 'CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net'
>>>> samldb_spn_uniqueness_check: SPN HOST/myserver.samdom.net failed alias uniqueness check
>>>>
>>>> This all happens on a pretty new domain setup on 4.15.3.
>>>>
>>>> The interesting thing is that I have this exact configuration on
>>>> another domain which was set up a while ago, probably 4.13. This
>>>> domain was upgraded to 4.14 and to 4.15.3:
>>>>
>>>> samba-tool computer show otherserver
>>>> dn: CN=otherserver,OU=Member Servers,DC=otherdom,DC=net
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: organizationalPerson
>>>> objectClass: user
>>>> objectClass: computer
>>>> cn: otherserver
>>>> sAMAccountName: otherserver$
>>>> servicePrincipalName: HOST/otherserver
>>>> servicePrincipalName: HOST/otherserver.otherdom.net
>>>> servicePrincipalName: nfs/otherserver.otherdom.net
>>>>
>>>> samba-tool user show svc_otherserver_apache
>>>> dn: CN=svc_otherserver_apache,OU=Service
>>>> Accounts,OU=Noninteractive
>>>> Users,DC=otherdom,DC=net
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: organizationalPerson
>>>> objectClass: user
>>>> cn: svc_otherserver_apache
>>>> name: svc_otherserver_apache
>>>> sAMAccountName: svc_otherserver_apache
>>>> userPrincipalName: svc_otherserver_apache at otherdom.net
>>>> servicePrincipalName: HTTP/otherserver.otherdom.net
>>>>
>>>> Is there a way around the issue without eliminating the
>>>> service-account and its SPN?
>>>>
>>>> Is it a new issue in 4.15?
>>>>
>>>> - Kees
>>> It is an AD thing, try reading this thread:
>>> https://lists.samba.org/archive/samba/2021-November/238694.html
>>>
>>> Basically, having an SPN starting with 'host' (or 'HOST') sets
>>> 'http'
>>> as well.
>>>
>>> Rowland
>>>
>>>
>>>
>> If I want to get to the situation in otherdom, would this sequence do
>> the trick? :
>>
>> - remove http/ spn from service-account
>>
>> - join machine
>>
>> - remove http/ spn from computer account
>>
>> - add http/ spn to service-account
>  From my understanding 'host' is an alias for a large number of other
> SPNs, 'http' being among them. From this, I actually do not think you
> should be setting 'http/myserver.samdom.net' on anything.
>
> Rowland
>
>
>
I think I have found the list of aliases on computer-accounts, it is 
pretty long:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc772815(v=ws.10)#service-principal-names

Compared to this list it seems that Samba is checking fewer aliases.
As you can see both 'http' and 'www' are in Microsoft's list.

Trying to put 'http' on my service-account fails, but doing the same 
with 'www' works like a charm.

And now I know how I got the 'http' spn on the service-account, look at 
this:

samba-tool spn add 'HTTP/myserver.samdom.net' svc_myserver_apache
check_spn_alias_collision: trying to add SPN 'HTTP/myserver.samdom.net' on 'CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net' when 'host/myserver.samdom.net' is on 'CN=myserver,OU=Member Servers,DC=samdom,DC=net'

samba-tool spn add 'WWW/myserver.samdom.net' svc_myserver_apache

samba-tool spn list svc_myserver_apache
svc_myserver_apache
User CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive 
Users,DC=samdom,DC=net has the following servicePrincipalName:
          HTTP/myserver.samdom.net
          WWW/myserver.samdom.net


So 'http' returns an error but does get added!

'www' does not return an error and also gets added.

Then when you have 'http' on an account other than the computer-account,
the domain-join fails!

Shall I file a bug for this?

- Kees
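The check that the DC is applying above can be reproduced offline, so an administrator can audit a domain for HOST/ alias clashes before a join or an upgrade rather than discovering them from "Constraint violation". The script below is an added example, not Samba's own code: it parses the `dn:` / `servicePrincipalName:` lines of concatenated `samba-tool user show` / `samba-tool computer show` output and flags any SPN on one account whose service class is aliased by a HOST/ SPN on another account for the same host name, comparing case-insensitively (the DC logs the stored `http/...` against the requested `HTTP/...`). The alias table is an assumed subset of the default `host` mappings from the Microsoft sPNMappings page linked above; Samba's real table is not reproduced here and, as observed in this thread, is shorter (it accepts `www`), so this check is stricter than Samba 4.15.3 where the two lists differ. The sample dump, including the `myserver` computer account, is constructed.

```python
"""Audit servicePrincipalName values for the alias collisions that Samba's
samldb module reports as 'failed alias uniqueness check'.

Added example, not Samba code. HOST_ALIASES is an assumed subset of the
default 'host' mappings from the Microsoft sPNMappings page linked in the
thread; Samba's own table is not reproduced here (per the thread it checks
fewer aliases, e.g. it accepts 'www'). The sample dump is constructed.
"""
from typing import Dict, List, Optional, Tuple

# Assumption: a subset of the service classes that 'host' stands in for.
HOST_ALIASES = {"http", "www", "w3svc", "cifs", "dns", "rpc", "time"}


def split_spn(spn: str) -> Tuple[str, str]:
    """Split 'CLASS/host[:port][/name]' into (class, host), lower-cased.
    Matching is case-insensitive: the DC logs stored 'http/...' against
    the requested 'HTTP/...'."""
    service_class, _, rest = spn.partition("/")
    host = rest.split("/", 1)[0].split(":", 1)[0]
    return service_class.lower(), host.lower()


def classes_covered(service_class: str) -> set:
    """Classes an SPN occupies on a host: 'host' occupies every alias,
    an alias occupies itself and 'host', anything else only itself."""
    if service_class == "host":
        return {"host"} | HOST_ALIASES
    if service_class in HOST_ALIASES:
        return {service_class, "host"}
    return {service_class}


def parse_show_output(text: str) -> Dict[str, List[str]]:
    """Collect dn -> SPN list from concatenated `samba-tool user show` /
    `samba-tool computer show` dumps; only dn: and servicePrincipalName:
    lines are used, every other attribute is ignored."""
    accounts: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("dn: "):
            current = line[4:]
            accounts.setdefault(current, [])
        elif line.startswith("servicePrincipalName: ") and current:
            accounts[current].append(line.split(": ", 1)[1])
    return accounts


def find_collision(accounts: Dict[str, List[str]], dn: str,
                   new_spn: str) -> Optional[Tuple[str, str]]:
    """(other_dn, other_spn) if adding new_spn to dn collides with an SPN on
    a different account, else None. One account may legitimately hold both
    HOST/ and HTTP/ for the same host, so the owning dn itself is skipped."""
    new_class, new_host = split_spn(new_spn)
    covered = classes_covered(new_class)
    for other_dn, spns in accounts.items():
        if other_dn.lower() == dn.lower():
            continue
        for spn in spns:
            cls, host = split_spn(spn)
            if host == new_host and cls in covered:
                return other_dn, spn
    return None


def audit_all(accounts: Dict[str, List[str]]) -> List[Tuple[str, str, str, str]]:
    """Every cross-account collision already present in a dump, as
    (dn_a, spn_a, dn_b, spn_b) in dump order; run before joining/upgrading."""
    hits = []
    items = list(accounts.items())
    for i, (dn_a, spns_a) in enumerate(items):
        for dn_b, spns_b in items[i + 1:]:
            for spn_a in spns_a:
                cls_a, host_a = split_spn(spn_a)
                for spn_b in spns_b:
                    cls_b, host_b = split_spn(spn_b)
                    if host_a == host_b and cls_b in classes_covered(cls_a):
                        hits.append((dn_a, spn_a, dn_b, spn_b))
    return hits


# Constructed sample in the format samba-tool prints (not a real dump).
SAMPLE_DUMP = """\
dn: CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net
sAMAccountName: svc_myserver_apache
servicePrincipalName: HTTP/myserver.samdom.net

dn: CN=myserver,OU=Member Servers,DC=samdom,DC=net
sAMAccountName: myserver$
servicePrincipalName: HOST/myserver
servicePrincipalName: HOST/myserver.samdom.net

dn: CN=otherserver,OU=Member Servers,DC=samdom,DC=net
sAMAccountName: otherserver$
servicePrincipalName: HOST/otherserver.samdom.net
servicePrincipalName: nfs/otherserver.samdom.net
"""

if __name__ == "__main__":
    accounts = parse_show_output(SAMPLE_DUMP)
    for dn_a, spn_a, dn_b, spn_b in audit_all(accounts):
        print(f"collision: {spn_a} on {dn_a} vs {spn_b} on {dn_b}")
```

Feed it the concatenated output of `samba-tool user show` and `samba-tool computer show` for the accounts of interest (or an LDIF export restricted to `servicePrincipalName`); on the sample it reports exactly the HTTP/ versus HOST/ clash for myserver.samdom.net, and `find_collision` answers the question the DC answers at join time: whether a prospective `HOST/myserver.samdom.net` on the computer account is blocked by an alias held elsewhere.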
