[Samba] samldb_spn_uniqueness_check: SPN HOST/myserver.samdom.net failed alias uniqueness check

Rowland Penny rpenny at samba.org
Sun Jan 16 21:52:54 UTC 2022


On Sun, 2022-01-16 at 22:43 +0100, Kees van Vloten via samba wrote:
> On 16-01-2022 22:05, Rowland Penny via samba wrote:
> > On Sun, 2022-01-16 at 21:53 +0100, Kees van Vloten via samba wrote:
> > > On 16-01-2022 21:40, Rowland Penny via samba wrote:
> > > > On Sun, 2022-01-16 at 21:05 +0100, Kees van Vloten via samba wrote:
> > > > > Hi Team,
> > > > > 
> > > > > I am using samba-accounts per service; when the service uses
> > > > > kerberos, the account gets an SPN associated.
> > > > > 
> > > > > It looks like something in the area of SPN verification has changed
> > > > > between 4.13 / 4.14 and 4.15.3 on Debian 11 (with samba from Louis'
> > > > > repo).
> > > > > 
> > > > > I am trying to do a domain-join on a machine (myserver) on 4.15.3,
> > > > > but it fails on the client-side with:
> > > > > 
> > > > > Failed to join domain: Failed to set machine spn: Constraint violation
> > > > > Do you have sufficient permissions to create machine accounts?
> > > > > 
> > > > > The samba.log on the DC shows the same:
> > > > > 
> > > > > [2022/01/16 20:13:31.260393,  0] ../../source4/dsdb/samdb/ldb_modules/samldb.c:3841(check_spn_alias_collision)
> > > > >      check_spn_alias_collision: trying to add SPN 'HOST/myserver.samdom.net' on 'CN=myserver,OU=Member Servers,DC=samdom,DC=net' when 'http/myserver.samdom.net' is on 'CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net'
> > > > > [2022/01/16 20:13:31.260465,  0] ../../source4/dsdb/samdb/ldb_modules/samldb.c:4028(samldb_spn_uniqueness_check)
> > > > >      samldb_spn_uniqueness_check: SPN HOST/myserver.samdom.net failed alias uniqueness check
> > > > > 
> > > > > 
> > > > > A search for the SPN returns that a similar SPN is in use for
> > > > > Apache's service-account (but it does not have the HOST/ SPN
> > > > > assigned, exactly as intended):
> > > > > 
> > > > > samba-tool spn list svc_myserver_apache
> > > > > svc_myserver_apache
> > > > > User CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net has the following servicePrincipalName:
> > > > >             HTTP/myserver.samdom.net
> > > > > 
> > > > > root at controller01:/var/log/samba# samba-tool user show svc_myserver_apache
> > > > > dn: CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net
> > > > > objectClass: top
> > > > > objectClass: person
> > > > > objectClass: organizationalPerson
> > > > > objectClass: user
> > > > > cn: svc_myserver_apache
> > > > > name: svc_myserver_apache
> > > > > sAMAccountName: svc_myserver_apache
> > > > > userPrincipalName: svc_myserver_apache at samdom.net
> > > > > servicePrincipalName: HTTP/myserver.samdom.net
> > > > > <fields removed to reduce output>
> > > > > 
> > > > > A final test indeed shows HOST/myserver.samdom.net and
> > > > > HTTP/myserver.samdom.net are colliding when they are not set on one
> > > > > user:
> > > > > 
> > > > > samba-tool spn add HOST/myserver.samdom.net myserver$
> > > > > check_spn_alias_collision: trying to add SPN 'HOST/myserver.samdom.net' on 'CN=myserver,OU=Member Servers,DC=samdom,DC=net' when 'http/myserver.samdom.net' is on 'CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net'
> > > > > samldb_spn_uniqueness_check: SPN HOST/myserver.samdom.net failed alias uniqueness check
> > > > > 
> > > > > This all happens on a pretty new domain setup on 4.15.3.
> > > > > 
> > > > > The interesting thing is that I have this exact configuration on
> > > > > another domain which was set up a while ago, probably 4.13. This
> > > > > domain was upgraded to 4.14 and to 4.15.3:
> > > > > 
> > > > > samba-tool computer show otherserver
> > > > > dn: CN=otherserver,OU=Member Servers,DC=otherdom,DC=net
> > > > > objectClass: top
> > > > > objectClass: person
> > > > > objectClass: organizationalPerson
> > > > > objectClass: user
> > > > > objectClass: computer
> > > > > cn: otherserver
> > > > > sAMAccountName: otherserver$
> > > > > servicePrincipalName: HOST/otherserver
> > > > > servicePrincipalName: HOST/otherserver.otherdom.net
> > > > > servicePrincipalName: nfs/otherserver.otherdom.net
> > > > > 
> > > > > samba-tool user show svc_otherserver_apache
> > > > > dn: CN=svc_otherserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=otherdom,DC=net
> > > > > objectClass: top
> > > > > objectClass: person
> > > > > objectClass: organizationalPerson
> > > > > objectClass: user
> > > > > cn: svc_otherserver_apache
> > > > > name: svc_otherserver_apache
> > > > > sAMAccountName: svc_otherserver_apache
> > > > > userPrincipalName: svc_otherserver_apache at otherdom.net
> > > > > servicePrincipalName: HTTP/otherserver.otherdom.net
> > > > > 
> > > > > Is there a way around the issue without eliminating the
> > > > > service-account and its SPN?
> > > > > 
> > > > > Is it a new issue in 4.15?
> > > > > 
> > > > > - Kees
> > > > It is an AD thing, try reading this thread:
> > > > https://lists.samba.org/archive/samba/2021-November/238694.html
> > > > 
> > > > Basically, having an SPN starting with 'host' (or 'HOST') sets 'http'
> > > > as well.
> > > > 
> > > > Rowland
> > > > 
> > > > 
> > > > 
> > > If I want to get to the situation in otherdom, would this sequence do
> > > the trick? :
> > > 
> > > - remove http/ spn from service-account
> > > 
> > > - join machine
> > > 
> > > - remove http/ spn from computer account
> > > 
> > > - add http/ spn to service-account
> > From my understanding 'host' is an alias for a large number of other
> > SPN's, 'http' being among them. From this, I actually do not think you
> > should be setting 'http/myserver.samdom.net' on anything.
> > 
> > Rowland
> > 
> > 
> > 
> I think I have found the list of aliases on computer-accounts, it is 
> pretty long:
> 
> https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc772815(v=ws.10)#service-principal-names 
> 
> Compared to this list it seems that Samba is checking fewer aliases.
> As you can see both 'http' and 'www' are in Microsoft's list.
> 
> Trying to put 'http' on my service-account fails, but doing the same 
> with 'www' works like a charm.
> 
> And now I know how I got the 'http' spn on the service-account, look at
> this:
> 
> samba-tool spn add 'HTTP/myserver.samdom.net' svc_myserver_apache
> check_spn_alias_collision: trying to add SPN 'HTTP/myserver.samdom.net' on 'CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net' when 'host/myserver.samdom.net' is on 'CN=myserver,OU=Member Servers,DC=samdom,DC=net'
> 
> samba-tool spn add 'WWW/myserver.samdom.net' svc_myserver_apache
> 
> samba-tool spn list svc_myserver_apache
> svc_myserver_apache
> User CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net has the following servicePrincipalName:
>           HTTP/myserver.samdom.net
>           WWW/myserver.samdom.net
> 
> 
> So 'http' returns an error but does get added !
> 
> 'www' does not return an error and also gets added.
> 
> Then when you have 'http' on another account than the computer-account
> the domain-join fails !

This is this list from my domain:

sPNMappings: host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,
replicator,eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,
fax,msiserver,ias,messenger,netlogon,netman,netdde,netddedsm,nmagent,
plugplay,protectedstorage,rasman,rpclocator,rpc,rpcss,remoteaccess,
rsvp,samss,scardsvr,scesrv,seclogon,scm,dcom,cifs,spooler,snmp,
schedule,tapisrv,trksvr,trkwks,ups,time,wins,www,http,w3svc,
iisadmin,msdtc

> 
> Shall I file a bug for this?

No, because I don't think it is a bug, everything seems to be working
as it should.

Rowland
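A small model of the alias check this thread is about, added here as an illustration; it is not Samba's samldb.c code and not written by anyone in the thread. It treats the sPNMappings value posted above as the rule: the 'host' service class stands in for every class listed after it, so HOST/name on the computer account collides with HTTP/name on the service account and vice versa, while an unlisted class such as nfs does not. The DNs and the directory snapshot are constructed from the objects quoted in the thread; the parse and compare routines (case-insensitive class and instance comparison, aliasing only between 'host' and its members, never between two members) are assumptions of this model. Because it follows the mappings literally it also flags 'www', which the thread shows Samba 4.15.3 accepting, so it explains the failed join but is not a byte-for-byte replica of Samba's check.

```python
# Model of the SPN alias collision discussed in the thread (illustration,
# not Samba's samldb.c).  'host' is an alias for every class listed in the
# sPNMappings attribute, so HOST/name and http/name on different objects
# collide.

# sPNMappings value as posted for the domain in the thread (one value).
SPN_MAPPINGS_VALUES = [
    "host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,"
    "replicator,eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,"
    "fax,msiserver,ias,messenger,netlogon,netman,netdde,netddedsm,nmagent,"
    "plugplay,protectedstorage,rasman,rpclocator,rpc,rpcss,remoteaccess,"
    "rsvp,samss,scardsvr,scesrv,seclogon,scm,dcom,cifs,spooler,snmp,"
    "schedule,tapisrv,trksvr,trkwks,ups,time,wins,www,http,w3svc,"
    "iisadmin,msdtc",
]


def parse_spn_mappings(values):
    """Turn each 'alias=class1,class2,...' value into {alias: {classes}}.

    Service classes are case-insensitive, so everything is lower-cased.
    """
    mappings = {}
    for value in values:
        alias, sep, classes = value.partition("=")
        if not sep:
            raise ValueError(f"malformed sPNMappings value: {value!r}")
        mappings[alias.strip().lower()] = {
            c.strip().lower() for c in classes.split(",") if c.strip()
        }
    return mappings


def split_spn(spn):
    """Split 'class/instance[:port][/servicename]' into (class, rest).

    Only the service class is aliased; the remainder is compared as-is,
    case-insensitively (an assumption of this model).
    """
    service_class, sep, rest = spn.partition("/")
    if not sep or not service_class or not rest:
        raise ValueError(f"not a valid SPN: {spn!r}")
    return service_class.lower(), rest.lower()


def equivalent_classes(service_class, mappings):
    """All service classes that count as the same as service_class.

    'host' expands to every member of its mapping; a member such as 'http'
    expands back to 'host' only, not to its sibling members.
    """
    sc = service_class.lower()
    classes = {sc}
    for alias, members in mappings.items():
        if sc == alias:
            classes |= members
        elif sc in members:
            classes.add(alias)
    return classes


def find_spn_collision(new_spn, target_dn, directory, mappings):
    """Return (dn, spn) of an SPN on another object that aliases new_spn.

    directory maps DN -> list of servicePrincipalName values.  The object
    being modified (target_dn) is skipped: one object may legitimately hold
    both HOST/name and http/name, as the otherdom computer account does.
    """
    new_class, new_rest = split_spn(new_spn)
    classes = equivalent_classes(new_class, mappings)
    for dn, spns in directory.items():
        if dn.lower() == target_dn.lower():
            continue
        for spn in spns:
            cls, rest = split_spn(spn)
            if rest == new_rest and cls in classes:
                return dn, spn
    return None


# Constructed directory snapshot mirroring the objects quoted in the thread.
COMPUTER_DN = "CN=myserver,OU=Member Servers,DC=samdom,DC=net"
SERVICE_DN = ("CN=svc_myserver_apache,OU=Service Accounts,"
              "OU=Noninteractive Users,DC=samdom,DC=net")
DIRECTORY = {
    COMPUTER_DN: [],
    SERVICE_DN: ["HTTP/myserver.samdom.net"],
}


def join_would_fail(directory=DIRECTORY, mappings_values=SPN_MAPPINGS_VALUES):
    """Replay the failing join step: adding HOST/myserver to the computer."""
    mappings = parse_spn_mappings(mappings_values)
    return find_spn_collision("HOST/myserver.samdom.net", COMPUTER_DN,
                              directory, mappings)


if __name__ == "__main__":
    hit = join_would_fail()
    if hit:
        print(f"HOST/myserver.samdom.net collides with {hit[1]} on {hit[0]}")
    else:
        print("no collision")
```

Running it reproduces the thread's outcome: the HOST/ SPN for the computer collides with HTTP/myserver.samdom.net on the service account, and the same routine run the other way round reports the collision the poster saw when adding HTTP/ to the service account while HOST/ sat on the computer object. The practical takeaway for the design shown in otherdom is the one in the thread: keep the aliased classes on the computer account, or accept that a member class on a separate account will be refused once the computer holds HOST/.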




