Web lists-archives.com

[Samba] spn validation failed for spn MSSQLSvc




High there,

despite SPN - registration of MSSQLSvc - Service my samba-log is littered with failures...
Please have a look about it:

Samba-Version: 4.5.16-SerNet-Debian-18.jessie

User foo and machine tz115 are registered in spn:
root@tz230:~# samba-tool spn list foo
foo
User CN=foo,CN=Users,DC=testzentrum,DC=uni-frankfurt,DC=de has the following servicePrincipalName:
         host/tz115.testzentrum.uni-frankfurt.de@KerberosRealm
MSSQLSvc/tz115.testzentrum.uni-frankfurt.de:8ED4F51D-31C3-4F
         MSSQLSvc/tz115.testzentrum.uni-frankfurt.de:1433


If user foo is a normal member of the domain-users, I get this failures:
[2018/05/03 14:47:28.996941,  0] ../source4/rpc_server/drsuapi/writespn.c:235(dcesrv_drsuapi_DsWriteAccountSpn)   Failed to modify SPNs on CN=tz115,CN=Computers,DC=testzentrum,DC=uni-frankfurt,DC=de: acl: spn validation failed for spn[MSSQLSvc/tz115.testzentrum.uni-frankfurt.de:SQLEXPRESS] uac[0x1000] account[tz115$] hostname[tz115.testzentrum.uni-frankfurt.de] nbname[TESTZENTRUM] ntds[(null)] forest[testzentrum.uni-frankfurt.de] domain[testzentrum.uni-frankfurt.de]

[2018/05/03 14:48:13.368969,  0] ../source4/rpc_server/drsuapi/writespn.c:235(dcesrv_drsuapi_DsWriteAccountSpn)   Failed to modify SPNs on CN=foo,CN=Users,DC=testzentrum,DC=uni-frankfurt,DC=de: error in module acl: insufficient access rights during LDB_MODIFY (50)


If foo is added to the domain-admins group and is logged in, there are no failures with MSSQLSvc - Service in my samba-logs.

Are somebody there who are experienced with SPN on Samba?

Any thoughts?
Thanks Heinz














--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba