
Re: [Samba] Failed to modify SPNs




On Tue, 7 Aug 2018 16:26:36 +0100
Rowland Penny via samba <samba@xxxxxxxxxxxxxxx> wrote:

> On Tue, 7 Aug 2018 17:13:02 +0200
> Henry Jensen via samba <samba@xxxxxxxxxxxxxxx> wrote:
> 
> > On Tue, 7 Aug 2018 14:59:56 +0100
> > Rowland Penny via samba <samba@xxxxxxxxxxxxxxx> wrote:
> >   
> > > On Tue, 7 Aug 2018 14:55:24 +0200
> > > Henry Jensen via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > >   
> > > > On Tue, 7 Aug 2018 12:51:33 +0100
> > > > Rowland Penny via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > > >     
> > > > > > > > Failed to modify SPNs on
> > > > > > > > CN=db1,CN=Computers,DC=mydom,DC=lan: acl: spn validation
> > > > > > > > failed for spn[TERMSRV/DB1.MYDOM] uac[0x1000]
> > > > > > > > account[db1$] hostname[(null)] nbname[mydom] ntds[(null)]
> > > > > > > > forest[mydom.lan] domain[mydom.lan]
> > > > > > > > 
> > > > > > > > At first I thought it was about missing SPN entries, but
> > > > > > > > adding these did not resolve the problem:
> > > > > > > > 
> > > > > > > > # samba-tool spn list db1$
> > > > > > > > db1$
> > > > > > > > User CN=db1,CN=Computers,DC=mydom,DC=lan has the following
> > > > > > > > servicePrincipalName: TERMSRV/db1
> > > > > > > >          TERMSRV/db1.mydom
> > > > > > > >          TERMSRV/db1.mydom.lan
> > > > > > > > 
> > > > > > > > 
> > > > > > > > Samba is 4.7.8 and one DC with 4.8.3.
> > > > > > > >         
> > > > > > > 
> > > > > > > I am fairly sure that 'TERMSRV' is coming from
> > > > > > > 'spn_update_list' and it is trying to be added by
> > > > > > > 'samba_spnupdate'. There is however a problem, this is the
> > > > > > > bottom of 'spn_update_list':
> > > > > > > 
> > > > > > > # Only used on Terminal Server mode:
> > > > > > > # TERMSRV/${HOSTNAME}
> > > > > > > # TERMSRV/${NETBIOSNAME}
> > > > > > > 
> > > > > > > As you can see, all the lines are commented out and should
> > > > > > > be ignored.
> > > > > > > 
> > > > > > > Have you modified the 'spn_update_list' ?      
> > > > > > 
> > > > > > 
> > > > > > No, in /var/lib/samba/private/spn_update_list the lines you
> > > > > > quoted are still commented out.
> > > > > > 
> > > > > > Like I said, after the messages appeared (right after the
> > > > > > migration from the old NT-style domain) I added the TERMSRV
> > > > > > entries manually with 
> > > > > > 
> > > > > >  samba-tool spn add TERMSRV/db1 db1$
> > > > > >  samba-tool spn add TERMSRV/db1.mydom db1$
> > > > > >  samba-tool spn add TERMSRV/db1.mydom.lan db1$
> > > > > > 
> > > > > > thinking, this would resolve the issue, but it didn't.
> > > > > > 
> > > > > > However, since TERMSRV is ignored, could one simply ignore
> > > > > > these messages as well?
> > > > > > 
> > > > > > Kind Regards,
> > > > > > 
> > > > > > Henry
> > > > > > 
> > > > > >       
> > > > > 
> > > > > Well, you could, but where are they coming from ?
> > > > > Do you actually use terminal servers ?
> > > > > 
> > > > > Can you post your smb.conf files.    
> > > > 
> > > > 
> > > > Yes, we are using terminal servers and connecting to various
> > > > machines via RDP. Indeed all machines regarding those TERMSRV
> > > > messages are machines at which we use remote desktop services.
> > > > 
> > > > 
> > > > # cat /etc/samba/smb.conf 
> > > > [global]
> > > >         netbios name = DC1
> > > >         realm = MYDOM.LAN
> > > >         server role = active directory domain controller
> > > >         workgroup = MYDOM
> > > >         idmap_ldb:use rfc2307 = yes
> > > >         dns forwarder = 1.2.3.4
> > > >         dsdb:schema update allowed=true
> > > > 
> > > > [netlogon]
> > > >         path = /var/lib/samba/sysvol/mydom.lan/scripts
> > > >         read only = No
> > > > 
> > > > [sysvol]
> > > >         path = /var/lib/samba/sysvol
> > > >         read only = No
> > > > 
> > > > 
> > > >     
> > > 
> > > OK, try adding the SPN, yes I know you have already tried ;-)
> > > Try it this way 
> > > 
> > > samba-tool spn add TERMSRV/DB1.MYDOM db1$  
> > 
> > 
> > OK, I tried it with upper case: 
> > 
> > # samba-tool spn add TERMSRV/DB1.MYDOM db1$
> > ERROR: Service principal TERMSRV/DB1.MYDOM already affected to
> > another user
> > 
> > 
> > Kind Regards,
> > 
> > Henry
> > 
> > 
> > 
> >   
> 
> The error message seems to be trying to set the SPN in uppercase, you
> added it in lowercase. Try deleting the lowercase SPN
> 'TERMSRV/db1.mydom' and then add it again but all in uppercase.

All right, I did so. Then I established a RDP session to db1 in order
to trigger the message. So far, it didn't appear again. Thank you very
much, Rowland.

Kind Regards, 
Henry
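
As an added example (not part of the thread, and not Samba code): the fix Rowland suggests comes down to comparing the SPN named in the "spn validation failed for spn[...]" message against what `samba-tool spn list` actually shows, noticing that the existing value differs only in letter case, and deleting the variant before adding the exact form. The thread shows why an add alone fails: `samba-tool spn add` rejects `TERMSRV/DB1.MYDOM` as already present when `TERMSRV/db1.mydom` exists, so the duplicate check is case-insensitive while the validation message still wants the uppercase spelling. The script below parses the output shape quoted in the thread and the log line quoted at the top, and returns the `samba-tool spn delete` / `samba-tool spn add` commands to run. The sample list output and log line are constructed with the thread's names; the function and variable names are mine.

```python
"""Find SPNs that exist on an account only in a different letter case.

Added example, not from the thread or from Samba. It parses the output
shape of `samba-tool spn list <account>` as quoted in the thread, pulls
the wanted SPN and account out of an "spn validation failed" log line,
and returns the samba-tool commands that delete the case-variant and
add the exact form. Sample inputs are constructed from the thread.
"""

import re

# Constructed to match the shape of `samba-tool spn list db1$` in the thread.
SAMPLE_SPN_LIST = """\
db1$
User CN=db1,CN=Computers,DC=mydom,DC=lan has the following servicePrincipalName: TERMSRV/db1
         TERMSRV/db1.mydom
         TERMSRV/db1.mydom.lan
"""

# Constructed from the log line quoted at the top of the thread.
SAMPLE_LOG = (
    "Failed to modify SPNs on CN=db1,CN=Computers,DC=mydom,DC=lan: "
    "acl: spn validation failed for spn[TERMSRV/DB1.MYDOM] uac[0x1000] "
    "account[db1$] hostname[(null)] nbname[mydom] ntds[(null)] "
    "forest[mydom.lan] domain[mydom.lan]"
)

SPN_FROM_LOG = re.compile(r"spn validation failed for spn\[([^\]]+)\]")
ACCOUNT_FROM_LOG = re.compile(r"account\[([^\]]+)\]")


def parse_spn_list(text):
    """Return the servicePrincipalName values printed by `samba-tool spn list`.

    The first SPN follows "servicePrincipalName:" on the header line; the
    remaining ones are indented, one per line.
    """
    marker = "servicePrincipalName:"
    spns = []
    in_list = False
    for raw in text.splitlines():
        line = raw.strip()
        if not in_list:
            if marker in line:
                in_list = True
                first = line.split(marker, 1)[1].strip()
                if first:
                    spns.append(first)
            continue
        if line:
            spns.append(line)
    return spns


def spn_from_log(line):
    """Return (wanted_spn, account) from a validation-failure log line."""
    spn = SPN_FROM_LOG.search(line)
    account = ACCOUNT_FROM_LOG.search(line)
    if not (spn and account):
        return (None, None)
    return (spn.group(1), account.group(1))


def plan_spn_fix(existing, wanted, account):
    """Return the samba-tool commands that make `wanted` present exactly.

    - exact match already present: nothing to do
    - present only as a case-variant (what the thread hit): delete the
      variant(s), then add the exact spelling
    - absent: add it
    Values are single-quoted so the '$' in machine accounts survives the shell.
    """
    if wanted in existing:
        return []
    variants = [s for s in existing if s.lower() == wanted.lower()]
    cmds = [f"samba-tool spn delete '{v}' '{account}'" for v in variants]
    cmds.append(f"samba-tool spn add '{wanted}' '{account}'")
    return cmds


if __name__ == "__main__":
    wanted, account = spn_from_log(SAMPLE_LOG)
    for cmd in plan_spn_fix(parse_spn_list(SAMPLE_SPN_LIST), wanted, account):
        print(cmd)
```

In practice you would feed the real `samba-tool spn list <account>` output and the real log line into the two parsers and review the printed commands before running them; the thread's confirmation step (open an RDP session to the host and watch whether the message reappears) still applies afterwards.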

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba