Hi there,
despite SPN registration of the MSSQLSvc service, my Samba log is
littered with failures...
Please have a look at it:
Samba-Version: 4.5.16-SerNet-Debian-18.jessie
User foo and machine tz115 are registered in spn:
root@tz230:~# samba-tool spn list foo
foo
User CN=foo,CN=Users,DC=testzentrum,DC=uni-frankfurt,DC=de has the
following servicePrincipalName:
host/tz115.testzentrum.uni-frankfurt.de@KerberosRealm
MSSQLSvc/tz115.testzentrum.uni-frankfurt.de:8ED4F51D-31C3-4F
MSSQLSvc/tz115.testzentrum.uni-frankfurt.de:1433
If user foo is a normal member of the domain-users, I get these failures:
[2018/05/03 14:47:28.996941, 0]
../source4/rpc_server/drsuapi/writespn.c:235(dcesrv_drsuapi_DsWriteAccountSpn)
Failed to modify SPNs on
CN=tz115,CN=Computers,DC=testzentrum,DC=uni-frankfurt,DC=de: acl: spn
validation failed for
spn[MSSQLSvc/tz115.testzentrum.uni-frankfurt.de:SQLEXPRESS] uac[0x1000]
account[tz115$] hostname[tz115.testzentrum.uni-frankfurt.de]
nbname[TESTZENTRUM] ntds[(null)] forest[testzentrum.uni-frankfurt.de]
domain[testzentrum.uni-frankfurt.de]
[2018/05/03 14:48:13.368969, 0]
../source4/rpc_server/drsuapi/writespn.c:235(dcesrv_drsuapi_DsWriteAccountSpn)
Failed to modify SPNs on
CN=foo,CN=Users,DC=testzentrum,DC=uni-frankfurt,DC=de: error in module
acl: insufficient access rights during LDB_MODIFY (50)
If foo is added to the domain-admins group and is logged in, there are
no failures with MSSQLSvc - Service in my samba-logs.
Is there somebody who is experienced with SPN on Samba?
Any thoughts?
Thanks Heinz