Hello,

I've got some log entries like these on our DCs:

Failed to modify SPNs on CN=db1,CN=Computers,DC=mydom,DC=lan: acl: spn validation failed for spn[TERMSRV/DB1.MYDOM] uac[0x1000] account[db1$] hostname[(null)] nbname[mydom] ntds[(null)] forest[mydom.lan] domain[mydom.lan]

At first I thought it was about missing SPN entries, but adding these did not resolve the problem:

# samba-tool spn list db1$
db1$
User CN=db1,CN=Computers,DC=mydom,DC=lan has the following servicePrincipalName:
         TERMSRV/db1
         TERMSRV/db1.mydom
         TERMSRV/db1.mydom.lan

Samba is 4.7.8 and one DC with 4.8.3.

Any ideas?

Kind Regards,

Henry

On Tue, 7 Aug 2018 09:52:24 +0200 Henry Jensen via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I've got some log entries like these on our DCs:
>
> Failed to modify SPNs on CN=db1,CN=Computers,DC=mydom,DC=lan: acl:
> spn validation failed for spn[TERMSRV/DB1.MYDOM] uac[0x1000]
> account[db1$] hostname[(null)] nbname[mydom] ntds[(null)]
> forest[mydom.lan] domain[mydom.lan]
>
> At first I thought it was about missing SPN entries, but adding these
> did not resolve the problem:
>
> # samba-tool spn list db1$
> db1$
> User CN=db1,CN=Computers,DC=mydom,DC=lan has the following
> servicePrincipalName: TERMSRV/db1
> TERMSRV/db1.mydom
> TERMSRV/db1.mydom.lan
>
>
> Samba is 4.7.8 and one DC with 4.8.3.
>

I am fairly sure that 'TERMSRV' is coming from 'spn_update_list' and it is trying to be added by 'samba_spnupdate'.
There is however a problem, this is the bottom of 'spn_update_list':

# Only used on Terminal Server mode:
# TERMSRV/${HOSTNAME}
# TERMSRV/${NETBIOSNAME}

As you can see, all the lines are commented out and should be ignored.

Have you modified the 'spn_update_list' ?

Rowland

Hi Rowland,

On Tue, 7 Aug 2018 09:46:24 +0100 Rowland Penny via samba <samba at lists.samba.org> wrote:

> > Failed to modify SPNs on CN=db1,CN=Computers,DC=mydom,DC=lan: acl:
> > spn validation failed for spn[TERMSRV/DB1.MYDOM] uac[0x1000]
> > account[db1$] hostname[(null)] nbname[mydom] ntds[(null)]
> > forest[mydom.lan] domain[mydom.lan]
> >
> > At first I thought it was about missing SPN entries, but adding these
> > did not resolve the problem:
> >
> > # samba-tool spn list db1$
> > db1$
> > User CN=db1,CN=Computers,DC=mydom,DC=lan has the following
> > servicePrincipalName: TERMSRV/db1
> > TERMSRV/db1.mydom
> > TERMSRV/db1.mydom.lan
> >
> >
> > Samba is 4.7.8 and one DC with 4.8.3.
> >
>
> I am fairly sure that 'TERMSRV' is coming from 'spn_update_list' and it
> is trying to be added by 'samba_spnupdate'.
> There is however a problem, this is the bottom of 'spn_update_list':
>
> # Only used on Terminal Server mode:
> # TERMSRV/${HOSTNAME}
> # TERMSRV/${NETBIOSNAME}
>
> As you can see, all the lines are commented out and should be ignored.
>
> Have you modified the 'spn_update_list' ?

No, in /var/lib/samba/private/spn_update_list the lines you quoted are still commented out.

Like I said, after the messages appeared (right after the migration from the old NT-style domain) I added the TERMSRV entries manually with

samba-tool spn add TERMSRV/db1 db1$
samba-tool spn add TERMSRV/db1.mydom db1$
samba-tool spn add TERMSRV/db1.mydom.lan db1$

thinking, this would resolve the issue, but it didn't.

However, since TERMSRV is ignored, could one simply ignore these messages as well?

Kind Regards,

Henry