Kees van Vloten
2022-Jan-16 21:43 UTC
[Samba] samldb_spn_uniqueness_check: SPN HOST/myserver.samdom.net failed alias uniqueness check
On 16-01-2022 22:05, Rowland Penny via samba wrote:
> On Sun, 2022-01-16 at 21:53 +0100, Kees van Vloten via samba wrote:
>> On 16-01-2022 21:40, Rowland Penny via samba wrote:
>>> On Sun, 2022-01-16 at 21:05 +0100, Kees van Vloten via samba wrote:
>>>> Hi Team,
>>>>
>>>> I am using samba-accounts per service; when the service uses Kerberos, the account gets an SPN associated.
>>>>
>>>> It looks like something in the area of SPN verification has changed between 4.13 / 4.14 and 4.15.3 on Debian 11 (with samba from Louis' repo).
>>>>
>>>> I am trying to do a domain-join on a machine (myserver) on 4.15.3, but it fails on the client-side with:
>>>>
>>>> Failed to join domain: Failed to set machine spn: Constraint violation
>>>> Do you have sufficient permissions to create machine accounts?
>>>>
>>>> The samba.log on the DC shows the same:
>>>>
>>>> [2022/01/16 20:13:31.260393, 0] ../../source4/dsdb/samdb/ldb_modules/samldb.c:3841(check_spn_alias_collision)
>>>> check_spn_alias_collision: trying to add SPN 'HOST/myserver.samdom.net' on 'CN=myserver,OU=Member Servers,DC=samdom,DC=net' when 'http/myserver.samdom.net' is on 'CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net'
>>>> [2022/01/16 20:13:31.260465, 0] ../../source4/dsdb/samdb/ldb_modules/samldb.c:4028(samldb_spn_uniqueness_check)
>>>> samldb_spn_uniqueness_check: SPN HOST/myserver.samdom.net failed alias uniqueness check
>>>>
>>>> A search for the SPN returns that a similar SPN is in use for Apache's service-account (but it does not have the HOST/ SPN assigned, exactly as intended):
>>>>
>>>> samba-tool spn list svc_myserver_apache
>>>> svc_myserver_apache
>>>> User CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net has the following servicePrincipalName:
>>>> HTTP/myserver.samdom.net
>>>>
>>>> root at controller01:/var/log/samba# samba-tool user show svc_myserver_apache
>>>> dn: CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: organizationalPerson
>>>> objectClass: user
>>>> cn: svc_myserver_apache
>>>> name: svc_myserver_apache
>>>> sAMAccountName: svc_myserver_apache
>>>> userPrincipalName: svc_myserver_apache at samdom.net
>>>> servicePrincipalName: HTTP/myserver.samdom.net
>>>> <fields removed to reduce output>
>>>>
>>>> A final test indeed shows HOST/myserver.samdom.net and HTTP/myserver.samdom.net are colliding when they are not set on one user:
>>>>
>>>> samba-tool spn add HOST/myserver.samdom.net myserver$
>>>> check_spn_alias_collision: trying to add SPN 'HOST/myserver.samdom.net' on 'CN=myserver,OU=Member Servers,DC=samdom,DC=net' when 'http/myserver.samdom.net' is on 'CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net'
>>>> samldb_spn_uniqueness_check: SPN HOST/myserver.samdom.net failed alias uniqueness check
>>>>
>>>> This all happens on a pretty new domain setup on 4.15.3.
>>>>
>>>> The interesting thing is that I have this exact configuration on another domain which was set up a while ago, probably 4.13. This domain was upgraded to 4.14 and to 4.15.3:
>>>>
>>>> samba-tool computer show otherserver
>>>> dn: CN=otherserver,OU=Member Servers,DC=otherdom,DC=net
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: organizationalPerson
>>>> objectClass: user
>>>> objectClass: computer
>>>> cn: otherserver
>>>> sAMAccountName: otherserver$
>>>> servicePrincipalName: HOST/otherserver
>>>> servicePrincipalName: HOST/otherserver.otherdom.net
>>>> servicePrincipalName: nfs/otherserver.otherdom.net
>>>>
>>>> samba-tool user show svc_otherserver_apache
>>>> dn: CN=svc_otherserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=otherdom,DC=net
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: organizationalPerson
>>>> objectClass: user
>>>> cn: svc_otherserver_apache
>>>> name: svc_otherserver_apache
>>>> sAMAccountName: svc_otherserver_apache
>>>> userPrincipalName: svc_otherserver_apache at otherdom.net
>>>> servicePrincipalName: HTTP/otherserver.otherdom.net
>>>>
>>>> Is there a way around the issue without eliminating the service-account and its SPN?
>>>>
>>>> Is it a new issue in 4.15?
>>>>
>>>> - Kees
>>>
>>> It is an AD thing, try reading this thread:
>>> https://lists.samba.org/archive/samba/2021-November/238694.html
>>>
>>> Basically, having an SPN starting with 'host' (or 'HOST') sets 'http' as well.
>>>
>>> Rowland
>>>
>> If I want to get to the situation in otherdom, would this sequence do the trick?
>>
>> - remove http/ spn from service-account
>> - join machine
>> - remove http/ spn from computer account
>> - add http/ spn to service-account
>
> From my understanding 'host' is an alias for a large number of other SPN's, 'http' being among them. From this, I actually do not think you should be setting 'http/myserver.samdom.net' on anything.
>
> Rowland
>

I think I have found the list of aliases on computer-accounts; it is pretty long:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc772815(v=ws.10)#service-principal-names

Compared to this list it seems that Samba is checking fewer aliases. As you can see both 'http' and 'www' are in Microsoft's list.

Trying to put 'http' on my service-account fails, but doing the same with 'www' works like a charm.

And now I know how I got the 'http' spn on the service-account, look at this:

samba-tool spn add 'HTTP/myserver.samdom.net' svc_myserver_apache
check_spn_alias_collision: trying to add SPN 'HTTP/myserver.samdom.net' on 'CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net' when 'host/myserver.samdom.net' is on 'CN=myserver,OU=Member Servers,DC=samdom,DC=net'

samba-tool spn add 'WWW/myserver.samdom.net' svc_myserver_apache

samba-tool spn list svc_myserver_apache
svc_myserver_apache
User CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net has the following servicePrincipalName:
    HTTP/myserver.samdom.net
    WWW/myserver.samdom.net

So 'http' returns an error but does get added!

'www' does not return an error and also gets added.

Then when you have 'http' on another account than the computer-account, the domain-join fails!

Shall I file a bug for this?

- Kees
Rowland Penny
2022-Jan-16 21:52 UTC
[Samba] samldb_spn_uniqueness_check: SPN HOST/myserver.samdom.net failed alias uniqueness check
On Sun, 2022-01-16 at 22:43 +0100, Kees van Vloten via samba wrote:
> I think I have found the list of aliases on computer-accounts; it is pretty long:
>
> https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc772815(v=ws.10)#service-principal-names
>
> Compared to this list it seems that Samba is checking fewer aliases. As you can see both 'http' and 'www' are in Microsoft's list.
>
> Trying to put 'http' on my service-account fails, but doing the same with 'www' works like a charm.
>
> And now I know how I got the 'http' spn on the service-account, look at this:
>
> samba-tool spn add 'HTTP/myserver.samdom.net' svc_myserver_apache
> check_spn_alias_collision: trying to add SPN 'HTTP/myserver.samdom.net' on 'CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net' when 'host/myserver.samdom.net' is on 'CN=myserver,OU=Member Servers,DC=samdom,DC=net'
>
> samba-tool spn add 'WWW/myserver.samdom.net' svc_myserver_apache
>
> samba-tool spn list svc_myserver_apache
> svc_myserver_apache
> User CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net has the following servicePrincipalName:
> HTTP/myserver.samdom.net
> WWW/myserver.samdom.net
>
> So 'http' returns an error but does get added!
>
> 'www' does not return an error and also gets added.
>
> Then when you have 'http' on another account than the computer-account, the domain-join fails!

This is the list from my domain:

sPNMappings: host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,replicator,eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,fax,msiserver,ias,messenger,netlogon,netman,netdde,netddedsm,nmagent,plugplay,protectedstorage,rasman,rpclocator,rpc,rpcss,remoteaccess,rsvp,samss,scardsvr,scesrv,seclogon,scm,dcom,cifs,spooler,snmp,schedule,tapisrv,trksvr,trkwks,ups,time,wins,www,http,w3svc,iisadmin,msdtc

> Shall I file a bug for this?

No, because I don't think it is a bug, everything seems to be working as it should.

Rowland
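As an added example (not Samba's code and not written by either participant in this thread), the checker below approximates the alias rule discussed above: it parses the sPNMappings value quoted in the thread, folds every listed service class onto 'host', and reports which other accounts already hold an SPN that aliases the one about to be added, using constructed account data that mirrors the two domains described. It treats 'www' exactly like 'http', so it also flags the 'www' case the thread reports Samba let through; the directory dictionaries are a stand-in for the AD data, not an LDAP query.

```python
"""Alias-aware SPN collision checker (constructed example, not Samba's code)."""
from collections import defaultdict

# sPNMappings value as quoted in the thread: every service class on the
# right-hand side is treated as an alias of the canonical class "host".
SPN_MAPPINGS = (
    "host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,replicator,eventlog,"
    "eventsystem,policyagent,oakley,dmserver,dns,mcsvc,fax,msiserver,ias,messenger,"
    "netlogon,netman,netdde,netddedsm,nmagent,plugplay,protectedstorage,rasman,"
    "rpclocator,rpc,rpcss,remoteaccess,rsvp,samss,scardsvr,scesrv,seclogon,scm,dcom,"
    "cifs,spooler,snmp,schedule,tapisrv,trksvr,trkwks,ups,time,wins,www,http,w3svc,iisadmin,msdtc")

def parse_spn_mappings(value):
    """Return {alias_class: canonical_class}, lower-cased, e.g. {'http': 'host'}."""
    canonical, _, aliases = value.partition("=")
    return {a.strip().lower(): canonical.strip().lower() for a in aliases.split(",")}

def canonical_spn(spn, mappings):
    """'HTTP/MyServer.samdom.net' -> ('host', 'myserver.samdom.net')."""
    service, _, target = spn.partition("/")
    service = service.lower()
    return mappings.get(service, service), target.lower()

def spn_collisions(directory, new_spn, target_dn, mappings):
    """DNs other than target_dn that already hold an SPN aliasing new_spn."""
    wanted = canonical_spn(new_spn, mappings)
    return sorted(dn for dn, spns in directory.items() if dn != target_dn
                  and any(canonical_spn(s, mappings) == wanted for s in spns))

def audit_directory(directory, mappings):
    """Pre-existing collisions: {(canonical_class, target): [dn, ...]} held by >1 DN."""
    holders = defaultdict(set)
    for dn, spns in directory.items():
        for s in spns:
            holders[canonical_spn(s, mappings)].add(dn)
    return {k: sorted(v) for k, v in holders.items() if len(v) > 1}

# Constructed sample data ({dn: [spn, ...]}) mirroring the thread's two domains.
SAMDOM = {
    "CN=myserver,OU=Member Servers,DC=samdom,DC=net": [],
    "CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net":
        ["HTTP/myserver.samdom.net"],
}
OTHERDOM = {
    "CN=otherserver,OU=Member Servers,DC=otherdom,DC=net":
        ["HOST/otherserver", "HOST/otherserver.otherdom.net", "nfs/otherserver.otherdom.net"],
    "CN=svc_otherserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=otherdom,DC=net":
        ["HTTP/otherserver.otherdom.net"],
}
```

Running audit_directory over an existing domain before upgrading is the defensive use: it lists the aliased SPN pairs (like the otherdom HOST/HTTP pair) that a newer DC would refuse at join time.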