mathias dufresne
2016-Mar-10 09:41 UTC
[Samba] Failed to modify SPNs on error in module acl: Constraint violation during LDB_MODIFY (19)
Hi all,

SPN = servicePrincipalName

A simple search returning all servicePrincipalName declared in your AD:
ldbsearch -H $sam serviceprincipalname=* serviceprincipalname

An extract from result concerning a lambda client:
# record 41
dn: CN=win-client345,OU=Machines,DC=ad,DC=domain,DC=tld
servicePrincipalName: HOST/MB38W746-0009
servicePrincipalName: HOST/MB38W746-0009.ad.domain.tld
servicePrincipalName: TERMSRV/MB38W746-0009.ad.domain.tld
servicePrincipalName: TERMSRV/MB38W746-0009

I would start checking rights using security tab of your client machine
into ADUC tool to verify "SELF" is well configured (comparing with some
other machine not generating these logs).

When this kind of message happens? When you add new client or when client
boots or randomly?

Not sure that helps, I tried ;)

2016-03-08 18:01 GMT+01:00 Adam Tauno Williams <awilliam at whitemice.org>:

> On Tue, 2016-02-02 at 23:38 +0100, Markus Dellermann wrote:
> > sometimes I see following in the logs:
> > /source4/rpc_server/drsuapi/writespn.c:234(dcesrv_drsuapi_DsWriteAcco
> > untSpn)
> > Failed to modify SPNs on
> > CN=PCNAME,CN=Computers,DC=DOMAIN,DC=NAME,DC=NAME,DC=de: error in
> > module acl:
> > Constraint violation during LDB_MODIFY (19)
>
> I am seeing a very similar message - Failed to modify SPNs on
> CN=TERRINE-WHITE,OU=Terminal Servers,DC=example,DC=com: error in module
> acl: Constraint violation (19)
>
> > In the net I found this "explanation":
> >
> > "LDAP_CONSTRAINT_VIOLATION
> > Indicates that the attribute value specified in a modify, add, or
> > modify DN
> > operation violates constraints placed on the attribute. The
> > constraint can be
> > one of size or content (string only, no binary)."
> >
> > Hm, is this triggered by dns-updates?
> > I see this only with two clients
> > How can I "debug" this ?
> >
> > I am using samba 4.3.4 with bind-dlz
> > clients are win7
> >
> > Thank you for your thoughts!
> >
> > Markus
>
> --
> Adam Tauno Williams <mailto:awilliam at whitemice.org> GPG D95ED383
> Systems Administrator, Python Developer, LPI / NCLA
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Markus Dellermann
2016-Mar-13 23:44 UTC
[Samba] Failed to modify SPNs on error in module acl: Constraint violation during LDB_MODIFY (19)
On Thursday, 10 March 2016, 10:41:34 CET, mathias dufresne wrote:

Hi, Mathias and all
thank you for your answer.

> Hi all,
>
> SPN = servicePrincipalName
>
> A simple search returning all servicePrincipalName declared in your AD:
> ldbsearch -H $sam serviceprincipalname=* serviceprincipalname
>

For me:
ldbsearch -H /var/lib/samba/private/sam.ldb serviceprincipalname=* serviceprincipalname

> An extract from result concerning a lambda client:
> # record 41
> dn: CN=win-client345,OU=Machines,DC=ad,DC=domain,DC=tld
> servicePrincipalName: HOST/MB38W746-0009
> servicePrincipalName: HOST/MB38W746-0009.ad.domain.tld
> servicePrincipalName: TERMSRV/MB38W746-0009.ad.domain.tld
> servicePrincipalName: TERMSRV/MB38W746-0009
>

An affected client:
# record 6
dn: CN=MACHINE1,CN=Computers,DC=ad,DC=domain,DC=domain,DC=tld
servicePrincipalName: HOST/ MACHINE1.ad.domain.domain.tld
servicePrincipalName: RestrictedKrbHost/MACHINE1.ad.domain.domain.tld
servicePrincipalName: HOST/MACHINE1
servicePrincipalName: RestrictedKrbHost/MACHINE1
servicePrincipalName: TERMSRV/MACHINE1.ad.domain.domain.tld
servicePrincipalName: TERMSRV/MACHINE1

Not affected:
# record 19
dn: CN=MACHINE2,CN=Computers,DC=ad,DC=domain,DC=domain,DC=tld
servicePrincipalName: HOST/MACHINE2
servicePrincipalName: HOST/MACHINE2.ad.domain.domain.tld
servicePrincipalName: TERMSRV/MACHINE2.ad.domain.domain.tld
servicePrincipalName: TERMSRV/MACHINE2

Not affected:
# record 8
dn: CN=MACHINE3,CN=Computers,DC=ad,DC=domain,DC=domain,DC=tld
servicePrincipalName: HOST/MACHINE3
servicePrincipalName: HOST/MACHINE3.ad.domain.domain.tld
servicePrincipalName: TERMSRV/MACHINE3.ad.domain.domain.tld
servicePrincipalName: TERMSRV/MACHINE3
servicePrincipalName: RestrictedKrbHost/MACHINE3.ad.domain.domain.tld
servicePrincipalName: RestrictedKrbHost/MACHINE3

I see no big differences..
maybe except
"servicePrincipalName: RestrictedKrbHost/MACHINE1.ad.domain.domain.tld"
Does the entry order matter?

> I would start checking rights using security tab of your client machine
> into ADUC tool to verify "SELF" is well configured (comparing with some
> other machine not generating these logs).
>

No differences between the rights, but in "Attribut-Editor"
affected clients have not set:
- displayName
- uidNumber

> When this kind of message happens? When you add new client or when client
> boots or randomly?
>

For me it only occurs when two of our clients boot.

> Not sure that helps, I tried ;)
>

Thank you!
(After holiday I will try to look deeper)

Markus

> 2016-03-08 18:01 GMT+01:00 Adam Tauno Williams <awilliam at whitemice.org>:
> > On Tue, 2016-02-02 at 23:38 +0100, Markus Dellermann wrote:
> > > sometimes I see following in the logs:
> > > /source4/rpc_server/drsuapi/writespn.c:234(dcesrv_drsuapi_DsWriteAcco
> > > untSpn)
> > > Failed to modify SPNs on
> > > CN=PCNAME,CN=Computers,DC=DOMAIN,DC=NAME,DC=NAME,DC=de: error in
> > > module acl:
> > > Constraint violation during LDB_MODIFY (19)
> >
> > I am seeing a very similar message - Failed to modify SPNs on
> > CN=TERRINE-WHITE,OU=Terminal Servers,DC=example,DC=com: error in module
> > acl: Constraint violation (19)
> >
> > > In the net I found this "explanation":
> > >
> > > "LDAP_CONSTRAINT_VIOLATION
> > > Indicates that the attribute value specified in a modify, add, or
> > > modify DN
> > > operation violates constraints placed on the attribute. The
> > > constraint can be
> > > one of size or content (string only, no binary)."
> > >
> > > Hm, is this triggered by dns-updates?
> > > I see this only with two clients
> > > How can I "debug" this ?
> > >
> > > I am using samba 4.3.4 with bind-dlz
> > > clients are win7
> > >
> > > Thank you for your thoughts!
Markus Dellermann
2016-Mar-24 08:51 UTC
[Samba] Failed to modify SPNs on error in module acl: Constraint violation during LDB_MODIFY (19)
Hi again,

On Monday, 14 March 2016, 00:44:47 CET, Markus Dellermann wrote:
> On Thursday, 10 March 2016, 10:41:34 CET, mathias dufresne wrote:
> Hi, Mathias and all
> thank you for your answer.
>
> > Hi all,
> >
> > SPN = servicePrincipalName
> >
> > A simple search returning all servicePrincipalName declared in your AD:
> > ldbsearch -H $sam serviceprincipalname=* serviceprincipalname
>
> For me:
> ldbsearch -H
> /var/lib/samba/private/sam.ldb serviceprincipalname=* serviceprincipalname
>
[...]

Thank you again for the hint!
With "loglevel=10" I found the affected servicePrincipalName:

ldb: ldb_trace_request: MODIFY
dn: CN=PCNAME,CN=Computers,DC=...
changetype: modify
add: servicePrincipalName
servicePrincipalName: MSSQLSvc/PCNAME.domain.domain.domain.de:DATEV_DBENGIN
E
-
control: 1.2.840.113556.1.4.1413 crit:0 data:no

[2016/03/24 01:01:45.075853, 10, pid=32023, effective(0, 0), real(0, 0)] ../
source4/dsdb/samdb/ldb_modules/acl.c:1055(acl_modify)
  ldb:acl_modify: servicePrincipalName
[2016/03/24 01:01:45.076866, 10, pid=32023, effective(0, 0), real(0, 0),
class=ldb] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
[...]
  ldb: ldb_asprintf/set_errstring: error in module acl: Constraint violation
during LDB_MODIFY (19)
[...]
  ldb: ldb_trace_next_request: (tdb)->del_transaction
[2016/03/24 01:01:45.077191, 0, pid=32023, effective(0, 0), real(0, 0)] ../
source4/rpc_server/drsuapi/writespn.c:234(dcesrv_drsuapi_DsWriteAccountSpn)
  Failed to modify SPNs on CN=PCNAME,CN=Computers,DC=DOMAIN,DC=...: error in
module acl: Constraint violation during LDB_MODIFY (19)
[2016/03/24 01:01:45.079992, 1, pid=32023, effective(0, 0), real(0, 0)] ../
librpc/ndr/ndr.c:439(ndr_print_function_debug)
     drsuapi_DsWriteAccountSpn: struct drsuapi_DsWriteAccountSpn
        out: struct drsuapi_DsWriteAccountSpn
            level_out : *
                level_out : 0x00000001 (1)
            res : *
                res : union drsuapi_DsWriteAccountSpnResult(case 1)
                res1: struct drsuapi_DsWriteAccountSpnResult1
                    status : WERR_ACCESS_DENIED
            result : WERR_OK

I have two clients with installed Datev software / local SQL Server with
this problem.
Does SQL Server have wrong permissions, or is it a general problem?

Greetings
Markus
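
Added example (not part of the original thread, and not Samba project code): a small parser that automates the level-10 log search described in the last message, pairing each traced MODIFY of servicePrincipalName with a following acl-module constraint violation. The sample log is constructed; its DNs, host names and instance name are made up, and the line layout is an assumption modelled on the excerpt quoted above.

```python
import re

# Constructed level-10 trace modelled on the excerpt quoted in the thread.
# DNs, host names and the SQL instance name are made up for illustration.
SAMPLE_LOG = """\
  ldb: ldb_trace_request: MODIFY
   dn: CN=PC2,CN=Computers,DC=example,DC=com
   changetype: modify
   add: servicePrincipalName
   servicePrincipalName: TERMSRV/PC2.example.com
   -
  ldb: ldb_trace_request: MODIFY
   dn: CN=PC1,CN=Computers,DC=example,DC=com
   changetype: modify
   add: servicePrincipalName
   servicePrincipalName: MSSQLSvc/PC1.example.com:INSTANCE1
   -
  ldb:acl_modify: servicePrincipalName
  ldb: ldb_asprintf/set_errstring: error in module acl: Constraint violation during LDB_MODIFY (19)
  ldb: ldb_trace_next_request: (tdb)->del_transaction
"""

CHANGE = re.compile(r"^(add|replace|delete):\s*(\S+)$", re.I)
ACL_ERR = "error in module acl: Constraint violation"


def rejected_spn_writes(log_text):
    """Return (dn, spn, service_class) for SPN values in MODIFYs the acl module refused."""
    requests, cur, attr = [], None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if "ldb_trace_request: MODIFY" in line:
            # A new traced request starts; later errors belong to this one.
            cur = {"dn": None, "spns": [], "rejected": False}
            requests.append(cur)
            attr = None
        elif cur is None:
            continue
        elif line.startswith("dn:") and cur["dn"] is None:
            cur["dn"] = line[3:].strip()
        elif (m := CHANGE.match(line)):
            # Track which attribute the following value lines belong to.
            attr = m.group(2).lower() if m.group(1).lower() != "delete" else None
        elif line == "-":
            attr = None
        elif attr == "serviceprincipalname" and line.lower().startswith("serviceprincipalname:"):
            cur["spns"].append(line.split(":", 1)[1].strip())
        elif ACL_ERR in line:
            cur["rejected"] = True
    return [(r["dn"], s, s.split("/", 1)[0])
            for r in requests if r["rejected"] for s in r["spns"]]
```

Running rejected_spn_writes() over a real log.samba captured at log level 10 lists which machine accounts and SPN service classes are being refused, which is quicker than reading the trace by hand when several clients are affected.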