thr3ads.net - samba - [Samba] Failed to modify SPNs on error in module acl: Constraint violation during LDB

If this information is useful, please help other people find it:
Share via:

mathias dufresne

2016-Mar-10 09:41 UTC

[Samba] Failed to modify SPNs on error in module acl: Constraint violation during LDB_MODIFY (19)

Hi all,

SPN = servicePrincipalName

A simple search returning all servicePrincipalName declared in your AD:
ldbsearch -H $sam serviceprincipalname=* serviceprincipalname

An extract from result concerning a lambda client:
# record 41
dn: CN=win-client345,OU=Machines,DC=ad,DC=domain,DC=tld
servicePrincipalName: HOST/MB38W746-0009
servicePrincipalName: HOST/MB38W746-0009.ad.domain.tld
servicePrincipalName: TERMSRV/MB38W746-0009.ad.domain.tld
servicePrincipalName: TERMSRV/MB38W746-0009

I would start checking rights using security tab of your client machine
into ADUC tool to verify "SELF" is well configured (comparing with
some
other machine not generating these logs).

When this kind of message happens? When you add new client or when client
boots or randomly?

Not sure that helps, I tried ;)


2016-03-08 18:01 GMT+01:00 Adam Tauno Williams <awilliam at
whitemice.org>:
> On Tue, 2016-02-02 at 23:38 +0100, Markus Dellermann wrote:
> > sometimes I see following in the logs:
> > /source4/rpc_server/drsuapi/writespn.c:234(dcesrv_drsuapi_DsWriteAcco
> > untSpn)
> > Failed to modify SPNs on
> > CN=PCNAME,CN=Computers,DC=DOMAIN,DC=NAME,DC=NAME,DC=de: error in
> > module acl:
> > Constraint violation during LDB_MODIFY (19)
>
> I am seeing a very similar message - Failed to modify SPNs on
> CN=TERRINE-WHITE,OU=Terminal Servers,DC=example,DC=com: error in module
> acl: Constraint violation (19)
>
> > In the net i found this "explanation":
> >
> > "LDAP_CONSTRAINT_VIOLATION
> > Indicates that the attribute value specified in a modify, add, or
> > modify DN
> > operation violates constraints placed on the attribute. The
> > constraint can be
> > one of size or content (string only, no binary)."
> >
> > Hm, is this triggerd by dns-updates?
> > I see this only with two clients
> > How can I "debug" this ?
> >
> > I am using samba 4.3.4 with bind-dlz
> > clients are win7
> >
> > Thank you for your thoughts!
> >
> > Markus
> >
> --
> Adam Tauno Williams <mailto:awilliam at whitemice.org> GPG D95ED383
> Systems Administrator, Python Developer, LPI / NCLA
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Markus Dellermann

2016-Mar-13 23:44 UTC

head link

[Samba] Failed to modify SPNs on error in module acl: Constraint violation during LDB_MODIFY (19)

Am Donnerstag, 10. März 2016, 10:41:34 CET schrieb mathias dufresne:
Hi, Mathias and all
thank you for your answer.> Hi all,
> 
> SPN = servicePrincipalName
> 
> A simple search returning all servicePrincipalName declared in your AD:
> ldbsearch -H $sam serviceprincipalname=* serviceprincipalname
>For me:
ldbsearch -H
/var/lib/samba/private/sam.ldb serviceprincipalname=* serviceprincipalname
> An extract from result concerning a lambda client:
> # record 41
> dn: CN=win-client345,OU=Machines,DC=ad,DC=domain,DC=tld
> servicePrincipalName: HOST/MB38W746-0009
> servicePrincipalName: HOST/MB38W746-0009.ad.domain.tld
> servicePrincipalName: TERMSRV/MB38W746-0009.ad.domain.tld
> servicePrincipalName: TERMSRV/MB38W746-0009
> 
An affected client:
# record 6
dn: CN=MACHINE1,CN=Computers,DC=ad,DC=domain,DC=domain,DC=tld
servicePrincipalName: HOST/ MACHINE1.ad.domain.domain.tld
servicePrincipalName: RestrictedKrbHost/MACHINE1.ad.domain.domain.tld
servicePrincipalName: HOST/MACHINE1
servicePrincipalName: RestrictedKrbHost/MACHINE1
servicePrincipalName: TERMSRV/MACHINE1.ad.domain.domain.tld
servicePrincipalName: TERMSRV/MACHINE1

Not affected:
# record 19
dn: CN=MACHINE2,CN=Computers,DC=ad,DC=domain,DC=domain,DC=tld
servicePrincipalName: HOST/MACHINE2
servicePrincipalName: HOST/MACHINE2.ad.domain.domain.tld
servicePrincipalName: TERMSRV/MACHINE2.ad.domain.domain.tld
servicePrincipalName: TERMSRV/MACHINE2

Not affected:
# record 8
dn: CN=MACHINE3,CN=Computers,DC=ad,DC=domain,DC=domain,DC=tld
servicePrincipalName: HOST/MACHINE3
servicePrincipalName: HOST/MACHINE3.ad.domain.domain.tld
servicePrincipalName: TERMSRV/MACHINE3.ad.domain.domain.tld
servicePrincipalName: TERMSRV/MACHINE3
servicePrincipalName: RestrictedKrbHost/MACHINE3.ad.domain.domain.tld
servicePrincipalName: RestrictedKrbHost/MACHINE3

I see no big differences..
maybe except
"servicePrincipalName:
RestrictedKrbHost/MACHINE1.ad.domain.domain.tld"

Does the entry order matters?> I would start checking rights using security tab of your client machine
> into ADUC tool to verify "SELF" is well configured (comparing
with some
> other machine not generating these logs).
> No differences between the rights, but in "Attribut-Editor" 
Affected Clients have not set:
- displayName
- uidNumber
> When this kind of message happens? When you add new client or when client
> boots or randomly?
> 
For me it only occurs, when two of our clients boots.,> Not sure that helps, I tried ;)
> Thank  you!
(After holiday i will try to look deeper)

Markus
> 2016-03-08 18:01 GMT+01:00 Adam Tauno Williams <awilliam at
whitemice.org>:
> > On Tue, 2016-02-02 at 23:38 +0100, Markus Dellermann wrote:
> > > sometimes I see following in the logs:
> > >
/source4/rpc_server/drsuapi/writespn.c:234(dcesrv_drsuapi_DsWriteAcco
> > > untSpn)
> > > Failed to modify SPNs on
> > > CN=PCNAME,CN=Computers,DC=DOMAIN,DC=NAME,DC=NAME,DC=de: error in
> > > module acl:
> > > Constraint violation during LDB_MODIFY (19)
> > 
> > I am seeing a very similar message - Failed to modify SPNs on
> > CN=TERRINE-WHITE,OU=Terminal Servers,DC=example,DC=com: error in
module
> > acl: Constraint violation (19)
> > 
> > > In the net i found this "explanation":
> > > 
> > > "LDAP_CONSTRAINT_VIOLATION
> > > Indicates that the attribute value specified in a modify, add, or
> > > modify DN
> > > operation violates constraints placed on the attribute. The
> > > constraint can be
> > > one of size or content (string only, no binary)."
> > > 
> > > Hm, is this triggerd by dns-updates?
> > > I see this only with two clients
> > > How can I "debug" this ?
> > > 
> > > I am using samba 4.3.4 with bind-dlz
> > > clients are win7
> > > 
> > > Thank you for your thoughts!
> > > 
> > > Markus
> > 
> > --
> > Adam Tauno Williams <mailto:awilliam at whitemice.org> GPG
D95ED383
> > Systems Administrator, Python Developer, LPI / NCLA
> > 
> > 
> > 
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba

Markus Dellermann

2016-Mar-24 08:51 UTC

head link

[Samba] Failed to modify SPNs on error in module acl: Constraint violation during LDB_MODIFY (19)

Hi again,
Am Montag, 14. März 2016, 00:44:47 CET schrieb Markus
Dellermann:> Am Donnerstag, 10. März 2016, 10:41:34 CET schrieb mathias dufresne:
> Hi, Mathias and all
> thank you for your answer.
> 
> > Hi all,
> > 
> > SPN = servicePrincipalName
> > 
> > A simple search returning all servicePrincipalName declared in your
AD:
> > ldbsearch -H $sam serviceprincipalname=* serviceprincipalname
> 
> For me:
> ldbsearch -H
> /var/lib/samba/private/sam.ldb serviceprincipalname=* serviceprincipalname
> 
[...]
Thank you again for the hint!

With "loglevel=10" i found the affected servicePrincipalName:

ldb: ldb_trace_request: MODIFY
dn: CN=PCNAME,CN=Computers,DC=...
changetype: modify
add: servicePrincipalName
servicePrincipalName: MSSQLSvc/PCNAME.domain.domain.domain.de:DATEV_DBENGIN
   E
  - 
   control: 1.2.840.113556.1.4.1413  crit:0  data:no

[2016/03/24 01:01:45.075853, 10, pid=32023, effective(0, 0), real(0, 0)] ../
source4/dsdb/samdb/ldb_modules/acl.c:1055(acl_modify)
  ldb:acl_modify: servicePrincipalName

[2016/03/24 01:01:45.076866, 10, pid=32023, effective(0, 0), real(0, 0), 
class=ldb] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
[...]
  ldb: ldb_asprintf/set_errstring: error in module acl: Constraint violation 
during LDB_MODIFY (19)
[...]
  ldb: ldb_trace_next_request: (tdb)->del_transaction
[2016/03/24 01:01:45.077191,  0, pid=32023, effective(0, 0), real(0, 0)] ../
source4/rpc_server/drsuapi/writespn.c:234(dcesrv_drsuapi_DsWriteAccountSpn)
  Failed to modify SPNs on CN=PCNAME,CN=Computers,DC=DOMAIN,DC=...: error in 
module acl: Constraint violation during LDB_MODIFY (19)
[2016/03/24 01:01:45.079992,  1, pid=32023, effective(0, 0), real(0, 0)] ../
librpc/ndr/ndr.c:439(ndr_print_function_debug)
       drsuapi_DsWriteAccountSpn: struct drsuapi_DsWriteAccountSpn
          out: struct drsuapi_DsWriteAccountSpn
              level_out                : *
                  level_out                : 0x00000001 (1)
              res                      : *
                  res                      : union 
drsuapi_DsWriteAccountSpnResult(case 1)
                  res1: struct drsuapi_DsWriteAccountSpnResult1
                      status                   : WERR_ACCESS_DENIED
              result                   : WERR_OK

I have two clients with installed Datev -Software / local SQL-Server with this 
Problem

Does SQL-Server have wrong Permissions, or is it a general Problem?

Greetings

Markus

Apparently Analagous Threads

Search for more maybe matching threads

samba - Mar 2016 - Failed to modify SPNs on error in module acl: Constraint violation during LDB_MODIFY (19)

[Samba] Failed to modify SPNs on error in module acl: Constraint violation during LDB_MODIFY (19)

[Samba] Failed to modify SPNs on error in module acl: Constraint violation during LDB_MODIFY (19)

[Samba] Failed to modify SPNs on error in module acl: Constraint violation during LDB_MODIFY (19)

Apparently Analagous Threads