Markus Dellermann
2016-Mar-24 08:51 UTC
[Samba] Failed to modify SPNs on error in module acl: Constraint violation during LDB_MODIFY (19)
Hi again,

On Monday, 14 March 2016, 00:44:47 CET, Markus Dellermann wrote:
> On Thursday, 10 March 2016, 10:41:34 CET, mathias dufresne wrote:
> Hi, Mathias and all
> thank you for your answer.
>
> > Hi all,
> >
> > SPN = servicePrincipalName
> >
> > A simple search returning all servicePrincipalName declared in your AD:
> > ldbsearch -H $sam serviceprincipalname=* serviceprincipalname
>
> For me:
> ldbsearch -H /var/lib/samba/private/sam.ldb serviceprincipalname=* serviceprincipalname
> [...]

Thank you again for the hint!

With "loglevel=10" I found the affected servicePrincipalName:

ldb: ldb_trace_request: MODIFY
dn: CN=PCNAME,CN=Computers,DC=...
changetype: modify
add: servicePrincipalName
servicePrincipalName: MSSQLSvc/PCNAME.domain.domain.domain.de:DATEV_DBENGIN
 E
-
control: 1.2.840.113556.1.4.1413 crit:0 data:no

[2016/03/24 01:01:45.075853, 10, pid=32023, effective(0, 0), real(0, 0)] ../source4/dsdb/samdb/ldb_modules/acl.c:1055(acl_modify)
  ldb:acl_modify: servicePrincipalName
[2016/03/24 01:01:45.076866, 10, pid=32023, effective(0, 0), real(0, 0), class=ldb] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
[...]
ldb: ldb_asprintf/set_errstring: error in module acl: Constraint violation during LDB_MODIFY (19)
[...]
ldb: ldb_trace_next_request: (tdb)->del_transaction
[2016/03/24 01:01:45.077191, 0, pid=32023, effective(0, 0), real(0, 0)] ../source4/rpc_server/drsuapi/writespn.c:234(dcesrv_drsuapi_DsWriteAccountSpn)
  Failed to modify SPNs on CN=PCNAME,CN=Computers,DC=DOMAIN,DC=...: error in module acl: Constraint violation during LDB_MODIFY (19)
[2016/03/24 01:01:45.079992, 1, pid=32023, effective(0, 0), real(0, 0)] ../librpc/ndr/ndr.c:439(ndr_print_function_debug)
  drsuapi_DsWriteAccountSpn: struct drsuapi_DsWriteAccountSpn
    out: struct drsuapi_DsWriteAccountSpn
      level_out : *
        level_out : 0x00000001 (1)
      res : *
        res : union drsuapi_DsWriteAccountSpnResult(case 1)
          res1: struct drsuapi_DsWriteAccountSpnResult1
            status : WERR_ACCESS_DENIED
      result : WERR_OK

I have two clients with installed Datev software / local SQL Server with this problem.

Does SQL Server have wrong permissions, or is it a general problem?

Greetings
Markus
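A loglevel=10 Samba log like the one above is tedious to triage by eye, and the break inside DATEV_DBENGINE is just LDIF line folding of the traced request (a continuation line begins with a single space), not a broken value. The following Python script is an added example, not code from the thread or from Samba: it unfolds the traced LDIF request, pulls out the DN and the attribute change, and pairs the request with the first ldb error that follows it. The sample log is constructed from the lines quoted above, with the poster's DC=... placeholder replaced by an invented DC=EXAMPLE,DC=TEST.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the loglevel=10 lines quoted in the thread, with the
# poster's "DC=..." placeholder replaced by an invented DC=EXAMPLE,DC=TEST.
SAMPLE_LOG = """\
ldb: ldb_trace_request: MODIFY
dn: CN=PCNAME,CN=Computers,DC=EXAMPLE,DC=TEST
changetype: modify
add: servicePrincipalName
servicePrincipalName: MSSQLSvc/PCNAME.domain.domain.domain.de:DATEV_DBENGIN
 E
-
control: 1.2.840.113556.1.4.1413 crit:0 data:no

[2016/03/24 01:01:45.075853, 10, pid=32023, effective(0, 0), real(0, 0)] ../source4/dsdb/samdb/ldb_modules/acl.c:1055(acl_modify)
  ldb:acl_modify: servicePrincipalName
ldb: ldb_asprintf/set_errstring: error in module acl: Constraint violation during LDB_MODIFY (19)
ldb: ldb_trace_next_request: (tdb)->del_transaction
[2016/03/24 01:01:45.077191, 0, pid=32023, effective(0, 0), real(0, 0)] ../source4/rpc_server/drsuapi/writespn.c:234(dcesrv_drsuapi_DsWriteAccountSpn)
  Failed to modify SPNs on CN=PCNAME,CN=Computers,DC=EXAMPLE,DC=TEST: error in module acl: Constraint violation during LDB_MODIFY (19)
"""

TRACE_PREFIX = "ldb: ldb_trace_request: "
ERROR_RE = re.compile(r"error in module (?P<module>\w+): (?P<msg>.+?) \((?P<code>\d+)\)")


@dataclass
class TraceRequest:
    op: str                                  # MODIFY, ADD, ...
    dn: Optional[str]
    changes: List[Tuple[str, str, str]]      # (add|replace|delete, attribute, value)
    error: Optional[str] = None              # first ldb error reported after the request


def unfold_ldif(lines: List[str]) -> List[str]:
    """Join LDIF continuation lines: a line beginning with one space continues the previous one."""
    out: List[str] = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_trace_block(block: List[str]) -> Tuple[Optional[str], List[Tuple[str, str, str]]]:
    """Extract the dn and (op, attribute, value) triples from one traced LDIF request."""
    dn, changes, current_op = None, [], None
    for line in unfold_ldif(block):
        if line == "-":                      # end of one modification
            current_op = None
            continue
        key, sep, value = line.partition(": ")
        if not sep:
            continue
        if key == "dn":
            dn = value
        elif key in ("add", "replace", "delete"):
            current_op = (key, value)
        elif current_op is not None and key.lower() == current_op[1].lower():
            changes.append((current_op[0], key, value))
    return dn, changes


def extract_requests(log_text: str) -> List[TraceRequest]:
    """Walk a Samba debug log and pair each traced ldb request with the error that followed it."""
    lines = log_text.splitlines()
    requests: List[TraceRequest] = []
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith(TRACE_PREFIX):
            j = i + 1
            while j < len(lines) and lines[j] != "":   # the LDIF block ends at the blank line
                j += 1
            dn, changes = parse_trace_block(lines[i + 1:j])
            requests.append(TraceRequest(line[len(TRACE_PREFIX):], dn, changes))
            i = j
            continue
        match = ERROR_RE.search(line)
        if match and requests and requests[-1].error is None:
            requests[-1].error = f"{match['module']}: {match['msg']} ({match['code']})"
        i += 1
    return requests


def failed_requests(log_text: str) -> List[TraceRequest]:
    """Only the traced requests that were followed by an ldb module error."""
    return [r for r in extract_requests(log_text) if r.error is not None]


if __name__ == "__main__":
    for req in failed_requests(SAMPLE_LOG):
        print(f"{req.op} on {req.dn} failed: {req.error}")
        for op, attr, value in req.changes:
            print(f"  {op} {attr}: {value}")
```

Run against a real log file (`failed_requests(open("log.samba").read())`) it lists every traced write that the server rejected, with the unfolded attribute value, which is what you need before deciding whether the SPN itself or the caller's rights are the problem.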
mathias dufresne
2016-Mar-24 12:26 UTC
[Samba] Failed to modify SPNs on error in module acl: Constraint violation during LDB_MODIFY (19)
Hi,

I'm glad that helped you : )

About SPN, I found that link few days ago:
https://adsecurity.org/?page_id=183
It tries to list the string values available usable for SPN.

And it gives also that link:
http://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx
That one is a technet paper to explain SPNs.

I tried to read it but for now I wasn't able to fully understand it (more specifically to understand how I would re-use these concepts for my needs).

Anyway that second link describes SPN syntax as follows:

*serviceclass/host:port servicename*

*serviceclass* and *host* are required, but *port* and *service* name are optional. The colon between *host* and *port* is only required when a *port* is present.

According to that, and because I have no idea what DATEV_DBENGINE is:

dn: CN=PCNAME,CN=Computers,DC=...
changetype: modify
add: servicePrincipalName
servicePrincipalName: MSSQLSvc/PCNAME.ad-dom.domain.tld:<some port number>

And I would also add a second SPN using the NETBIOS name of PCNAME rather than the FQDN, which gives us:

servicePrincipalName: MSSQLSvc/PCNAME:<some port number>

Adding both SPNs you have two unique names for your SPN, and that SPN is valid when a client requests that SPN using the FQDN and/or NetBIOS name (or short name).

Please tell me if you were able to add the mentioned SPN and if your issue is now solved (just for my information ;)

Best regards,

mathias
Markus Dellermann
2016-Mar-29 10:09 UTC
[Samba] Failed to modify SPNs on error in module acl: Constraint violation during LDB_MODIFY (19)
Hi Mathias and all.

On Thursday, 24 March 2016, 13:26:12 CEST, mathias dufresne wrote:
> Hi,
>
> I'm glad that helped you : )
>
> About SPN, I found that link few days ago:
> https://adsecurity.org/?page_id=183
> It tries to list the string values available usable for SPN.
>
> And it gives also that link:
> http://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx
> That one is a technet paper to explain SPNs.
>
> I tried to read it but for now I wasn't able to fully understand it (more
> specifically to understand how I would re-use these concepts for my needs).
>
> Anyway that second link describe SPN syntax as follow:
>
> *serviceclass/host:port servicename*
>
> *serviceclass* and *host* are required, but *port* and *service* name are
> optional. The colon between *host* and *port* is only required when a *port*
> is present.

Thank you for the links & explanation.

> According to that and because I have no idea what is DATEV_DBENGINE

"DATEV_DBENGINE" is from a program called "Datev...", installed locally on this PC. Its DB is stored in a local Microsoft SQL. But yes, it seems curious that this is added to the servicePrincipalName. If I understand its syntax right, there should eventually be a port number, but maybe this is the local account name for this service.

> dn: CN=PCNAME,CN=Computers,DC=...
> changetype: modify
> add: servicePrincipalName
> servicePrincipalName: MSSQLSvc/PCNAME.ad-dom.domain.tld:<some port number>
>
> And I would also add a second SPN using NETBIOS name of PCNAME rather than
> FQDN, which gives us:
>
> servicePrincipalName: MSSQLSvc/PCNAME:<some port number>
>
> Adding both SPN you have two unique name for your SPN and that SPN is valid
> when client requesting that SPN using FQDN and/or Netbios name (or short
> name).

Adding manually doesn't work; MS SQL seems to want to modify this entry during its start.

> Please tell me if you were able to add mentioned SPN and if your issue is
> now solved (just for my information ;)

With ADUC I have edited extended rights from the client machine and assigned "SELF" rights for reading & writing "servicePrincipalName". This added the required line to sam.ldb:

servicePrincipalName: MSSQLSvc/PCNAME.domain.domain.domain.de:DATEV_DBENGIN
 E

Failures in the logs are gone, so this could be the way to fix this.

In terms of security I'm unsure if it's a good way to give a machine rights to add servicePrincipalNames?
I am also unclear why a local service should register itself in Active Directory. The easiest could be to disable this behaviour completely, if possible.

> Best regards,
>
> mathias

Greetings
Markus
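Two rules decide whether a machine should be allowed to register an SPN on its own account, and both bear on the security question raised above. First, the SPN syntax quoted earlier in the thread, serviceclass/host[:port][/servicename], where for MSSQLSvc the slot after the colon may carry a port or an instance name. Second, the Active Directory "validated write" to servicePrincipalName, which only accepts SPNs whose host part is one of the account's own names (dNSHostName, sAMAccountName without the trailing $, or a value of msDS-AdditionalDnsHostName), combined with the requirement that an SPN is unique in the directory. Granting a plain, unvalidated write on the attribute removes that host restriction, which is the difference to check when assigning SELF rights as described. The Python below is an added example written for this thread; it is not Samba's code (Samba's acl module performs a check of this kind, but confirm the exact behaviour of your version against its source), and the account, DN suffix DC=EXAMPLE,DC=TEST and the existing-SPN table are constructed sample data around the poster's PCNAME placeholder.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Spn:
    service_class: str
    host: str
    port_or_instance: Optional[str]  # text after ':'; a port, or for MSSQLSvc an instance name
    service_name: Optional[str]      # optional third component, e.g. ldap/dc1.example.test/EXAMPLE


def parse_spn(value: str) -> Spn:
    """Parse serviceclass/host[:port][/servicename]; raise ValueError on syntax errors."""
    parts = value.split("/")
    if len(parts) not in (2, 3) or any(p == "" for p in parts):
        raise ValueError(f"malformed SPN: {value!r}")
    host, sep, port = parts[1].partition(":")
    if host == "" or (sep and port == ""):   # a colon is only valid when a port/instance follows
        raise ValueError(f"malformed SPN: {value!r}")
    return Spn(parts[0], host, port or None, parts[2] if len(parts) == 3 else None)


@dataclass
class ComputerAccount:
    dn: str
    sam_account_name: str                 # e.g. "PCNAME$"
    dns_host_name: Optional[str] = None   # dNSHostName
    additional_dns_host_names: Set[str] = field(default_factory=set)  # msDS-AdditionalDnsHostName

    def own_names(self) -> Set[str]:
        """Host names this account may register SPNs for under the validated-write rule."""
        names = {self.sam_account_name.rstrip("$")}
        if self.dns_host_name:
            names.add(self.dns_host_name)
        names |= self.additional_dns_host_names
        return {n.lower() for n in names}


def check_spn_registration(value: str, account: ComputerAccount,
                           directory_spns: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether `account` may add `value` to its own servicePrincipalName.

    directory_spns maps every SPN already present (lower-cased) to the DN holding it;
    SPNs must be unique, so a value held by a different object is rejected.
    """
    try:
        spn = parse_spn(value)
    except ValueError as exc:
        return False, str(exc)
    if spn.host.lower() not in account.own_names():
        return False, f"host {spn.host!r} is not a name of {account.sam_account_name}"
    owner = directory_spns.get(value.lower())
    if owner is not None and owner.lower() != account.dn.lower():
        return False, f"SPN already registered on {owner}"
    return True, "ok"


# Constructed sample data: the poster's PCNAME placeholder with an invented DN suffix.
PCNAME = ComputerAccount(
    dn="CN=PCNAME,CN=Computers,DC=EXAMPLE,DC=TEST",
    sam_account_name="PCNAME$",
    dns_host_name="PCNAME.domain.domain.domain.de",
)
DIRECTORY_SPNS = {
    "host/pcname": PCNAME.dn,
    "host/pcname.domain.domain.domain.de": PCNAME.dn,
    # constructed: a SQL service account that already holds the default-port SPN
    "mssqlsvc/pcname.domain.domain.domain.de:1433": "CN=svc-sql,CN=Users,DC=EXAMPLE,DC=TEST",
    "mssqlsvc/otherhost.domain.domain.domain.de:1433": "CN=OTHERHOST,CN=Computers,DC=EXAMPLE,DC=TEST",
}


if __name__ == "__main__":
    for candidate in [
        "MSSQLSvc/PCNAME.domain.domain.domain.de:DATEV_DBENGINE",  # the SPN from the thread
        "MSSQLSvc/PCNAME:1433",                                    # NetBIOS form
        "MSSQLSvc/PCNAME.domain.domain.domain.de:1433",            # held by another account
        "MSSQLSvc/OTHERHOST.domain.domain.domain.de:1433",         # not this machine's host
        "MSSQLSvc/PCNAME.domain.domain.domain.de:",                # colon without port
    ]:
        ok, reason = check_spn_registration(candidate, PCNAME, DIRECTORY_SPNS)
        print(f"{'ALLOW' if ok else 'DENY '} {candidate}  ({reason})")
```

The first two candidates pass: the instance-name form from the thread is syntactically fine and names the machine's own FQDN, and the NetBIOS form is derived from sAMAccountName. The others are refused for the reasons a directory would give: a duplicate of an SPN held by another object, a host that is not one of the machine's own names, and a malformed value. Feeding the output of `ldbsearch -H /var/lib/samba/private/sam.ldb serviceprincipalname=* serviceprincipalname` into `directory_spns` turns the same function into a periodic audit for SPNs that point at a host other than the account holding them.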