samba - Mar 2016 - Failed to modify SPNs on error in module acl: Constraint violation during LDB_MODIFY (19)

Hi Mathias and all.
Am Donnerstag, 24. März 2016, 13:26:12 CEST schrieb mathias
dufresne:
> Hi,
> 
> I'm glad that helped you : )
> 
> About SPN, I found that link few days ago:
> https://adsecurity.org/?page_id=183
> It tries to list the string values available usable for SPN.
> 
> And it gives also that link:
>
http://social.technet.microsoft.com/wiki/contents/articles/717.service-princ
> ipal-names-spns-setspn-syntax-setspn-exe.aspx That one is a technet paper
to
> explain SPNs.
> 
> I tried to read it but for now I wasn't able to fully understand it
(more
> specifically to understand how I would re-use these concepts for my needs).
> 
> Anyway that second link describe SPN syntax as follow:
> 
> *serviceclass/host:port servicename*
> 
> *serviceclass* and *host* are required, but *port* and *service* name are
> optional. The colon between *host* and *port* is only required when a
*port*
> is present.
> 
Thank you for the links & explanation
> According to that and because I have no idea what is DATEV_DBENGINE
"DATEV_DBENGINE"
This is from an Programm called "Datev...", installed local on this
pc.
It`s db is stored in local Microsoft-SQL.
But yes, its seems curios, that this is added to the servicePrincipalname
If i understand it`s syntax right, there should be eventually a portnumber, 
but maybe this is the local accountname for this
service.
> dn: CN=PCNAME,CN=Computers,DC=...
> changetype: modify
> add: servicePrincipalName
> servicePrincipalName: MSSQLSvc/PCNAME.ad-dom.domain.tld:<some port
number>
> 
> And I would also add a second SPN using NETBIOS name of PCNAME rather than
> FQDN, which gives us:
> 
> servicePrincipalName: MSSQLSvc/PCNAME:<some port number>
> 
> Adding both SPN you have two unique name for your SPN and that SPN is valid
> when client requesting that SPN using FQDN and/or Netbios name (or short
> name).
> 
Adding manually doesn`t work -MS-SQL seems want to modify this entry during 
it`s start.
> Please tell me if you were able to add mentioned SPN and if your issue is
> now solved (just for my information ;)
> 
With ADUC i have edit extended rights from client machine
and assigned "SELF" rights for reading & write
"servicePrincipalName"
This added this required line to sam.ldb:
servicePrincipalName: MSSQLSvc/PCNAME.domain.domain.domain.de:DATEV_DBENGIN
  E

Failures in the logs are gone, so this could be the way to fix this.
In terms of security i`m unsure, if it`s a good way, to give an machine rights 
to add servicePrincipalNames ?


I am also unclear, why local service should register himself in active-
directory,
The easiest could be to disable this behaviour complete -if
possible..
> Best regards,
> 
> mathias
> 
Greetings

Markus
> 2016-03-24 9:51 GMT+01:00 Markus Dellermann <li-mli at gmx.net>:
> > Hi again,
> > 
> > Am Montag, 14. März 2016, 00:44:47 CET schrieb Markus Dellermann:
> > > Am Donnerstag, 10. März 2016, 10:41:34 CET schrieb mathias
dufresne:
> > > Hi, Mathias and all
> > > thank you for your answer.
> > > 
> > > > Hi all,
> > > > 
> > > > SPN = servicePrincipalName
> > > > 
> > > > A simple search returning all servicePrincipalName declared
in your
> > > > AD:
> > > > ldbsearch -H $sam serviceprincipalname=*
serviceprincipalname
> > > 
> > > For me:
> > > ldbsearch -H
> > > /var/lib/samba/private/sam.ldb serviceprincipalname=*
> > 
> > serviceprincipalname
> > 
> > 
> > [...]
> > Thank you again for the hint!
> > 
> > With "loglevel=10" i found the affected
servicePrincipalName:
> > 
> > ldb: ldb_trace_request: MODIFY
> > dn: CN=PCNAME,CN=Computers,DC=...
> > changetype: modify
> > add: servicePrincipalName
> > servicePrincipalName: MSSQLSvc/PCNAME.domain.domain.domain.de:
> > DATEV_DBENGIN
> > 
> >    E
> >   
> >   -
> >   
> >    control: 1.2.840.113556.1.4.1413  crit:0  data:no
> > 
> > [2016/03/24 01:01:45.075853, 10, pid=32023, effective(0, 0), real(0,
0)]
> > ../
> > source4/dsdb/samdb/ldb_modules/acl.c:1055(acl_modify)
> > 
> >   ldb:acl_modify: servicePrincipalName
> > 
> > [2016/03/24 01:01:45.076866, 10, pid=32023, effective(0, 0), real(0,
0),
> > class=ldb] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
> > [...]
> > 
> >   ldb: ldb_asprintf/set_errstring: error in module acl: Constraint
> > 
> > violation
> > during LDB_MODIFY (19)
> > [...]
> > 
> >   ldb: ldb_trace_next_request: (tdb)->del_transaction
> > 
> > [2016/03/24 01:01:45.077191,  0, pid=32023, effective(0, 0), real(0,
0)]
> > ../
> >
source4/rpc_server/drsuapi/writespn.c:234(dcesrv_drsuapi_DsWriteAccountSpn
> > )
> > 
> >   Failed to modify SPNs on CN=PCNAME,CN=Computers,DC=DOMAIN,DC=...:
error
> > 
> > in
> > module acl: Constraint violation during LDB_MODIFY (19)
> > [2016/03/24 01:01:45.079992,  1, pid=32023, effective(0, 0), real(0,
0)]
> > ../
> > librpc/ndr/ndr.c:439(ndr_print_function_debug)
> > 
> >        drsuapi_DsWriteAccountSpn: struct drsuapi_DsWriteAccountSpn
> >        
> >           out: struct drsuapi_DsWriteAccountSpn
> >           
> >               level_out                : *
> >               
> >                   level_out                : 0x00000001 (1)
> >               
> >               res                      : *
> >               
> >                   res                      : union
> > 
> > drsuapi_DsWriteAccountSpnResult(case 1)
> > 
> >                   res1: struct drsuapi_DsWriteAccountSpnResult1
> >                   
> >                       status                   : WERR_ACCESS_DENIED
> >               
> >               result                   : WERR_OK
> > 
> > I have two clients with installed Datev -Software / local SQL-Server
with
> > this
> > Problem
> > 
> > Does SQL-Server have wrong Permissions, or is it a general Problem?
> > 
> > Greetings
> > 
> > Markus
> > 
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba

I'm not an expert, especially when it comes to servicePrincipalName which I
haven't understood until now but I think it is safe to give an object the
right to modify itself.

If securing is one of your main concern, you could try to remove the
possibility to that account to modify itself, once the servicePrincipalName
is created. Doing that SPN should NOT be removed (no right to remove it)
and authentication should continue to work (SPN is there). You could have
errors into your logs if MS-SQLserv tries to remove SPN at shutdown and/or
add it again at startup.

Anyway, I'm very glad to read I was able to help you a little bit with my
little knowledge on that subject :)

Have a nice day!

mathias

2016-03-29 12:09 GMT+02:00 Markus Dellermann <li-mli at gmx.net>:
> Hi Mathias and all.
> Am Donnerstag, 24. März 2016, 13:26:12 CEST schrieb mathias dufresne:
> > Hi,
> >
> > I'm glad that helped you : )
> >
> > About SPN, I found that link few days ago:
> > https://adsecurity.org/?page_id=183
> > It tries to list the string values available usable for SPN.
> >
> > And it gives also that link:
> >
>
http://social.technet.microsoft.com/wiki/contents/articles/717.service-princ
> > ipal-names-spns-setspn-syntax-setspn-exe.aspx That one is a technet
> paper to
> > explain SPNs.
> >
> > I tried to read it but for now I wasn't able to fully understand
it (more
> > specifically to understand how I would re-use these concepts for my
> needs).
> >
> > Anyway that second link describe SPN syntax as follow:
> >
> > *serviceclass/host:port servicename*
> >
> > *serviceclass* and *host* are required, but *port* and *service* name
are
> > optional. The colon between *host* and *port* is only required when a
> *port*
> > is present.
> >
> Thank you for the links & explanation
> > According to that and because I have no idea what is DATEV_DBENGINE
>
> "DATEV_DBENGINE"
> This is from an Programm called "Datev...", installed local on
this pc.
> It`s db is stored in local Microsoft-SQL.
> But yes, its seems curios, that this is added to the servicePrincipalname
> If i understand it`s syntax right, there should be eventually a portnumber,
> but maybe this is the local accountname for this service.
> > dn: CN=PCNAME,CN=Computers,DC=...
> > changetype: modify
> > add: servicePrincipalName
> > servicePrincipalName: MSSQLSvc/PCNAME.ad-dom.domain.tld:<some port
> number>
> >
> > And I would also add a second SPN using NETBIOS name of PCNAME rather
> than
> > FQDN, which gives us:
> >
> > servicePrincipalName: MSSQLSvc/PCNAME:<some port number>
> >
> > Adding both SPN you have two unique name for your SPN and that SPN is
> valid
> > when client requesting that SPN using FQDN and/or Netbios name (or
short
> > name).
> >
>
> Adding manually doesn`t work -MS-SQL seems want to modify this entry during
> it`s start.
> > Please tell me if you were able to add mentioned SPN and if your issue
is
> > now solved (just for my information ;)
> >
>
> With ADUC i have edit extended rights from client machine
> and assigned "SELF" rights for reading & write
"servicePrincipalName"
> This added this required line to sam.ldb:
> servicePrincipalName: MSSQLSvc/PCNAME.domain.domain.domain.de:
> DATEV_DBENGIN
>   E
>
> Failures in the logs are gone, so this could be the way to fix this.
> In terms of security i`m unsure, if it`s a good way, to give an machine
> rights
> to add servicePrincipalNames ?
>
>
> I am also unclear, why local service should register himself in active-
> directory,
> The easiest could be to disable this behaviour complete -if possible..
> > Best regards,
> >
> > mathias
> >
> Greetings
>
> Markus
>
> > 2016-03-24 9:51 GMT+01:00 Markus Dellermann <li-mli at gmx.net>:
> > > Hi again,
> > >
> > > Am Montag, 14. März 2016, 00:44:47 CET schrieb Markus Dellermann:
> > > > Am Donnerstag, 10. März 2016, 10:41:34 CET schrieb mathias
dufresne:
> > > > Hi, Mathias and all
> > > > thank you for your answer.
> > > >
> > > > > Hi all,
> > > > >
> > > > > SPN = servicePrincipalName
> > > > >
> > > > > A simple search returning all servicePrincipalName
declared in your
> > > > > AD:
> > > > > ldbsearch -H $sam serviceprincipalname=*
serviceprincipalname
> > > >
> > > > For me:
> > > > ldbsearch -H
> > > > /var/lib/samba/private/sam.ldb serviceprincipalname=*
> > >
> > > serviceprincipalname
> > >
> > >
> > > [...]
> > > Thank you again for the hint!
> > >
> > > With "loglevel=10" i found the affected
servicePrincipalName:
> > >
> > > ldb: ldb_trace_request: MODIFY
> > > dn: CN=PCNAME,CN=Computers,DC=...
> > > changetype: modify
> > > add: servicePrincipalName
> > > servicePrincipalName: MSSQLSvc/PCNAME.domain.domain.domain.de:
> > > DATEV_DBENGIN
> > >
> > >    E
> > >
> > >   -
> > >
> > >    control: 1.2.840.113556.1.4.1413  crit:0  data:no
> > >
> > > [2016/03/24 01:01:45.075853, 10, pid=32023, effective(0, 0),
real(0,
> 0)]
> > > ../
> > > source4/dsdb/samdb/ldb_modules/acl.c:1055(acl_modify)
> > >
> > >   ldb:acl_modify: servicePrincipalName
> > >
> > > [2016/03/24 01:01:45.076866, 10, pid=32023, effective(0, 0),
real(0,
> 0),
> > > class=ldb] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
> > > [...]
> > >
> > >   ldb: ldb_asprintf/set_errstring: error in module acl:
Constraint
> > >
> > > violation
> > > during LDB_MODIFY (19)
> > > [...]
> > >
> > >   ldb: ldb_trace_next_request: (tdb)->del_transaction
> > >
> > > [2016/03/24 01:01:45.077191,  0, pid=32023, effective(0, 0),
real(0,
> 0)]
> > > ../
> > >
> source4/rpc_server/drsuapi/writespn.c:234(dcesrv_drsuapi_DsWriteAccountSpn
> > > )
> > >
> > >   Failed to modify SPNs on
CN=PCNAME,CN=Computers,DC=DOMAIN,DC=...:
> error
> > >
> > > in
> > > module acl: Constraint violation during LDB_MODIFY (19)
> > > [2016/03/24 01:01:45.079992,  1, pid=32023, effective(0, 0),
real(0,
> 0)]
> > > ../
> > > librpc/ndr/ndr.c:439(ndr_print_function_debug)
> > >
> > >        drsuapi_DsWriteAccountSpn: struct
drsuapi_DsWriteAccountSpn
> > >
> > >           out: struct drsuapi_DsWriteAccountSpn
> > >
> > >               level_out                : *
> > >
> > >                   level_out                : 0x00000001 (1)
> > >
> > >               res                      : *
> > >
> > >                   res                      : union
> > >
> > > drsuapi_DsWriteAccountSpnResult(case 1)
> > >
> > >                   res1: struct drsuapi_DsWriteAccountSpnResult1
> > >
> > >                       status                   :
WERR_ACCESS_DENIED
> > >
> > >               result                   : WERR_OK
> > >
> > > I have two clients with installed Datev -Software / local
SQL-Server
> with
> > > this
> > > Problem
> > >
> > > Does SQL-Server have wrong Permissions, or is it a general
Problem?
> > >
> > > Greetings
> > >
> > > Markus
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read
the
> > > instructions:  https://lists.samba.org/mailman/options/samba
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>

Good morning...
Am Dienstag, 29. März 2016, 13:26:30 CEST schrieb mathias
dufresne:
> I'm not an expert, especially when it comes to servicePrincipalName
which I
> haven't understood until now but I think it is safe to give an object
the
> right to modify itself.
> 
> If securing is one of your main concern, you could try to remove the
> possibility to that account to modify itself, once the servicePrincipalName
> is created. Doing that SPN should NOT be removed (no right to remove it)
> and authentication should continue to work (SPN is there). You could have
> errors into your logs if MS-SQLserv tries to remove SPN at shutdown and/or
> add it again at startup.
> 
About securing, i found this:
http://files.cnblogs.com/files/woodytu/Microsoft.SQL.Server.
2012.Security.Cookbook.Rudi.Bruchez.Packt.2012.pdf

From that the servicePrinipalName-things should work out of the box (with 
local system-account):

"...then the SQL Server instance will automatically 
register the SPN on the Active Directory when it is started, and it will 
unregister it when it is stopped. This is also the case when the service 
account is the built-in LocalSystem or the NetworkService local account. These 
accounts are shown as the machine name at the AD 
and have the rights to register the SPN."

I couldn't find a solution to disable the whole behaviour - i don't need
this
service in network.
So i have to live with registering the ServicePricipalNames or with errors in 
the logs.
Maybe i generate a serviceaccount for sqlserver, but this all isnt`t very 
related to samba...
> Anyway, I'm very glad to read I was able to help you a little bit with
my
> little knowledge on that subject :)
> 
Thank you for your help
> Have a nice day!
> 
And you!
> mathias
> 
Greetings
Markus
> 2016-03-29 12:09 GMT+02:00 Markus Dellermann <li-mli at gmx.net>:
> > Hi Mathias and all.
> > 
> > Am Donnerstag, 24. März 2016, 13:26:12 CEST schrieb mathias dufresne:
> > > Hi,
> > > 
> > > I'm glad that helped you : )
> > > 
> > > About SPN, I found that link few days ago:
> > > https://adsecurity.org/?page_id=183
> > > It tries to list the string values available usable for SPN.
> > 
> > > And it gives also that link:
> >
http://social.technet.microsoft.com/wiki/contents/articles/717.service-pri
> > nc> 
> > > ipal-names-spns-setspn-syntax-setspn-exe.aspx That one is a
technet
> > 
> > paper to
> > 
> > > explain SPNs.
> > > 
> > > I tried to read it but for now I wasn't able to fully
understand it
> > > (more
> > > specifically to understand how I would re-use these concepts for
my
> > 
> > needs).
> > 
> > > Anyway that second link describe SPN syntax as follow:
> > > 
> > > *serviceclass/host:port servicename*
> > > 
> > > *serviceclass* and *host* are required, but *port* and *service*
name
> > > are
> > > optional. The colon between *host* and *port* is only required
when a
> > 
> > *port*
> > 
> > > is present.
> > 
> > Thank you for the links & explanation
> > 
> > > According to that and because I have no idea what is
DATEV_DBENGINE
> > 
> > "DATEV_DBENGINE"
> > This is from an Programm called "Datev...", installed local
on this pc.
> > It`s db is stored in local Microsoft-SQL.
> > But yes, its seems curios, that this is added to the
servicePrincipalname
> > If i understand it`s syntax right, there should be eventually a
> > portnumber,
> > but maybe this is the local accountname for this service.
> > 
> > > dn: CN=PCNAME,CN=Computers,DC=...
> > > changetype: modify
> > > add: servicePrincipalName
> > > servicePrincipalName: MSSQLSvc/PCNAME.ad-dom.domain.tld:<some
port
> > 
> > number>
> > 
> > > And I would also add a second SPN using NETBIOS name of PCNAME
rather
> > 
> > than
> > 
> > > FQDN, which gives us:
> > > 
> > > servicePrincipalName: MSSQLSvc/PCNAME:<some port number>
> > > 
> > > Adding both SPN you have two unique name for your SPN and that
SPN is
> > 
> > valid
> > 
> > > when client requesting that SPN using FQDN and/or Netbios name
(or short
> > > name).
> > 
> > Adding manually doesn`t work -MS-SQL seems want to modify this entry
> > during
> > it`s start.
> > 
> > > Please tell me if you were able to add mentioned SPN and if your
issue
> > > is
> > > now solved (just for my information ;)
> > 
> > With ADUC i have edit extended rights from client machine
> > and assigned "SELF" rights for reading & write
"servicePrincipalName"
> > This added this required line to sam.ldb:
> > servicePrincipalName: MSSQLSvc/PCNAME.domain.domain.domain.de:
> > DATEV_DBENGIN
> > 
> >   E
> > 
> > Failures in the logs are gone, so this could be the way to fix this.
> > In terms of security i`m unsure, if it`s a good way, to give an
machine
> > rights
> > to add servicePrincipalNames ?
> > 
> > 
> > I am also unclear, why local service should register himself in
active-
> > directory,
> > The easiest could be to disable this behaviour complete -if possible..
> > 
> > > Best regards,
> > > 
> > > mathias
> > 
> > Greetings
> > 
> > Markus
> > 
> > > 2016-03-24 9:51 GMT+01:00 Markus Dellermann <li-mli at
gmx.net>:
> > > > Hi again,
> > > > 
> > > > Am Montag, 14. März 2016, 00:44:47 CET schrieb Markus
Dellermann:
> > > > > Am Donnerstag, 10. März 2016, 10:41:34 CET schrieb
mathias dufresne:
> > > > > Hi, Mathias and all
> > > > > thank you for your answer.
> > > > > 
> > > > > > Hi all,
> > > > > > 
> > > > > > SPN = servicePrincipalName
> > > > > > 
> > > > > > A simple search returning all servicePrincipalName
declared in
> > > > > > your
> > > > > > AD:
> > > > > > ldbsearch -H $sam serviceprincipalname=*
serviceprincipalname
> > > > > 
> > > > > For me:
> > > > > ldbsearch -H
> > > > > /var/lib/samba/private/sam.ldb serviceprincipalname=*
> > > > 
> > > > serviceprincipalname
> > > > 
> > > > 
> > > > [...]
> > > > Thank you again for the hint!
> > > > 
> > > > With "loglevel=10" i found the affected
servicePrincipalName:
> > > > 
> > > > ldb: ldb_trace_request: MODIFY
> > > > dn: CN=PCNAME,CN=Computers,DC=...
> > > > changetype: modify
> > > > add: servicePrincipalName
> > > > servicePrincipalName:
MSSQLSvc/PCNAME.domain.domain.domain.de:
> > > > DATEV_DBENGIN
> > > > 
> > > >    E
> > > >   
> > > >   -
> > > >   
> > > >    control: 1.2.840.113556.1.4.1413  crit:0  data:no
> > > > 
> > > > [2016/03/24 01:01:45.075853, 10, pid=32023, effective(0, 0),
real(0,
> > 
> > 0)]
> > 
> > > > ../
> > > > source4/dsdb/samdb/ldb_modules/acl.c:1055(acl_modify)
> > > > 
> > > >   ldb:acl_modify: servicePrincipalName
> > > > 
> > > > [2016/03/24 01:01:45.076866, 10, pid=32023, effective(0, 0),
real(0,
> > 
> > 0),
> > 
> > > > class=ldb] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug)
> > > > [...]
> > > > 
> > > >   ldb: ldb_asprintf/set_errstring: error in module acl:
Constraint
> > > > 
> > > > violation
> > > > during LDB_MODIFY (19)
> > > > [...]
> > > > 
> > > >   ldb: ldb_trace_next_request: (tdb)->del_transaction
> > > > 
> > > > [2016/03/24 01:01:45.077191,  0, pid=32023, effective(0, 0),
real(0,
> > 
> > 0)]
> > 
> > > > ../
> > 
> >
source4/rpc_server/drsuapi/writespn.c:234(dcesrv_drsuapi_DsWriteAccountSpn
> > 
> > > > )
> > > > 
> > > >   Failed to modify SPNs on
CN=PCNAME,CN=Computers,DC=DOMAIN,DC=...:
> > error
> > 
> > > > in
> > > > module acl: Constraint violation during LDB_MODIFY (19)
> > > > [2016/03/24 01:01:45.079992,  1, pid=32023, effective(0, 0),
real(0,
> > 
> > 0)]
> > 
> > > > ../
> > > > librpc/ndr/ndr.c:439(ndr_print_function_debug)
> > > > 
> > > >        drsuapi_DsWriteAccountSpn: struct
drsuapi_DsWriteAccountSpn
> > > >        
> > > >           out: struct drsuapi_DsWriteAccountSpn
> > > >           
> > > >               level_out                : *
> > > >               
> > > >                   level_out                : 0x00000001 (1)
> > > >               
> > > >               res                      : *
> > > >               
> > > >                   res                      : union
> > > > 
> > > > drsuapi_DsWriteAccountSpnResult(case 1)
> > > > 
> > > >                   res1: struct
drsuapi_DsWriteAccountSpnResult1
> > > >                   
> > > >                       status                   :
WERR_ACCESS_DENIED
> > > >               
> > > >               result                   : WERR_OK
> > > > 
> > > > I have two clients with installed Datev -Software / local
SQL-Server
> > 
> > with
> > 
> > > > this
> > > > Problem
> > > > 
> > > > Does SQL-Server have wrong Permissions, or is it a general
Problem?
> > > > 
> > > > Greetings
> > > > 
> > > > Markus
> > > > 
> > > > --
> > > > To unsubscribe from this list go to the following URL and
read the
> > > > instructions:  https://lists.samba.org/mailman/options/samba
> > 
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  https://lists.samba.org/mailman/options/samba