Markus Dellermann
2016-Mar-29 10:09 UTC
[Samba] Failed to modify SPNs on error in module acl: Constraint violation during LDB_MODIFY (19)
Hi Mathias and all. Am Donnerstag, 24. März 2016, 13:26:12 CEST schrieb mathias dufresne:> Hi, > > I'm glad that helped you : ) > > About SPN, I found that link few days ago: > https://adsecurity.org/?page_id=183 > It tries to list the string values available usable for SPN. > > And it gives also that link: > http://social.technet.microsoft.com/wiki/contents/articles/717.service-princ > ipal-names-spns-setspn-syntax-setspn-exe.aspx That one is a technet paper to > explain SPNs. > > I tried to read it but for now I wasn't able to fully understand it (more > specifically to understand how I would re-use these concepts for my needs). > > Anyway that second link describe SPN syntax as follow: > > *serviceclass/host:port servicename* > > *serviceclass* and *host* are required, but *port* and *service* name are > optional. The colon between *host* and *port* is only required when a *port* > is present. >Thank you for the links & explanation> According to that and because I have no idea what is DATEV_DBENGINE"DATEV_DBENGINE" This is from an Programm called "Datev...", installed local on this pc. It`s db is stored in local Microsoft-SQL. But yes, its seems curios, that this is added to the servicePrincipalname If i understand it`s syntax right, there should be eventually a portnumber, but maybe this is the local accountname for this service.> dn: CN=PCNAME,CN=Computers,DC=... > changetype: modify > add: servicePrincipalName > servicePrincipalName: MSSQLSvc/PCNAME.ad-dom.domain.tld:<some port number> > > And I would also add a second SPN using NETBIOS name of PCNAME rather than > FQDN, which gives us: > > servicePrincipalName: MSSQLSvc/PCNAME:<some port number> > > Adding both SPN you have two unique name for your SPN and that SPN is valid > when client requesting that SPN using FQDN and/or Netbios name (or short > name). >Adding manually doesn`t work -MS-SQL seems want to modify this entry during it`s start.> Please tell me if you were able to add mentioned SPN and if your issue is > now solved (just for my information ;) >With ADUC i have edit extended rights from client machine and assigned "SELF" rights for reading & write "servicePrincipalName" This added this required line to sam.ldb: servicePrincipalName: MSSQLSvc/PCNAME.domain.domain.domain.de:DATEV_DBENGIN E Failures in the logs are gone, so this could be the way to fix this. In terms of security i`m unsure, if it`s a good way, to give an machine rights to add servicePrincipalNames ? I am also unclear, why local service should register himself in active- directory, The easiest could be to disable this behaviour complete -if possible..> Best regards, > > mathias >Greetings Markus> 2016-03-24 9:51 GMT+01:00 Markus Dellermann <li-mli at gmx.net>: > > Hi again, > > > > Am Montag, 14. März 2016, 00:44:47 CET schrieb Markus Dellermann: > > > Am Donnerstag, 10. März 2016, 10:41:34 CET schrieb mathias dufresne: > > > Hi, Mathias and all > > > thank you for your answer. > > > > > > > Hi all, > > > > > > > > SPN = servicePrincipalName > > > > > > > > A simple search returning all servicePrincipalName declared in your > > > > AD: > > > > ldbsearch -H $sam serviceprincipalname=* serviceprincipalname > > > > > > For me: > > > ldbsearch -H > > > /var/lib/samba/private/sam.ldb serviceprincipalname=* > > > > serviceprincipalname > > > > > > [...] > > Thank you again for the hint! > > > > With "loglevel=10" i found the affected servicePrincipalName: > > > > ldb: ldb_trace_request: MODIFY > > dn: CN=PCNAME,CN=Computers,DC=... > > changetype: modify > > add: servicePrincipalName > > servicePrincipalName: MSSQLSvc/PCNAME.domain.domain.domain.de: > > DATEV_DBENGIN > > > > E > > > > - > > > > control: 1.2.840.113556.1.4.1413 crit:0 data:no > > > > [2016/03/24 01:01:45.075853, 10, pid=32023, effective(0, 0), real(0, 0)] > > ../ > > source4/dsdb/samdb/ldb_modules/acl.c:1055(acl_modify) > > > > ldb:acl_modify: servicePrincipalName > > > > [2016/03/24 01:01:45.076866, 10, pid=32023, effective(0, 0), real(0, 0), > > class=ldb] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug) > > [...] > > > > ldb: ldb_asprintf/set_errstring: error in module acl: Constraint > > > > violation > > during LDB_MODIFY (19) > > [...] > > > > ldb: ldb_trace_next_request: (tdb)->del_transaction > > > > [2016/03/24 01:01:45.077191, 0, pid=32023, effective(0, 0), real(0, 0)] > > ../ > > source4/rpc_server/drsuapi/writespn.c:234(dcesrv_drsuapi_DsWriteAccountSpn > > ) > > > > Failed to modify SPNs on CN=PCNAME,CN=Computers,DC=DOMAIN,DC=...: error > > > > in > > module acl: Constraint violation during LDB_MODIFY (19) > > [2016/03/24 01:01:45.079992, 1, pid=32023, effective(0, 0), real(0, 0)] > > ../ > > librpc/ndr/ndr.c:439(ndr_print_function_debug) > > > > drsuapi_DsWriteAccountSpn: struct drsuapi_DsWriteAccountSpn > > > > out: struct drsuapi_DsWriteAccountSpn > > > > level_out : * > > > > level_out : 0x00000001 (1) > > > > res : * > > > > res : union > > > > drsuapi_DsWriteAccountSpnResult(case 1) > > > > res1: struct drsuapi_DsWriteAccountSpnResult1 > > > > status : WERR_ACCESS_DENIED > > > > result : WERR_OK > > > > I have two clients with installed Datev -Software / local SQL-Server with > > this > > Problem > > > > Does SQL-Server have wrong Permissions, or is it a general Problem? > > > > Greetings > > > > Markus > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba
mathias dufresne
2016-Mar-29 11:26 UTC
[Samba] Failed to modify SPNs on error in module acl: Constraint violation during LDB_MODIFY (19)
I'm not an expert, especially when it comes to servicePrincipalName which I haven't understood until now but I think it is safe to give an object the right to modify itself. If securing is one of your main concern, you could try to remove the possibility to that account to modify itself, once the servicePrincipalName is created. Doing that SPN should NOT be removed (no right to remove it) and authentication should continue to work (SPN is there). You could have errors into your logs if MS-SQLserv tries to remove SPN at shutdown and/or add it again at startup. Anyway, I'm very glad to read I was able to help you a little bit with my little knowledge on that subject :) Have a nice day! mathias 2016-03-29 12:09 GMT+02:00 Markus Dellermann <li-mli at gmx.net>:> Hi Mathias and all. > Am Donnerstag, 24. März 2016, 13:26:12 CEST schrieb mathias dufresne: > > Hi, > > > > I'm glad that helped you : ) > > > > About SPN, I found that link few days ago: > > https://adsecurity.org/?page_id=183 > > It tries to list the string values available usable for SPN. > > > > And it gives also that link: > > > http://social.technet.microsoft.com/wiki/contents/articles/717.service-princ > > ipal-names-spns-setspn-syntax-setspn-exe.aspx That one is a technet > paper to > > explain SPNs. > > > > I tried to read it but for now I wasn't able to fully understand it (more > > specifically to understand how I would re-use these concepts for my > needs). > > > > Anyway that second link describe SPN syntax as follow: > > > > *serviceclass/host:port servicename* > > > > *serviceclass* and *host* are required, but *port* and *service* name are > > optional. The colon between *host* and *port* is only required when a > *port* > > is present. > > > Thank you for the links & explanation > > According to that and because I have no idea what is DATEV_DBENGINE > > "DATEV_DBENGINE" > This is from an Programm called "Datev...", installed local on this pc. > It`s db is stored in local Microsoft-SQL. > But yes, its seems curios, that this is added to the servicePrincipalname > If i understand it`s syntax right, there should be eventually a portnumber, > but maybe this is the local accountname for this service. > > dn: CN=PCNAME,CN=Computers,DC=... > > changetype: modify > > add: servicePrincipalName > > servicePrincipalName: MSSQLSvc/PCNAME.ad-dom.domain.tld:<some port > number> > > > > And I would also add a second SPN using NETBIOS name of PCNAME rather > than > > FQDN, which gives us: > > > > servicePrincipalName: MSSQLSvc/PCNAME:<some port number> > > > > Adding both SPN you have two unique name for your SPN and that SPN is > valid > > when client requesting that SPN using FQDN and/or Netbios name (or short > > name). > > > > Adding manually doesn`t work -MS-SQL seems want to modify this entry during > it`s start. > > Please tell me if you were able to add mentioned SPN and if your issue is > > now solved (just for my information ;) > > > > With ADUC i have edit extended rights from client machine > and assigned "SELF" rights for reading & write "servicePrincipalName" > This added this required line to sam.ldb: > servicePrincipalName: MSSQLSvc/PCNAME.domain.domain.domain.de: > DATEV_DBENGIN > E > > Failures in the logs are gone, so this could be the way to fix this. > In terms of security i`m unsure, if it`s a good way, to give an machine > rights > to add servicePrincipalNames ? > > > I am also unclear, why local service should register himself in active- > directory, > The easiest could be to disable this behaviour complete -if possible.. > > Best regards, > > > > mathias > > > Greetings > > Markus > > > 2016-03-24 9:51 GMT+01:00 Markus Dellermann <li-mli at gmx.net>: > > > Hi again, > > > > > > Am Montag, 14. März 2016, 00:44:47 CET schrieb Markus Dellermann: > > > > Am Donnerstag, 10. März 2016, 10:41:34 CET schrieb mathias dufresne: > > > > Hi, Mathias and all > > > > thank you for your answer. > > > > > > > > > Hi all, > > > > > > > > > > SPN = servicePrincipalName > > > > > > > > > > A simple search returning all servicePrincipalName declared in your > > > > > AD: > > > > > ldbsearch -H $sam serviceprincipalname=* serviceprincipalname > > > > > > > > For me: > > > > ldbsearch -H > > > > /var/lib/samba/private/sam.ldb serviceprincipalname=* > > > > > > serviceprincipalname > > > > > > > > > [...] > > > Thank you again for the hint! > > > > > > With "loglevel=10" i found the affected servicePrincipalName: > > > > > > ldb: ldb_trace_request: MODIFY > > > dn: CN=PCNAME,CN=Computers,DC=... > > > changetype: modify > > > add: servicePrincipalName > > > servicePrincipalName: MSSQLSvc/PCNAME.domain.domain.domain.de: > > > DATEV_DBENGIN > > > > > > E > > > > > > - > > > > > > control: 1.2.840.113556.1.4.1413 crit:0 data:no > > > > > > [2016/03/24 01:01:45.075853, 10, pid=32023, effective(0, 0), real(0, > 0)] > > > ../ > > > source4/dsdb/samdb/ldb_modules/acl.c:1055(acl_modify) > > > > > > ldb:acl_modify: servicePrincipalName > > > > > > [2016/03/24 01:01:45.076866, 10, pid=32023, effective(0, 0), real(0, > 0), > > > class=ldb] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug) > > > [...] > > > > > > ldb: ldb_asprintf/set_errstring: error in module acl: Constraint > > > > > > violation > > > during LDB_MODIFY (19) > > > [...] > > > > > > ldb: ldb_trace_next_request: (tdb)->del_transaction > > > > > > [2016/03/24 01:01:45.077191, 0, pid=32023, effective(0, 0), real(0, > 0)] > > > ../ > > > > source4/rpc_server/drsuapi/writespn.c:234(dcesrv_drsuapi_DsWriteAccountSpn > > > ) > > > > > > Failed to modify SPNs on CN=PCNAME,CN=Computers,DC=DOMAIN,DC=...: > error > > > > > > in > > > module acl: Constraint violation during LDB_MODIFY (19) > > > [2016/03/24 01:01:45.079992, 1, pid=32023, effective(0, 0), real(0, > 0)] > > > ../ > > > librpc/ndr/ndr.c:439(ndr_print_function_debug) > > > > > > drsuapi_DsWriteAccountSpn: struct drsuapi_DsWriteAccountSpn > > > > > > out: struct drsuapi_DsWriteAccountSpn > > > > > > level_out : * > > > > > > level_out : 0x00000001 (1) > > > > > > res : * > > > > > > res : union > > > > > > drsuapi_DsWriteAccountSpnResult(case 1) > > > > > > res1: struct drsuapi_DsWriteAccountSpnResult1 > > > > > > status : WERR_ACCESS_DENIED > > > > > > result : WERR_OK > > > > > > I have two clients with installed Datev -Software / local SQL-Server > with > > > this > > > Problem > > > > > > Does SQL-Server have wrong Permissions, or is it a general Problem? > > > > > > Greetings > > > > > > Markus > > > > > > -- > > > To unsubscribe from this list go to the following URL and read the > > > instructions: https://lists.samba.org/mailman/options/samba > > > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
Markus Dellermann
2016-Mar-31 07:45 UTC
[Samba] Failed to modify SPNs on error in module acl: Constraint violation during LDB_MODIFY (19)
Good morning... Am Dienstag, 29. März 2016, 13:26:30 CEST schrieb mathias dufresne:> I'm not an expert, especially when it comes to servicePrincipalName which I > haven't understood until now but I think it is safe to give an object the > right to modify itself. > > If securing is one of your main concern, you could try to remove the > possibility to that account to modify itself, once the servicePrincipalName > is created. Doing that SPN should NOT be removed (no right to remove it) > and authentication should continue to work (SPN is there). You could have > errors into your logs if MS-SQLserv tries to remove SPN at shutdown and/or > add it again at startup. >About securing, i found this: http://files.cnblogs.com/files/woodytu/Microsoft.SQL.Server. 2012.Security.Cookbook.Rudi.Bruchez.Packt.2012.pdf From that the servicePrinipalName-things should work out of the box (with local system-account): "...then the SQL Server instance will automatically register the SPN on the Active Directory when it is started, and it will unregister it when it is stopped. This is also the case when the service account is the built-in LocalSystem or the NetworkService local account. These accounts are shown as the machine name at the AD and have the rights to register the SPN." I couldn't find a solution to disable the whole behaviour - i don't need this service in network. So i have to live with registering the ServicePricipalNames or with errors in the logs. Maybe i generate a serviceaccount for sqlserver, but this all isnt`t very related to samba...> Anyway, I'm very glad to read I was able to help you a little bit with my > little knowledge on that subject :) >Thank you for your help> Have a nice day! >And you!> mathias >Greetings Markus> 2016-03-29 12:09 GMT+02:00 Markus Dellermann <li-mli at gmx.net>: > > Hi Mathias and all. > > > > Am Donnerstag, 24. März 2016, 13:26:12 CEST schrieb mathias dufresne: > > > Hi, > > > > > > I'm glad that helped you : ) > > > > > > About SPN, I found that link few days ago: > > > https://adsecurity.org/?page_id=183 > > > It tries to list the string values available usable for SPN. > > > > > And it gives also that link: > > http://social.technet.microsoft.com/wiki/contents/articles/717.service-pri > > nc> > > > ipal-names-spns-setspn-syntax-setspn-exe.aspx That one is a technet > > > > paper to > > > > > explain SPNs. > > > > > > I tried to read it but for now I wasn't able to fully understand it > > > (more > > > specifically to understand how I would re-use these concepts for my > > > > needs). > > > > > Anyway that second link describe SPN syntax as follow: > > > > > > *serviceclass/host:port servicename* > > > > > > *serviceclass* and *host* are required, but *port* and *service* name > > > are > > > optional. The colon between *host* and *port* is only required when a > > > > *port* > > > > > is present. > > > > Thank you for the links & explanation > > > > > According to that and because I have no idea what is DATEV_DBENGINE > > > > "DATEV_DBENGINE" > > This is from an Programm called "Datev...", installed local on this pc. > > It`s db is stored in local Microsoft-SQL. > > But yes, its seems curios, that this is added to the servicePrincipalname > > If i understand it`s syntax right, there should be eventually a > > portnumber, > > but maybe this is the local accountname for this service. > > > > > dn: CN=PCNAME,CN=Computers,DC=... > > > changetype: modify > > > add: servicePrincipalName > > > servicePrincipalName: MSSQLSvc/PCNAME.ad-dom.domain.tld:<some port > > > > number> > > > > > And I would also add a second SPN using NETBIOS name of PCNAME rather > > > > than > > > > > FQDN, which gives us: > > > > > > servicePrincipalName: MSSQLSvc/PCNAME:<some port number> > > > > > > Adding both SPN you have two unique name for your SPN and that SPN is > > > > valid > > > > > when client requesting that SPN using FQDN and/or Netbios name (or short > > > name). > > > > Adding manually doesn`t work -MS-SQL seems want to modify this entry > > during > > it`s start. > > > > > Please tell me if you were able to add mentioned SPN and if your issue > > > is > > > now solved (just for my information ;) > > > > With ADUC i have edit extended rights from client machine > > and assigned "SELF" rights for reading & write "servicePrincipalName" > > This added this required line to sam.ldb: > > servicePrincipalName: MSSQLSvc/PCNAME.domain.domain.domain.de: > > DATEV_DBENGIN > > > > E > > > > Failures in the logs are gone, so this could be the way to fix this. > > In terms of security i`m unsure, if it`s a good way, to give an machine > > rights > > to add servicePrincipalNames ? > > > > > > I am also unclear, why local service should register himself in active- > > directory, > > The easiest could be to disable this behaviour complete -if possible.. > > > > > Best regards, > > > > > > mathias > > > > Greetings > > > > Markus > > > > > 2016-03-24 9:51 GMT+01:00 Markus Dellermann <li-mli at gmx.net>: > > > > Hi again, > > > > > > > > Am Montag, 14. März 2016, 00:44:47 CET schrieb Markus Dellermann: > > > > > Am Donnerstag, 10. März 2016, 10:41:34 CET schrieb mathias dufresne: > > > > > Hi, Mathias and all > > > > > thank you for your answer. > > > > > > > > > > > Hi all, > > > > > > > > > > > > SPN = servicePrincipalName > > > > > > > > > > > > A simple search returning all servicePrincipalName declared in > > > > > > your > > > > > > AD: > > > > > > ldbsearch -H $sam serviceprincipalname=* serviceprincipalname > > > > > > > > > > For me: > > > > > ldbsearch -H > > > > > /var/lib/samba/private/sam.ldb serviceprincipalname=* > > > > > > > > serviceprincipalname > > > > > > > > > > > > [...] > > > > Thank you again for the hint! > > > > > > > > With "loglevel=10" i found the affected servicePrincipalName: > > > > > > > > ldb: ldb_trace_request: MODIFY > > > > dn: CN=PCNAME,CN=Computers,DC=... > > > > changetype: modify > > > > add: servicePrincipalName > > > > servicePrincipalName: MSSQLSvc/PCNAME.domain.domain.domain.de: > > > > DATEV_DBENGIN > > > > > > > > E > > > > > > > > - > > > > > > > > control: 1.2.840.113556.1.4.1413 crit:0 data:no > > > > > > > > [2016/03/24 01:01:45.075853, 10, pid=32023, effective(0, 0), real(0, > > > > 0)] > > > > > > ../ > > > > source4/dsdb/samdb/ldb_modules/acl.c:1055(acl_modify) > > > > > > > > ldb:acl_modify: servicePrincipalName > > > > > > > > [2016/03/24 01:01:45.076866, 10, pid=32023, effective(0, 0), real(0, > > > > 0), > > > > > > class=ldb] ../lib/ldb-samba/ldb_wrap.c:76(ldb_wrap_debug) > > > > [...] > > > > > > > > ldb: ldb_asprintf/set_errstring: error in module acl: Constraint > > > > > > > > violation > > > > during LDB_MODIFY (19) > > > > [...] > > > > > > > > ldb: ldb_trace_next_request: (tdb)->del_transaction > > > > > > > > [2016/03/24 01:01:45.077191, 0, pid=32023, effective(0, 0), real(0, > > > > 0)] > > > > > > ../ > > > > source4/rpc_server/drsuapi/writespn.c:234(dcesrv_drsuapi_DsWriteAccountSpn > > > > > > ) > > > > > > > > Failed to modify SPNs on CN=PCNAME,CN=Computers,DC=DOMAIN,DC=...: > > error > > > > > > in > > > > module acl: Constraint violation during LDB_MODIFY (19) > > > > [2016/03/24 01:01:45.079992, 1, pid=32023, effective(0, 0), real(0, > > > > 0)] > > > > > > ../ > > > > librpc/ndr/ndr.c:439(ndr_print_function_debug) > > > > > > > > drsuapi_DsWriteAccountSpn: struct drsuapi_DsWriteAccountSpn > > > > > > > > out: struct drsuapi_DsWriteAccountSpn > > > > > > > > level_out : * > > > > > > > > level_out : 0x00000001 (1) > > > > > > > > res : * > > > > > > > > res : union > > > > > > > > drsuapi_DsWriteAccountSpnResult(case 1) > > > > > > > > res1: struct drsuapi_DsWriteAccountSpnResult1 > > > > > > > > status : WERR_ACCESS_DENIED > > > > > > > > result : WERR_OK > > > > > > > > I have two clients with installed Datev -Software / local SQL-Server > > > > with > > > > > > this > > > > Problem > > > > > > > > Does SQL-Server have wrong Permissions, or is it a general Problem? > > > > > > > > Greetings > > > > > > > > Markus > > > > > > > > -- > > > > To unsubscribe from this list go to the following URL and read the > > > > instructions: https://lists.samba.org/mailman/options/samba > > > > -- > > To unsubscribe from this list go to the following URL and read the > > instructions: https://lists.samba.org/mailman/options/samba
Seemingly Similar Threads
- Failed to modify SPNs on error in module acl: Constraint violation during LDB_MODIFY (19)
- Failed to modify SPNs on error in module acl: Constraint violation during LDB_MODIFY (19)
- Failed to modify SPNs on error in module acl: Constraint violation during LDB_MODIFY (19)
- Failed to modify SPNs on error in module acl: Constraint violation during LDB_MODIFY (19)
- Failed to modify SPNs on error in module acl: Constraint violation during LDB_MODIFY (19)