On Tue, 7 Aug 2018 12:51:33 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:

> > > > Failed to modify SPNs on CN=db1,CN=Computers,DC=mydom,DC=lan: acl:
> > > > spn validation failed for spn[TERMSRV/DB1.MYDOM] uac[0x1000]
> > > > account[db1$] hostname[(null)] nbname[mydom] ntds[(null)]
> > > > forest[mydom.lan] domain[mydom.lan]
> > > >
> > > > At first I thought it was about missing SPN entries, but adding
> > > > these did not resolve the problem:
> > > >
> > > > # samba-tool spn list db1$
> > > > db1$
> > > > User CN=db1,CN=Computers,DC=mydom,DC=lan has the following
> > > > servicePrincipalName: TERMSRV/db1
> > > > TERMSRV/db1.mydom
> > > > TERMSRV/db1.mydom.lan
> > > >
> > > >
> > > > Samba is 4.7.8 and one DC with 4.8.3.
> > > >
> > >
> > > I am fairly sure that 'TERMSRV' is coming from 'spn_update_list'
> > > and it is trying to be added by 'samba_spnupdate'.
> > > There is however a problem, this is the bottom of 'spn_update_list':
> > >
> > > # Only used on Terminal Server mode:
> > > # TERMSRV/${HOSTNAME}
> > > # TERMSRV/${NETBIOSNAME}
> > >
> > > As you can see, all the lines are commented out and should be
> > > ignored.
> > >
> > > Have you modified the 'spn_update_list' ?
> > >
> >
> > No, in /var/lib/samba/private/spn_update_list the lines you quoted are
> > still commented out.
> >
> > Like I said, after the messages appeared (right after the migration
> > from the old NT-style domain) I added the TERMSRV entries manually
> > with
> >
> > samba-tool spn add TERMSRV/db1 db1$
> > samba-tool spn add TERMSRV/db1.mydom db1$
> > samba-tool spn add TERMSRV/db1.mydom.lan db1$
> >
> > thinking, this would resolve the issue, but it didn't.
> >
> > However, since TERMSRV is ignored, could one simply ignore these
> > messages as well?
> >
> > Kind Regards,
> >
> > Henry
> >
>
> Well, you could, but where are they coming from ?
> Do you actually use terminal servers ?
>
> Can you post your smb.conf files.

Yes, we are using terminal servers and connecting to various machines
via RDP. Indeed all machines regarding those TERMSRV messages are
machines at which we use remote desktop services.

# cat /etc/samba/smb.conf
[global]
netbios name = DC1
realm = MYDOM.LAN
server role = active directory domain controller
workgroup = MYDOM
idmap_ldb:use rfc2307 = yes
dns forwarder = 1.2.3.4
dsdb:schema update allowed=true

[netlogon]
path = /var/lib/samba/sysvol/mydom.lan/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No

On Tue, 7 Aug 2018 14:55:24 +0200
Henry Jensen via samba <samba at lists.samba.org> wrote:

> On Tue, 7 Aug 2018 12:51:33 +0100
> Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > > > > Failed to modify SPNs on CN=db1,CN=Computers,DC=mydom,DC=lan:
> > > > > acl: spn validation failed for spn[TERMSRV/DB1.MYDOM]
> > > > > uac[0x1000] account[db1$] hostname[(null)] nbname[mydom]
> > > > > ntds[(null)] forest[mydom.lan] domain[mydom.lan]
> > > > >
> > > > > At first I thought it was about missing SPN entries, but
> > > > > adding these did not resolve the problem:
> > > > >
> > > > > # samba-tool spn list db1$
> > > > > db1$
> > > > > User CN=db1,CN=Computers,DC=mydom,DC=lan has the following
> > > > > servicePrincipalName: TERMSRV/db1
> > > > > TERMSRV/db1.mydom
> > > > > TERMSRV/db1.mydom.lan
> > > > >
> > > > >
> > > > > Samba is 4.7.8 and one DC with 4.8.3.
> > > > >
> > > >
> > > > I am fairly sure that 'TERMSRV' is coming from 'spn_update_list'
> > > > and it is trying to be added by 'samba_spnupdate'.
> > > > There is however a problem, this is the bottom of
> > > > 'spn_update_list':
> > > >
> > > > # Only used on Terminal Server mode:
> > > > # TERMSRV/${HOSTNAME}
> > > > # TERMSRV/${NETBIOSNAME}
> > > >
> > > > As you can see, all the lines are commented out and should be
> > > > ignored.
> > > >
> > > > Have you modified the 'spn_update_list' ?
> > > >
> > >
> > > No, in /var/lib/samba/private/spn_update_list the lines you
> > > quoted are still commented out.
> > >
> > > Like I said, after the messages appeared (right after the
> > > migration from the old NT-style domain) I added the TERMSRV
> > > entries manually with
> > >
> > > samba-tool spn add TERMSRV/db1 db1$
> > > samba-tool spn add TERMSRV/db1.mydom db1$
> > > samba-tool spn add TERMSRV/db1.mydom.lan db1$
> > >
> > > thinking, this would resolve the issue, but it didn't.
> > >
> > > However, since TERMSRV is ignored, could one simply ignore these
> > > messages as well?
> > >
> > > Kind Regards,
> > >
> > > Henry
> > >
> >
> > Well, you could, but where are they coming from ?
> > Do you actually use terminal servers ?
> >
> > Can you post your smb.conf files.
>
> Yes, we are using terminal servers and connecting to various machines
> via RDP. Indeed all machines regarding those TERMSRV messages are
> machines at which we use remote desktop services.
>
>
> # cat /etc/samba/smb.conf
> [global]
> netbios name = DC1
> realm = MYDOM.LAN
> server role = active directory domain controller
> workgroup = MYDOM
> idmap_ldb:use rfc2307 = yes
> dns forwarder = 1.2.3.4
> dsdb:schema update allowed=true
>
> [netlogon]
> path = /var/lib/samba/sysvol/mydom.lan/scripts
> read only = No
>
> [sysvol]
> path = /var/lib/samba/sysvol
> read only = No
>
>

OK, try adding the SPN, yes I know you have already tried ;-)
Try it this way

samba-tool spn add TERMSRV/DB1.MYDOM db1$

Rowland

On Tue, 7 Aug 2018 14:59:56 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Tue, 7 Aug 2018 14:55:24 +0200
> Henry Jensen via samba <samba at lists.samba.org> wrote:
>
> > On Tue, 7 Aug 2018 12:51:33 +0100
> > Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> > > > > > Failed to modify SPNs on CN=db1,CN=Computers,DC=mydom,DC=lan:
> > > > > > acl: spn validation failed for spn[TERMSRV/DB1.MYDOM]
> > > > > > uac[0x1000] account[db1$] hostname[(null)] nbname[mydom]
> > > > > > ntds[(null)] forest[mydom.lan] domain[mydom.lan]
> > > > > >
> > > > > > At first I thought it was about missing SPN entries, but
> > > > > > adding these did not resolve the problem:
> > > > > >
> > > > > > # samba-tool spn list db1$
> > > > > > db1$
> > > > > > User CN=db1,CN=Computers,DC=mydom,DC=lan has the following
> > > > > > servicePrincipalName: TERMSRV/db1
> > > > > > TERMSRV/db1.mydom
> > > > > > TERMSRV/db1.mydom.lan
> > > > > >
> > > > > >
> > > > > > Samba is 4.7.8 and one DC with 4.8.3.
> > > > > >
> > > > >
> > > > > I am fairly sure that 'TERMSRV' is coming from 'spn_update_list'
> > > > > and it is trying to be added by 'samba_spnupdate'.
> > > > > There is however a problem, this is the bottom of
> > > > > 'spn_update_list':
> > > > >
> > > > > # Only used on Terminal Server mode:
> > > > > # TERMSRV/${HOSTNAME}
> > > > > # TERMSRV/${NETBIOSNAME}
> > > > >
> > > > > As you can see, all the lines are commented out and should be
> > > > > ignored.
> > > > >
> > > > > Have you modified the 'spn_update_list' ?
> > > > >
> > > >
> > > > No, in /var/lib/samba/private/spn_update_list the lines you
> > > > quoted are still commented out.
> > > >
> > > > Like I said, after the messages appeared (right after the
> > > > migration from the old NT-style domain) I added the TERMSRV
> > > > entries manually with
> > > >
> > > > samba-tool spn add TERMSRV/db1 db1$
> > > > samba-tool spn add TERMSRV/db1.mydom db1$
> > > > samba-tool spn add TERMSRV/db1.mydom.lan db1$
> > > >
> > > > thinking, this would resolve the issue, but it didn't.
> > > >
> > > > However, since TERMSRV is ignored, could one simply ignore these
> > > > messages as well?
> > > >
> > > > Kind Regards,
> > > >
> > > > Henry
> > > >
> > >
> > > Well, you could, but where are they coming from ?
> > > Do you actually use terminal servers ?
> > >
> > > Can you post your smb.conf files.
> >
> > Yes, we are using terminal servers and connecting to various machines
> > via RDP. Indeed all machines regarding those TERMSRV messages are
> > machines at which we use remote desktop services.
> >
> >
> > # cat /etc/samba/smb.conf
> > [global]
> > netbios name = DC1
> > realm = MYDOM.LAN
> > server role = active directory domain controller
> > workgroup = MYDOM
> > idmap_ldb:use rfc2307 = yes
> > dns forwarder = 1.2.3.4
> > dsdb:schema update allowed=true
> >
> > [netlogon]
> > path = /var/lib/samba/sysvol/mydom.lan/scripts
> > read only = No
> >
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = No
> >
> >
>
> OK, try adding the SPN, yes I know you have already tried ;-)
> Try it this way
>
> samba-tool spn add TERMSRV/DB1.MYDOM db1$

OK, I tried it with upper case:

# samba-tool spn add TERMSRV/DB1.MYDOM db1$
ERROR: Service principal TERMSRV/DB1.MYDOM already affected to another user

Kind Regards,

Henry
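The two failure modes in this thread, an SPN that another account already holds (the "already affected to another user" error) and an SPN whose host part the DC cannot tie to the account it is being added to (the "acl: spn validation failed" message, logged here with hostname[(null)], i.e. no dNSHostName on the migrated computer object), can both be found ahead of time with an offline pass over an export of the computer accounts. The Python below is an added example, not Samba's code and not part of the thread: the directory snapshot is constructed, and the host-matching rule (SPN host must equal the account's short name, its dNSHostName, or the short name qualified with a domain name) is a simplified model of Samba's check, not its exact algorithm.

```python
"""Offline SPN hygiene checks over a constructed directory snapshot.

Check 1: duplicate SPNs. AD treats SPNs case-insensitively, so
         TERMSRV/db1.mydom on one account and TERMSRV/DB1.MYDOM on
         another is a conflict.
Check 2: host mismatch. A simplified model (assumption, not Samba's
         exact rule) of the acl check: the host part of an SPN must be
         one of the names the account itself is known by.
"""
from collections import defaultdict

# Constructed sample snapshot, not real directory data. Attributes mirror
# what 'samba-tool spn list' and the acl log line refer to.
SAMPLE_ACCOUNTS = [
    {
        "sAMAccountName": "db1$",
        "dNSHostName": None,   # missing after an NT4-style migration
        "servicePrincipalName": [
            "TERMSRV/db1", "TERMSRV/db1.mydom", "TERMSRV/db1.mydom.lan",
        ],
    },
    {
        "sAMAccountName": "ts1$",
        "dNSHostName": "ts1.mydom.lan",
        "servicePrincipalName": [
            "TERMSRV/DB1.MYDOM",   # clashes with db1$ once case-folded
            "TERMSRV/ts1.mydom.lan",
            "HOST/ts1.mydom.lan",
        ],
    },
]

# Domain names the short host name may be qualified with (assumption).
SAMPLE_DOMAINS = ["mydom", "mydom.lan"]


def split_spn(spn):
    """Return (service, host), lower-cased, from 'service/host[:port][/name]'."""
    service, _, rest = spn.partition("/")
    host = rest.split("/", 1)[0].split(":", 1)[0]
    return service.lower(), host.lower()


def find_duplicate_spns(accounts):
    """Map each case-folded SPN to the sorted accounts that claim it,
    keeping only SPNs held by more than one account."""
    owners = defaultdict(set)
    for acct in accounts:
        for spn in acct["servicePrincipalName"]:
            owners[spn.lower()].add(acct["sAMAccountName"].lower())
    return {spn: sorted(a) for spn, a in owners.items() if len(a) > 1}


def allowed_hosts(acct, domain_names):
    """Names an SPN on this account may refer to: the short name (the
    sAMAccountName without '$'), the dNSHostName if present, and the
    short name qualified with each domain name."""
    short = acct["sAMAccountName"].lower().rstrip("$")
    names = {short}
    if acct["dNSHostName"]:
        names.add(acct["dNSHostName"].lower())
    for dom in domain_names:
        names.add(f"{short}.{dom.lower()}")
    return names


def find_host_mismatches(accounts, domain_names):
    """Return [(sAMAccountName, spn)] for SPNs whose host part is not one
    of the owning account's own names."""
    bad = []
    for acct in accounts:
        ok = allowed_hosts(acct, domain_names)
        for spn in acct["servicePrincipalName"]:
            _, host = split_spn(spn)
            if host not in ok:
                bad.append((acct["sAMAccountName"], spn))
    return bad


if __name__ == "__main__":
    for spn, accts in find_duplicate_spns(SAMPLE_ACCOUNTS).items():
        print(f"duplicate SPN {spn}: claimed by {', '.join(accts)}")
    for acct, spn in find_host_mismatches(SAMPLE_ACCOUNTS, SAMPLE_DOMAINS):
        print(f"host mismatch on {acct}: {spn}")
```

Run against the constructed snapshot it reports that termsrv/db1.mydom is claimed by both db1$ and ts1$, which is exactly the situation behind the final error in the thread, and flags TERMSRV/DB1.MYDOM on ts1$ as naming a host that is not ts1$'s own. Feeding it a real export means building the same list of dicts from the sAMAccountName, dNSHostName and servicePrincipalName attributes of each computer object; the script does not query the directory itself.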