On Tue, 7 Aug 2018 14:59:56 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Tue, 7 Aug 2018 14:55:24 +0200
> Henry Jensen via samba <samba at lists.samba.org> wrote:
>
> > On Tue, 7 Aug 2018 12:51:33 +0100
> > Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> > > > > > Failed to modify SPNs on CN=db1,CN=Computers,DC=mydom,DC=lan:
> > > > > > acl: spn validation failed for spn[TERMSRV/DB1.MYDOM]
> > > > > > uac[0x1000] account[db1$] hostname[(null)] nbname[mydom]
> > > > > > ntds[(null)] forest[mydom.lan] domain[mydom.lan]
> > > > > >
> > > > > > At first I thought it was about missing SPN entries, but
> > > > > > adding these did not resolve the problem:
> > > > > >
> > > > > > # samba-tool spn list db1$
> > > > > > db1$
> > > > > > User CN=db1,CN=Computers,DC=mydom,DC=lan has the following
> > > > > > servicePrincipalName: TERMSRV/db1
> > > > > > TERMSRV/db1.mydom
> > > > > > TERMSRV/db1.mydom.lan
> > > > > >
> > > > > > Samba is 4.7.8 and one DC with 4.8.3.
> > > > >
> > > > > I am fairly sure that 'TERMSRV' is coming from 'spn_update_list'
> > > > > and it is trying to be added by 'samba_spnupdate'.
> > > > > There is however a problem, this is the bottom of
> > > > > 'spn_update_list':
> > > > >
> > > > > # Only used on Terminal Server mode:
> > > > > # TERMSRV/${HOSTNAME}
> > > > > # TERMSRV/${NETBIOSNAME}
> > > > >
> > > > > As you can see, all the lines are commented out and should be
> > > > > ignored.
> > > > >
> > > > > Have you modified the 'spn_update_list' ?
> > > >
> > > > No, in /var/lib/samba/private/spn_update_list the lines you
> > > > quoted are still commented out.
> > > >
> > > > Like I said, after the messages appeared (right after the
> > > > migration from the old NT-style domain) I added the TERMSRV
> > > > entries manually with
> > > >
> > > > samba-tool spn add TERMSRV/db1 db1$
> > > > samba-tool spn add TERMSRV/db1.mydom db1$
> > > > samba-tool spn add TERMSRV/db1.mydom.lan db1$
> > > >
> > > > thinking this would resolve the issue, but it didn't.
> > > >
> > > > However, since TERMSRV is ignored, could one simply ignore these
> > > > messages as well?
> > > >
> > > > Kind Regards,
> > > >
> > > > Henry
> > >
> > > Well, you could, but where are they coming from ?
> > > Do you actually use terminal servers ?
> > >
> > > Can you post your smb.conf files.
> >
> > Yes, we are using terminal servers and connecting to various machines
> > via RDP. Indeed all machines regarding those TERMSRV messages are
> > machines at which we use remote desktop services.
> >
> > # cat /etc/samba/smb.conf
> > [global]
> > netbios name = DC1
> > realm = MYDOM.LAN
> > server role = active directory domain controller
> > workgroup = MYDOM
> > idmap_ldb:use rfc2307 = yes
> > dns forwarder = 1.2.3.4
> > dsdb:schema update allowed=true
> >
> > [netlogon]
> > path = /var/lib/samba/sysvol/mydom.lan/scripts
> > read only = No
> >
> > [sysvol]
> > path = /var/lib/samba/sysvol
> > read only = No
>
> OK, try adding the SPN, yes I know you have already tried ;-)
> Try it this way
>
> samba-tool spn add TERMSRV/DB1.MYDOM db1$

OK, I tried it with upper case:

# samba-tool spn add TERMSRV/DB1.MYDOM db1$
ERROR: Service principal TERMSRV/DB1.MYDOM already affected to another user

Kind Regards,

Henry
On Tue, 7 Aug 2018 17:13:02 +0200
Henry Jensen via samba <samba at lists.samba.org> wrote:

> On Tue, 7 Aug 2018 14:59:56 +0100
> Rowland Penny via samba <samba at lists.samba.org> wrote:
>
> > On Tue, 7 Aug 2018 14:55:24 +0200
> > Henry Jensen via samba <samba at lists.samba.org> wrote:
> >
> > > On Tue, 7 Aug 2018 12:51:33 +0100
> > > Rowland Penny via samba <samba at lists.samba.org> wrote:
> > >
> > > > > > > Failed to modify SPNs on
> > > > > > > CN=db1,CN=Computers,DC=mydom,DC=lan: acl: spn validation
> > > > > > > failed for spn[TERMSRV/DB1.MYDOM] uac[0x1000]
> > > > > > > account[db1$] hostname[(null)] nbname[mydom] ntds[(null)]
> > > > > > > forest[mydom.lan] domain[mydom.lan]
> > > > > > >
> > > > > > > At first I thought it was about missing SPN entries, but
> > > > > > > adding these did not resolve the problem:
> > > > > > >
> > > > > > > # samba-tool spn list db1$
> > > > > > > db1$
> > > > > > > User CN=db1,CN=Computers,DC=mydom,DC=lan has the following
> > > > > > > servicePrincipalName: TERMSRV/db1
> > > > > > > TERMSRV/db1.mydom
> > > > > > > TERMSRV/db1.mydom.lan
> > > > > > >
> > > > > > > Samba is 4.7.8 and one DC with 4.8.3.
> > > > > >
> > > > > > I am fairly sure that 'TERMSRV' is coming from
> > > > > > 'spn_update_list' and it is trying to be added by
> > > > > > 'samba_spnupdate'. There is however a problem, this is the
> > > > > > bottom of 'spn_update_list':
> > > > > >
> > > > > > # Only used on Terminal Server mode:
> > > > > > # TERMSRV/${HOSTNAME}
> > > > > > # TERMSRV/${NETBIOSNAME}
> > > > > >
> > > > > > As you can see, all the lines are commented out and should
> > > > > > be ignored.
> > > > > >
> > > > > > Have you modified the 'spn_update_list' ?
> > > > >
> > > > > No, in /var/lib/samba/private/spn_update_list the lines you
> > > > > quoted are still commented out.
> > > > >
> > > > > Like I said, after the messages appeared (right after the
> > > > > migration from the old NT-style domain) I added the TERMSRV
> > > > > entries manually with
> > > > >
> > > > > samba-tool spn add TERMSRV/db1 db1$
> > > > > samba-tool spn add TERMSRV/db1.mydom db1$
> > > > > samba-tool spn add TERMSRV/db1.mydom.lan db1$
> > > > >
> > > > > thinking this would resolve the issue, but it didn't.
> > > > >
> > > > > However, since TERMSRV is ignored, could one simply ignore
> > > > > these messages as well?
> > > > >
> > > > > Kind Regards,
> > > > >
> > > > > Henry
> > > >
> > > > Well, you could, but where are they coming from ?
> > > > Do you actually use terminal servers ?
> > > >
> > > > Can you post your smb.conf files.
> > >
> > > Yes, we are using terminal servers and connecting to various
> > > machines via RDP. Indeed all machines regarding those TERMSRV
> > > messages are machines at which we use remote desktop services.
> > >
> > > # cat /etc/samba/smb.conf
> > > [global]
> > > netbios name = DC1
> > > realm = MYDOM.LAN
> > > server role = active directory domain controller
> > > workgroup = MYDOM
> > > idmap_ldb:use rfc2307 = yes
> > > dns forwarder = 1.2.3.4
> > > dsdb:schema update allowed=true
> > >
> > > [netlogon]
> > > path = /var/lib/samba/sysvol/mydom.lan/scripts
> > > read only = No
> > >
> > > [sysvol]
> > > path = /var/lib/samba/sysvol
> > > read only = No
> >
> > OK, try adding the SPN, yes I know you have already tried ;-)
> > Try it this way
> >
> > samba-tool spn add TERMSRV/DB1.MYDOM db1$
>
> OK, I tried it with upper case:
>
> # samba-tool spn add TERMSRV/DB1.MYDOM db1$
> ERROR: Service principal TERMSRV/DB1.MYDOM already affected to
> another user
>
> Kind Regards,
>
> Henry

The error message seems to be trying to set the SPN in uppercase, you
added it in lowercase.
Try deleting the lowercase SPN 'TERMSRV/db1.mydom' and then add it again
but all in uppercase.

Rowland
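As an added example (not code from the Samba project or from anyone in this thread): a small POSIX sh helper that takes the output of `samba-tool spn list <account>` in the format Henry posted, compares each SPN case-insensitively with the SPN named in the `acl: spn validation failed for spn[...]` message, and prints the `samba-tool spn delete` / `samba-tool spn add` pair Rowland suggests for every entry that matches only in case. The sample SPN list is constructed to mirror the listing above; the function names `lc` and `spn_case_mismatches` are my own.

```shell
#!/bin/sh
# Added example, not code from the Samba project or the thread.
# Reads `samba-tool spn list <account>` output on stdin and, for the SPN
# that the "acl: spn validation failed for spn[...]" message names, prints
# the samba-tool commands that replace a case-only variant of that SPN
# with the exact spelling the validation wanted.

# Constructed sample, mirroring the listing from the thread.
SAMPLE_SPN_LIST='db1$
User CN=db1,CN=Computers,DC=mydom,DC=lan has the following servicePrincipalName:
         TERMSRV/db1
         TERMSRV/db1.mydom
         TERMSRV/db1.mydom.lan'

# Lower-case a string portably (SPNs are ASCII).
lc() {
    printf '%s' "$1" | tr 'A-Z' 'a-z'
}

# spn_case_mismatches ACCOUNT WANTED_SPN  < spn-list
# For every SPN in the list that equals WANTED_SPN ignoring case but not
# byte-for-byte, emit the delete/add command pair. An exact match, or an
# SPN that is simply absent, produces no output: neither is a case problem.
spn_case_mismatches() {
    account=$1
    wanted=$2
    wanted_lc=$(lc "$wanted")
    # SPN lines are the indented ones; the account line and the
    # "User ... has the following servicePrincipalName:" header start
    # in column 0 and are dropped.
    grep '^[[:space:]]' | sed 's/^[[:space:]]*//' | while IFS= read -r spn; do
        [ -n "$spn" ] || continue
        if [ "$(lc "$spn")" = "$wanted_lc" ] && [ "$spn" != "$wanted" ]; then
            printf "samba-tool spn delete '%s' '%s'\n" "$spn" "$account"
            printf "samba-tool spn add '%s' '%s'\n" "$wanted" "$account"
        fi
    done
}

# Stand-alone run against the constructed sample. Against a live DC you
# would pipe `samba-tool spn list 'db1$'` in instead of the sample.
printf '%s\n' "$SAMPLE_SPN_LIST" | spn_case_mismatches 'db1$' 'TERMSRV/DB1.MYDOM'
```

The helper only prints the commands; it never touches the directory, so the output can be reviewed before anything is deleted. Run against the sample it emits the delete of `TERMSRV/db1.mydom` followed by the add of `TERMSRV/DB1.MYDOM` on `db1$`, which is exactly the pair Rowland describes. The account name must be quoted so the shell does not try to expand the trailing `$` of `db1$`.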
On Tue, 7 Aug 2018 16:26:36 +0100
Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Tue, 7 Aug 2018 17:13:02 +0200
> Henry Jensen via samba <samba at lists.samba.org> wrote:
>
> > On Tue, 7 Aug 2018 14:59:56 +0100
> > Rowland Penny via samba <samba at lists.samba.org> wrote:
> >
> > > On Tue, 7 Aug 2018 14:55:24 +0200
> > > Henry Jensen via samba <samba at lists.samba.org> wrote:
> > >
> > > > On Tue, 7 Aug 2018 12:51:33 +0100
> > > > Rowland Penny via samba <samba at lists.samba.org> wrote:
> > > >
> > > > > > > > Failed to modify SPNs on
> > > > > > > > CN=db1,CN=Computers,DC=mydom,DC=lan: acl: spn validation
> > > > > > > > failed for spn[TERMSRV/DB1.MYDOM] uac[0x1000]
> > > > > > > > account[db1$] hostname[(null)] nbname[mydom] ntds[(null)]
> > > > > > > > forest[mydom.lan] domain[mydom.lan]
> > > > > > > >
> > > > > > > > At first I thought it was about missing SPN entries, but
> > > > > > > > adding these did not resolve the problem:
> > > > > > > >
> > > > > > > > # samba-tool spn list db1$
> > > > > > > > db1$
> > > > > > > > User CN=db1,CN=Computers,DC=mydom,DC=lan has the following
> > > > > > > > servicePrincipalName: TERMSRV/db1
> > > > > > > > TERMSRV/db1.mydom
> > > > > > > > TERMSRV/db1.mydom.lan
> > > > > > > >
> > > > > > > > Samba is 4.7.8 and one DC with 4.8.3.
> > > > > > >
> > > > > > > I am fairly sure that 'TERMSRV' is coming from
> > > > > > > 'spn_update_list' and it is trying to be added by
> > > > > > > 'samba_spnupdate'. There is however a problem, this is the
> > > > > > > bottom of 'spn_update_list':
> > > > > > >
> > > > > > > # Only used on Terminal Server mode:
> > > > > > > # TERMSRV/${HOSTNAME}
> > > > > > > # TERMSRV/${NETBIOSNAME}
> > > > > > >
> > > > > > > As you can see, all the lines are commented out and should
> > > > > > > be ignored.
> > > > > > >
> > > > > > > Have you modified the 'spn_update_list' ?
> > > > > >
> > > > > > No, in /var/lib/samba/private/spn_update_list the lines you
> > > > > > quoted are still commented out.
> > > > > >
> > > > > > Like I said, after the messages appeared (right after the
> > > > > > migration from the old NT-style domain) I added the TERMSRV
> > > > > > entries manually with
> > > > > >
> > > > > > samba-tool spn add TERMSRV/db1 db1$
> > > > > > samba-tool spn add TERMSRV/db1.mydom db1$
> > > > > > samba-tool spn add TERMSRV/db1.mydom.lan db1$
> > > > > >
> > > > > > thinking this would resolve the issue, but it didn't.
> > > > > >
> > > > > > However, since TERMSRV is ignored, could one simply ignore
> > > > > > these messages as well?
> > > > > >
> > > > > > Kind Regards,
> > > > > >
> > > > > > Henry
> > > > >
> > > > > Well, you could, but where are they coming from ?
> > > > > Do you actually use terminal servers ?
> > > > >
> > > > > Can you post your smb.conf files.
> > > >
> > > > Yes, we are using terminal servers and connecting to various
> > > > machines via RDP. Indeed all machines regarding those TERMSRV
> > > > messages are machines at which we use remote desktop services.
> > > >
> > > > # cat /etc/samba/smb.conf
> > > > [global]
> > > > netbios name = DC1
> > > > realm = MYDOM.LAN
> > > > server role = active directory domain controller
> > > > workgroup = MYDOM
> > > > idmap_ldb:use rfc2307 = yes
> > > > dns forwarder = 1.2.3.4
> > > > dsdb:schema update allowed=true
> > > >
> > > > [netlogon]
> > > > path = /var/lib/samba/sysvol/mydom.lan/scripts
> > > > read only = No
> > > >
> > > > [sysvol]
> > > > path = /var/lib/samba/sysvol
> > > > read only = No
> > >
> > > OK, try adding the SPN, yes I know you have already tried ;-)
> > > Try it this way
> > >
> > > samba-tool spn add TERMSRV/DB1.MYDOM db1$
> >
> > OK, I tried it with upper case:
> >
> > # samba-tool spn add TERMSRV/DB1.MYDOM db1$
> > ERROR: Service principal TERMSRV/DB1.MYDOM already affected to
> > another user
> >
> > Kind Regards,
> >
> > Henry
>
> The error message seems to be trying to set the SPN in uppercase, you
> added it in lowercase. Try deleting the lowercase SPN
> 'TERMSRV/db1.mydom' and then add it again but all in uppercase.

All right, I did so. Then I established an RDP session to db1 in order to
trigger the message. So far, it didn't appear again.

Thank you very much, Rowland.

Kind Regards,

Henry