Rowland Penny
2022-Jan-16 20:40 UTC
[Samba] samldb_spn_uniqueness_check: SPN HOST/myserver.samdom.net failed alias uniqueness check
On Sun, 2022-01-16 at 21:05 +0100, Kees van Vloten via samba wrote:
> Hi Team,
>
> I am using samba-accounts per service; when the service uses kerberos,
> the account gets an SPN associated.
>
> It looks like something in the area of SPN verification has changed
> between 4.13 / 4.14 and 4.15.3 on Debian 11 (with samba from Louis' repo).
>
> I am trying to do a domain-join on a machine (myserver) on 4.15.3, but
> it fails on the client-side with:
>
> Failed to join domain: Failed to set machine spn: Constraint violation
> Do you have sufficient permissions to create machine accounts?
>
> The samba.log on the DC shows the same:
>
> [2022/01/16 20:13:31.260393, 0] ../../source4/dsdb/samdb/ldb_modules/samldb.c:3841(check_spn_alias_collision)
>   check_spn_alias_collision: trying to add SPN 'HOST/myserver.samdom.net' on 'CN=myserver,OU=Member Servers,DC=samdom,DC=net' when 'http/myserver.samdom.net' is on 'CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net'
> [2022/01/16 20:13:31.260465, 0] ../../source4/dsdb/samdb/ldb_modules/samldb.c:4028(samldb_spn_uniqueness_check)
>   samldb_spn_uniqueness_check: SPN HOST/myserver.samdom.net failed alias uniqueness check
>
> A search for the SPN returns that a similar SPN is in use for Apache's
> service-account (but it does not have the HOST/ SPN assigned, exactly as
> intended):
>
> samba-tool spn list svc_myserver_apache
> svc_myserver_apache
> User CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net has the following servicePrincipalName:
>          HTTP/myserver.samdom.net
>
> root@controller01:/var/log/samba# samba-tool user show svc_myserver_apache
> dn: CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: svc_myserver_apache
> name: svc_myserver_apache
> sAMAccountName: svc_myserver_apache
> userPrincipalName: svc_myserver_apache@samdom.net
> servicePrincipalName: HTTP/myserver.samdom.net
> <fields removed to reduce output>
>
> A final test indeed shows HOST/myserver.samdom.net and
> HTTP/myserver.samdom.net are colliding when they are not set on one user:
>
> samba-tool spn add HOST/myserver.samdom.net myserver$
> check_spn_alias_collision: trying to add SPN 'HOST/myserver.samdom.net' on 'CN=myserver,OU=Member Servers,DC=samdom,DC=net' when 'http/myserver.samdom.net' is on 'CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net'
> samldb_spn_uniqueness_check: SPN HOST/myserver.samdom.net failed alias uniqueness check
>
> This all happens on a pretty new domain setup on 4.15.3.
>
> The interesting thing is that I have this exact configuration on another
> domain which was set up a while ago, probably 4.13. This domain was
> upgraded to 4.14 and to 4.15.3:
>
> samba-tool computer show otherserver
> dn: CN=otherserver,OU=Member Servers,DC=otherdom,DC=net
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> objectClass: computer
> cn: otherserver
> sAMAccountName: otherserver$
> servicePrincipalName: HOST/otherserver
> servicePrincipalName: HOST/otherserver.otherdom.net
> servicePrincipalName: nfs/otherserver.otherdom.net
>
> samba-tool user show svc_otherserver_apache
> dn: CN=svc_otherserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=otherdom,DC=net
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: user
> cn: svc_otherserver_apache
> name: svc_otherserver_apache
> sAMAccountName: svc_otherserver_apache
> userPrincipalName: svc_otherserver_apache@otherdom.net
> servicePrincipalName: HTTP/otherserver.otherdom.net
>
> Is there a way around the issue without eliminating the service-account
> and its SPN?
>
> Is it a new issue in 4.15?
>
> - Kees

It is an AD thing, try reading this thread:
https://lists.samba.org/archive/samba/2021-November/238694.html

Basically, having an SPN starting with 'host' (or 'HOST') sets 'http'
as well.

Rowland
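The aliasing Rowland describes is what makes `HOST/myserver.samdom.net` on the computer account and `HTTP/myserver.samdom.net` on the service account collide even though the strings differ. The script below is an added example written for this thread; it is not Samba's samldb module and not code from either poster. It models the alias relation as a directory `sPNMappings`-style string and runs a pre-join collision check and a whole-directory audit against a constructed snapshot of the accounts named above. The mapping value is a constructed subset (the real AD default maps `host` to many more classes; `http` is the only one this thread confirms), the DNs and SPNs are copied from the posts, and treating the alias relation as symmetric (adding `http/x` when another account holds `HOST/x` also counts as a collision) is an assumption of this example.

```python
"""Offline check for AD/Samba SPN alias collisions (added example)."""
from typing import Dict, List, Set, Tuple

# Constructed subset of an sPNMappings-style value ("alias=svc1,svc2,...").
# The real AD default lists many more classes under 'host'.
SPN_MAPPINGS = "host=http,ftp,rpc,w32time"

# Constructed snapshot: DN -> servicePrincipalName values, modelled on the
# 'samdom' accounts in the thread (the new machine is not yet joined).
DIRECTORY: Dict[str, List[str]] = {
    "CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net": [
        "HTTP/myserver.samdom.net",
    ],
    "CN=fileserver,OU=Member Servers,DC=samdom,DC=net": [  # constructed extra host
        "HOST/fileserver",
        "HOST/fileserver.samdom.net",
        "nfs/fileserver.samdom.net",
    ],
}

# Constructed snapshot of the older 'otherdom' accounts, where HOST/ and
# HTTP/ already coexist on different accounts.
LEGACY_DIRECTORY: Dict[str, List[str]] = {
    "CN=otherserver,OU=Member Servers,DC=otherdom,DC=net": [
        "HOST/otherserver",
        "HOST/otherserver.otherdom.net",
        "nfs/otherserver.otherdom.net",
    ],
    "CN=svc_otherserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=otherdom,DC=net": [
        "HTTP/otherserver.otherdom.net",
    ],
}


def parse_spn_mappings(value: str) -> Dict[str, Set[str]]:
    """Parse 'alias=svc,svc;alias2=...' into {alias: {svc, ...}}, lower-cased."""
    mappings: Dict[str, Set[str]] = {}
    for entry in value.split(";"):
        if "=" not in entry:
            continue
        alias, services = entry.split("=", 1)
        mappings[alias.strip().lower()] = {
            s.strip().lower() for s in services.split(",") if s.strip()
        }
    return mappings


def split_spn(spn: str) -> Tuple[str, str]:
    """Return (service class, instance) of an SPN, both lower-cased.
    The instance is everything after the first '/', so host:port/name forms
    stay intact for comparison."""
    service, _, instance = spn.partition("/")
    return service.lower(), instance.lower()


def equivalent_classes(service: str, mappings: Dict[str, Set[str]]) -> Set[str]:
    """Service classes that collide with `service`: an alias ('host') collides
    with every class it maps to, and a mapped class ('http') with its alias.
    Symmetry is an assumption of this example."""
    service = service.lower()
    classes = {service} | mappings.get(service, set())
    for alias, mapped in mappings.items():
        if service in mapped:
            classes.add(alias)
    return classes


def find_collisions(directory: Dict[str, List[str]], new_spn: str,
                    target_dn: str, mappings: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """[(existing_spn, dn)] on *other* accounts that alias `new_spn`.
    An empty list means the add would pass the uniqueness check."""
    new_class, new_instance = split_spn(new_spn)
    conflicting = equivalent_classes(new_class, mappings)
    hits: List[Tuple[str, str]] = []
    for dn, spns in directory.items():
        if dn == target_dn:
            continue  # one account may hold both HOST/x and http/x
        for spn in spns:
            cls, inst = split_spn(spn)
            if inst == new_instance and cls in conflicting:
                hits.append((spn, dn))
    return hits


def audit_directory(directory: Dict[str, List[str]],
                    mappings: Dict[str, Set[str]]) -> List[Tuple[str, str, str, str]]:
    """Report pre-existing cross-account alias collisions (e.g. accounts created
    before the check existed), each pair once: [(spn_a, dn_a, spn_b, dn_b)]."""
    seen = set()
    findings: List[Tuple[str, str, str, str]] = []
    for dn, spns in directory.items():
        for spn in spns:
            for other_spn, other_dn in find_collisions(directory, spn, dn, mappings):
                key = frozenset({(spn, dn), (other_spn, other_dn)})
                if key not in seen:
                    seen.add(key)
                    findings.append((spn, dn, other_spn, other_dn))
    return findings


if __name__ == "__main__":
    m = parse_spn_mappings(SPN_MAPPINGS)
    target = "CN=myserver,OU=Member Servers,DC=samdom,DC=net"
    for spn, dn in find_collisions(DIRECTORY, "HOST/myserver.samdom.net", target, m):
        print(f"would fail: HOST/myserver.samdom.net aliases {spn} on {dn}")
    for finding in audit_directory(LEGACY_DIRECTORY, m):
        print("pre-existing collision:", finding)
```

Running the check before a join reproduces the DC's complaint for the samdom snapshot, and the audit over the otherdom snapshot flags the HOST/ and HTTP/ pair that coexists there only because it predates the check. To feed real data in, replace the constructed dictionaries with the output of `samba-tool spn list` or an LDAP query for `servicePrincipalName`.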
Kees van Vloten
2022-Jan-16 20:53 UTC
[Samba] samldb_spn_uniqueness_check: SPN HOST/myserver.samdom.net failed alias uniqueness check
On 16-01-2022 21:40, Rowland Penny via samba wrote:
> On Sun, 2022-01-16 at 21:05 +0100, Kees van Vloten via samba wrote:
>> Hi Team,
>>
>> I am using samba-accounts per service; when the service uses kerberos,
>> the account gets an SPN associated.
>>
>> It looks like something in the area of SPN verification has changed
>> between 4.13 / 4.14 and 4.15.3 on Debian 11 (with samba from Louis' repo).
>>
>> I am trying to do a domain-join on a machine (myserver) on 4.15.3, but
>> it fails on the client-side with:
>>
>> Failed to join domain: Failed to set machine spn: Constraint violation
>> Do you have sufficient permissions to create machine accounts?
>>
>> The samba.log on the DC shows the same:
>>
>> [2022/01/16 20:13:31.260393, 0] ../../source4/dsdb/samdb/ldb_modules/samldb.c:3841(check_spn_alias_collision)
>>   check_spn_alias_collision: trying to add SPN 'HOST/myserver.samdom.net' on 'CN=myserver,OU=Member Servers,DC=samdom,DC=net' when 'http/myserver.samdom.net' is on 'CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net'
>> [2022/01/16 20:13:31.260465, 0] ../../source4/dsdb/samdb/ldb_modules/samldb.c:4028(samldb_spn_uniqueness_check)
>>   samldb_spn_uniqueness_check: SPN HOST/myserver.samdom.net failed alias uniqueness check
>>
>> A search for the SPN returns that a similar SPN is in use for Apache's
>> service-account (but it does not have the HOST/ SPN assigned, exactly as
>> intended):
>>
>> samba-tool spn list svc_myserver_apache
>> svc_myserver_apache
>> User CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net has the following servicePrincipalName:
>>          HTTP/myserver.samdom.net
>>
>> root@controller01:/var/log/samba# samba-tool user show svc_myserver_apache
>> dn: CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> cn: svc_myserver_apache
>> name: svc_myserver_apache
>> sAMAccountName: svc_myserver_apache
>> userPrincipalName: svc_myserver_apache@samdom.net
>> servicePrincipalName: HTTP/myserver.samdom.net
>> <fields removed to reduce output>
>>
>> A final test indeed shows HOST/myserver.samdom.net and
>> HTTP/myserver.samdom.net are colliding when they are not set on one user:
>>
>> samba-tool spn add HOST/myserver.samdom.net myserver$
>> check_spn_alias_collision: trying to add SPN 'HOST/myserver.samdom.net' on 'CN=myserver,OU=Member Servers,DC=samdom,DC=net' when 'http/myserver.samdom.net' is on 'CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net'
>> samldb_spn_uniqueness_check: SPN HOST/myserver.samdom.net failed alias uniqueness check
>>
>> This all happens on a pretty new domain setup on 4.15.3.
>>
>> The interesting thing is that I have this exact configuration on another
>> domain which was set up a while ago, probably 4.13. This domain was
>> upgraded to 4.14 and to 4.15.3:
>>
>> samba-tool computer show otherserver
>> dn: CN=otherserver,OU=Member Servers,DC=otherdom,DC=net
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> objectClass: computer
>> cn: otherserver
>> sAMAccountName: otherserver$
>> servicePrincipalName: HOST/otherserver
>> servicePrincipalName: HOST/otherserver.otherdom.net
>> servicePrincipalName: nfs/otherserver.otherdom.net
>>
>> samba-tool user show svc_otherserver_apache
>> dn: CN=svc_otherserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=otherdom,DC=net
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> cn: svc_otherserver_apache
>> name: svc_otherserver_apache
>> sAMAccountName: svc_otherserver_apache
>> userPrincipalName: svc_otherserver_apache@otherdom.net
>> servicePrincipalName: HTTP/otherserver.otherdom.net
>>
>> Is there a way around the issue without eliminating the service-account
>> and its SPN?
>>
>> Is it a new issue in 4.15?
>>
>> - Kees
>
> It is an AD thing, try reading this thread:
> https://lists.samba.org/archive/samba/2021-November/238694.html
>
> Basically, having an SPN starting with 'host' (or 'HOST') sets 'http'
> as well.
>
> Rowland

If I want to get to the situation in otherdom, would this sequence do the trick?

- remove http/ spn from service-account
- join machine
- remove http/ spn from computer account
- add http/ spn to service-account

- Kees