Kees van Vloten
2022-Jan-16 20:53 UTC
[Samba] samldb_spn_uniqueness_check: SPN HOST/myserver.samdom.net failed alias uniqueness check
On 16-01-2022 21:40, Rowland Penny via samba wrote:
> On Sun, 2022-01-16 at 21:05 +0100, Kees van Vloten via samba wrote:
>> Hi Team,
>>
>> I am using samba-accounts per service; when the service uses kerberos
>> the account gets an SPN associated.
>>
>> It looks like something in the area of SPN verification has changed
>> between 4.13 / 4.14 and 4.15.3 on Debian 11 (with samba from Louis'
>> repo).
>>
>> I am trying to do a domain-join on a machine (myserver) on 4.15.3, but
>> it fails on the client-side with:
>>
>> Failed to join domain: Failed to set machine spn: Constraint violation
>> Do you have sufficient permissions to create machine accounts?
>>
>> The samba.log on the DC shows the same:
>>
>> [2022/01/16 20:13:31.260393, 0]
>> ../../source4/dsdb/samdb/ldb_modules/samldb.c:3841(check_spn_alias_collision)
>> check_spn_alias_collision: trying to add SPN 'HOST/myserver.samdom.net' on 'CN=myserver,OU=Member Servers,DC=samdom,DC=net' when 'http/myserver.samdom.net' is on 'CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net'
>> [2022/01/16 20:13:31.260465, 0]
>> ../../source4/dsdb/samdb/ldb_modules/samldb.c:4028(samldb_spn_uniqueness_check)
>> samldb_spn_uniqueness_check: SPN HOST/myserver.samdom.net failed alias uniqueness check
>>
>>
>> A search for the SPN returns that a similar SPN is in use for Apache's
>> service-account (but it does not have the HOST/ SPN assigned, exactly as
>> intended):
>>
>> samba-tool spn list svc_myserver_apache
>> svc_myserver_apache
>> User CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net has the following servicePrincipalName:
>> HTTP/myserver.samdom.net
>>
>> root@controller01:/var/log/samba# samba-tool user show svc_myserver_apache
>> dn: CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> cn: svc_myserver_apache
>> name: svc_myserver_apache
>> sAMAccountName: svc_myserver_apache
>> userPrincipalName: svc_myserver_apache@samdom.net
>> servicePrincipalName: HTTP/myserver.samdom.net
>> <fields removed to reduce output>
>>
>> A final test indeed shows HOST/myserver.samdom.net and
>> HTTP/myserver.samdom.net are colliding when they are not set on one
>> user:
>>
>> samba-tool spn add HOST/myserver.samdom.net myserver$
>> check_spn_alias_collision: trying to add SPN 'HOST/myserver.samdom.net' on 'CN=myserver,OU=Member Servers,DC=samdom,DC=net' when 'http/myserver.samdom.net' is on 'CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net'
>> samldb_spn_uniqueness_check: SPN HOST/myserver.samdom.net failed alias uniqueness check
>>
>> This all happens on a pretty new domain setup on 4.15.3.
>>
>> The interesting thing is that I have this exact configuration on another
>> domain which was set up a while ago, probably 4.13. This domain was
>> upgraded to 4.14 and to 4.15.3:
>>
>> samba-tool computer show otherserver
>> dn: CN=otherserver,OU=Member Servers,DC=otherdom,DC=net
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> objectClass: computer
>> cn: otherserver
>> sAMAccountName: otherserver$
>> servicePrincipalName: HOST/otherserver
>> servicePrincipalName: HOST/otherserver.otherdom.net
>> servicePrincipalName: nfs/otherserver.otherdom.net
>>
>> samba-tool user show svc_otherserver_apache
>> dn: CN=svc_otherserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=otherdom,DC=net
>> objectClass: top
>> objectClass: person
>> objectClass: organizationalPerson
>> objectClass: user
>> cn: svc_otherserver_apache
>> name: svc_otherserver_apache
>> sAMAccountName: svc_otherserver_apache
>> userPrincipalName: svc_otherserver_apache@otherdom.net
>> servicePrincipalName: HTTP/otherserver.otherdom.net
>>
>> Is there a way around the issue without eliminating the service-account
>> and its SPN?
>>
>> Is it a new issue in 4.15?
>>
>> - Kees
> It is an AD thing, try reading this thread:
> https://lists.samba.org/archive/samba/2021-November/238694.html
>
> Basically, having an SPN starting with 'host' (or 'HOST') sets 'http'
> as well.
>
> Rowland
>
>

If I want to get to the situation in otherdom, would this sequence do the trick?

- remove http/ spn from service-account
- join machine
- remove http/ spn from computer account
- add http/ spn to service-account

- Kees
Rowland Penny
2022-Jan-16 21:05 UTC
[Samba] samldb_spn_uniqueness_check: SPN HOST/myserver.samdom.net failed alias uniqueness check
On Sun, 2022-01-16 at 21:53 +0100, Kees van Vloten via samba wrote:
> On 16-01-2022 21:40, Rowland Penny via samba wrote:
> > On Sun, 2022-01-16 at 21:05 +0100, Kees van Vloten via samba wrote:
> > > Hi Team,
> > >
> > > I am using samba-accounts per service; when the service uses kerberos
> > > the account gets an SPN associated.
> > >
> > > It looks like something in the area of SPN verification has changed
> > > between 4.13 / 4.14 and 4.15.3 on Debian 11 (with samba from Louis'
> > > repo).
> > >
> > > I am trying to do a domain-join on a machine (myserver) on 4.15.3, but
> > > it fails on the client-side with:
> > >
> > > Failed to join domain: Failed to set machine spn: Constraint violation
> > > Do you have sufficient permissions to create machine accounts?
> > >
> > > The samba.log on the DC shows the same:
> > >
> > > [2022/01/16 20:13:31.260393, 0]
> > > ../../source4/dsdb/samdb/ldb_modules/samldb.c:3841(check_spn_alias_collision)
> > > check_spn_alias_collision: trying to add SPN 'HOST/myserver.samdom.net' on 'CN=myserver,OU=Member Servers,DC=samdom,DC=net' when 'http/myserver.samdom.net' is on 'CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net'
> > > [2022/01/16 20:13:31.260465, 0]
> > > ../../source4/dsdb/samdb/ldb_modules/samldb.c:4028(samldb_spn_uniqueness_check)
> > > samldb_spn_uniqueness_check: SPN HOST/myserver.samdom.net failed alias uniqueness check
> > >
> > >
> > > A search for the SPN returns that a similar SPN is in use for Apache's
> > > service-account (but it does not have the HOST/ SPN assigned, exactly as
> > > intended):
> > >
> > > samba-tool spn list svc_myserver_apache
> > > svc_myserver_apache
> > > User CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net has the following servicePrincipalName:
> > > HTTP/myserver.samdom.net
> > >
> > > root@controller01:/var/log/samba# samba-tool user show svc_myserver_apache
> > > dn: CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net
> > > objectClass: top
> > > objectClass: person
> > > objectClass: organizationalPerson
> > > objectClass: user
> > > cn: svc_myserver_apache
> > > name: svc_myserver_apache
> > > sAMAccountName: svc_myserver_apache
> > > userPrincipalName: svc_myserver_apache@samdom.net
> > > servicePrincipalName: HTTP/myserver.samdom.net
> > > <fields removed to reduce output>
> > >
> > > A final test indeed shows HOST/myserver.samdom.net and
> > > HTTP/myserver.samdom.net are colliding when they are not set on one
> > > user:
> > >
> > > samba-tool spn add HOST/myserver.samdom.net myserver$
> > > check_spn_alias_collision: trying to add SPN 'HOST/myserver.samdom.net' on 'CN=myserver,OU=Member Servers,DC=samdom,DC=net' when 'http/myserver.samdom.net' is on 'CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net'
> > > samldb_spn_uniqueness_check: SPN HOST/myserver.samdom.net failed alias uniqueness check
> > >
> > > This all happens on a pretty new domain setup on 4.15.3.
> > >
> > > The interesting thing is that I have this exact configuration on another
> > > domain which was set up a while ago, probably 4.13. This domain was
> > > upgraded to 4.14 and to 4.15.3:
> > >
> > > samba-tool computer show otherserver
> > > dn: CN=otherserver,OU=Member Servers,DC=otherdom,DC=net
> > > objectClass: top
> > > objectClass: person
> > > objectClass: organizationalPerson
> > > objectClass: user
> > > objectClass: computer
> > > cn: otherserver
> > > sAMAccountName: otherserver$
> > > servicePrincipalName: HOST/otherserver
> > > servicePrincipalName: HOST/otherserver.otherdom.net
> > > servicePrincipalName: nfs/otherserver.otherdom.net
> > >
> > > samba-tool user show svc_otherserver_apache
> > > dn: CN=svc_otherserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=otherdom,DC=net
> > > objectClass: top
> > > objectClass: person
> > > objectClass: organizationalPerson
> > > objectClass: user
> > > cn: svc_otherserver_apache
> > > name: svc_otherserver_apache
> > > sAMAccountName: svc_otherserver_apache
> > > userPrincipalName: svc_otherserver_apache@otherdom.net
> > > servicePrincipalName: HTTP/otherserver.otherdom.net
> > >
> > > Is there a way around the issue without eliminating the service-account
> > > and its SPN?
> > >
> > > Is it a new issue in 4.15?
> > >
> > > - Kees
> > It is an AD thing, try reading this thread:
> > https://lists.samba.org/archive/samba/2021-November/238694.html
> >
> > Basically, having an SPN starting with 'host' (or 'HOST') sets 'http'
> > as well.
> >
> > Rowland
> >
> >
>
> If I want to get to the situation in otherdom, would this sequence do
> the trick?
>
> - remove http/ spn from service-account
>
> - join machine
>
> - remove http/ spn from computer account
>
> - add http/ spn to service-account

From my understanding 'host' is an alias for a large number of other
SPNs, 'http' being among them. From this, I actually do not think you
should be setting 'http/myserver.samdom.net' on anything.

Rowland
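The following is an added example, not Samba's code and not from either poster: a small Python model of the alias uniqueness check the thread is about, fed with the DNs and SPNs quoted above, which also walks the four-step sequence proposed in the reply. Assumptions are marked in the code: the alias list is a constructed subset (in AD, 'host' stands in for a long list of service classes held in the directory's sPNMappings attribute, 'http' among them, as the thread says), the check is modelled as symmetric (an aliased class such as http also collides with an existing HOST/ SPN on another account), and SPNs compare case-insensitively.

```python
"""Model of the SPN alias uniqueness check described in the thread.

Added example, not Samba's own code. Assumptions: HOST_ALIASES is a small
constructed subset of the real sPNMappings list; the check is symmetric;
SPNs compare case-insensitively; the same account may hold HOST/ and http/
for one host (only *other* accounts are checked).
"""
from __future__ import annotations

# Constructed subset of the classes that a 'host' SPN stands in for.
HOST_ALIASES = frozenset({"host", "http", "www", "cifs", "rpc", "dns", "time"})

# Sample directory built from the DNs and SPNs quoted in the thread.
SVC_DN = "CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net"
COMPUTER_DN = "CN=myserver,OU=Member Servers,DC=samdom,DC=net"
SAMDOM = {SVC_DN: ["HTTP/myserver.samdom.net"], COMPUTER_DN: []}


class ConstraintViolation(Exception):
    """The error the join reported: 'Failed to set machine spn: Constraint violation'."""


def parse_spn(spn: str) -> tuple[str, str]:
    """Split 'class/host[:port][/name]' into a lower-cased (class, host) pair."""
    cls, sep, rest = spn.partition("/")
    if not sep or not cls or not rest:
        raise ValueError(f"not a service principal name: {spn!r}")
    host = rest.split("/", 1)[0].split(":", 1)[0]
    return cls.lower(), host.lower()


def aliases_of(service_class: str) -> frozenset[str]:
    """Service classes that `service_class` is equivalent to under the host alias."""
    if service_class == "host":
        return HOST_ALIASES
    if service_class in HOST_ALIASES:
        return frozenset({service_class, "host"})
    return frozenset({service_class})


def find_alias_collisions(candidate: str, target_dn: str, directory: dict) -> list:
    """SPNs on other accounts that clash with adding `candidate` to `target_dn`."""
    cand_cls, cand_host = parse_spn(candidate)
    wanted = aliases_of(cand_cls)
    hits = []
    for dn, spns in directory.items():
        if dn.lower() == target_dn.lower():
            continue  # HOST/ and http/ may coexist on one account
        for existing in spns:
            cls, host = parse_spn(existing)
            if host == cand_host and cls in wanted:
                hits.append((dn, existing))
    return hits


def add_spn(directory: dict, dn: str, spn: str) -> None:
    """Add `spn` to `dn`, rejecting it the way the DC-side module would."""
    hits = find_alias_collisions(spn, dn, directory)
    if hits:
        raise ConstraintViolation(f"SPN {spn} failed alias uniqueness check: {hits}")
    directory.setdefault(dn, []).append(spn)


def remove_spn(directory: dict, dn: str, spn: str) -> None:
    """Removing an SPN can never introduce a collision, so no check is needed."""
    directory[dn] = [s for s in directory.get(dn, []) if s.lower() != spn.lower()]


def simulate_sequence(fqdn: str, svc_dn: str, computer_dn: str, directory: dict) -> list:
    """Run the four steps proposed in the thread against a copy of `directory`
    and report, per step, whether the modelled check accepts it. The join is
    reduced to registering HOST/<fqdn>; a real join also adds the short name."""
    d = {dn: list(spns) for dn, spns in directory.items()}
    steps = [
        ("remove http/ from service account", lambda: remove_spn(d, svc_dn, f"http/{fqdn}")),
        ("join machine (registers HOST/)", lambda: add_spn(d, computer_dn, f"HOST/{fqdn}")),
        ("remove http/ from computer account", lambda: remove_spn(d, computer_dn, f"http/{fqdn}")),
        ("re-add http/ to service account", lambda: add_spn(d, svc_dn, f"http/{fqdn}")),
    ]
    outcome = []
    for name, action in steps:
        try:
            action()
            outcome.append((name, "ok"))
        except ConstraintViolation:
            outcome.append((name, "rejected"))
    return outcome


if __name__ == "__main__":
    print(find_alias_collisions("HOST/myserver.samdom.net", COMPUTER_DN, SAMDOM))
    for step, result in simulate_sequence("myserver.samdom.net", SVC_DN, COMPUTER_DN, SAMDOM):
        print(f"{result:8} {step}")
```

Run as-is, the first call reproduces the collision from the log (HOST/ on the computer against HTTP/ on the service account), and the simulated sequence gets through the join but, with the symmetric check assumed here, is rejected again at the last step when http/ goes back onto the service account. The practical use of such a check is to run it against a dump of existing servicePrincipalName values before a join, so the colliding account is found on the admin's terms rather than as a Constraint violation from the DC.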