Ricardo Esteves
2023-May-11 21:21 UTC
[Samba] Different spns for primary and secondary DCs
Hi,

I have 2 domain controllers with samba4, and I realized I have some missing SPNs for the second domain controller:

> samba-tool spn list dc1$
dc1$
User CN=dc1,OU=Domain Controllers,DC=test,DC=pt has the following servicePrincipalName:
    HOST/dc1.test.pt
    HOST/dc1.test.pt/test
    ldap/dc1.test.pt/test
    GC/dc1.test.pt/test.pt
    ldap/dc1.test.pt
    HOST/dc1.test.pt/test.pt
    ldap/dc1.test.pt/test.pt
    HOST/dc1
    E3514235-4B06-11D1-AB04-00C04FC2DCD2/ea763557-5bb4-4885-bf7b-239eb94f483a/test.pt
    ldap/ea763557-5bb4-4885-bf7b-239eb94f483a._msdcs.test.pt
    ldap/dc1
    RestrictedKrbHost/dc1
    RestrictedKrbHost/dc1.test.pt

> samba-tool spn list dc2$
dc2$
User CN=dc2,OU=Domain Controllers,DC=test,DC=pt has the following servicePrincipalName:
    HOST/dc2
    HOST/dc2.test.pt
    GC/dc2.test.pt/test.pt
    E3514235-4B06-11D1-AB04-00C04FC2DCD2/2a9b50c9-dc62-4201-b235-e72f3c36f0aa/test.pt
    gc/dc2
    gc/dc2.test.pt
    e3514235-4b06-11d1-ab04-00c04fc2dcd2/dc2
    e3514235-4b06-11d1-ab04-00c04fc2dcd2/dc2.test.pt

Is this normal? Or should I create the missing ldap and RestrictedKrbHost SPNs for dc2?
On 11/05/2023 22:21, Ricardo Esteves via samba wrote:
> Hi,
> I have 2 domain controllers with samba4, and I realized I have some
> missing SPNs for the second domain controller:
>
> > samba-tool spn list dc1$
> dc1$
> User CN=dc1,OU=Domain Controllers,DC=test,DC=pt has the following
> servicePrincipalName:
>     HOST/dc1.test.pt
>     HOST/dc1.test.pt/test
>     ldap/dc1.test.pt/test
>     GC/dc1.test.pt/test.pt
>     ldap/dc1.test.pt
>     HOST/dc1.test.pt/test.pt
>     ldap/dc1.test.pt/test.pt
>     HOST/dc1
>     E3514235-4B06-11D1-AB04-00C04FC2DCD2/ea763557-5bb4-4885-bf7b-239eb94f483a/test.pt
>     ldap/ea763557-5bb4-4885-bf7b-239eb94f483a._msdcs.test.pt
>     ldap/dc1
>     RestrictedKrbHost/dc1
>     RestrictedKrbHost/dc1.test.pt
>
> > samba-tool spn list dc2$
> dc2$
> User CN=dc2,OU=Domain Controllers,DC=test,DC=pt has the following
> servicePrincipalName:
>     HOST/dc2
>     HOST/dc2.test.pt
>     GC/dc2.test.pt/test.pt
>     E3514235-4B06-11D1-AB04-00C04FC2DCD2/2a9b50c9-dc62-4201-b235-e72f3c36f0aa/test.pt
>     gc/dc2
>     gc/dc2.test.pt
>     e3514235-4b06-11d1-ab04-00c04fc2dcd2/dc2
>     e3514235-4b06-11d1-ab04-00c04fc2dcd2/dc2.test.pt
>
> Is this normal? Or should I create the missing ldap and
> RestrictedKrbHost SPNs for dc2?

I do not think this is normal and if I compare it with my two DCs, DC1 is missing these SPNs:

    ldap/dc1.test.pt/DomainDnsZones.test.pt
    ldap/dc1.test.pt/ForestDnsZones.test.pt

DC2 seems to be missing these:

    HOST/dc2.test.pt/test
    ldap/dc2.test.pt/test
    ldap/dc2.test.pt
    HOST/dc2.test.pt/test.pt
    ldap/dc2.test.pt/test.pt
    ldap/ea763557-5bb4-4885-bf7b-239eb94f483a._msdcs.test.pt
    ldap/dc2
    RestrictedKrbHost/dc2
    RestrictedKrbHost/dc2.test.pt
    ldap/dc2.test.pt/DomainDnsZones.test.pt
    ldap/dc2.test.pt/ForestDnsZones.test.pt

But does have these (which I do not):

    gc/dc2
    gc/dc2.test.pt
    e3514235-4b06-11d1-ab04-00c04fc2dcd2/dc2
    e3514235-4b06-11d1-ab04-00c04fc2dcd2/dc2.test.pt

Now I said that this isn't normal, but it could be, but from the information provided, who knows, all that is known is that you have two Samba AD DCs, no versions, no OS etc.

Rowland
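The comparison made by hand in the reply above can be scripted. This is an added example, not part of either post and not Samba code: the function names are hypothetical, the listings are the ones posted in the thread, and "<guid>" is left as a placeholder because the script does not look up the target DC's GUID.

```python
import re
# Sample input: the two listings posted in the first message of this thread.
DC1 = """dc1$
User CN=dc1,OU=Domain Controllers,DC=test,DC=pt has the following servicePrincipalName:
    HOST/dc1.test.pt
    HOST/dc1.test.pt/test
    ldap/dc1.test.pt/test
    GC/dc1.test.pt/test.pt
    ldap/dc1.test.pt
    HOST/dc1.test.pt/test.pt
    ldap/dc1.test.pt/test.pt
    HOST/dc1
    E3514235-4B06-11D1-AB04-00C04FC2DCD2/ea763557-5bb4-4885-bf7b-239eb94f483a/test.pt
    ldap/ea763557-5bb4-4885-bf7b-239eb94f483a._msdcs.test.pt
    ldap/dc1
    RestrictedKrbHost/dc1
    RestrictedKrbHost/dc1.test.pt
"""
DC2 = """dc2$
User CN=dc2,OU=Domain Controllers,DC=test,DC=pt has the following servicePrincipalName:
    HOST/dc2
    HOST/dc2.test.pt
    GC/dc2.test.pt/test.pt
    E3514235-4B06-11D1-AB04-00C04FC2DCD2/2a9b50c9-dc62-4201-b235-e72f3c36f0aa/test.pt
    gc/dc2
    gc/dc2.test.pt
    e3514235-4b06-11d1-ab04-00c04fc2dcd2/dc2
    e3514235-4b06-11d1-ab04-00c04fc2dcd2/dc2.test.pt
"""
GUID = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def spn_shapes(listing, host):
    """Map lower-cased SPN shape -> shape, with the DC name and GUIDs abstracted."""
    shapes = {}
    for line in listing.splitlines():
        svc, sep, rest = line.strip().partition("/")
        if line[:1].isspace() and sep:            # SPN lines are the indented ones
            rest = GUID.sub("<guid>", rest)       # GUID values differ between the DCs
            rest = re.sub(rf"\b{re.escape(host)}\b", "<dc>", rest, flags=re.I)
            shapes[f"{svc}/{rest}".lower()] = f"{svc}/{rest}"
    return shapes

def missing_on(target, target_host, ref, ref_host):
    """SPNs the reference DC has whose shape the target lacks, renamed for the target."""
    have, want = spn_shapes(target, target_host), spn_shapes(ref, ref_host)
    return sorted(v.replace("<dc>", target_host) for k, v in want.items() if k not in have)

if __name__ == "__main__":
    print("\n".join(missing_on(DC2, "dc2", DC1, "dc1")))
```

The comparison is case-insensitive, so GC/dc2.test.pt/test.pt on dc2 counts as matching the GC entry on dc1.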
Ricardo Esteves
2023-May-17 09:10 UTC
[Samba] Upgrade from 4.6.7 to 4.17.4 fails with database problem (Failure during re-pack, so transaction must be aborted)
Hi,

I have an AD with samba 4.6.7 (compiled from sources) on Fedora 17, and I tried to upgrade to 4.17.4, but the database upgrade fails.

I executed samba-tool dbcheck --reindex --debuglevel=10 to see if I could find where the problem was, and it seems it fails on a transaction regarding SID [S-1-5-18].

Attached is the output from samba-tool dbcheck --reindex --debuglevel=10.

Does anyone have any idea how to fix this?

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: samba4_reindex_error.txt
URL: <http://lists.samba.org/pipermail/samba/attachments/20230517/f16233bb/samba4_reindex_error.txt>