search for: spns

Hi! I'm not sure I understand how SPNs are registered in the AD domain. I know when a regular samba server is joined to an AD domain, a few SPNs are registered - namely, CIFS/$netbios_name and each for CIFS/$netbios_aliases (where netbios name and netbios aliases are the parameters in smb.conf - yes I know these are obsolete, but in thi...

...ba at lists.samba.org> wrote: > 21.01.2025 13:55, Rowland Penny via samba wrote: > > On Tue, 21 Jan 2025 12:51:26 +0300 > > Michael Tokarev via samba <samba at lists.samba.org> wrote: > > > >> Hi! > >> > >> I'm not sure I understand how SPNs are registered in the AD domain. > >> I know when a regular samba server is joined to an AD domain, a few > >> SPNs are registered - namely, CIFS/$netbios_name and each for > >> CIFS/$netbios_aliases (where netbios name and netbios aliases are > >> the parameters...

On Tue, 21 Jan 2025 12:51:26 +0300 Michael Tokarev via samba <samba at lists.samba.org> wrote: > Hi! > > I'm not sure I understand how SPNs are registered in the AD domain. > I know when a regular samba server is joined to an AD domain, a few > SPNs are registered - namely, CIFS/$netbios_name and each for > CIFS/$netbios_aliases (where netbios name and netbios aliases are > the parameters in smb.conf - yes I know these are...

...a wrote: > 31.01.2023 08:55, Matt Savin via samba ?????: > > In group policies use DNS aliases, then you'll need to change only > > DNS > > entries for these aliases to point to a new host(s). > > I'd say don't use simple dns aliases (cnames) in a DC, but use SPNs > instead > (see samba-tool spn). This will manage CNAMEs too, and also manages > the KRB > tickets and proper autentication of the server to the client. > (After changing SPNs for a host, one needs to re-generate keytab). > > /mjt To be clear, you need both the CNAME or alte...

21.01.2025 13:55, Rowland Penny via samba wrote: > On Tue, 21 Jan 2025 12:51:26 +0300 > Michael Tokarev via samba <samba at lists.samba.org> wrote: > >> Hi! >> >> I'm not sure I understand how SPNs are registered in the AD domain. >> I know when a regular samba server is joined to an AD domain, a few >> SPNs are registered - namely, CIFS/$netbios_name and each for >> CIFS/$netbios_aliases (where netbios name and netbios aliases are >> the parameters in smb.conf - yes I...

Please I getting some erros about SPNs and main process ended respawing, bellow the erros that ia m getting at messages log 5 or more machines are getting "Failed to modify SPNs on CN=PC-2902194,OU=XXXXX ,DC=ABC,DC=com,DC=br: error in module acl: Constraint violation (19)" another problem is more serious ... I really need...

Hi all my samba version is 4.12.5 and when a sql server windows machine join the domain, It shows error in samba : Failed to modify SPNs on CN=SEC-CON03,CN=Computers,DC=domain,DC=com: acl: spn validation failed for spn[E3514235-4B06-11D1-AB04-00C04FC2DCD2-ADAM/SEC-CON03:389] uac[0x1000] account[SEC-CON03$] hostname[SEC-Con03.domain.com] nbname[DOMAIN] ntds[(null)] forest[domain.com] domain[domain.com] There was a discussion on...

Adam, you already tried my suggestions? What do you see here: > Failed to modify SPNs on CN=SEC-CON03,CN=Computers,DC=domain,DC=com: > acl: spn validation failed for ... ^^^^^^ So read the links below and post your results The event id you showed, for now can be ignored. Inrelevant (for now). And mostlikly wil disapear when you added/fixed the "correct" spn's...

31.01.2023 08:55, Matt Savin via samba ?????: > In group policies use DNS aliases, then you'll need to change only DNS > entries for these aliases to point to a new host(s). I'd say don't use simple dns aliases (cnames) in a DC, but use SPNs instead (see samba-tool spn). This will manage CNAMEs too, and also manages the KRB tickets and proper autentication of the server to the client. (After changing SPNs for a host, one needs to re-generate keytab). /mjt

Hi, sometimes I see following in the logs: /source4/rpc_server/drsuapi/writespn.c:234(dcesrv_drsuapi_DsWriteAccountSpn) Failed to modify SPNs on CN=PCNAME,CN=Computers,DC=DOMAIN,DC=NAME,DC=NAME,DC=de: error in module acl: Constraint violation during LDB_MODIFY (19) In the net i found this "explanation": "LDAP_CONSTRAINT_VIOLATION Indicates that the attribute value specified in a modify, add, or modify DN operation vi...

...t; You used samba-tool to add the SPN with 'NFS', yet the SPN's are shown > with 'nfs'. > This could just be down to using 'net to create the keytab, try > 'samba-tool domain exportkeytab /etc/krb5.keytab' instead Since AD comes from the Win-World I thought SPNs might not be case-sensitive and this shouldn't be a problem. > > And there seems something missing again. > > Not sure there is anything missing, you first use 'net' to add an SPN > and everything seems okay, you then use samba-tool to list the SPNs for > the Unix d...

Hi, I have 2 domain controllers with samba4, and i realized i have some missing spns for the second domain controller: > samba-tool spn list dc1$ dc1$ User CN=dc1,OU=Domain Controllers,DC=test,DC=pt has the following servicePrincipalName: ?? ? HOST/dc1.test.pt ?? ? HOST/dc1.test.pt/test[1] ?? ? ldap/dc1.test.pt/test[1] ?? ? GC/dc1.test.pt/test.pt[2] ?...

Hello, I've got some log entries like these on our DCs: Failed to modify SPNs on CN=db1,CN=Computers,DC=mydom,DC=lan: acl: spn validation failed for spn[TERMSRV/DB1.MYDOM] uac[0x1000] account[db1$] hostname[(null)] nbname[mydom] ntds[(null)] forest[mydom.lan] domain[mydom.lan] At first I thought it was about missing SPN entries, but adding these did not resolve the problem:...

On Tue, 2016-02-02 at 23:38 +0100, Markus Dellermann wrote: > sometimes I see following in the logs: > /source4/rpc_server/drsuapi/writespn.c:234(dcesrv_drsuapi_DsWriteAcco > untSpn) > Failed to modify SPNs on > CN=PCNAME,CN=Computers,DC=DOMAIN,DC=NAME,DC=NAME,DC=de: error in > module acl: > Constraint violation during LDB_MODIFY (19) I am seeing a very similar message - Failed to modify SPNs on CN=TERRINE-WHITE,OU=Terminal Servers,DC=example,DC=com: error in module acl: Constraint violati...

Hello List, i have a general question. What SPNs should a member file server have? Mine only have "HOST/" Is this correct? Regards Christian -- Dr. Christian Naumer Unit Head Bioprocess Development B.R.A.I.N Aktiengesellschaft Darmstaedter Str. 34-36, D-64673 Zwingenberg e-mail cn at brain-biotech.com, homepage www.brain-biotech.co...

...ml I think these should help you to fix this. Greetz, Louis > -----Oorspronkelijk bericht----- > Van: samba [mailto:samba-bounces at lists.samba.org] Namens Adam > Xu via samba > Verzonden: woensdag 22 juli 2020 4:33 > Aan: sambalist > Onderwerp: [Samba] Failed to modify SPNs > > Hi all > > my samba version is 4.12.5 and when a sql server windows machine join > the domain, It shows error in samba : > > Failed to modify SPNs on CN=SEC-CON03,CN=Computers,DC=domain,DC=com: > acl: spn validation failed for > spn[E3514235-4B06-11D1-AB04-00C04...

Hi, I'm glad that helped you : ) About SPN, I found that link few days ago: https://adsecurity.org/?page_id=183 It tries to list the string values available usable for SPN. And it gives also that link: http://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx That one is a technet paper to explain SPNs. I tried to read it but for now I wasn't able to fully understand it (more specifically to understand how I would re-use these concepts for my needs). Anyway that second link describe SPN syntax as follow: *serviceclas...

Hi! I think I ran into the same Problem. What I tried so far: 1) * Adopt SPNs on the DC with samba-tool spn * Create keytab on Member with net ads keytab create * Result: ** klist and net ads keytab list on Member match ** samba-tool spn list on DC doesn't 2) * Clear SPNs from Member via net ads keytab flush * Result: ** net ads keytab list on Member is empty ** samba-t...

...rror in module acl: Constraint violation during LDB_MODIFY (19) [...] ldb: ldb_trace_next_request: (tdb)->del_transaction [2016/03/24 01:01:45.077191, 0, pid=32023, effective(0, 0), real(0, 0)] ../ source4/rpc_server/drsuapi/writespn.c:234(dcesrv_drsuapi_DsWriteAccountSpn) Failed to modify SPNs on CN=PCNAME,CN=Computers,DC=DOMAIN,DC=...: error in module acl: Constraint violation during LDB_MODIFY (19) [2016/03/24 01:01:45.079992, 1, pid=32023, effective(0, 0), real(0, 0)] ../ librpc/ndr/ndr.c:439(ndr_print_function_debug) drsuapi_DsWriteAccountSpn: struct drsuapi_DsWriteAccountSp...

...1:00 Adam Tauno Williams <awilliam at whitemice.org>: > On Tue, 2016-02-02 at 23:38 +0100, Markus Dellermann wrote: > > sometimes I see following in the logs: > > /source4/rpc_server/drsuapi/writespn.c:234(dcesrv_drsuapi_DsWriteAcco > > untSpn) > > Failed to modify SPNs on > > CN=PCNAME,CN=Computers,DC=DOMAIN,DC=NAME,DC=NAME,DC=de: error in > > module acl: > > Constraint violation during LDB_MODIFY (19) > > I am seeing a very similar message - Failed to modify SPNs on > CN=TERRINE-WHITE,OU=Terminal Servers,DC=example,DC=com: error in mod...