Bug 14300 - Multiple accounts can have the same SPN
Summary: Multiple accounts can have the same SPN
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.12.0rc4
Hardware: All
OS: All
Importance: P5 major
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-02-27 14:53 UTC by Björn Baumbach
Modified: 2020-05-21 00:34 UTC

See Also:


Description Björn Baumbach 2020-02-27 14:53:24 UTC
In the Samba AD the same SPN can be specified for different accounts, but an SPN should be unique.

If two or more objects have the same SPN, the client cannot get a ticket for this service anymore.
This is easily reproducible by copying the SPNs from one computer object to another and trying to get a ticket for the service.

The request for a ticket then fails on the DC with:
[2020/02/27 13:30:24.111645,  3, pid=7549, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Server not found in database: cifs/...: no such entry found in hdb
[2020/02/27 13:30:24.111682,  3, pid=7549, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:...


MS Windows does not allow adding the same SPN to different objects. The Windows LDAP answers the attempt with LDAP_CONSTRAINT_VIOLATION.
Comment 1 Andrew Bartlett 2020-05-21 00:34:45 UTC
The right place for restricting things like this would be the samldb module.
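As an added illustration, not code from Samba or from either commenter: a small Python audit helper that detects the duplicate-SPN condition described in the report and performs the per-object uniqueness check that a samldb-style restriction (or Windows' LDAP_CONSTRAINT_VIOLATION behaviour) would enforce. The entries below are constructed sample data; in a real domain they would come from an LDAP search for the servicePrincipalName attribute.

```python
"""Audit helper for duplicate servicePrincipalName values across AD objects.

The SAMPLE_ENTRIES dict is constructed test data, not a dump from a real
domain: FS2 has had FS1's cifs SPN copied onto it, which is the
reproduction the bug report describes.
"""
from collections import defaultdict

SAMPLE_ENTRIES = {
    "CN=FS1,CN=Computers,DC=example,DC=com": [
        "HOST/fs1", "HOST/fs1.example.com", "cifs/fs1.example.com"],
    "CN=FS2,CN=Computers,DC=example,DC=com": [
        "HOST/fs2", "HOST/fs2.example.com", "CIFS/fs1.example.com"],
    "CN=krbtgt,CN=Users,DC=example,DC=com": ["kadmin/changepw"],
}


def normalize_spn(spn):
    # SPN matching in AD is case-insensitive, so fold to lower case:
    # "CIFS/fs1.example.com" and "cifs/fs1.example.com" name the same service.
    return spn.strip().lower()


def find_duplicate_spns(entries):
    """Return {normalized SPN: sorted DNs} for every SPN held by more than
    one object. Any non-empty result means TGS requests for that service
    will fail, as in the 'Server not found in database' log above."""
    owners = defaultdict(set)
    for dn, spns in entries.items():
        for spn in spns:
            owners[normalize_spn(spn)].add(dn)
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}


def spn_add_allowed(entries, dn, spn):
    """Pre-add uniqueness check: True if `spn` may be added to `dn`.
    Adding a value the same object already holds is not a collision;
    a value held by any other object is, and would be rejected."""
    wanted = normalize_spn(spn)
    for other_dn, spns in entries.items():
        if other_dn == dn:
            continue
        if any(normalize_spn(s) == wanted for s in spns):
            return False
    return True


if __name__ == "__main__":
    for spn, dns in sorted(find_duplicate_spns(SAMPLE_ENTRIES).items()):
        print(f"{spn} is held by {len(dns)} objects: {', '.join(dns)}")
```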