14300 – Multiple accounts can have the same SPN

Bug 14300 - Multiple accounts can have the same SPN

Summary: Multiple accounts can have the same SPN

Status:	NEW

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	AD: LDB/DSDB/SAMDB (show other bugs)
Version:	4.13.4
Hardware:	All All

Importance:	P5 major (vote)
Target Milestone:	---
Assignee:	Andrew Bartlett
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2020-02-27 14:53 UTC by Björn Baumbach
Modified:	2021-08-06 03:23 UTC (History)
CC List:	2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Björn Baumbach 2020-02-27 14:53:24 UTC

In the Samba AD the same SPN can be specified for different accounts, but a SPN should be unique.

If two or more objects have the same SPN, the client can not get a ticket for this service, anymore.
This is easily reproducible by copying the SPNs from one computer object to another and try to get a ticket for the service.

The request for a ticket then fails on the DC with:
[2020/02/27 13:30:24.111645,  3, pid=7549, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Server not found in database: cifs/...: no such entry found in hdb
[2020/02/27 13:30:24.111682,  3, pid=7549, effective(0, 0), real(0, 0), class=kerberos] ../../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:...


MS Windows does not allow adding the same SPN to different objects. The Windows LDAP answers the attempt with LDAP_CONSTRAINT_VIOLATION.

Comment 1 Andrew Bartlett 2020-05-21 00:34:45 UTC

The right place for restricting things like this would be the samldb module.