Background: Separate from the computer accounts I am using service user accounts for services like apache (svc_<hostname>_apache). Until now apache used HTTP/<host_fqdn> as its SPN. The HTTP SPN is in the list of host SPN aliases, found here:

'CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=samdom,DC=example,DC=com'

It contains:

sPNMappings: host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,
replicator,eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,
fax,msiserver,ias,messenger,netlogon,netman,netdde,netddedsm,nmagent,
plugplay,protectedstorage,rasman,rpclocator,rpc,rpcss,remoteaccess,
rsvp,samss,scardsvr,scesrv,seclogon,scm,dcom,cifs,spooler,snmp,
schedule,tapisrv,trksvr,trkwks,ups,time,wins,www,http,w3svc,
iisadmin,msdtc

There is also a thread on the mailing list: https://lists.samba.org/archive/samba/2022-January/239245.html

Issues: Depending on the order of things, (different) problems arise.

1) The HTTP principal is assigned to the SVC account before the computer joins the domain; then the join fails with:

"Failed to join domain: Failed to set machine spn: Constraint violation"

The computer does not join and an error is displayed; this is correct behavior. The error could be better: it does not point at the SPN alias (so it is still unclear how this happened, which caused me to start a thread on the mailing list).

2) The computer is joined before the HTTP SPN is set on the SVC account. An error is displayed, but the principal is still assigned:

samba-tool spn add 'HTTP/myserver.samdom.net' svc_myserver_apache
check_spn_alias_collision: trying to add SPN 'HTTP/myserver.samdom.net' on 'CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net' when 'host/myserver.samdom.net' is on 'CN=myserver,OU=Member Servers,DC=samdom,DC=net'

samba-tool spn list svc_myserver_apache
svc_myserver_apache
User CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net has the following servicePrincipalName:
         HTTP/myserver.samdom.net

I would expect the action to fail (i.e. no HTTP SPN assigned) and a clear error mentioning the host alias list.

3) Same as 2), but now we use WWW as the SPN for the SVC account instead of HTTP. No error is shown and the action succeeds.

samba-tool spn add 'WWW/myserver.samdom.net' svc_myserver_apache

samba-tool spn list svc_myserver_apache
svc_myserver_apache
User CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net has the following servicePrincipalName:
         WWW/myserver.samdom.net

I would expect the action to fail (i.e. no HTTP SPN assigned) and a clear error mentioning the host alias list. Having different behavior than in 2) for the same kind of issue is inconsistent.

4) Numbers 2) and 3) violate the behavior described in CVE-2021-42282 in: https://support.microsoft.com/en-us/topic/kb5008382-verification-of-uniqueness-for-user-principal-name-service-principal-name-and-the-service-principal-name-alias-cve-2021-42282-4651b175-290c-4e59-8fcb-e4e5cd0cdb29

MS states there are specific settings in dSHeuristics to allow for non-unique SPNs. Either these settings are enabled by default in Samba, or the current behavior differs from the docs. If uniqueness is guaranteed then it should not be possible to add the SPNs in 2) and 3) on the SVC account at all, because they are already claimed by the host account.

- Kees
The error message received in case 2) is not actually an error, but just a debugging message that is displayed when the SPN collision check is performed. Case 3) should have also displayed this message, but it did not due to https://bugzilla.samba.org/show_bug.cgi?id=14950. For security reasons, we chose to always observe these restrictions and not allow them to be disabled via dSHeuristics. However, conflicting SPNs can still be added if you also have the rights to edit the SPNs on the first account. This is why it was possible to add the SPNs in cases 2) and 3).
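As an added illustration (not Samba's own check_spn_alias_collision code), the following models how a host-alias collision check resolves the sPNMappings value quoted above, so that both HTTP/ and WWW/ on the service account are found to clash with host/ on the member server; the directory contents and DNs are constructed from the report's examples.

```python
from typing import Dict, List, Optional, Tuple

# Constructed copy of the sPNMappings value quoted in the report.
SPN_MAPPINGS = (
    "host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,replicator,"
    "eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,fax,msiserver,"
    "ias,messenger,netlogon,netman,netdde,netddedsm,nmagent,plugplay,"
    "protectedstorage,rasman,rpclocator,rpc,rpcss,remoteaccess,rsvp,samss,"
    "scardsvr,scesrv,seclogon,scm,dcom,cifs,spooler,snmp,schedule,tapisrv,"
    "trksvr,trkwks,ups,time,wins,www,http,w3svc,iisadmin,msdtc"
)
HOST_DN = "CN=myserver,OU=Member Servers,DC=samdom,DC=net"
SVC_DN = "CN=svc_myserver_apache,OU=Service Accounts,OU=Noninteractive Users,DC=samdom,DC=net"
# Constructed directory state: the joined member server already owns host/<fqdn>.
DIRECTORY: Dict[str, List[str]] = {HOST_DN: ["host/myserver.samdom.net", "host/MYSERVER"], SVC_DN: []}

def parse_spn_mappings(value: str) -> Dict[str, str]:
    """Map every alias service class (lower-cased) to its canonical class ('host')."""
    canonical, _, aliases = value.partition("=")
    return {a.strip().lower(): canonical.strip().lower() for a in aliases.split(",") if a.strip()}

def canonical_spn(spn: str, mappings: Dict[str, str]) -> str:
    """Normalise e.g. 'HTTP/myserver.samdom.net' to 'host/myserver.samdom.net'.
    Service class and instance name are both compared case-insensitively."""
    service_class, sep, instance = spn.partition("/")
    if not sep or not instance:
        raise ValueError(f"malformed SPN: {spn!r}")
    cls = service_class.lower()
    return f"{mappings.get(cls, cls)}/{instance.lower()}"

def find_spn_collision(new_spn: str, target_dn: str, directory: Dict[str, List[str]],
                       mappings: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (existing SPN, owner DN) when new_spn is already claimed, directly or
    through a host alias, by an account other than target_dn; otherwise None."""
    wanted = canonical_spn(new_spn, mappings)
    for dn, spns in directory.items():
        if dn.lower() == target_dn.lower():
            continue  # an account re-adding its own SPN is not a collision
        for existing in spns:
            if canonical_spn(existing, mappings) == wanted:
                return existing, dn
    return None

if __name__ == "__main__":
    m = parse_spn_mappings(SPN_MAPPINGS)
    for spn in ("HTTP/myserver.samdom.net", "WWW/myserver.samdom.net", "MSSQLSvc/myserver.samdom.net"):
        print(spn, "->", find_spn_collision(spn, SVC_DN, DIRECTORY, m))
```

A directory that enforces uniqueness would refuse the add whenever this returns a match; the report's cases 2) and 3) are exactly the HTTP/ and WWW/ inputs here, while a class that is not a host alias (MSSQLSvc/) is allowed.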
https://bugzilla.samba.org/show_bug.cgi?id=14950 has also solved case 1). With that there is no reason to keep this bug open, i.e. closing it.