Bug 15787 - samba_spnupdate fails with SPN uniqueness check when DNS SPN already exists on dns-${HOSTNAME}.
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.15.3
Hardware: All Linux
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2025-01-21 16:23 UTC by David Holder
Modified: 2025-01-28 09:06 UTC
CC List: 2 users

See Also:
Description David Holder 2025-01-21 16:23:15 UTC
Greetings all! There is an issue with samba_spnupdate.

samba_spnupdate should add the HOST SPNs and all of the SPN aliases for the DC even when some already exist.

It will not add any SPNs if one or more aliases are not unique, which is correct, but...

If the DC is using BIND, then there will be a dns SPN alias on the dns-${HOSTNAME} account, where ${HOSTNAME} is the DC's hostname. This SPN is of the form dns/${HOSTNAME}, which is a duplicate of the one that samba_spnupdate will attempt to add to the ${HOSTNAME}$ account.

This is not a problem if samba_spnupdate is run for the first time and there is no dns alias on dns-${HOSTNAME}. But if something has happened that requires samba_spnupdate to be run to create the DC's SPNs and the dns alias already exists it will fail. In this case it will also fail to add the SPNs if samba is restarted.

The file spn_update_list has a comment that is relevant:
# Only used in DNS mode: (This is added on dns-${HOSTNAME} account, should not be added here)
# DNS/${HOSTNAME}

The function find_spn_aliases() in source4/dsdb/samdb/ldb_modules/samldb.c creates a list of aliases to check for uniqueness. This list includes "dns" even when the dns alias is already on the dns-${HOSTNAME} account.

You can find the list of SPN aliases using something like:
ldbsearch -H /var/lib/samba/private/sam.ldb -b "CN=Configuration,DC=erionltd,DC=example,DC=com" '(objectClass=nTDSService)' 'sPNMappings'

In the case when the dns alias is on dns-${HOSTNAME}, the aliases returned from find_spn_aliases() should have the dns alias removed. See check_spn_alias_collision().

To reproduce: on a DC with BIND DNS and with the SPNs configured (including the dns SPN on the dns-${HOSTNAME} account), remove some of the SPNs on the ${HOSTNAME}$ account and then try to run samba_spnupdate. It will fail.
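The following is an added example (not code from the reporter, and not Samba's samldb.c or samba_spnupdate) that models the alias-uniqueness check the report describes: sPNMappings from the nTDSService object are expanded into the set of service names AD treats as equivalent, every SPN that samba_spnupdate is about to add is checked against those aliases on all other objects, and a single collision rejects the whole batch. It then shows one possible shape of the fix: instead of dropping "dns" from the alias list outright, tolerate the "dns" alias only when its holder is the DC's own dns-${HOSTNAME} account. The DNs, the directory contents, the shortened sPNMappings value, the subset of spn_update_list and the bind_dns_exceptions() helper (including the assumption that the BIND account's RDN is CN=dns-<shortname>) are all constructed for the demonstration; how a caller decides that BIND is in use is left as an input, since that is the open question in this bug.

```python
"""Illustrative model of the SPN-alias uniqueness check described in this bug.

Added example: this is NOT Samba's samldb.c or samba_spnupdate.  The directory
contents, the DNs, the SPN list and the sPNMappings value are constructed for
the demonstration.
"""

# Constructed: a shortened sPNMappings value in the "service=alias,alias,..."
# shape that the nTDSService object carries (the ldbsearch in the report
# returns the real, much longer, list).
SPN_MAPPINGS = [
    "host=alerter,appmgmt,browser,dhcp,dns,dnscache,eventlog,netlogon,"
    "rpc,rpcss,samss,spooler,time,w3svc,wins,www",
]

# Constructed directory: DN -> set of servicePrincipalName values.  DC1$ has
# lost its FQDN-based SPNs (the report's reproduction step), while the BIND
# account dns-dc1 legitimately holds dns/dc1.example.com.
DC_DN = "CN=DC1,OU=Domain Controllers,DC=example,DC=com"
DNS_ACCOUNT_DN = "CN=dns-dc1,CN=Users,DC=example,DC=com"
DIRECTORY = {
    DC_DN: {"HOST/DC1", "ldap/DC1"},
    DNS_ACCOUNT_DN: {"dns/dc1.example.com"},
}

# Constructed subset of what spn_update_list expands to for this host.
WANTED_SPNS = [
    "HOST/DC1",
    "HOST/dc1.example.com",
    "ldap/DC1",
    "ldap/dc1.example.com",
    "ldap/dc1.example.com/example.com",
]


def fresh_directory():
    """A fresh copy of the constructed directory (spn_update mutates its input)."""
    return {dn: set(spns) for dn, spns in DIRECTORY.items()}


def parse_spn(spn):
    """Split 'service/instance[...]' into lower-cased (service, instance)."""
    service, sep, instance = spn.partition("/")
    if not sep or not service or not instance:
        raise ValueError(f"not an SPN: {spn!r}")
    return service.lower(), instance.lower()


def parse_spn_mappings(values):
    """sPNMappings values -> {mapped service: [aliases]}."""
    table = {}
    for value in values:
        service, _, aliases = value.partition("=")
        table[service.strip().lower()] = [
            a.strip().lower() for a in aliases.split(",") if a.strip()
        ]
    return table


def find_spn_aliases(service, mappings):
    """Every service name AD treats as equivalent to `service`: the mapped
    service plus all aliases on its line.  A name with no mapping line is
    only equivalent to itself."""
    for mapped, aliases in parse_spn_mappings(mappings).items():
        if service == mapped or service in aliases:
            return sorted({mapped, *aliases})
    return [service]


def check_spn_alias_collision(directory, target_dn, spn, mappings, tolerated=frozenset()):
    """Return [(dn, spn)] for SPNs held by *other* objects that equal `spn` or
    one of its aliases.  `tolerated` holds (alias, dn) pairs allowed to coexist;
    this is the hypothetical dns-${HOSTNAME} exception, not current Samba logic."""
    service, instance = parse_spn(spn)
    conflicts = []
    for alias in find_spn_aliases(service, mappings):
        candidate = f"{alias}/{instance}"
        for dn, spns in directory.items():
            if dn == target_dn or (alias, dn) in tolerated:
                continue
            if candidate in {s.lower() for s in spns}:
                conflicts.append((dn, candidate))
    return conflicts


def bind_dns_exceptions(directory, hostname):
    """(alias, dn) pairs to tolerate when BIND is the DNS backend: the 'dns'
    alias on the DC's own dns-<shortname> account only.  Deciding that BIND
    is in use is left to the caller (assumed RDN shape: CN=dns-<shortname>)."""
    short = hostname.split(".")[0].lower()
    rdn = f"cn=dns-{short},"
    return {("dns", dn) for dn in directory if dn.lower().startswith(rdn)}


def spn_update(directory, target_dn, wanted, mappings, hostname, bind_dns=False):
    """Model of samba_spnupdate's all-or-nothing behaviour: add every missing
    SPN to target_dn, or, if any of them (or an alias of them) collides on
    another object, add none and return the conflicts."""
    tolerated = bind_dns_exceptions(directory, hostname) if bind_dns else frozenset()
    have = {s.lower() for s in directory[target_dn]}
    missing = [s for s in wanted if s.lower() not in have]
    conflicts = []
    for spn in missing:
        conflicts += check_spn_alias_collision(directory, target_dn, spn, mappings, tolerated)
    if conflicts:
        return [], conflicts
    directory[target_dn].update(missing)
    return missing, []


if __name__ == "__main__":
    for bind in (False, True):
        added, conflicts = spn_update(fresh_directory(), DC_DN, WANTED_SPNS,
                                      SPN_MAPPINGS, "dc1.example.com", bind_dns=bind)
        print(f"bind_dns={bind}: added={added} conflicts={conflicts}")
```

With bind_dns=False the model reproduces the report: HOST/dc1.example.com expands to dns/dc1.example.com, which is found on dns-dc1, so nothing is added. With bind_dns=True the same SPN is tolerated only on that account; a dns/dc1.example.com held by any other object is still rejected, which is why a per-holder exception is safer than simply deleting "dns" from the alias list.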
Comment 1 Douglas Bagnall 2025-01-22 22:13:08 UTC
Thanks David.

Do you by any chance want to express that as a patch?
Comment 2 David Holder 2025-01-28 09:06:29 UTC
Hi Douglas,

I thought about trying to create a patch, but I don't know how best to fix this. I hoped that someone in the Samba team would know :-).

Is there a "best practice" method of determining if the DC is using BIND as the DNS server? If so, do you agree that this should be checked in find_spn_aliases and that if the DC is using BIND, then the dns alias should then be removed from the list?

Thanks, David