The problem appears on the reboot of a server or every 1 day. A message like this appears in the Samba log:

Failed to modify SPNs on CN=Aresxp,CN=Computers,DC=home,DC=matws,DC=net: error in module acl: insufficient access rights (50)

It seems to be because we still have some bugs in the ACL module, as this ACE: (OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;PS) grants write right (more or less) to the referenced object to update the field ServicePrincipalNames itself.
Let's assign this to Nadia (as it seems to be related to DS ACLs).
Ekacnet, still an issue?
ekacnet, is this server a domain controller?
No, just a plain w2k8 domain member.
Could you please export its computer object in AD/Samba as an ldif and send it to me? Thanks!
ekacnet, is it possible for you to provide the information requested by Nadya?
dn: CN=W2K8R2,CN=Computers,DC=domain,DC=tld
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: W2K8R2
instanceType: 4
whenCreated: 20081028163547.0Z
uSNCreated: 3313
name: W2K8R2
objectGUID: 8b513de1-dd0e-4c07-a693-cc036a8f7f82
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 515
objectSid: S-1-5-21-2345624060-2068466659-3617568096-1447
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: W2K8R2$
displayName: W2K8R2$
dNSHostName: W2K8R2.domain.tld
sAMAccountType: 805306369
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=domain,DC=tld
operatingSystem:: V2luZG93cyBTZXJ2ZXLCriAyMDA4IFN0YW5kYXJk
msDS-SupportedEncryptionTypes: 31
userAccountControl: 4096
operatingSystemServicePack: Service Pack 1
operatingSystemVersion: 6.0 (6001)
servicePrincipalName: HOST/w2k8r2.domain.tld
servicePrincipalName: TERMSRV/w2k8r2.domain.tld
servicePrincipalName: TERMSRV/W2K8R2
servicePrincipalName: TERMSRV/w2k8r2
servicePrincipalName: W2K8R2$\@DOMAIN.TLD
servicePrincipalName: HOST/W2K8R2
pwdLastSet: 129338822100000000
whenChanged: 20101110170330.0Z
uSNChanged: 261038
nTSecurityDescriptor: O:DAG:DUD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWP
 CRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPCRLCLOR
 CSDDT;;;DA)(A;IO;RPCRLCLORCSDDT;;;CO)(OA;;WP;4c164200-20c0-11d0-a768-00aa006e
 0529;;DA)(OA;IO;WP;4c164200-20c0-11d0-a768-00aa006e0529;;CO)(A;;RPLCLORC;;;AU
 )(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(A;;CCDC;;;PS)(OA;;CCDC;bf9
 67aa8-0de6-11d0-a285-00aa003049e2;;PO)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa0
 03049e2;;CA)(OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;PS)(OA;;RPWP;77b5b8
 86-944a-11d1-aebd-0000f80367c1;;PS)(OA;;SW;72e39547-7b18-11d1-adef-00c04fd8d5
 cd;;PS)(OA;;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;;DA)(OA;IO;SW;72e39547-7b
 18-11d1-adef-00c04fd8d5cd;;CO)(OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;D
 A)(OA;IO;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;CO)(OA;;WP;3e0abfd0-126a-11
 d0-a060-00aa006c33ed;bf967a86-0de6-11d0-a285-00aa003049e2;DA)(OA;IO;WP;3e0abf
 d0-126a-11d0-a060-00aa006c33ed;bf967a86-0de6-11d0-a285-00aa003049e2;CO)(OA;;W
 P;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967a86-0de6-11d0-a285-00aa003049e2;D
 A)(OA;IO;WP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967a86-0de6-11d0-a285-00aa
 003049e2;CO)(OA;;WP;bf967950-0de6-11d0-a285-00aa003049e2;bf967a86-0de6-11d0-a
 285-00aa003049e2;DA)(OA;IO;WP;bf967950-0de6-11d0-a285-00aa003049e2;bf967a86-0
 de6-11d0-a285-00aa003049e2;CO)(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;bf
 967a86-0de6-11d0-a285-00aa003049e2;DA)(OA;IO;WP;bf967953-0de6-11d0-a285-00aa0
 03049e2;bf967a86-0de6-11d0-a285-00aa003049e2;CO)(OA;;RP;46a9b11d-60ae-405a-b7
 e8-ff8a58d456d2;;S-1-5-32-560)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0
 529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;4c164200-20c0-11d0-
 a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;5f202
 010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;C
 IIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003
 049e2;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45b
 c-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf9
 67aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00
 c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;59ba2f42-79a
 2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;R
 P;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;R
 U)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-
 00aa003049e2;RU)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0
 de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f
 608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-
 854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RPLCLORC
 ;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RPLCLORC;;bf967a9c-0de6-
 11d0-a285-00aa003049e2;RU)(OA;CIIOID;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa00
 3049e2;RU)(OA;CIIOID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;CIID;
 RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIID;LC;;;RU)(A;CIID;RPWPCRCCLCLORCWOWDSDS
 W;;;BA)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-1
 1d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;b
 f967aa5-0de6-11d0-a285-00aa003049e2;WD)
distinguishedName: CN=W2K8R2,CN=Computers,DC=domain,DC=tld
Hi Matthieu, I believe that the problem is fixed, as the implementation of Validated-SPN that allows setting of "HOST/" is already in master. Check if you still get these messages next time you make an upgrade.
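
Added example, not part of the original thread and not Samba's ACL code: a small Python parser that lists which trustees in an exported nTSecurityDescriptor hold an allow ACE for validated write (SW) on servicePrincipalName, the ACE the report points at. The function names are hypothetical, the sample is a constructed excerpt of the posted descriptor, and deny ACEs and ACE ordering are not evaluated.

```python
import re

# Validated-SPN right, the GUID in the ACE quoted in the report.
VALIDATED_SPN = "f3a64788-5306-11d1-a9c5-0000f80367c1"
ADS_RIGHT_DS_SELF = 0x8  # numeric form of the SDDL right "SW"

# Constructed sample: ACEs copied from the posted nTSecurityDescriptor,
# with one LDIF fold (newline + space) left in the middle of a GUID.
SAMPLE_SDDL = (
    "O:DAG:DUD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;CCDC;;;PS)"
    "(OA;;SW;f3a64788-5306-11d1-a9c5-00\n 00f80367c1;;PS)"
    "(OA;;RPWP;77b5b886-944a-11d1-aebd-0000f80367c1;;PS)"
    "(OA;;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;;PS)"
    "(OA;IO;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;CO)"
    "S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
    "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
)

def parse_dacl(sddl):
    """Return the DACL's ACEs as dicts; folding whitespace is dropped first."""
    flat = re.sub(r"\s+", "", sddl)
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", flat)
    if not m:
        return []
    names = ("type", "flags", "rights", "object", "inherit_object", "trustee")
    return [dict(zip(names, body.split(";")))
            for body in re.findall(r"\(([^)]*)\)", m.group(1))]

def has_self_write(rights):
    """True if the rights field (two-letter codes or hex mask) contains SW."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & ADS_RIGHT_DS_SELF)
    return "SW" in re.findall("..", rights)

def spn_self_writers(sddl):
    """Trustees with an allow ACE for validated write to servicePrincipalName
    that applies to this object (inherit-only ACEs are skipped)."""
    out = []
    for ace in parse_dacl(sddl):
        if ace["type"] not in ("A", "OA") or "IO" in re.findall("..", ace["flags"]):
            continue
        # An empty object GUID means the ACE covers every validated write.
        if has_self_write(ace["rights"]) and ace["object"].lower() in ("", VALIDATED_SPN):
            out.append(ace["trustee"])
    return out

if __name__ == "__main__":
    print(spn_self_writers(SAMPLE_SDDL))
```

If PS is in the returned list, the descriptor allows the machine account to update its own SPNs, so an "insufficient access rights" error on that update points at the access check rather than at the ACL on the object.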