Bug 7366 - ACL module: Windows workstations/servers can't update their SPNs - Service principal name write right missing
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: unspecified
Hardware: Other Linux
Importance: P3 normal
Target Milestone: ---
Assignee: Nadezhda Ivanova
QA Contact: samba4-qa@samba.org
Reported: 2010-04-16 05:48 UTC by Matthieu Patou
Modified: 2011-01-03 07:04 UTC
Description Matthieu Patou 2010-04-16 05:48:20 UTC
The problem appears on the reboot of a server or every 1 day.
A message like this appears in the Samba log:
Failed to modify SPNs on CN=Aresxp,CN=Computers,DC=home,DC=matws,DC=net: error in module acl: insufficient access rights (50)

It seems to be because we still have some bugs in the ACL module, as this ACE:
(OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;PS)
grants the write right (more or less) to the referenced object so that it can itself update the ServicePrincipalNames field.
Comment 1 Matthias Dieter Wallnöfer 2010-04-16 08:42:05 UTC
Let's assign this to Nadia (as it seems to be related to DS ACLs).
Comment 2 Matthias Dieter Wallnöfer 2010-10-04 09:36:20 UTC
Ekacnet, still an issue?
Comment 3 Nadezhda Ivanova 2010-11-08 10:06:27 UTC
ekacnet, is this server a domain controller?
Comment 4 Matthieu Patou 2010-11-08 12:35:53 UTC
No, just a plain w2k8 domain member.
Comment 5 Nadezhda Ivanova 2010-11-09 02:46:54 UTC
Could you please export its computer object in AD/Samba as an ldif and send it to me? Thanks!
Comment 6 Matthias Dieter Wallnöfer 2010-12-03 07:43:17 UTC
ekacnet, is it possible for you to provide the information requested by Nadya?
Comment 7 Matthieu Patou 2010-12-03 08:04:46 UTC
dn: CN=W2K8R2,CN=Computers,DC=domain,DC=tld
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
cn: W2K8R2
instanceType: 4
whenCreated: 20081028163547.0Z
uSNCreated: 3313
name: W2K8R2
objectGUID: 8b513de1-dd0e-4c07-a693-cc036a8f7f82
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
primaryGroupID: 515
objectSid: S-1-5-21-2345624060-2068466659-3617568096-1447
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: W2K8R2$
displayName: W2K8R2$
dNSHostName: W2K8R2.domain.tld
sAMAccountType: 805306369
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=domain,DC=tld
operatingSystem:: V2luZG93cyBTZXJ2ZXLCriAyMDA4IFN0YW5kYXJk
msDS-SupportedEncryptionTypes: 31
userAccountControl: 4096
operatingSystemServicePack: Service Pack 1
operatingSystemVersion: 6.0 (6001)
servicePrincipalName: HOST/w2k8r2.domain.tld
servicePrincipalName: TERMSRV/w2k8r2.domain.tld
servicePrincipalName: TERMSRV/W2K8R2
servicePrincipalName: TERMSRV/w2k8r2
servicePrincipalName: W2K8R2$\@DOMAIN.TLD
servicePrincipalName: HOST/W2K8R2
pwdLastSet: 129338822100000000
whenChanged: 20101110170330.0Z
uSNChanged: 261038
nTSecurityDescriptor: O:DAG:DUD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWP
 CRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPCRLCLOR
 CSDDT;;;DA)(A;IO;RPCRLCLORCSDDT;;;CO)(OA;;WP;4c164200-20c0-11d0-a768-00aa006e
 0529;;DA)(OA;IO;WP;4c164200-20c0-11d0-a768-00aa006e0529;;CO)(A;;RPLCLORC;;;AU
 )(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(A;;CCDC;;;PS)(OA;;CCDC;bf9
 67aa8-0de6-11d0-a285-00aa003049e2;;PO)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa0
 03049e2;;CA)(OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;PS)(OA;;RPWP;77b5b8
 86-944a-11d1-aebd-0000f80367c1;;PS)(OA;;SW;72e39547-7b18-11d1-adef-00c04fd8d5
 cd;;PS)(OA;;SW;72e39547-7b18-11d1-adef-00c04fd8d5cd;;DA)(OA;IO;SW;72e39547-7b
 18-11d1-adef-00c04fd8d5cd;;CO)(OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;D
 A)(OA;IO;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;CO)(OA;;WP;3e0abfd0-126a-11
 d0-a060-00aa006c33ed;bf967a86-0de6-11d0-a285-00aa003049e2;DA)(OA;IO;WP;3e0abf
 d0-126a-11d0-a060-00aa006c33ed;bf967a86-0de6-11d0-a285-00aa003049e2;CO)(OA;;W
 P;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967a86-0de6-11d0-a285-00aa003049e2;D
 A)(OA;IO;WP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967a86-0de6-11d0-a285-00aa
 003049e2;CO)(OA;;WP;bf967950-0de6-11d0-a285-00aa003049e2;bf967a86-0de6-11d0-a
 285-00aa003049e2;DA)(OA;IO;WP;bf967950-0de6-11d0-a285-00aa003049e2;bf967a86-0
 de6-11d0-a285-00aa003049e2;CO)(OA;;WP;bf967953-0de6-11d0-a285-00aa003049e2;bf
 967a86-0de6-11d0-a285-00aa003049e2;DA)(OA;IO;WP;bf967953-0de6-11d0-a285-00aa0
 03049e2;bf967a86-0de6-11d0-a285-00aa003049e2;CO)(OA;;RP;46a9b11d-60ae-405a-b7
 e8-ff8a58d456d2;;S-1-5-32-560)(OA;CIIOID;RP;4c164200-20c0-11d0-a768-00aa006e0
 529;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;4c164200-20c0-11d0-
 a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;5f202
 010-79a5-11d0-9020-00c04fc2d4cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;C
 IIOID;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;bf967aba-0de6-11d0-a285-00aa003
 049e2;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;4828cc14-1437-45b
 c-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;bf9
 67aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;RP;59ba2f42-79a2-11d0-9020-00
 c04fc2d3cf;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RP;59ba2f42-79a
 2-11d0-9020-00c04fc2d3cf;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIOID;R
 P;037088f8-0ae1-11d2-b422-00a0c968f939;4828cc14-1437-45bc-9b07-ad6f015e5f28;R
 U)(OA;CIIOID;RP;037088f8-0ae1-11d2-b422-00a0c968f939;bf967aba-0de6-11d0-a285-
 00aa003049e2;RU)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0
 de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f
 608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RP;b7c69e6d-2cc7-11d2-
 854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIOID;RPLCLORC
 ;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIOID;RPLCLORC;;bf967a9c-0de6-
 11d0-a285-00aa003049e2;RU)(OA;CIIOID;RPLCLORC;;bf967aba-0de6-11d0-a285-00aa00
 3049e2;RU)(OA;CIIOID;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;CIID;
 RPWPCRCCDCLCLORCWOWDSDDTSW;;;EA)(A;CIID;LC;;;RU)(A;CIID;RPWPCRCCLCLORCWOWDSDS
 W;;;BA)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-1
 1d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;b
 f967aa5-0de6-11d0-a285-00aa003049e2;WD)
distinguishedName: CN=W2K8R2,CN=Computers,DC=domain,DC=tld
Comment 8 Nadezhda Ivanova 2011-01-03 07:04:06 UTC
Hi Matthieu,
I believe that the problem is fixed, as the implementation of Validated-SPN that allows setting of "HOST/" is already in master. Check if you still get these messages next time you make an upgrade.
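
Added example (not part of the original bug report and not Samba's code): a small SDDL reader that unfolds an LDIF-exported nTSecurityDescriptor like the one in comment 7 and lists which trustees hold an allow ACE with the SW (self write) right for the Validated-SPN GUID quoted in the description. The function names are hypothetical and the sample is an excerpt of the page's descriptor. It assumes letter-coded rights as on the page, and it only lists allow ACEs; it does not evaluate deny ACEs or group membership.

```python
import re

# GUID in the ACE quoted in the bug description (Validated-SPN validated write).
VALIDATED_SPN = "f3a64788-5306-11d1-a9c5-0000f80367c1"

# Excerpt (selected ACEs) of the nTSecurityDescriptor from comment 7, LDIF-folded.
SAMPLE_LDIF = """\
nTSecurityDescriptor: O:DAG:DUD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;CCDC
 ;;;PS)(OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;PS)(OA;;SW;72e39547-7b18-
 11d1-adef-00c04fd8d5cd;;PS)(OA;;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;DA)(
 OA;IO;SW;f3a64788-5306-11d1-a9c5-0000f80367c1;;CO)S:AI(OU;CIIDSA;WP;f30e3bbe-
 9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
"""

def sddl_from_ldif(ldif, attr="nTSecurityDescriptor"):
    """Unfold LDIF continuation lines and return the attribute's value."""
    for line in ldif.replace("\n ", "").splitlines():
        if line.startswith(attr + ": "):
            return line[len(attr) + 2:]
    raise ValueError(f"{attr} not found")

def pairs(s):
    """Split a run of two-letter SDDL codes, e.g. 'CIIOID' -> CI, IO, ID."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def parse_dacl(sddl):
    """Return the DACL's ACEs as dicts; owner, group and SACL are ignored."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not m:
        return []
    keys = ("type", "flags", "rights", "object", "inherit_object", "trustee")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(1)):
        ace = dict(zip(keys, body.split(";")))
        ace["flags"], ace["rights"] = pairs(ace["flags"]), pairs(ace["rights"])
        aces.append(ace)
    return aces

def spn_self_write_grants(sddl, guid=VALIDATED_SPN):
    """Trustees whose allow ACEs carry SW for `guid` on the object itself."""
    out = []
    for ace in parse_dacl(sddl):
        # An empty object GUID means the ACE is not scoped to one right.
        scoped = ace["type"] in ("A", "OA") and ace["object"].lower() in ("", guid)
        # Inherit-only (IO) ACEs do not apply to the object that holds them.
        if scoped and "SW" in ace["rights"] and "IO" not in ace["flags"]:
            if ace["trustee"] not in out:
                out.append(ace["trustee"])
    return out
```

On the excerpt this returns DA (Domain Admins) and PS (Principal Self); the CO ACE is skipped because it is inherit-only.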