On my s4 rc3 DC I saw in the samba log from time to time: [2012/10/22 07:59:47, 0] ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn) Failed to modify SPNs on CN=immun-23,CN=Computers,DC=muc,DC=medizinische-genetik,DC=de: error in module acl: Constraint violation (19) [2012/10/22 08:25:15, 0] ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn) Failed to modify SPNs on CN=immun-12,CN=Computers,DC=muc,DC=medizinische-genetik,DC=de: error in module acl: Constraint violation (19) [2012/10/22 08:37:26, 0] ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn) Failed to modify SPNs on CN=imgm-16,CN=Computers,DC=muc,DC=medizinische-genetik,DC=de: error in module acl: Constraint violation (19) [2012/10/22 08:42:36, 0] ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn) Failed to modify SPNs on CN=immun-06,CN=Computers,DC=muc,DC=medizinische-genetik,DC=de: error in module acl: Constraint violation (19) [2012/10/22 09:03:45, 0] ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn) Failed to modify SPNs on CN=imgm-10,CN=Computers,DC=muc,DC=medizinische-genetik,DC=de: error in module acl: Constraint violation (19) [2012/10/22 16:18:32, 0] ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn) Failed to modify SPNs on CN=immun-07,CN=Computers,DC=muc,DC=medizinische-genetik,DC=de: error in module acl: Constraint violation (19) I can't say when this always happen. But it happens to rarely to run on debug level 10 and wait. Let me know if I can do anything better for providing you with additional information.
I've the same issue, only with a windows 2000 terminal server, samba4rc5 on 64bit ubuntu 12.04.1 ... [2012/11/18 13:09:26, 0] ../source4/smbd/server.c:475(binary_smbd_main) samba: using 'standard' process model [2012/11/18 14:56:10, 0] ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn) Failed to modify SPNs on CN=W2000,CN=Computers,DC=xxx,DC=lan: error in module acl: insufficient access rights (50) [2012/11/18 14:56:19, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet) NTLMSSP NTLM2 packet check failed due to invalid signature! [2012/11/18 15:04:41, 0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet) NTLMSSP NTLM2 packet check failed due to invalid signature! [2012/11/18 15:07:05, 0] ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn) Failed to modify SPNs on CN=W2000,CN=Computers,DC=xxx,DC=lan: error in module acl: Constraint violation (19) [2012/11/18 15:59:47, 0] ../source4/rpc_server/handles.c:102(dcesrv_handle_fetch) ../source4/rpc_server/handles.c:102: Attempt to use invalid sid S-1-5-21-123456789-14442762-398547282-1077 - S-1-5-7 [2012/11/18 15:59:47, 0] ../source4/rpc_server/handles.c:102(dcesrv_handle_fetch) ../source4/rpc_server/handles.c:102: Attempt to use invalid sid S-1-5-21-123456789-14442762-398547282-1077 - S-1-5-7 [2012/11/18 15:59:47, 0] ../source4/rpc_server/handles.c:102(dcesrv_handle_fetch) ... also failed to update dns entry: Nov 18 17:52:56 sambadc named[752]: client 192.168.12.34#57038: request has invalid signature: TSIG 1236950581266-2 (w2000\$\@XXX.LAN): tsig verify failure (BADSIG)
*** Bug 10080 has been marked as a duplicate of this bug. ***
Just an update: This still exists unchanged in 4.1.7: May 2 16:14:34 exon samba[63829]: [2014/05/02 16:14:34.787053, 0, pid=63829] ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn) May 2 16:14:34 exon samba[63829]: Failed to modify SPNs on CN=IMMUN-10,CN=Computers,DC=muc,DC=medizinische-genetik,DC=de: error in module acl: Constraint violation (19)
(In reply to comment #3) > Just an update: > This still exists unchanged in 4.1.7: > > May 2 16:14:34 exon samba[63829]: [2014/05/02 16:14:34.787053, 0, pid=63829] > ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn) > May 2 16:14:34 exon samba[63829]: Failed to modify SPNs on > CN=IMMUN-10,CN=Computers,DC=muc,DC=medizinische-genetik,DC=de: error in module > acl: Constraint violation (19) Same here!
(In reply to comment #4) > (In reply to comment #3) > > Just an update: > > This still exists unchanged in 4.1.7: > > > > May 2 16:14:34 exon samba[63829]: [2014/05/02 16:14:34.787053, 0, pid=63829] > > ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn) > > May 2 16:14:34 exon samba[63829]: Failed to modify SPNs on > > CN=IMMUN-10,CN=Computers,DC=muc,DC=medizinische-genetik,DC=de: error in module > > acl: Constraint violation (19) > > Same here! I am having the same errors here, my samba is a 4.1.4 compilation, and some machines are giving the same error when users try to log on: "failed to modify spn on ... constraint violation (19)", I noted that these machines are from the same brand, a local brand called "DATEM Computers". I have 100 machines on Samba4 and these erros are only from "Datem Computers" brand.
I have the same issue. Samba 4.1.6 ubuntu 14.04 server. The issue is generated by windows virtual machinces which run Vmware servers (vcenter and view connection server).
I am also receiving this error on FreeBSD 10.1 samba42 compiled from ports collection on 6/12/2015. samba version 4.2.2 started. Copyright Andrew Tridgell and the Samba Team 1992-2014 [2015/06/15 22:01:43.680515, 0] ../source4/smbd/server.c:488(binary_smbd_main) samba: using 'standard' process model [2015/06/15 22:01:43.759498, 0] ../lib/util/become_daemon.c:124(daemon_ready) STATUS=daemon 'samba' finished starting up and ready to serve connections [2015/06/17 01:33:23.580035, 0] ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn) Failed to modify SPNs on CN=WIN7LABIF,CN=Computers,DC=nwa,DC=local: error in module acl: Constraint violation during LDB_MODIFY (19) [2015/06/17 01:35:05.981984, 0] ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn) Failed to modify SPNs on CN=DELLPC11,CN=Computers,DC=nwa,DC=local: error in module acl: Constraint violation during LDB_MODIFY (19) [2015/06/17 01:49:29.917183, 0] ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn) Failed to modify SPNs on CN=PC-GW2-04052010,CN=Computers,DC=nwa,DC=local: error in module acl: Constraint violation during LDB_MODIFY (19) [2015/06/17 02:12:50.499246, 0] ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn) Failed to modify SPNs on CN=WIN711102011,CN=Computers,DC=nwa,DC=local: error in module acl: Constraint violation during LDB_MODIFY (19) There are more (40 or so) machines in the domain and I think I am just seeing it specific to certain ones ... I am thinking of removing one from the domain and then rejoining as this domain has been migrated from Win2003 SBS to Samba 42 I should mention the domain in this case really provides nothing other than a login and the desktops the users have become accustomed to (they are not roaming, users are consistent at a specific machine). I did not manually copy over the sysvol and I really don't know what, if any, group policies are in place. The good news is they have been running for two days without issue...
I am seeing the same error with a single client on a network of about 30 computers. This is a Windows 7 machine of the exact same type as several others and only this one keeps producing this error daily.
I already joined this computer to the domain again but the error is still there. It occurs when the computer is turned on every morning.
Is someone able to reproduce this in a test environment where "log level = 10" can be used?
https://msdn.microsoft.com/en-us/library/ms191153.aspx indicates that it's common to use spn in a form of: MSSQLSvc/host.domain.example.com:port I guess acl_validate_spn_value() needs to ignore the ':port' part, e.g. everthing starting from ':'
yes, for reference here are the SPNs of a SQL server in a native MS AD: servicePrincipalName: MSSQLSvc/MS-SQL01.exchange.example.de:1433 servicePrincipalName: MSSQLSvc/MS-SQL01.exchange.example.de servicePrincipalName: MSSQLSvc/MS-SQL01.exchange.example.de:60448 servicePrincipalName: MSSQLSvc/MS-SQL01.exchange.example.de:AUTODESKVAULT servicePrincipalName: TERMSRV/MS-SQL01.exchange.example.de servicePrincipalName: TERMSRV/MS-SQL01 servicePrincipalName: WSMAN/MS-SQL01 servicePrincipalName: WSMAN/MS-SQL01.exchange.example.de servicePrincipalName: RestrictedKrbHost/MS-SQL01 servicePrincipalName: HOST/MS-SQL01 servicePrincipalName: RestrictedKrbHost/MS-SQL01.exchange.example.de servicePrincipalName: HOST/MS-SQL01.exchange.example.de
*** Bug 10421 has been marked as a duplicate of this bug. ***