Bug 9316 - Failed to modify SPNs on ...: error in module acl: Constraint violation (19)
Summary: Failed to modify SPNs on ...: error in module acl: Constraint violation (19)
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.1.7
Hardware: x64 Windows 7
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
: 10080 10421 (view as bug list)
Depends on:
Blocks: 9848 10421
  Show dependency treegraph
 
Reported: 2012-10-22 14:24 UTC by Marc Muehlfeld
Modified: 2024-10-17 22:20 UTC (History)
14 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marc Muehlfeld 2012-10-22 14:24:30 UTC
On my s4 rc3 DC I saw in the samba log from time to time:

[2012/10/22 07:59:47,  0] ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
  Failed to modify SPNs on CN=immun-23,CN=Computers,DC=muc,DC=medizinische-genetik,DC=de: error in module acl: Constraint violation (19)
[2012/10/22 08:25:15,  0] ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
  Failed to modify SPNs on CN=immun-12,CN=Computers,DC=muc,DC=medizinische-genetik,DC=de: error in module acl: Constraint violation (19)
[2012/10/22 08:37:26,  0] ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
  Failed to modify SPNs on CN=imgm-16,CN=Computers,DC=muc,DC=medizinische-genetik,DC=de: error in module acl: Constraint violation (19)
[2012/10/22 08:42:36,  0] ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
  Failed to modify SPNs on CN=immun-06,CN=Computers,DC=muc,DC=medizinische-genetik,DC=de: error in module acl: Constraint violation (19)
[2012/10/22 09:03:45,  0] ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
  Failed to modify SPNs on CN=imgm-10,CN=Computers,DC=muc,DC=medizinische-genetik,DC=de: error in module acl: Constraint violation (19)
[2012/10/22 16:18:32,  0] ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
  Failed to modify SPNs on CN=immun-07,CN=Computers,DC=muc,DC=medizinische-genetik,DC=de: error in module acl: Constraint violation (19)



I can't say when this always happen. But it happens to rarely to run on debug level 10 and wait. Let me know if I can do anything better for providing you with additional information.
Comment 1 Manfred Odenstein 2012-11-20 11:53:57 UTC
I've the same issue, only with a windows 2000 terminal server, samba4rc5 on 64bit ubuntu 12.04.1

...
[2012/11/18 13:09:26,  0] ../source4/smbd/server.c:475(binary_smbd_main)
  samba: using 'standard' process model
[2012/11/18 14:56:10,  0] ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
  Failed to modify SPNs on CN=W2000,CN=Computers,DC=xxx,DC=lan: error in module acl: insufficient access rights (50)
[2012/11/18 14:56:19,  0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2012/11/18 15:04:41,  0] ../auth/ntlmssp/ntlmssp_sign.c:236(ntlmssp_check_packet)
  NTLMSSP NTLM2 packet check failed due to invalid signature!
[2012/11/18 15:07:05,  0] ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
  Failed to modify SPNs on CN=W2000,CN=Computers,DC=xxx,DC=lan: error in module acl: Constraint violation (19)
[2012/11/18 15:59:47,  0] ../source4/rpc_server/handles.c:102(dcesrv_handle_fetch)
  ../source4/rpc_server/handles.c:102: Attempt to use invalid sid S-1-5-21-123456789-14442762-398547282-1077 - S-1-5-7
[2012/11/18 15:59:47,  0] ../source4/rpc_server/handles.c:102(dcesrv_handle_fetch)
  ../source4/rpc_server/handles.c:102: Attempt to use invalid sid S-1-5-21-123456789-14442762-398547282-1077 - S-1-5-7
[2012/11/18 15:59:47,  0] ../source4/rpc_server/handles.c:102(dcesrv_handle_fetch)
...

also failed to update dns entry:
Nov 18 17:52:56 sambadc named[752]: client 192.168.12.34#57038: request has invalid signature: TSIG 1236950581266-2 (w2000\$\@XXX.LAN): tsig verify failure (BADSIG)
Comment 2 Björn Baumbach 2014-02-18 11:46:43 UTC
*** Bug 10080 has been marked as a duplicate of this bug. ***
Comment 3 Marc Muehlfeld 2014-05-02 15:54:09 UTC
Just an update:
This still exists unchanged in 4.1.7:

May  2 16:14:34 exon samba[63829]: [2014/05/02 16:14:34.787053,  0, pid=63829] ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
May  2 16:14:34 exon samba[63829]:   Failed to modify SPNs on CN=IMMUN-10,CN=Computers,DC=muc,DC=medizinische-genetik,DC=de: error in module acl: Constraint violation (19)
Comment 4 Rainer Emrich 2014-05-14 15:52:11 UTC
(In reply to comment #3)
> Just an update:
> This still exists unchanged in 4.1.7:
> 
> May  2 16:14:34 exon samba[63829]: [2014/05/02 16:14:34.787053,  0, pid=63829]
> ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
> May  2 16:14:34 exon samba[63829]:   Failed to modify SPNs on
> CN=IMMUN-10,CN=Computers,DC=muc,DC=medizinische-genetik,DC=de: error in module
> acl: Constraint violation (19)

Same here!
Comment 5 Claudio Cardoso 2014-08-15 18:28:23 UTC
(In reply to comment #4)
> (In reply to comment #3)
> > Just an update:
> > This still exists unchanged in 4.1.7:
> > 
> > May  2 16:14:34 exon samba[63829]: [2014/05/02 16:14:34.787053,  0, pid=63829]
> > ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
> > May  2 16:14:34 exon samba[63829]:   Failed to modify SPNs on
> > CN=IMMUN-10,CN=Computers,DC=muc,DC=medizinische-genetik,DC=de: error in module
> > acl: Constraint violation (19)
> 
> Same here!

I am having the same errors here, my samba is a 4.1.4 compilation, and some machines are giving the same error when users try to log on: "failed to modify spn on ... constraint violation (19)", I noted that these machines are from the same brand, a local brand called "DATEM Computers". I have 100 machines on Samba4 and these erros are only from "Datem Computers" brand.
Comment 6 piotrektt 2014-12-13 20:08:41 UTC
I have the same issue. Samba 4.1.6 ubuntu 14.04 server. 

The issue is generated by windows virtual machinces which run Vmware servers (vcenter and view connection server).
Comment 7 Roy 2015-06-17 14:17:07 UTC
I am also receiving this error on FreeBSD 10.1 samba42 compiled from ports collection on 6/12/2015.

  samba version 4.2.2 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2014
[2015/06/15 22:01:43.680515,  0] ../source4/smbd/server.c:488(binary_smbd_main)
  samba: using 'standard' process model
[2015/06/15 22:01:43.759498,  0] ../lib/util/become_daemon.c:124(daemon_ready)
  STATUS=daemon 'samba' finished starting up and ready to serve connections
[2015/06/17 01:33:23.580035,  0] ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
  Failed to modify SPNs on CN=WIN7LABIF,CN=Computers,DC=nwa,DC=local: error in module acl: Constraint violation during LDB_MODIFY (19)
[2015/06/17 01:35:05.981984,  0] ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
  Failed to modify SPNs on CN=DELLPC11,CN=Computers,DC=nwa,DC=local: error in module acl: Constraint violation during LDB_MODIFY (19)
[2015/06/17 01:49:29.917183,  0] ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
  Failed to modify SPNs on CN=PC-GW2-04052010,CN=Computers,DC=nwa,DC=local: error in module acl: Constraint violation during LDB_MODIFY (19)
[2015/06/17 02:12:50.499246,  0] ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
  Failed to modify SPNs on CN=WIN711102011,CN=Computers,DC=nwa,DC=local: error in module acl: Constraint violation during LDB_MODIFY (19)

There are more (40 or so) machines in the domain and I think I am just seeing it specific to certain ones ... I am thinking of removing one from the domain and then rejoining as this domain has been migrated from Win2003 SBS to Samba 42

I should mention the domain in this case really provides nothing other than a login and the desktops the users have become accustomed to (they are not roaming, users are consistent at a specific machine).

I did not manually copy over the sysvol and I really don't know what, if any, group policies are in place. The good news is they have been running for two days without issue...
Comment 8 Miguel Medalha 2016-05-06 19:11:02 UTC
I am seeing the same error with a single client on a network of about 30 computers. This is a Windows 7 machine of the exact same type as several others and only this one keeps producing this error daily.
Comment 9 Miguel Medalha 2016-05-06 19:14:48 UTC
I already joined this computer to the domain again but the error is still there. It occurs when the computer is turned on every morning.
Comment 10 Stefan Metzmacher 2016-05-24 12:39:38 UTC
Is someone able to reproduce this in a test environment where "log level = 10"
can be used?
Comment 11 Stefan Metzmacher 2016-05-25 07:46:39 UTC
https://msdn.microsoft.com/en-us/library/ms191153.aspx
indicates that it's common to use spn in a form of:

MSSQLSvc/host.domain.example.com:port

I guess acl_validate_spn_value() needs to ignore the ':port' part,
e.g. everthing starting from ':'
Comment 12 Björn Jacke 2018-06-25 10:42:42 UTC
yes, for reference here are the SPNs of a SQL server in a native MS AD:

servicePrincipalName: MSSQLSvc/MS-SQL01.exchange.example.de:1433
servicePrincipalName: MSSQLSvc/MS-SQL01.exchange.example.de
servicePrincipalName: MSSQLSvc/MS-SQL01.exchange.example.de:60448
servicePrincipalName: MSSQLSvc/MS-SQL01.exchange.example.de:AUTODESKVAULT
servicePrincipalName: TERMSRV/MS-SQL01.exchange.example.de
servicePrincipalName: TERMSRV/MS-SQL01
servicePrincipalName: WSMAN/MS-SQL01
servicePrincipalName: WSMAN/MS-SQL01.exchange.example.de
servicePrincipalName: RestrictedKrbHost/MS-SQL01
servicePrincipalName: HOST/MS-SQL01
servicePrincipalName: RestrictedKrbHost/MS-SQL01.exchange.example.de
servicePrincipalName: HOST/MS-SQL01.exchange.example.de
Comment 13 Björn Jacke 2018-06-25 10:58:56 UTC
*** Bug 10421 has been marked as a duplicate of this bug. ***