Bug 9848 - Failed to modify SPNs on ... insufficient access rights (50)
Summary: Failed to modify SPNs on ... insufficient access rights (50)
Status: REOPENED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Nadezhda Ivanova
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on: 9316
Blocks:
  Show dependency treegraph
 
Reported: 2013-05-03 20:09 UTC by Nick Semenkovich
Modified: 2019-07-31 07:48 UTC (History)
3 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Nick Semenkovich 2013-05-03 20:09:36 UTC 
Using the git commit from 2013.05.05 (5f82641553), I see a lot of this error in the samba log:

[2013/05/03 11:55:41,  0] ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
  Failed to modify SPNs on CN=AIO6,CN=Computers,DC=corp,DC=example,DC=com: error in module acl: insufficient access rights (50)
[2013/05/03 11:55:42,  0] ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
  Failed to modify SPNs on CN=AIO6,CN=Computers,DC=corp,DC=example,DC=com: error in module acl: insufficient access rights (50)

It's only occurring on this single machine (CN=AIO6), and none of the other ~15 identical machines.



Happy to provided any needed debug info.
Comment 1 Nick Semenkovich 2014-01-10 15:59:51 UTC 
FYI, I'm still seeing this, with today's latest GIT build (4.2.0pre1-GIT-0045f3b), with all Windows 8.1 clients.

The error has evolved a tiny bit, and is now:

samba[2163]: [2014/01/10 09:31:05.484968,  0] ../source4/rpc_server/drsuapi/writespn.c:237(dcesrv_drsuapi_DsWriteAccountSpn)
samba[2163]:   Failed to modify SPNs on CN=AIO6,CN=Computers,DC=corp,DC=aldinetravel,DC=com: error in module acl: insufficient access rights during LDB_MODIFY (50)


Any thoughts on tracking this down? It's again only a single machine "AIO6" -- a number of other identical machines don't show this message.
Comment 2 Stefan Metzmacher 2014-02-18 14:30:52 UTC 
Maybe related to https://bugzilla.samba.org/show_bug.cgi?id=9316
Failed to modify SPNs on ...: error in module acl: Constraint violation (19)
Comment 3 Nick Semenkovich 2014-10-17 14:57:17 UTC 
Just updating, since this is marked as a 4.2 blocker.

I still see this issue as of ~yesterday's head:

commit 71cb5749f4d7a542a1dccb250f91c58fd2bbf54c
Author: Stefan Metzmacher <metze@samba.org>
Date:   Tue Oct 7 15:59:48 2014 +0200

    libcli/smb: try to negotiate SMB2_ENCRYPTION_AES128_GCM


It seems to occur intermittently, referring to a few client machines.

Oct 17 09:53:45 runway samba[13224]:   Failed to modify SPNs on CN=AIO3,CN=Computers,DC=corp,DC=mydomainhere,DC=com: error in module acl: insufficient access rights during LDB_MODIFY (50)
Comment 4 Andreas Schneider 2014-10-28 10:47:52 UTC 
Nadya, could you look into this?
Comment 5 Nadezhda Ivanova 2014-10-28 11:32:43 UTC 
Hi Nick,
Is it possible for you to run samba with debug level 10 and attach the log (assuming it's OK to share such data publicly). Level 10 has a debug log of the access check process, it dumps the security descriptor on the modified object and the security token of the account used to modify it. It's going to be quite a big log file...
Comment 6 Nick Semenkovich 2014-12-01 23:10:17 UTC 
FWIW, haven't seen this issue in recent logs -- may have been fixed in git at some point.

Since I was the only one reporting it, closing for now.
Comment 7 Stefan Metzmacher 2014-12-02 07:30:22 UTC 
I also saw this more than once...