Bug 9977 - Missing SPNs on DC after joining it to a domain
Summary: Missing SPNs on DC after joining it to a domain
Status: NEW
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.0.6
Hardware: All All
Importance: P5 major
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2013-06-29 06:09 UTC by CS
Modified: 2021-08-06 03:22 UTC
CC List: 1 user

See Also:


Attachments
Output from domain join (5.75 KB, text/plain)
2013-06-29 06:09 UTC, CS

Description CS 2013-06-29 06:09:29 UTC
Created attachment 9005 [details]
Output from domain join

After joining a DC to a domain, a number of SPNs are missing, which in turn causes it not to function properly.

e.g.
Host with missing SPNs after joining it to a domain:

[root@c64]/usr/local/samba/bin# ./samba-tool spn list c64-2$
c64-2$
User CN=C64-2,OU=Domain Controllers,DC=test,DC=la has the following servicePrincipalName:
         HOST/C64-2
         HOST/C64-2.test.la
         GC/C64-2.test.la/test.la
         E3514235-4B06-11D1-AB04-00C04FC2DCD2/c3914caf-1b99-4cd5-aeec-19ce459ba970/test.la

Host with expected SPNs:
[root@c64]/usr/local/samba/bin# ./samba-tool spn list c64$
c64$
User CN=C64,OU=Domain Controllers,DC=test,DC=la has the following servicePrincipalName:
         HOST/c64.test.la
         HOST/c64.test.la/COVE
         ldap/c64.test.la/COVE
         GC/c64.test.la/test.la
         ldap/c64.test.la
         HOST/c64.test.la/test.la
         ldap/c64.test.la/test.la
         HOST/C64
         E3514235-4B06-11D1-AB04-00C04FC2DCD2/f20e506a-f56e-41f7-93eb-dcaaf73155d2/test.la
         ldap/f20e506a-f56e-41f7-93eb-dcaaf73155d2._msdcs.test.la
         ldap/C64
         RestrictedKrbHost/C64
         RestrictedKrbHost/c64.test.la
         ldap/c64.test.la/DomainDnsZones.test.la
         ldap/c64.test.la/ForestDnsZones.test.la

Domain join command used:
samba-tool domain join test.la DC --realm=TEST.LA -Uadministrator
Comment 1 Pinja-Liina Jalkanen 2015-07-06 18:15:35 UTC
(In reply to CS from comment #0)

Hi, I believe it's worth noting this might happen if the df4bdd8c-abc7-4779-b01e-4dd4553ca3e9._msdcs.samdom.example.com record, i.e. the objectGUID CNAME record, is missing or points to a wrong host. See:
https://wiki.samba.org/index.php/Check_and_fix_DNS_entries_on_DC_joins

That record often has to be created manually due to bug #10928. I had exactly this problem after I accidentally pointed that entry to the _existing_ DC's hostname while creating it, but nevertheless using the newly joined DC's objectGUID. The SPNs are only created on the newly joined DC after Samba is started on it for the first time and are replicated over to the old DC shortly afterwards. But if the aforementioned DNS record is missing or erroneous, this replication fails.

(In my case I only realised my mistake after taking the newly added DC offline, deleting it from the directory, and cleaning its metadata. I then rejoined it, this time checking the record's syntax carefully, and afterwards everything worked.)
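As an added example (not code from this report or from the Samba project), the script below automates the two checks this thread describes: it diffs a DC's `samba-tool spn list` output against the SPN set the working DC c64 shows in the description, and it checks that the `<guid>._msdcs.<realm>` CNAME from comment 1 points at the DC's own FQDN. The GUID is taken from the DRS SPN (the `E3514235-…` entry), since the same GUID appears in the `ldap/<guid>._msdcs.<realm>` SPN on the working DC. The two SPN listings are copied from the report; the NetBIOS domain name `COVE` is inferred from the `HOST/c64.test.la/COVE` entry; the CNAME target is passed in as a string (what `host` or `samba-tool dns query` returned) rather than resolved, so the script runs offline, and the sample target is constructed to reproduce the mistake in comment 1 (pointing at the existing DC).

```python
import re

# Fixed service class of the DRS replication SPN, as seen in the report.
DRS_SPN_CLASS = "E3514235-4B06-11D1-AB04-00C04FC2DCD2"

# Constructed sample input: the two `samba-tool spn list` outputs quoted in the report.
NEW_DC_SPN_OUTPUT = """\
c64-2$
User CN=C64-2,OU=Domain Controllers,DC=test,DC=la has the following servicePrincipalName:
         HOST/C64-2
         HOST/C64-2.test.la
         GC/C64-2.test.la/test.la
         E3514235-4B06-11D1-AB04-00C04FC2DCD2/c3914caf-1b99-4cd5-aeec-19ce459ba970/test.la
"""

GOOD_DC_SPN_OUTPUT = """\
c64$
User CN=C64,OU=Domain Controllers,DC=test,DC=la has the following servicePrincipalName:
         HOST/c64.test.la
         HOST/c64.test.la/COVE
         ldap/c64.test.la/COVE
         GC/c64.test.la/test.la
         ldap/c64.test.la
         HOST/c64.test.la/test.la
         ldap/c64.test.la/test.la
         HOST/C64
         E3514235-4B06-11D1-AB04-00C04FC2DCD2/f20e506a-f56e-41f7-93eb-dcaaf73155d2/test.la
         ldap/f20e506a-f56e-41f7-93eb-dcaaf73155d2._msdcs.test.la
         ldap/C64
         RestrictedKrbHost/C64
         RestrictedKrbHost/c64.test.la
         ldap/c64.test.la/DomainDnsZones.test.la
         ldap/c64.test.la/ForestDnsZones.test.la
"""


def parse_spn_list(text):
    """Return the SPNs from `samba-tool spn list` output, skipping the account
    echo and the 'User CN=... has the following servicePrincipalName:' header."""
    return {ln.strip() for ln in text.splitlines() if re.fullmatch(r"\S+/\S+", ln.strip())}


def ntds_guid_from_spns(spns):
    """Pull the GUID out of the DRS SPN; on the working DC the same GUID labels
    the ldap/<guid>._msdcs.<realm> SPN and the <guid>._msdcs.<realm> CNAME."""
    pat = re.compile(re.escape(DRS_SPN_CLASS) + r"/([0-9a-f-]{36})/", re.IGNORECASE)
    for spn in spns:
        m = pat.match(spn)
        if m:
            return m.group(1).lower()
    return None


def expected_dc_spns(short, fqdn, realm, netbios, ntds_guid):
    """SPN set a Samba DC carries once it has started, taken from the working DC
    (c64) in the report; netbios is the domain's NetBIOS name (COVE there)."""
    return {
        f"HOST/{short}", f"HOST/{fqdn}", f"HOST/{fqdn}/{netbios}", f"HOST/{fqdn}/{realm}",
        f"ldap/{short}", f"ldap/{fqdn}", f"ldap/{fqdn}/{netbios}", f"ldap/{fqdn}/{realm}",
        f"ldap/{fqdn}/DomainDnsZones.{realm}", f"ldap/{fqdn}/ForestDnsZones.{realm}",
        f"ldap/{ntds_guid}._msdcs.{realm}",
        f"GC/{fqdn}/{realm}",
        f"RestrictedKrbHost/{short}", f"RestrictedKrbHost/{fqdn}",
        f"{DRS_SPN_CLASS}/{ntds_guid}/{realm}",
    }


def check_dc(spn_output, short, fqdn, realm, netbios, resolved_cname_target):
    """Diff the DC's current SPNs against the expected set and confirm the
    <guid>._msdcs.<realm> CNAME points at this DC's own FQDN.
    resolved_cname_target is what DNS returned for that name (for example from
    `host` or `samba-tool dns query`); a trailing dot is tolerated."""
    have = parse_spn_list(spn_output)
    guid = ntds_guid_from_spns(have)
    if guid is None:
        raise ValueError("no DRS SPN found; cannot determine the DC's NTDS GUID")
    # servicePrincipalName is matched case-insensitively by the directory, so compare that way.
    have_lc = {s.lower() for s in have}
    missing = sorted(s for s in expected_dc_spns(short, fqdn, realm, netbios, guid)
                     if s.lower() not in have_lc)
    cname = f"{guid}._msdcs.{realm}"
    cname_ok = resolved_cname_target.rstrip(".").lower() == fqdn.lower()
    return {"ntds_guid": guid, "missing_spns": missing, "cname": cname, "cname_ok": cname_ok}


if __name__ == "__main__":
    # Constructed scenario from comment 1: the new DC's CNAME was pointed at the old DC.
    r = check_dc(NEW_DC_SPN_OUTPUT, "C64-2", "c64-2.test.la", "test.la", "COVE", "c64.test.la.")
    print(f"{r['cname']} -> expected c64-2.test.la, ok={r['cname_ok']}")
    for spn in r["missing_spns"]:
        print("missing:", spn)
```

Run against the report's c64-2 listing the script reports the CNAME mismatch and 11 missing SPNs (every ldap/ and RestrictedKrbHost/ entry plus the NetBIOS- and realm-qualified HOST/ entries); against the c64 listing it reports nothing missing. Fix the CNAME first, as comment 1 says, then restart Samba on the new DC and re-run the check until the list is empty.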