Bug 54736 - Error message when Backup with Samba/AD and Squid-Kerberos attempts to re-join
Status: NEW
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 4.4
Other Linux
Importance: P5 minor
Assigned To: Samba maintainers
Depends on:
Blocks: 52758
Reported: 2022-05-09 15:50 CEST by Arvid Requate
Modified: 2022-07-20 18:10 CEST (History)

See Also:
What kind of report is it?: Development Internal
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
Description Arvid Requate univentionstaff 2022-05-09 15:50:22 CEST
While fixing Bug 52758 for UCS@school we saw this error message in log.samba:

```
[2022/05/09 13:42:13.088180,  0, pid=25745] ../../source4/dsdb/samdb/ldb_modules/samldb.c:3841(check_spn_alias_collision)
  check_spn_alias_collision: trying to add SPN 'HOST/ucsbackup.autotest201.local' on 'CN=UCSBACKUP,OU=Domain Controllers,DC=autotest201,DC=local' when 'http/ucsbackup.autotest201.local' is on 'CN=http-proxy-ucsBackup,CN=Users,DC=autotest201,DC=local'
[2022/05/09 13:42:13.088229,  0, pid=25745] ../../source4/dsdb/samdb/ldb_modules/samldb.c:4022(samldb_spn_uniqueness_check)
  samldb_spn_uniqueness_check: SPN HOST/ucsbackup.autotest201.local failed alias uniqueness check
```

I guess this would affect all joining UCS systems with Samba/AD and univention-squid-kerberos installed. I assume that this error message occurs because the "HOST/" service in the SPN is also an alias for several other services in Active Directory, http being one of them:

```
root@master201:~# univention-s4search --cross-ncs sPNMappings=* sPNMappings \
                            | ldapsearch-wrapper  | grep http
sPNMappings: host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,replicator,eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,fax,msiserver,ias,messenger,netlogon,netman,netdde,netddedsm,nmagent,plugplay,protectedstorage,rasman,rpclocator,rpc,rpcss,remoteaccess,rsvp,samss,scardsvr,scesrv,seclogon,scm,dcom,cifs,spooler,snmp,schedule,tapisrv,trksvr,trkwks,ups,time,wins,www,http,w3svc,iisadmin,msdtc
```
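To make the collision in the log above reproducible offline, here is an added model (not Samba's code, and not from this bug) of how the sPNMappings alias list turns `http/` and `HOST/` on the same host name into the same canonical SPN; the DNs and the sPNMappings string are copied from the report, the function names are my own.

```python
"""Model of the sPNMappings alias collision reported in this bug (constructed)."""

# sPNMappings value as printed by univention-s4search in the report.
SPN_MAPPINGS = (
    "host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,replicator,"
    "eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,fax,msiserver,"
    "ias,messenger,netlogon,netman,netdde,netddedsm,nmagent,plugplay,"
    "protectedstorage,rasman,rpclocator,rpc,rpcss,remoteaccess,rsvp,samss,"
    "scardsvr,scesrv,seclogon,scm,dcom,cifs,spooler,snmp,schedule,tapisrv,"
    "trksvr,trkwks,ups,time,wins,www,http,w3svc,iisadmin,msdtc"
)


def parse_spn_mappings(value):
    """'canonical=alias1,alias2,...' -> {alias: canonical}, lower-cased."""
    canonical, _, aliases = value.partition("=")
    canonical = canonical.strip().lower()
    mapping = {canonical: canonical}
    for alias in aliases.split(","):
        alias = alias.strip().lower()
        if alias:
            mapping[alias] = canonical
    return mapping


def canonical_spn(spn, mapping):
    """'HTTP/ucsBackup.x' -> ('host', 'ucsbackup.x'); both parts case-insensitive,
    which is why HOST/ucsbackup... and http/ucsBackup... collide in the log."""
    service, _, host = spn.partition("/")
    service = service.lower()
    return mapping.get(service, service), host.lower()


def find_alias_collision(new_spn, target_dn, existing, mapping):
    """existing: [(spn, dn)]. Return (spn, dn) of another object already holding
    an SPN with the same canonical service/host, or None (same object is fine)."""
    wanted = canonical_spn(new_spn, mapping)
    for spn, dn in existing:
        if dn.lower() == target_dn.lower():
            continue
        if canonical_spn(spn, mapping) == wanted:
            return spn, dn
    return None


# Objects from the report: the DC account and the squid proxy service account.
DC_DN = "CN=UCSBACKUP,OU=Domain Controllers,DC=autotest201,DC=local"
PROXY_DN = "CN=http-proxy-ucsBackup,CN=Users,DC=autotest201,DC=local"
EXISTING = [("http/ucsBackup.autotest201.local", PROXY_DN)]
```

Running `find_alias_collision("HOST/ucsbackup.autotest201.local", DC_DN, EXISTING, parse_spn_mappings(SPN_MAPPINGS))` reproduces the pairing the log complains about, while an `HTTP2/` SPN is not in the alias list and passes.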
Comment 1 Arvid Requate univentionstaff 2022-05-09 15:58:57 CEST
Maybe it's just a non-fatal error message:

The SPN HTTP/ucsBackup.autotest201.local was assigned to the account http-proxy-ucsBackup before the join and log.samba showed the error message above. So I temporarily renamed the SPN to HTTP2 and the join worked. Afterwards the SPN was again "HTTP/". When I use ldbedit to toggle the name, then I receive:

```
## Change SPN to HTTP2/
root@master201:~# ldbedit -H /var/lib/samba/private/sam.ldb
# 0 adds  1 modifies  0 deletes

## And back to HTTP/
root@master201:~# ldbedit -H /var/lib/samba/private/sam.ldb
check_spn_alias_collision: trying to add SPN 'HTTP/ucsBackup.autotest201.local' on 'CN=http-proxy-ucsBackup,CN=Users,DC=autotest201,DC=local' when 'host/ucsBackup.autotest201.local' is on 'CN=UCSBACKUP,OU=Domain Controllers,DC=autotest201,DC=local'
# 0 adds  1 modifies  0 deletes
```

But Samba nevertheless does the modify.

So maybe this error message was not the issue that caused the join to fail after all.
Comment 2 Arvid Requate univentionstaff 2022-05-10 10:33:15 CEST
Similar during initial join of a Backup directory node.

From the join.log:

```
[...]
Configure 62ucs-school-singlemaster.inst Mon May  9 20:56:55 CEST 2022
[...]
RUNNING 98univention-squid-samba4.inst
2022-05-09 21:06:54.050914323+02:00 (in joinscript_init)
Object created: uid=http-proxy-ucsBackup,cn=users,dc=autotest201,dc=local
looking for spn account "http-proxy-ucsBackup" in local samba
looking for spn account "http-proxy-ucsBackup" in local samba
looking for spn account "http-proxy-ucsBackup" in local samba
looking for spn account "http-proxy-ucsBackup" in local samba
looking for spn account "http-proxy-ucsBackup" in local samba
looking for spn account "http-proxy-ucsBackup" in local samba
looking for spn account "http-proxy-ucsBackup" in local samba
[...]
looking for spn account "http-proxy-ucsBackup" in local samba
ERROR: samAccountName not found for service account http-proxy-ucsBackup
ERROR: cannot add attribute "servicePrincipalName: HTTP/ucsBackup.autotest201.local"
EXITCODE=1
4ff2e946-5865-4a00-9b3f-096c945a67c7
RUNNING 98univention-samba4-dns.inst
[...]
RUNNING 98univention-squid-samba4.inst
2022-05-09 22:04:38.475494481+02:00 (in joinscript_init)
Object created: uid=http-proxy-ucsBackup,cn=users,dc=autotest201,dc=local
looking for spn account "http-proxy-ucsBackup" in local samba
looking for spn account "http-proxy-ucsBackup" in local samba
check_spn_alias_collision: trying to add SPN 'HTTP/ucsBackup.autotest201.local' on 'CN=http-proxy-ucsBackup,CN=Users,DC=autotest201,DC=local' when 'host/ucsBackup.autotest201.local' is on 'CN=UCSBACKUP,OU=Domain Controllers,DC=autotest201,DC=local'
Modified 1 records successfully
Added 1 records successfully
2022-05-09 22:04:52.746093833+02:00 (in joinscript_save_current_version)
EXITCODE=0
```

The end result looks ok:
```
root@ucsBackup:~# univention-s4search "serviceprincipalname=HTTP/$(hostname -f)" 1.1
# record 1
dn: CN=http-proxy-ucsBackup,CN=Users,DC=autotest201,DC=local
```

So finally this seems to get fixed by the second run of 98univention-squid-samba4.inst, but it doesn't look optimal, also regarding the delay in the first run.

Also, it's remarkable that the SPN resolution in Samba/AD then works as intended by us, overriding the sPNMappings alias mechanism.