Univention Bugzilla – Bug 54736
Error message when Backup with Samba/AD and Squid-Kerberos attempts to re-join
Last modified: 2022-07-20 18:10:26 CEST
While fixing Bug 52758 for UCS@school we saw this error message in log.samba:

```
[2022/05/09 13:42:13.088180,  0, pid=25745] ../../source4/dsdb/samdb/ldb_modules/samldb.c:3841(check_spn_alias_collision)
  check_spn_alias_collision: trying to add SPN 'HOST/ucsbackup.autotest201.local' on 'CN=UCSBACKUP,OU=Domain Controllers,DC=autotest201,DC=local' when 'http/ucsbackup.autotest201.local' is on 'CN=http-proxy-ucsBackup,CN=Users,DC=autotest201,DC=local'
[2022/05/09 13:42:13.088229,  0, pid=25745] ../../source4/dsdb/samdb/ldb_modules/samldb.c:4022(samldb_spn_uniqueness_check)
  samldb_spn_uniqueness_check: SPN HOST/ucsbackup.autotest201.local failed alias uniqueness check
```

I guess this would affect all joining UCS systems with Samba/AD and univention-squid-kerberos installed.

I assume that this error message occurs because the "HOST/" service in the SPN is also an alias for several other services in Active Directory, http being one of them:

```
root@master201:~# univention-s4search --cross-ncs sPNMappings=* sPNMappings \
  | ldapsearch-wrapper | grep http
sPNMappings: host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,replicator,eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,fax,msiserver,ias,messenger,netlogon,netman,netdde,netddedsm,nmagent,plugplay,protectedstorage,rasman,rpclocator,rpc,rpcss,remoteaccess,rsvp,samss,scardsvr,scesrv,seclogon,scm,dcom,cifs,spooler,snmp,schedule,tapisrv,trksvr,trkwks,ups,time,wins,www,http,w3svc,iisadmin,msdtc
```
Maybe it's just a non-fatal error message: The SPN HTTP/ucsBackup.autotest201.local was assigned to the account http-proxy-ucsBackup before the join, and log.samba showed the error message above. So I temporarily renamed the SPN to HTTP2 and the join worked. Afterwards the SPN was again "HTTP/". When I use ldbedit to toggle the name, I receive:

```
## Change SPN to HTTP2/
root@master201:~# ldbedit -H /var/lib/samba/private/sam.ldb
# 0 adds  1 modifies  0 deletes

## And back to HTTP/
root@master201:~# ldbedit -H /var/lib/samba/private/sam.ldb
check_spn_alias_collision: trying to add SPN 'HTTP/ucsBackup.autotest201.local' on 'CN=http-proxy-ucsBackup,CN=Users,DC=autotest201,DC=local' when 'host/ucsBackup.autotest201.local' is on 'CN=UCSBACKUP,OU=Domain Controllers,DC=autotest201,DC=local'
# 0 adds  1 modifies  0 deletes
```

But Samba nevertheless does the modify. So maybe this error message was not the issue that caused the join to fail after all.
Similar during initial join of a Backup directory node. From the join.log:

```
[...]
Configure 62ucs-school-singlemaster.inst Mon May 9 20:56:55 CEST 2022
[...]
RUNNING 98univention-squid-samba4.inst
2022-05-09 21:06:54.050914323+02:00 (in joinscript_init)
Object created: uid=http-proxy-ucsBackup,cn=users,dc=autotest201,dc=local
looking for spn account "http-proxy-ucsBackup" in local samba
looking for spn account "http-proxy-ucsBackup" in local samba
looking for spn account "http-proxy-ucsBackup" in local samba
looking for spn account "http-proxy-ucsBackup" in local samba
looking for spn account "http-proxy-ucsBackup" in local samba
looking for spn account "http-proxy-ucsBackup" in local samba
looking for spn account "http-proxy-ucsBackup" in local samba
[...]
looking for spn account "http-proxy-ucsBackup" in local samba
ERROR: samAccountName not found for service account http-proxy-ucsBackup
ERROR: cannot add attribute "servicePrincipalName: HTTP/ucsBackup.autotest201.local"
EXITCODE=1
4ff2e946-5865-4a00-9b3f-096c945a67c7
RUNNING 98univention-samba4-dns.inst
[...]
RUNNING 98univention-squid-samba4.inst
2022-05-09 22:04:38.475494481+02:00 (in joinscript_init)
Object created: uid=http-proxy-ucsBackup,cn=users,dc=autotest201,dc=local
looking for spn account "http-proxy-ucsBackup" in local samba
looking for spn account "http-proxy-ucsBackup" in local samba
check_spn_alias_collision: trying to add SPN 'HTTP/ucsBackup.autotest201.local' on 'CN=http-proxy-ucsBackup,CN=Users,DC=autotest201,DC=local' when 'host/ucsBackup.autotest201.local' is on 'CN=UCSBACKUP,OU=Domain Controllers,DC=autotest201,DC=local'
Modified 1 records successfully
Added 1 records successfully
2022-05-09 22:04:52.746093833+02:00 (in joinscript_save_current_version)
EXITCODE=0
```

The end result looks ok:

```
root@ucsBackup:~# univention-s4search "serviceprincipalname=HTTP/$(hostname -f)" 1.1
# record 1
dn: CN=http-proxy-ucsBackup,CN=Users,DC=autotest201,DC=local
```

So finally this seems to get fixed by the second run of 98univention-squid-samba4.inst, but it doesn't look optimal, also regarding the delay in the first run. Also, it's remarkable that the SPN resolution in Samba/AD then works as intended by us, overriding the sPNMappings alias mechanism.
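As an added example (not from this bug report and not Samba or UCS code), the following Python reproduces the alias rule behind the check_spn_alias_collision messages quoted above: every SPN's service class is mapped through the quoted sPNMappings value, so HOST/ and http/ on the same host name fall onto one key, and any key held by more than one object is reported. The directory entries are constructed from the DNs and SPNs in the log lines; the ldap-svc account is an assumed third entry showing a class that is not a HOST alias.

```python
from collections import defaultdict

# sPNMappings value quoted above: every class listed after "host=" is an alias of HOST.
SPN_MAPPINGS = ("host=alerter,appmgmt,cisvc,clipsrv,browser,dhcp,dnscache,replicator,"
                "eventlog,eventsystem,policyagent,oakley,dmserver,dns,mcsvc,fax,msiserver,"
                "ias,messenger,netlogon,netman,netdde,netddedsm,nmagent,plugplay,"
                "protectedstorage,rasman,rpclocator,rpc,rpcss,remoteaccess,rsvp,samss,"
                "scardsvr,scesrv,seclogon,scm,dcom,cifs,spooler,snmp,schedule,tapisrv,"
                "trksvr,trkwks,ups,time,wins,www,http,w3svc,iisadmin,msdtc")

# Constructed sample: the two objects and SPNs from the log lines above, plus an
# assumed ldap/ SPN on a third account (ldap is not a HOST alias, so no collision).
SAMPLE_DIRECTORY = {
    "CN=UCSBACKUP,OU=Domain Controllers,DC=autotest201,DC=local":
        ["HOST/ucsbackup.autotest201.local"],
    "CN=http-proxy-ucsBackup,CN=Users,DC=autotest201,DC=local":
        ["HTTP/ucsBackup.autotest201.local"],
    "CN=ldap-svc,CN=Users,DC=autotest201,DC=local":
        ["ldap/ucsbackup.autotest201.local"],
}

def parse_spn_mappings(value):
    """'host=http,www' -> {'host': 'host', 'http': 'host', 'www': 'host'} (lower case)."""
    target, _, aliases = value.partition("=")
    target = target.strip().lower()
    canonical = {target: target}
    for alias in aliases.split(","):
        canonical[alias.strip().lower()] = target
    return canonical

def canonical_spn(spn, canonical):
    """'HTTP/ucsBackup.autotest201.local' -> ('host', 'ucsbackup.autotest201.local').
    Class and host are compared case-insensitively, as the mixed-case log lines show."""
    service, _, host = spn.partition("/")
    return canonical.get(service.lower(), service.lower()), host.lower()

def find_alias_collisions(directory, mappings_value=SPN_MAPPINGS):
    """Return {(class, host): [(dn, spn), ...]} for SPNs that *different* objects hold
    under aliased classes; one object holding HOST/x and HTTP/x is not reported here."""
    canonical = parse_spn_mappings(mappings_value)
    owners = defaultdict(list)
    for dn, spns in directory.items():
        for spn in spns:
            owners[canonical_spn(spn, canonical)].append((dn, spn))
    return {key: sorted(holders) for key, holders in owners.items()
            if len({dn for dn, _ in holders}) > 1}

if __name__ == "__main__":
    print(find_alias_collisions(SAMPLE_DIRECTORY))
```

Fed with an export of the servicePrincipalName values of all accounts before a join, the same function flags the HOST/ versus HTTP/ pair the join script ran into, and shows why the HTTP2/ rename in the comment above avoided it.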