
[Samba] Failed to join domain: failed to set machine spn: Constraint violation


Alex Green

Dec 11, 2008, 12:20:06 PM
Hi,

I'm seeing this error on 3.0.24, 3.0.28, 3.0.32 and 3.2.6:

Failed to join domain: failed to set machine spn: Constraint violation

[Sanitised]

First Run:

net ads join createupn=HOST/FQ...@DOM.REALM.DOMAIN.COM createcomputer="OU/OU/OU/Services" -U username -d1
Enter username's password:
[2008/12/11 17:02:32, 1] libnet/libnet_join.c:libnet_Join(1770)
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'HOSTNAME'
domain_name : *
domain_name : 'DOM.REALM.DOMAIN.COM'
account_ou : 'OU/OU/OU/Services'
admin_account : 'username'
admin_password : *
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
create_upn : 0x01 (1)
upn : 'HOST/FQ...@DOM.REALM.DOMAIN.COM'
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
secure_channel_type : SEC_CHAN_WKSTA (2)
[2008/12/11 17:02:33, 1] libnet/libnet_join.c:libnet_join_precreate_machine_acct(235)
machine account creation created
[2008/12/11 17:02:33, 1] libnet/libnet_join.c:libnet_Join(1801)
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : 'DOM'
dns_domain_name : 'DOM.REALM.DOMAIN.COM'
dn : 'CN=HOSTNAME,OU=Services,OU=OU,OU=OU,OU=OU,DC=DOM,DC=REALM,DC=DOMAIN,DC=com'
domain_sid : *
domain_sid : S-1-5-21-1606980848-1965331169-1417001333
modified_config : 0x00 (0)
error_string : 'failed to set machine spn: Constraint violation'
domain_is_ad : 0x01 (1)
result : WERR_GENERAL_FAILURE
Failed to join domain: failed to set machine spn: Constraint violation

SPN Created - but errors!!!

Second Run:

net ads join createupn=HOST/FQ...@DOM.REALM.DOMAIN.COM createcomputer="OU/OU/OU/Services" -U username -d1
Enter username's password:
[2008/12/11 16:54:40, 1] libnet/libnet_join.c:libnet_Join(1770)
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
in: struct libnet_JoinCtx
dc_name : NULL
machine_name : 'HOSTNAME'
domain_name : *
domain_name : 'DOM.REALM.DOMAIN.COM'
account_ou : 'OU/OU/OU/Services'
admin_account : 'username'
admin_password : *
machine_password : NULL
join_flags : 0x00000023 (35)
0: WKSSVC_JOIN_FLAGS_JOIN_WITH_NEW_NAME
0: WKSSVC_JOIN_FLAGS_JOIN_DC_ACCOUNT
0: WKSSVC_JOIN_FLAGS_DEFER_SPN
0: WKSSVC_JOIN_FLAGS_MACHINE_PWD_PASSED
0: WKSSVC_JOIN_FLAGS_JOIN_UNSECURE
1: WKSSVC_JOIN_FLAGS_DOMAIN_JOIN_IF_JOINED
0: WKSSVC_JOIN_FLAGS_WIN9X_UPGRADE
0: WKSSVC_JOIN_FLAGS_ACCOUNT_DELETE
1: WKSSVC_JOIN_FLAGS_ACCOUNT_CREATE
1: WKSSVC_JOIN_FLAGS_JOIN_TYPE
os_version : NULL
os_name : NULL
create_upn : 0x01 (1)
upn : 'HOST/FQ...@DOM.REALM.DOMAIN.COM'
modify_config : 0x00 (0)
ads : NULL
debug : 0x01 (1)
secure_channel_type : SEC_CHAN_WKSTA (2)
[2008/12/11 16:54:41, 1] libnet/libnet_join.c:libnet_join_precreate_machine_acct(258)
The machine account already exists in the specified OU.
[2008/12/11 16:54:41, 1] libnet/libnet_join.c:libnet_Join(1801)
libnet_Join:
libnet_JoinCtx: struct libnet_JoinCtx
out: struct libnet_JoinCtx
account_name : NULL
netbios_domain_name : 'DOM'
dns_domain_name : 'DOM.REALM.DOMAIN.COM'
dn : 'CN=HOSTNAME,OU=Services,OU=OU,OU=OU,OU=OU,DC=DOM,DC=REALM,DC=DOMAIN,DC=com'
domain_sid : *
domain_sid : S-1-5-21-1606980848-1965331169-1417001333
modified_config : 0x00 (0)
error_string : 'failed to set machine spn: Constraint violation'
domain_is_ad : 0x01 (1)
result : WERR_GENERAL_FAILURE
Failed to join domain: failed to set machine spn: Constraint violation

Is this a bug?


Thanks,
Alex

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba

Alex Green

Dec 12, 2008, 5:20:16 AM
Anyone?.... any ideas?

Guenther Deschner

Dec 12, 2008, 5:30:16 AM

Alex Green wrote:
> Anyone?.... any ideas?

Can you open a bug on this and upload a network trace as well ?

Thanks,
Guenther

--
Günther Deschner GPG-ID: 8EE11688
Red Hat gdes...@redhat.com
Samba Team g...@samba.org

Alex Green

Dec 12, 2008, 6:40:13 AM
Sure, however the trace will take a bit to sanitise.

Alex Green

Dec 12, 2008, 9:50:05 AM
Found the issue:

Validate Write for DNS and SPN were not set.

However it now fails on DNS Update; I'm presuming this is because we're not using AD Integrated DNS (MS-DNS). Could this not be an option flag to disable DNS updates in this scenario?


Gerald (Jerry) Carter

Dec 15, 2008, 12:00:30 PM

Alex Green wrote:
> Found the issue:
>
> Validate Write for DNS and SPN were not set.
>
> However it now fails on DNS Update; I'm presuming
> this is because we're not using AD Integrated DNS (MS-DNS).
> Could this not be an option flag to disable DNS updates
> in this scenario?

Those attributes and perms have nothing to do with DNS. You
need full access rights to the computer object to join a machine
with a DNS name outside of the AD realm name. That's what the
"validated write" means.

cheers, jerry
--
=====================================================================
Samba ------- http://www.samba.org
Likewise Software --------- http://www.likewisesoftware.com
"What man is a man who does not make the world better?" --Balian



Alex Green

Dec 15, 2008, 12:50:11 PM
Hey Jerry,

I'm aware of that. Due to the restrictions placed within our AD environment, even users who have access to create computer objects don't have access to update the SPN or the host DNS name (AD record).

Additionally, my point was more: would it be possible to turn off the DNS update process by means of a flag, rather than a compile-time option?

Regards,
Alex


Gerald (Jerry) Carter

Dec 15, 2008, 1:20:14 PM

Alex Green wrote:
> Hey Jerry,
>
> I'm aware of that. Due the restrictions placed within our AD
> environment, even users who have access to create computer
> objects don't have access to update the SPN or the
> host DNS name (AD record).
>
> Additionally, my point was more; would it be possible to turn
> off the DNS update process by means of flag, rather than
> compile time option.

You confused me by saying "DNS update". Assuming now you mean
just updating the dNSHostName and SPN attributes. This is always
required in order to support Krb5 authentication. This is exactly
what Windows XP does.

The DDNS update you are asking about (i.e. the --with-dnsupdate option)
has nothing to do with setting the attributes. If the DDNS update fails,
it is not fatal. You only get a warning.


cheers, jerry
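A small diagnostic for the failure mode discussed in this thread, added here as an example and not code from the Samba project: it parses the "out:" half of a `net ads join -d1` libnet_JoinCtx dump (a constructed sample modelled on the sanitised one above), separates the fatal attribute-set failure from a clean join, and flags the computer object that the first run leaves behind without its SPNs. The permission names are the AD validated-write rights Jerry refers to; the `_account_created` key is this example's own bookkeeping.

```python
import re

# Constructed sample (not a live capture): the tail of a `net ads join -d1` run,
# modelled on the sanitised "out:" half of the libnet_JoinCtx dump in this thread.
SAMPLE = """\
[2008/12/11 17:02:33, 1] libnet/libnet_join.c:libnet_join_precreate_machine_acct(235)
machine account creation created
[2008/12/11 17:02:33, 1] libnet/libnet_join.c:libnet_Join(1801)
out: struct libnet_JoinCtx
dns_domain_name : 'DOM.REALM.DOMAIN.COM'
dn : 'CN=HOSTNAME,OU=Services,OU=OU,OU=OU,OU=OU,DC=DOM,DC=REALM,DC=DOMAIN,DC=com'
error_string : 'failed to set machine spn: Constraint violation'
result : WERR_GENERAL_FAILURE
"""

FIELD_RE = re.compile(r"^\s*(\w+)\s*:\s*(.*?)\s*$")

def parse_join_ctx(text):
    """Collect the 'out:' fields into a dict (quotes stripped, NULL -> None)."""
    fields = {"_account_created": False}   # set if precreate made a new account
    in_out = False
    for line in text.splitlines():
        if "machine account creation created" in line:
            fields["_account_created"] = True
        elif line.startswith("out:"):
            in_out = True
        elif in_out and (m := FIELD_RE.match(line)):
            key, val = m.groups()
            if val == "NULL":
                val = None
            elif len(val) >= 2 and val[0] == val[-1] == "'":
                val = val[1:-1]
            fields[key] = val
    return fields

def diagnose(fields):
    """Classify the outcome as the thread does: failing to set the SPN and
    dNSHostName attributes is fatal, because Kerberos auth depends on them."""
    result, err = fields.get("result"), fields.get("error_string") or ""
    if result == "WERR_OK":
        return ("ok", "join completed")
    msg = f"join failed ({result}): {err}"
    if "failed to set machine spn" in err and "Constraint violation" in err:
        msg += ("; the joining account can create the object but lacks 'Validated "
                "write to service principal name' and 'Validated write to DNS host "
                "name' on it")
    if fields.get("_account_created") and fields.get("dn"):
        msg += f"; a computer object without SPNs was left at {fields['dn']}"
    return ("fatal", msg)
```

Feed it the full `-d1` output of a failed join; the second run in the thread ("The machine account already exists in the specified OU.") parses the same way but no longer reports a freshly created object.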

Alex Green

Dec 15, 2008, 1:40:17 PM
:)... it's this non-fatal error that our users are getting confused about, and it's this that I was asking for the CLI option for...



Gerald (Jerry) Carter

Dec 15, 2008, 1:50:13 PM

Alex Green wrote:
> :)... it's this non-fatal error that our uses are getting
> confused about and it's this that I was asking for the cli
> option for...

For the DDNS update we can add a disable run time option.
For setting the attributes, failing is the right thing to do I believe.

What version of Samba are you running?


cheers, jerry



Alex Green

Dec 16, 2008, 7:20:11 AM
3.0.28 and 3.0.32 - native OS versions shipped by Novell (Linux) and Sun (Solaris).

Failing is the right thing to do in an MS-DNS/AD-Integrated environment, however for non-MS DNS environments disabling is going to be cleaner.


Alex Green

Dec 16, 2008, 7:40:09 AM
Cross-wires (.....)

AD record update (SPN or DNS) failing is absolutely the right thing to do ... no question.

DDNS Fail - disable option would be good ... only talking about this... not the AD bit...


Gerald (Jerry) Carter

Dec 16, 2008, 7:40:09 AM

Alex,

> 3.0.28 and 3.0.32 - Native OS version shipped by Novell(Linux) and Sun(Solaris)
>
> Failing is the right thing to do in an MS-DNS/AD-Integrated
> environment, however for non-MS DNS environments disabling is
> going to be cleaner.

Failing is the right thing to do period because without setting
the attributes you can't do Krb5 auth. Maybe you should be using
"security = domain" instead.

cheers, jerry

Volker Lendecke

Dec 16, 2008, 7:50:09 AM
On Tue, Dec 16, 2008 at 06:36:24AM -0600, Gerald (Jerry) Carter wrote:
> > Failing is the right thing to do in an MS-DNS/AD-Integrated
> > environment, however for non-MS DNS environments disabling is
> > going to be cleaner.
>
> Failing is the right thing to do period because without setting
> the attributes you can't do Krb5 auth. Maybe you should be using
> "security = domain" instead.

That together with "winbind rpc only = yes" from 3.2. I can
provide a patch for earlier versions if needed.

Volker

Alex Green

Dec 16, 2008, 8:10:15 AM
:)... so is a command-line or config option doable?


Gerald (Jerry) Carter

Dec 16, 2008, 8:10:17 AM

Alex Green wrote:
> Cross-wires (.....)
>
> AD record update (SPN or DNS) failing absolutely the right thing to do ... no question.
>
> DDNS Fail - disable option would be good ... only
> talking about this... not the AD bit...

Ahh..ok. gotcha. Sorry for the misfire.

jerry



Alex Green

Dec 16, 2008, 9:00:10 AM
Looks fine... :)... chances this makes it into the main stream for vendor adoption?


Gerald (Jerry) Carter

Dec 16, 2008, 9:00:12 AM

Alex Green wrote:
> :)... so command-line or config option do'able?

Yeah. I'll see what I can do. Command line option probably.

$ net ads join --disable-dns-update

Look ok ? If so, I'll see if I can find some time real soon now.

cheers, jerry

Gerald (Jerry) Carter

Dec 16, 2008, 9:00:14 AM

Alex Green wrote:
> Looks fine... :)... chances this makes it into the main stream
> for vendor adoption?

Yeah. I don't do anything that doesn't go upstream. Unless it is
really ugly.


cheers, jerry


Alex Green

Dec 16, 2008, 9:10:09 AM
Cool.. wasn't being impertinent.. just curious :)...

