Kerberos: Principal may not act as server ERROR

Andrew Bartlett abartlet at samba.org
Mon Aug 2 19:14:10 MDT 2010


On Mon, 2010-08-02 at 10:29 -0400, Aggarwal, Ajay wrote:
> Sorry if it's a duplicate. I posted this on the "samba" general mailing
> list but got no response. So I thought let me try here in this forum.
> 
> We are running samba4 (alpha12) on a centos 5.4  machine and are
> experimenting with Hyper-V 2008 R2 Failover Clustering, which requires
> Active Directory. We are trying to see if samba-4 will work as the AD
> server. We  are building a 2 node failover cluster. Both nodes seem to
> have joined the domain successfully (with samba-4 as the DC). But
> subsequent steps of creating the "Failover Cluster" are failing and we
> see following errors in samba log. 
> 
> Do these error logs indicate a mis-configuration on our part or
> interoperability issues of samba-4 with Hyper-V 2008 R2 and failover
> clustering? Any help will be much appreciated. 

The logs indicate a number of things:

> Kerberos: TGS-REQ administrator@SAMBALIME.STRATUS.COM from
> ipv4:10.90.0.87:49614 for Administrator@SAMBALIME.STRATUS.COM
> [canonicalize, renewable, forwardable]
> 
> Kerberos: Principal may not act as server --
> Administrator@SAMBALIME.STRATUS.COM
> 
> Kerberos: Failed building TGS-REP to ipv4:10.90.0.87:49614

Could you try this with the current GIT tree?

Depending on exactly what is going on here, this is either hitting a bug
I've already fixed, or a restriction that I've added, in the interests
of security.  I don't think it's a good idea if any user can ask for a
ticket encrypted to the password of another user, particularly the
administrator, as unlike machines, people tend to pick poor passwords,
and this would allow an offline brute force attack. 

> Terminating connection - 'kdc_tcp_call_loop:tstream_read_pdu_blob_recv()
> - NT_STATUS_CONNECTION_DISCONNECTED'
> 
> single_terminate: reason[kdc_tcp_call_loop:
> tstream_read_pdu_blob_recv()- NT_STATUS_CONNECTION_DISCONNECTED]
> 
> ------ Other significant errors that we see periodically ----- 
> 
> Failed to modify SPNs on
> CN=NODE1-LIME,CN=Computers,DC=sambalime,DC=stratus,DC=com: error in
> module acl: insufficient access rights (50)
> 
> added interface ip=10.90.0.71 nmask=255.255.255.0 
> 
> ldb_wrap open of sam.ldb 
> 
> Failed to modify SPNs on
> CN=NODE1-LIME,CN=Computers,DC=sambalime,DC=stratus,DC=com: error in
> module acl: insufficient access rights (50)
> 
> ipv4:10.90.0.88:49232 closed connection to service IPC$

There has been a lot of work on the SPN modification case recently, to
properly honour the ACLs at work here.  This may be fixed in the current
GIT tree. 

> Kerberos: AS-REQ
> host/node0-lime.sambalime.stratus.com@SAMBALIME.STRATUS.COM from
> ipv4:10.90.0.87:50798 for
> krbtgt/SAMBALIME.STRATUS.COM@SAMBALIME.STRATUS.COM
> 
> Kerberos: UNKNOWN --
> host/node0-lime.sambalime.stratus.com@SAMBALIME.STRATUS.COM: no such
> entry found in hdb

This has happened because of the failure to modify the SPN, or a failure
to set the dnsHostName attribute somehow. 

I hope this helps you understand things, and I wish you the very best
with your use of Samba4!

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
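An added illustration of the two KDC decisions discussed in this thread (example code written for this archive page, not Samba's own code): a toy model of the hdb lookup and of the "may act as server" policy, plus a triage pass over the KDC log lines. The policy in `may_act_as_server` is an assumption modelled on Andrew's reasoning, not Samba's exact rule; the directory entries, the hypothetical `CLUSTERFS$` machine and the log text are constructed (with `@` restored where the archive prints `at`).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

REALM = "SAMBALIME.STRATUS.COM"


@dataclass
class Account:
    """Minimal model of an AD account as the KDC backend (hdb) sees it."""
    sam_account_name: str
    is_machine: bool                                  # workstation/server trust account?
    spns: List[str] = field(default_factory=list)     # servicePrincipalName values
    dns_host_name: Optional[str] = None               # dNSHostName attribute


# Constructed directory: Administrator and NODE0-LIME$ mirror the thread (the SPN
# and dNSHostName writes failed, so NODE0-LIME$ carries neither); CLUSTERFS$ is a
# hypothetical machine whose SPN registration succeeded, for contrast.
DIRECTORY = [
    Account("Administrator", False),
    Account("NODE0-LIME$", True),
    Account("CLUSTERFS$", True,
            spns=["host/clusterfs.sambalime.stratus.com"],
            dns_host_name="clusterfs.sambalime.stratus.com"),
]


def _split(principal: str):
    name, _, realm = principal.rpartition("@")
    return name, realm


def find_server_entry(directory, principal):
    """Model of the hdb lookup for a requested server principal.  An SPN form
    (svc/host) matches only a registered servicePrincipalName, or host/<fqdn>
    against the machine's dNSHostName; a bare name matches the account name.
    None corresponds to the log's 'no such entry found in hdb'."""
    name, realm = _split(principal)
    if realm != REALM:
        return None
    lname = name.lower()
    for acct in directory:
        if "/" in lname:
            if lname in (s.lower() for s in acct.spns):
                return acct
            svc, _, host = lname.partition("/")
            if svc == "host" and acct.dns_host_name and host == acct.dns_host_name.lower():
                return acct
        elif lname == acct.sam_account_name.lower():
            return acct
    return None


def may_act_as_server(acct, principal):
    """Illustrative policy (an assumption, not Samba's exact rule): issue a
    service ticket when the request names a registered SPN or a machine/trust
    account.  A plain user principal such as Administrator@REALM is refused so
    that no client can obtain a ticket encrypted with a human-chosen password
    and guess at it offline."""
    name, _ = _split(principal)
    if "/" in name:
        return True                 # the lookup already required an SPN match
    return acct.is_machine


def evaluate_tgs_request(directory, server_principal):
    """Return the modelled KDC decision for a TGS-REQ naming server_principal."""
    acct = find_server_entry(directory, server_principal)
    if acct is None:
        return "NO_SUCH_ENTRY"
    if not may_act_as_server(acct, server_principal):
        return "PRINCIPAL_MAY_NOT_ACT_AS_SERVER"
    return "ISSUED"


# Constructed KDC log excerpt (one line per event, as the KDC writes them).
KDC_LOG = """\
Kerberos: TGS-REQ administrator@SAMBALIME.STRATUS.COM from ipv4:10.90.0.87:49614 for Administrator@SAMBALIME.STRATUS.COM [canonicalize, renewable, forwardable]
Kerberos: Principal may not act as server -- Administrator@SAMBALIME.STRATUS.COM
Kerberos: Failed building TGS-REP to ipv4:10.90.0.87:49614
Kerberos: AS-REQ host/node0-lime.sambalime.stratus.com@SAMBALIME.STRATUS.COM from ipv4:10.90.0.87:50798 for krbtgt/SAMBALIME.STRATUS.COM@SAMBALIME.STRATUS.COM
Kerberos: UNKNOWN -- host/node0-lime.sambalime.stratus.com@SAMBALIME.STRATUS.COM: no such entry found in hdb
"""

TGS_RE = re.compile(r"TGS-REQ (\S+) from (\S+) for (\S+)")
REFUSED_RE = re.compile(r"Principal may not act as server -- (\S+)")
UNKNOWN_RE = re.compile(r"UNKNOWN -- (\S+): no such entry found in hdb")


def triage_kdc_log(text):
    """Pair each refusal / unknown-principal line with the request before it,
    so an administrator sees who asked, from where, and which fix applies."""
    findings, last_req = [], None
    for line in text.splitlines():
        m = TGS_RE.search(line)
        if m:
            last_req = {"client": m.group(1), "from": m.group(2), "server": m.group(3)}
            continue
        m = REFUSED_RE.search(line)
        if m:
            findings.append({"kind": "user_principal_as_server", "principal": m.group(1),
                             "client": last_req["client"] if last_req else None,
                             "from": last_req["from"] if last_req else None,
                             "action": "request names a user account, not an SPN; check the client's target name"})
            continue
        m = UNKNOWN_RE.search(line)
        if m:
            findings.append({"kind": "missing_spn_or_dnshostname", "principal": m.group(1),
                             "action": "verify servicePrincipalName and dNSHostName on the computer object"})
    return findings


if __name__ == "__main__":
    for p in ("Administrator@" + REALM, "host/node0-lime.sambalime.stratus.com@" + REALM,
              "host/clusterfs.sambalime.stratus.com@" + REALM):
        print(p, "->", evaluate_tgs_request(DIRECTORY, p))
    for f in triage_kdc_log(KDC_LOG):
        print(f)
```

Run as a script it prints the decision for the three principals and the two findings; the second finding is the one that points at the SPN / dNSHostName write failures quoted above.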