Kerberos: Principal may not act as server ERROR

Aggarwal, Ajay Ajay.Aggarwal at stratus.com
Tue Aug 3 12:42:48 MDT 2010


Hi Andrew,

We updated to the latest GIT tree, compiled and reinstalled. But we still see the exact same error messages.

-Ajay

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org] 
Sent: Monday, August 02, 2010 9:14 PM
To: Aggarwal, Ajay
Cc: samba-technical at lists.samba.org
Subject: Re: Kerberos: Principal may not act as server ERROR

On Mon, 2010-08-02 at 10:29 -0400, Aggarwal, Ajay wrote:
> Sorry if it's a duplicate. I posted this on the "samba" general 
> mailing list but got no response. So I thought let me try here in this forum.
> 
> We are running samba4 (alpha12) on a centos 5.4  machine and are 
> experimenting with Hyper-V 2008 R2 Failover Clustering, which requires 
> Active Directory. We are trying to see if samba-4 will work as the AD 
> server. We are building a 2 node failover cluster. Both nodes seem to 
> have joined the domain successfully (with samba-4 as the DC). But 
> subsequent steps of creating the "Failover Cluster" are failing and we 
> see following errors in samba log.
> 
> Do these error logs indicate a mis-configuration on our part or 
> interoperability issues of samba-4 with Hyper-V 2008 R2 and failover 
> clustering? Any help will be much appreciated.

The logs indicate a number of things:

> Kerberos: TGS-REQ administrator at SAMBALIME.STRATUS.COM from
> ipv4:10.90.0.87:49614 for Administrator at SAMBALIME.STRATUS.COM
> [canonicalize, renewable, forwardable]
> 
> Kerberos: Principal may not act as server -- 
> Administrator at SAMBALIME.STRATUS.COM
> 
> Kerberos: Failed building TGS-REP to ipv4:10.90.0.87:49614

Could you try this with the current GIT tree?

Depending on exactly what is going on here, this is either hitting a bug I've already fixed, or a restriction that I've added, in the interests of security.  I don't think it's a good idea if any user can ask for a ticket encrypted to the password of another user, particularly the administrator, as unlike machines, people tend to pick poor passwords, and this would allow an offline brute force attack. 

> Terminating connection - 
> 'kdc_tcp_call_loop:tstream_read_pdu_blob_recv()
> - NT_STATUS_CONNECTION_DISCONNECTED'
> 
> single_terminate: reason[kdc_tcp_call_loop:
> tstream_read_pdu_blob_recv()- NT_STATUS_CONNECTION_DISCONNECTED]
> 
> 
> ------ Other significant errors that we see periodically -----
> 
> Failed to modify SPNs on
> CN=NODE1-LIME,CN=Computers,DC=sambalime,DC=stratus,DC=com: error in 
> module acl: insufficient access rights (50)
> 
> added interface ip=10.90.0.71 nmask=255.255.255.0
> 
> ldb_wrap open of sam.ldb
> 
> Failed to modify SPNs on
> CN=NODE1-LIME,CN=Computers,DC=sambalime,DC=stratus,DC=com: error in 
> module acl: insufficient access rights (50)
> 
> ipv4:10.90.0.88:49232 closed connection to service IPC$

There has been a lot of work on the SPN modification case recently, to properly honour the ACLs at work here.  This may be fixed in the current GIT tree. 

> Kerberos: AS-REQ
> host/node0-lime.sambalime.stratus.com at SAMBALIME.STRATUS.COM from
> ipv4:10.90.0.87:50798 for
> krbtgt/SAMBALIME.STRATUS.COM at SAMBALIME.STRATUS.COM
> 
> Kerberos: UNKNOWN --
> host/node0-lime.sambalime.stratus.com at SAMBALIME.STRATUS.COM: no such 
> entry found in hdb

This has happened because of the failure to modify the SPN, or a failure to set the dnsHostName attribute somehow. 

I hope this helps you understand things, and I wish you the very best with your use of Samba4!

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
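The restriction Andrew describes, and the offline attack it prevents, as an added example. This is illustrative Python written for this page, not Samba or Heimdal code: the account table, the wordlist, the "may act as server" policy (krbtgt, computer accounts and SPN-bearing user accounts allowed; SPN-less user accounts refused) and the password-to-key derivation are all assumptions, and an HMAC tag stands in for the real ticket encryption. The error strings mirror the log lines quoted above.

```python
"""Toy model of the KDC-side restriction discussed in the thread: a TGS-REQ
naming a plain user account as the server is refused, because the resulting
ticket would be encrypted to that user's password-derived key and could be
brute-forced offline. Added example; not Samba or Heimdal code."""
import hashlib
import hmac
import os
from collections import namedtuple

REALM = "SAMBALIME.STRATUS.COM"  # realm from the log excerpt

Ticket = namedtuple("Ticket", "body tag")

# Constructed account table (assumed for this example, not from the page).
def make_db():
    return {
        "Administrator": {"kind": "user", "spns": [], "secret": "Summer2010"},
        "svc-sql": {"kind": "user",
                    "spns": ["MSSQLSvc/db1.sambalime.stratus.com:1433"],
                    "secret": "Svc!Pass#8"},
        "NODE0-LIME$": {"kind": "computer",
                        "spns": ["host/node0-lime.sambalime.stratus.com"],
                        "secret": os.urandom(60).hex()},  # random machine key
        "krbtgt": {"kind": "krbtgt", "spns": [], "secret": os.urandom(60).hex()},
    }

def lookup(db, name):
    """Resolve an account name or a registered SPN to (account, entry)."""
    if name in db:
        return name, db[name]
    for account, entry in db.items():
        if name in entry["spns"]:
            return account, entry
    return None, None

def may_act_as_server(entry):
    """Assumed policy: krbtgt, computer accounts and user accounts carrying
    at least one SPN may be TGS targets; an SPN-less user account may not."""
    return entry["kind"] in ("krbtgt", "computer") or bool(entry["spns"])

def string_to_key(secret, account):
    """Password -> key. Simplified stand-in for the Kerberos AES string-to-key
    (PBKDF2 with a realm+principal salt); not wire-compatible with Kerberos."""
    salt = (REALM + account).encode()
    return hashlib.pbkdf2_hmac("sha1", secret.encode(), salt, 4096, 16)

def tgs_req(db, client, target, enforce=True):
    """Handle a TGS-REQ from `client` for `target`. Returns a Ticket, or the
    error string the KDC would log. enforce=False models a KDC without the
    restriction."""
    account, entry = lookup(db, target)
    if entry is None:
        return f"UNKNOWN -- {target}@{REALM}: no such entry found in hdb"
    if enforce and not may_act_as_server(entry):
        return f"Principal may not act as server -- {account}@{REALM}"
    key = string_to_key(entry["secret"], account)
    # A real KDC encrypts the ticket under the service key. Here an HMAC tag
    # over a constructed body; the requester sees both and can test keys.
    body = f"client={client},server={account},realm={REALM}".encode()
    return Ticket(body, hmac.new(key, body, hashlib.sha256).hexdigest())

def crack_ticket(ticket, account, wordlist):
    """Offline attack: derive a key from each candidate password and re-check
    the ticket. Nothing touches the KDC, so no lockout and no log entry."""
    for cand in wordlist:
        key = string_to_key(cand, account)
        tag = hmac.new(key, ticket.body, hashlib.sha256).hexdigest()
        if hmac.compare_digest(tag, ticket.tag):
            return cand
    return None

# Constructed wordlist for the demonstration.
WORDLIST = ["Password1", "Welcome1", "Summer2010", "Winter2010", "Svc!Pass#8"]

if __name__ == "__main__":
    db = make_db()
    print(tgs_req(db, "administrator", "Administrator"))  # refused by policy
    print(tgs_req(db, "administrator", "host/node1-lime.sambalime.stratus.com"))  # SPN never registered
    t = tgs_req(db, "administrator", "Administrator", enforce=False)
    print("no restriction, Administrator cracked:", crack_ticket(t, "Administrator", WORDLIST))
    t = tgs_req(db, "administrator", "MSSQLSvc/db1.sambalime.stratus.com:1433")
    print("SPN-bearing user, cracked:", crack_ticket(t, "svc-sql", WORDLIST))
    t = tgs_req(db, "administrator", "host/node0-lime.sambalime.stratus.com")
    print("computer account, cracked:", crack_ticket(t, "NODE0-LIME$", WORDLIST))
```

Two points the run makes visible. First, the refusal only protects accounts that have no SPN: a user account that legitimately carries an SPN (svc-sql here) still hands any authenticated user a ticket keyed to its password, so such accounts need long random passwords or a managed machine-style key. Second, the "UNKNOWN ... no such entry found in hdb" line for the node1 host principal is exactly what this toy produces when the SPN was never written to the account, which is the failure mode Andrew links to the "Failed to modify SPNs" errors.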

