Samba 4 DC for Hyper-V R2 Cluster - Kerberos problems

Alessandro alexvl at tiscali.it
Thu Dec 22 12:14:53 MST 2011


Hi Guys,

I'm currently creating a Hyper-V R2 SP1 Cluster using Samba 4 (alpha 17) as an external DC.
The main reason to do that is that virtualizing the DC needed by the cluster is not a great idea, and paying an extra Windows Server license just for an external simple DC scenario is something that a lot of people find irritating, considering that for the rest the Hyper-V stack is free.

So far I'm impressed with the features and stability of Samba 4. I managed to succeed in getting the cluster validation "green", I had to fix some Kerberos problems by creating the relevant SPNs, but nothing too dramatic.

My problem is that when creating the cluster, the Kerberos authentication between the nodes is not working and the cluster cannot be set up.

Samba 4 setup:

CentOS 6.0 x64
Samba 4 alpha17
Bind 7.2.0 (the outdated one coming with CentOS 6.0)

Dynamic DNS updates not set
Records for cluster name and cluster nodes statically created 
Time synchronization between DC and nodes ok


Here are some logs from the Hyper-V R2 SP1 cluster nodes:

Event ID 1570
Node 'HV2' failed to establish a communication session while joining the cluster. This was due to an authentication failure. Please verify that the nodes are running compatible versions of the cluster service software.

Event ID 1280
Sponsor tried to Create Security Context using Package='Kerberos' with Context Requirement ='133122' and Timeout ='30000'

Event ID 1281
Joiner tried to Create Security Context using Package='Kerberos' with Context Requirement ='83990' and Timeout ='30000' for the target = 'HV2'


And here are some logs from Samba4 using a -d 5 level:


(normal if no LDAP backend) Could not find entry to match filter: '(&(objectclass=ldapSecret)(cn=SAMDB Credentials))' base: '': No such object: (null)
auth_check_password_send: Checking password for unmapped user [MYDOMAIN]\[HV2$]@[HV2]
map_user_info: Mapping user [MYDOMAIN]\[HV2$] from workstation [HV2]
auth_check_password_send: mapped user is: [MYDOMAIN]\[HV2$]@[HV2]
auth_get_challenge: returning previous challenge by module netr_LogonSamLogonWithFlags (normal)
[0000] 35 7B 87 F7 C2 E6 A1 70                            5{.....p 
ntlm_password_check: Checking NTLMv2 password with domain [MYDOMAIN]
authsam_account_ok: Checking SMB password for user HV2$
logon_hours_ok: No hours restrictions for user HV2$
gendb_search_v: DC=MYDOMAIN,DC=local NULL -> 1
auth_check_password_recv: sam_ignoredomain authentication for user [MYDOMAIN\HV2$] succeeded
dreplsrv_notify_schedule(5) scheduled for: Thu Dec  8 00:55:13 2011 EET
dreplsrv_notify_schedule(5) scheduled for: Thu Dec  8 00:55:18 2011 EET
Kerberos: TGS-REQ HV2$@MYDOMAIN.LOCAL from ipv4:10.73.75.61:60923 for HV1 at MYDOMAIN.LOCAL [canonicalize, renewable, forwardable]
Failed find a entry for (null)
Kerberos: Searching referral for HV1
Kerberos: Server not found in database: HV1 at MYDOMAIN.LOCAL: No such entry in the database
Kerberos: Failed building TGS-REP to ipv4:10.73.75.61:60923
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
imessaging: cleaning up /usr/local/samba/private/smbd.tmp/msg/msg.0:0.92
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Kerberos: TGS-REQ HV1$@MYDOMAIN.LOCAL from ipv4:10.73.75.60:55743 for HV2 at MYDOMAIN.LOCAL [canonicalize, renewable, forwardable]
Failed find a entry for (null)
Kerberos: Searching referral for HV2
Kerberos: Server not found in database: HV2 at MYDOMAIN.LOCAL: No such entry in the database
Kerberos: Failed building TGS-REP to ipv4:10.73.75.60:55743
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'


Any suggestion is highly welcome!!


Thanks,

Alessandro Pilotti
MVP ASP.Net / IIS
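The Samba KDC log in the post shows the failure pattern directly: each node requests a service ticket (TGS-REQ) for the other node's short name, the KDC reports "Server not found in database" for that principal, and the TGS-REP fails, which is what the cluster's Event ID 1570 authentication failure corresponds to. The following script is an added example, not part of the original message or of Samba; it parses `-d 5` KDC output, pairs each TGS-REQ with its outcome by the requester's address, and lists the service principals the DC could not resolve so they can be checked on the DC (for instance with `samba-tool spn list`). The sample log lines are constructed from the ones quoted in the post; the regular expressions are an assumption about the Samba 4 alpha log format as shown there.

```python
"""Find Kerberos TGS requests in Samba KDC debug output (-d 5) that failed
because the requested service principal does not exist in the directory.

Added example for this thread; not Samba code.  The log format assumed here
is the one visible in the post (Samba 4 alpha17).
"""
import re
from dataclasses import dataclass

# Sample log, constructed from the lines quoted in the post.
SAMPLE_LOG = """\
auth_check_password_recv: sam_ignoredomain authentication for user [MYDOMAIN\\HV2$] succeeded
Kerberos: TGS-REQ HV2$@MYDOMAIN.LOCAL from ipv4:10.73.75.61:60923 for HV1 at MYDOMAIN.LOCAL [canonicalize, renewable, forwardable]
Failed find a entry for (null)
Kerberos: Searching referral for HV1
Kerberos: Server not found in database: HV1 at MYDOMAIN.LOCAL: No such entry in the database
Kerberos: Failed building TGS-REP to ipv4:10.73.75.61:60923
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
Kerberos: TGS-REQ HV1$@MYDOMAIN.LOCAL from ipv4:10.73.75.60:55743 for HV2 at MYDOMAIN.LOCAL [canonicalize, renewable, forwardable]
Failed find a entry for (null)
Kerberos: Searching referral for HV2
Kerberos: Server not found in database: HV2 at MYDOMAIN.LOCAL: No such entry in the database
Kerberos: Failed building TGS-REP to ipv4:10.73.75.60:55743
"""

# Realm is matched with [^:\s]+ because the "not found" line continues with ": No such entry".
TGS_REQ = re.compile(
    r"^Kerberos: TGS-REQ (?P<client>\S+) from (?P<src>\S+) for (?P<target>\S+) at (?P<realm>[^:\s]+)"
)
NOT_FOUND = re.compile(
    r"^Kerberos: Server not found in database: (?P<target>\S+) at (?P<realm>[^:\s]+)"
)
FAILED_REP = re.compile(r"^Kerberos: Failed building TGS-REP to (?P<src>\S+)")


@dataclass
class TgsFailure:
    client: str   # requesting principal, e.g. HV2$@MYDOMAIN.LOCAL
    src: str      # requester address as logged by the KDC
    target: str   # service principal name that was requested
    realm: str
    reason: str


def find_tgs_failures(lines):
    """Walk the log in order; a TGS-REQ stays pending until the KDC logs a
    TGS-REP failure for the same source address.  A 'Server not found'
    line in between records the reason for the matching pending request."""
    pending = {}   # src address -> dict of the TGS-REQ fields seen so far
    failures = []
    for raw in lines:
        line = raw.strip()
        m = TGS_REQ.match(line)
        if m:
            pending[m["src"]] = m.groupdict()
            continue
        m = NOT_FOUND.match(line)
        if m:
            for req in pending.values():
                if req["target"] == m["target"] and req["realm"] == m["realm"]:
                    req["reason"] = "server principal not found"
            continue
        m = FAILED_REP.match(line)
        if m and m["src"] in pending:
            req = pending.pop(m["src"])
            failures.append(TgsFailure(req["client"], req["src"], req["target"],
                                       req["realm"], req.get("reason", "unknown")))
    return failures


def missing_spns(failures):
    """Distinct (target, realm) pairs the KDC could not resolve: the service
    principals an administrator should verify exist on the DC."""
    return sorted({(f.target, f.realm) for f in failures
                   if f.reason == "server principal not found"})


if __name__ == "__main__":
    found = find_tgs_failures(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f.client} -> {f.target}@{f.realm}: {f.reason}")
    for target, realm in missing_spns(found):
        print(f"check SPN registration for {target} in {realm}")
```

Running it over the sample log reports two failed exchanges, `HV2$` asking for `HV1` and `HV1$` asking for `HV2`, and lists both single-component names as unresolved principals. Pairing by source address rather than by order alone keeps the attribution correct when several nodes' requests interleave in a busy KDC log.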