Samba 4 DC for Hyper-V R2 Cluster - Kerberos problems

Michael Wood esiotrot at gmail.com
Thu Jan 19 23:37:28 MST 2012


Hi

I don't know the answer, but perhaps the following patch will help
with at least making more sense of:

> Failed find a entry for (null)

I have not tested it, though.

From 14fb3e9dd91ba09a4bfced93d7274227431692fc Mon Sep 17 00:00:00 2001
From: Michael Wood <esiotrot at gmail.com>
Date: Fri, 20 Jan 2012 08:30:18 +0200
Subject: [PATCH] Log short_princ instead of uninitialised filter.

---
 source4/kdc/db-glue.c |   11 ++++++-----
 1 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index ae93b75..77c8430 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1363,7 +1363,6 @@ static krb5_error_code
samba_kdc_lookup_server(krb5_context context,

        } else {
                int lret;
-               char *filter = NULL;
                char *short_princ;
                const char *realm;
                /* server as client principal case, but we must not
lookup userPrincipalNames */
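Review bot: Dropping `char *filter = NULL;` is the right fix for the `(null)` seen in the report, but the subject line slightly misdescribes the bug: in the visible lines the pointer is initialised to NULL and never assigned, so `DEBUG(3, ("Failed find a entry for %s\n", filter))` reliably printed `(null)` rather than reading an uninitialised value; "never-assigned filter" would be the more accurate wording. Also confirm the file still builds warning-clean after the removal, since any remaining reference to `filter` outside this hunk will now fail to compile.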
@@ -1386,16 +1385,18 @@ static krb5_error_code
samba_kdc_lookup_server(krb5_context context,
                                       DSDB_SEARCH_SHOW_EXTENDED_DN |
DSDB_SEARCH_NO_GLOBAL_CATALOG,

"(&(objectClass=user)(samAccountName=%s))",

ldb_binary_encode_string(mem_ctx, short_princ));
-               free(short_princ);
                if (lret == LDB_ERR_NO_SUCH_OBJECT) {
-                       DEBUG(3, ("Failed find a entry for %s\n", filter));
+                       DEBUG(3, ("Failed to find an entry for %s\n",
short_princ));
+                       free(short_princ);
                        return HDB_ERR_NOENTRY;
                }
                if (lret != LDB_SUCCESS) {
-                       DEBUG(3, ("Failed single search for for %s - %s\n",
-                                 filter, ldb_errstring(kdc_db_ctx->samdb)));
+                       DEBUG(3, ("Failed single search for %s - %s\n",
+                                 short_princ,
ldb_errstring(kdc_db_ctx->samdb)));
+                       free(short_princ);
                        return HDB_ERR_NOENTRY;
                }
+               free(short_princ);
        }

        return 0;
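Review bot: Moving `free(short_princ);` below the two DEBUG calls is necessary rather than cosmetic: with the old placement, logging `short_princ` on the error paths would have read a buffer that had already been freed. The price is three copies of `free(short_princ)` on three exit paths, which is easy to miss the next time a `return` is added in this block; a single exit (`goto done;` with one `free(short_princ);` before the final `return`) would keep the release in one place. It is also worth a one-line comment that `short_princ` is released with `free()` while the encoded filter argument is allocated on `mem_ctx`, so a reader does not "fix" one to match the other.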
-- 
1.7.0.4

On 22 December 2011 21:14, Alessandro <alexvl at tiscali.it> wrote:
> Hi Guys,
>
> I'm currently creating a Hyper-V R2 SP1 Cluster using Samba 4 (alpha 17) as an external DC.
> The main reason to do that is that virtualizing the DC needed by the cluster is not a great idea and paying an extra Windows Server license just for an external simple DC scenario is something that a lot of people find irritating, considering that for the rest the Hyper-V stack is free.
>
> So far I'm impressed with the features and stability of Samba 4. I managed to succeed in getting the cluster validation "green", I had to fix some Kerberos problems by creating the relevant SPNs, but nothing too dramatic.
>
> My problem is that by creating the cluster, the Kerberos authentication between the nodes is not working and the cluster cannot be set up.
>
> Samba 4 setup:
>
> CentOS 6.0 x64
> Samba 4 alpha17
> Bind 7.2.0 (the outdated one coming with CentOS 6.0)
>
> Dynamic DNS updates not set
> Records for cluster name and cluster nodes statically created
> Time synchronization between DC and nodes ok
>
>
> Here are some logs from the Hyper-V R2 SP1 cluster nodes:
>
> Event ID 1570
> Node 'HV2' failed to establish a communication session while joining the cluster. This was due to an authentication failure. Please verify that the nodes are running compatible versions of the cluster service software.
>
> Event ID 1280
> Sponsor tried to Create Security Context using Package='Kerberos' with Context Requirement ='133122' and Timeout ='30000'
>
> Event ID 1281
> Joiner tried to Create Security Context using Package='Kerberos' with Context Requirement ='83990' and Timeout ='30000' for the target = 'HV2'
>
>
> And here are some logs from Samba4 using a -d 5 level:
>
>
> (normal if no LDAP backend) Could not find entry to match filter: '(&(objectclass=ldapSecret)(cn=SAMDB Credentials))' base: '': No such object: (null)
> auth_check_password_send: Checking password for unmapped user [MYDOMAIN]\[HV2$]@[HV2]
> map_user_info: Mapping user [MYDOMAIN]\[HV2$] from workstation [HV2]
> auth_check_password_send: mapped user is: [MYDOMAIN]\[HV2$]@[HV2]
> auth_get_challenge: returning previous challenge by module netr_LogonSamLogonWithFlags (normal)
> [0000] 35 7B 87 F7 C2 E6 A1 70                            5{.....p
> ntlm_password_check: Checking NTLMv2 password with domain [MYDOMAIN]
> authsam_account_ok: Checking SMB password for user HV2$
> logon_hours_ok: No hours restrictions for user HV2$
> gendb_search_v: DC=MYDOMAIN,DC=local NULL -> 1
> auth_check_password_recv: sam_ignoredomain authentication for user [MYDOMAIN\HV2$] succeeded
> dreplsrv_notify_schedule(5) scheduled for: Thu Dec  8 00:55:13 2011 EET
> dreplsrv_notify_schedule(5) scheduled for: Thu Dec  8 00:55:18 2011 EET
> Kerberos: TGS-REQ HV2$@MYDOMAIN.LOCAL from ipv4:10.73.75.61:60923 for HV1 at MYDOMAIN.LOCAL [canonicalize, renewable, forwardable]
> Failed find a entry for (null)
> Kerberos: Searching referral for HV1
> Kerberos: Server not found in database: HV1 at MYDOMAIN.LOCAL: No such entry in the database
> Kerberos: Failed building TGS-REP to ipv4:10.73.75.61:60923
> Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
> imessaging: cleaning up /usr/local/samba/private/smbd.tmp/msg/msg.0:0.92
> single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
> Kerberos: TGS-REQ HV1$@MYDOMAIN.LOCAL from ipv4:10.73.75.60:55743 for HV2 at MYDOMAIN.LOCAL [canonicalize, renewable, forwardable]
> Failed find a entry for (null)
> Kerberos: Searching referral for HV2
> Kerberos: Server not found in database: HV2 at MYDOMAIN.LOCAL: No such entry in the database
> Kerberos: Failed building TGS-REP to ipv4:10.73.75.60:55743
> Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
>
>
> Any suggestion is highly welcome!!
>
>
> Thanks,
>
> Alessandro Pilotti
> MVP ASP.Net / IIS
>



-- 
Michael Wood <esiotrot at gmail.com>
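The quoted -d 5 log shows the pattern a defender needs to pull out of a Samba KDC trace: a TGS-REQ for a service name, followed by "Server not found in database" for that same name and a failed TGS-REP to the same source address. The following script is an added example, not code from the thread or from Samba; it correlates those three lines per request so the list of unresolved service principals (candidates for a missing SPN) can be reviewed. The sample log is the text quoted above as it appears in the list archive, where "@" in principal names has partly been rewritten as " at "; the regexes accept both forms. Field and function names are my own.

```python
import re
from dataclasses import dataclass

# Sample input: KDC lines copied from the quoted report above (archive form,
# with some "@" rewritten as " at ").
SAMPLE_LOG = """\
Kerberos: TGS-REQ HV2$@MYDOMAIN.LOCAL from ipv4:10.73.75.61:60923 for HV1 at MYDOMAIN.LOCAL [canonicalize, renewable, forwardable]
Failed find a entry for (null)
Kerberos: Searching referral for HV1
Kerberos: Server not found in database: HV1 at MYDOMAIN.LOCAL: No such entry in the database
Kerberos: Failed building TGS-REP to ipv4:10.73.75.61:60923
Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
Kerberos: TGS-REQ HV1$@MYDOMAIN.LOCAL from ipv4:10.73.75.60:55743 for HV2 at MYDOMAIN.LOCAL [canonicalize, renewable, forwardable]
Failed find a entry for (null)
Kerberos: Searching referral for HV2
Kerberos: Server not found in database: HV2 at MYDOMAIN.LOCAL: No such entry in the database
Kerberos: Failed building TGS-REP to ipv4:10.73.75.60:55743
"""

# "name at REALM" (archive-obfuscated) or "name@REALM" (raw log) are both matched.
TGS_REQ = re.compile(
    r"Kerberos: TGS-REQ (?P<client>\S+) from (?P<src>ipv4:[\d.]+:\d+) "
    r"for (?P<service>\S+?)(?: at |@)(?P<realm>[^\s:]+)"
)
NOT_FOUND = re.compile(
    r"Kerberos: Server not found in database: (?P<service>\S+?)(?: at |@)(?P<realm>[^\s:]+)"
)
FAILED_REP = re.compile(r"Kerberos: Failed building TGS-REP to (?P<src>ipv4:[\d.]+:\d+)")
# The misleading "(null)" line from the unpatched db-glue.c, kept as a symptom marker.
NULL_FILTER = re.compile(r"Failed find a entry for \(null\)")


@dataclass
class TgsFailure:
    client: str          # requesting principal, e.g. HV2$@MYDOMAIN.LOCAL
    src: str             # source address of the TGS-REQ
    service: str         # service name the client asked a ticket for
    realm: str
    not_found: bool = False      # KDC reported the server principal missing
    rep_failed: bool = False     # KDC could not build a TGS-REP to src
    null_filter_log: bool = False  # the "(null)" filter line was seen


def parse_kdc_log(lines):
    """Correlate each TGS-REQ with the failure lines that follow it.

    A request is closed when the matching 'Failed building TGS-REP' line for
    its source address appears; requests that never fail are dropped.
    """
    failures = []
    pending = None
    for line in lines:
        m = TGS_REQ.search(line)
        if m:
            pending = TgsFailure(**m.groupdict())
            continue
        if pending is None:
            continue
        if NULL_FILTER.search(line):
            pending.null_filter_log = True
            continue
        m = NOT_FOUND.search(line)
        if m and m.group("service") == pending.service:
            pending.not_found = True
            continue
        m = FAILED_REP.search(line)
        if m and m.group("src") == pending.src:
            pending.rep_failed = True
            failures.append(pending)
            pending = None
    return failures


def missing_service_principals(failures):
    """Distinct service names the KDC could not resolve, sorted for SPN review."""
    return sorted({f.service for f in failures if f.not_found})


if __name__ == "__main__":
    found = parse_kdc_log(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f.client} from {f.src} asked for {f.service}@{f.realm}: "
              f"not_found={f.not_found} rep_failed={f.rep_failed} "
              f"null_filter_log={f.null_filter_log}")
    print("unresolved service names:", missing_service_principals(found))
```

Running it over a full `samba -d 5` log (for example `parse_kdc_log(open(path).readlines())`) gives one record per failed TGS exchange, which is easier to compare against the SPNs registered on the cluster node accounts than reading the raw trace.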
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Log-short_princ-instead-of-uninitialised-filter.patch
Type: text/x-diff
Size: 1604 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120120/59ec5a0e/attachment.patch>

