Samba 4 DC for Hyper-V R2 Cluster - Kerberos problems
Alessandro
alexvl at tiscali.it
Fri Jan 20 06:07:57 MST 2012
Thanks Michael,
I'm going to test it.
Best,
Alessandro
On Jan 20, 2012, at 08:37 , Michael Wood wrote:
> Hi
>
> I don't know the answer, but perhaps the following patch will help
> with at least making more sense of:
>
>> Failed find a entry for (null)
>
> I have not tested it, though.
>
> From 14fb3e9dd91ba09a4bfced93d7274227431692fc Mon Sep 17 00:00:00 2001
> From: Michael Wood <esiotrot at gmail.com>
> Date: Fri, 20 Jan 2012 08:30:18 +0200
> Subject: [PATCH] Log short_princ instead of uninitialised filter.
>
> ---
> source4/kdc/db-glue.c | 11 ++++++-----
> 1 files changed, 6 insertions(+), 5 deletions(-)
>
> diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
> index ae93b75..77c8430 100644
> --- a/source4/kdc/db-glue.c
> +++ b/source4/kdc/db-glue.c
> @@ -1363,7 +1363,6 @@ static krb5_error_code
> samba_kdc_lookup_server(krb5_context context,
>
> } else {
> int lret;
> - char *filter = NULL;
> char *short_princ;
> const char *realm;
> /* server as client principal case, but we must not
> lookup userPrincipalNames */
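Review bot: dropping `char *filter = NULL;` is only safe if the two DEBUG calls changed in the next hunk were the sole remaining readers of `filter`; the hunk shows just the declaration, so confirm the function still compiles without a leftover reference. Worth stating in the commit message that `filter` was never assigned after its initialisation, which is why the old `DEBUG(3, ("Failed find a entry for %s\n", filter));` printed "(null)" in the reported log.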
> @@ -1386,16 +1385,18 @@ static krb5_error_code
> samba_kdc_lookup_server(krb5_context context,
> DSDB_SEARCH_SHOW_EXTENDED_DN |
> DSDB_SEARCH_NO_GLOBAL_CATALOG,
>
> "(&(objectClass=user)(samAccountName=%s))",
>
> ldb_binary_encode_string(mem_ctx, short_princ));
> - free(short_princ);
> if (lret == LDB_ERR_NO_SUCH_OBJECT) {
> - DEBUG(3, ("Failed find a entry for %s\n", filter));
> + DEBUG(3, ("Failed to find an entry for %s\n",
> short_princ));
> + free(short_princ);
> return HDB_ERR_NOENTRY;
> }
> if (lret != LDB_SUCCESS) {
> - DEBUG(3, ("Failed single search for for %s - %s\n",
> - filter, ldb_errstring(kdc_db_ctx->samdb)));
> + DEBUG(3, ("Failed single search for %s - %s\n",
> + short_princ,
> ldb_errstring(kdc_db_ctx->samdb)));
> + free(short_princ);
> return HDB_ERR_NOENTRY;
> }
> + free(short_princ);
> }
>
> return 0;
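Review bot: the `free(short_princ);` call now appears three times (before each `return HDB_ERR_NOENTRY;` and once at the end of the block), which is easy to get out of sync when another error path is added; consider one exit path instead, e.g. set a return code in the two error branches and fall through to a single `free(short_princ);` before `return`. The ordering in the hunk is correct as written: each DEBUG reads `short_princ` before it is freed, and the removal of the early `- free(short_princ);` is what makes that possible. The duplicated "for for" in the second message is also fixed here, so the log line is now greppable as "Failed single search for".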
> --
> 1.7.0.4
>
> On 22 December 2011 21:14, Alessandro <alexvl at tiscali.it> wrote:
>> Hi Guys,
>>
>> I'm currently creating a Hyper-V R2 SP1 Cluster using Samba 4 (alpha 17) as an external DC.
>> The main reason to do that is that virtualizing the DC needed by the cluster is not a great idea and paying an extra Windows Server license just for an external simple DC scenario is something that a lot of people find irritating, considering that for the rest the Hyper-V stack is free.
>>
>> So far I'm impressed with the features and stability of Samba 4. I managed to succeed in getting the cluster validation "green"; I had to fix some Kerberos problems by creating the relevant SPNs, but nothing too dramatic.
>>
>> My problem is that by creating the cluster, the Kerberos authentication between the nodes is not working and the cluster cannot be set up.
>>
>> Samba 4 setup:
>>
>> CentOS 6.0 x64
>> Samba 4 alpha17
>> Bind 7.2.0 (the outdated one coming with CentOS 6.0)
>>
>> Dynamic DNS updates not set
>> Records for cluster name and cluster nodes statically created
>> Time synchronization between DC and nodes ok
>>
>>
>> Here are some logs from the Hyper-V R2 SP1 cluster nodes:
>>
>> Event ID 1570
>> Node 'HV2' failed to establish a communication session while joining the cluster. This was due to an authentication failure. Please verify that the nodes are running compatible versions of the cluster service software.
>>
>> Event ID 1280
>> Sponsor tried to Create Security Context using Package='Kerberos' with Context Requirement ='133122' and Timeout ='30000'
>>
>> Event ID 1281
>> Joiner tried to Create Security Context using Package='Kerberos' with Context Requirement ='83990' and Timeout ='30000' for the target = 'HV2'
>>
>>
>> And here are some logs from Samba4 using a -d 5 level:
>>
>>
>> (normal if no LDAP backend) Could not find entry to match filter: '(&(objectclass=ldapSecret)(cn=SAMDB Credentials))' base: '': No such object: (null)
>> auth_check_password_send: Checking password for unmapped user [MYDOMAIN]\[HV2$]@[HV2]
>> map_user_info: Mapping user [MYDOMAIN]\[HV2$] from workstation [HV2]
>> auth_check_password_send: mapped user is: [MYDOMAIN]\[HV2$]@[HV2]
>> auth_get_challenge: returning previous challenge by module netr_LogonSamLogonWithFlags (normal)
>> [0000] 35 7B 87 F7 C2 E6 A1 70 5{.....p
>> ntlm_password_check: Checking NTLMv2 password with domain [MYDOMAIN]
>> authsam_account_ok: Checking SMB password for user HV2$
>> logon_hours_ok: No hours restrictions for user HV2$
>> gendb_search_v: DC=MYDOMAIN,DC=local NULL -> 1
>> auth_check_password_recv: sam_ignoredomain authentication for user [MYDOMAIN\HV2$] succeeded
>> dreplsrv_notify_schedule(5) scheduled for: Thu Dec 8 00:55:13 2011 EET
>> dreplsrv_notify_schedule(5) scheduled for: Thu Dec 8 00:55:18 2011 EET
>> Kerberos: TGS-REQ HV2$@MYDOMAIN.LOCAL from ipv4:10.73.75.61:60923 for HV1 at MYDOMAIN.LOCAL [canonicalize, renewable, forwardable]
>> Failed find a entry for (null)
>> Kerberos: Searching referral for HV1
>> Kerberos: Server not found in database: HV1 at MYDOMAIN.LOCAL: No such entry in the database
>> Kerberos: Failed building TGS-REP to ipv4:10.73.75.61:60923
>> Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
>> imessaging: cleaning up /usr/local/samba/private/smbd.tmp/msg/msg.0:0.92
>> single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
>> Kerberos: TGS-REQ HV1$@MYDOMAIN.LOCAL from ipv4:10.73.75.60:55743 for HV2 at MYDOMAIN.LOCAL [canonicalize, renewable, forwardable]
>> Failed find a entry for (null)
>> Kerberos: Searching referral for HV2
>> Kerberos: Server not found in database: HV2 at MYDOMAIN.LOCAL: No such entry in the database
>> Kerberos: Failed building TGS-REP to ipv4:10.73.75.60:55743
>> Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
>>
>>
>> Any suggestion is highly welcome!!
>>
>>
>> Thanks,
>>
>> Alessandro Pilotti
>> MVP ASP.Net / IIS
>
> --
> Michael Wood <esiotrot at gmail.com>
> <0001-Log-short_princ-instead-of-uninitialised-filter.patch>
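As an added example (not code from the thread or from Samba), a small triage script for the KDC debug output quoted above: it pairs each "TGS-REQ ... for X" line with the following "Server not found in database" line, so an admin can list exactly which service principals the DC has no entry for, rather than hunting for the unhelpful "(null)" line. The sample log is constructed from the quoted lines (the archive shows "at" where the real log prints "@", so the regexes accept both); the cifs/ request is an invented extra line that succeeds.

```python
import re

# Constructed sample modelled on the Samba 4 "-d 5" output in the thread.
SAMPLE_LOG = """\
Kerberos: TGS-REQ HV2$@MYDOMAIN.LOCAL from ipv4:10.73.75.61:60923 for HV1 at MYDOMAIN.LOCAL [canonicalize, renewable, forwardable]
Failed find a entry for (null)
Kerberos: Searching referral for HV1
Kerberos: Server not found in database: HV1 at MYDOMAIN.LOCAL: No such entry in the database
Kerberos: Failed building TGS-REP to ipv4:10.73.75.61:60923
Kerberos: TGS-REQ HV1$@MYDOMAIN.LOCAL from ipv4:10.73.75.60:55743 for HV2 at MYDOMAIN.LOCAL [canonicalize, renewable, forwardable]
Failed find a entry for (null)
Kerberos: Server not found in database: HV2 at MYDOMAIN.LOCAL: No such entry in the database
Kerberos: Failed building TGS-REP to ipv4:10.73.75.60:55743
Kerberos: TGS-REQ HV1$@MYDOMAIN.LOCAL from ipv4:10.73.75.60:55744 for cifs/dc1.mydomain.local@MYDOMAIN.LOCAL [canonicalize, renewable, forwardable]
"""

# "X at REALM" is the list archive's munging of "X@REALM"; accept both forms.
TGS_REQ = re.compile(
    r"^Kerberos: TGS-REQ (?P<client>\S+) from (?P<src>\S+) for "
    r"(?P<server>.+?)(?:@| at )(?P<realm>\S+) \[")
NOT_FOUND = re.compile(
    r"^Kerberos: Server not found in database: (?P<server>.+?)(?:@| at )(?P<realm>\S+):")


def find_missing_servers(log_text):
    """Return (client, source, server) for every TGS-REQ whose target
    principal the KDC reported as absent from the SAM database."""
    failures = []
    pending = None  # most recent TGS-REQ, awaiting its outcome
    for line in log_text.splitlines():
        m = TGS_REQ.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = NOT_FOUND.match(line)
        if m and pending and pending["server"] == m.group("server"):
            failures.append((pending["client"], pending["src"], pending["server"]))
            pending = None
    return failures


def summarize(failures):
    """Map each missing target principal to the set of clients that asked for it."""
    by_server = {}
    for client, _src, server in failures:
        by_server.setdefault(server, set()).add(client)
    return by_server


if __name__ == "__main__":
    for server, clients in sorted(summarize(find_missing_servers(SAMPLE_LOG)).items()):
        print(f"missing SPN/account for {server}: requested by {', '.join(sorted(clients))}")
```

Each name it prints is a principal that needs an SPN or computer account on the Samba DC, which is the class of fix the original post describes for the cluster validation step.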