[Samba] Samba4 DC, SPNs and a complex Windows stack

Luke Bigum luke.bigum at lmax.com
Wed Dec 17 10:50:48 MST 2014


----- Original Message -----
> From: "David Bear" <dwbear75 at gmail.com>
> To: samba at lists.samba.org
> Sent: Wednesday, 17 December, 2014 5:25:48 PM
> Subject: Re: [Samba] Samba4 DC, SPNs and a complex Windows stack
> 
> On 12/17/2014 01:35 AM, Luke Bigum wrote:
> > Hello,
> >
> > We're using Samba 4.1.11 as domain controllers and over the past two weeks
> > I've run into several issues with unrelated Windows software, the problems
> > of which all point to Kerberos authentication and SPNs as being somehow
> > involved. If there are many more issues it might start to get politically
> > difficult *not* to blame the DCs, and I don't want to point fingers at
> > Samba.
> >
> > Are there any known issues with running complex Windows stacks on top of
> > Samba 4 DCs (eg: Hyper-V clusters with migration, 3rd party Windows
> > software that uses SSPI from the MSSQL client libraries)? Perhaps some
> > intricacies of AD that Heimdal doesn't mirror?
> >
> This would seem to be interesting information, but of limited value.
> Unless you have a set of specific errors (error codes, return messages,
> etc) that your windows programs are able to log or show somehow, how
> would you ever be able to map the error code to the 'solution'?
> 
> It would be more productive to have error codes, stack traces, and
> detailed descriptions of the symptoms of the problem rather than a
> blanket statement -"We have never seen problems with hyperV and samba". ..


I agree, that would be very useful if I was after a solution, but I'm not after a solution in this thread, I'm after a confidence boost in the product/stack :-)

I have "noise" here saying that we (our team) should not try to add more and more complexity on top of a domain controller that's not built by Microsoft. With this thread I'm more interested in some big shop (perhaps an ISP or hosting provider) saying that they've done it and it's possible. Then I can go reply back to the internal noise and say "These guys out there in the world do it, it's not impossible".

I'll post a separate thread with the specific issues I'm seeing when I've got enough information to ask for help with.

--
Luke Bigum
Senior Systems Engineer

Information Systems
Ph: +44 (0) 20 3192 2520
---

LMAX Exchange, Yellow Building, 1A Nicholas Road, London W11 4AN
http://www.LMAX.com/


