[Samba] Samba4 DC, SPNs and a complex Windows stack

Jeremy Allison jra at samba.org
Wed Dec 17 11:04:44 MST 2014

On Wed, Dec 17, 2014 at 05:50:48PM +0000, Luke Bigum wrote:
> ----- Original Message -----
> > From: "David Bear" <dwbear75 at gmail.com>
> > To: samba at lists.samba.org
> > Sent: Wednesday, 17 December, 2014 5:25:48 PM
> > Subject: Re: [Samba] Samba4 DC, SPNs and a complex Windows stack
> > 
> > On 12/17/2014 01:35 AM, Luke Bigum wrote:
> > > Hello,
> > >
> > > We're using Samba 4.1.11 as domain controllers and over the past two weeks
> > > I've run into several issues with unrelated Windows software, the problems
> > > of which all point to Kerberos authentication and SPNs as being somehow
> > > involved. If there are many more issues it might start to get politically
> > > difficult *not* to blame the DCs, and I don't want to point fingers at
> > > Samba.
> > >
> > > Are there any known issues with running complex Windows stacks on top of
> > > Samba 4 DCs (eg: Hyper-V clusters with migration, 3rd party Windows
> > > software that uses SSPI from the MSSQL client libraries)? Perhaps some
> > > intricacies of AD that Heimdal doesn't mirror?
> > >
> > This would seem to be interesting information, but of limited value.
> > Unless you have a set of specific errors (error codes, return messages,
> > etc) that your windows programs are able to log or show somehow, how
> > would you ever be able to map the error code to the 'solution'?
> > 
> > It would be more productive to have error codes, stack traces, and
> > detailed descriptions of the symptoms of the problem rather than a
> > > blanket statement - "We have never seen problems with hyperV and samba"...
> I agree, that would be very useful if I was after a solution, but I'm not after a solution in this thread, I'm after a confidence boost in the product/stack :-)
> I have "noise" here saying that we (our team) should not try to add more and more complexity on top of a domain controller that's not built by Microsoft. With this thread I'm more interested in some big shop (perhaps an ISP or hosting provider) saying that they've done it and it's possible. Then I can go reply back to the internal noise and say "These guys out there in the world do it, it's not impossible".
> I'll post a separate thread with the specific issues I'm seeing when I've got enough information to ask for help with.

Please do. The only data point I can give
you is that Amazon has enough confidence in
the Samba DC that it used it for their new
cloud directory service.


But really this list works best when dealing
with bugs and problems. Please tell us about them in
as much detail as possible :-).


