[Samba] kerberos issue (SPN not found) with windows Hyper-V (samba 4.5.3 AD)

Kacper Wirski k.wirski at babkamedica.pl
Thu Mar 16 10:35:52 UTC 2017


Hello,

I set up samba 4 AD on centos 7.3 (self-compiled from source) over 6 
months ago. Up until now I didn't encounter any undocumented errors. I 
have 3 DCs (all samba 4.5.3) which are working pretty nicely with over 60 
windows clients.

The issue I've stumbled upon is when I added Windows Server Hyper-V 
hosts to the domain. Tried with Hyper-V from 2012, 2012r2 and the new 2016 - 
all with the exact same problem.

I've searched and googled and found one old topic with the same issue in 
the samba lists, but no help was given, and also not enough info was supplied.

The main issue is that the Hyper-V hosts are unable to authenticate each 
other using kerberos for live migration and replication (the only two 
features that require kerberos) - the windows host gives a well-documented 
error that it's unable to authenticate using kerberos.

I've gathered all the logs, which I think explain the issue quite 
clearly and hopefully someone will be able to give a viable solution.

domain/realm let's call it:
mydomain.com.xyz @ MYDOMAIN.COM.XYZ
hyper-v hosts:
BM-SRV-5 and BMSRV-WIN10 (both with windows server 2016 standard with 
hyper-v host role installed)
DC1, DC2, DC3 are my 3 domain controllers (names not really original :) )

Microsoft Hyper-V requires specific SPNs registered for hosts:

Microsoft Virtual Console Service
Hyper-V Replica Service
Microsoft Virtual System Migration Service

The SPNs should be automatically registered in the AD machine account 
by Windows, but this fails with windows error 14050. This error is 
well documented, but none of the solutions helped, and I think the error 
is with samba AD, as I'll try to explain.

I added the SPNs manually via windows setspn (for both hyper-v hosts 
of course; mydomain.com.xyz is of course a bogus name, the real domain is 
something different):

setspn -S "Hyper-V Replica Service/BMSRV-WIN10" BMSRV-WIN10
setspn -S "Hyper-V Replica Service/BMSRV-WIN10.mydomain.com.xyz" BMSRV-WIN10

setspn -S "Microsoft Virtual System Migration Service/BMSRV-WIN10" BMSRV-WIN10
setspn -S "Microsoft Virtual System Migration Service/BMSRV-WIN10.mydomain.com.xyz" BMSRV-WIN10

setspn -S "Microsoft Virtual Console Service/BMSRV-WIN10" BMSRV-WIN10
setspn -S "Microsoft Virtual Console Service/BMSRV-WIN10.mydomain.com.xyz" BMSRV-WIN10
Both windows and samba, when queried, show the correct SPNs:
output of windows query:

setspn -l BMSRV-WIN10

Registered ServicePrincipalNames for 
CN=BMSRV-WIN10,CN=Computers,DC=mydomain,DC=com,DC=xyz:
     HOST/BMSRV-WIN10
     HOST/BMSRV-WIN10.mydomain.com.xyz
     Hyper-V Replica Service/BMSRV-WIN10
     Hyper-V Replica Service/BMSRV-WIN10.mydomain.com.xyz
     Microsoft Virtual Console Service/BMSRV-WIN10
     Microsoft Virtual Console Service/BMSRV-WIN10.mydomain.com.xyz
     Microsoft Virtual System Migration Service/BMSRV-WIN10
     Microsoft Virtual System Migration Service/BMSRV-WIN10.mydomain.com.xyz
     RestrictedKrbHost/BMSRV-WIN10
     RestrictedKrbHost/BMSRV-WIN10.mydomain.com.xyz
     TERMSRV/BMSRV-WIN10
     TERMSRV/BMSRV-WIN10.mydomain.com.xyz
     WSMAN/BMSRV-WIN10
     WSMAN/BMSRV-WIN10.mydomain.com.xyz

output of samba-tool query:

samba-tool spn list BMSRV-WIN10$
schema_fsmo_init: we are master[no] updates allowed[no]
User CN=BMSRV-WIN10,CN=Computers,DC=mydomain,DC=com,DC=xyz has the 
following servicePrincipalName:
          HOST/BMSRV-WIN10
          HOST/BMSRV-WIN10.mydomain.com.xyz
          Hyper-V Replica Service/BMSRV-WIN10
          Hyper-V Replica Service/BMSRV-WIN10.mydomain.com.xyz
          Microsoft Virtual Console Service/BMSRV-WIN10
          Microsoft Virtual Console Service/BMSRV-WIN10.mydomain.com.xyz
          Microsoft Virtual System Migration Service/BMSRV-WIN10
          Microsoft Virtual System Migration Service/BMSRV-WIN10.mydomain.com.xyz
          RestrictedKrbHost/BMSRV-WIN10
          RestrictedKrbHost/BMSRV-WIN10.mydomain.com.xyz
          TERMSRV/BMSRV-WIN10
          TERMSRV/BMSRV-WIN10.mydomain.com.xyz
          WSMAN/BMSRV-WIN10
          WSMAN/BMSRV-WIN10.mydomain.com.xyz

It all looks fine and well (the SPN names are 100% correct, verified).

For the hyper-v features to work (replica and live migration) with 
kerberos I need to set up delegation (it's set - verified a million 
times over that it's set the right way, just like MS wants it).

I know that I can obtain tickets for other SPNs
(from windows: klist cifs/BMSRV-WIN10 grants me a valid ticket, for 
example)

Now cometh the error:
When I try to run hyper-v replica it fails with an error concerning 
kerberos and the SPN not being there.

Log from samba DC3 (when trying to start Hyper-V replica from BM-SRV-5 
to BMSRV-WIN10)

  Kerberos: TGS-REQ BM-SRV-5$@MYDOMAIN.COM.XYZ from 
ipv4:192.168.1.10:56993 for Hyper-V\ Replica\ 
Service/BMSRV-WIN10.mydomain.com.xyz@MYDOMAIN.COM.XYZ [canonicalize, 
renewable, forwardable]
[2017/03/16 10:55:07.246904,  4] 
../source4/dsdb/samdb/cracknames.c:169(LDB_lookup_spn_alias)
   LDB_lookup_spn_alias: no alias for service Hyper-V Replica Service 
applicable
[2017/03/16 10:55:07.246971,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Searching referral for BMSRV-WIN10.mydomain.com.xyz
[2017/03/16 10:55:07.247028,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Server not found in database: Hyper-V\ Replica\ 
Service/BMSRV-WIN10.mydomain.com.xyz@MYDOMAIN.COM.XYZ: no such entry 
found in hdb
[2017/03/16 10:55:07.247053,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Failed building TGS-REP to ipv4:192.168.1.10:56993

log from wireshark (earlier attempt but same issue, this time when 
trying to start live migration from BM-SRV-5 to BMSRV-WIN10):

req-body
     Padding: 0
     kdc-options: 40810000 (forwardable, renewable, canonicalize)
     realm: MYDOMAIN.COM.XYZ
     sname
         name-type: kRB5-NT-SRV-INST (2)
         sname-string: 2 items
             SNameString: Microsoft Virtual System Migration Service
             SNameString: BMSRV-WIN10
     till: 2037-09-13 02:48:05 (UTC)
     nonce: 17847174
     etype: 5 items
     enc-authorization-data


error:
krb-error
     pvno: 5
     msg-type: krb-error (30)
     ctime: 2017-03-16 08:01:23 (UTC)
     cusec: 128
     stime: 2017-03-16 08:01:23 (UTC)
     susec: 66964
     error-code: eRR-S-PRINCIPAL-UNKNOWN (7)
     realm: <unspecified realm>
     sname
         name-type: kRB5-NT-UNKNOWN (0)
         sname-string: 0 items

Same errors occur when going the other way round.

So the SPNs are clearly there (both setspn -l and samba-tool spn list 
outputs confirm that), the client sends a correct request (as seen by 
wireshark and/or the samba log), but suddenly samba is unable to find the SPN.
I'm a complete newbie (well, sort of) when it comes to kerberos and 
samba, but maybe it's because the SPN has spaces in it, as that's pretty unusual, 
but that's what Microsoft wants/needs?
I don't know, just a guess :-) . The features offered by hyper-v in AD 
are obviously beneficial and I would love to get them working.
Any help, workaround or tip - I will be very, very thankful. If more 
info is needed I'll gladly supply logs/whatever is needed.

Kacper Wirski
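The post shows the same service name in three spellings: the registered SPN ("Hyper-V Replica Service/host"), the backslash-escaped principal in the Samba/Heimdal KDC log ("Hyper-V\ Replica\ Service/host"), and the two separate sname-string components in the Wireshark decode. The script below is an added example, not code from the post or from the Samba project; it normalises all three forms to one SPN string and checks it against the list printed by samba-tool, so a reader can confirm that the name the KDC was asked for really does match a registered SPN byte for byte (apart from case). The sample SPN list and log line are constructed from the post; the handling of the list archive's " at " spelling of "@" is an assumption about the archive, not Samba behaviour.

```python
"""Cross-check the service principal a KDC was asked for against the
SPNs registered on a computer account (constructed sample data)."""
import re

# Constructed sample: what ``samba-tool spn list BMSRV-WIN10$`` printed.
SAMBA_TOOL_OUTPUT = """\
User CN=BMSRV-WIN10,CN=Computers,DC=mydomain,DC=com,DC=xyz has the following servicePrincipalName:
          HOST/BMSRV-WIN10
          HOST/BMSRV-WIN10.mydomain.com.xyz
          Hyper-V Replica Service/BMSRV-WIN10
          Hyper-V Replica Service/BMSRV-WIN10.mydomain.com.xyz
          Microsoft Virtual System Migration Service/BMSRV-WIN10
          Microsoft Virtual System Migration Service/BMSRV-WIN10.mydomain.com.xyz
          RestrictedKrbHost/BMSRV-WIN10
          WSMAN/BMSRV-WIN10
"""

# Constructed sample: the TGS-REQ line from the DC3 log, with the
# backslash-escaped spaces Heimdal uses when printing a principal.
KDC_LOG_LINE = ("Kerberos: TGS-REQ BM-SRV-5$@MYDOMAIN.COM.XYZ from "
                "ipv4:192.168.1.10:56993 for Hyper-V\\ Replica\\ "
                "Service/BMSRV-WIN10.mydomain.com.xyz@MYDOMAIN.COM.XYZ "
                "[canonicalize, renewable, forwardable]")


def parse_spn_list(text):
    """Return the SPNs from samba-tool output: the indented lines containing '/'."""
    return [line.strip() for line in text.splitlines()
            if line[:1].isspace() and "/" in line]


def unquote_principal(text):
    """Split a Heimdal-style principal ('a\\ b/host@REALM') into
    (components, realm), honouring backslash escapes.  Assumption: the
    mailing-list archive rewrites '@' as ' at ', so that form is accepted."""
    if "@" not in text and " at " in text:
        head, _, realm_part = text.rpartition(" at ")
        text = head + "@" + realm_part
    comps, buf, realm = [], [], None
    i = 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):   # escaped character: literal
            buf.append(text[i + 1])
            i += 2
            continue
        if c == "/":                           # component separator
            comps.append("".join(buf))
            buf = []
        elif c == "@":                         # realm follows
            comps.append("".join(buf))
            buf = []
            realm = text[i + 1:]
            break
        else:
            buf.append(c)
        i += 1
    if realm is None:
        comps.append("".join(buf))
    return comps, realm


def requested_service(log_line):
    """Pull the service principal out of a 'Kerberos: TGS-REQ ... for X [' line."""
    m = re.search(r" for (.+?) \[", log_line)
    if not m:
        raise ValueError("not a TGS-REQ log line")
    return unquote_principal(m.group(1))


def spn_from_sname(sname_strings):
    """Wireshark shows sname as separate strings; AD stores them joined by '/'."""
    return "/".join(sname_strings)


def find_spn(spn, registered):
    """Case-insensitive lookup (servicePrincipalName is compared case-
    insensitively in AD).  Returns the registered SPN that matches, else None."""
    wanted = spn.casefold()
    for r in registered:
        if r.casefold() == wanted:
            return r
    return None


def diagnose(spn, registered):
    """Summarise a lookup: the exact match if any, whether the service class
    contains spaces, and which registered SPNs share that service class."""
    svc = spn.split("/", 1)[0]
    same_class = [r for r in registered
                  if r.split("/", 1)[0].casefold() == svc.casefold()]
    return {"requested": spn, "has_spaces": " " in svc,
            "match": find_spn(spn, registered), "same_service_class": same_class}


if __name__ == "__main__":
    registered = parse_spn_list(SAMBA_TOOL_OUTPUT)
    comps, realm = requested_service(KDC_LOG_LINE)
    print(realm, diagnose(spn_from_sname(comps), registered))
    print(diagnose(spn_from_sname(["Microsoft Virtual System Migration Service",
                                   "BMSRV-WIN10"]), registered))
```

Run against the post's own data, both the replica request from the KDC log and the live-migration request from the Wireshark decode resolve to SPNs that are present in the samba-tool listing, which is the author's point: the mismatch is not in the name the client sends. To use it on a live system, paste the real `samba-tool spn list` output and a real `log level = 3` KDC line in place of the constructed samples.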
