[Samba] kerberos issue (SPN not found) with windows Hyper-V ( samba 4.5.3 AD)

Luke Bigum luke.bigum at lmax.com
Sun Mar 19 20:18:45 UTC 2017


Hello,

This won't be a very helpful reply, but I can confirm I've had the exact same issue. I ran into this a few years ago and could not get HyperV migrations to work with a Samba DC. I even went so far as to install a Windows DC just to prove to myself that it is supposed to work, and it does, perfectly (with ADDC it even creates all the SPNs for you auto-magically).

Unfortunately at the time I was focused on a Windows VM Disaster Recovery problem, so ended up dropping HyperV entirely in favour of KVM and DRBD. As such, I never raised a bug with Samba or Catalyst about this - I probably should have :-/ Sorry I can't be of more help other than to add my voice to "there is a bug somewhere in Samba".

-- 
Luke Bigum
Lead Engineer

Information Systems

----- Original Message -----
From: "Kacper Wirski via samba" <samba at lists.samba.org>
To: samba at lists.samba.org
Sent: Saturday, 18 March, 2017 22:10:01
Subject: Re: [Samba] kerberos issue (SPN not found) with windows Hyper-V ( samba 4.5.3 AD)

After reviewing logs I found that my previous assumption was wrong.

Situation: - I'm trying to start live migration from hyper-v host A 
(BMSRV4-HYPERV) to hyper-v host B (BM-SRV-5) from host B (logged in as 
user from DOMAIN ADMINS group).

Kerberos constrained delegation is set in accordance with Microsoft 
instructions with proper SPNs set (well, proper as in with the 
workaround I wrote earlier).

Below logs from wireshark and Samba 4 DC (the one that handled request).
The kacper_wirski user, which belongs to the DOMAIN ADMINS group, is the one 
"giving" the command. I tried already with a different user, also tried 
the other way round (from host B -> to host A when logged into host B). 
Same errors. Tried with a different Hyper-V host C, same error.

I have bar none experience with troubleshooting kerberos (up until 
now everything was working flawlessly) but reading from the logs I 
understand that the generated ticket request from Host A seems ok: it wants 
to "impersonate" kacper_wirski in order to get to the SPN on Host B, but the 
request fails.
I admit that I already googled this error and wasted a lot of hours, 
but I really don't know how to handle this situation - whether it's a 
kerberos error, or a samba error, or Microsoft Hyper-V was just built 
that way that it simply will work ONLY with Microsoft AD?

Every bit of advice/tip is greatly appreciated, as I feel I'm running 
out of ideas or options.

/etc/krb5.conf is the basic one generated at DC promo. Overall no issues in the 
domain using kerberos so far (over 6 months now), also used SSO for 
apache so kerberos overall seems ok.

Logs below (tried my best to trim down).

Samba 4 log from the DC that Host A contacted (one of 3 DCs in the domain):

Log level 5
   Kerberos: TGS-REQ BMSRV4-HYPERV$@MYDOMAIN.COM.XYZ from 
ipv4:192.168.1.14:64931 for bmsrv4-hyperv$@MYDOMAIN.COM.XYZ 
[canonicalize, renewable, forwardable]
[2017/03/18 22:00:03.656232,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: s4u2self BMSRV4-HYPERV$@MYDOMAIN.COM.XYZ impersonating 
kacper_wirski at MYDOMAIN.COM.XYZ to service 
bmsrv4-hyperv$@MYDOMAIN.COM.XYZ [forwardable]
[2017/03/18 22:00:03.656262,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: TGS-REQ authtime: 2017-03-18T21:39:30 starttime: 
2017-03-18T22:00:03 endtime: 2017-03-18T22:15:03 renew till: 
2017-03-25T21:39:30
[2017/03/18 22:00:03.657328,  3] 
../source4/smbd/service_stream.c:66(stream_terminate_connection)
   Terminating connection - 'kdc_tcp_call_loop: 
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2017/03/18 22:00:03.657340,  3] 
../source4/smbd/process_single.c:114(single_terminate)
   single_terminate: reason[kdc_tcp_call_loop: 
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2017/03/18 22:00:03.658763,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Failed to decrypt enc-authorization-data
[2017/03/18 22:00:03.658776,  3] 
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Failed parsing TGS-REQ from ipv4:192.168.1.14:64932
[2017/03/18 22:00:03.658911,  3] 
../source4/smbd/service_stream.c:66(stream_terminate_connection)
   Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2017/03/18 22:00:03.658920,  3] 
../source4/smbd/process_single.c:114(single_terminate)
   single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]


Wireshark relevant output:

TGS-REQ (host A -> Samba 4 AD DC):
Kerberos
                             msg-type: krb-ap-req (14)

                             ticket
                                 realm: MYDOMAIN.COM.XYZ
                                 sname
                                     name-type: kRB5-NT-SRV-INST (2)
                                     sname-string: 2 items
                                         SNameString: krbtgt
                                         SNameString: MYDOMAIN.COM.XYZ
                                 enc-part
                                     etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
                             authenticator
                                 etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
             PA-DATA PA-FOR-USER
                 padata-type: kRB5-PADATA-S4U2SELF (129)
                         name
                             name-type: kRB5-NT-ENTERPRISE-PRINCIPAL (10)
                             name-string: 1 item
                                 KerberosString: kacper_wirski
                         realm: MYDOMAIN.COM.XYZ
                         cksum
                             cksumtype: cKSUMTYPE-HMAC-MD5 (-138)
                         auth: Kerberos
         req-body
             Padding: 0
             kdc-options: 40810000 (forwardable, renewable, canonicalize)
             realm: MYDOMAIN.COM.XYZ
             sname
                 name-type: kRB5-NT-PRINCIPAL (1)
                 sname-string: 1 item
                     SNameString: bmsrv4-hyperv$
             etype: 5 items
                 ENCTYPE: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                 ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
                 ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5 (23)
                 ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5-56 (24)
                 ENCTYPE: eTYPE-ARCFOUR-HMAC-OLD-EXP (-135)

TGS-REP KDC -> HOST  A

     tgs-rep
            msg-type: krb-tgs-rep (13)
         crealm: MYDOMAIN.COM.XYZ
         cname
             name-type: kRB5-NT-ENTERPRISE-PRINCIPAL (10)
             cname-string: 1 item
                 CNameString: kacper_wirski
         ticket
             tkt-vno: 5
             realm: MYDOMAIN.COM.XYZ
             sname
                 name-type: kRB5-NT-PRINCIPAL (1)
                 sname-string: 1 item
                     SNameString: bmsrv4-hyperv$
             enc-part
                 etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
                 kvno: 1
         enc-part
             etype: eTYPE-ARCFOUR-HMAC-MD5 (23)

TGS-REQ (Host A -> KDC)

     tgs-req
         pvno: 5
         msg-type: krb-tgs-req (12)
         padata: 2 items
             PA-DATA PA-TGS-REQ
                 padata-type: kRB5-PADATA-TGS-REQ (1)
                          ticket
                                 tkt-vno: 5
                                 realm: MYDOMAIN.COM.XYZ
                                 sname
                                     name-type: kRB5-NT-SRV-INST (2)
                                     sname-string: 2 items
                                         SNameString: krbtgt
                                         SNameString: MYDOMAIN.COM.XYZ
                                 enc-part
                                     etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
                                     kvno: 1
                                authenticator
                                 etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
             PA-DATA Unknown:167
                 padata-type: Unknown (167)
                     padata-value: 3009a00703050010000000
         req-body
             Padding: 0
             kdc-options: 40830000 (forwardable, renewable, 
request-anonymous, canonicalize)
             realm: MYDOMAIN.COM.XYZ
             sname
                 name-type: kRB5-NT-SRV-INST (2)
                 sname-string: 2 items
                     SNameString: Microsoft Virtual System Migration Service
                     SNameString: BM-SRV-5
             till: 2017-03-18 21:15:03 (UTC)
             nonce: 478023267
             etype: 5 items
                 ENCTYPE: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
                 ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
                 ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5 (23)
                 ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5-56 (24)
                 ENCTYPE: eTYPE-ARCFOUR-HMAC-OLD-EXP (-135)
             enc-authorization-data
                 etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
                 cipher: 0fa4ee9a7e16003266d7566c12c2f50748e50435090ee9e2...
             additional-tickets: 1 item
                 Ticket
                     realm: MYDOMAIN.COM.XYZ
                     sname
                         name-type: kRB5-NT-PRINCIPAL (1)
                             SNameString: bmsrv4-hyperv$
                     enc-part
                         etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
                         kvno:
and final TGS-REP (KDC -> HOST A)
     krb-error
         pvno: 5
         msg-type: krb-error (30)
         ctime: 2017-03-18 21:00:03 (UTC)
         cusec: 481
         stime: 2017-03-18 21:00:03 (UTC)
         susec: 658781
         error-code: eRR-BAD-INTEGRITY (31)
         realm: <unspecified realm>
         sname
             name-type: kRB5-NT-UNKNOWN (0)
             sname-string: 0 items




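The quoted DC log shows the two halves of the constrained-delegation exchange as the KDC sees them: an S4U2Self request (the Hyper-V host obtaining a ticket for itself in the user's name) that is accepted, followed by a TGS-REQ carrying enc-authorization-data that fails to decrypt and is answered with KRB-ERROR 31 (BAD_INTEGRITY) in the capture. The script below is an added example written for this thread, not code from Samba or from either poster. It parses Samba's multi-line log format (a "[timestamp, level]" header, a "file:line(function)" location line, then the message, which the mail client has wrapped across lines) and pairs each s4u2self entry with a later "Failed parsing TGS-REQ" from the same client address, so that a reader can pull this pattern out of a much larger level-3 log. The sample log is the excerpt quoted in the post, with the list archive's " at " rewriting of "@" handled in the regex; the dataclass and function names are this example's own.

```python
"""Triage helper for Samba AD DC (KDC) logs: pair S4U2Self requests with
later TGS-REQ parse failures from the same client.  Added example for this
thread, not Samba project code."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Samba log entry header, e.g. "[2017/03/18 22:00:03.656232,  3]"
HEADER_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+),\s*(\d+)\]$")
# Location line, e.g. "../source4/smbd/process_single.c:114(single_terminate)"
LOCATION_RE = re.compile(r"^\S+\.c:\d+\((\w+)\)$")
TGS_REQ_RE = re.compile(r"TGS-REQ (\S+) from ipv4:([\d.]+):(\d+) for (\S+)")
# The list archive rewrote "@" as " at " in some principals; accept both forms.
S4U2SELF_RE = re.compile(
    r"s4u2self (\S+) impersonating (\S+?(?:@| at )\S+) to service (\S+)")
DECRYPT_FAIL_RE = re.compile(r"Failed to decrypt (\S+)")
PARSE_FAIL_RE = re.compile(r"Failed parsing TGS-REQ from ipv4:([\d.]+):(\d+)")


@dataclass
class Entry:
    timestamp: Optional[str]   # None for text that precedes the first header (trimmed logs)
    level: Optional[int]
    function: Optional[str]
    message: str


@dataclass
class Finding:
    client_ip: str
    requester: str             # account doing the impersonation (the Hyper-V host)
    impersonated: str
    service: str
    failure: Optional[str] = None


def parse_samba_log(text: str) -> List[Entry]:
    """Split a Samba log into entries, re-joining message lines that were wrapped."""
    entries: List[Entry] = []
    current: Optional[Entry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = Entry(m.group(1), int(m.group(2)), None, "")
            entries.append(current)
            continue
        if current is None:                       # message text before any header
            current = Entry(None, None, None, "")
            entries.append(current)
        lm = LOCATION_RE.match(line)
        if lm and current.function is None and not current.message:
            current.function = lm.group(1)
            continue
        current.message = f"{current.message} {line}".strip()
    return entries


def correlate_s4u_failures(entries: List[Entry]) -> List[Finding]:
    """One Finding per s4u2self request; failure is filled from the next
    'Failed parsing TGS-REQ' seen from the same client IP."""
    findings: List[Finding] = []
    last_ip = "unknown"          # the client address appears only on the TGS-REQ line
    decrypt_reason: Optional[str] = None
    for e in entries:
        m = TGS_REQ_RE.search(e.message)
        if m:
            last_ip = m.group(2)
            continue
        m = S4U2SELF_RE.search(e.message)
        if m:
            findings.append(Finding(last_ip, m.group(1),
                                    m.group(2).replace(" at ", "@"), m.group(3)))
            continue
        m = DECRYPT_FAIL_RE.search(e.message)
        if m:
            decrypt_reason = f"Failed to decrypt {m.group(1)}"
            continue
        m = PARSE_FAIL_RE.search(e.message)
        if m:
            for f in reversed(findings):
                if f.client_ip == m.group(1) and f.failure is None:
                    f.failure = decrypt_reason or "Failed parsing TGS-REQ"
                    break
            decrypt_reason = None
    return findings


# Excerpt of the level-3 DC log quoted in the post (first entry has no header).
SAMPLE_LOG = """\
   Kerberos: TGS-REQ BMSRV4-HYPERV$@MYDOMAIN.COM.XYZ from
ipv4:192.168.1.14:64931 for bmsrv4-hyperv$@MYDOMAIN.COM.XYZ
[canonicalize, renewable, forwardable]
[2017/03/18 22:00:03.656232,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: s4u2self BMSRV4-HYPERV$@MYDOMAIN.COM.XYZ impersonating
kacper_wirski at MYDOMAIN.COM.XYZ to service
bmsrv4-hyperv$@MYDOMAIN.COM.XYZ [forwardable]
[2017/03/18 22:00:03.656262,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: TGS-REQ authtime: 2017-03-18T21:39:30 starttime:
2017-03-18T22:00:03 endtime: 2017-03-18T22:15:03 renew till:
2017-03-25T21:39:30
[2017/03/18 22:00:03.657328,  3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
   Terminating connection - 'kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2017/03/18 22:00:03.657340,  3]
../source4/smbd/process_single.c:114(single_terminate)
   single_terminate: reason[kdc_tcp_call_loop:
tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2017/03/18 22:00:03.658763,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Failed to decrypt enc-authorization-data
[2017/03/18 22:00:03.658776,  3]
../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
   Kerberos: Failed parsing TGS-REQ from ipv4:192.168.1.14:64932
[2017/03/18 22:00:03.658911,  3]
../source4/smbd/service_stream.c:66(stream_terminate_connection)
   Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2017/03/18 22:00:03.658920,  3]
../source4/smbd/process_single.c:114(single_terminate)
   single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]
"""

if __name__ == "__main__":
    for f in correlate_s4u_failures(parse_samba_log(SAMPLE_LOG)):
        print(f"{f.client_ip}: {f.requester} impersonating {f.impersonated} "
              f"-> {f.service}; follow-up: {f.failure or 'no failure seen'}")
```

Run against a full `log level = 3` (or higher) KDC log, the same pairing separates hosts whose S4U2Proxy step is being rejected from those whose delegation is working, which is the first thing to establish before looking at SPN or delegation settings on the accounts involved.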



