[Samba] ODP: Re: SAMBA 4 as Active Direcotry and Hyper-V

[Andrew Bartlett]

On Thu, 2018-08-02 at 17:32 +0200, Kacper Wirski via samba wrote:
> I have a suspicion that it is related to the specific SPNs that hyperv uses. Hyper-v tries to register 3 spn (typing from memory so I might be a bit off):
> Microsoft hyper-v console/HOST.FQDN
> Hyper-V Replication Servive/HOST.FQDN
> Microsoft Hyper-V Live Migration Service/HOST.FQDN.
> 
> This fails because of the spaces, that is samba being on linux, not seeing escape characters, messes up the request it up and just fails with registering.

It is more about how we handle the linearised SPN in the directory, but
yes, escaping sounds like a key here.

> Im hyper-v log you should see errors with failure to register spn.
>  Without SPN there might be some authentication failures e.g. With live migration kerberos based replication and probably console. As workaround You can try manually adding SPN with escape characters as in e.g.:
> 
> Microsoft\ hyper-v\ Management\ Console/HOST.FQDN etc. (And again without FQDN)
> 
> Also doublecheck correct SPN names for hyper-v I'm not 100% sure if I typed them correctly.
> 
> That used to work for 100% for kerberos based hyper-v vm replication (for hyperv 2012 at least).
> Regards,
> Kacper

Can you (perhaps with the OP) file a bug please?  This we can fix.

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba