[Samba] Re: SAMBA 4 as Active Directory and Hyper-V

Kacper Wirski kacper.wirski at gmail.com
Thu Aug 2 18:42:15 UTC 2018


I actually posted about this here on the samba list last year, but 
nobody caught interest.

I used to have logs from samba and wireshark, which very nicely showed 
what's wrong (the Kerberos request was for an SPN, e.g. "Hyper-V Replication 
Service/Servername.mydomain.com", and in the samba log there was an error 
with something like "Hyper-V\ Replication \Service.. not found").

I reread my last year's post, and I see that samba was adding 
those "escape" signs by itself, so that's why, as a workaround, I added the 
SPN straight up with backslashes.

Some log "snippets" can be found in my previous entry in the list:

https://lists.samba.org/archive/samba/2017-March/207145.html

If something more detailed is needed I can probably arrange some 
additional logs.

I'm not sure what's the proper way to "fix it"; can samba be made 
somehow "aware" of those 3 special hyper-v SPNs and rewrite requests?



On 02.08.2018 at 20:19, Andrew Bartlett via samba wrote:
> On Thu, 2018-08-02 at 17:32 +0200, Kacper Wirski via samba wrote:
>> I have a suspicion that it is related to the specific SPNs that hyperv uses. Hyper-v tries to register 3 SPNs (typing from memory so I might be a bit off):
>> Microsoft hyper-v console/HOST.FQDN
>> Hyper-V Replication Service/HOST.FQDN
>> Microsoft Hyper-V Live Migration Service/HOST.FQDN.
>>
>> This fails because of the spaces; that is, samba being on linux, not seeing escape characters, messes up the request and just fails with registering.
> It is more about how we handle the linearised SPN in the directory, but
> yes, escaping sounds like a key here.
>
>> In the hyper-v log you should see errors with failure to register the SPN.
>> Without the SPN there might be some authentication failures, e.g. with live migration, kerberos based replication and probably console. As a workaround you can try manually adding the SPN with escape characters, e.g.:
>>
>> Microsoft\ hyper-v\ Management\ Console/HOST.FQDN etc. (And again without FQDN)
>>
>> Also double-check the correct SPN names for hyper-v; I'm not 100% sure if I typed them correctly.
>>
>> That used to work 100% for kerberos based hyper-v vm replication (for hyperv 2012 at least).
>> Regards,
>> Kacper
> Can you (perhaps with the OP) file a bug please?  This we can fix.
>
> Andrew Bartlett
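An added audit helper, not from this thread or the Samba project: it takes the servicePrincipalName values of a Hyper-V host's computer object (e.g. as listed by `samba-tool spn list`) and reports, for each Hyper-V service class, whether it is registered in plain form, only via the backslash-escaped workaround, or not at all. The service-class names are the ones quoted in the thread (the poster says they were typed from memory, so verify them); the host name and SPN values below are constructed sample data.

```python
import re

# Hyper-V SPN service classes as quoted in the thread above; the poster
# says they were typed from memory, so check them against a real host.
HYPERV_SPN_CLASSES = (
    "Microsoft Hyper-V Console",
    "Hyper-V Replication Service",
    "Microsoft Hyper-V Live Migration Service",
)


def unescape_spn(value):
    """Undo backslash escaping, e.g. 'Hyper-V\\ Replication' -> 'Hyper-V Replication'."""
    return re.sub(r"\\(.)", r"\1", value)


def audit_hyperv_spns(spn_values, host_fqdn, expected=HYPERV_SPN_CLASSES):
    """Map each expected service class to 'plain', 'escaped' or 'missing'.

    spn_values: servicePrincipalName attribute values of the host's computer
    object.  Comparison is case-insensitive, as AD treats SPNs; if both a
    plain and an escaped entry exist, the plain one is reported.
    """
    seen = {}
    for raw in spn_values:
        plain = unescape_spn(raw)
        if "/" not in plain:
            continue  # not a service/host SPN
        svc, _, host = plain.partition("/")
        if host.lower() != host_fqdn.lower():
            continue  # SPN for some other host (or with a port suffix)
        form = "escaped" if "\\" in raw else "plain"
        key = svc.lower()
        if seen.get(key) != "plain":
            seen[key] = form
    return {svc: seen.get(svc.lower(), "missing") for svc in expected}


# Constructed sample: one plain SPN, one escaped workaround entry, one missing.
SAMPLE_SPNS = [
    "HOST/hv01.mydomain.com",
    "Hyper-V Replication Service/hv01.mydomain.com",
    "Microsoft\\ Hyper-V\\ Live\\ Migration\\ Service/hv01.mydomain.com",
]

if __name__ == "__main__":
    for svc, state in audit_hyperv_spns(SAMPLE_SPNS, "hv01.mydomain.com").items():
        print(f"{state:8} {svc}")
```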
