[Samba] Re: SAMBA 4 as Active Directory and Hyper-V
abartlet at samba.org
Thu Aug 2 18:49:05 UTC 2018
On Thu, 2018-08-02 at 20:42 +0200, Kacper Wirski via samba wrote:
> I actually posted about this here on the samba list last year, but
> nobody took interest.
> I used to have logs from samba and wireshark, which very nicely showed
> what's wrong (the kerberos request was for an SPN, e.g. "Hyper-V Replication
> Service/Servername.mydomain.com", and in the samba log there was an error
> with something like "Hyper-V\ Replication \Service.. not found").
> I reread my post from last year, and I see that samba was adding those
> "escape" characters by itself, so that's why, as a workaround, I added
> the SPN with backslashes directly.
> Some log "snippets" can be found in my previous entry in the list:
> If something more detailed is needed I can probably arrange some
> additional logs.
> I'm not sure what the proper way to "fix it" is; can samba somehow be
> made "aware" of those 3 special hyper-v SPNs and rewrite the requests?
Yes. We control the DB interface, this is likely just a matter of SPN
escaping (or not escaping).
Can we please have a bug filed to track this?
> On 02.08.2018 at 20:19, Andrew Bartlett via samba wrote:
> > On Thu, 2018-08-02 at 17:32 +0200, Kacper Wirski via samba wrote:
> > > I have a suspicion that it is related to the specific SPNs that hyperv uses. Hyper-v tries to register 3 SPNs (typing from memory so I might be a bit off):
> > > Microsoft hyper-v console/HOST.FQDN
> > > Hyper-V Replication Service/HOST.FQDN
> > > Microsoft Hyper-V Live Migration Service/HOST.FQDN.
> > >
> > > This fails because of the spaces; that is, samba, being on linux and not seeing escape characters, messes up the request and just fails to register it.
> > It is more about how we handle the linearised SPN in the directory, but
> > yes, escaping sounds like a key here.
> > > In the hyper-v log you should see errors about failure to register the SPN.
> > > Without the SPN there might be some authentication failures, e.g. with live migration, kerberos-based replication and probably the console. As a workaround you can try manually adding the SPN with escape characters, e.g.:
> > >
> > > Microsoft\ hyper-v\ Management\ Console/HOST.FQDN etc. (and again without the FQDN)
> > >
> > > Also double-check the correct SPN names for hyper-v; I'm not 100% sure I typed them correctly.
> > >
> > > That used to work 100% for kerberos-based hyper-v VM replication (for hyperv 2012 at least).
> > > Regards,
> > > Kacper
> > Can you (perhaps with the OP) file a bug please? This we can fix.
> > Andrew Bartlett
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
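The mismatch the thread describes, modelled as an added example (this is not Samba's code and not part of the original message). It assumes, as Kacper's log excerpt suggests, that the lookup side turns the spaces in the requested principal into DN-style "\ " sequences before comparing against servicePrincipalName, while the values Hyper-V registers are stored with literal spaces. The host name, DN and the SPN spellings (taken as typed in the thread) are constructed for illustration; the LDIF produced at the end is the form of the manual workaround Kacper describes, for use with ldbmodify or ldapmodify.

```python
"""Model of the SPN escaping mismatch described in the thread.

Added example, not Samba's code.  Assumption: the lookup escapes spaces in
the requested principal ("a b" -> "a\\ b", RFC 4514 DN style) before
comparing it with servicePrincipalName, while Hyper-V's registered values
contain literal spaces.  Host, DN and SPN spellings are constructed.
"""

# SPNs as typed in the thread (the poster notes they may not be exact).
HYPERV_SPNS = [
    "Microsoft hyper-v console/host.example.com",
    "Hyper-V Replication Service/host.example.com",
    "Microsoft Hyper-V Live Migration Service/host.example.com",
]


def dn_escape_spaces(value: str) -> str:
    """Escape spaces the way an RFC 4514 DN component would ("a b" -> "a\\ b")."""
    return value.replace(" ", "\\ ")


def escaped_lookup(requested_spn: str, stored_spns: set[str]) -> bool:
    """Assumed failing path: escape the requested principal, then look it up.

    Works for ordinary SPNs (nothing to escape) but misses any value that
    Hyper-V stored with literal spaces.
    """
    return dn_escape_spaces(requested_spn) in stored_spns


def plain_lookup(requested_spn: str, stored_spns: set[str]) -> bool:
    """Lookup that compares the principal exactly as sent, with no DN escaping."""
    return requested_spn in stored_spns


def workaround_spns(spns: list[str]) -> list[str]:
    """Extra values to register so the escaped lookup finds them (the thread's workaround)."""
    return [dn_escape_spaces(s) for s in spns if " " in s]


def ldif_add_spns(dn: str, spns: list[str]) -> str:
    """LDIF modify record adding servicePrincipalName values (ldbmodify/ldapmodify input).

    A value containing backslashes needs no LDIF-level quoting; only values that
    begin with a space, ':' or '<', or contain non-ASCII, must be base64-encoded,
    and none of these do.
    """
    lines = [f"dn: {dn}", "changetype: modify", "add: servicePrincipalName"]
    lines += [f"servicePrincipalName: {s}" for s in spns]
    lines.append("-")
    return "\n".join(lines) + "\n"


def demo() -> dict[str, bool]:
    """Run the four lookups the thread's symptoms and workaround imply."""
    stored = set(HYPERV_SPNS) | {"host/host.example.com"}
    requested = "Hyper-V Replication Service/host.example.com"
    results = {
        "plain_spn_escaped_lookup": escaped_lookup("host/host.example.com", stored),
        "spaced_spn_escaped_lookup": escaped_lookup(requested, stored),
        "spaced_spn_plain_lookup": plain_lookup(requested, stored),
    }
    # Register the backslash-escaped duplicates, as the manual workaround does.
    stored |= set(workaround_spns(HYPERV_SPNS))
    results["spaced_spn_escaped_lookup_after_workaround"] = escaped_lookup(requested, stored)
    return results


if __name__ == "__main__":
    for name, found in demo().items():
        print(f"{name}: {'found' if found else 'NOT FOUND'}")
    print(ldif_add_spns(
        "CN=HYPERV1,CN=Computers,DC=example,DC=com",
        workaround_spns(HYPERV_SPNS),
    ))
```

Only the SPNs containing spaces need the duplicate escaped entry; an ordinary host/ SPN is unaffected because escaping changes nothing in it, which is why everything else against the same DC keeps working. Once the DB layer is fixed to compare the unescaped value, the escaped duplicates become dead entries and can be removed.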