Kerberos: Principal may not act as server ERROR
Aggarwal, Ajay
Ajay.Aggarwal at stratus.com
Tue Aug 3 12:42:48 MDT 2010
Hi Andrew,
We updated to the latest GIT tree, compiled and reinstalled. But we still see the exact same error messages.
-Ajay
-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at samba.org]
Sent: Monday, August 02, 2010 9:14 PM
To: Aggarwal, Ajay
Cc: samba-technical at lists.samba.org
Subject: Re: Kerberos: Principal may not act as server ERROR
On Mon, 2010-08-02 at 10:29 -0400, Aggarwal, Ajay wrote:
> Sorry if it's a duplicate. I posted this on the "samba" general
> mailing list but got no response. So I thought let me try here in this forum.
>
> We are running samba4 (alpha12) on a centos 5.4 machine and are
> experimenting with Hyper-V 2008 R2 Failover Clustering, which requires
> Active Directory. We are trying to see if samba-4 will work as the AD
> server. We are building a 2 node failover cluster. Both nodes seem to
> have joined the domain successfully (with samba-4 as the DC). But
> subsequent steps of creating the "Failover Cluster" are failing and we
> see following errors in samba log.
>
> Do these error logs indicate a mis-configuration on our part or
> interoperability issues of samba-4 with Hyper-V 2008 R2 and failover
> clustering? Any help will be much appreciated.
The logs indicate a number of things:
> Kerberos: TGS-REQ administrator at SAMBALIME.STRATUS.COM from
> ipv4:10.90.0.87:49614 for Administrator at SAMBALIME.STRATUS.COM
> [canonicalize, renewable, forwardable]
>
> Kerberos: Principal may not act as server --
> Administrator at SAMBALIME.STRATUS.COM
>
> Kerberos: Failed building TGS-REP to ipv4:10.90.0.87:49614
Could you try this with the current GIT tree?
Depending on exactly what is going on here, this is either hitting a bug I've already fixed, or a restriction that I've added, in the interests of security. I don't think it's a good idea if any user can ask for a ticket encrypted to the password of another user, particularly the administrator, as unlike machines, people tend to pick poor passwords, and this would allow an offline brute force attack.
> Terminating connection -
> 'kdc_tcp_call_loop:tstream_read_pdu_blob_recv()
> - NT_STATUS_CONNECTION_DISCONNECTED'
>
> single_terminate: reason[kdc_tcp_call_loop:
> tstream_read_pdu_blob_recv()- NT_STATUS_CONNECTION_DISCONNECTED]
>
> ------ Other significant errors that we see periodically -----
>
> Failed to modify SPNs on
> CN=NODE1-LIME,CN=Computers,DC=sambalime,DC=stratus,DC=com: error in
> module acl: insufficient access rights (50)
>
> added interface ip=10.90.0.71 nmask=255.255.255.0
>
> ldb_wrap open of sam.ldb
>
> Failed to modify SPNs on
> CN=NODE1-LIME,CN=Computers,DC=sambalime,DC=stratus,DC=com: error in
> module acl: insufficient access rights (50)
>
> ipv4:10.90.0.88:49232 closed connection to service IPC$
There has been a lot of work on the SPN modification case recently, to properly honour the ACLs at work here. This may be fixed in the current GIT tree.
> Kerberos: AS-REQ
> host/node0-lime.sambalime.stratus.com at SAMBALIME.STRATUS.COM from
> ipv4:10.90.0.87:50798 for
> krbtgt/SAMBALIME.STRATUS.COM at SAMBALIME.STRATUS.COM
>
> Kerberos: UNKNOWN --
> host/node0-lime.sambalime.stratus.com at SAMBALIME.STRATUS.COM: no such
> entry found in hdb
This has happened because of the failure to modify the SPN, or a failure to set the dnsHostName attribute somehow.
I hope this helps you understand things, and I wish you the very best with your use of Samba4!
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Cisco Inc.
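Andrew's point above, that a TGS-REQ naming a plain user principal as the server hands the requester material for an offline guess at that user's password, is something a defender can watch for in the KDC log. The following added example (mine, not code from the thread or from Samba) parses lines in the shape quoted in the thread and reports TGS requests whose target is a user principal, noting whether the KDC logged the "may not act as server" refusal; the sample log lines, hosts and principal names are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the shape of the Samba4 (Heimdal) KDC messages
# quoted in the thread; addresses and realm names are placeholders.
SAMPLE_LOG = """\
Kerberos: TGS-REQ administrator@EXAMPLE.TEST from ipv4:192.0.2.10:49614 for Administrator@EXAMPLE.TEST [canonicalize, renewable, forwardable]
Kerberos: Principal may not act as server -- Administrator@EXAMPLE.TEST
Kerberos: Failed building TGS-REP to ipv4:192.0.2.10:49614
Kerberos: TGS-REQ host/node1.example.test@EXAMPLE.TEST from ipv4:192.0.2.11:50001 for cifs/dc.example.test@EXAMPLE.TEST [renewable]
Kerberos: AS-REQ host/node0.example.test@EXAMPLE.TEST from ipv4:192.0.2.10:50798 for krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
"""

TGS_REQ = re.compile(r"Kerberos: TGS-REQ (?P<client>\S+) from (?P<addr>\S+) for (?P<server>\S+)")
REFUSED = re.compile(r"Kerberos: Principal may not act as server -- (?P<server>\S+)")


@dataclass
class Finding:
    client: str
    addr: str
    server: str
    refused: bool  # True once the KDC logged the "may not act as server" refusal


def is_user_principal(principal: str) -> bool:
    """A principal with no '/' instance part is a user account rather than a
    host or service principal; the krbtgt principal is excluded as well."""
    name = principal.split("@", 1)[0]
    return "/" not in name and not name.startswith("krbtgt")


def find_user_principal_tgs(log: str) -> List[Finding]:
    """Return every TGS-REQ whose requested server is a user principal,
    pairing it with a following refusal line for the same principal."""
    findings: List[Finding] = []
    pending: Optional[Finding] = None
    for line in log.splitlines():
        # Mailing-list archives rewrite '@' as ' at '; undo that so the
        # quoted lines from the thread parse the same way as a raw log.
        line = line.replace(" at ", "@")
        m = TGS_REQ.search(line)
        if m:
            pending = None
            if is_user_principal(m.group("server")):
                pending = Finding(m.group("client"), m.group("addr"), m.group("server"), refused=False)
                findings.append(pending)
            continue
        m = REFUSED.search(line)
        if m and pending and pending.server == m.group("server"):
            pending.refused = True
    return findings
```

A request that the KDC did not refuse (refused=False) is the case worth alerting on, since a ticket encrypted to a user's password key was actually issued.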