We are running samba4 (alpha12) on a centos 5.4 machine and are experimenting with Hyper-V 2008 R2 Failover Clustering, which requires Active Directory. We are trying to see if samba-4 will work as the AD server. We are building a 2 node failover cluster. Both nodes seem to have joined the domain successfully (with samba-4 as the DC). But subsequent steps of creating the "Failover Cluster" are failing and we see following errors in samba log. ------- Errors at the time we try to create 1008 R2 failover clusrter ------ Kerberos: TGS-REQ administrator@SAMBALIME.STRATUS.COM from ipv4:10.90.0.87:49614 for Administrator@SAMBALIME.STRATUS.COM [canonicalize, renewable, forwardable] Kerberos: Principal may not act as server -- Administrator@SAMBALIME.STRATUS.COM Kerberos: Failed building TGS-REP to ipv4:10.90.0.87:49614 Terminating connection - 'kdc_tcp_call_loop:tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED' single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv()- NT_STATUS_CONNECTION_DISCONNECTED]
Is this still an issue?
Hello. I'm trying to do the same : hyper-v cluster od samba4 DC. But I'm also stucked on this error. "Terminating connection - 'kdc_tcp_call_loop:tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'". I'm using latest version of samba 4.0rc5. If someone need logs or test ( maybe patch :) I can do that. BR -- maxilee
I'm also running into this issue. As it stands right now, what kind of "moreinfo" do the developers need at this time to resolve this issue? The version of Samba 4 I'm using right now is right off from the git tree. Currently I have the following errors right at debug level 4: Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED' single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED] Kerberos: TGS-REQ Administrator@CLSTEST.V10NETWORKS.CA from ipv4:10.0.8.143:62746 for Administrator@CLSTEST.V10NETWORKS.CA [canonicalize, renewable, forwardable] Kerberos: Principal may not act as server -- Administrator@CLSTEST.V10NETWORKS.CA
Never mind, I found a temporary workaround as documented by Andrew Bartlett: http://permalink.gmane.org/gmane.network.samba.internals/50056 Use the dsa.msc and give the user that's creating the cluster any servicePrincipalName in the attributes section. Creating that will allow the cluster to be created and it should hopefully start up.
Essentially what I need is an understanding of why this isn't a security issue with Microsoft's AD, because as I understand the crypto it would allow offline password attacks against user accounts, rather than just service accounts with presumably more random passwords. So, either MS AD has some other way of doing this safely, or has a security vulnerability that I've not yet chased down. I need someone to do this research.
(In reply to comment #5) > Essentially what I need is an understanding of why this isn't a security issue > with Microsoft's AD, because as I understand the crypto it would allow offline > password attacks against user accounts, rather than just service accounts with > presumably more random passwords. > > So, either MS AD has some other way of doing this safely, or has a security > vulnerability that I've not yet chased down. I need someone to do this > research. Apart from the workaround above, do you think it's possible to add in a temporary config option that would allow the principal to act as a server in the meantime or would you recommend manually adding any arbitrary servicePrincipalName attribute to the user that's performing the validation for now?
You could do either (the config option doesn't exist right now, but probably should, patches welcome, git format-patch preferred)