Bug 7605 - Kerberos: Principal may not act as server ERROR
Summary: Kerberos: Principal may not act as server ERROR
Status: NEEDINFO
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: unspecified
Hardware: x64 Linux
: P3 major (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: samba4-qa@samba.org
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-08-05 10:48 UTC by ajay aggarwal (553 Invalid recipient)
Modified: 2023-10-10 13:34 UTC (History)
6 users (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description ajay aggarwal (553 Invalid recipient) 2010-08-05 10:48:38 UTC
We are running samba4 (alpha12) on a centos 5.4  machine and are experimenting with Hyper-V 2008 R2 Failover Clustering, which requires Active Directory. We are trying to see if samba-4 will work as the AD server. We  are building a 2 node failover cluster. Both nodes seem to have joined the domain successfully (with samba-4 as the DC). But subsequent steps of creating the "Failover Cluster" are failing and we see following errors in samba log. 


------- Errors at the time we try to create 1008 R2 failover clusrter ------
Kerberos: TGS-REQ administrator@SAMBALIME.STRATUS.COM from ipv4:10.90.0.87:49614 for Administrator@SAMBALIME.STRATUS.COM [canonicalize, renewable, forwardable]
Kerberos: Principal may not act as server -- Administrator@SAMBALIME.STRATUS.COM
Kerberos: Failed building TGS-REP to ipv4:10.90.0.87:49614
Terminating connection - 'kdc_tcp_call_loop:tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv()- NT_STATUS_CONNECTION_DISCONNECTED]
Comment 1 Matthias Dieter Wallnöfer 2011-03-05 22:15:28 UTC
Is this still an issue?
Comment 2 maxilee 2012-11-27 14:56:17 UTC
Hello.

I'm trying to do the same : hyper-v cluster od samba4 DC. But I'm also stucked on this error.
"Terminating connection - 'kdc_tcp_call_loop:tstream_read_pdu_blob_recv() -
NT_STATUS_CONNECTION_DISCONNECTED'".

I'm using latest version of samba 4.0rc5.

If someone need logs or test ( maybe patch :) I can do that.

BR
--
maxilee
Comment 3 Jeff Leung 2013-05-11 07:22:13 UTC
I'm also running into this issue. As it stands right now, what kind of "moreinfo" do the developers need at this time to resolve this issue?

The version of Samba 4 I'm using right now is right off from the git tree. Currently I have the following errors right at debug level 4:

Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
Kerberos: TGS-REQ Administrator@CLSTEST.V10NETWORKS.CA from ipv4:10.0.8.143:62746 for Administrator@CLSTEST.V10NETWORKS.CA [canonicalize, renewable, forwardable]
Kerberos: Principal may not act as server -- Administrator@CLSTEST.V10NETWORKS.CA
Comment 4 Jeff Leung 2013-05-11 07:29:59 UTC
Never mind, I found a temporary workaround as documented by Andrew Bartlett:

http://permalink.gmane.org/gmane.network.samba.internals/50056

Use the dsa.msc and give the user that's creating the cluster any servicePrincipalName in the attributes section. Creating that will allow the cluster to be created and it should hopefully start up.
Comment 5 Andrew Bartlett 2013-05-11 08:21:45 UTC
Essentially what I need is an understanding of why this isn't a security issue with Microsoft's AD, because as I understand the crypto it would allow offline password attacks against user accounts, rather than just service accounts with presumably more random passwords. 

So, either MS AD has some other way of doing this safely, or has a security vulnerability that I've not yet chased down.  I need someone to do this research.
Comment 6 Jeff Leung 2013-05-13 06:40:34 UTC
(In reply to comment #5)
> Essentially what I need is an understanding of why this isn't a security issue
> with Microsoft's AD, because as I understand the crypto it would allow offline
> password attacks against user accounts, rather than just service accounts with
> presumably more random passwords. 
> 
> So, either MS AD has some other way of doing this safely, or has a security
> vulnerability that I've not yet chased down.  I need someone to do this
> research.

Apart from the workaround above, do you think it's possible to add in a temporary config option that would allow the principal to act as a server in the meantime or would you recommend manually adding any arbitrary servicePrincipalName attribute to the user that's performing the validation for now?
Comment 7 Andrew Bartlett 2013-05-13 06:44:19 UTC
You could do either (the config option doesn't exist right now, but probably should, patches welcome, git format-patch preferred)