Aggarwal, Ajay
2010-Jul-29 16:55 UTC
[Samba] Kerberos: Principal may not act as server ERROR
Our environment: samba4 (alpha12) running on centos 5.4. We are experimenting with Hyper-V 2008 R2 Failover Clustering, which requires Active Directory. We are trying to see if samba-4 will work as the AD server. We are trying to create 2 node failover cluster. Both nodes have joined the domain successfully (with samba-4 as the DC). But subsequent steps of creating the "Failover Cluster" are failing and we see following error in samba log Kerberos: TGS-REQ administrator at SAMBALIME.STRATUS.COM from ipv4:10.90.0.87:49614 for Administrator at SAMBALIME.STRATUS.COM [canonicalize, renewable, forwardable] Kerberos: Principal may not act as server -- Administrator at SAMBALIME.STRATUS.COM Kerberos: Failed building TGS-REP to ipv4:10.90.0.87:49614 Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED' single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED] Is something wrong with our configuration (smb.conf)? -Ajay
Aggarwal, Ajay
2010-Aug-02 13:58 UTC
[Samba] Kerberos: Principal may not act as server ERROR
Just bumping up to see if anyone else has seen this issue. Also noticed following errors in samba log. Wonder if these are related? Failed to modify SPNs on CN=NODE1-LIME,CN=Computers,DC=sambalime,DC=stratus,DC=com: error in module acl: insufficient access rights (50) ldb_wrap open of sam.ldb Failed to modify SPNs on CN=NODE1-LIME,CN=Computers,DC=sambalime,DC=stratus,DC=com: error in module acl: insufficient access rights (50) added interface ip=10.90.0.71 nmask=255.255.255.0 ldb_wrap open of sam.ldb Failed to modify SPNs on CN=NODE1-LIME,CN=Computers,DC=sambalime,DC=stratus,DC=com: error in module acl: insufficient access rights (50) ldb_wrap open of sam.ldb Failed to modify SPNs on CN=NODE1-LIME,CN=Computers,DC=sambalime,DC=stratus,DC=com: error in module acl: insufficient access rights (50) added interface ip=10.90.0.71 nmask=255.255.255.0 ldb_wrap open of sam.ldb Failed to modify SPNs on CN=NODE1-LIME,CN=Computers,DC=sambalime,DC=stratus,DC=com: error in module acl: insufficient access rights (50) ipv4:10.90.0.88:49232 closed connection to service IPC$ -Ajay -----Original Message----- From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Aggarwal, Ajay Sent: Thursday, July 29, 2010 12:55 PM To: samba at lists.samba.org Subject: [Samba] Kerberos: Principal may not act as server ERROR Our environment: samba4 (alpha12) running on centos 5.4. We are experimenting with Hyper-V 2008 R2 Failover Clustering, which requires Active Directory. We are trying to see if samba-4 will work as the AD server. We are trying to create 2 node failover cluster. Both nodes have joined the domain successfully (with samba-4 as the DC). But subsequent steps of creating the "Failover Cluster" are failing and we see following error in samba log Kerberos: TGS-REQ administrator at SAMBALIME.STRATUS.COM from ipv4:10.90.0.87:49614 for Administrator at SAMBALIME.STRATUS.COM [canonicalize, renewable, forwardable] Kerberos: Principal may not act as server -- Administrator at SAMBALIME.STRATUS.COM Kerberos: Failed building TGS-REP to ipv4:10.90.0.87:49614 Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED' single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED] Is something wrong with our configuration (smb.conf)? -Ajay -- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba