samba - Dec 2014 - Samba4 DC, SPNs and a complex Windows stack

Hello,

We're using Samba 4.1.11 as domain controllers and over the past two weeks
I've run into several issues with unrelated Windows software, the problems
of which all point to Kerberos authentication and SPNs as being somehow
involved. If there are many more issues it might start to get politically
difficult *not* to blame the DCs, and I don't want to point fingers at
Samba.

Are there any known issues with running complex Windows stacks on top of Samba 4
DCs (eg: Hyper-V clusters with migration, 3rd party Windows software that uses
SSPI from the MSSQL client libraries)? Perhaps some intricacies of AD that
Heimdal doesn't mirror?

Can anyone on the list give me a confidence boost, something like "Yes
Luke, I've got forests of Samba 4 DCs behind several Hyper-V Clusters with
live migration, MSSQL clients and servers all over the place, it works for me
here", in which case I'll continue investigating?

Thanks,

-Luke

--
Luke Bigum
Senior Systems Engineer

Information Systems
Ph: +44 (0) 20 3192 2520
---

LMAX Exchange, Yellow Building, 1A Nicholas Road, London W11 4AN
http://www.LMAX.com/

2014 #1 Fastest Growing Tech Company in the UK - Sunday Times Tech Track 100
2014 Best Margin Sector Platform - Profit & Loss Readers' Choice Awards
2014 Best FX Trading Venue - ECN/MTF - WSL Institutional Trading Awards
2014 Best Infrastructure/Technology Initiative - WSL Institutional Trading
Awards
2013 #15 Fastest Growing Tech Company in the UK - Sunday Times Tech Track 100
2013 Best Overall Testing Project - The European Software Testing Awards
2013 Best Margin Sector Platform - Profit & Loss Readers' Choice Awards
2013 Best FX Trading Platform - ECN/MTF - WSL Institutional Trading Awards
2013 Best Executing Venue - Forex Magnates Awards

---

FX and CFDs are leveraged products that can result in losses exceeding
your deposit. They are not suitable for everyone so please ensure you fully
understand the risks involved.

The information on this email is not directed at residents of the United States
of America,
Australia (we will only deal with Australian clients who are "wholesale
clients" as defined
under the Corporations Act 2001), Canada (although we may deal with Canadian
residents
who meet the "Permitted Client" criteria), Singapore or any other
jurisdiction where
FX trading and/or CFD trading is restricted or prohibited by local laws or
regulations.

The information in this email and any attachment is confidential and is
intended only for the named recipient(s). The email may not be disclosed
or used by any person other than the addressee, nor may it be copied
in any way. If you are not the intended recipient please notify the sender
immediately and delete any copies of this message. Any unauthorised
copying, disclosure or distribution of the material in this e-mail
is strictly forbidden.

LMAX Limited is regulated by the Financial Conduct Authority under
the UK laws, which differ from Australian law. We are exempt from the
requirement to hold an Australian financial services licence under the
Corporations Act 2001 (Cth) (Act) in respect of the financial services
we offer to you. We only offer our services to Australian clients who are
"wholesale clients" as defined under the Act. We may provide services
in
Canada as an exempt international advisor. Consequently we may only
provide such services to clients who meet the "Permitted Client"
criteria.
We are not a dealer in Canada.

LMAX Limited operates a multilateral trading facility. LMAX Limited is
authorised and regulated by the Financial Conduct Authority (firm
registration number 509778) and is a company registered in England
and Wales (number 6505809). Our registered address is Yellow
Building, 1A Nicholas Road, London, W11 4AN.

On 12/17/2014 01:35 AM, Luke Bigum wrote:
> Hello,
>
> We're using Samba 4.1.11 as domain controllers and over the past two
weeks I've run into several issues with unrelated Windows software, the
problems of which all point to Kerberos authentication and SPNs as being somehow
involved. If there are many more issues it might start to get politically
difficult *not* to blame the DCs, and I don't want to point fingers at
Samba.
>
> Are there any known issues with running complex Windows stacks on top of
Samba 4 DCs (eg: Hyper-V clusters with migration, 3rd party Windows software
that uses SSPI from the MSSQL client libraries)? Perhaps some intricacies of AD
that Heimdal doesn't mirror?
>
This would seem to be interesting information, but of limited value. 
Unless you have a set of specific errors (error codes, return messages, 
etc) that your windows programs are able to log or show somehow, how 
would you ever be able to map the error code to the 'solution'?

It would be more productive to have error codes, stack traces, and 
detailed descriptions of the symptoms of the problem rather than a 
blanket statement -"We have never seen problems with hyperV and
samba". ..


-- 
David Bear
602-903-6476

----- Original Message -----
> From: "David Bear" <dwbear75 at gmail.com>
> To: samba at lists.samba.org
> Sent: Wednesday, 17 December, 2014 5:25:48 PM
> Subject: Re: [Samba] Samba4 DC, SPNs and a complex Windows stack
> 
> On 12/17/2014 01:35 AM, Luke Bigum wrote:
> > Hello,
> >
> > We're using Samba 4.1.11 as domain controllers and over the past
two weeks
> > I've run into several issues with unrelated Windows software, the
problems
> > of which all point to Kerberos authentication and SPNs as being
somehow
> > involved. If there are many more issues it might start to get
politically
> > difficult *not* to blame the DCs, and I don't want to point
fingers at
> > Samba.
> >
> > Are there any known issues with running complex Windows stacks on top
of
> > Samba 4 DCs (eg: Hyper-V clusters with migration, 3rd party Windows
> > software that uses SSPI from the MSSQL client libraries)? Perhaps some
> > intricacies of AD that Heimdal doesn't mirror?
> >
> This would seem to be interesting information, but of limited value.
> Unless you have a set of specific errors (error codes, return messages,
> etc) that your windows programs are able to log or show somehow, how
> would you ever be able to map the error code to the 'solution'?
> 
> It would be more productive to have error codes, stack traces, and
> detailed descriptions of the symptoms of the problem rather than a
> blanket statement -"We have never seen problems with hyperV and
samba". ..

I agree, that would be very useful if I was after a solution, but I'm not
after a solution in this thread, I'm after a confidence boost in the
product/stack :-)

I have "noise" here saying that we (our team) should not try to add
more and more complexity on top of a domain controller that's not built by
Microsoft. With this thread I'm more interested in some big shop (perhaps an
ISP or hosting provider) saying that they've done it and it's possible.
Then I can go reply back to the internal noise and say "These guys out
there in the world do it, it's not impossible".

I'll post a separate thread with the specific issues I'm seeing when
I've got enough information to ask for help with.

--
Luke Bigum
Senior Systems Engineer

Information Systems
Ph: +44 (0) 20 3192 2520
---

LMAX Exchange, Yellow Building, 1A Nicholas Road, London W11 4AN
http://www.LMAX.com/

2014 #1 Fastest Growing Tech Company in the UK - Sunday Times Tech Track 100
2014 Best Margin Sector Platform - Profit & Loss Readers' Choice Awards
2014 Best FX Trading Venue - ECN/MTF - WSL Institutional Trading Awards
2014 Best Infrastructure/Technology Initiative - WSL Institutional Trading
Awards
2013 #15 Fastest Growing Tech Company in the UK - Sunday Times Tech Track 100
2013 Best Overall Testing Project - The European Software Testing Awards
2013 Best Margin Sector Platform - Profit & Loss Readers' Choice Awards
2013 Best FX Trading Platform - ECN/MTF - WSL Institutional Trading Awards
2013 Best Executing Venue - Forex Magnates Awards

---

FX and CFDs are leveraged products that can result in losses exceeding
your deposit. They are not suitable for everyone so please ensure you fully
understand the risks involved.

The information on this email is not directed at residents of the United States
of America,
Australia (we will only deal with Australian clients who are "wholesale
clients" as defined
under the Corporations Act 2001), Canada (although we may deal with Canadian
residents
who meet the "Permitted Client" criteria), Singapore or any other
jurisdiction where
FX trading and/or CFD trading is restricted or prohibited by local laws or
regulations.

The information in this email and any attachment is confidential and is
intended only for the named recipient(s). The email may not be disclosed
or used by any person other than the addressee, nor may it be copied
in any way. If you are not the intended recipient please notify the sender
immediately and delete any copies of this message. Any unauthorised
copying, disclosure or distribution of the material in this e-mail
is strictly forbidden.

LMAX Limited is regulated by the Financial Conduct Authority under
the UK laws, which differ from Australian law. We are exempt from the
requirement to hold an Australian financial services licence under the
Corporations Act 2001 (Cth) (Act) in respect of the financial services
we offer to you. We only offer our services to Australian clients who are
"wholesale clients" as defined under the Act. We may provide services
in
Canada as an exempt international advisor. Consequently we may only
provide such services to clients who meet the "Permitted Client"
criteria.
We are not a dealer in Canada.

LMAX Limited operates a multilateral trading facility. LMAX Limited is
authorised and regulated by the Financial Conduct Authority (firm
registration number 509778) and is a company registered in England
and Wales (number 6505809). Our registered address is Yellow
Building, 1A Nicholas Road, London, W11 4AN.