Kacper Wirski
2017-Mar-18 13:03 UTC
[Samba] kerberos issue (SPN not found) with windows Hyper-V ( samba 4.5.3 AD)
I made some progress with the issue, but didn't solve it completely. It's basically a kind of bug (I'm not sure if it's on the Kerberos side or Samba's; I think Samba is the culprit here (?)). Microsoft uses a kind of weird SPN for Hyper-V. Weird as there are "spaces" in the string, which is kind of unique as far as SPNs go; usually SPNs form a complete string. So I kind of just tried the simplest solution.

The workaround/fix is this: in AD, for each Hyper-V host account (machine account, that is), set the servicePrincipalName attribute as such:

Hyper-V\ Replica\ Service/<NetbiosName>
Hyper-V\ Replica\ Service/<FQDN>
Microsoft\ Virtual\ Console\ Service/<NetbiosName>
Microsoft\ Virtual\ Console\ Service/<FQDN>
Microsoft\ Virtual\ System\ Migration\ Service/<NetbiosName>
Microsoft\ Virtual\ System\ Migration\ Service/<FQDN>

I edited with ADUC from the RSAT suite, but I guess any method will work (samba-tool add spn or Windows "setspn -S"). So basically just add \ after each part of the SPN which precedes " ".

With these settings Hyper-V replica and live migration from the SOURCE HOST work, but I'm stuck at constrained delegation. I moved my test setup to Windows Server 2016 and Windows Server 2016 Hyper-V (free). Constrained delegation is set up (with SPNs set as above), the protocol in Hyper-V is set to Kerberos, and constrained delegation is used in accordance with the Windows Server 2016 specifics (in ADUC -> machine account -> delegation -> use specific services with ANY PROTOCOL (in pre-2016 it was Kerberos only) -> choose hosts and SPNs as set above). When I'm doing live migration for a VM while logged in at the source host it works perfectly. When I'm trying to live migrate a VM from a remote Hyper-V to the one I'm logged in on, I get an authentication error.

The weirdest thing is the Samba log; it boggles my mind, and if anyone has any idea I'll be very thankful.

Notes: BMSRV2$ is a machine added to the domain with Hyper-V, with all SPNs and settings. kacper_wirski is a DOMAIN USER account, and in the log there is clearly:

Kerberos: Server not found in database: kacper_wirski@MYDOMAIN.COM.XYZ: No such entry in the database

which is absurd, as obviously this account exists and is all well and fine. Relevant Samba log below. When I do "kinit kacper_wirski@MYDOMAIN.COM.XYZ" from the console I have no trouble obtaining a ticket etc. Maybe constrained delegation should be set up differently (i.e. Microsoft guidelines should be implemented differently for Samba AD?). I tried with a different DOMAIN ADMIN account on a different host and got the exact same issue with the same error in the log (root@MYDOMAIN.COM.XYZ: No such entry in the database).

Kerberos: TGS-REQ BMSRV2$@MYDOMAIN.COM.XYZ from ipv4:192.168.1.8:57775 for kacper_wirski@MYDOMAIN.COM.XYZ [canonicalize, renewable, forwardable]
[2017/03/18 13:24:37.782732, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: samba_kdc_fetch: message2entry failed
[2017/03/18 13:24:37.782776, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Searching referral for kacper_wirski
[2017/03/18 13:24:37.782800, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Server not found in database: kacper_wirski@MYDOMAIN.COM.XYZ: No such entry in the database
[2017/03/18 13:24:37.782819, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:192.168.1.8:57775
[2017/03/18 13:24:37.784201, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ BMSRV2$@MYDOMAIN.COM.XYZ from ipv4:192.168.1.8:57776 for kacper_wirski@MYDOMAIN.COM.XYZ [canonicalize, renewable, forwardable]
[2017/03/18 13:24:37.785264, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: samba_kdc_fetch: message2entry failed
[2017/03/18 13:24:37.785308, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Searching referral for kacper_wirski
[2017/03/18 13:24:37.785332, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Server not found in database: kacper_wirski@MYDOMAIN.COM.XYZ: No such entry in the database
[2017/03/18 13:24:37.785352, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:192.168.1.8:57776

On 2017-03-16 12:17 Kacper Wirski via samba wrote:

Hello,

I set up Samba 4 AD over 6 months ago on CentOS 7.3 (self-compiled from source). Up until now I didn't encounter any undocumented errors. I have 3 DCs (all Samba 4.5.3) which are working pretty nicely with over 60 Windows clients. The issue I've stumbled upon is when I added Windows Server Hyper-V hosts to the domain. Tried with Hyper-V from 2012, 2012 R2 and the new 2016; all have the exact same problem. I've searched and googled and found one old topic with the same issue on the Samba lists, but no help was given, and also not enough info was supplied. The main issue is that Hyper-V hosts are unable to authenticate each other using Kerberos for live migration and replication (the only two features that require Kerberos); the Windows host gives a well-documented error that it's unable to authenticate using Kerberos. I've gathered all the logs, which I think explain the issue quite clearly, and hopefully someone will be able to give a viable solution.

Domain/realm, let's call it: mydomain.com.xyz @ MYDOMAIN.COM.XYZ
Hyper-V hosts: BM-SRV-5 and BMSRV-WIN10 (both Windows Server 2016 Standard with the Hyper-V host role installed)
DC1, DC2, DC3 are my 3 domain controllers (names not really original :) )

Microsoft Hyper-V requires specific SPNs registered for hosts:

Microsoft Virtual Console Service
Hyper-V Replica Service
Microsoft Virtual System Migration Service

The SPNs should be automatically registered in the AD machine account by Windows, but this fails with Windows error 14050. This error is well documented, but none of the solutions helped, and I think the error is with Samba AD, as I'll try to explain. I added the SPNs manually via Windows setspn (for both Hyper-V hosts of course; mydomain.com.xyz is of course a bogus name, the real domain is something different):

setspn -S "Hyper-V Replica Service/BMSRV-WIN10" BMSRV-WIN10
setspn -S "Hyper-V Replica Service/BMSRV-WIN10.mydomain.com.xyz" BMSRV-WIN10
setspn -S "Microsoft Virtual System Migration Service/BMSRV-WIN10" BMSRV-WIN10
setspn -S "Microsoft Virtual System Migration Service/BMSRV-WIN10.mydomain.com.xyz" BMSRV-WIN10
setspn -S "Microsoft Virtual Console Service/BMSRV-WIN10" BMSRV-WIN10
setspn -S "Microsoft Virtual Console Service/BMSRV-WIN10.mydomain.com.xyz" BMSRV-WIN10

Both Windows and Samba, when queried, show the correct SPNs.

Output of the Windows query: setspn -l BMSRV-WIN10

Registered ServicePrincipalNames for CN=BMSRV-WIN10,CN=Computers,DC=mydomain,DC=com,DC=xyz:
    HOST/BMSRV-WIN10
    HOST/BMSRV-WIN10.mydomain.com.xyz
    Hyper-V Replica Service/BMSRV-WIN10
    Hyper-V Replica Service/BMSRV-WIN10.mydomain.com.xyz
    Microsoft Virtual Console Service/BMSRV-WIN10
    Microsoft Virtual Console Service/BMSRV-WIN10.mydomain.com.xyz
    Microsoft Virtual System Migration Service/BMSRV-WIN10
    Microsoft Virtual System Migration Service/BMSRV-WIN10.mydomain.com.xyz
    RestrictedKrbHost/BMSRV-WIN10
    RestrictedKrbHost/BMSRV-WIN10.mydomain.com.xyz
    TERMSRV/BMSRV-WIN10
    TERMSRV/BMSRV-WIN10.mydomain.com.xyz
    WSMAN/BMSRV-WIN10
    WSMAN/BMSRV-WIN10.mydomain.com.xyz

Output of the samba-tool query: samba-tool spn list BMSRV-WIN10$

schema_fsmo_init: we are master[no] updates allowed[no]
User CN=BMSRV-WIN10,CN=Computers,DC=mydomain,DC=com,DC=xyz has the following servicePrincipalName:
    HOST/BMSRV-WIN10
    HOST/BMSRV-WIN10.mydomain.com.xyz
    Hyper-V Replica Service/BMSRV-WIN10
    Hyper-V Replica Service/BMSRV-WIN10.mydomain.com.xyz
    Microsoft Virtual Console Service/BMSRV-WIN10
    Microsoft Virtual Console Service/BMSRV-WIN10.mydomain.com.xyz
    Microsoft Virtual System Migration Service/BMSRV-WIN10
    Microsoft Virtual System Migration Service/BMSRV-WIN10.mydomain.com.xyz
    RestrictedKrbHost/BMSRV-WIN10
    RestrictedKrbHost/BMSRV-WIN10.mydomain.com.xyz
    TERMSRV/BMSRV-WIN10
    TERMSRV/BMSRV-WIN10.mydomain.com.xyz
    WSMAN/BMSRV-WIN10
    WSMAN/BMSRV-WIN10.mydomain.com.xyz

It all looks fine and well (the SPN names are 100% correct, verified). For the Hyper-V features to work (replica and live migration) with Kerberos I need to set up delegation (it's set; I verified a million times over that it's set the right way, just like MS wants it). I know that I can obtain tickets to other SPNs (from Windows: klist cifs/BMSRV-WIN10 grants me a valid ticket, for example).

Now cometh the error: when I try to run Hyper-V replica it fails with an error concerning Kerberos and the SPN not being there.

Log from Samba DC3 (when trying to start Hyper-V replica from BM-SRV-5 to BMSRV-WIN10):

Kerberos: TGS-REQ BM-SRV-5$@MYDOMAIN.COM.XYZ from ipv4:192.168.1.10:56993 for Hyper-V\ Replica\ Service/BMSRV-WIN10.mydomain.com.xyz@MYDOMAIN.COM.XYZ [canonicalize, renewable, forwardable]
[2017/03/16 10:55:07.246904, 4] ../source4/dsdb/samdb/cracknames.c:169(LDB_lookup_spn_alias)
  LDB_lookup_spn_alias: no alias for service Hyper-V Replica Service applicable
[2017/03/16 10:55:07.246971, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Searching referral for BMSRV-WIN10.mydomain.com.xyz
[2017/03/16 10:55:07.247028, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Server not found in database: Hyper-V\ Replica\ Service/BMSRV-WIN10.mydomain.com.xyz@MYDOMAIN.COM.XYZ: no such entry found in hdb
[2017/03/16 10:55:07.247053, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:192.168.1.10:56993

Log from Wireshark (an earlier attempt but the same issue, this time when trying to start live migration from BM-SRV-5 to BMSRV-WIN10):

req-body
  Padding: 0
  kdc-options: 40810000 (forwardable, renewable, canonicalize)
  realm: MYDOMAIN.COM.XYZ
  sname
    name-type: kRB5-NT-SRV-INST (2)
    sname-string: 2 items
      SNameString: Microsoft Virtual System Migration Service
      SNameString: BMSRV-WIN10
  till: 2037-09-13 02:48:05 (UTC)
  nonce: 17847174
  etype: 5 items
  enc-authorization-data
error: krb-error
  pvno: 5
  msg-type: krb-error (30)
  ctime: 2017-03-16 08:01:23 (UTC)
  cusec: 128
  stime: 2017-03-16 08:01:23 (UTC)
  susec: 66964
  error-code: eRR-S-PRINCIPAL-UNKNOWN (7)
  realm: <unspecified realm>
  sname
    name-type: kRB5-NT-UNKNOWN (0)
    sname-string: 0 items

The same errors occur when going the other way round. So the SPNs are clearly there (both setspn -l and samba-tool spn list outputs confirm that), the client sends a correct request (as seen by Wireshark and/or the Samba log), but suddenly Samba is unable to find the SPN. I'm a complete newbie (well, sort of) when it comes to Kerberos and Samba, but maybe it's because the SPN is with spaces, as it's pretty unusual, but that's what Microsoft wants/needs? I don't know, just a guess :-). The features offered by Hyper-V in AD are obviously beneficial and I would love to get them working. Any help, workaround or tip, and I will be very, very thankful. If more info is needed I'll gladly supply logs/whatever is needed.

Kacper Wirski
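The SPN escaping workaround from the message above, checked mechanically. This is an added example, not code from the thread or from the Samba project: it parses the text output of samba-tool spn list (in the listing format shown in the thread), computes the six backslash-escaped Hyper-V SPNs for a host, and prints the samba-tool spn add commands for any that are missing. The sample listings below are constructed from the thread's host names.

```python
# Added example (not from the thread or the Samba project): audit a Hyper-V
# host's machine account for the backslash-escaped SPNs the workaround adds.

# The three Hyper-V service classes named in the thread; each contains spaces.
HYPERV_SERVICES = (
    "Hyper-V Replica Service",
    "Microsoft Virtual Console Service",
    "Microsoft Virtual System Migration Service",
)


def escape_spn(spn):
    """Put a backslash before every space, as the workaround does:
    'Hyper-V Replica Service/HOST' -> 'Hyper-V\\ Replica\\ Service/HOST'."""
    return spn.replace(" ", "\\ ")


def expected_hyperv_spns(netbios, fqdn):
    """The six escaped SPNs the workaround adds per host: each service class
    in NetBIOS-name and FQDN form."""
    return {escape_spn(f"{svc}/{host}")
            for svc in HYPERV_SERVICES for host in (netbios, fqdn)}


def parse_spn_list(output):
    """Collect SPNs from `samba-tool spn list` output: one per line after the
    'has the following servicePrincipalName:' header. Noise printed before
    the header (e.g. schema_fsmo_init) is skipped."""
    spns, in_list = set(), False
    for raw in output.splitlines():
        line = raw.strip()
        if not in_list:
            in_list = line.endswith("has the following servicePrincipalName:")
        elif line:
            spns.add(line)
    return spns


def missing_hyperv_spns(output, netbios, fqdn):
    """Escaped Hyper-V SPNs the account should carry but does not, sorted."""
    return sorted(expected_hyperv_spns(netbios, fqdn) - parse_spn_list(output))


def samba_tool_add_commands(missing, netbios):
    """One `samba-tool spn add <spn> <account>` line per missing SPN. Single
    quotes keep the backslashes from being eaten by the shell."""
    return [f"samba-tool spn add '{spn}' {netbios}$" for spn in missing]


# Constructed sample modelled on the listing in the thread: only the
# space-containing forms that setspn registered, none of the escaped ones.
SAMPLE_BEFORE = """\
schema_fsmo_init: we are master[no] updates allowed[no]
User CN=BMSRV-WIN10,CN=Computers,DC=mydomain,DC=com,DC=xyz has the following servicePrincipalName:
         HOST/BMSRV-WIN10
         HOST/BMSRV-WIN10.mydomain.com.xyz
         Hyper-V Replica Service/BMSRV-WIN10
         Hyper-V Replica Service/BMSRV-WIN10.mydomain.com.xyz
         Microsoft Virtual Console Service/BMSRV-WIN10
         Microsoft Virtual Console Service/BMSRV-WIN10.mydomain.com.xyz
         Microsoft Virtual System Migration Service/BMSRV-WIN10
         Microsoft Virtual System Migration Service/BMSRV-WIN10.mydomain.com.xyz
         RestrictedKrbHost/BMSRV-WIN10
         WSMAN/BMSRV-WIN10
"""

# Constructed: the same account after the workaround, escaped forms present.
SAMPLE_AFTER = SAMPLE_BEFORE + "".join(
    f"         {spn}\n"
    for spn in sorted(expected_hyperv_spns("BMSRV-WIN10",
                                           "BMSRV-WIN10.mydomain.com.xyz")))

if __name__ == "__main__":
    host, fqdn = "BMSRV-WIN10", "BMSRV-WIN10.mydomain.com.xyz"
    for cmd in samba_tool_add_commands(missing_hyperv_spns(SAMPLE_BEFORE, host, fqdn), host):
        print(cmd)
    print("after workaround, missing:", missing_hyperv_spns(SAMPLE_AFTER, host, fqdn))
```

Run it against the real listing by piping `samba-tool spn list HOST$` output into SAMPLE_BEFORE's place; the escaped entries should then show up in the listing alongside the space-containing ones, as they did after the workaround.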
Kacper Wirski
2017-Mar-18 22:10 UTC
[Samba] kerberos issue (SPN not found) with windows Hyper-V ( samba 4.5.3 AD)
After reviewing the logs I found that my previous assumption was wrong.

Situation: I'm trying to start live migration from Hyper-V host A (BMSRV4-HYPERV) to Hyper-V host B (BM-SRV-5) from host B (logged in as a user from the DOMAIN ADMINS group). Kerberos constrained delegation is set in accordance with Microsoft instructions with proper SPNs set (well, proper as in with the workaround I wrote earlier). Below are logs from Wireshark and the Samba 4 DC (the one that handled the request). The kacper_wirski user, who belongs to the DOMAIN ADMINS group, is the one "giving" the command. I already tried with a different user, and also tried the other way round (from host B -> to host A when logged into host B). Same errors. Tried with a different Hyper-V host C, same error.

I have bar to none experience with troubleshooting Kerberos (up until now everything was working flawlessly), but reading from the logs I understand that the generated ticket request from host A seems OK: it wants to "impersonate" kacper_wirski in order to get to the SPN on host B, but the request fails. I admit that I already googled this error and wasted a lot of hours, but I really don't know how to handle this situation: whether it's a Kerberos error, or a Samba error, or Microsoft Hyper-V was just built in such a way that it simply will work ONLY with Microsoft AD? Every bit of advice/tip is greatly appreciated, as I feel I'm running out of ideas or options. /etc/krb5.conf is the basic one generated at DC promo. Overall no issues in the domain using Kerberos so far (over 6 months now); I also used SSO for Apache, so Kerberos overall seems OK. Logs below (tried my best to trim them down).

Samba 4 log from the DC that host A contacted (one of 3 DCs in the domain), log level 5:

Kerberos: TGS-REQ BMSRV4-HYPERV$@MYDOMAIN.COM.XYZ from ipv4:192.168.1.14:64931 for bmsrv4-hyperv$@MYDOMAIN.COM.XYZ [canonicalize, renewable, forwardable]
[2017/03/18 22:00:03.656232, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: s4u2self BMSRV4-HYPERV$@MYDOMAIN.COM.XYZ impersonating kacper_wirski@MYDOMAIN.COM.XYZ to service bmsrv4-hyperv$@MYDOMAIN.COM.XYZ [forwardable]
[2017/03/18 22:00:03.656262, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ authtime: 2017-03-18T21:39:30 starttime: 2017-03-18T22:00:03 endtime: 2017-03-18T22:15:03 renew till: 2017-03-25T21:39:30
[2017/03/18 22:00:03.657328, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED'
[2017/03/18 22:00:03.657340, 3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[kdc_tcp_call_loop: tstream_read_pdu_blob_recv() - NT_STATUS_CONNECTION_DISCONNECTED]
[2017/03/18 22:00:03.658763, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed to decrypt enc-authorization-data
[2017/03/18 22:00:03.658776, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed parsing TGS-REQ from ipv4:192.168.1.14:64932
[2017/03/18 22:00:03.658911, 3] ../source4/smbd/service_stream.c:66(stream_terminate_connection)
  Terminating connection - 'dcesrv: NT_STATUS_CONNECTION_DISCONNECTED'
[2017/03/18 22:00:03.658920, 3] ../source4/smbd/process_single.c:114(single_terminate)
  single_terminate: reason[dcesrv: NT_STATUS_CONNECTION_DISCONNECTED]

Wireshark relevant output:

TGS-REQ (host A -> Samba 4 AD DC):
  Kerberos
    msg-type: krb-ap-req (14)
    ticket
      realm: MYDOMAIN.COM.XYZ
      sname
        name-type: kRB5-NT-SRV-INST (2)
        sname-string: 2 items
          SNameString: krbtgt
          SNameString: MYDOMAIN.COM.XYZ
      enc-part
        etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
    authenticator
      etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
  PA-DATA PA-FOR-USER
    padata-type: kRB5-PADATA-S4U2SELF (129)
    name
      name-type: kRB5-NT-ENTERPRISE-PRINCIPAL (10)
      name-string: 1 item
        KerberosString: kacper_wirski
    realm: MYDOMAIN.COM.XYZ
    cksum
      cksumtype: cKSUMTYPE-HMAC-MD5 (-138)
    auth: Kerberos
  req-body
    Padding: 0
    kdc-options: 40810000 (forwardable, renewable, canonicalize)
    realm: MYDOMAIN.COM.XYZ
    sname
      name-type: kRB5-NT-PRINCIPAL (1)
      sname-string: 1 item
        SNameString: bmsrv4-hyperv$
    etype: 5 items
      ENCTYPE: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
      ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
      ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5 (23)
      ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5-56 (24)
      ENCTYPE: eTYPE-ARCFOUR-HMAC-OLD-EXP (-135)

TGS-REP (KDC -> host A):
  tgs-rep
    msg-type: krb-tgs-rep (13)
    crealm: MYDOMAIN.COM.XYZ
    cname
      name-type: kRB5-NT-ENTERPRISE-PRINCIPAL (10)
      cname-string: 1 item
        CNameString: kacper_wirski
    ticket
      tkt-vno: 5
      realm: MYDOMAIN.COM.XYZ
      sname
        name-type: kRB5-NT-PRINCIPAL (1)
        sname-string: 1 item
          SNameString: bmsrv4-hyperv$
      enc-part
        etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
        kvno: 1
    enc-part
      etype: eTYPE-ARCFOUR-HMAC-MD5 (23)

TGS-REQ (host A -> KDC):
  tgs-req
    pvno: 5
    msg-type: krb-tgs-req (12)
    padata: 2 items
      PA-DATA PA-TGS-REQ
        padata-type: kRB5-PADATA-TGS-REQ (1)
        ticket
          tkt-vno: 5
          realm: MYDOMAIN.COM.XYZ
          sname
            name-type: kRB5-NT-SRV-INST (2)
            sname-string: 2 items
              SNameString: krbtgt
              SNameString: MYDOMAIN.COM.XYZ
          enc-part
            etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
            kvno: 1
        authenticator
          etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
      PA-DATA Unknown:167
        padata-type: Unknown (167)
        padata-value: 3009a00703050010000000
    req-body
      Padding: 0
      kdc-options: 40830000 (forwardable, renewable, request-anonymous, canonicalize)
      realm: MYDOMAIN.COM.XYZ
      sname
        name-type: kRB5-NT-SRV-INST (2)
        sname-string: 2 items
          SNameString: Microsoft Virtual System Migration Service
          SNameString: BM-SRV-5
      till: 2017-03-18 21:15:03 (UTC)
      nonce: 478023267
      etype: 5 items
        ENCTYPE: eTYPE-AES256-CTS-HMAC-SHA1-96 (18)
        ENCTYPE: eTYPE-AES128-CTS-HMAC-SHA1-96 (17)
        ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5 (23)
        ENCTYPE: eTYPE-ARCFOUR-HMAC-MD5-56 (24)
        ENCTYPE: eTYPE-ARCFOUR-HMAC-OLD-EXP (-135)
      enc-authorization-data
        etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
        cipher: 0fa4ee9a7e16003266d7566c12c2f50748e50435090ee9e2...
      additional-tickets: 1 item
        Ticket
          realm: MYDOMAIN.COM.XYZ
          sname
            name-type: kRB5-NT-PRINCIPAL (1)
            SNameString: bmsrv4-hyperv$
          enc-part
            etype: eTYPE-ARCFOUR-HMAC-MD5 (23)
            kvno:

and the final TGS-REP (KDC -> host A):
  krb-error
    pvno: 5
    msg-type: krb-error (30)
    ctime: 2017-03-18 21:00:03 (UTC)
    cusec: 481
    stime: 2017-03-18 21:00:03 (UTC)
    susec: 658781
    error-code: eRR-BAD-INTEGRITY (31)
    realm: <unspecified realm>
    sname
      name-type: kRB5-NT-UNKNOWN (0)
      sname-string: 0 items
Luke Bigum
2017-Mar-19 20:18 UTC
[Samba] kerberos issue (SPN not found) with windows Hyper-V ( samba 4.5.3 AD)
Hello,

This won't be a very helpful reply, but I can confirm I've had the exact same issue. I ran into this a few years ago and could not get HyperV migrations to work with a Samba DC. I even went so far as to install a Windows DC just to prove to myself that it is supposed to work, and it does, perfectly (with an AD DC it even creates all the SPNs for you auto-magically). Unfortunately at the time I was focused on a Windows VM disaster recovery problem, so I ended up dropping HyperV entirely in favour of KVM and DRBD. As such, I never raised a bug with Samba or Catalyst about this; I probably should have :-/ Sorry I can't be of more help other than to add my voice to "there is a bug somewhere in Samba".

--
Luke Bigum
Lead Engineer Information Systems