Kacper Wirski
2018-Aug-02 15:32 UTC
[Samba] ODP: Re: SAMBA 4 as Active Directory and Hyper-V
I have a suspicion that it is related to the specific SPNs that hyperv uses. Hyper-v tries to register 3 spn (typing from memory so I might be a bit off):

Microsoft hyper-v console/HOST.FQDN
Hyper-V Replication Service/HOST.FQDN
Microsoft Hyper-V Live Migration Service/HOST.FQDN.

This fails because of the spaces, that is samba being on linux, not seeing escape characters, messes up the request and just fails with registering.

In the hyper-v log you should see errors with failure to register spn. Without SPN there might be some authentication failures e.g. with live migration kerberos based replication and probably console. As a workaround you can try manually adding SPN with escape characters as in e.g.:

Microsoft\ hyper-v\ Management\ Console/HOST.FQDN etc. (And again without FQDN)

Also double-check correct SPN names for hyper-v, I'm not 100% sure if I typed them correctly.

That used to work for 100% for kerberos based hyper-v vm replication (for hyperv 2012 at least).

Regards,
Kacper

-------- Original message --------
From: "L.P.H. van Belle via samba" <samba at lists.samba.org>
Date: 02.08.2018 16:24 (GMT+01:00)
To: samba at lists.samba.org
Subject: Re: [Samba] SAMBA 4 as Active Directory and Hyper-V

Ok, what you use is your choice. It's what you prefer.
Few other questions then.

If you connect from your PC to the hyper-v console, is this logged in the windows event log?
Can you telnet to the hyper-v console port?

Somewhere there is something logged. I need that.
Start with increasing the samba logs and checking the windows event logs.

Greetz,

Louis

From: Radosław Dobrowolski [mailto:radoslaw.dobrowolski at gmail.com]
Sent: Thursday 2 August 2018 16:15
To: L.P.H. van Belle
CC: samba at lists.samba.org
Subject: Re: [Samba] SAMBA 4 as Active Directory and Hyper-V

I use Hyper-V because I prefer this virtualizator.

Ok. What I want.

I want to manage my Hyper-V Servers from Hyper-V console from my computer. The Hyper-V Servers, and my computer are joined to the domain (Samba as AD DC). But it's not working. I think there is a problem with authorization. I don't know what is wrong.

2018-08-02 16:03 GMT+02:00 L.P.H. van Belle via samba <samba at lists.samba.org>:

Why use hyper-V, if you can use a free Xen Server: https://xcp-ng.org/
Which is the same as Citrix Xen but free and all licence options enabled.
Just have a look.

But for the hyperv, it's not clear what you want exactly here.
Check this link, I'm guessing this is close to what you're looking for.
https://community.spiceworks.com/topic/2108484-adding-smb-or-usb-shares-to-standalone-hyper-v-server

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Radosław Dobrowolski via samba
> Sent: Thursday 2 August 2018 15:48
> To: samba at lists.samba.org
> Subject: [Samba] SAMBA 4 as Active Directory and Hyper-V
>
> Hello everybody,
>
> I have installed SAMBA 4.8.3 as Active Directory. Everything
> is fine but I
> have a problem with Hyper-V servers. There are few servers with
> Hyper-V Core.
> Servers of course are members of the domain. But I don't have access from
> computer through Hyper-V console.
>
> How can I configure my environment, to work properly??
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Andrew Bartlett
2018-Aug-02 18:19 UTC
[Samba] ODP: Re: SAMBA 4 as Active Directory and Hyper-V
On Thu, 2018-08-02 at 17:32 +0200, Kacper Wirski via samba wrote:
> I have a suspicion that it is related to the specific SPNs that hyperv uses. Hyper-v tries to register 3 spn (typing from memory so I might be a bit off):
> Microsoft hyper-v console/HOST.FQDN
> Hyper-V Replication Service/HOST.FQDN
> Microsoft Hyper-V Live Migration Service/HOST.FQDN.
>
> This fails because of the spaces, that is samba being on linux, not seeing escape characters, messes up the request and just fails with registering.

It is more about how we handle the linearised SPN in the directory, but yes, escaping sounds like a key here.

> In the hyper-v log you should see errors with failure to register spn.
> Without SPN there might be some authentication failures e.g. with live migration kerberos based replication and probably console. As a workaround you can try manually adding SPN with escape characters as in e.g.:
>
> Microsoft\ hyper-v\ Management\ Console/HOST.FQDN etc. (And again without FQDN)
>
> Also double-check correct SPN names for hyper-v, I'm not 100% sure if I typed them correctly.
>
> That used to work for 100% for kerberos based hyper-v vm replication (for hyperv 2012 at least).
> Regards,
> Kacper

Can you (perhaps with the OP) file a bug please? This we can fix.

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
Kacper Wirski
2018-Aug-02 18:42 UTC
[Samba] ODP: Re: SAMBA 4 as Active Directory and Hyper-V
I actually posted about this here on samba list last year, but nobody caught interest.

I used to have logs from samba and wireshark, which very nicely showed what's wrong (kerberos request was for SPN eg. "Hyper-V Replication Service/Servername.mydomain.com" and in samba log there was an error with something like "Hyper-V\ Replication \Service.. not found").

I read my last year's post, and I see that samba was adding by itself those "escape" signs, so that's why as a workaround I added straight up SPN with backslashes.

Some log "snippets" can be found in my previous entry in the list:
https://lists.samba.org/archive/samba/2017-March/207145.html

If something more detailed is needed I can probably arrange some additional logs. I'm not sure what's the proper way to "fix it", can samba be made somehow "aware" of those 3 special hyper-v SPN's and rewrite requests?

On 02.08.2018 at 20:19, Andrew Bartlett via samba wrote:
> On Thu, 2018-08-02 at 17:32 +0200, Kacper Wirski via samba wrote:
>> I have a suspicion that it is related to the specific SPNs that hyperv uses. Hyper-v tries to register 3 spn (typing from memory so I might be a bit off):
>> Microsoft hyper-v console/HOST.FQDN
>> Hyper-V Replication Service/HOST.FQDN
>> Microsoft Hyper-V Live Migration Service/HOST.FQDN.
>>
>> This fails because of the spaces, that is samba being on linux, not seeing escape characters, messes up the request and just fails with registering.
> It is more about how we handle the linearised SPN in the directory, but
> yes, escaping sounds like a key here.
>
>> In the hyper-v log you should see errors with failure to register spn.
>> Without SPN there might be some authentication failures e.g. with live migration kerberos based replication and probably console. As a workaround you can try manually adding SPN with escape characters as in e.g.:
>>
>> Microsoft\ hyper-v\ Management\ Console/HOST.FQDN etc. (And again without FQDN)
>>
>> Also double-check correct SPN names for hyper-v, I'm not 100% sure if I typed them correctly.
>>
>> That used to work for 100% for kerberos based hyper-v vm replication (for hyperv 2012 at least).
>> Regards,
>> Kacper
> Can you (perhaps with the OP) file a bug please? This we can fix.
>
> Andrew Bartlett
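
The workaround described in this thread (registering the Hyper-V SPNs with a backslash before each space, once with the FQDN and once with the short host name), as an added shell example that is not part of any post: it prints the `samba-tool spn add` commands for review and runs nothing. The host `hv01.example.com`, the account `HV01$` and the sample SPN list are constructed, and the service names are the ones typed in the thread, whose author was unsure of them.

```shell
#!/bin/sh
# Added example, not code from the thread. Prints commands; runs nothing.

# escape_spn STRING: put a literal backslash before every space.
escape_spn() {
    printf '%s\n' "$1" | sed 's/ /\\ /g'
}

# plan_spn_adds ACCOUNT SHORTNAME FQDN EXISTING
# Reads service classes from stdin, one per line. EXISTING holds the
# account's current servicePrincipalName values, one per line. For each
# class and each host form, prints a "samba-tool spn add" command unless
# the escaped SPN is already present.
plan_spn_adds() {
    account=$1 short=$2 fqdn=$3 existing=$4
    while IFS= read -r class; do
        [ -n "$class" ] || continue
        for host in "$fqdn" "$short"; do
            spn=$(escape_spn "$class/$host")
            # -F: fixed string, so the backslashes are not a regex;
            # -x: whole line; -i: SPN comparison ignores case.
            if ! printf '%s\n' "$existing" | grep -qixF -e "$spn"; then
                # Single quotes in the emitted command stop the shell from
                # eating the backslashes and the "$" of the machine account.
                printf "samba-tool spn add '%s' '%s'\n" "$spn" "$account"
            fi
        done
    done
}

# Constructed sample input. Service names are as typed in the thread
# (its author was unsure of them); host and account are hypothetical.
CLASSES='Hyper-V Replication Service
Microsoft Hyper-V Live Migration Service'
EXISTING='HOST/hv01.example.com
Hyper-V\ Replication\ Service/hv01.example.com'

printf '%s\n' "$CLASSES" |
    plan_spn_adds 'HV01$' hv01 hv01.example.com "$EXISTING"
```

Fill `EXISTING` from the machine account's current servicePrincipalName values and check the service names against the SPN registration errors in the Hyper-V log before running any printed command on the DC.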