Re: [Samba] kerberos issue (SPN not found) with windows Hyper-V ( samba 4.5.3 AD)




I made some progress with the issue, but didn't solve it completely.

It's basically a kind of bug (I'm not sure if it's on the Kerberos side or Samba's; I think Samba is the culprit here (?)).

Microsoft uses a kind of weird SPN for Hyper-V. Weird because there are "spaces" in the string, which is kind of unique as far as SPNs go; usually an SPN forms one unbroken string.

So I kind of just tried the simplest solution:

The workaround/fix is this:

In AD, for each Hyper-V host account (machine account, that is), set the servicePrincipalName attribute as such:

Hyper-V\ Replica\ Service/<NetbiosName>
Hyper-V\ Replica\ Service/<FQDN>
Microsoft\ Virtual\ Console\ Service/<NetbiosName>
Microsoft\ Virtual\ Console\ Service/<FQDN>
Microsoft\ Virtual\ System\ Migration\ Service/<NetbiosName>
Microsoft\ Virtual\ System\ Migration\ Service/<FQDN>

I edited it with ADUC from the RSAT suite, but I guess any method will work (samba-tool spn add or Windows "setspn -S").

So basically, just add a \ after each part of the SPN which precedes a " ". With these settings Hyper-V Replica and live migration from the SOURCE HOST work, but I'm stuck at Constrained Delegation.


I moved my test setup to Windows Server 2016 and Windows Server 2016 Hyper-V (free).

Constrained delegation is set up (with SPNs set as above), the protocol in Hyper-V is set to Kerberos, and constrained delegation is configured according to the Windows Server 2016 specifics (in ADUC -> machine account -> Delegation -> use specific services with ANY PROTOCOL; in pre-2016 it was Kerberos Only -> choose hosts and SPNs as set above).

When I'm doing a live migration of a VM while logged in at the source host, it works perfectly. When I'm trying to live migrate a VM from a remote Hyper-V host to the one I'm logged in to, I get an authentication error. The weirdest thing is the Samba log; it boggles my mind, and if anyone has any idea I'll be very thankful.

Notes: BMSRV2$ is a machine added to the domain with Hyper-V, with all SPNs and settings.
kacper_wirski is a DOMAIN USER account,
and in the log there is clearly:
Kerberos: Server not found in database: kacper_wirski@xxxxxxxxxxxxxxxx: No such entry in the database

Which is absurd, as obviously this account exists and is all well and fine. Relevant Samba log below. When I do kinit kacper_wirski@xxxxxxxxxxxxxxxx from the console I have no trouble obtaining a ticket etc. Maybe constrained delegation should be set up differently (i.e. Microsoft guidelines should be implemented differently for Samba AD?). I tried with a different DOMAIN ADMIN account on a different host and got the exact same issue with the same error in the log (root@xxxxxxxxxxxxxxxx: No such entry in the database).
Kerberos: TGS-REQ BMSRV2$@MYDOMAIN.COM.XYZ from ipv4:192.168.1.8:57775 for kacper_wirski@xxxxxxxxxxxxxxxx [canonicalize, renewable, forwardable]
[2017/03/18 13:24:37.782732, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: samba_kdc_fetch: message2entry failed
[2017/03/18 13:24:37.782776, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Searching referral for kacper_wirski
[2017/03/18 13:24:37.782800, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Server not found in database: kacper_wirski@xxxxxxxxxxxxxxxx: No such entry in the database
[2017/03/18 13:24:37.782819, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:192.168.1.8:57775
[2017/03/18 13:24:37.784201, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: TGS-REQ BMSRV2$@MYDOMAIN.COM.XYZ from ipv4:192.168.1.8:57776 for kacper_wirski@xxxxxxxxxxxxxxxx [canonicalize, renewable, forwardable]
[2017/03/18 13:24:37.785264, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: samba_kdc_fetch: message2entry failed
[2017/03/18 13:24:37.785308, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Searching referral for kacper_wirski
[2017/03/18 13:24:37.785332, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Server not found in database: kacper_wirski@xxxxxxxxxxxxxxxx: No such entry in the database
[2017/03/18 13:24:37.785352, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
  Kerberos: Failed building TGS-REP to ipv4:192.168.1.8:57776

On 2017-03-16 12:17 Kacper Wirski via samba wrote:

   Hello,

   I set up Samba 4 AD on CentOS 7.3 (self-compiled from source) over
   6 months ago. Up until now I haven't encountered any undocumented
   errors. I have 3 DCs (all Samba 4.5.3) which are working pretty
   nicely with over 60 Windows clients.

   The issue I've stumbled upon is when I added Windows Server Hyper-V
   hosts to the domain. Tried with Hyper-V from 2012, 2012 R2 and the new
   2016; all have the exact same problem.

   I've searched and googled and found one old topic with the same issue on
   the Samba lists, but no help was given, and also not enough info was
   supplied.

   The main issue is that Hyper-V hosts are unable to authenticate each
   other using Kerberos for live migration and replication (the only two
   features that require Kerberos); the Windows host gives the
   well-documented error that it's unable to authenticate using Kerberos.

   I've gathered all the logs, which I think explain the issue quite
   clearly, and hopefully someone will be able to give a viable solution.

   domain/realm, let's call it:
   mydomain.com.xyz @ MYDOMAIN.COM.XYZ
   Hyper-V hosts:
   BM-SRV-5 and BMSRV-WIN10 (both with Windows Server 2016 Standard with
   the Hyper-V host role installed)
   DC1, DC2, DC3 are my 3 domain controllers (names not really original
   :) )

   Microsoft Hyper-V requires specific SPNs registered for hosts:

   Microsoft Virtual Console Service
   Hyper-V Replica Service
   Microsoft Virtual System Migration Service

   The SPNs should be automatically registered in the AD machine account
   by Windows, but this fails with Windows error 14050. This error is
   well documented, but none of the solutions helped, and I think the error
   is with Samba AD, as I'll try to explain.

   I added the SPNs manually via Windows setspn (for both Hyper-V hosts
   of course; mydomain.com.xyz is of course a bogus name, the real domain is
   something different)

   setspn -S "Hyper-V Replica Service/BMSRV-WIN10" BMSRV-WIN10
   setspn -S "Hyper-V Replica Service/BMSRV-WIN10.mydomain.com.xyz" BMSRV-WIN10

   setspn -S "Microsoft Virtual System Migration Service/BMSRV-WIN10" BMSRV-WIN10
   setspn -S "Microsoft Virtual System Migration Service/BMSRV-WIN10.mydomain.com.xyz" BMSRV-WIN10

   setspn -S "Microsoft Virtual Console Service/BMSRV-WIN10" BMSRV-WIN10
   setspn -S "Microsoft Virtual Console Service/BMSRV-WIN10.mydomain.com.xyz" BMSRV-WIN10

   Both Windows and Samba, when queried, show the correct SPNs:
   output of the Windows query:

   setspn -l BMSRV-WIN10

   Registered ServicePrincipalNames for
   CN=BMSRV-WIN10,CN=Computers,DC=mydomain,DC=com,DC=xyz:
   HOST/BMSRV-WIN10
   HOST/BMSRV-WIN10.mydomain.com.xyz
   Hyper-V Replica Service/BMSRV-WIN10
   Hyper-V Replica Service/BMSRV-WIN10.mydomain.com.xyz
   Microsoft Virtual Console Service/BMSRV-WIN10
   Microsoft Virtual Console Service/BMSRV-WIN10.mydomain.com.xyz
   Microsoft Virtual System Migration Service/BMSRV-WIN10
   Microsoft Virtual System Migration Service/BMSRV-WIN10.mydomain.com.xyz
   RestrictedKrbHost/BMSRV-WIN10
   RestrictedKrbHost/BMSRV-WIN10.mydomain.com.xyz
   TERMSRV/BMSRV-WIN10
   TERMSRV/BMSRV-WIN10.mydomain.com.xyz
   WSMAN/BMSRV-WIN10
   WSMAN/BMSRV-WIN10.mydomain.com.xyz

   output of the samba-tool query:

   samba-tool spn list BMSRV-WIN10$
   schema_fsmo_init: we are master[no] updates allowed[no]
   User CN=BMSRV-WIN10,CN=Computers,DC=mydomain,DC=com,DC=xyz has the
   following servicePrincipalName:
   HOST/BMSRV-WIN10
   HOST/BMSRV-WIN10.mydomain.com.xyz
   Hyper-V Replica Service/BMSRV-WIN10
   Hyper-V Replica Service/BMSRV-WIN10.mydomain.com.xyz
   Microsoft Virtual Console Service/BMSRV-WIN10
   Microsoft Virtual Console Service/BMSRV-WIN10.mydomain.com.xyz
   Microsoft Virtual System Migration Service/BMSRV-WIN10
   Microsoft Virtual System Migration Service/BMSRV-WIN10.mydomain.com.xyz
   RestrictedKrbHost/BMSRV-WIN10
   RestrictedKrbHost/BMSRV-WIN10.mydomain.com.xyz
   TERMSRV/BMSRV-WIN10
   TERMSRV/BMSRV-WIN10.mydomain.com.xyz
   WSMAN/BMSRV-WIN10
   WSMAN/BMSRV-WIN10.mydomain.com.xyz

   It all looks fine and well (the SPN names are 100% correct, verified).

   For the Hyper-V features to work (replica and live migration) with
   Kerberos I need to set up delegation (it's set; I verified a million
   times over that it's set the right way, just like MS wants it).

   I know that I can obtain tickets for other SPNs
   (from Windows, klist cifs/BMSRV-WIN10 grants me a valid ticket, for
   example).

   Now cometh the error:
   When I try to run Hyper-V Replica it fails with an error concerning
   Kerberos and the SPN not being there.

   Log from Samba DC3 (when trying to start Hyper-V Replica from BM-SRV-5
   to BMSRV-WIN10):

   Kerberos: TGS-REQ BM-SRV-5$@MYDOMAIN.COM.XYZ from ipv4:192.168.1.10:56993 for Hyper-V\ Replica\ Service/BMSRV-WIN10.mydomain.com.xyz@xxxxxxxxxxxxxxxx [canonicalize, renewable, forwardable]
   [2017/03/16 10:55:07.246904, 4] ../source4/dsdb/samdb/cracknames.c:169(LDB_lookup_spn_alias)
     LDB_lookup_spn_alias: no alias for service Hyper-V Replica Service applicable
   [2017/03/16 10:55:07.246971, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
     Kerberos: Searching referral for BMSRV-WIN10.mydomain.com.xyz
   [2017/03/16 10:55:07.247028, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
     Kerberos: Server not found in database: Hyper-V\ Replica\ Service/BMSRV-WIN10.mydomain.com.xyz@xxxxxxxxxxxxxxxx: no such entry found in hdb
   [2017/03/16 10:55:07.247053, 3] ../source4/auth/kerberos/krb5_init_context.c:80(smb_krb5_debug_wrapper)
     Kerberos: Failed building TGS-REP to ipv4:192.168.1.10:56993

   Log from Wireshark (earlier attempt but same issue, this time when
   trying to start live migration from BM-SRV-5 to BMSRV-WIN10):

   req-body
   Padding: 0
   kdc-options: 40810000 (forwardable, renewable, canonicalize)
   realm: MYDOMAIN.COM.XYZ
   sname
   name-type: kRB5-NT-SRV-INST (2)
   sname-string: 2 items
   SNameString: Microsoft Virtual System Migration Service
   SNameString: BMSRV-WIN10
   till: 2037-09-13 02:48:05 (UTC)
   nonce: 17847174
   etype: 5 items
   enc-authorization-data


   error:
   krb-error
   pvno: 5
   msg-type: krb-error (30)
   ctime: 2017-03-16 08:01:23 (UTC)
   cusec: 128
   stime: 2017-03-16 08:01:23 (UTC)
   susec: 66964
   error-code: eRR-S-PRINCIPAL-UNKNOWN (7)
   realm: <unspecified realm>
   sname
   name-type: kRB5-NT-UNKNOWN (0)
   sname-string: 0 items

   The same errors occur when going the other way round.

   So the SPNs are clearly there (both setspn -l and samba-tool spn list
   outputs confirm that), the client sends a correct request (as seen by
   Wireshark and/or the Samba log), but suddenly Samba is unable to find
   the SPN.
   I'm a complete newbie (well, sort of) when it comes to Kerberos and
   Samba, but maybe it's because the SPN has spaces, as that's pretty
   unusual, but that's what Microsoft wants/needs?
   I don't know, just a guess :-) . The features offered by Hyper-V in AD
   are obviously beneficial and I would love to get them working.
   Any help, workaround or tip, and I will be very, very thankful. If more
   info is needed I'll gladly supply logs/whatever is needed.

   Kacper Wirski

   --
   To unsubscribe from this list go to the following URL and read the
   instructions: https://lists.samba.org/mailman/options/samba

--
Regards,
Kacper Wirski

tel: + 48 608 421 424

Babka Medica Sp. z o.o. Sp. k.
ul. Słomińskiego 19/517, 00-195 Warszawa
District Court for the Capital City of Warsaw in Warsaw, XII Commercial Division, KRS
0000298042
NIP 525-234-00-28

www.babkamedica.pl

----------------------------------------------------------------------------


The information contained in this correspondence is confidential. This correspondence
is addressed exclusively to the person (company) named above.
Distribution, copying, disclosure or transmission to third parties, in any form, of
the information contained in this document, in whole or in part, is prohibited without
the prior written consent (under penalty of invalidity) of Babka Medica Sp. z o.o. Sp. k.

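An added illustration (not code from the thread, nor Samba's own) of why the escaped SPNs above make the lookup succeed: it models a Heimdal-style KDC unparsing the TGS-REQ sname into a string and matching it against the stored servicePrincipalName values. The quoting table follows Heimdal's krb5_unparse_name as I know it (consistent with the "Hyper-V\ Replica\ Service/..." strings in the log); the case-insensitive comparison and the sample SPN list are assumptions.

```python
# Added example, not from the thread. Models how a Heimdal-based KDC (Samba's)
# turns the sname-string components of a TGS-REQ into one printable principal
# string and then looks that string up in servicePrincipalName. SPNs with
# spaces are only found once the backslash-escaped form is stored, which is
# the workaround described in the reply.
from typing import List

# Characters Heimdal's krb5_unparse_name quotes with a backslash (assumption
# based on the library's quoting table; space and '/' are the ones that matter).
_QUOTED = {' ': '\\ ', '/': '\\/', '@': '\\@', '\\': '\\\\',
           '\n': '\\n', '\t': '\\t', '\b': '\\b'}


def unparse_sname(components: List[str]) -> str:
    """Join TGS-REQ sname-string components the way krb5_unparse_name prints them."""
    return '/'.join(''.join(_QUOTED.get(c, c) for c in comp) for comp in components)


def kdc_lookup_matches(sname: List[str], spn_attr: List[str]) -> bool:
    """True if the unparsed sname equals a stored servicePrincipalName value.
    Assumes a case-insensitive match, as for an AD string attribute."""
    wanted = unparse_sname(sname).casefold()
    return any(value.casefold() == wanted for value in spn_attr)


def escaped_workaround(spn_attr: List[str]) -> List[str]:
    """Return the extra escaped values the reply adds for every SPN containing spaces."""
    return [unparse_sname(v.split('/', 1)) for v in spn_attr if ' ' in v]


# Constructed sample: the two sname-string items from the Wireshark capture and
# an (unescaped) servicePrincipalName attribute as registered with setspn -S.
SNAME = ["Microsoft Virtual System Migration Service", "BMSRV-WIN10"]
SPN_ATTR = [
    "HOST/BMSRV-WIN10",
    "Microsoft Virtual System Migration Service/BMSRV-WIN10",
    "Microsoft Virtual System Migration Service/BMSRV-WIN10.mydomain.com.xyz",
]

if __name__ == "__main__":
    print("KDC looks for:", unparse_sname(SNAME))
    print("found before workaround:", kdc_lookup_matches(SNAME, SPN_ATTR))
    fixed = SPN_ATTR + escaped_workaround(SPN_ATTR)
    print("found after workaround: ", kdc_lookup_matches(SNAME, fixed))
```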