Samba 4 Active Directory Domain Controller for a Microsoft Failover Cluster

With the release of Samba 4, it is now possible to run an Active Directory-compatible domain controller on most *nixes. Don’t get me wrong: the real Active Directory from Microsoft is a great solution for larger enterprises. But for those who are either too restricted in terms of budget or just don’t want to touch a Microsoft Windows Server for Active Directory, Samba 4 can be a good option.

Up until now, using a Samba 4 AD domain controller for a Microsoft Failover Cluster has been next to impossible, because cluster validation fails with this error:

An error occurred while executing the test.
There was an error initializing the network tests.

There was an error creating the server side agent (CPrepSrv).

Creating an instance of the COM component with CLSID {E1568352-586D-43E4-933F-8E6DC4DE317A} from the IClassFactory failed due to the following error: 80070721 A security package specific error occurred. (Exception from HRESULT: 0x80070721).

Fortunately, there is a way to temporarily resolve this issue: add any value to the servicePrincipalName attribute via ADSI Edit or the Active Directory Users and Computers MMC snap-in. (Sorry folks, you can’t use Active Directory Administrative Center, as Samba 4 doesn’t currently emulate an AD DS Web Service server…) And yes, the people at the Samba project are aware of this “bug”, which stems from how a developer interpreted the way the security should have been implemented. (Sorry Andrew, I didn’t mean to throw you under the bus 😉)

After adding that attribute, you should be able to validate successfully and have a fully functional Hyper-V cluster for next to nothing (except the cost of a Windows 8 Pro license).

Edit: Apologies for being a little ambiguous about adding “any value” to the servicePrincipalName attribute. What I really meant was setting a non-NULL value on servicePrincipalName on the user who’s performing the validation checks and forming the cluster, not the computer account of the cluster member.
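
The same change can be made from the Samba DC itself instead of ADSI Edit. The script below is an added example, not part of the original post: it gives the validating user a servicePrincipalName only if the attribute is currently empty. The account name, the SPN value and the parsed `samba-tool spn list` output layout (SPNs on indented lines under a header) are assumptions.

```shell
#!/bin/sh
# Added example: make sure the user who runs cluster validation has a
# non-empty servicePrincipalName. Run as root on the Samba 4 DC.
# Assumption: `samba-tool spn list <user>` prints one header line followed
# by each SPN on its own whitespace-indented line.

SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"

# Print the SPNs currently set on account $1, one per line (nothing if none).
list_spns() {
    out=$("$SAMBA_TOOL" spn list "$1") || return 1
    printf '%s\n' "$out" |
        sed -n 's/^[[:space:]]\{1,\}\([^[:space:]]\{1,\}\)[[:space:]]*$/\1/p'
}

# Add SPN $2 to account $1 only when the attribute is empty.
# Prints "added" or "unchanged"; returns non-zero if samba-tool fails.
ensure_spn() {
    user=$1
    spn=$2
    current=$(list_spns "$user") || return 1
    if [ -n "$current" ]; then
        echo "unchanged"
    else
        "$SAMBA_TOOL" spn add "$spn" "$user" >/dev/null || return 1
        echo "added"
    fi
}

# Example call (hypothetical account and SPN):
#   ./ensure-spn.sh clusteradmin clustervalidation/clusteradmin
if [ $# -eq 2 ]; then
    ensure_spn "$1" "$2"
fi
```

Any domain user can request a Kerberos service ticket for an account that carries an SPN, and that ticket is encrypted with a key derived from the account's password, so the validating account should have a long random password.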

7 Replies to “Samba 4 Active Directory Domain Controller for a Microsoft Failover Cluster”

  1. Hi, thanks for this post – it is exactly what I have been banging my head against for the last few days. I was just wanting a bit of clarification about which object in the AD I should be adding/editing the servicePrincipalName.
    Should I be doing it on the Samba domain controller or on the servers that I wish to add to the cluster?
    Also… when you say “any value”, do you mean any value can be added to the existing list of values, or should I expect to find the attribute empty?

    Thanks again

    Cheers Tony

      1. Sorry, I’m having the same problem, however, I did not figure out where to find this parameter to change.
        You can clearly cite when you have found or even link to a link that relates to that change that should be made.

  2. Thanks for the hint on Active Directory Administrative Center not working with samba4. I was sure my domain wasn’t working with the RSAT tools because ADAC wouldn’t work. I was too quick to conclude and didn’t do the obvious and check out the other RSAT tools before starting searching for a solution. I reminded myself to think first, then search ;-).

    Thanks

    Bruce

  3. Thanks very much for the post – it certainly worked for me, and I have not found it elsewhere when searching.

    I have a SAMBA4 DC and two Hyper-V Server 2012R2 in a cluster, but Live Migration doesn’t work. Looks to me as though it is some NTLM authentication issue of the CLIUSR accounts. Did you get as far as that with your set-up? If so, might I please ask for a pointer in the right direction? Many thanks again!

    Alistair.

    1. You may have to set up Kerberos delegation properly for it to migrate properly. Unfortunately I have not gotten that far.
