Check kerberos authenticated DNS update on UCS Slave and Backup


#1

Hi, I have 3 UCS servers:
Master
Slave
Backup

On Master System diagnostic --> OK
On Slave System diagnostic --> Errors occured while running kinit or nsupdate. kinit for principal ucs-SLAVE$ with password file /etc/machine.secret failed. kinit for principal dns-ucs-SLAVE with keytab /var/lib/samba/private/dns.keytab failed.
On Backup --> Errors occured while running kinit or nsupdate. kinit for principal ucs-BACKUP$ with password file /etc/machine.secret failed. kinit for principal dns-ucs-BACKUP with keytab /var/lib/samba/private/dns.keytab failed.

How can I fix it?


#2

There is a detailed thread regarding this issue:


#3

OK, thanks. Must these operations be executed on both Slave and Backup?


#4
```
kinit -t test-keytab dns-$(ucr get hostname)@$(ucr get kerberos/realm)
kinit: krb5_get_init_creds: unable to reach any KDC in realm
```

#5

Sorry, but I can hardly see that you at least tried to search by yourself for a solution.
The search function will also show you threads in English like Kinit broken in univention/ucs-master-amd64:4.2-1 after initial config and restart, which will give additional information.

In short: Something is wrong with your Kerberos setup. You have to fix it before you can try to fix the DNS stuff.

In case you don't understand details, feel free to ask.

Best Regards,
Dirk


#6

Now I’ve only this error:

Errors occured while running `kinit` or `nsupdate`. `nsupdate` check for domain domain.intranet failed (ucs-slave.domain.intranet). `nsupdate` check for domain domain.intranet failed (ucs-slave).

#7

Please be more specific. Mention the steps you did and where exactly the error occurs.
The first thread I have linked has enough detailed suggestions. Make sure to read them.
There may well be a different cause for your problem, but we can only go further if the causes that are already solved by others are ruled out and we know details about the differences.


#8

I’ve few errors on kerberos config now!!!
One question: in the DNS object kerberos tcp I’ve
priority 0 Master
priority 1 slave
priority 2 Backup

Is it ok?


#9

As far as I know, these objects are automatically added to the _kerberos._tcp SRV record with a priority of 0 and a weighting of 100 for all objects.