Check kerberos authenticated DNS update on UCS Slave and Backup

andreaussi · August 24, 2018, 9:04am

Hi I’ve 3 UCS server:
Master
Slave
Backup

On Master System diagnostic --> OK
On Slave System diagnostic --> Errors occured while running kinit or nsupdate. kinit for principal ucs-SLAVE$ with password file /etc/machine.secret failed. kinit for principal dns-ucs-SLAVE with keytab /var/lib/samba/private/dns.keytab failed.
On Backup --> Errors occured while running kinit or nsupdate. kinit for principal ucs-BACKUP$ with password file /etc/machine.secret failed. kinit for principal dns-ucs-BACKUP with keytab /var/lib/samba/private/dns.keytab failed.

How can I fix it?

ahrnke · August 24, 2018, 9:17am

There is a detailed thread regarding this issue:

andreaussi · August 24, 2018, 9:21am

Ok Thanks,these operations must be executed on Slave and Backup both?

andreaussi · August 24, 2018, 9:33am

kinit -t test-keytab dns-$(ucr get hostname)@$(ucr get kerberos/realm)
kinit: krb5_get_init_creds: unable to reach any KDC in realm

ahrnke · August 24, 2018, 10:24am

Sorry, but I can hardly see that you at least tried to search by yourself for a solution.
The search function will show you also threads in english like Kinit broken in univention/ucs-master-amd64:4.2-1 after initial config and restart which will give additional information.

In short: Something is wrong with your kerberos setup. You have to fix it before you can try to fix the DNS stuff.

In case you dont understand details feel free to ask.

Best Regards,
Dirk

andreaussi · August 24, 2018, 10:29am

Now I’ve only this error:

Errors occured while running `kinit` or `nsupdate`. `nsupdate` check for domain domain.intranet failed (ucs-slave.domain.intranet). `nsupdate` check for domain domain.intranet failed (ucs-slave).

ahrnke · August 24, 2018, 10:55am

Please be more specifc. Mention the steps you did and where exactly the error occurs.
The first thread I have linked has enough of detailed suggestions. Make sure to read them.
There may well be a different cause for you problem but we can only go further if the causes that are already solved by others are ruled out and we know details about the differences.

andreaussi · August 24, 2018, 1:51pm

I’ve few errors on kerberos config now!!!
One question: in DNS object kerberos tcp i’ve
priority 0 Master
priority 1 slave
priority 2 Backup

Is it ok?

ahrnke · August 24, 2018, 2:40pm

As far as I know these objects are automically added to the _kerberos._tcp SRV record with a priority of 0 and a weighting of 100 for all objects.