Check Kerberos authenticated DNS update


#1

Hi, I am getting the above error running system diagnostics on my DC Backup.

I am using this post, CRITICAL: Check kerberos authenticated DNS updates, to try to resolve the problem.

root@ucs-fs:~# samba-tool domain exportkeytab test-keytab --principal dns-$(ucr get hostname)@$(ucr get kerberos/realm)
Export one principal to test-keytab
root@ucs-fs:~# samba-tool domain exportkeytab test-keytab --principal DNS/$(ucr get hostname).$(ucr get kerberos/realm)
Export one principal to test-keytab
root@ucs-fs:~# kinit -t test-keytab dns-$(ucr get hostname)@$(ucr get kerberos/realm)
root@ucs-fs:~# kinit -t test-keytab DNS/$(ucr get hostname).$(ucr get kerberos/realm)
kinit: krb5_get_init_creds: Client (DNS/ucs-fs.domain.LOCAL@domain.LOCAL) unknown

Next I tried this

root@ucs-fs:~# kinit -t test-keytab dns-$(ucr get hostname)@$(ucr get kerberos/realm)
root@ucs-fs:~# eval "$(ucr shell)"
root@ucs-fs:~# nsupdate -g <<%EOF
> server $ldap_master
> prereq yxdomain $hostname.$domainname
> send
> %EOF
cns_tkey_negotiategss: TKEY is unacceptable

Still trying this

root@ucs-fs:~# udm users/user delete --dn=uid=dns-$(hostname),cn=users,$(ucr get ldap/base)
Object removed: uid=dns-ucs-fs,cn=users,dc=sunhut,dc=local
root@ucs-fs:~# ldbdel -H /var/lib/samba/private/secrets.ldb "samAccountName=dns-$(hostname),CN=Principles"
delete of 'samAccountName=dns-ucs-fs,CN=Principles' failed - (No such object) ldb_wait from (null) with LDB_WAIT_ALL: No such object (32)
root@ucs-fs:~# # Now wait until your S4 connector has finished syncing the deleted objects. Watch /var/log/univention/connector-s4.log for corresponding messages.
root@ucs-fs:~# /usr/share/univention-samba4/scripts/create_spn_account.sh --samaccountname "dns-$(hostname)" --serviceprincipalname "DNS/$(hostname).$(ucr get domainname)" --privatekeytab dns.keytab
Object created: uid=dns-ucs-fs,cn=users,dc=sunhut,dc=local
looking for spn account "dns-ucs-fs" in local samba
Modified 1 records successfully
Modified 1 records successfully
Expiry for user 'dns-ucs-fs' disabled.
root@ucs-fs:~# # Again, wait until the S4 connector has finished syncing.
root@ucs-fs:~# /usr/share/univention-s4-connector/resync_object_from_s4.py "cn=dns-$(hostname),cn=users,$(ucr get samba4/ldap/base)"
resync triggered for cn=dns-ucs-fs,cn=users,DC=SUNHUT,DC=LOCAL
Estimated sync in 50 seconds.
root@ucs-fs:~# # Wait for the S4 connector a third time.
root@ucs-fs:~# keytab=/var/lib/samba/private/dns.keytab
root@ucs-fs:~# mv $keytab $keytab.$(date '+%Y%m%d%H%M%S')
root@ucs-fs:~# samba-tool domain exportkeytab $keytab "--principal DNS/$(hostname).$(ucr get domainname)"
Usage: samba-tool domain exportkeytab <keytab> [options]

samba-tool domain exportkeytab: error: no such option: --principal DNS/ucs-fs.sunhut.local
root@ucs-fs:~# samba-tool domain exportkeytab $keytab "--principal=dns-$(hostname)@$(ucr get kerberos/realm)"
Export one principal to /var/lib/samba/private/dns.keytab
root@ucs-fs:~# chmod 0640 $keytab

Just to find a syntax error

Next I tried this

root@ucs-fs:~# samba_upgradedns --dns-backend=SAMBA_INTERNAL
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/bind-dns/dns/SUNHUT.LOCAL.zone
DNS records will be automatically created
DNS partitions already exist
Finished upgrading DNS
You have switched to using SAMBA_INTERNAL as your dns backend, but you still have samba starting looking for a BIND backend. Please remove the -dns from your server services line.
root@ucs-fs:~# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/bind-dns/dns/SUNHUT.LOCAL.zone
DNS records will be automatically created
DNS partitions already exist
Adding dns-ucs-fs account
Failed to create link /var/lib/samba/private/dns.keytab -> /var/lib/samba/bind-dns/dns.keytab: No such file or directory
Failed to chown /var/lib/samba/bind-dns to bind gid 125
Failed to chown /var/lib/samba/bind-dns/dns.keytab to bind gid 125
Traceback (most recent call last):
  File "/usr/sbin/samba_upgradedns", line 533, in <module>
    create_dns_dir(logger, paths)
  File "/usr/lib/python2.7/dist-packages/samba/provision/sambadns.py", line 704, in create_dns_dir
    os.mkdir(dns_dir, 0o770)
OSError: [Errno 2] No such file or directory: '/var/lib/samba/bind-dns/dns'
root@ucs-fs:~# samba_dnsupdate --verbose --all-names
Last command has no errors

I am at a loss here.


#2

Yeah, that should be "--principal=DNS/$(hostname).$(ucr get domainname)" (a = instead of a space between --principal and DNS/…). I’ve corrected the post you linked to.

Re-run those instructions starting with the line keytab=/var/lib/samba/private/dns.keytab (the last five lines in the linked post).


#3

Thanks
Still don’t understand why this error appears.

root@ucs-fs:~# kinit -t test-keytab DNS/$(ucr get hostname).$(ucr get kerberos/realm)
kinit: krb5_get_init_creds: Client (DNS/ucs-fs.domain.LOCAL@domain.LOCAL) unknown

#4

Because I made that syntax error in my original post in the very line that’s supposed to export the key for the principal DNS/<hostname>.<kerberosrealm> to the temporary keytab. Therefore the entry wasn’t exported, and therefore you cannot get a token for that principal from the temporary keytab.


#5

Sorry, I posted the wrong lines.

Did run the lines with the corrected syntax but still got an error, this is the new error:

root@ucs-fs:~# samba-tool domain exportkeytab test-keytab --principal=dns-$(ucr get hostname)@$(ucr get kerberos/realm)
Export one principal to test-keytab
root@ucs-fs:~# samba-tool domain exportkeytab test-keytab --principal=DNS/$(ucr get hostname).$(ucr get kerberos/realm)
Export one principal to test-keytab
root@ucs-fs:~# kinit -t test-keytab dns-$(ucr get hostname)@$(ucr get kerberos/realm)
kinit: krb5_get_init_creds: Client (dns-ucs-fs@Domain.LOCAL) unknown
root@ucs-fs:~# kinit -t test-keytab DNS/$(ucr get hostname).$(ucr get kerberos/realm)
kinit: krb5_get_init_creds: Client (DNS/ucs-fs.Domain.LOCAL@Domain.LOCAL) unknown

#6

That’s strange.

Please list the contents of the exported key tab. Run the following & post its output:

ktutil --keytab=test-keytab list

Please also post the output of the following commands, and please don’t obfuscate the data but copy it verbatim. I understand and respect that you’re trying to keep as much data as possible confidential, but debugging such issues is hard enough as it is, and each type of manual modification of said data poses the risk of masking actual problems.


#7

root@ucs-fs:~# ktutil --keytab=test-keytab list
test-keytab:

Vno  Type                     Principal                             Aliases
  1  aes256-cts-hmac-sha1-96  dns-ucs-fs@SUNHUT.LOCAL
  1  aes128-cts-hmac-sha1-96  dns-ucs-fs@SUNHUT.LOCAL
  1  arcfour-hmac-md5         dns-ucs-fs@SUNHUT.LOCAL
  1  des-cbc-md5              dns-ucs-fs@SUNHUT.LOCAL
  1  des-cbc-crc              dns-ucs-fs@SUNHUT.LOCAL
  4  aes128-cts-hmac-sha1-96  DNS/ucs-fs.SUNHUT.LOCAL@SUNHUT.LOCAL
  4  des-cbc-md5              DNS/ucs-fs.SUNHUT.LOCAL@SUNHUT.LOCAL
  4  des-cbc-crc              DNS/ucs-fs.SUNHUT.LOCAL@SUNHUT.LOCAL
  4  arcfour-hmac-md5         DNS/ucs-fs.SUNHUT.LOCAL@SUNHUT.LOCAL
  4  aes256-cts-hmac-sha1-96  DNS/ucs-fs.SUNHUT.LOCAL@SUNHUT.LOCAL
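
Post #4 explains the symptom: if a principal was never exported, the keytab has no key for it and kinit cannot obtain a ticket from it, so a listing like the one above is the first thing to check. The script below is an added example (not part of this thread and not a Univention tool) that parses the Heimdal `ktutil --keytab=<file> list` table format shown above and reports which of the two principals needed for Kerberos-authenticated DNS updates (the `dns-<host>@<REALM>` account and its `DNS/<host>.<domain>@<REALM>` SPN) is missing. `SAMPLE_KTUTIL_OUTPUT` is a constructed, shortened copy of the listing in #7; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not from the thread or from Univention: before running
# kinit against an exported keytab, check that the two principals that
# Kerberos-authenticated DNS updates rely on are actually present in it.
# Parses the Heimdal "ktutil --keytab=<file> list" table format.
# SAMPLE_KTUTIL_OUTPUT is a constructed, shortened copy of the listing in #7.

SAMPLE_KTUTIL_OUTPUT='test-keytab:

Vno  Type                     Principal                             Aliases
  1  aes256-cts-hmac-sha1-96  dns-ucs-fs@SUNHUT.LOCAL
  1  arcfour-hmac-md5         dns-ucs-fs@SUNHUT.LOCAL
  4  aes128-cts-hmac-sha1-96  DNS/ucs-fs.SUNHUT.LOCAL@SUNHUT.LOCAL
  4  aes256-cts-hmac-sha1-96  DNS/ucs-fs.SUNHUT.LOCAL@SUNHUT.LOCAL'

# Read a ktutil listing on stdin and print the distinct principals it holds.
# Data rows start with a numeric key version number (Vno); the principal is
# the third column. The "file:" line, blank line and column header are skipped.
keytab_principals() {
    awk 'NF >= 3 && $1 ~ /^[0-9]+$/ { print $3 }' | sort -u
}

# Exit 0 if the principal given as $1 is in the ktutil listing on stdin.
# The match is exact: Kerberos principal names are case-sensitive, so
# dns-ucs-fs@sunhut.local does not satisfy a check for dns-ucs-fs@SUNHUT.LOCAL.
keytab_has_principal() {
    keytab_principals | grep -Fxq -- "$1"
}

# Print, one per line, whichever of the two expected principals is absent from
# the listing on stdin:
#   dns-<host>@<REALM>            the DNS update account
#   DNS/<host>.<domain>@<REALM>   its service principal (SPN)
# $1 = hostname, $2 = Kerberos realm, $3 = DNS domain used in the SPN
# (defaults to the realm, which is the form shown in the #7 listing; pass
# "$(ucr get domainname)" to check the lowercase form used by
# create_spn_account.sh instead).
missing_dns_principals() {
    host=$1
    realm=$2
    domain=${3:-$realm}
    have=$(keytab_principals)
    for p in "dns-$host@$realm" "DNS/$host.$domain@$realm"; do
        printf '%s\n' "$have" | grep -Fxq -- "$p" || printf '%s\n' "$p"
    done
}

# Wrapper for a real keytab on a UCS host (not run in this example):
#   check_keytab_file test-keytab "$(ucr get hostname)" "$(ucr get kerberos/realm)"
# Prints nothing and returns 0 when both principals are present.
check_keytab_file() {
    missing=$(ktutil --keytab="$1" list | missing_dns_principals "$2" "$3" "${4:-}")
    [ -z "$missing" ] && return 0
    printf 'missing from %s:\n%s\n' "$1" "$missing" >&2
    return 1
}

# Demonstration on the constructed listing: the SUNHUT.LOCAL check prints
# nothing, while a check against a different realm reports both principals.
printf '%s\n' "$SAMPLE_KTUTIL_OUTPUT" | missing_dns_principals ucs-fs SUNHUT.LOCAL
printf '%s\n' "$SAMPLE_KTUTIL_OUTPUT" | missing_dns_principals ucs-fs OTHER.LOCAL
```

Running the check against the listing in #7 with `ucs-fs` and `SUNHUT.LOCAL` reports nothing missing, which is why the "Client unknown" error there is surprising; a mismatch in case or realm between what the keytab holds and what kinit is asked for would show up here as a missing principal before any KDC is contacted.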

#8

At the moment I’m not certain why you’re running into this particular issue. Additionally your earlier try to switch DNS backends ended in strange error messages, too. As this is a DC Backup, I suggest you re-join the machine.


#9

Rejoining does not help.

Other problems that I still haven’t addressed yet:

  • Portal on Master DC is suddenly reduced to “System and Domain settings” and “Univention Blog”
  • UVMM stopped working on my master DC, cannot be managed in app center.
  • UCS Dashboard is installed on DC Backup and the Dashboard client does not install on the Master DC.
  • OX Mail suddenly presenting username@domain.net as return address instead of primary email address.

So I am a bit frustrated. Will eventually start a new thread with those issues.

I’m not in any way customizing the system. I am using standard settings, but still my system breaks down during updates. Trying to use this forum and articles to rectify errors, and still I’m deeper in the hole. UDM sync breaks down for no apparent reason. Kerberos breaks on a regular basis. Samba4 breaks occasionally.