Critical: Check kerberos authenticated DNS update after restore

From my previous thread of an upgrade gone bad, I have decided it was quicker and easier to start over and restore from a backup. I followed Cool Solution - Single Server Backup and Restore and was successful, with no errors during the restore process.

I performed a system diagnostic on the new DC Master and I get the error:
Critical: Check kerberos authenticated DNS update (on DC Master)

Errors occured while running `kinit` or `nsupdate`.
`kinit` for principal ad$ with password file /etc/machine.secret failed.

From the thread Critical: Check kerberos authenticated DNS update (on DC Master) I checked with:

```
kinit --password-file=/etc/machine.secret $(hostname)\$
klist
```

The output is:

```
# kinit --password-file=/etc/machine.secret $(hostname)\$
kinit: Password incorrect
# klist
klist: No ticket file: /tmp/krb5cc_0
```

And for some system info:

```
# univention-app info
UCS: 4.4-0 errata137
Installed: google-apps=2.3 pkgdb=11.0 prometheus-node-exporter=1.1 radius=5.0 samba4=4.10 4.3/admin-dashboard=1.2 4.3/prometheus=1.1
Upgradable: 
```

Where do I go from here? I know @Moritz_Bunkus has worked on threads related to this.

I had this same issue some days ago. I’ve solved it by triggering a machine password change on the affected system:

Thanks, that worked like a charm.

Hello,

I am trying to trigger the script and I can’t run it. Can you explain how you run it?

If you look in the linked article, just copy/paste this into your shell.

```
/usr/lib/univention-server/server_password_change
```

That would not do anything (you have to read the linked article to the end!!!).

You first have to set the password change interval:

```
ucr set server/password/interval=-1
```

then

```
/usr/lib/univention-server/server_password_change
```

and after that reset the interval to the default:

```
ucr set server/password/interval=21
```

rg
Christian

1 Like
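
The three steps from the thread as one script, followed by the `kinit` check from the first post. This is an added example, not part of the original posts and not Univention's own tooling; the function names and the `PWCHANGE` and `SECRET_FILE` variables are assumptions of the example, and it restores whatever interval was configured before instead of hardcoding 21.

```shell
#!/bin/sh
# Added example: force a machine password change on a UCS system, restore the
# previous rotation interval, then confirm kinit works with the new secret.
# Run as root on the affected system. PWCHANGE, SECRET_FILE and the function
# names are choices made for this example.

PWCHANGE="${PWCHANGE:-/usr/lib/univention-server/server_password_change}"
SECRET_FILE="${SECRET_FILE:-/etc/machine.secret}"

# Returns 0 if kinit with the machine secret succeeds for the host principal.
check_machine_kinit() {
    principal="$(hostname)\$"
    cache="$(mktemp)" || return 1
    # Throwaway credential cache, so root's existing tickets are untouched.
    if KRB5CCNAME="FILE:$cache" kinit --password-file="$SECRET_FILE" "$principal"; then
        KRB5CCNAME="FILE:$cache" klist
        kinit_rc=0
    else
        echo "kinit for $principal still fails" >&2
        kinit_rc=1
    fi
    rm -f "$cache"
    return "$kinit_rc"
}

rotate_machine_secret() {
    # Remember the configured interval so it is restored even if rotation fails.
    old_interval="$(ucr get server/password/interval)"
    ucr set server/password/interval=-1 || return 1

    rc=0
    "$PWCHANGE" || rc=$?

    # The thread gives 21 as the default; use it only if nothing was set before.
    ucr set "server/password/interval=${old_interval:-21}"

    if [ "$rc" -ne 0 ]; then
        echo "server_password_change exited with $rc" >&2
        return "$rc"
    fi
    check_machine_kinit
}

# Run only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    rotate_machine_secret
fi
```

Invoke it with `--run` as root; a non-zero exit means either the password change script failed or `kinit` with `/etc/machine.secret` is still rejected.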