Critical: Check kerberos authenticated DNS update (on DC Master)


#1

I upgraded to 4.3.0 and checked my DC Master server with System Diagnostic:

Critical: Check kerberos authenticated DNS update
Errors occured while running `kinit` or `nsupdate`.
`kinit` for principal dns-hostname with keytab /var/lib/samba/private/dns.keytab failed.

I checked with:

kinit --password-file=/etc/machine.secret $(hostname)\$
klist

and everything is OK

Do you think it is a false positive (like here: Critical: Check kerberos authenticated DNS update), even if it is on a Master DC role?


#2

Hey,

the error message does not fit the article you’ve linked to. It’s a different issue.

Luckily, problems with the Kerberos principal dns-… can often be recovered. There are several ways to do this. Let’s try the easiest one first. Please run the following steps on your DC Master:

# Create a backup of the file we're about to modify:
cp /var/lib/samba/private/dns.keytab /var/lib/samba/private/dns.keytab.$(date '+%Y%m%d%H%M%S')
# Re-export the Kerberos principal from the KDC into a new keytab file:
samba-tool domain exportkeytab dns.keytab.new --principal DNS/$(hostname).$(ucr get domainname)
samba-tool domain exportkeytab dns.keytab.new --principal dns-$(hostname)@$(ucr get kerberos/realm)
# Copy the new keytab over the existing one:
cp dns.keytab.new /var/lib/samba/private/dns.keytab

Afterwards run the system diagnostics again.

Kind regards,
mosu
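The same re-export, as an added example that is not part of the thread and not Univention's own tooling: the steps from post #2 wrapped in a script that verifies the freshly exported keytab (both principals present, `kinit` from the keytab succeeds) before it replaces the old one. It assumes a UCS DC Master with `samba-tool`, `ucr`, `kinit` and `klist` on PATH; the `.new` and backup file names follow the post, and the listing helper is the MIT `klist -k` form.

```shell
#!/bin/sh
# Added example, not from the thread: post #2's re-export with a verification
# step, so the new keytab is installed only after it is proven to work.
# Assumes a UCS DC Master with samba-tool, ucr, kinit and klist on PATH.
set -eu

KEYTAB=/var/lib/samba/private/dns.keytab

# List the principals in keytab $1 (MIT klist form; on a Heimdal-only
# system use `ktutil -k "$1" list` here instead).
list_keytab() { klist -k "$1"; }

# Exit 0 if principal $1 occurs in a keytab listing read from stdin.
# Whole-field comparison fits both MIT and Heimdal layouts and keeps
# dns-dc from matching dns-dc2.
keytab_has_principal() {
    awk -v p="$1" '{ for (i = 1; i <= NF; i++) if ($i == p) found = 1 }
                   END { exit !found }'
}

# Export both principals into a fresh keytab, check it, then install it.
# The existing keytab is left untouched if any step fails.
reexport_dns_keytab() {
    host=$(hostname)
    realm=$(ucr get kerberos/realm)
    fqdn="$host.$(ucr get domainname)"
    new="$KEYTAB.new"
    bak="$KEYTAB.$(date '+%Y%m%d%H%M%S')"
    cp "$KEYTAB" "$bak"
    rm -f "$new"                      # do not append to a stale export
    samba-tool domain exportkeytab "$new" --principal "DNS/$fqdn"
    samba-tool domain exportkeytab "$new" --principal "dns-$host@$realm"
    for p in "DNS/$fqdn@$realm" "dns-$host@$realm"; do
        list_keytab "$new" | keytab_has_principal "$p" ||
            { echo "principal $p missing from $new" >&2; return 1; }
    done
    # The check the diagnostic performs: get a TGT from the keytab alone,
    # using a throwaway credential cache.
    cache=$(mktemp)
    KRB5CCNAME="FILE:$cache" kinit -k -t "$new" "dns-$host@$realm" ||
        { rm -f "$cache"; echo "kinit with $new failed" >&2; return 1; }
    rm -f "$cache"
    cp "$new" "$KEYTAB"
    echo "installed $KEYTAB (backup: $bak)"
}

case "${1-}" in
    run) reexport_dns_keytab ;;
esac
```

Run it as root with `sh fix-dns-keytab.sh run`; without the `run` argument it only defines the functions.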


#3

Thanks Moritz, your solution worked, but now I have a new Warning:

S4 Connector Rejects
Found 1 UCS rejects and 1 S4 rejects. See Univention Support Database - How to deal with s4-connector rejects for more information.

UCS rejected:

UCS DN: cn=Console Logon,cn=Builtin,dc=domainname,dc=it
S4 DN: cn=console logon,cn=builtin,DC=domainname,DC=it
Filename: /var/lib/univention-connector/s4/1521468738.221372

S4 rejected:

S4 DN: CN=Console Logon,CN=Builtin,DC=domainname,DC=it
UCS DN: cn=console logon,cn=builtin,dc=domainname,dc=it

#4

Hey,

well, that’s a completely different issue and not related to the original one. Please open a new topic for it; otherwise things can get confusing quickly for everyone involved and other readers, too. Before you do that, please read this article and try to solve that issue yourself:

https://help.univention.com/t/how-to-deal-with-s4-connector-rejects/33

Kind regards,
mosu


#5

Ok thanks Mosu, I thought that this new issue was related because it didn’t appear before.
I’ll check the article.
Thanks.


#6

Hello, I am also seeing this on my DC Backup. Do the steps apply to the Slave DC, or will there be a different procedure to try?


#7

@sgvfr Please open a new thread for this. Makes life easier on everyone. Please make sure to post the full error message, as there are several possible error messages regarding authenticated DNS update. They’re slightly different and have different root causes; therefore saying “I have the same problem” is often not exactly true. Thanks.


#8

Understood, thanks. I was trying not to open new threads for what might have been a duplicate issue. I’ll start new ones from now on.