I keep getting this error running System diagnostics. I cant find a resolution for this.
Critical: Check kerberos authenticated DNS update
Errors occured while running kinit or nsupdate.
kinit for principal ucstest$ with password file /etc/machine.secret failed.
Hey,
what kind of a server role is this (see ucr get server/role), and is the package univention-samba4 installed (see dpkg -l univention-samba4)?
Kind regards,
mosu
Server 1. Server role is memberserver and there is no samba4 installation.
Server 2. Server role is domaincontroller_slave with samba4 installation
The error also appeared on my DC but it has now dissapeared.
Hey,
for servers where there is no Samba 4 installation I consider this to be a false positive. See this bug for details.
For servers that do have a Samba 4 installation: please post the output of the following commands run on the server where the system diagnosis shows the error:
kinit --password-file=/etc/machine.secret $(hostname)\$
klist
Thanks.
Kind regards,
mosu
root@ucskvm1:~# kinit --password-file=/etc/machine.secret $(hostname)$
root@ucskvm1:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: ucskvm1$@SUNHUT.LOCAL
Issued Expires Principal
Feb 15 11:10:11 2018 Feb 15 21:10:10 2018 krbtgt/SUNHUT.LOCAL@SUNHUT.LOCAL
root@ucskvm1:~#
I am also having problem running this joinscript on the same machine.
univention-run-join-scripts started
Thu Feb 15 11:24:29 CET 2018
RUNNING 98univention-samba4-dns.inst
2018-02-15 11:24:29.118619743+01:00 (in joinscript_init)
Waiting for RID Pool replication: …
Error no rIDSetReferences replicated for ucskvm1
EXITCODE=1
Thu Feb 15 11:27:58 CET 2018
univention-run-join-scripts finished
Hey,
I’m a bit confused by what you’re writing, to be honest. Initially you talked about a server called ucstest:
Now you’re showing me output from a different server:
On this server the kinit works just fine.
Additionally you’re talking about the join script for ucskvm1 not working.
Can you please elaborate a bit? Which server showed the “Critical: Check kerberos authenticated DNS update” error in the system diagnosis?
What does the system diagnosis show for server “ucskvm1”?
And what’s the output of kinit --password-file=/etc/machine.secret $(hostname)$ when you run it on the server ucstest?
Thanks.
mosu
I have this error on more than one server, currently there are two servers, originally there were four servers of which 3 had a Samba4 installation with this error.
Server 1 is ucstest
Server 2 is ucskvm1
Well you said “for servers where there is no Samba 4 installation I consider this to be a false positive. See this bug1 for details”. Ucstest has no Samba4 so we can leave server1 for the time beeing.
The other server is ucskvm1 (server 2) where there is a Samba4 installation. This is the server that is giving me a lot of problem.
Hey,
thanks for the explanation. It all makes sense to me now, and I agree that we should ignore ucstest and focus on ucskvm1.
Can you please show me the output of ucr get samba/interfaces/bindonly and ucr get samba/interfaces from host ucskvm1?
mosu
root@ucskvm1:/var/log/univention# ucr get samba/interfaces/bindonly
yes
root@ucskvm1:/var/log/univention# ucr get samba/interfaces
lo <interfaces/primary>
root@ucskvm1:/var/log/univention#
I also get Critical: Check local AD database for error
samba-tool dbcheck returned a problem with the local AD database.
STDOUT: Checking 270 objects
No RID Set found for this server: CN=UCSKVM1,OU=Domain Controllers,DC=sunhut,DC=local, and we are not the RID Master (so can not self-allocate)
Please use --fix to fix these errors Checked 270 objects (1 errors)
You can run samba-tool dbcheck --fix to fix the issue.
Samba-tool dbcheck --fix does not help.
Thanks.
I sugget you try to re-join the server. Re-joining won’t remove any of your data, but it may actually fix issues such as the one you’re observing. Just run univeniton-join on ucskvm1.
mosu
You said kinit for ucskvm1 was OK but I still have the diagnostic error “Critical: Check kerberos authenticated DNS update”, is that a false positiv despite the server having a Samba4 installation?
The join is still stuck on 98univention-samba4-dns.inst with this error in join.log.
univention-run-join-scripts started
Fri Feb 16 14:47:48 CET 2018
RUNNING 98univention-samba4-dns.inst
2018-02-16 14:47:48.483258751+01:00 (in joinscript_init)
Waiting for RID Pool replication: …
Error no rIDSetReferences replicated for ucskvm1
EXITCODE=1
Fri Feb 16 14:51:09 CET 2018
univention-run-join-scripts finished