Critical: Check kerberos authenticated DNS update

kerberos
diagnostic

#1

I keep getting this error running System diagnostics. I can't find a resolution for this.

Critical: Check kerberos authenticated DNS update

Errors occured while running kinit or nsupdate.
kinit for principal ucstest$ with password file /etc/machine.secret failed.


#2

Hey,

what kind of a server role is this (see ucr get server/role), and is the package univention-samba4 installed (see dpkg -l univention-samba4)?

Kind regards,
mosu


#3

Server 1. Server role is memberserver and there is no samba4 installation.
Server 2. Server role is domaincontroller_slave with samba4 installation

The error also appeared on my DC but it has now disappeared.


#4

Hey,

for servers where there is no Samba 4 installation I consider this to be a false positive. See this bug for details.

For servers that do have a Samba 4 installation: please post the output of the following commands run on the server where the system diagnosis shows the error:

kinit --password-file=/etc/machine.secret $(hostname)\$
klist

Thanks.

Kind regards,
mosu


Critical: Check kerberos authenticated DNS update (on DC Master)
#5

root@ucskvm1:~# kinit --password-file=/etc/machine.secret $(hostname)$
root@ucskvm1:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: ucskvm1$@SUNHUT.LOCAL

Issued Expires Principal
Feb 15 11:10:11 2018 Feb 15 21:10:10 2018 krbtgt/SUNHUT.LOCAL@SUNHUT.LOCAL
root@ucskvm1:~#


#6

I am also having a problem running this join script on the same machine.

univention-run-join-scripts started
Thu Feb 15 11:24:29 CET 2018

RUNNING 98univention-samba4-dns.inst
2018-02-15 11:24:29.118619743+01:00 (in joinscript_init)
Waiting for RID Pool replication: …
Error no rIDSetReferences replicated for ucskvm1
EXITCODE=1

Thu Feb 15 11:27:58 CET 2018
univention-run-join-scripts finished


#7

Hey,

I’m a bit confused by what you’re writing, to be honest. Initially you talked about a server called ucstest:

Now you’re showing me output from a different server:

On this server the kinit works just fine.

Additionally you’re talking about the join script for ucskvm1 not working.

Can you please elaborate a bit? Which server showed the “Critical: Check kerberos authenticated DNS update” error in the system diagnosis?

What does the system diagnosis show for server “ucskvm1”?

And what’s the output of kinit --password-file=/etc/machine.secret $(hostname)$ when you run it on the server ucstest?

Thanks.

mosu


#8

I have this error on more than one server, currently there are two servers, originally there were four servers of which 3 had a Samba4 installation with this error.

Server 1 is ucstest
Server 2 is ucskvm1
Well, you said “for servers where there is no Samba 4 installation I consider this to be a false positive. See this bug for details”. Ucstest has no Samba4, so we can leave server 1 for the time being.

The other server is ucskvm1 (server 2), where there is a Samba4 installation. This is the server that is giving me a lot of problems.


#9

Hey,

thanks for the explanation. It all makes sense to me now, and I agree that we should ignore ucstest and focus on ucskvm1.

Can you please show me the output of ucr get samba/interfaces/bindonly and ucr get samba/interfaces from host ucskvm1?

mosu


#10

root@ucskvm1:/var/log/univention# ucr get samba/interfaces/bindonly
yes
root@ucskvm1:/var/log/univention# ucr get samba/interfaces
lo <interfaces/primary>
root@ucskvm1:/var/log/univention#


#11

I also get Critical: Check local AD database for error

samba-tool dbcheck returned a problem with the local AD database.
STDOUT: Checking 270 objects
No RID Set found for this server: CN=UCSKVM1,OU=Domain Controllers,DC=sunhut,DC=local, and we are not the RID Master (so can not self-allocate)
Please use --fix to fix these errors Checked 270 objects (1 errors)
You can run samba-tool dbcheck --fix to fix the issue.

samba-tool dbcheck --fix does not help.


#12

Thanks.

I suggest you try to re-join the server. Re-joining won’t remove any of your data, but it may actually fix issues such as the one you’re observing. Just run univention-join on ucskvm1.

mosu


#13

You said kinit for ucskvm1 was OK, but I still have the diagnostic error “Critical: Check kerberos authenticated DNS update”. Is that a false positive despite the server having a Samba4 installation?

The join is still stuck on 98univention-samba4-dns.inst with this error in join.log.
univention-run-join-scripts started
Fri Feb 16 14:47:48 CET 2018

RUNNING 98univention-samba4-dns.inst
2018-02-16 14:47:48.483258751+01:00 (in joinscript_init)
Waiting for RID Pool replication: …
Error no rIDSetReferences replicated for ucskvm1
EXITCODE=1

Fri Feb 16 14:51:09 CET 2018
univention-run-join-scripts finished
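The two checks mosu asks for in this thread (does the machine account's kinit produce a valid TGT, and what exactly the join script and dbcheck complain about) can be automated so the same questions do not have to be asked post by post. The script below is an added example written for this page; it is not part of UCS or of any of the posters' output. It parses Heimdal-style klist output of the form shown in post #5 and classifies the join.log / dbcheck lines shown in posts #6, #11 and #13. The sample strings are constructed from those posts, and the function names (parse_klist, check_machine_tgt, classify_join_log) are the example's own, not UCS commands.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the klist output in post #5 (Heimdal format).
SAMPLE_KLIST = """Credentials cache: FILE:/tmp/krb5cc_0
Principal: ucskvm1$@SUNHUT.LOCAL

  Issued                Expires               Principal
Feb 15 11:10:11 2018  Feb 15 21:10:10 2018  krbtgt/SUNHUT.LOCAL@SUNHUT.LOCAL
"""

# Constructed sample, modelled on the join.log and dbcheck lines in posts #6 and #11.
SAMPLE_LOG = """RUNNING 98univention-samba4-dns.inst
Waiting for RID Pool replication: ...
Error no rIDSetReferences replicated for ucskvm1
EXITCODE=1
No RID Set found for this server: CN=UCSKVM1,OU=Domain Controllers,DC=sunhut,DC=local, and we are not the RID Master (so can not self-allocate)
"""

# One klist ticket row: issued timestamp, expiry timestamp, service principal.
TICKET_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) +(\w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) +(\S+)$"
)

# Messages from the thread that identify the failure stage; first group is the subject.
FINDINGS = [
    ("kinit_failed", re.compile(r"kinit for principal (\S+) with password file \S+ failed")),
    ("rid_pool_not_replicated", re.compile(r"no rIDSetReferences replicated for (\S+)")),
    ("rid_set_missing", re.compile(r"No RID Set found for this server: (.+?), and we are not")),
]


def parse_klist_time(text):
    """Parse a klist timestamp such as 'Feb 15 11:10:11 2018' (extra spaces tolerated)."""
    return datetime.strptime(re.sub(r"\s+", " ", text.strip()), "%b %d %H:%M:%S %Y")


def parse_klist(text):
    """Return (principal, tickets) from klist output; tickets carry issued/expires/service."""
    principal, tickets = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets.append({
                "issued": parse_klist_time(m.group(1)),
                "expires": parse_klist_time(m.group(2)),
                "service": m.group(3),
            })
    return principal, tickets


def check_machine_tgt(klist_text, hostname, now):
    """Verify the cache holds an unexpired TGT for the machine account HOSTNAME$.

    Returns (ok, reason). The diagnostic's nsupdate step can only succeed if this holds.
    """
    principal, tickets = parse_klist(klist_text)
    if principal is None:
        return False, "no principal in klist output (kinit did not populate a cache)"
    if not principal.startswith(hostname + "$@"):
        return False, "cache holds %s, not the machine account %s$" % (principal, hostname)
    realm = principal.split("@", 1)[1]
    tgts = [t for t in tickets if t["service"] == "krbtgt/%s@%s" % (realm, realm)]
    if not tgts:
        return False, "no krbtgt ticket for realm %s" % realm
    latest = max(t["expires"] for t in tgts)
    if latest <= now:
        return False, "TGT for %s expired at %s" % (principal, latest.isoformat())
    return True, "valid TGT for %s until %s" % (principal, latest.isoformat())


def classify_join_log(text):
    """Scan join.log / dbcheck output for the known failure messages and the exit code."""
    findings, exit_code = [], None
    for raw in text.splitlines():
        line = raw.strip()
        for name, rx in FINDINGS:
            m = rx.search(line)
            if m:
                findings.append((name, m.group(1)))
        m = re.match(r"EXITCODE=(\d+)$", line)
        if m:
            exit_code = int(m.group(1))
    return {"findings": findings, "exit_code": exit_code}


if __name__ == "__main__":
    # Evaluate the constructed samples as of the time the thread's klist was taken.
    print(check_machine_tgt(SAMPLE_KLIST, "ucskvm1", parse_klist_time("Feb 15 12:00:00 2018")))
    print(classify_join_log(SAMPLE_LOG))
```

On a real host the two inputs would come from `kinit --password-file=/etc/machine.secret "$(hostname)\$" && klist` and from /var/log/univention/join.log; the point of separating the TGT check from the log classification is that in this thread they disagree: the TGT is fine on ucskvm1, so the failure sits in the RID pool replication, not in Kerberos.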