CRITICAL : Check kerberos authenticated DNS updates / Critical: Check Kerberos-authenticated DNS updates

Problem

Critical: Check Kerberos-authenticated DNS updates
Errors occurred while running 'kinit' or 'nsupdate'. The `nsupdate` check for the domain <Domainname> failed.
CRITICAL : Check kerberos authenticated DNS updates
Errors occured while running kinit or nsupdate
kinit for principal dns-ucsdc with keytab /var/lib/samba/private/dns.keytab failed.

Investigation

First make sure that Samba 4 is configured as the DNS backend:

root@master:~# ucr get dns/backend
samba4

Solution

Step 1

Manual testing.
Note: An issue regarding this test in ucs@school has been fixed with UCS 4.3-0e6.

Option 1

If you get “Password incorrect” as shown below, proceed to Step 2.

root@master:~# kinit --keytab="/var/lib/samba/private/dns.keytab" dns-$(hostname) || echo $?
kinit: Password incorrect
1

Option 2

All is fine, even though the output is long.

root@master:~# kinit -t /var/lib/samba/private/dns.keytab dns-$(hostname)
root@master:~# 
root@master:~# echo -ne "server $(ucr get ldap/master)\nprereq yxdomain $(hostname -f)\nsend\n" | nsupdate -d -g -t15
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:   9981
;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;master.multi.ucs.		IN	SOA

;; AUTHORITY SECTION:
multi.ucs.		3600	IN	SOA	master.multi.ucs. root.multi.ucs. 294 28800 7200 604800 3600
[...]

Step 2

Try to fix the issue

Option 1

Restart the Samba service and check whether that fixes the error. If not, proceed to the next option.
/etc/init.d/samba restart

Option 2

Reset the password like this:

samba-tool user setpassword --newpassword="$(ldbsearch -H /var/lib/samba/private/secrets.ldb samAccountName=dns-$(hostname) secret | sed -ne 's/^secret: //p')" --filter=samaccountname=dns-$(hostname)

Option 3

Rewrite the keytab if you see the message "Error updating dns-service account password in secrets.ldb: No saltPrincipal provided."

root@dcs1:~# keytab=/var/lib/samba/private/dns.keytab
root@dcs1:~# mv $keytab $keytab.$(date '+%Y%m%d%H%M%S')
root@dcs1:~# samba-tool domain exportkeytab $keytab --principal DNS/$(hostname).$(ucr get domainname)
Export one principal to /var/lib/samba/private/dns.keytab
root@dcs1:~# samba-tool domain exportkeytab $keytab "--principal=dns-$(hostname)@$(ucr get kerberos/realm)"
Export one principal to /var/lib/samba/private/dns.keytab
root@dcs1:~# kinit -t /var/lib/samba/private/dns.keytab dns-$(hostname)
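The manual test from Step 1 and the decision of which Step 2 option to try can be scripted. The following is an added example, not part of the original article or of Univention's diagnostic module. It assumes a UCS host with `ucr`, Heimdal `kinit` and `nsupdate` available and the keytab path used above; the `--run` flag and the function names are this example's own conventions, and the embedded nsupdate reply is a constructed sample copied from the output shown in Step 1.

```shell
#!/bin/sh
# Added example (not from the original article): run the Kerberos DNS-update
# check end to end and map known failure texts to the repair steps above.
# Assumptions: UCS host, Heimdal kinit, BIND nsupdate, keytab path as in the article.

KEYTAB=${KEYTAB:-/var/lib/samba/private/dns.keytab}

# Map the text a tool printed to the repair step from the article.
# "Password incorrect" -> Step 2; "No saltPrincipal provided" -> Step 2, Option 3.
triage_output() {
    case "$1" in
        "")                              echo "ok" ;;
        *"Password incorrect"*)          echo "step2" ;;
        *"No saltPrincipal provided"*)   echo "step2-option3" ;;
        *)                               echo "unknown" ;;
    esac
}

# Pull the status of the last reply header out of 'nsupdate -d' debug output.
# Only the final reply matters: an earlier SOA lookup can succeed while the
# authenticated update itself is refused.
nsupdate_status() {
    printf '%s\n' "$1" \
      | sed -ne 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p' \
      | tail -n 1
}

# Constructed sample (copied from the Step 1 output above) used for offline testing.
SAMPLE_REPLY=$(cat <<'EOF'
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:   9981
;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;master.multi.ucs.		IN	SOA
EOF
)

# Live check: kinit with the DNS keytab, then the same nsupdate prereq probe
# as in Step 1. Returns 0 when the final reply status is NOERROR.
run_check() {
    host=$(hostname)
    # Capture stderr only: Heimdal kinit reports "Password incorrect" there.
    kinit_err=$(kinit -t "$KEYTAB" "dns-$host" 2>&1 >/dev/null)
    verdict=$(triage_output "$kinit_err")
    if [ "$verdict" != "ok" ]; then
        echo "kinit failed: $kinit_err (see $verdict)" >&2
        return 1
    fi
    reply=$(printf 'server %s\nprereq yxdomain %s\nsend\n' \
        "$(ucr get ldap/master)" "$(hostname -f)" | nsupdate -d -g -t15 2>&1)
    status=$(nsupdate_status "$reply")
    echo "nsupdate reply status: ${status:-none}"
    [ "$status" = "NOERROR" ]
}

# Only touch kinit/nsupdate when explicitly asked, so the helpers can be sourced.
if [ "${1:-}" = "--run" ]; then
    run_check
fi
```

Run it as `sh check-dns-update.sh --run` on the DC; a non-zero exit with a `step2` or `step2-option3` hint points at the matching option above, while an `unknown` verdict means the tool printed something the article does not cover and should be read in full.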
