Problem
The System diagnostic module reports the check as failed. German locale:
Kritisch: Überprüfe Kerberos authentifizierte DNS Updates
Fehler traten auf bei der Ausführung von 'kinit' oder 'nsupdate'. `nsupdate` Prüfung für die Domäne <Domainname> ist fehlgeschlagen.
English locale:
CRITICAL : Check kerberos authenticated DNS updates
Errors occured while running kinit or nsupdate
kinit for principal dns-ucsdc with keytab /var/lib/samba/private/dns.keytab failed.
Environment
First make sure you are using Samba4 as DNS backend:
root@master:~# ucr get dns/backend
samba4
Solution
Step 1
Manual test: reproduce the check by hand with kinit and nsupdate.
Note: An issue regarding this test in ucs@school has been fixed with UCS 4.3-0e6.
Option 1
If kinit reports "Password incorrect" as below, the keytab no longer matches the account's password; proceed to Step 2.
root@master:~# kinit --keytab="/var/lib/samba/private/dns.keytab" dns-$(hostname) || echo $?
kinit: Password incorrect
1
Option 2
If kinit returns silently and nsupdate prints a reply like the following, everything is fine; the output is only verbose because of -d (debug mode).
root@master:~# kinit -t /var/lib/samba/private/dns.keytab dns-$(hostname)
root@master:~#
root@master:~# echo -ne "server $(ucr get ldap/master)\nprereq yxdomain $(hostname -f)\nsend\n" | nsupdate -d -g -t15
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9981
;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;master.multi.ucs. IN SOA
;; AUTHORITY SECTION:
multi.ucs. 3600 IN SOA master.multi.ucs. root.multi.ucs. 294 28800 7200 604800 3600
[...]
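The Step 1 test as a script, added here as an example that is not part of the original article: it runs the same kinit and nsupdate commands as above and classifies the result, and its two parsing helpers can be exercised offline on the constructed sample traces included in the block. It assumes the Heimdal kinit syntax used above and that ucr and hostname behave as in the article.

```shell
#!/bin/sh
# Added example (not from the original article): scripted version of the
# Step 1 manual test. Assumes Heimdal kinit (-t keytab) as on UCS and the
# ucr/hostname commands used in the article.

KEYTAB=/var/lib/samba/private/dns.keytab

# Classify a kinit run from its exit status ($1) and stderr text ($2):
# prints "ok", "password-incorrect" (Step 2 of the article applies) or "error".
classify_kinit() {
    if [ "$1" -eq 0 ]; then
        echo ok
    elif printf '%s\n' "$2" | grep -q 'Password incorrect'; then
        echo password-incorrect
    else
        echo error
    fi
}

# Inspect an nsupdate -d trace on stdin. Every reply header must report
# status NOERROR, and the zone's SOA record must appear outside the
# commented (;) sections, as in the healthy output shown in the article.
nsupdate_reply_ok() {
    trace=$(cat)
    if printf '%s\n' "$trace" | grep 'status:' | grep -qv 'status: NOERROR'; then
        return 1
    fi
    printf '%s\n' "$trace" | grep -v '^;' | grep -q 'IN SOA'
}

# Constructed sample traces for offline testing of nsupdate_reply_ok; the
# first mirrors the healthy output from the article, the second is a made-up
# failing update reply.
SAMPLE_OK_REPLY='Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9981
;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;master.multi.ucs. IN SOA
;; AUTHORITY SECTION:
multi.ucs. 3600 IN SOA master.multi.ucs. root.multi.ucs. 294 28800 7200 604800 3600'
SAMPLE_BAD_REPLY='Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOTAUTH, id: 1234
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0'

# Live check against this host: kinit with the DNS keytab, then the same
# prerequisite-only nsupdate request as in the article (does our FQDN exist?).
run_check() {
    principal="dns-$(hostname)"
    err=$(kinit -t "$KEYTAB" "$principal" 2>&1 >/dev/null)
    rc=$?
    state=$(classify_kinit "$rc" "$err")
    if [ "$state" != ok ]; then
        echo "kinit for $principal with $KEYTAB failed ($state): $err" >&2
        return 1
    fi
    master=$(ucr get ldap/master)
    reply=$(printf 'server %s\nprereq yxdomain %s\nsend\n' "$master" "$(hostname -f)" \
            | nsupdate -d -g -t15 2>&1)
    rc=$?
    if [ "$rc" -eq 0 ] && printf '%s\n' "$reply" | nsupdate_reply_ok; then
        echo "Kerberos authenticated DNS update check passed"
        return 0
    fi
    echo "nsupdate check failed (exit $rc):" >&2
    printf '%s\n' "$reply" >&2
    return 1
}

# Only touch the live system when invoked as: sh check_dns_keytab.sh run
if [ "${1:-}" = run ]; then run_check; fi
```

Run it as `sh check_dns_keytab.sh run` on the domain controller; a non-zero exit with "password-incorrect" is the case the article's Step 2 addresses.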
Step 2
Try to fix the issue
Option 1
Restart Samba service and check if it fixes the error. If not, proceed.
/etc/init.d/samba restart
Option 2
Reset the DNS account's password in Samba to the value stored in secrets.ldb (the command reads the `secret` attribute of the dns-<hostname> entry and sets it as the new account password):
samba-tool user setpassword --newpassword="$(ldbsearch -H /var/lib/samba/private/secrets.ldb samAccountName=dns-$(hostname) secret | sed -ne 's/^secret: //p')" --filter=samaccountname=dns-$(hostname)
Option 3
Re-write the keytab in case you see the message "Error updating dns-service account password in secrets.ldb: No saltPrincipal provided.":
root@dcs1:~# keytab=/var/lib/samba/private/dns.keytab
root@dcs1:~# mv $keytab $keytab.$(date '+%Y%m%d%H%M%S')
root@dcs1:~# samba-tool domain exportkeytab $keytab --principal DNS/$(hostname).$(ucr get domainname)
Export one principal to /var/lib/samba/private/dns.keytab
root@dcs1:~# samba-tool domain exportkeytab $keytab "--principal=dns-$(hostname)@$(ucr get kerberos/realm)"
Export one principal to /var/lib/samba/private/dns.keytab
root@dcs1:~# kinit -t /var/lib/samba/private/dns.keytab dns-$(hostname)
Note: Make sure the file “dns.keytab” exists after the above procedure. If not, proceed to Option 4.
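Option 3 as a script, added here as an example that is not part of the original article: it keeps the timestamped backup, re-exports both principals, then verifies that the file exists (the note above) and that both principals are actually in the new keytab before trying kinit. It assumes the Heimdal tools shipped with UCS (`ktutil -k <file> list` to list keytab entries) and the ucr, hostname and samba-tool commands used above; the keytab listing in the block is a constructed sample for offline testing.

```shell
#!/bin/sh
# Added example (not from the original article): Option 3 with verification.
# Assumes Heimdal 'ktutil -k <keytab> list' for listing entries, plus the
# ucr/hostname/samba-tool commands used in the article.

KEYTAB=/var/lib/samba/private/dns.keytab

# The two principals the article exports: the DNS service principal and the
# dns-<host> account principal. $1 = short hostname, $2 = DNS domain, $3 = realm.
expected_principals() {
    printf 'DNS/%s.%s@%s\n' "$1" "$2" "$3"
    printf 'dns-%s@%s\n' "$1" "$3"
}

# Read a keytab listing on stdin and require every principal given as an
# argument to appear as a whole word in it. Returns 0 only if all are present.
listing_has_principals() {
    listing=$(cat)
    for p in "$@"; do
        printf '%s\n' "$listing" | grep -qFw -- "$p" || { echo "missing in keytab: $p" >&2; return 1; }
    done
    return 0
}

# Constructed sample of a Heimdal-style 'ktutil list' output for offline tests.
SAMPLE_LISTING='FILE:/var/lib/samba/private/dns.keytab

Vno  Type                     Principal                      Aliases
  1  aes256-cts-hmac-sha1-96  DNS/dcs1.multi.ucs@MULTI.UCS
  1  aes256-cts-hmac-sha1-96  dns-dcs1@MULTI.UCS'

rewrite_dns_keytab() {
    host=$(hostname)
    domain=$(ucr get domainname)
    realm=$(ucr get kerberos/realm)
    # Keep the old keytab under a timestamped name, as the article does.
    if [ -f "$KEYTAB" ]; then
        mv "$KEYTAB" "$KEYTAB.$(date '+%Y%m%d%H%M%S')"
    fi
    samba-tool domain exportkeytab "$KEYTAB" --principal "DNS/$host.$domain" || return 1
    samba-tool domain exportkeytab "$KEYTAB" --principal "dns-$host@$realm" || return 1
    # The article's note: the file must exist afterwards, otherwise Option 4 applies.
    if [ ! -f "$KEYTAB" ]; then
        echo "$KEYTAB was not re-created; check that the DNS account exists (Option 4)" >&2
        return 2
    fi
    # Both principals must actually be in the new keytab before kinit is tried.
    ktutil -k "$KEYTAB" list \
        | listing_has_principals $(expected_principals "$host" "$domain" "$realm") || return 1
    kinit -t "$KEYTAB" "dns-$host"
}

# Only modify the live system when invoked as: sh rewrite_dns_keytab.sh run
if [ "${1:-}" = run ]; then rewrite_dns_keytab; fi
```

The exit code distinguishes a failed export or a keytab missing a principal (1) from the case the note above describes, a keytab that was not re-created at all (2).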
Option 4
If the file did not get re-created with option 3, verify the DNS account exists:
root@ucs:~# univention-s4search "samAccountName=dns-$(hostname)" dn
# record 1
dn: CN=dns-lenaedu,CN=Users,DC=schulen,DC=ucs
[...]
In case the account is not found, re-create it by running the join-scripts again:
root@ucs:~# univention-run-join-scripts --force --run-scripts 98univention-samba4-dns.inst
After this, repeat the steps from Option 3.