Hey,
There are two ways to repair such a problem, depending on what the actual problem is. First a couple of questions as you’re somewhat vague in your description:
- Do you have more than one UCS server?
- If so, what’s the name of your DC Master and which server is this problem occurring on?
You said you already tried what I wrote in this post, correct? Please really link to the topic (even better: to the post in the topic) instead of just referring to it by its subject as subjects can be ambiguous.
I assume that you only have one UCS server which is both the Kerberos KDC as well as the one your problem occurs on. If not, we’ll have to adjust the following commands.
First let’s make sure that the key the KDC has stored really doesn’t work. Please try the following (and be exact with the commands — ideally just copy & paste them; if not, be extra careful not to confuse @ with . etc.):
samba-tool domain exportkeytab test-keytab --principal=dns-$(ucr get hostname)@$(ucr get kerberos/realm)
samba-tool domain exportkeytab test-keytab --principal=DNS/$(ucr get hostname).$(ucr get kerberos/realm)
kinit -t test-keytab dns-$(ucr get hostname)@$(ucr get kerberos/realm)
kinit -t test-keytab DNS/$(ucr get hostname).$(ucr get kerberos/realm)
The first two commands should each print:
Export one principal to test-keytab
The latter two commands shouldn't output anything.
If all of those succeed, we can continue to test an actual DNS update with those keys:
kinit -t test-keytab dns-$(ucr get hostname)@$(ucr get kerberos/realm)
eval "$(ucr shell)"
nsupdate -g <<%EOF
server $ldap_master
prereq yxdomain $hostname.$domainname
send
%EOF
Again, if everything works fine, the nsupdate command shouldn’t output anything. If this is the case, then please follow the steps shown in the aforementioned post precisely as they will solve your issue.
However, if those steps don’t work either, there’s one more thing you can do: re-create the whole Kerberos service account for DNS. The following steps are required:
udm users/user delete --dn=uid=dns-$(hostname),cn=users,$(ucr get ldap/base)
ldbdel -H /var/lib/samba/private/secrets.ldb "samAccountName=dns-$(hostname),CN=Principals"
# Now wait until your S4 connector has finished syncing the deleted objects. Watch /var/log/univention/connector-s4.log for corresponding messages.
/usr/share/univention-samba4/scripts/create_spn_account.sh --samaccountname "dns-$(hostname)" --serviceprincipalname "DNS/$(hostname).$(ucr get domainname)" --privatekeytab dns.keytab
# Again, wait until the S4 connector has finished syncing.
/usr/share/univention-s4-connector/resync_object_from_s4.py "cn=dns-$(hostname),cn=users,$(ucr get samba4/ldap/base)"
# Wait for the S4 connector a third time.
keytab=/var/lib/samba/private/dns.keytab
mv $keytab $keytab.$(date '+%Y%m%d%H%M%S')
samba-tool domain exportkeytab $keytab "--principal=DNS/$(hostname).$(ucr get domainname)"
samba-tool domain exportkeytab $keytab "--principal=dns-$(hostname)@$(ucr get kerberos/realm)"
chmod 0640 $keytab
Kind regards,
mosu
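As an added example (this is not part of mosu's post or of any UCS script), the keytab and nsupdate verification from the reply above can be wrapped into one function that keeps the exported keys out of the default credential cache, creates the test keytab with 0600 permissions, and removes both again afterwards, since an exported keytab contains the account's long-term keys. It assumes the UCS tools (ucr, samba-tool, kinit, kdestroy, nsupdate) are on PATH and that it runs as root on the DC that is also the KDC; the service principal is checked in the lowercase FQDN form used by the re-creation steps. The file name verify-dns-keys.sh and the return codes are my own choices.

```shell
#!/bin/bash
# Added example, not from the original post. Assumes UCS tools (ucr,
# samba-tool, kinit, kdestroy, nsupdate) on PATH, run as root on the KDC.
set -u

# Export one principal into $keytab and obtain a ticket with it, using a
# private credential cache so the caller's own tickets are untouched.
# Returns 0 on success, 1 if the export failed, 2 if the key was exported
# but the KDC rejected it (i.e. the stored key no longer matches).
check_principal() {
    local keytab=$1 principal=$2 cache=$3 err
    if ! err=$(samba-tool domain exportkeytab "$keytab" --principal="$principal" 2>&1 >/dev/null); then
        echo "export failed: $principal: $err"
        return 1
    fi
    if ! err=$(kinit -c "FILE:$cache" -t "$keytab" "$principal" 2>&1 >/dev/null); then
        echo "kinit failed: $principal: $err"
        return 2
    fi
    echo "ok: $principal"
}

# Check both principal spellings, then send a GSS-TSIG update whose only
# content is a prerequisite, so no DNS record is changed. Returns 0 when
# everything works, otherwise the code of the failing step (3 = nsupdate).
verify_dns_keys() {
    local host realm domain master keytab cache principal rc=0
    host=$(ucr get hostname)
    realm=$(ucr get kerberos/realm)
    domain=$(ucr get domainname)
    master=$(ucr get ldap/master)
    # mktemp creates both files 0600: the keytab holds the account's keys,
    # the cache holds its tickets; neither may be world-readable.
    keytab=$(mktemp "${TMPDIR:-/tmp}/dns-test-keytab.XXXXXX") || return 4
    cache=$(mktemp "${TMPDIR:-/tmp}/dns-test-ccache.XXXXXX") || { rm -f "$keytab"; return 4; }

    for principal in "dns-$host@$realm" "DNS/$host.$domain"; do
        check_principal "$keytab" "$principal" "$cache" || rc=$?
    done

    if [ "$rc" -eq 0 ]; then
        kinit -c "FILE:$cache" -t "$keytab" "dns-$host@$realm" >/dev/null 2>&1
        if printf 'server %s\nprereq yxdomain %s.%s\nsend\n' "$master" "$host" "$domain" \
            | KRB5CCNAME="FILE:$cache" nsupdate -g >/dev/null 2>&1; then
            echo "ok: GSS-TSIG prereq against $master"
        else
            echo "nsupdate failed: GSS-TSIG prereq against $master"
            rc=3
        fi
    fi

    # Never leave exported keys or tickets behind.
    kdestroy -c "FILE:$cache" >/dev/null 2>&1 || true
    rm -f "$keytab" "$cache"
    return "$rc"
}

# Runs the check when saved as verify-dns-keys.sh and executed directly;
# when sourced, only the functions are defined.
case "${0##*/}" in
    verify-dns-keys.sh) verify_dns_keys ;;
esac
```

A return code of 2 is the situation the post is about: the key can be exported, so the account exists, but the KDC does not accept it, which is when the steps from the linked post (or, failing that, re-creating the account) apply. A return code of 1 means the principal is missing altogether, so jump straight to the re-creation steps.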