Error in the system diagnosis

Hello, everybody,

I have two system diagnostic errors on a UCS 4.4.1 (Master with Active Directory connection):

"Critical: Verification Kerberos authenticated DNS updates"

Errors occurred when executing `kinit` or `nsupdate`.
`nsupdate` Check for the domain stedry.local failed (tux.stedry.local).
`kinit` for the principal dns-tux with the password table /var/lib/samba/private/dns.keytab failed.

and:

"Problem: Check of SAML certificates failed!"

```
Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/__init__.py", line 275, in execute
    result = execute(umc_module, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/04_saml_certificate_check.py", line 76, in run
    test_identity_provider_certificate()
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/04_saml_certificate_check.py", line 89, in test_identity_provider_certificate
    for host in socket.gethostbyname_ex(sso_fqdn)[2]:
gaierror: [Errno -2] The name or service is not known
```

How can I fix them?

Many greetings
Sven

Hi pixel,
Is your DNS working?
Best Regards
pider

The SAML error is solved:
`univention-run-join-scripts --force --run-scripts 91univention-saml.inst`
in the terminal, then reboot.

There seems to be a problem here. When I was on the master:
IP: 192.168.1.5 / FQH: tux.stedry.local
test:

```
root@tux:~# dig @192.168.1.5

; <<>> DiG 9.10.3-P4-Univention <<>> @192.168.1.5
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61002
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.				IN	NS

;; Query time: 0 msec
;; SERVER: 192.168.1.5#53(192.168.1.5)
;; WHEN: Wed Jul 31 08:54:53 CEST 2019
;; MSG SIZE  rcvd: 28
```

From the client I can reach the master at: tux.stedry.local

Can you resolve and stedry.local?

How do I do it?

`dig @stedry.local`

```
root@tux:~# dig @stedry.local

; <<>> DiG 9.10.3-P4-Univention <<>> @stedry.local
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21642
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;.				IN	NS

;; ANSWER SECTION:
.			4220	IN	NS	m.root-servers.net.
.			4220	IN	NS	b.root-servers.net.
.			4220	IN	NS	c.root-servers.net.
.			4220	IN	NS	d.root-servers.net.
.			4220	IN	NS	e.root-servers.net.
.			4220	IN	NS	f.root-servers.net.
.			4220	IN	NS	g.root-servers.net.
.			4220	IN	NS	h.root-servers.net.
.			4220	IN	NS	a.root-servers.net.
.			4220	IN	NS	i.root-servers.net.
.			4220	IN	NS	j.root-servers.net.
.			4220	IN	NS	k.root-servers.net.
.			4220	IN	NS	l.root-servers.net.

;; ADDITIONAL SECTION:
m.root-servers.net.	5292	IN	A	202.12.27.33
m.root-servers.net.	5292	IN	AAAA	2001:dc3::35
b.root-servers.net.	5292	IN	A	199.9.14.201
b.root-servers.net.	5292	IN	AAAA	2001:500:200::b
c.root-servers.net.	6490	IN	A	192.33.4.12
c.root-servers.net.	5292	IN	AAAA	2001:500:2::c
d.root-servers.net.	5292	IN	A	199.7.91.13
d.root-servers.net.	5292	IN	AAAA	2001:500:2d::d
e.root-servers.net.	5292	IN	A	192.203.230.10
e.root-servers.net.	5292	IN	AAAA	2001:500:a8::e
f.root-servers.net.	5292	IN	A	192.5.5.241
f.root-servers.net.	5292	IN	AAAA	2001:500:2f::f
g.root-servers.net.	4695	IN	A	192.112.36.4
g.root-servers.net.	4690	IN	AAAA	2001:500:12::d0d
h.root-servers.net.	5292	IN	A	198.97.190.53
h.root-servers.net.	5292	IN	AAAA	2001:500:1::53
a.root-servers.net.	4210	IN	A	198.41.0.4
a.root-servers.net.	5882	IN	AAAA	2001:503:ba3e::2:30
i.root-servers.net.	5292	IN	A	192.36.148.17
i.root-servers.net.	5292	IN	AAAA	2001:7fe::53
j.root-servers.net.	5292	IN	A	192.58.128.30
j.root-servers.net.	5292	IN	AAAA	2001:503:c27::2:30
k.root-servers.net.	5292	IN	A	193.0.14.129
k.root-servers.net.	5292	IN	AAAA	2001:7fd::1
l.root-servers.net.	5292	IN	A	199.7.83.42
l.root-servers.net.	5292	IN	AAAA	2001:500:9f::42

;; Query time: 22 msec
;; SERVER: 192.168.1.22#53(192.168.1.22)
;; WHEN: Wed Jul 31 11:16:11 CEST 2019
;; MSG SIZE  rcvd: 824
```

Try

`dig stedry.local`
or
`nslookup stedry.local`

Here’s a post of mine explaining how to re-create the Kerberos keytab used for DNS updates:

Follow the steps after “However, if those steps don’t work either”.
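
An added example, not from any poster in this thread: a POSIX shell helper that reads `dig` output and reports the status together with the server that actually answered, because `dig @name` sends the query to the server called `name` instead of looking `name` up. The function names `dig_summary` and `check_dig` are hypothetical, and the sample inputs are trimmed from the two `dig` runs shown above.

```shell
#!/bin/sh
# Added example. Samples are trimmed from the two dig runs in this thread.
SAMPLE_MASTER=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 61002
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 192.168.1.5#53(192.168.1.5)'
SAMPLE_DOMAIN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21642
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 27
;; SERVER: 192.168.1.22#53(192.168.1.22)'

# dig_summary (hypothetical helper): read dig output on stdin and print
# "<status> <answer-count> <answering-server-ip>".
dig_summary() {
    awk '
        /->>HEADER<<-/ { for (i = 1; i < NF; i++) if ($i == "status:") st = $(i + 1) }
        /^;; flags:/   { for (i = 1; i < NF; i++) if ($i == "ANSWER:") an = $(i + 1) }
        /^;; SERVER:/  { srv = $3; sub(/#.*/, "", srv) }
        END {
            sub(/,$/, "", st); sub(/,$/, "", an)
            if (st == "") st = "NOHEADER"
            if (an == "") an = "?"
            if (srv == "") srv = "?"
            print st, an, srv
        }'
}

# check_dig EXPECTED_IP < dig-output (hypothetical helper)
# 0 = expected server answered NOERROR, 1 = it answered with an error,
# 2 = a different server answered, so the result says nothing about EXPECTED_IP.
check_dig() {
    expected=$1
    summary=$(dig_summary)      # consumes the dig output from stdin
    status=${summary%% *}
    server=${summary##* }
    if [ "$server" != "$expected" ]; then
        echo "MISMATCH: answered by $server, expected $expected ($status)"
        return 2
    fi
    if [ "$status" != "NOERROR" ]; then
        echo "FAIL: $expected returned $status"
        return 1
    fi
    echo "OK: $expected returned NOERROR"
}

# Both samples are checked against the master's address from the thread.
printf '%s\n' "$SAMPLE_MASTER" | check_dig 192.168.1.5 || true
printf '%s\n' "$SAMPLE_DOMAIN" | check_dig 192.168.1.5 || true
```

On a live system the same check reads real output, for example `dig @192.168.1.5 stedry.local | check_dig 192.168.1.5`.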
