KDC reachability critical

well, hm:
The funny thing is that Kerberos (heimdal-kerberos) is working on the slave just fine (although not listed as running):

root@slave:~# kinit Administrator
Administrator@DOMAIN.NAME's Password: 
root@slave:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: Administrator@DOMAIN.NAME

  Issued                Expires               Principal
Feb 22 17:43:46 2018  Feb 23 03:43:41 2018  krbtgt/DOMAIN.NAME@DOMAIN.NAME

Slave-role servers seem to not get a host entry on the master samba4 server (unlike member servers). Checking with:

univention-s4search '(|(userPrincipalName=*)(servicePrincipalName=*))' userPrincipalName servicePrincipalName

on both domains. This may make sense as they are supposed to work ‘more independent’ from master-servers (local LDAP queries).
But anyway - strange error - as it is not shown on the LAN.

Still thinking about it,
Bernd