well, hm:
The funny thing is that Kerberos (heimdal-kerberos) is working on the slave just fine (although not listed as running):
root@slave:~# kinit Administrator
Administrator@DOMAIN.NAME's Password:
root@slave:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: Administrator@DOMAIN.NAME
Issued Expires Principal
Feb 22 17:43:46 2018 Feb 23 03:43:41 2018 krbtgt/DOMAIN.NAME@DOMAIN.NAME
Slave-role servers seem to not get a host entry on the master samba4 server (unlike member servers). Checking with:
univention-s4search '(|(userPrincipalName=*)(servicePrincipalName=*))' userPrincipalName servicePrincipalName
on both domains. This may make sense as they are supposed to work ‘more independently’ from master servers (local LDAP queries).
But anyway - strange error - as it is not shown on the LAN.
Still thinking about it,
Bernd