KDC error - authentication wordpress

Hi everyone,

Last week we fixed an issue regarding an error on our mail relay (see the link below regarding the case).

By changing the nameserver to a public one we now get a “KDC error” and we are not able to authenticate to our WordPress.

Of course, if we put back the UCS nameserver then it works again, but we lose our relay server. Any suggestion would be appreciated.

Kind regards,

Jean-Raoul

Hi,

in this case there seems to be no other solution than to follow the other advice: creating entries for your externally managed systems in UCS. I would try to use an “IP managed client” for this purpose, where you can also specify non-local IP addresses.

Best Regards,
Dirk Ahrnke

Hi,

We tried to add an unmanaged client with the “IP managed client” setting but it is not working. It still doesn’t find the host. But thanks anyway.
Kind regards,
Jean-Raoul

I am pretty sure that it will work as long as

  • the DNS in UCS thinks that it is responsible for domain.com (as mentioned in the other post)
  • you have configured the DNS-settings in the attributes of IP managed client

The latter will insert the host record into the DNS-module. It is also possible to add the A-record directly in the DNS-zone by using the UMC-module, but using the IP managed client will give additional capabilities.

hth,
Dirk Ahrnke

In DNS we had the following entries
–> create new forward zone and reverse zone
–> zone name: mydomain.com, name server=mx1.mydomain.com, IP address=8.8.8.8
–> for reverse zone setting: Public IP = mx1.mydomain.com

In Computers we had the following entries
–>add “Computer: IP managed client”
–>add “Computer: IP managed name=mx1”
–>add “dns forward zone” and “reverse zone” from the step before.

It seems that the UCS keeps looking at its own DNS zone and IP range.

From the postfix log
–>status=deferred (Host or domain name not found. Name service error for name=mx1.mydomain.com type=MX: Host not found, try again)

First, some remarks on the failed attempt:

That doesn’t make sense. If you really want to provide the forward zone for “domain.com” you should point to a name server you have under your control. In this case, and especially if you want to provide an A-record for mx1.domain.com by using an IP managed client, this should be the UCS.

There is no need to create a reverse zone for this task.

There is some explanation of the behaviour in https://docs.software-univention.de/manual-4.3.html#computers:Configuring_the_name_servers

This means that you should rather try to configure dns/forwarder1 (and additional ones) by using the DNS provided by your internet provider or, in case you really want to feed Google, 8.8.8.8. (1.1.1.1 and 9.9.9.9 are other common public DNS servers).

After changing these UCR variables you have to restart the “bind9” service.
I’d recommend to use tools like host or dig to check if the name resolution is working instead of looking into application logs.
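
The dig check suggested above, as an added example that is not part of the original post: it queries the local UCS nameserver and the upstream forwarder for the same name and prints the response status plus each answer with its remaining TTL. The local server address 127.0.0.1 and the sample dig output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Run it after setting dns/forwarder1 and restarting bind9.

# Constructed samples of dig output (not taken from the thread).
SAMPLE_HEADER=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4242'
SAMPLE_ANSWER='mx1.mydomain.com.  287   IN  A   192.0.2.25
mydomain.com.      3600  IN  MX  10 mx1.mydomain.com.'

# Read dig output on stdin, print "TYPE TTL RDATA" for every answer record.
# Comment lines (";; ...") are skipped because their third field is not "IN".
parse_answers() {
    awk 'NF >= 5 && $3 == "IN" {
        out = $4 " " $2
        for (i = 5; i <= NF; i++) out = out " " $i
        print out
    }'
}

# Read dig output on stdin, print the response status (NOERROR, NXDOMAIN, ...).
parse_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# usage: query <server> <name> <type>
query() {
    out=$(dig +noall +comments +answer +time=3 +tries=1 "@$1" "$2" "$3")
    printf '%s %s %s: %s\n' "$1" "$2" "$3" \
        "$(printf '%s\n' "$out" | parse_status)"
    printf '%s\n' "$out" | parse_answers | sed 's/^/    /'
}

# usage: compare <name> [local-server] [forwarder]
# Defaults: 127.0.0.1 (assumed local UCS bind9) and 8.8.8.8 (from the thread).
compare() {
    for server in "${2:-127.0.0.1}" "${3:-8.8.8.8}"; do
        query "$server" "$1" A
        query "$server" "$1" MX
    done
}

# Only touch the network when asked to: sh check.sh --live mx1.mydomain.com
if [ "${1:-}" = "--live" ]; then
    compare "$2"
fi
```

A TTL on the local server that counts down between two runs indicates a cached answer, which keeps being served until it expires even after the forwarder settings were changed.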

Hi,
We didn’t change anything but it is now working. I think we have a TTL issue.
Many thanks for your help.
Kind regards,
Jean-Raoul
