KDC service check and Kerberos authenticated DNS updates both Critical

storm · April 15, 2021, 7:02pm

Hello community. As described in the topic title i get these 2 error messages in the system diagnostic section of my Univention DC:

Critical: KDC service check
Critical: Check kerberos authenticated dns updates

Expanding the first item i see only a “ph” and some buttons that should help me solve my problem (but none of them does); Expanding the second item i get this:

Errors occurred while running kinit or nsupdate.
nsupdate check for domain fakedomain.biz failed (ucsdc.frigoimpianti.biz).
nsupdate check for domain fakedomain.biz failed (ucsdc).

Name is obviously fake, tld is correct

The problem is that when i try to update the system it miserably fails and the errors reported become way more than just those 2. I have tried every possible link i have found here but i had no luck.
Apparently all the commands with kinit and klist are all good.
I am at a loss here. I have seen this happening only in broken installations but this hasn’t been touched in a while.
The UCS version is 4.4-6 errata787.
The thing i have noticed is that it’s using samba as DNS and if i switch to bind_DLZ when i try to perform the DNS update with:

samba_dnsupdate --all-names --verbose

It throws and uncaught exception:

ERROR(runtime): uncaught exception - (9711, WERR_DNS_ERROR_RECORD_ALREADY_EXISTS’)

and everything fails.
I have also tried to look at samba4 rejects but there are none.

I think i have done whatever i could possibly think of but the errors are always there.
I hope i can find some help in here. If you need more info on the configuration please just ask and i will provide.

Thanks in advance
G

jolentes · April 22, 2021, 7:03pm

I currently have a very similar issue on my Univention DC (running virtualized on Proxmox 6.3-3):

Critical: KDC service check
Critical: Check Heimdal KDC on Samba 4 DC
Critical: Check kerberos authenticated dns updates

I looked through several post in the forum regarding KDC problems.

There are no smbd processes running, but reports running:

root@ucs:/var/run# systemctl status smbd
● smbd.service - LSB: Samba SMB/CIFS daemon (smbd)
   Loaded: loaded (/etc/init.d/smbd; generated; vendor preset: enabled)
   Active: active (exited) since Thu 2021-04-22 20:35:33 CEST; 15min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 12192 ExecStop=/etc/init.d/smbd stop (code=exited, status=0/SUCCESS)
  Process: 12306 ExecStart=/etc/init.d/smbd start (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 4915)
   Memory: 0B
      CPU: 0
   CGroup: /system.slice/smbd.service

Apr 22 20:35:32 ucs systemd[1]: Starting LSB: Samba SMB/CIFS daemon (smbd)...
Apr 22 20:35:33 ucs smbd[12306]: Samba is configured as AD DC, service smbd is controlled by the main samba daemon.
Apr 22 20:35:33 ucs systemd[1]: Started LSB: Samba SMB/CIFS daemon (smbd).

samba-tool reports no processes:

root@ucs:/var/run# samba-tool processes
 Service:                          PID
--------------------------------------

I could not find anything suspicious in UCS:

root@ucs:/var/run# ucr dump| grep -iE "^samba/|^samba4/"
samba/acl/allow/execute/always: true
samba/adminusers: administrator join-backup
samba/autostart: no
samba/deadtime: 15
samba/debug/level: 1
samba/domain/master: yes
samba/enable-msdfs: yes
samba/encrypt_passwords: yes
samba/getwd_cache: yes
samba/guest_account: nobody
samba/homedirletter: I
samba/homedirpath: %U
samba/homedirserver: ucs
samba/kernel_oplocks: yes
samba/large_readwrite: yes
samba/map_to_guest: Bad User
samba/max_open_files: 32808
samba/max_xmit: 65535
samba/oplocks: yes
samba/preserve_case: yes
samba/profilepath: %U\windows-profiles\%a
samba/profileserver: ucs
samba/quota/command: None
samba/read_raw: yes
samba/register/exclude/interfaces: docker0
samba/share/groups: no
samba/share/home: yes
samba/share/netlogon: yes
samba/short_preserve_case: yes
samba/store_dos_attributes: yes
samba/use_spnego: yes
samba/write_raw: yes
samba4/autostart: yes
samba4/backup/cron: 0 3 * * *
samba4/function/level: 2008_R2
samba4/ldap/base: DC=INT,DC=LENTES,DC=ME
samba4/ntacl/backend: native
samba4/role: DC
samba4/service/nmb: nmbd
samba4/service/smb: s3fs
samba4/sysvol/cleanup/cron: 4 4 * * *
samba4/sysvol/sync/cron: */5 * * * *
samba4/sysvol/sync/jitter: 60
samba4/sysvol/sync/setfacl/AU: false

Any hints for further diagnosis?

BR,
Jörn

jolentes · April 24, 2021, 8:06pm

I was able to get Samba / KDC running again by re-provisioning the Samba server following this HowTo: Re-Provisioning Samba4 on a DC Master

storm · April 27, 2021, 4:36pm

Thank you for your hint jolentes. I will move that instance into my test area and will perform the steps suggested in the article you linked at a later time. Although i have no reference to Heimdal in my system diagnostic page therefore i am kind of inclined to believe that your issue, even if it seems to be similar to mine, has a different root cause.

To the forum admins: This is going to be a production system, therefore, i am won’t repair it and go with it as I’d rather perform a full reinstallation since it’s basically an unconfigured UCS. I will mark this post as solved if you wish.

storm · May 6, 2021, 7:49am

After some trial and tests i have discovered that it’s related to this post https://help.univention.com/t/installing-openntpd-seems-to-break-the-installation/17767/2 therefore installing the package openntpd seems to break the installation.
Marking this as solved.