Problem with ssl tunnel after last errata

stunnel

#1

Hi

I have a dc master and a dc backup.
I noticed that after the last errata, the following report began to appear in backup dc:
/var/log/boot.log
[OK] Started ACPI event daemon.
[OK] Started RPC Remote Quota Server.
[OK] Started LSB: saslauthd startup script.
[FAILED] Failed to start LSB: Start or stop stunnel 4.x (SSL tunnel for network daemons).
See ‘systemctl status stunnel4.service’ for details.
[OK] Started LSB: Starts the Name Service Cache Daemon.
[OK] Started LSB: Brings up / down network automatically.

When I do System diagnostic, the following report appears

Critical: Check kerberos authenticated DNS updates
Errors occured while running kinit or nsupdate.
kinit for principal democrates$ with password file /etc/machine.secret failed.

Any suggestions of what might be happening and how to solve it?

Best Regards,

Michael Voigt


#2

Hi @mcvoigt,

Have you ever tried to find out what can be found in:

systemctl status stunnel4

Please also have a look at the output of:

samba_dnsupdate --verbose

Kind Regards


#3

Hi,

This server is the backup DC ok.

root@democrates:/var/log# systemctl status stunnel4
● stunnel4.service - LSB: Start or stop stunnel 4.x (SSL tunnel for network daemons)
Loaded: loaded (/etc/init.d/stunnel4)
Active: failed (Result: exit-code) since Mon 2017-10-16 11:28:28 BRST; 8min ago
Process: 1038 ExecStart=/etc/init.d/stunnel4 start (code=exited, status=1/FAILURE)

Oct 16 11:28:28 democrates stunnel4[1038]: [ ] Listening file descriptor cre…)
Oct 16 11:28:28 democrates stunnel4[1038]: [!] Error binding service [promet…t
Oct 16 11:28:28 democrates stunnel4[1038]: [!] bind: No such file or directo…)
Oct 16 11:28:28 democrates stunnel4[1038]: [ ] Closing service [memcached]
Oct 16 11:28:28 democrates stunnel4[1038]: [ ] Service [memcached] closed (FD=7)
Oct 16 11:28:28 democrates stunnel4[1038]: [ ] Service [memcached] closed
Oct 16 11:28:28 democrates stunnel4[1038]: [ ] Closing service [prometeus.vo…]
Oct 16 11:28:28 democrates stunnel4[1038]: [ ] Service [prometeus.vost.lan] …d
Oct 16 11:28:28 democrates stunnel4[1038]: failed
Oct 16 11:28:28 democrates stunnel4[1038]: You should check that you have sp…e
Hint: Some lines were ellipsized, use -l to show in full.

samba_dnsupdate --verbose not available in backup DC …

Is this behavior normal because it is backup dc?

Best Regards,
Michael


#4

Hi @mcvoigt,

in my testing environment my backup server also has the package ‘univention-samba4’ installed. This makes it a Samba DC with the ability to update DNS.

dpkg -l univention-samba4

What does the output of the following command show?

univention-check-join-status

#5

Hi,

join result:
Joined successfully

However, in dc-backup the samba package is missing.
Strange, in the installation this package should already come as default? Or was it even necessary to install it by hand?
In that case, to leave it the way it needs to be, should I just install the univention-samba4 package? Or should I follow a script?
Thank you for your support.

Best Regards,
Michael


#6

Hi @mcvoigt,

By default Samba is always installed, but you have to differentiate between Samba and Samba/AD - which are totally not the same. The package univention-samba ships all the normal Samba functionality, but when it comes to Active Directory services you need univention-samba4. However, on your system either OpenLDAP serves as DNS backend or Samba/AD does. You might check this by:

ucr get dns/backend

I suggest installing the same services on the backup as are on the master - that’s the purpose of a backup DC.
For additional services use one or more slaves. The memberserver should mostly be used as File- and Printserver.

Please also check your errata level because we published a Samba patch for the dns behavior a short while ago.

lsb_release -sr

Kind Regards


#7

Hi @stoeckigt

DC-MASTER: 4.2-2 errata202
DC-BACKUP: 4.2-2 errata202

I installed the univention-samba4 package on DC-BACKUP.
However, the error message on the DC-Backup button still remains:
[FAILED] Failed to start LSB: Start or stop stunnel 4.x (SSL tunnel for network daemons).

DC-MASTER: dns/backend — samba4
DC-BACKUP: dns/backend — ldap

What next steps should I follow?

Kind Regards,

Michael Voigt


#8

Hi @mcvoigt,

if you installed the package via apt-get install or univention-install it’s not the proper way!
You need to install the ‘Active Directory compatible DC’ from the App Center. You also might do this via terminal like:

univention-app install samba4

If you do it the right way all your system settings will correctly be set so your system acts as a Samba DC.

Before this you need to remove the wrongly installed package.

Kind Regards


#9

Hi @mcvoigt,

the problem with stunnel is not relevant in terms of samba_dnsupdate.

It isn’t a real problem at all. stunnel is a dependency of univention-saml, but this comes with its own implementation, so stunnel is not needed and the error is a “false positive”. You might simply deactivate it to avoid that message.

systemctl disable stunnel4

Kind Regards


#10

Hi @stoeckigt,

I understood, I was able to install samba4 in backup-dc and I also disabled the stunnel message according to your suggestion. It worked, thank you very much for your support.

Kind Regards,

Michael Voigt