Self-service problem (Unable to reach any changepw server in realm)

Hello together,

after reading some threads here on the forum, knowledge base, reinstallation, removing and purging - I need a hint!

What I want:
Self-service installed on a slave-server (vserver) with public static ip-address. The server is connected via openVPN to master and backup.

Procedure:
Some time ago I installed self-service on the master server. Now I’ve installed it on the slave -> didn’t work. Uninstalled both. Installed on the slave - won’t work.

Error message on the portal:

Passwort ändern fehlgeschlagen. Der Grund konnte nicht festgestellt werden. Für den Fall, dass es hilft, hier die originale Fehlernachricht: Unable to reach any changepw server in realm INT.DOMAIN.DE. Errorcode 20: Das neue Passwort konnte nicht gesetzt werden.

On the slave I can see a failing service:

root@slave:~# systemctl status univention-self-service-passwordreset-umc
● univention-self-service-passwordreset-umc.service - memcached daemon (univention-self-service instance)
   Loaded: loaded (/lib/systemd/system/univention-self-service-passwordreset-umc.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sun 2020-03-15 19:19:15 CET; 32s ago
  Process: 1118 ExecStart=/usr/share/memcached/scripts/systemd-memcached-wrapper /etc/memcached_univention-self-service.conf (code=exited, status=67)
 Main PID: 1118 (code=exited, status=67)
      CPU: 4ms

Mär 15 19:19:14 ucsl-01 systemd[1]: Started memcached daemon (univention-self-service instance).
Mär 15 19:19:15 ucsl-01 systemd[1]: univention-self-service-passwordreset-umc.service: Main process exited, code=exited, status=67/n/a
Mär 15 19:19:15 ucsl-01 systemd-memcached-wrapper[1118]: can't find the user self-service-umc to switch to
Mär 15 19:19:15 ucsl-01 systemd[1]: univention-self-service-passwordreset-umc.service: Unit entered failed state.
Mär 15 19:19:15 ucsl-01 systemd[1]: univention-self-service-passwordreset-umc.service: Failed with result 'exit-code'.

I’ve tested:

  • I can reach the master (ping, and nmap on port 88)
  • I can’t kpasswd:
root@slave:~# kpasswd tstr
tstr@INT.DOMAIN.DE's Password:
kpasswd: krb5_get_init_creds: unable to reach any KDC in realm INT.DOMAIN.DE

And some more things - but I have no clue

Someone?
Best regards,

Bernd

Anyone on how to debug this?
Some steps you would do?

I assume you have dns/firewall/vpn issues.

Check this.

/cv

Hello @Christian_Voelker,

I’ve worked with the link and the linked link - it seems to be something else?

  • kinit works on master and slave
  • kpasswd only on the master. On the slave I get the same message:

unable to reach any KDC in realm INT.DOMAIN.DE

DNS entries seem fine to me.
Firewall? Will kpasswd need other ports than kinit?

Best,
Bernd

to follow up:
master and backup with samba4 installed - both working kpasswd
slave without samba4 - kpasswd not working

I post /etc/krb5.conf (Slave):

root@slave:~# cat /etc/krb5.conf
# Warning: This file is auto-generated and might be overwritten by
#          univention-config-registry.
#          Please edit the following file(s) instead:
# Warnung: Diese Datei wurde automatisch generiert und kann durch
#          univention-config-registry ueberschrieben werden.
#          Bitte bearbeiten Sie an Stelle dessen die folgende(n) Datei(en):
#
#       /etc/univention/templates/files/etc/krb5.conf
#

[libdefaults]
        default_realm = INT.DOMAIN.DE
        default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1
        allow_weak_crypto=true
        dns_lookup_kdc = true
        dns_lookup_realm = false
        forwardable = true
        proxiable = true
        kdc_timesync = 1
        debug = false
        #
        # The following libdefaults are for clients using the MIT Kerberos library
        #
        permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1

[realms]
INT.DOMAIN.DE = {
        acl_file = /var/lib/heimdal-kdc/kadmind.acl
        kdc = master.int.domain.de
        admin_server = master.int.domain.de
        kpasswd_server = master.int.domain.de
}
[kdc]
hdb-ldap-create-base = cn=kerberos,dc=int,dc=domain,dc=de
v4-realm = INT.DOMAIN.DE

[kadmin]
        v4-realm = INT.DOMAIN.DE
database = {
        label = {
                acl_file = /var/lib/heimdal-kdc/kadmind.acl
                dbname = ldap:dc=int,dc=domain,dc=de
                realm = INT.DOMAIN.DE

                log_file = /var/log/heimdal-database.log
                mkey_file = /var/heimdal/m-key
        }
}

And I post also a nmap of the master, seen from slave:

root@slave:~# nmap -v -p22-1024 -sT -sU master.int.domain.de
...
Completed Connect Scan at 11:33, 1009.38s elapsed (1003 total ports)
Nmap scan report for master.int.domain.de (master-IP)
Host is up (0.020s latency).
Not shown: 1983 closed ports
PORT    STATE         SERVICE
22/tcp  open          ssh
53/tcp  open          domain
80/tcp  open          http
88/tcp  open          kerberos-sec
111/tcp open          rpcbind
135/tcp open          msrpc
139/tcp open          netbios-ssn
389/tcp open          ldap
443/tcp open          https
445/tcp open          microsoft-ds
464/tcp open          kpasswd5
544/tcp open          kshell
636/tcp open          ldapssl
749/tcp open          kerberos-adm
53/udp  open          domain
67/udp  open|filtered dhcps
88/udp  open|filtered kerberos-sec
111/udp open          rpcbind
123/udp open          ntp
137/udp open          netbios-ns
138/udp open|filtered netbios-dgm
389/udp open          ldap
464/udp open|filtered kpasswd5

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2098.22 seconds
           Raw packets sent: 1449 (41.338KB) | Rcvd: 1675 (144.471KB)

Perhaps someone sees something I don’t. Or can tell me where to look.

Best,
Bernd

Does this print the correct entry?

host -t srv "_domaincontroller_master._tcp.$(ucr get domainname)." 

Yes - I think so.

root@slave:~# host -t srv "_domaincontroller_master._tcp.$(ucr get domainname)."
_domaincontroller_master._tcp.int.domain.de has SRV record 0 0 0 master.int.domain.de.

I have found something else on the slave:

root@slave:/etc# systemctl status univention-self-service-passwordreset-umc
● univention-self-service-passwordreset-umc.service - memcached daemon (univention-self-service instance)
   Loaded: loaded (/lib/systemd/system/univention-self-service-passwordreset-umc.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2020-03-24 21:11:56 CET; 1 day 22h ago
  Process: 1134 ExecStart=/usr/share/memcached/scripts/systemd-memcached-wrapper /etc/memcached_univention-self-service.conf (code=exited, status=67)
 Main PID: 1134 (code=exited, status=67)
      CPU: 4ms

Mär 24 21:11:55 slave systemd[1]: Started memcached daemon (univention-self-service instance).
Mär 24 21:11:56 slave systemd[1]: univention-self-service-passwordreset-umc.service: Main process exited, code=exited, status=67/n/a
Mär 24 21:11:56 slave systemd-memcached-wrapper[1134]: can't find the user self-service-umc to switch to
Mär 24 21:11:56 slave systemd[1]: univention-self-service-passwordreset-umc.service: Unit entered failed state.
Mär 24 21:11:56 slave systemd[1]: univention-self-service-passwordreset-umc.service: Failed with result 'exit-code'.

But I’m not sure if that is just another symptom or is leading to something…

Edit1+2:
Ok - just a proof I’m running in circles… :upside_down_face:

So Edit 3 - something new:
The error message seems to be misleading. The problem is more the signal back from the master than the signal to the master? When I initiate kpasswd from the slave and tcpdump on the master, I get:

root@master:/etc# tcpdump -i any -v  host 10.10.10.2 
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
21:09:35.119257 IP (tos 0x0, ttl 62, id 4699, offset 0, flags [DF], proto UDP (17), length 74)
    10.10.10.2.44346 > master.int.domain.de.domain: 43141+ A? slave.int.domain.de. (46)
21:09:35.121132 IP (tos 0x0, ttl 64, id 33671, offset 0, flags [none], proto UDP (17), length 216)
    master.int.domain.de.domain > 10.10.10.2.44346: 43141* 1/4/3 slave.int.domain.de. A 10.10.20.1 (188)
21:09:35.140678 IP (tos 0x0, ttl 62, id 4702, offset 0, flags [DF], proto UDP (17), length 74)
    10.10.10.2.44346 > master.int.domain.de.domain: 21394+ AAAA? slave.int.domain.de. (46)
21:09:35.141192 IP (tos 0x0, ttl 64, id 33673, offset 0, flags [none], proto UDP (17), length 122)
    master.int.domain.de.domain > 10.10.10.2.44346: 21394* 0/1/0 (94)
21:09:39.755529 IP (tos 0x0, ttl 63, id 13793, offset 0, flags [DF], proto UDP (17), length 201)
    10.10.10.2.38994 > master.int.domain.de.kerberos:  v5
21:09:39.760194 IP (tos 0x0, ttl 64, id 34456, offset 0, flags [DF], proto UDP (17), length 315)
    master.int.domain.de.kerberos > 10.10.10.2.38994:
21:09:39.795122 IP (tos 0x0, ttl 63, id 13797, offset 0, flags [DF], proto UDP (17), length 279)
    10.10.10.2.39462 > master.int.domain.de.kerberos:  v5
21:09:39.813837 IP (tos 0x0, ttl 64, id 34460, offset 0, flags [DF], proto UDP (17), length 1427)
    master.int.domain.de.kerberos > 10.10.10.2.39462:  v5
21:09:41.577679 IP (tos 0x0, ttl 63, id 24906, offset 0, flags [DF], proto TCP (6), length 60)
    10.10.10.2.55870 > master.int.domain.de.7389: Flags [S], cksum 0x28e3 (correct), seq 3220867831, win 29200, options [mss 1337,sackOK,TS val 43141063 ecr 0,nop,wscale 7], length 0
21:09:41.577744 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    master.int.domain.de.7389 > 10.10.10.2.55870: Flags [S.], cksum 0x214f (incorrect -> 0x32f6), seq 1176536823, ack 3220867832, win 28960, options [mss 1460,sackOK,TS val 9382058 ecr 43141063,nop,wscale 7], length 0
21:09:41.597139 IP (tos 0x0, ttl 63, id 24907, offset 0, flags [DF], proto TCP (6), length 52)
    10.10.10.2.55870 > master.int.domain.de.7389: Flags [.], cksum 0xd1f8 (correct), ack 1, win 229, options [nop,nop,TS val 43141068 ecr 9382058], length 0
21:09:41.597172 IP (tos 0x0, ttl 63, id 24908, offset 0, flags [DF], proto TCP (6), length 145)
    10.10.10.2.55870 > master.int.domain.de.7389: Flags [P.], cksum 0x0361 (correct), seq 1:94, ack 1, win 229, options [nop,nop,TS val 43141068 ecr 9382058], length 93
21:09:41.597181 IP (tos 0x0, ttl 64, id 27421, offset 0, flags [DF], proto TCP (6), length 52)
    master.int.domain.de.7389 > 10.10.10.2.55870: Flags [.], cksum 0x2147 (incorrect -> 0xd198), ack 94, win 227, options [nop,nop,TS val 9382063 ecr 43141068], length 0
21:09:41.601288 IP (tos 0x0, ttl 64, id 27422, offset 0, flags [DF], proto TCP (6), length 66)
    master.int.domain.de.7389 > 10.10.10.2.55870: Flags [P.], cksum 0x2155 (incorrect -> 0x8e09), seq 1:15, ack 94, win 227, options [nop,nop,TS val 9382064 ecr 43141068], length 14
21:09:41.620852 IP (tos 0x0, ttl 63, id 24909, offset 0, flags [DF], proto TCP (6), length 52)
    10.10.10.2.55870 > master.int.domain.de.7389: Flags [.], cksum 0xd181 (correct), ack 15, win 229, options [nop,nop,TS val 43141074 ecr 9382064], length 0
21:09:41.620884 IP (tos 0x0, ttl 63, id 24910, offset 0, flags [DF], proto TCP (6), length 120)
    10.10.10.2.55870 > master.int.domain.de.7389: Flags [P.], cksum 0x8f04 (correct), seq 94:162, ack 15, win 229, options [nop,nop,TS val 43141074 ecr 9382064], length 68
21:09:41.621343 IP (tos 0x0, ttl 64, id 27423, offset 0, flags [DF], proto TCP (6), length 900)
    master.int.domain.de.7389 > 10.10.10.2.55870: Flags [P.], cksum 0x2497 (incorrect -> 0xbc2b), seq 15:863, ack 162, win 227, options [nop,nop,TS val 9382069 ecr 43141074], length 848
21:09:41.621369 IP (tos 0x0, ttl 64, id 27424, offset 0, flags [DF], proto TCP (6), length 66)
    master.int.domain.de.7389 > 10.10.10.2.55870: Flags [P.], cksum 0x2155 (incorrect -> 0x8958), seq 863:877, ack 162, win 227, options [nop,nop,TS val 9382069 ecr 43141074], length 14
21:09:41.641476 IP (tos 0x0, ttl 63, id 24911, offset 0, flags [DF], proto TCP (6), length 52)
    10.10.10.2.55870 > master.int.domain.de.7389: Flags [.], cksum 0xcdc8 (correct), ack 877, win 242, options [nop,nop,TS val 43141079 ecr 9382069], length 0
21:09:41.641876 IP (tos 0x0, ttl 63, id 24912, offset 0, flags [DF], proto TCP (6), length 59)
    10.10.10.2.55870 > master.int.domain.de.7389: Flags [P.], cksum 0x9871 (correct), seq 162:169, ack 877, win 242, options [nop,nop,TS val 43141079 ecr 9382069], length 7
21:09:41.641890 IP (tos 0x0, ttl 63, id 24913, offset 0, flags [DF], proto TCP (6), length 52)
    10.10.10.2.55870 > master.int.domain.de.7389: Flags [F.], cksum 0xcdc0 (correct), seq 169, ack 877, win 242, options [nop,nop,TS val 43141079 ecr 9382069], length 0
21:09:41.642005 IP (tos 0x0, ttl 64, id 27425, offset 0, flags [DF], proto TCP (6), length 52)
    master.int.domain.de.7389 > 10.10.10.2.55870: Flags [F.], cksum 0x2147 (incorrect -> 0xcdc9), seq 877, ack 170, win 227, options [nop,nop,TS val 9382074 ecr 43141079], length 0
21:09:41.658536 IP (tos 0x0, ttl 63, id 30857, offset 0, flags [DF], proto TCP (6), length 60)
    10.10.10.2.55872 > master.int.domain.de.7389: Flags [S], cksum 0x1423 (correct), seq 3914102351, win 29200, options [mss 1337,sackOK,TS val 43141083 ecr 0,nop,wscale 7], length 0
21:09:41.658570 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    master.int.domain.de.7389 > 10.10.10.2.55872: Flags [S.], cksum 0x214f (incorrect -> 0xed36), seq 3576899791, ack 3914102352, win 28960, options [mss 1460,sackOK,TS val 9382078 ecr 43141083,nop,wscale 7], length 0
21:09:41.661497 IP (tos 0x0, ttl 63, id 24914, offset 0, flags [DF], proto TCP (6), length 52)
    10.10.10.2.55870 > master.int.domain.de.7389: Flags [.], cksum 0xcdb5 (correct), ack 878, win 242, options [nop,nop,TS val 43141084 ecr 9382074], length 0
21:09:41.677662 IP (tos 0x0, ttl 63, id 30858, offset 0, flags [DF], proto TCP (6), length 52)
    10.10.10.2.55872 > master.int.domain.de.7389: Flags [.], cksum 0x8c39 (correct), ack 1, win 229, options [nop,nop,TS val 43141088 ecr 9382078], length 0
21:09:41.677686 IP (tos 0x0, ttl 63, id 30859, offset 0, flags [DF], proto TCP (6), length 83)
    10.10.10.2.55872 > master.int.domain.de.7389: Flags [P.], cksum 0x10d3 (correct), seq 1:32, ack 1, win 229, options [nop,nop,TS val 43141088 ecr 9382078], length 31
21:09:41.677694 IP (tos 0x0, ttl 64, id 53433, offset 0, flags [DF], proto TCP (6), length 52)
    master.int.domain.de.7389 > 10.10.10.2.55872: Flags [.], cksum 0x2147 (incorrect -> 0x8c17), ack 32, win 227, options [nop,nop,TS val 9382083 ecr 43141088], length 0
21:09:41.677889 IP (tos 0x0, ttl 64, id 53434, offset 0, flags [DF], proto TCP (6), length 66)
    master.int.domain.de.7389 > 10.10.10.2.55872: Flags [P.], cksum 0x2155 (incorrect -> 0x4872), seq 1:15, ack 32, win 227, options [nop,nop,TS val 9382083 ecr 43141088], length 14
21:09:41.697214 IP (tos 0x0, ttl 63, id 30860, offset 0, flags [DF], proto TCP (6), length 52)
    10.10.10.2.55872 > master.int.domain.de.7389: Flags [.], cksum 0x8c02 (correct), ack 15, win 229, options [nop,nop,TS val 43141093 ecr 9382083], length 0
21:09:41.701318 IP (tos 0x0, ttl 63, id 30861, offset 0, flags [DF], proto TCP (6), length 228)
    10.10.10.2.55872 > master.int.domain.de.7389: Flags [P.], cksum 0x37dc (correct), seq 32:208, ack 15, win 229, options [nop,nop,TS val 43141094 ecr 9382083], length 176
21:09:41.702261 IP (tos 0x0, ttl 64, id 53435, offset 0, flags [DF], proto TCP (6), length 2702)
    master.int.domain.de.7389 > 10.10.10.2.55872: Flags [.], cksum 0x2ba1 (incorrect -> 0x23e9), seq 15:2665, ack 208, win 235, options [nop,nop,TS val 9382089 ecr 43141094], length 2650
21:09:41.702275 IP (tos 0x0, ttl 64, id 53437, offset 0, flags [DF], proto TCP (6), length 731)
    master.int.domain.de.7389 > 10.10.10.2.55872: Flags [P.], cksum 0x23ee (incorrect -> 0xb3a2), seq 2665:3344, ack 208, win 235, options [nop,nop,TS val 9382089 ecr 43141094], length 679
21:09:41.722743 IP (tos 0x0, ttl 63, id 30862, offset 0, flags [DF], proto TCP (6), length 52)
    10.10.10.2.55872 > master.int.domain.de.7389: Flags [.], cksum 0x80bf (correct), ack 2665, win 274, options [nop,nop,TS val 43141099 ecr 9382089], length 0
21:09:41.724504 IP (tos 0x0, ttl 63, id 30863, offset 0, flags [DF], proto TCP (6), length 145)
    10.10.10.2.55872 > master.int.domain.de.7389: Flags [P.], cksum 0x1c8c (correct), seq 208:301, ack 3344, win 295, options [nop,nop,TS val 43141100 ecr 9382089], length 93
21:09:41.724870 IP (tos 0x0, ttl 64, id 53438, offset 0, flags [DF], proto TCP (6), length 294)
    master.int.domain.de.7389 > 10.10.10.2.55872: Flags [P.], cksum 0x2239 (incorrect -> 0x6807), seq 3344:3586, ack 301, win 235, options [nop,nop,TS val 9382095 ecr 43141100], length 242
21:09:41.744612 IP (tos 0x0, ttl 63, id 30864, offset 0, flags [DF], proto TCP (6), length 174)
    10.10.10.2.55872 > master.int.domain.de.7389: Flags [P.], cksum 0x5ce0 (correct), seq 301:423, ack 3586, win 315, options [nop,nop,TS val 43141105 ecr 9382095], length 122
21:09:41.748636 IP (tos 0x0, ttl 64, id 53439, offset 0, flags [DF], proto TCP (6), length 95)
    master.int.domain.de.7389 > 10.10.10.2.55872: Flags [P.], cksum 0x2172 (incorrect -> 0x1c43), seq 3586:3629, ack 423, win 235, options [nop,nop,TS val 9382101 ecr 43141105], length 43
21:09:41.768005 IP (tos 0x0, ttl 63, id 30865, offset 0, flags [DF], proto TCP (6), length 149)
    10.10.10.2.55872 > master.int.domain.de.7389: Flags [P.], cksum 0xc884 (correct), seq 423:520, ack 3629, win 315, options [nop,nop,TS val 43141111 ecr 9382101], length 97
21:09:41.768466 IP (tos 0x0, ttl 64, id 53440, offset 0, flags [DF], proto TCP (6), length 929)
    master.int.domain.de.7389 > 10.10.10.2.55872: Flags [P.], cksum 0x24b4 (incorrect -> 0xac83), seq 3629:4506, ack 520, win 235, options [nop,nop,TS val 9382105 ecr 43141111], length 877
21:09:41.768510 IP (tos 0x0, ttl 64, id 53441, offset 0, flags [DF], proto TCP (6), length 95)
    master.int.domain.de.7389 > 10.10.10.2.55872: Flags [P.], cksum 0x2172 (incorrect -> 0x2af8), seq 4506:4549, ack 520, win 235, options [nop,nop,TS val 9382106 ecr 43141111], length 43
21:09:41.788709 IP (tos 0x0, ttl 63, id 30866, offset 0, flags [DF], proto TCP (6), length 52)
    10.10.10.2.55872 > master.int.domain.de.7389: Flags [.], cksum 0x77cc (correct), ack 4549, win 336, options [nop,nop,TS val 43141116 ecr 9382105], length 0
21:09:41.788901 IP (tos 0x0, ttl 63, id 30867, offset 0, flags [DF], proto TCP (6), length 88)
    10.10.10.2.55872 > master.int.domain.de.7389: Flags [P.], cksum 0x7719 (correct), seq 520:556, ack 4549, win 336, options [nop,nop,TS val 43141116 ecr 9382105], length 36
21:09:41.788917 IP (tos 0x0, ttl 63, id 30868, offset 0, flags [DF], proto TCP (6), length 83)
    10.10.10.2.55872 > master.int.domain.de.7389: Flags [P.], cksum 0xe25b (correct), seq 556:587, ack 4549, win 336, options [nop,nop,TS val 43141116 ecr 9382105], length 31
21:09:41.788977 IP (tos 0x0, ttl 64, id 53442, offset 0, flags [DF], proto TCP (6), length 52)
    master.int.domain.de.7389 > 10.10.10.2.55872: Flags [.], cksum 0x2147 (incorrect -> 0x77e8), ack 587, win 235, options [nop,nop,TS val 9382111 ecr 43141116], length 0
21:09:41.789036 IP (tos 0x0, ttl 64, id 53443, offset 0, flags [DF], proto TCP (6), length 83)
    master.int.domain.de.7389 > 10.10.10.2.55872: Flags [P.], cksum 0x2166 (incorrect -> 0x0b35), seq 4549:4580, ack 587, win 235, options [nop,nop,TS val 9382111 ecr 43141116], length 31
21:09:41.789055 IP (tos 0x0, ttl 64, id 53444, offset 0, flags [DF], proto TCP (6), length 52)
    master.int.domain.de.7389 > 10.10.10.2.55872: Flags [F.], cksum 0x2147 (incorrect -> 0x77c8), seq 4580, ack 587, win 235, options [nop,nop,TS val 9382111 ecr 43141116], length 0
21:09:41.789120 IP (tos 0x0, ttl 63, id 30869, offset 0, flags [DF], proto TCP (6), length 52)
    10.10.10.2.55872 > master.int.domain.de.7389: Flags [F.], cksum 0x7788 (correct), seq 587, ack 4549, win 336, options [nop,nop,TS val 43141116 ecr 9382105], length 0
21:09:41.789131 IP (tos 0x0, ttl 64, id 53445, offset 0, flags [DF], proto TCP (6), length 52)
    master.int.domain.de.7389 > 10.10.10.2.55872: Flags [.], cksum 0x2147 (incorrect -> 0x77c7), ack 588, win 235, options [nop,nop,TS val 9382111 ecr 43141116], length 0
21:09:41.808292 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    10.10.10.2.55872 > master.int.domain.de.7389: Flags [R], cksum 0x35bb (correct), seq 3914102938, win 0, length 0
21:09:41.808313 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    10.10.10.2.55872 > master.int.domain.de.7389: Flags [R], cksum 0x35bb (correct), seq 3914102938, win 0, length 0
21:09:41.819398 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    10.10.10.2.55872 > master.int.domain.de.7389: Flags [R], cksum 0x35ba (correct), seq 3914102939, win 0, length 0
21:09:50.806630 IP (tos 0x0, ttl 63, id 16427, offset 0, flags [DF], proto UDP (17), length 279)
    10.10.10.2.39462 > master.int.domain.de.kerberos:  v5
21:09:50.816370 IP (tos 0x0, ttl 64, id 35668, offset 0, flags [DF], proto UDP (17), length 1427)
    master.int.domain.de.kerberos > 10.10.10.2.39462:  v5
21:10:01.988005 IP (tos 0x0, ttl 63, id 18549, offset 0, flags [DF], proto UDP (17), length 279)
    10.10.10.2.39462 > master.int.domain.de.kerberos:  v5
21:10:02.018186 IP (tos 0x0, ttl 64, id 35934, offset 0, flags [DF], proto UDP (17), length 1427)
    master.int.domain.de.kerberos > 10.10.10.2.39462:  v5
21:10:02.690759 IP (tos 0x0, ttl 62, id 10388, offset 0, flags [DF], proto UDP (17), length 74)
    10.10.10.2.54659 > master.int.domain.de.domain: 45692+ A? slave.int.domain.de. (46)
21:10:02.690816 IP (tos 0x0, ttl 62, id 10389, offset 0, flags [DF], proto UDP (17), length 74)
    10.10.10.2.54659 > master.int.domain.de.domain: 39560+ AAAA? slave.int.domain.de. (46)
21:10:02.692893 IP (tos 0x0, ttl 64, id 36049, offset 0, flags [none], proto UDP (17), length 216)
    master.int.domain.de.domain > 10.10.10.2.54659: 45692* 1/4/3 slave.int.domain.de. A 10.10.20.1 (188)
21:10:02.693643 IP (tos 0x0, ttl 64, id 36050, offset 0, flags [none], proto UDP (17), length 122)
    master.int.domain.de.domain > 10.10.10.2.54659: 39560* 0/1/0 (94)
^C
60 packets captured
61 packets received by filter
0 packets dropped by kernel

10.10.10.2 = IP of the slave's VPN endpoint. The other end is on a firewall in front of master and backup.
10.10.20.1 = local IP of the slave

There is a little time gap between the last entry of the dump and the error message on the slave - perhaps one second.

Can anyone read this?
There seems to be a question to LDAP initiated - which would make sense. But why is the response not received by the slave (so that it ‘thinks’ it can’t reach the password server)?

Best,
Bernd
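
One way to read a capture like the one in the post above, as an added example that is not part of the original thread: it lists which services the slave's VPN endpoint contacted, which UDP requests it re-sent unchanged, and which DF-flagged UDP replies are larger than the MTU implied by the slave's TCP MSS. The MSS-plus-40 estimate and all function names are assumptions of this example; the thread does not confirm a cause.

```python
import re
from collections import Counter

# Excerpt of the capture posted above (tcpdump -v prints two lines per packet).
CAPTURE = """\
21:09:39.755529 IP (tos 0x0, ttl 63, id 13793, offset 0, flags [DF], proto UDP (17), length 201)
    10.10.10.2.38994 > master.int.domain.de.kerberos:  v5
21:09:39.760194 IP (tos 0x0, ttl 64, id 34456, offset 0, flags [DF], proto UDP (17), length 315)
    master.int.domain.de.kerberos > 10.10.10.2.38994:
21:09:39.795122 IP (tos 0x0, ttl 63, id 13797, offset 0, flags [DF], proto UDP (17), length 279)
    10.10.10.2.39462 > master.int.domain.de.kerberos:  v5
21:09:39.813837 IP (tos 0x0, ttl 64, id 34460, offset 0, flags [DF], proto UDP (17), length 1427)
    master.int.domain.de.kerberos > 10.10.10.2.39462:  v5
21:09:41.577679 IP (tos 0x0, ttl 63, id 24906, offset 0, flags [DF], proto TCP (6), length 60)
    10.10.10.2.55870 > master.int.domain.de.7389: Flags [S], cksum 0x28e3 (correct), seq 3220867831, win 29200, options [mss 1337,sackOK,TS val 43141063 ecr 0,nop,wscale 7], length 0
21:09:50.806630 IP (tos 0x0, ttl 63, id 16427, offset 0, flags [DF], proto UDP (17), length 279)
    10.10.10.2.39462 > master.int.domain.de.kerberos:  v5
21:09:50.816370 IP (tos 0x0, ttl 64, id 35668, offset 0, flags [DF], proto UDP (17), length 1427)
    master.int.domain.de.kerberos > 10.10.10.2.39462:  v5
21:10:01.988005 IP (tos 0x0, ttl 63, id 18549, offset 0, flags [DF], proto UDP (17), length 279)
    10.10.10.2.39462 > master.int.domain.de.kerberos:  v5
21:10:02.018186 IP (tos 0x0, ttl 64, id 35934, offset 0, flags [DF], proto UDP (17), length 1427)
    master.int.domain.de.kerberos > 10.10.10.2.39462:  v5
"""

CLIENT = "10.10.10.2"  # VPN endpoint of the slave, as stated in the post
HDR = re.compile(r"^(\S+) IP \(.*flags \[([^\]]*)\], proto (\w+) \(\d+\), length (\d+)\)")
ADDR = re.compile(r"^\s+(\S+) > (\S+?):(.*)$")

def parse(text):
    """Pair each header line with its address line into one packet dict."""
    pkts, hdr = [], None
    for line in text.splitlines():
        h, a = HDR.match(line), ADDR.match(line)
        if h:
            hdr = h
        elif a and hdr:
            (src, sport), (dst, dport) = (x.rsplit(".", 1) for x in a.group(1, 2))
            pkts.append({"time": hdr[1], "df": "DF" in hdr[2], "proto": hdr[3],
                         "len": int(hdr[4]), "src": src, "sport": sport,
                         "dst": dst, "dport": dport, "info": a[3].strip()})
            hdr = None
    return pkts

def services_contacted(pkts):
    """Destination ports/services the client actually sent packets to."""
    return {p["dport"] for p in pkts if p["src"] == CLIENT}

def repeated_requests(pkts):
    """Identical UDP requests re-sent from one socket: the sender got no usable answer."""
    seen = Counter((p["sport"], p["dport"], p["len"], p["info"]) for p in pkts
                   if p["src"] == CLIENT and p["proto"] == "UDP")
    return {k: n for k, n in seen.items() if n > 1}

def oversize_df_replies(pkts):
    """DF-flagged UDP replies larger than the MTU implied by the client's TCP MSS."""
    mss = [int(m[1]) for p in pkts if p["src"] == CLIENT and "[S]" in p["info"]
           for m in [re.search(r"mss (\d+)", p["info"])] if m]
    if not mss:
        return None, []
    mtu = min(mss) + 40  # assumption: MSS + 20 bytes IP header + 20 bytes TCP header
    return mtu, [p for p in pkts if p["dst"] == CLIENT and p["proto"] == "UDP"
                 and p["df"] and p["len"] > mtu]

if __name__ == "__main__":
    pkts = parse(CAPTURE)
    print(services_contacted(pkts), repeated_requests(pkts))
    print(oversize_df_replies(pkts))
```
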

Well, it is not really solved but:

The app and kpasswd are working on the other vserver - nearly the same setup, as far as I can see.

So even if the server problem isn’t fixed the self-service problem is :wink: