Self-service problem (Unable to reach any changepw server in realm)

lebernd · March 15, 2020, 6:43pm

Hello together,

after reading some threads here on the forum, knowledge base, reinstallation, removing and purging - I need a hint!

What I want:
Self-service installed on a slave-server (vserver) with public static ip-address. The server is connected via openVPN to master and backup.

Procedure:
Some time ago I’ve installed self-service on the master-server. Now I’ve installed it on the slave -> didn’t work. Deinstalled both. Installed on the slave - won’t work.

Error message on the portal:

Passwort ändern fehlgeschlagen. Der Grund konnte nicht festgestellt werden. Für den Fall, dass es hilft, hier die originale Fehlernachricht: Unable to reach any changepw server in realm INT.DOMAIN.DE. Errorcode 20: Das neue Passwort konnte nicht gesetzt werden.

On the slave I can see a failing service:

root@slave:~# systemctl status univention-self-service-passwordreset-umc
● univention-self-service-passwordreset-umc.service - memcached daemon (univention-self-service instance)
   Loaded: loaded (/lib/systemd/system/univention-self-service-passwordreset-umc.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sun 2020-03-15 19:19:15 CET; 32s ago
  Process: 1118 ExecStart=/usr/share/memcached/scripts/systemd-memcached-wrapper /etc/memcached_univention-self-service.conf (code=exited, status=67)
 Main PID: 1118 (code=exited, status=67)
      CPU: 4ms

Mär 15 19:19:14 ucsl-01 systemd[1]: Started memcached daemon (univention-self-service instance).
Mär 15 19:19:15 ucsl-01 systemd[1]: univention-self-service-passwordreset-umc.service: Main process exited, code=exited, status=67/n/a
Mär 15 19:19:15 ucsl-01 systemd-memcached-wrapper[1118]: can't find the user self-service-umc to switch to
Mär 15 19:19:15 ucsl-01 systemd[1]: univention-self-service-passwordreset-umc.service: Unit entered failed state.
Mär 15 19:19:15 ucsl-01 systemd[1]: univention-self-service-passwordreset-umc.service: Failed with result 'exit-code'.

I’ve tested:

I can reach the master ping and nmap port 88
I can’t kpasswd:

root@slave:~# kpasswd tstr
tstr@INT.DOMAIN.DE's Password:
kpasswd: krb5_get_init_creds: unable to reach any KDC in realm INT.DOMAIN.DE

And some more things - but I have no clue

Someone?
Best regards,

Bernd

lebernd · March 25, 2020, 9:16am

Anyone on how to debug this?
Some steps you would do?

Christian_Voelker · March 25, 2020, 12:01pm

I assume you have dns/firewall/vpn issues.

Check this.

/cv

lebernd · March 25, 2020, 4:58pm

Hallo @Christian_Voelker,

I’ve worked with the link and the linked link - it seams to be something else?

kinit works on master and slave
kpasswd only on the master. On the slave I get the same message:

unable to reach any KDC in realm INT.DOMAIN.DE

DNS entries seam fine to me.
Firewall? Will kpasswd need other ports than kinit?

Best,
Bernd

lebernd · March 26, 2020, 10:37am

to follow up:
master and backup with samba4 installed - both working kpasswd
slave without samba4 - kpasswd not working

I post /etc/krb5.conf (Slave):

root@slave:~# cat /etc/krb5.conf
# Warning: This file is auto-generated and might be overwritten by
#          univention-config-registry.
#          Please edit the following file(s) instead:
# Warnung: Diese Datei wurde automatisch generiert und kann durch
#          univention-config-registry ueberschrieben werden.
#          Bitte bearbeiten Sie an Stelle dessen die folgende(n) Datei(en):
#
#       /etc/univention/templates/files/etc/krb5.conf
#

[libdefaults]
        default_realm = INT.DOMAIN.DE
        default_etypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1
        allow_weak_crypto=true
        dns_lookup_kdc = true
        dns_lookup_realm = false
        forwardable = true
        proxiable = true
        kdc_timesync = 1
        debug = false
        #
        # The following libdefaults are for clients using the MIT Kerberos library
        #
        permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1
        default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1
        default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5 des-cbc-crc des-cbc-md5 des-cbc-md4 des3-hmac-sha1 des3-cbc-sha1

[realms]
INT.DOMAIN.DE = {
        acl_file = /var/lib/heimdal-kdc/kadmind.acl
        kdc = master.int.domain.de
        admin_server = master.int.domain.de
        kpasswd_server = master.int.domain.de
}
[kdc]
hdb-ldap-create-base = cn=kerberos,dc=int,dc=domain,dc=de
v4-realm = INT.DOMAIN.DE

[kadmin]
        v4-realm = INT.DOMAIN.DE
database = {
        label = {
                acl_file = /var/lib/heimdal-kdc/kadmind.acl
                dbname = ldap:dc=int,dc=domain,dc=de
                realm = INT.DOMAIN.DE

                log_file = /var/log/heimdal-database.log
                mkey_file = /var/heimdal/m-key
        }
}

And I post also a nmap of the master, seen from slave:

root@slave:~# nmap -v -p22-1024 -sT -sU master.int.domain.de
...
Completed Connect Scan at 11:33, 1009.38s elapsed (1003 total ports)
Nmap scan report for master.int.domain.de (master-IP)
Host is up (0.020s latency).
Not shown: 1983 closed ports
PORT    STATE         SERVICE
22/tcp  open          ssh
53/tcp  open          domain
80/tcp  open          http
88/tcp  open          kerberos-sec
111/tcp open          rpcbind
135/tcp open          msrpc
139/tcp open          netbios-ssn
389/tcp open          ldap
443/tcp open          https
445/tcp open          microsoft-ds
464/tcp open          kpasswd5
544/tcp open          kshell
636/tcp open          ldapssl
749/tcp open          kerberos-adm
53/udp  open          domain
67/udp  open|filtered dhcps
88/udp  open|filtered kerberos-sec
111/udp open          rpcbind
123/udp open          ntp
137/udp open          netbios-ns
138/udp open|filtered netbios-dgm
389/udp open          ldap
464/udp open|filtered kpasswd5

Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2098.22 seconds
           Raw packets sent: 1449 (41.338KB) | Rcvd: 1675 (144.471KB)

Perhaps someone sees something I don’t. Or can tell me where to look.

Best,
Bernd

Christian_Voelker · March 26, 2020, 12:11pm

Does this print the correct entry?

host -t srv "_domaincontroller_master._tcp.$(ucr get domainname)."

lebernd · March 26, 2020, 12:16pm

Yes - I think so.

root@slave:~# host -t srv "_domaincontroller_master._tcp.$(ucr get domainname)."
_domaincontroller_master._tcp.int.domain.de has SRV record 0 0 0 master.int.domain.de.

lebernd · March 26, 2020, 7:09pm

I have found something else on the slave:

root@slave:/etc# systemctl status univention-self-service-passwordreset-umc
● univention-self-service-passwordreset-umc.service - memcached daemon (univention-self-service instance)
   Loaded: loaded (/lib/systemd/system/univention-self-service-passwordreset-umc.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2020-03-24 21:11:56 CET; 1 day 22h ago
  Process: 1134 ExecStart=/usr/share/memcached/scripts/systemd-memcached-wrapper /etc/memcached_univention-self-service.conf (code=exited, status=67)
 Main PID: 1134 (code=exited, status=67)
      CPU: 4ms

Mär 24 21:11:55 slave systemd[1]: Started memcached daemon (univention-self-service instance).
Mär 24 21:11:56 slave systemd[1]: univention-self-service-passwordreset-umc.service: Main process exited, code=exited, status=67/n/a
Mär 24 21:11:56 slave systemd-memcached-wrapper[1134]: can't find the user self-service-umc to switch to
Mär 24 21:11:56 slave systemd[1]: univention-self-service-passwordreset-umc.service: Unit entered failed state.
Mär 24 21:11:56 slave systemd[1]: univention-self-service-passwordreset-umc.service: Failed with result 'exit-code'.

But I’m not sure if that is just another symptom or is leading to something…

Edit1+2:
Ok - just a proof I’m running in circles…

So Edit 3 - something new:
The error-message seams to be misleading. The problem is more the signal back from the master then the signal to the master? When I initiate kpasswd from the slave and tcpdump on the master, I get:

root@master:/etc# tcpdump -i any -v  host 10.10.10.2 
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
21:09:35.119257 IP (tos 0x0, ttl 62, id 4699, offset 0, flags [DF], proto UDP (17), length 74)
    10.10.10.2.44346 > master.int.domain.de.domain: 43141+ A? slave.int.domain.de. (46)
21:09:35.121132 IP (tos 0x0, ttl 64, id 33671, offset 0, flags [none], proto UDP (17), length 216)
    master.int.domain.de.domain > 10.10.10.2.44346: 43141* 1/4/3 slave.int.domain.de. A 10.10.20.1 (188)
21:09:35.140678 IP (tos 0x0, ttl 62, id 4702, offset 0, flags [DF], proto UDP (17), length 74)
    10.10.10.2.44346 > master.int.domain.de.domain: 21394+ AAAA? slave.int.domain.de. (46)
21:09:35.141192 IP (tos 0x0, ttl 64, id 33673, offset 0, flags [none], proto UDP (17), length 122)
    master.int.domain.de.domain > 10.10.10.2.44346: 21394* 0/1/0 (94)
21:09:39.755529 IP (tos 0x0, ttl 63, id 13793, offset 0, flags [DF], proto UDP (17), length 201)
    10.10.10.2.38994 > master.int.domain.de.kerberos:  v5
21:09:39.760194 IP (tos 0x0, ttl 64, id 34456, offset 0, flags [DF], proto UDP (17), length 315)
    master.int.domain.de.kerberos > 10.10.10.2.38994:
21:09:39.795122 IP (tos 0x0, ttl 63, id 13797, offset 0, flags [DF], proto UDP (17), length 279)
    10.10.10.2.39462 > master.int.domain.de.kerberos:  v5
21:09:39.813837 IP (tos 0x0, ttl 64, id 34460, offset 0, flags [DF], proto UDP (17), length 1427)
    master.int.domain.de.kerberos > 10.10.10.2.39462:  v5
21:09:41.577679 IP (tos 0x0, ttl 63, id 24906, offset 0, flags [DF], proto TCP (6), length 60)
    10.10.10.2.55870 > master.int.domain.de.7389: Flags [S], cksum 0x28e3 (correct), seq 3220867831, win 29200, options [mss 1337,sackOK,TS val 43141063 ecr 0,nop,wscale 7], length 0
21:09:41.577744 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    master.int.domain.de.7389 > 10.10.10.2.55870: Flags [S.], cksum 0x214f (incorrect -> 0x32f6), seq 1176536823, ack 3220867832, win 28960, options [mss 1460,sackOK,TS val 9382058 ecr 43141063,nop,wscale 7], length 0
21:09:41.597139 IP (tos 0x0, ttl 63, id 24907, offset 0, flags [DF], proto TCP (6), length 52)
    10.10.10.2.55870 > master.int.domain.de.7389: Flags [.], cksum 0xd1f8 (correct), ack 1, win 229, options [nop,nop,TS val 43141068 ecr 9382058], length 0
21:09:41.597172 IP (tos 0x0, ttl 63, id 24908, offset 0, flags [DF], proto TCP (6), length 145)
    10.10.10.2.55870 > master.int.domain.de.7389: Flags [P.], cksum 0x0361 (correct), seq 1:94, ack 1, win 229, options [nop,nop,TS val 43141068 ecr 9382058], length 93
21:09:41.597181 IP (tos 0x0, ttl 64, id 27421, offset 0, flags [DF], proto TCP (6), length 52)
    master.int.domain.de.7389 > 10.10.10.2.55870: Flags [.], cksum 0x2147 (incorrect -> 0xd198), ack 94, win 227, options [nop,nop,TS val 9382063 ecr 43141068], length 0
21:09:41.601288 IP (tos 0x0, ttl 64, id 27422, offset 0, flags [DF], proto TCP (6), length 66)
    master.int.domain.de.7389 > 10.10.10.2.55870: Flags [P.], cksum 0x2155 (incorrect -> 0x8e09), seq 1:15, ack 94, win 227, options [nop,nop,TS val 9382064 ecr 43141068], length 14
21:09:41.620852 IP (tos 0x0, ttl 63, id 24909, offset 0, flags [DF], proto TCP (6), length 52)
    10.10.10.2.55870 > master.int.domain.de.7389: Flags [.], cksum 0xd181 (correct), ack 15, win 229, options [nop,nop,TS val 43141074 ecr 9382064], length 0
21:09:41.620884 IP (tos 0x0, ttl 63, id 24910, offset 0, flags [DF], proto TCP (6), length 120)
    10.10.10.2.55870 > master.int.domain.de.7389: Flags [P.], cksum 0x8f04 (correct), seq 94:162, ack 15, win 229, options [nop,nop,TS val 43141074 ecr 9382064], length 68
21:09:41.621343 IP (tos 0x0, ttl 64, id 27423, offset 0, flags [DF], proto TCP (6), length 900)
    master.int.domain.de.7389 > 10.10.10.2.55870: Flags [P.], cksum 0x2497 (incorrect -> 0xbc2b), seq 15:863, ack 162, win 227, options [nop,nop,TS val 9382069 ecr 43141074], length 848
21:09:41.621369 IP (tos 0x0, ttl 64, id 27424, offset 0, flags [DF], proto TCP (6), length 66)
    master.int.domain.de.7389 > 10.10.10.2.55870: Flags [P.], cksum 0x2155 (incorrect -> 0x8958), seq 863:877, ack 162, win 227, options [nop,nop,TS val 9382069 ecr 43141074], length 14
21:09:41.641476 IP (tos 0x0, ttl 63, id 24911, offset 0, flags [DF], proto TCP (6), length 52)
    10.10.10.2.55870 > master.int.domain.de.7389: Flags [.], cksum 0xcdc8 (correct), ack 877, win 242, options [nop,nop,TS val 43141079 ecr 9382069], length 0
21:09:41.641876 IP (tos 0x0, ttl 63, id 24912, offset 0, flags [DF], proto TCP (6), length 59)
    10.10.10.2.55870 > master.int.domain.de.7389: Flags [P.], cksum 0x9871 (correct), seq 162:169, ack 877, win 242, options [nop,nop,TS val 43141079 ecr 9382069], length 7
21:09:41.641890 IP (tos 0x0, ttl 63, id 24913, offset 0, flags [DF], proto TCP (6), length 52)
    10.10.10.2.55870 > master.int.domain.de.7389: Flags [F.], cksum 0xcdc0 (correct), seq 169, ack 877, win 242, options [nop,nop,TS val 43141079 ecr 9382069], length 0
21:09:41.642005 IP (tos 0x0, ttl 64, id 27425, offset 0, flags [DF], proto TCP (6), length 52)
    master.int.domain.de.7389 > 10.10.10.2.55870: Flags [F.], cksum 0x2147 (incorrect -> 0xcdc9), seq 877, ack 170, win 227, options [nop,nop,TS val 9382074 ecr 43141079], length 0
21:09:41.658536 IP (tos 0x0, ttl 63, id 30857, offset 0, flags [DF], proto TCP (6), length 60)
    10.10.10.2.55872 > master.int.domain.de.7389: Flags [S], cksum 0x1423 (correct), seq 3914102351, win 29200, options [mss 1337,sackOK,TS val 43141083 ecr 0,nop,wscale 7], length 0
21:09:41.658570 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    master.int.domain.de.7389 > 10.10.10.2.55872: Flags [S.], cksum 0x214f (incorrect -> 0xed36), seq 3576899791, ack 3914102352, win 28960, options [mss 1460,sackOK,TS val 9382078 ecr 43141083,nop,wscale 7], length 0
21:09:41.661497 IP (tos 0x0, ttl 63, id 24914, offset 0, flags [DF], proto TCP (6), length 52)
    10.10.10.2.55870 > master.int.domain.de.7389: Flags [.], cksum 0xcdb5 (correct), ack 878, win 242, options [nop,nop,TS val 43141084 ecr 9382074], length 0
21:09:41.677662 IP (tos 0x0, ttl 63, id 30858, offset 0, flags [DF], proto TCP (6), length 52)
    10.10.10.2.55872 > master.int.domain.de.7389: Flags [.], cksum 0x8c39 (correct), ack 1, win 229, options [nop,nop,TS val 43141088 ecr 9382078], length 0
21:09:41.677686 IP (tos 0x0, ttl 63, id 30859, offset 0, flags [DF], proto TCP (6), length 83)
    10.10.10.2.55872 > master.int.domain.de.7389: Flags [P.], cksum 0x10d3 (correct), seq 1:32, ack 1, win 229, options [nop,nop,TS val 43141088 ecr 9382078], length 31
21:09:41.677694 IP (tos 0x0, ttl 64, id 53433, offset 0, flags [DF], proto TCP (6), length 52)
    master.int.domain.de.7389 > 10.10.10.2.55872: Flags [.], cksum 0x2147 (incorrect -> 0x8c17), ack 32, win 227, options [nop,nop,TS val 9382083 ecr 43141088], length 0
21:09:41.677889 IP (tos 0x0, ttl 64, id 53434, offset 0, flags [DF], proto TCP (6), length 66)
    master.int.domain.de.7389 > 10.10.10.2.55872: Flags [P.], cksum 0x2155 (incorrect -> 0x4872), seq 1:15, ack 32, win 227, options [nop,nop,TS val 9382083 ecr 43141088], length 14
21:09:41.697214 IP (tos 0x0, ttl 63, id 30860, offset 0, flags [DF], proto TCP (6), length 52)
    10.10.10.2.55872 > master.int.domain.de.7389: Flags [.], cksum 0x8c02 (correct), ack 15, win 229, options [nop,nop,TS val 43141093 ecr 9382083], length 0
21:09:41.701318 IP (tos 0x0, ttl 63, id 30861, offset 0, flags [DF], proto TCP (6), length 228)
    10.10.10.2.55872 > master.int.domain.de.7389: Flags [P.], cksum 0x37dc (correct), seq 32:208, ack 15, win 229, options [nop,nop,TS val 43141094 ecr 9382083], length 176
21:09:41.702261 IP (tos 0x0, ttl 64, id 53435, offset 0, flags [DF], proto TCP (6), length 2702)
    master.int.domain.de.7389 > 10.10.10.2.55872: Flags [.], cksum 0x2ba1 (incorrect -> 0x23e9), seq 15:2665, ack 208, win 235, options [nop,nop,TS val 9382089 ecr 43141094], length 2650
21:09:41.702275 IP (tos 0x0, ttl 64, id 53437, offset 0, flags [DF], proto TCP (6), length 731)
    master.int.domain.de.7389 > 10.10.10.2.55872: Flags [P.], cksum 0x23ee (incorrect -> 0xb3a2), seq 2665:3344, ack 208, win 235, options [nop,nop,TS val 9382089 ecr 43141094], length 679
21:09:41.722743 IP (tos 0x0, ttl 63, id 30862, offset 0, flags [DF], proto TCP (6), length 52)
    10.10.10.2.55872 > master.int.domain.de.7389: Flags [.], cksum 0x80bf (correct), ack 2665, win 274, options [nop,nop,TS val 43141099 ecr 9382089], length 0
21:09:41.724504 IP (tos 0x0, ttl 63, id 30863, offset 0, flags [DF], proto TCP (6), length 145)
    10.10.10.2.55872 > master.int.domain.de.7389: Flags [P.], cksum 0x1c8c (correct), seq 208:301, ack 3344, win 295, options [nop,nop,TS val 43141100 ecr 9382089], length 93
21:09:41.724870 IP (tos 0x0, ttl 64, id 53438, offset 0, flags [DF], proto TCP (6), length 294)
    master.int.domain.de.7389 > 10.10.10.2.55872: Flags [P.], cksum 0x2239 (incorrect -> 0x6807), seq 3344:3586, ack 301, win 235, options [nop,nop,TS val 9382095 ecr 43141100], length 242
21:09:41.744612 IP (tos 0x0, ttl 63, id 30864, offset 0, flags [DF], proto TCP (6), length 174)
    10.10.10.2.55872 > master.int.domain.de.7389: Flags [P.], cksum 0x5ce0 (correct), seq 301:423, ack 3586, win 315, options [nop,nop,TS val 43141105 ecr 9382095], length 122
21:09:41.748636 IP (tos 0x0, ttl 64, id 53439, offset 0, flags [DF], proto TCP (6), length 95)
    master.int.domain.de.7389 > 10.10.10.2.55872: Flags [P.], cksum 0x2172 (incorrect -> 0x1c43), seq 3586:3629, ack 423, win 235, options [nop,nop,TS val 9382101 ecr 43141105], length 43
21:09:41.768005 IP (tos 0x0, ttl 63, id 30865, offset 0, flags [DF], proto TCP (6), length 149)
    10.10.10.2.55872 > master.int.domain.de.7389: Flags [P.], cksum 0xc884 (correct), seq 423:520, ack 3629, win 315, options [nop,nop,TS val 43141111 ecr 9382101], length 97
21:09:41.768466 IP (tos 0x0, ttl 64, id 53440, offset 0, flags [DF], proto TCP (6), length 929)
    master.int.domain.de.7389 > 10.10.10.2.55872: Flags [P.], cksum 0x24b4 (incorrect -> 0xac83), seq 3629:4506, ack 520, win 235, options [nop,nop,TS val 9382105 ecr 43141111], length 877
21:09:41.768510 IP (tos 0x0, ttl 64, id 53441, offset 0, flags [DF], proto TCP (6), length 95)
    master.int.domain.de.7389 > 10.10.10.2.55872: Flags [P.], cksum 0x2172 (incorrect -> 0x2af8), seq 4506:4549, ack 520, win 235, options [nop,nop,TS val 9382106 ecr 43141111], length 43
21:09:41.788709 IP (tos 0x0, ttl 63, id 30866, offset 0, flags [DF], proto TCP (6), length 52)
    10.10.10.2.55872 > master.int.domain.de.7389: Flags [.], cksum 0x77cc (correct), ack 4549, win 336, options [nop,nop,TS val 43141116 ecr 9382105], length 0
21:09:41.788901 IP (tos 0x0, ttl 63, id 30867, offset 0, flags [DF], proto TCP (6), length 88)
    10.10.10.2.55872 > master.int.domain.de.7389: Flags [P.], cksum 0x7719 (correct), seq 520:556, ack 4549, win 336, options [nop,nop,TS val 43141116 ecr 9382105], length 36
21:09:41.788917 IP (tos 0x0, ttl 63, id 30868, offset 0, flags [DF], proto TCP (6), length 83)
    10.10.10.2.55872 > master.int.domain.de.7389: Flags [P.], cksum 0xe25b (correct), seq 556:587, ack 4549, win 336, options [nop,nop,TS val 43141116 ecr 9382105], length 31
21:09:41.788977 IP (tos 0x0, ttl 64, id 53442, offset 0, flags [DF], proto TCP (6), length 52)
    master.int.domain.de.7389 > 10.10.10.2.55872: Flags [.], cksum 0x2147 (incorrect -> 0x77e8), ack 587, win 235, options [nop,nop,TS val 9382111 ecr 43141116], length 0
21:09:41.789036 IP (tos 0x0, ttl 64, id 53443, offset 0, flags [DF], proto TCP (6), length 83)
    master.int.domain.de.7389 > 10.10.10.2.55872: Flags [P.], cksum 0x2166 (incorrect -> 0x0b35), seq 4549:4580, ack 587, win 235, options [nop,nop,TS val 9382111 ecr 43141116], length 31
21:09:41.789055 IP (tos 0x0, ttl 64, id 53444, offset 0, flags [DF], proto TCP (6), length 52)
    master.int.domain.de.7389 > 10.10.10.2.55872: Flags [F.], cksum 0x2147 (incorrect -> 0x77c8), seq 4580, ack 587, win 235, options [nop,nop,TS val 9382111 ecr 43141116], length 0
21:09:41.789120 IP (tos 0x0, ttl 63, id 30869, offset 0, flags [DF], proto TCP (6), length 52)
    10.10.10.2.55872 > master.int.domain.de.7389: Flags [F.], cksum 0x7788 (correct), seq 587, ack 4549, win 336, options [nop,nop,TS val 43141116 ecr 9382105], length 0
21:09:41.789131 IP (tos 0x0, ttl 64, id 53445, offset 0, flags [DF], proto TCP (6), length 52)
    master.int.domain.de.7389 > 10.10.10.2.55872: Flags [.], cksum 0x2147 (incorrect -> 0x77c7), ack 588, win 235, options [nop,nop,TS val 9382111 ecr 43141116], length 0
21:09:41.808292 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    10.10.10.2.55872 > master.int.domain.de.7389: Flags [R], cksum 0x35bb (correct), seq 3914102938, win 0, length 0
21:09:41.808313 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    10.10.10.2.55872 > master.int.domain.de.7389: Flags [R], cksum 0x35bb (correct), seq 3914102938, win 0, length 0
21:09:41.819398 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    10.10.10.2.55872 > master.int.domain.de.7389: Flags [R], cksum 0x35ba (correct), seq 3914102939, win 0, length 0
21:09:50.806630 IP (tos 0x0, ttl 63, id 16427, offset 0, flags [DF], proto UDP (17), length 279)
    10.10.10.2.39462 > master.int.domain.de.kerberos:  v5
21:09:50.816370 IP (tos 0x0, ttl 64, id 35668, offset 0, flags [DF], proto UDP (17), length 1427)
    master.int.domain.de.kerberos > 10.10.10.2.39462:  v5
21:10:01.988005 IP (tos 0x0, ttl 63, id 18549, offset 0, flags [DF], proto UDP (17), length 279)
    10.10.10.2.39462 > master.int.domain.de.kerberos:  v5
21:10:02.018186 IP (tos 0x0, ttl 64, id 35934, offset 0, flags [DF], proto UDP (17), length 1427)
    master.int.domain.de.kerberos > 10.10.10.2.39462:  v5
21:10:02.690759 IP (tos 0x0, ttl 62, id 10388, offset 0, flags [DF], proto UDP (17), length 74)
    10.10.10.2.54659 > master.int.domain.de.domain: 45692+ A? slave.int.domain.de. (46)
21:10:02.690816 IP (tos 0x0, ttl 62, id 10389, offset 0, flags [DF], proto UDP (17), length 74)
    10.10.10.2.54659 > master.int.domain.de.domain: 39560+ AAAA? slave.int.domain.de. (46)
21:10:02.692893 IP (tos 0x0, ttl 64, id 36049, offset 0, flags [none], proto UDP (17), length 216)
    master.int.domain.de.domain > 10.10.10.2.54659: 45692* 1/4/3 slave.int.domain.de. A 10.10.20.1 (188)
21:10:02.693643 IP (tos 0x0, ttl 64, id 36050, offset 0, flags [none], proto UDP (17), length 122)
    master.int.domain.de.domain > 10.10.10.2.54659: 39560* 0/1/0 (94)
^C
60 packets captured
61 packets received by filter
0 packets dropped by kernel

10.10.10.2 = ip vpn-endpoint slave. The other end is on a firewall in front of master and backup.
10.10.20.1= local-ip slave

There is a little time gap between the last entry of the dump and the error message on the slave - perhaps one second.

Can anyone read this?
There seams to be question to LDAP initiated - which would make sens. But why is the response not received by the slave (so that he ‘thinks’ he can’t reach the passwordserver)?

Best,
Bernd

lebernd · March 27, 2020, 2:58pm

Well, it is not really solved but:

The app and kpasswd is working on the other vserver - nearly the same setup / as far as I can see.

So even if the server problem isn’t fixed the self-service problem is