When IPv6 is enabled Kerberos is started to fast, causing Nagios login problem

digitec-san · February 22, 2019, 7:26am

Hi,
After a Update with reboot, I noticed that I could not login to Nagios on a Master with UCS Version: 4.3.3-430.

I spend 2h to debug this (modified Apache Config, pam services), then I found out, that the pam_krb5.so was not able to connect to the machine.

Then I tested this with “kinit” -> No login possible,( No Connection to the heimdal service), which was on the same machine. But in the /etc/hosts file and in the DNS there are IPv6 addresses for the local machine.

After I restarted the heimdal-kdc.service, everything works. I guess that the heimdal was not listening on the IPV6 addresses on startup.

I noticed the same for the apache, I have a config file with a fixed IPv6 Address in it and the apache is not able to start, cause the IPv6 address does not exist on startup.
As the Apache failed to start, this error is not so complicated.

The Ipv6 addresses are configured with ucr variables.

interfaces/eth0/ipv6/.../address
interfaces/eth0/ipv6/.../prefix: 64

Moritz_Bunkus · February 22, 2019, 8:58am

Hey,

in general IPv6 isn’t a problem for Kerberos, nor UCS with Kerberos. We’re using it all the time, and it works fine.

However, I can reproduce your issues, and the problem seems to be that Samba isn’t started properly on boot. You can verify this by running lsof -PniTCP:88 -sTCP:LISTEN which should show a couple of samba processes listening on port 88 — but in your case it’ll probably show nothing.

Simply restarting Samba via systemctl restart samba-ad-dc.service should get things going again.

I haven’t had time to debug the boot process as to why Samba fails to start automatically.

digitec-san · February 22, 2019, 1:09pm

Hi Moritz,
in my case there is no samba-ad-dc.service, but a heimdal-kdc.service, as samba is not installed on the master.
Sven