Bug 29291 - Samba4 DCs should use the local KDC
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 3.1
Other Linux
: P5 enhancement (vote)
: UCS 3.2
Assigned To: Arvid Requate
Felix Botner
: interim-1
Reported: 2012-11-19 18:47 CET by Arvid Requate
Modified: 2013-11-19 06:41 CET (History)
Description Arvid Requate univentionstaff 2012-11-19 18:47:34 CET
In a Samba4 environment with a master, backup and slave, authentication errors occurred on the master for the Administrator because the slave's clock was not current:

root@master1:~# kinit Administrator
Administrator@ARUCS31I5.QA's Password: 
kinit: krb5_get_init_creds: Clock skew too great

It may be better to use the local KDC on Samba4 DCs:

ucr set kerberos/kdc= kerberos/defaults/dns_lookup_kdc=no
Comment 1 Arvid Requate univentionstaff 2013-03-21 20:09:02 CET
Presumably kerberos/kpasswdserver must then also be set, see Bug 30839.
Comment 2 Moritz Muehlenhoff univentionstaff 2013-05-31 10:44:47 CEST
We will not ship a UCS 3.1-2 release; the next UCS release will be UCS 3.2.

As such, this bug is moved to the new target milestone.
Comment 3 Arvid Requate univentionstaff 2013-07-25 21:31:36 CEST
The postinst changes kerberos/kdc in case they still show the original values during update. kerberos/defaults/dns_lookup_kdc is not changed, as the manpage states that this DNS lookup is only the fallback if no KDC is specified explicitly.

During join the two variables are unconditionally set to (Maybe better use the fqdn?)

Changelog updated.
Comment 4 Arvid Requate univentionstaff 2013-07-25 21:32:11 CEST
The postinst changes kerberos/kdc and kerberos/kpasswdserver ...
Comment 5 Felix Botner univentionstaff 2013-08-05 17:32:30 CEST
OK - Update
     2013-08-05 15:43:45: set kerberos/kdc= old:[Previously undefined]
     2013-08-05 15:43:45: set kerberos/kpasswdserver= old:master.fff.ggg
     -> ucr get kerberos/kdc
     -> ucr get kerberos/kpasswdserver

OK - New Installation 

OK - Changelog
Comment 6 Stefan Gohmann univentionstaff 2013-11-19 06:41:44 CET
UCS 3.2 has been released:

If this error occurs again, please use "Clone This Bug".
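
Added example, not part of the original bug report or of Univention's code: a small audit that reads a krb5.conf and reports whether the default realm pins `kdc` and `kpasswd_server` to the DC itself, which is the state this bug's fix aims for. The realm, host names and both sample files are constructed, and it is an assumption that the UCR variables kerberos/kdc and kerberos/kpasswdserver end up as the `kdc` and `kpasswd_server` keys of the realm block.

```python
import re

def audit_krb5(text, local_names):
    """Return findings about KDC selection for the default realm of a krb5.conf."""
    section, realm, libdefaults, realms = None, None, {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                                # e.g. [libdefaults], [realms]
            section, realm = header.group(1), None
        elif line == "}":                         # end of a realm block
            realm = None
        else:
            key, _, value = (part.strip() for part in line.partition("="))
            if section == "realms" and value == "{":
                realm = key
                realms[realm] = {}
            elif section == "realms" and realm:
                realms[realm].setdefault(key, []).append(value)
            elif section == "libdefaults":
                libdefaults[key] = value
    conf = realms.get(libdefaults.get("default_realm"), {})
    findings = []
    for key in ("kdc", "kpasswd_server"):
        # Strip an optional :port; IPv6 literals are not handled here.
        hosts = [v.split(":")[0].lower() for v in conf.get(key, [])]
        if not hosts:
            findings.append(f"{key}: not set, another DC may be used")
        elif hosts[0] not in local_names:
            findings.append(f"{key}: first entry {hosts[0]} is not this DC")
    return findings

# Constructed sample: KDC left to lookup, password changes sent to the master.
BEFORE = """[libdefaults]
    default_realm = EXAMPLE.TEST
[realms]
    EXAMPLE.TEST = {
        kpasswd_server = master.example.test
    }
"""
# Constructed sample: both services pinned to this DC (hypothetical FQDN).
AFTER = BEFORE.replace("kpasswd_server = master.example.test",
                       "kdc = dc1.example.test\n        kpasswd_server = dc1.example.test")

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_krb5(text, {"dc1.example.test"}))
```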