Bug 29291 – Samba4 DCs sollten den lokalen KDC verwenden

Bug 29291 - Samba4 DCs sollten den lokalen KDC verwenden


Summary:	Samba4 DCs sollten den lokalen KDC verwenden

Status:	CLOSED FIXED

Product:	UCS
Classification:	Unclassified
Component:	Samba4
Version:	UCS 3.1
Hardware:	Other Linux

Importance:	P5 enhancement (vote)
Target Milestone:	UCS 3.2
Assigned To:	Arvid Requate
QA Contact:	Felix Botner

URL:
Keywords:	interim-1

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2012-11-19 18:47 CET by Arvid Requate
Modified:	2013-11-19 06:41 CET (History)
CC List:	3 users (show)

See Also:
What kind of report is it?:	---
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Arvid Requate

2012-11-19 18:47:34 CET

In einer Samba4-Umgebung mit Master, Backup und Slave kam es auf dem Master zu Authentifikationsfehlern für den Administrator, weil der Slave keine aktuelle Uhrzeit hatte:

root@master1:~# kinit Administrator
Administrator@ARUCS31I5.QA's Password: 
kinit: krb5_get_init_creds: Clock skew too great


Ggf. ist es besser auf Samba4 DCs den lokalen KDC zu verwenden:

ucr set kerberos/kdc=127.0.0.1 kerberos/defaults/dns_lookup_kdc=no

Comment 1 Arvid Requate

2013-03-21 20:09:02 CET

Vermutlich muss dann auch kerberos/kpasswdserver gesetzt werden, siehe Bug 30839.

Comment 2 Moritz Muehlenhoff

2013-05-31 10:44:47 CEST

We will not ship a UCS 3.1-2 release; the next UCS release will be UCS 3.2.

As such, this bug is moved to the new target milestone.

Comment 3 Arvid Requate

2013-07-25 21:31:36 CEST

The postinst changes kerberos/kdc in case they still show the original values during update. kerberos/defaults/dns_lookup_kdc is not changed, as the manpage states that this DNS lookup is only the fallback if no KDC is specified explicitely.

During join the two variables are unconditionally set to 172.0.0.1. (Maybe better use the fqdn?)

Changelog updated.

Comment 4 Arvid Requate

2013-07-25 21:32:11 CEST

The postinst changes kerberos/kdc and kerberos/kpasswdserver ...

Comment 5 Felix Botner

2013-08-05 17:32:30 CEST

OK - Update
     config-registry.replog:
     2013-08-05 15:43:45: set kerberos/kdc=127.0.0.1 old:[Previously undefined]
     2013-08-05 15:43:45: set kerberos/kpasswdserver=127.0.0.1 old:master.fff.ggg
     -> ucr get kerberos/kdc 
     127.0.0.1
     -> ucr get kerberos/kpasswdserver 
     127.0.0.1

OK - New Installation 

OK - Changelog

Comment 6 Stefan Gohmann

2013-11-19 06:41:44 CET

UCS 3.2 has been released:
 http://docs.univention.de/release-notes-3.2-en.html
 http://docs.univention.de/release-notes-3.2-de.html

If this error occurs again, please use "Clone This Bug".