Bug 29291 - Samba4 DCs sollten den lokalen KDC verwenden
Samba4 DCs sollten den lokalen KDC verwenden
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 3.1
Other Linux
: P5 enhancement (vote)
: UCS 3.2
Assigned To: Arvid Requate
Felix Botner
: interim-1
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-11-19 18:47 CET by Arvid Requate
Modified: 2013-11-19 06:41 CET (History)
3 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Arvid Requate univentionstaff 2012-11-19 18:47:34 CET
In einer Samba4-Umgebung mit Master, Backup und Slave kam es auf dem Master zu Authentifikationsfehlern für den Administrator, weil der Slave keine aktuelle Uhrzeit hatte:

root@master1:~# kinit Administrator
Administrator@ARUCS31I5.QA's Password: 
kinit: krb5_get_init_creds: Clock skew too great


Ggf. ist es besser auf Samba4 DCs den lokalen KDC zu verwenden:

ucr set kerberos/kdc=127.0.0.1 kerberos/defaults/dns_lookup_kdc=no
Comment 1 Arvid Requate univentionstaff 2013-03-21 20:09:02 CET
Vermutlich muss dann auch kerberos/kpasswdserver gesetzt werden, siehe Bug 30839.
Comment 2 Moritz Muehlenhoff univentionstaff 2013-05-31 10:44:47 CEST
We will not ship a UCS 3.1-2 release; the next UCS release will be UCS 3.2.

As such, this bug is moved to the new target milestone.
Comment 3 Arvid Requate univentionstaff 2013-07-25 21:31:36 CEST
The postinst changes kerberos/kdc in case they still show the original values during update. kerberos/defaults/dns_lookup_kdc is not changed, as the manpage states that this DNS lookup is only the fallback if no KDC is specified explicitely.

During join the two variables are unconditionally set to 172.0.0.1. (Maybe better use the fqdn?)

Changelog updated.
Comment 4 Arvid Requate univentionstaff 2013-07-25 21:32:11 CEST
The postinst changes kerberos/kdc and kerberos/kpasswdserver ...
Comment 5 Felix Botner univentionstaff 2013-08-05 17:32:30 CEST
OK - Update
     config-registry.replog:
     2013-08-05 15:43:45: set kerberos/kdc=127.0.0.1 old:[Previously undefined]
     2013-08-05 15:43:45: set kerberos/kpasswdserver=127.0.0.1 old:master.fff.ggg
     -> ucr get kerberos/kdc 
     127.0.0.1
     -> ucr get kerberos/kpasswdserver 
     127.0.0.1

OK - New Installation 

OK - Changelog
Comment 6 Stefan Gohmann univentionstaff 2013-11-19 06:41:44 CET
UCS 3.2 has been released:
 http://docs.univention.de/release-notes-3.2-en.html
 http://docs.univention.de/release-notes-3.2-de.html

If this error occurs again, please use "Clone This Bug".