Univention Bugzilla – Bug 36748
Test kerberos/kdc
Last modified: 2018-06-25 15:30:09 CEST
We should add a test for kerberos/kdc and kerberos/kpasswdserver (defaults to 127.0.0.1 in S4 setups). If they can't be reached, check if "this" is a Samba 4 DC and samba/interfaces/bindonly is true. If that's the case and samba/interfaces does not contain "lo" or "127.0.0.1" or "0.0.0.0", ask the user to add "lo" to samba/interfaces or to change kerberos/kdc and kerberos/kpasswdserver.
Created attachment 8887 [details]
36748-diagnostic-kdc-420.patch

This checks for the reachability of KDCs by sending an AS-REQ over TCP and UDP. The AS-REQ is sent with the fake user `kdc-reachability-check`. The KDCs will respond in one of several ways: either with a KRB-ERROR (PREAUTH_REQUIRED, PRINCIPAL_UNKNOWN or RESPONSE_TOO_BIG) or with an AS-REP with an anonymous ticket. If we do not receive one of the above, the connection is not accepted, the socket is closed or an operation times out, we can assume that the KDC is not reachable.

This check will test the KDCs as specified in UCR `kerberos/kdc` with TCP and UDP on port 88. If `kerberos/defaults/dns_lookup_kdc` is set, KDC discovery as specified in section `7.2.3. KDC Discovery on IP Networks` [1] will be used. In this case the ports as specified in the SRV records are used.

This implements a minimal number of packets as defined in [1] and does not rely on python-kerberos or python-krb5, as those are too high-level and outdated. Reachability checks of kpasswd servers are not implemented, as that is a separate protocol. See [2].

[1]: https://tools.ietf.org/html/rfc4120
[2]: https://tools.ietf.org/html/rfc3244
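The probe described in this comment, as an added example that is not part of the attached patch or of UCS: it hand-encodes the RFC 4120 DER subset in Python 3 (the plugin in this bug is Python 2.7), sends the AS-REQ for the fake user `kdc-reachability-check` over TCP and UDP, and classifies the reply. The realm EXAMPLE.COM used in the usage note, the timestamp inside `build_krb_error` and the set `ALIVE_ERRORS` are assumptions; `build_krb_error` exists only to produce a KDC-side message that the parser can be exercised against offline.

```python
# KDC reachability probe: an added example, not the UCS diagnostic plugin's own code.
# Sends an unauthenticated AS-REQ for a constructed user to port 88 over TCP and UDP and
# classifies the reply; an AS-REP or an accepted KRB-ERROR proves the KDC is reachable, a
# timeout, refused connection or unparsable reply does not.  Needs no python-kerberos.
import os
import socket
import struct
import time

ALIVE_ERRORS = {6, 25, 52}   # C_PRINCIPAL_UNKNOWN, PREAUTH_REQUIRED, RESPONSE_TOO_BIG (RFC 4120 7.5.9)

def der(tag, content):
    """DER TLV with a definite length in short or long form."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def ctx(n, content):          # [n] EXPLICIT context tag, constructed
    return der(0xA0 | n, content)

def integer(v):               # INTEGER for v >= 0; the extra byte keeps the sign bit clear
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def general_string(s):        # KerberosString is a GeneralString (tag 0x1B)
    return der(0x1B, s.encode("ascii"))

def principal(name_type, *parts):   # PrincipalName ::= SEQUENCE { [0] name-type, [1] name-string }
    names = der(0x30, b"".join(general_string(p) for p in parts))
    return der(0x30, ctx(0, integer(name_type)) + ctx(1, names))

def build_as_req(realm, user="kdc-reachability-check", nonce=None, till=None):
    """AS-REQ (RFC 4120 section 5.4.1) with no pre-authentication data."""
    if nonce is None:
        nonce = int.from_bytes(os.urandom(4), "big") & 0x7FFFFFFF
    if till is None:
        till = time.strftime("%Y%m%d%H%M%SZ", time.gmtime(time.time() + 3600))
    body = der(0x30, ctx(0, der(0x03, b"\x00\x00\x00\x00\x00"))      # kdc-options: 32 bits, none set
               + ctx(1, principal(1, user))                             # cname, NT-PRINCIPAL
               + ctx(2, general_string(realm))
               + ctx(3, principal(2, "krbtgt", realm))                  # sname, NT-SRV-INST
               + ctx(5, der(0x18, till.encode("ascii")))                # till, GeneralizedTime
               + ctx(7, integer(nonce))
               + ctx(8, der(0x30, integer(18) + integer(17))))          # etype: aes256-cts, aes128-cts
    return der(0x6A, der(0x30, ctx(1, integer(5)) + ctx(2, integer(10)) + ctx(4, body)))  # [APPLICATION 10]

def build_krb_error(code, realm):
    """KRB-ERROR (section 5.9.1) as a KDC would answer; used to exercise the parser offline."""
    fields = (ctx(0, integer(5)) + ctx(1, integer(30)) + ctx(4, der(0x18, b"20180625133009Z"))
              + ctx(5, integer(0)) + ctx(6, integer(code)) + ctx(9, general_string(realm))
              + ctx(10, principal(2, "krbtgt", realm)))                 # stime above is a constructed value
    return der(0x7E, der(0x30, fields))                                  # [APPLICATION 30]

def read_tlv(data, pos=0):    # (tag, content, next_pos) of the DER element at pos; raises if truncated
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("truncated DER element")
    return tag, data[pos:pos + length], pos + length

def classify_reply(data):     # ('AS-REP', None), ('KRB-ERROR', error-code) or ('UNKNOWN', None)
    try:
        tag, inner, _ = read_tlv(data)
        if tag == 0x6B:                                                  # [APPLICATION 11] AS-REP
            return ("AS-REP", None)
        if tag == 0x7E:                                                  # [APPLICATION 30] KRB-ERROR
            pos, fields = 0, read_tlv(inner)[1]                          # the SEQUENCE inside
            while pos < len(fields):
                ftag, fval, pos = read_tlv(fields, pos)
                if ftag == 0xA6:                                         # [6] error-code
                    return ("KRB-ERROR", int.from_bytes(read_tlv(fval)[1], "big", signed=True))
    except (IndexError, ValueError):
        pass
    return ("UNKNOWN", None)

def probe_kdc(host, port, proto, request, timeout=2.0):
    """True when the KDC answers with an AS-REP or an ALIVE_ERRORS code over "tcp" or "udp"."""
    try:
        if proto == "tcp":
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(struct.pack("!I", len(request)) + request)     # 7.2.2: 4-byte length prefix
                n, buf = struct.unpack("!I", s.recv(4))[0] & 0x7FFFFFFF, b""
                while len(buf) < n:
                    chunk = s.recv(n - len(buf))
                    if not chunk:
                        return False
                    buf += chunk
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(request, (host, port))
                buf, _ = s.recvfrom(65535)
    except (OSError, struct.error):                    # refused, unreachable, timeout, short header
        return False
    kind, code = classify_reply(buf)
    return kind == "AS-REP" or (kind == "KRB-ERROR" and code in ALIVE_ERRORS)
```

Usage, with the UCR default of 127.0.0.1 and an assumed realm: `req = build_as_req("EXAMPLE.COM")` followed by `probe_kdc("127.0.0.1", 88, "tcp", req)` and `probe_kdc("127.0.0.1", 88, "udp", req)`. Strictly, any well-formed KRB-ERROR already proves that a KDC answered on that socket; the example keeps the comment's narrower accepted list in `ALIVE_ERRORS` so that an unexpected code (an etype mismatch, for instance) is surfaced as a failure rather than silently passed, and it never trusts a length field from the wire without checking it against the bytes actually received.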
Committed in r81611 - r81613 (advisory r81649).
REOPEN: The check is also executed on a DC Master without Samba4 and causes it to fail.

"KDC Erreichbarkeit - Keine erreichbaren KDCs gefunden." ("KDC reachability - No reachable KDCs found.")
→ The error messages should be full sentences ("Es wurden ...", "There were ...") and might be more explanatory.
(In reply to Florian Best from comment #3)
> REOPEN: The check is also executed on a DC Master without Samba4 and causes
> it to fail.
>
> "KDC Erreichbarkeit - Keine erreichbaren KDCs gefunden." ("KDC reachability - No reachable KDCs found.")
> → The error messages should be full sentences ("Es wurden ...") and might be
> more explanatory.

As far as I understand [1] there should always be a reachable KDC. Could you provide some more information about your system?

I could include a link to [1] in the error message, but I think the diagnostic module is just a quick overview and not an in-depth explanation like the manual or SDB.

[1]: https://docs.software-univention.de/manual.html#domain:kerberos
Okay, then it seems it fails in our Jenkins tests:
http://jenkins.knut.univention.de:8080/job/UCS-4.2/job/UCS-4.2-1/job/AutotestJoin/52/SambaVersion=s3,Systemrolle=master/testReport/60_umc/106_diagnosic_checks/test/
http://jenkins.knut.univention.de:8080/job/UCS-4.2/job/UCS-4.2-1/job/AutotestJoin/52/SambaVersion=s3,Systemrolle=member/testReport/60_umc/106_diagnosic_checks/test/
(In reply to Florian Best from comment #5)
> Okay, then it seems it fails in our Jenkins tests:

You were right, there was a slight logic error in the diagnostic check. Fixed in r81760.
I have a DC Master and a DC Backup and temporarily stopped samba on the DC Backup. Additionally I temporarily stopped bind9 on the master. The module reports a warning about KDC connectivity with this traceback:

Traceback (most recent call last):
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/__init__.py", line 263, in execute
    result = execute(umc_module, **kwargs)
  File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/kdc_service.py", line 291, in run
    result_tcp = dns.resolver.query(kerberos_dns_fqdn_tcp, 'SRV')
  File "/usr/lib/python2.7/dist-packages/dns/resolver.py", line 981, in query
    raise_on_no_answer, source_port)
  File "/usr/lib/python2.7/dist-packages/dns/resolver.py", line 901, in query
    timeout = self._compute_timeout(start)
  File "/usr/lib/python2.7/dist-packages/dns/resolver.py", line 739, in _compute_timeout
    raise Timeout
Timeout
(In reply to Arvid Requate from comment #7)
> Traceback (most recent call last):
> Timeout

Fixed:
4.2-1: r82620, YAML: r82626
4.2-2: r82629, YAML: r82635
Ok, nice code! Works.
<http://errata.software-univention.de/ucs/4.2/166.html>
Same problem on 4.2-3 errata421 (Lesum)

The following KDCs were unreachable: tcp ucs.xxx.com:88, udp ucs.xxx.com:88
samba/interfaces does not contain lo, 127.0.0.1 or 0.0.0.0.
Answering Comment 11: This bug is closed, please use a more suitable feedback channel, like help.univention.de. To help you we would probably need further information about connectivity to ucs.xxx.com:88. The second message about "samba/interfaces" looks like you have set samba/interfaces in Univention Config Registry and it doesn't include "lo". In that case Samba would not be reachable on the localhost address 127.0.0.1, which may cause problems.