Univention Bugzilla – Bug 36748
Last modified: 2017-09-20 15:03:39 CEST
We should add a test for kerberos/kdc and kerberos/kpasswdserver (default to 127.0.0.1 in S4 setups).
If they can't be reached, check if "this" is a Samba 4 DC and samba/interfaces/bindonly is true. If that's the case and samba/interfaces does not contain "lo" or "127.0.0.1" or "0.0.0.0", ask the user to add "lo" as samba/interface or change kerberos/kdc and kerberos/kpasswdserver.
Created attachment 8887
This checks for the reachability of KDCs by sending an AS-REQ over TCP and UDP.
The AS-REQ is sent with the fake user `kdc-reachability-check`. The KDCs will
respond in several ways: either with a KRB-ERROR (PREAUTH_REQUIRED,
PRINCIPAL_UNKNOWN or RESPONSE_TO_BIG) or an AS-REP with an anonymous ticket.
If we do not receive one of the above, the connection is not accepted, the
socket is closed or an operation times out, we can assume that the KDC is not
This check will test the KDCs as specified in UCR `kerberos/kdc` with TCP and
UDP on port 88. If `kerberos/defaults/dns_lookup_kdc` is set, KDC discovery as
specified in section `7.2.3. KDC Discovery on IP Networks`  will be used. In
this case the ports as specified in the SRV records are used.
This implements a minimal number of packages as defined in  and does not rely
on python-kerberos or python-krb5, as those are too high level and outdated.
Reachability checks of kpasswd servers are not implemented, as those are a
separate protocol. See .
Committed in r81611 - r81613 (advisory r81649).
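As an added illustration of the reply handling described in the attachment comment above (this is not code from the attachment or from the UCS diagnostic module), the following Python classifies a raw KDC reply the way that check does: an AS-REP, or a KRB-ERROR carrying one of the three expected error codes, proves a live KDC; any other tag, error code, or a malformed, empty or badly framed reply does not. The DER encoder and the sample KRB-ERROR messages are constructed here, and the realm name is a placeholder.

```python
ACCEPTED_ERRORS = {                  # KRB-ERROR codes that still prove a live KDC
    6: 'KDC_ERR_C_PRINCIPAL_UNKNOWN',  # the fake probe user does not exist
    25: 'KDC_ERR_PREAUTH_REQUIRED',    # KDC wants pre-authentication first
    52: 'KRB_ERR_RESPONSE_TOO_BIG',    # UDP reply too large, client should retry over TCP
}
TAG_AS_REP, TAG_KRB_ERROR = 0x6b, 0x7e  # DER tags of [APPLICATION 11] / [APPLICATION 30]

def der(tag, body):
    """Minimal short-form DER TLV encoder, used only to build the constructed samples."""
    assert len(body) < 0x80  # long-form lengths are not needed for the samples here
    return bytes([tag, len(body)]) + body

def tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length
        k = n & 0x7f
        n, pos = int.from_bytes(buf[pos:pos + k], 'big'), pos + k
    if pos + n > len(buf):
        raise ValueError('truncated element')
    return tag, buf[pos:pos + n], pos + n

def classify_reply(data, tcp=False):
    """Return (kdc_reachable, reason) for the raw bytes read from the KDC socket."""
    if tcp:  # over TCP every message is prefixed with a 4-byte big-endian length
        if len(data) < 4 or int.from_bytes(data[:4], 'big') != len(data) - 4:
            return False, 'bad TCP record length'
        data = data[4:]
    try:
        tag, body, _ = tlv(data)
        if tag == TAG_AS_REP:
            return True, 'AS-REP (anonymous ticket)'
        if tag != TAG_KRB_ERROR:
            return False, 'unexpected message tag 0x%02x' % tag
        _, fields, _ = tlv(body)  # KRB-ERROR ::= SEQUENCE of context-tagged fields
        pos = 0
        while pos < len(fields):
            ctx, value, pos = tlv(fields, pos)
            if ctx == 0xa6:  # [6] error-code INTEGER
                code = int.from_bytes(tlv(value)[1], 'big', signed=True)
                return code in ACCEPTED_ERRORS, ACCEPTED_ERRORS.get(code, 'unexpected error code %d' % code)
        return False, 'KRB-ERROR without error-code field'
    except (IndexError, ValueError):
        return False, 'malformed reply'

def sample_krb_error(code, realm=b'EXAMPLE.TEST'):
    """Constructed KRB-ERROR carrying pvno, msg-type, error-code and a placeholder realm."""
    seq = der(0xa0, der(0x02, b'\x05')) + der(0xa1, der(0x02, b'\x1e'))
    seq += der(0xa6, der(0x02, bytes([code]))) + der(0xa9, der(0x1b, realm))
    return der(TAG_KRB_ERROR, der(0x30, seq))
```

In the real check the bytes would come from `socket.recv` on port 88 (or the SRV-record port) with a timeout, and a timeout or refused connection is treated exactly like a malformed reply.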
REOPEN: The check is also executed on a DC Master without Samba4 and causes it to fail.
"KDC Erreichbarkeit - Keine erreichbaren KDCs gefunden."
→ The error messages should be full sentences ("Es wurden ...") and might be more explanatory.
(In reply to Florian Best from comment #3)
> REOPEN: The check is also executed on a DC Master without Samba4 and causes
> it to fail.
> "KDC Erreichbarkeit - Keine erreichbaren KDCs gefunden."
> → The error messages should be full sentences ("Es wurden ...") and might be
> more explanatory.
As far as I understand  there should always be a reachable KDC. Could you provide some more information about your system?
I could include a link to  in the error message, but I think the diagnostic module is just a quick overview and not an in-depth explanation like the manual or SDB.
Okay, then it seems it fails in our Jenkins tests:
(In reply to Florian Best from comment #5)
> Okay, then it seems it fails in our Jenkins tests:
You were right, there was a slight logic error in the diagnostic check. Fixed in r81760.
I've a DC Master and a DC Backup and temporarily stopped samba on the DC backup. Additionally I temporarily stopped bind9 on the master.
The module reports a warning about KDC connectivity with this traceback:
Traceback (most recent call last):
File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/__init__.py", line 263, in execute
result = execute(umc_module, **kwargs)
File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/kdc_service.py", line 291, in run
result_tcp = dns.resolver.query(kerberos_dns_fqdn_tcp, 'SRV')
File "/usr/lib/python2.7/dist-packages/dns/resolver.py", line 981, in query
File "/usr/lib/python2.7/dist-packages/dns/resolver.py", line 901, in query
timeout = self._compute_timeout(start)
File "/usr/lib/python2.7/dist-packages/dns/resolver.py", line 739, in _compute_timeout
(In reply to Arvid Requate from comment #7)
> Traceback (most recent call last):
4.2-1: r82620, YAML: r82626
4.2-2: r82629, YAML: r82635
Ok, nice code! Works.