Bug 36748 - Test kerberos/kdc
Test kerberos/kdc
Product: UCS
Classification: Unclassified
Component: UMC - System diagnostic
UCS 4.0
Other Linux
: P5 normal (vote)
: UCS 4.2-2-errata
Assigned To: Lukas Oyen
Arvid Requate
Depends on:
  Show dependency treegraph
Reported: 2014-11-17 13:29 CET by Janis Meybohm
Modified: 2018-06-25 15:30 CEST (History)
5 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
oyen: Patch_Available+

36748-diagnostic-kdc-420.patch (17.03 KB, patch)
2017-05-30 16:55 CEST, Lukas Oyen
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Janis Meybohm univentionstaff 2014-11-17 13:29:15 CET
We should add a test for kerberos/kdc and kerberos/kpasswdserver (default to in S4 setups).

If they can't be reached, check if "this" is a Samba 4 DC and samba/interfaces/bindonly is true. If thats the case and samba/interfaces does not contain "lo" or "" or "", ask the user to add "lo" as samba/interface or change kerberos/kdc and kerberos/kpasswdserver.
Comment 1 Lukas Oyen univentionstaff 2017-05-30 16:55:04 CEST
Created attachment 8887 [details]

This checks for the reachability of KDCs by sending a AS-REQ per TCP and UDP.
The AS-REQ is send with the fake user `kdc-reachability-check`. The KDCs will
respond in several ways: either with an KRB-ERROR (PREAUTH_REQUIRED,
PRINCIPAL_UNKNOWN or RESPONSE_TO_BIG) or a AS-REP with an anonymous ticket.

If we do not receive one of the above, the connection is not accepted, the
socket is closed or an operation times out, we can assume, that the KDCs is not

This check will test the KDCs as specified in UCR `kerberos/kdc` with TCP and
UDP on port 88. If `kerberos/defaults/dns_lookup_kdc` is set, KDC discovery as
specified in section `7.2.3. KDC Discovery on IP Networks` [1] will be used. In
this case the ports as specified in the SRV records are used.

This implements a minimal number of packages as defined in [1] and does not rely
on python-kerberos or python-krb5, as those are too high level and outdated.

Reachability checks of kpasswd servers are not implemented, as those are a
separate protocol. See [2].

[1]: https://tools.ietf.org/html/rfc4120
[2]: https://tools.ietf.org/html/rfc3244
Comment 2 Lukas Oyen univentionstaff 2017-08-01 16:28:09 CEST
Committed in r81611 - r81613 (advisory r81649).
Comment 3 Florian Best univentionstaff 2017-08-02 12:31:06 CEST
REOPEN: The check is also executed on a DC Master without Samba4 and causes it to fail.

"KDC Erreichbarkeit - Keine erreichbaren KDCs gefunden."
→ The error messages should be full sentences ("Es wurden ...") and might be more explanatory.
Comment 4 Lukas Oyen univentionstaff 2017-08-02 15:09:19 CEST
(In reply to Florian Best from comment #3)
> REOPEN: The check is also executed on a DC Master without Samba4 and causes
> it to fail.
> "KDC Erreichbarkeit - Keine erreichbaren KDCs gefunden."
> → The error messages should be full sentences ("Es wurden ...") and might be
> more explanatory.

As far as I understand [1] there should always be a reachable KDC. Could you provide some more information about your system?

I could include a link to [1] in the error message, but I think the diagnostic module is just a quick overview and not an in-depth explanation like the manual or SDB.

[1]: https://docs.software-univention.de/manual.html#domain:kerberos
Comment 6 Lukas Oyen univentionstaff 2017-08-03 14:56:34 CEST
(In reply to Florian Best from comment #5)
> Okay, then it seems it fails in our Jenkins tests:

You were right, there was a slight logic error in the diagnostic check. Fixed in r81760.
Comment 7 Arvid Requate univentionstaff 2017-08-24 20:52:50 CEST
I've a DC Master and a DC Backup and temporarily stopped samba on the DC backup. Additionally I temporarily stopped bind9 on the master.

The module reports a warning about KDC connectivity with this traceback:

Traceback (most recent call last):
 File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/__init__.py", line 263, in execute
  result = execute(umc_module, **kwargs)
 File "/usr/lib/pymodules/python2.7/univention/management/console/modules/diagnostic/plugins/kdc_service.py", line 291, in run
  result_tcp = dns.resolver.query(kerberos_dns_fqdn_tcp, 'SRV')
 File "/usr/lib/python2.7/dist-packages/dns/resolver.py", line 981, in query
  raise_on_no_answer, source_port)
 File "/usr/lib/python2.7/dist-packages/dns/resolver.py", line 901, in query
  timeout = self._compute_timeout(start)
 File "/usr/lib/python2.7/dist-packages/dns/resolver.py", line 739, in _compute_timeout
   raise Timeout
Comment 8 Lukas Oyen univentionstaff 2017-09-04 15:50:51 CEST
(In reply to Arvid Requate from comment #7)
> Traceback (most recent call last):
> Timeout


4.2-1: r82620, YAML: r82626
4.2-2: r82629, YAML: r82635
Comment 9 Arvid Requate univentionstaff 2017-09-07 16:52:08 CEST
Ok, nice code! Works.
Comment 10 Erik Damrose univentionstaff 2017-09-20 15:03:39 CEST
Comment 11 Megachip 2018-06-22 15:34:15 CEST
Same problem on 4.2-3 errata421 (Lesum)

The following KDCs were unreachable: tcp ucs.xxx.com:88, udp ucs.xxx.com:88
samba/interfaces does not contain lo, or
Comment 12 Arvid Requate univentionstaff 2018-06-25 15:30:09 CEST
Answering Comment 11: This bug is closed, please use a more suitable feedback channel, like help.univention.de. To help you we probably need further information about connectivity to ucs.xxx.com:88. The second message about "samba/interfaces" looks like you have set samba/interfaces in Univention Config Registry and it doesn't include "lo". In that case Samba would not be reachable on the localhost address which may cause problems.