Bug 45584 - nsupdate-check fails on UCS@school slaves
Product: UCS
Classification: Unclassified
Component: UMC - System diagnostic
Version: UCS 4.2
Hardware: Other other
Importance: P5 normal
Target Milestone: UCS 4.3-0-errata
Assigned To: Arvid Requate
QA Contact: Felix Botner
Duplicates: 45418 45985
Depends on: 44902
Blocks: 47216
Reported: 2017-10-24 12:15 CEST by Michael Grandjean
Modified: 2018-06-20 11:51 CEST
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.103
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2017102321000555, 2018031521000171
Bug group (optional):
Max CVSS v3 score:


Comment 1 Michael Grandjean univentionstaff 2017-10-24 12:46:19 CEST
The original description contains customer data, so I set that one private. Here is the anonymized version:

One of the plugins for the system diagnostics module also checks for DDNS updates (46_kerberos_ddns_update.py). Unfortunately this fails on UCS@school slaves with "'nsupdate' Prüfung für die Domänne (sic!) school.example.org ist fehlgeschlagen".

This is a manual test on the shell, but should be the same as in the plugin:

root@edu01:~# eval "$(ucr shell)"
root@edu01:~# kinit --password-file=/etc/machine.secret "${hostname^^}$"
root@edu01:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: EDU01$@SCHOOL.EXAMPLE.ORG

  Issued                Expires               Principal
Oct 24 11:11:48 2017  Oct 24 21:11:48 2017  krbtgt/SCHOOL.EXAMPLE.ORG@SCHOOL.EXAMPLE.ORG
root@mz01:~# nsupdate -g <<%EOF
> server $ldap_master
> prereq yxdomain $hostname.$domainname
> send
> %EOF
tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = KDC has no support for encryption type.

Not sure about the error message regarding the encryption type, but testing against "$ldap_master" seems too naive to me:

1. The UCS Master might as well not be a Samba AD DC at all
2. On a UCS@school Slave, this test should be done against the UCS@school Slave itself, imho
Comment 2 Arvid Requate univentionstaff 2017-10-24 12:48:22 CEST
*** Bug 45418 has been marked as a duplicate of this bug. ***
Comment 3 Tobias Birkefeld univentionstaff 2018-03-15 14:49:46 CET
*** Bug 45985 has been marked as a duplicate of this bug. ***
Comment 4 Tobias Birkefeld univentionstaff 2018-03-15 14:50:08 CET
Customer affected: Ticket#2018030921000209
Comment 6 Tobias Birkefeld univentionstaff 2018-03-16 21:04:04 CET
fixed in comment 034056f980e46f719d6083fb1f2ab6ec78eaf28e
Comment 7 Arvid Requate univentionstaff 2018-03-19 17:43:09 CET
> fixed in comment 034056f980e46f719d6083fb1f2ab6ec78eaf28e

doesn't work, see comment in git. I've now used the S4-Connector detection code get_available_s4connector_dc from /usr/share/univention-samba4/lib/base.sh .

9b87b9f41b | Run nsupdate checks against the S4-Connector host
391def5a95 | Advisory
Comment 8 Arvid Requate univentionstaff 2018-03-20 11:20:03 CET
2125bb8be6 | Update translation
f4dcd028ba | Advisory

I think a ucs-test case would be good too for this to see if it works in all CI scenarios.
Comment 9 Arvid Requate univentionstaff 2018-03-20 20:17:33 CET
6d31b3d0d5 | Run nsupdate check against local server if it has Samba/AD DNS
42d3a8ec07 | Run nsupdate check only on Samba 4 DCs and ad/member servers

We already have 00_checks/81_diagnostic_checks.py in ucs-test, it just skips three checks frequently failing in cloud CI.
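
The target selection named by the commit subjects in comments 7 and 9, sketched as an added example that is not the plugin's or Univention's own code. The function names, the yes/no arguments and the host master.school.example.org are assumptions made for illustration; on a real system the fallback host would come from get_available_s4connector_dc.

```shell
#!/bin/sh
# Added illustration, not the 46_kerberos_ddns_update.py plugin.
# All inputs are passed as arguments (hypothetical interface) so the
# selection logic can be exercised without UCR, Samba or a KDC.

# pick_nsupdate_server ELIGIBLE LOCAL_FQDN LOCAL_HAS_AD_DNS FALLBACK_DC
#   ELIGIBLE          yes if the host is a Samba 4 DC or an AD member
#   LOCAL_HAS_AD_DNS  yes if this host itself serves Samba/AD DNS
#   FALLBACK_DC       host found by the S4-Connector detection
# Prints the server to test against; returns 1 if the check is skipped.
pick_nsupdate_server() {
    eligible=$1; local_fqdn=$2; has_ad_dns=$3; fallback_dc=$4
    # No Samba/AD DNS involved at all: a GSS-TSIG probe would only fail.
    [ "$eligible" = yes ] || return 1
    if [ "$has_ad_dns" = yes ]; then
        # e.g. a UCS@school slave checks itself, not $ldap_master
        printf '%s\n' "$local_fqdn"
    elif [ -n "$fallback_dc" ]; then
        printf '%s\n' "$fallback_dc"
    else
        return 1
    fi
}

# nsupdate_probe SERVER FQDN
# Emits the same three commands as the manual test in comment 1.
# "prereq yxdomain" only asserts that the name exists; nothing is changed.
nsupdate_probe() {
    printf 'server %s\nprereq yxdomain %s\nsend\n' "$1" "$2"
}

# run_ddns_check ELIGIBLE LOCAL_FQDN LOCAL_HAS_AD_DNS FALLBACK_DC
# Needs a valid machine ticket first (kinit as in comment 1).
run_ddns_check() {
    server=$(pick_nsupdate_server "$@") || { echo "nsupdate check skipped"; return 0; }
    nsupdate_probe "$server" "$2" | nsupdate -g
}
```

Only run_ddns_check touches the network; the other two functions can be called on any machine to see which server would be probed.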
Comment 10 Felix Botner univentionstaff 2018-03-21 12:15:28 CET
OK - nsupdate in school
Comment 11 Arvid Requate univentionstaff 2018-03-28 13:28:29 CEST