Bug 45904 - Critical: Check Kerberos authenticated DNS updates
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC - System diagnostic
UCS 4.2
Other Linux
Importance: P5 normal
Target Milestone: UCS 4.3-0-errata
Assigned To: Arvid Requate
QA Contact: Felix Botner
Depends on:
Blocks:
Reported: 2017-12-19 21:39 CET by Ingo Sieverdingbeck
Modified: 2018-03-28 13:28 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 1: Nuisance – not a big deal but noticeable
User Pain: 0.034
Enterprise Customer affected?: Yes
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2017121921000103, 2018012221000269
Bug group (optional):
Max CVSS v3 score:


Attachments
patch draft (2.23 KB, patch)
2018-02-05 19:48 CET, Arvid Requate

Description Ingo Sieverdingbeck univentionstaff 2017-12-19 21:39:25 CET
In a domain with samba4 installed, slaves without samba4 installed fail during the system diagnostic 'Check Kerberos authenticated DNS updates' with the following message:

> Errors occured while running `kinit` or `nsupdate`. `kinit` for principal
> slave01$ with password file /etc/machine.secret failed.

Besides this error message, I didn't notice any misbehaviour of the affected server, so I assume it is an issue in the check.
Comment 1 Moritz Bunkus 2018-01-10 09:23:22 CET
This seems to me like a false positive, or rather, the check should only be run on machines where `univention-samba4` is installed. Here's why.

Kerberos-authenticated DNS updates are done by authenticating to the domain's Kerberos KDC (key distribution center) with the machine's Kerberos account. The corresponding code is in `/usr/share/pyshared/univention/management/console/modules/diagnostic/plugins/46_kerberos_ddns_update.py`, function `check_nsupdate` which calls `check_dns_machine_principal` with the hostname of the machine the check is running on.

This is roughly the same as the following call on the command line:

kinit --password-file=/etc/machine.secret $(hostname)\$

That kinit call actually gives us good diagnostics, e.g.:

[0 root@slave ~] kinit --password-file=/etc/machine.secret $(hostname)\$
kinit: krb5_get_init_creds: Client (slave$@MBU-TEST.INTRANET) unknown

This means that there's no Kerberos principal for the host.

After digging some more into how and when those principals for the machines are created, I'm convinced this happens in the join script for the `univention-samba4` package, `/usr/lib/univention-install/96univention-samba4.inst`. However, if that package has never been installed, no Kerberos principal will be created.

The diagnostics script does a second check, too, with the principal "dns-$hostname". That principal is created by a join script, too, `/usr/lib/univention-install/98univention-samba4-dns.inst`. This script is part of the `univention-samba4` package, too.

The following forum threads share the same problem: the test fails, and they don't have `univention-samba4` installed:

https://help.univention.com/t/kerberos-authentifizierte-dns-updates-kritisch/7604/
https://help.univention.com/t/kinit-fuer-den-principal-ucs4-mit-der-password-datei-etc-machine-secret-ist-fehlgeschlagen/7598/

In short, the check should only be run if the `univention-samba4` package is installed, too.
Comment 2 Arvid Requate univentionstaff 2018-02-05 19:48:04 CET
Created attachment 9377 [details]
patch draft
Comment 3 Arvid Requate univentionstaff 2018-03-20 14:45:28 CET
Now the check is only run on systems with service samba or samba4:

2c2c57fdc4 | Run nsupdate check only on Samba/Samba4 systems
ffaf06672d | Advisory


The second check probably was not the problem, because there we already checked that it's only run on systems with samba4/role==DC
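Added example, not the diagnostic plugin's own code: the decision the fixed check now makes, i.e. skip hosts that do not provide the samba or samba4 service, and when kinit does run, tell a missing machine principal (the "Client (...) unknown" output quoted in comment 1) apart from other failures. The plain service names "samba"/"samba4" and the "Preauthentication failed" wording for a wrong secret are assumptions.

```python
import re
import subprocess
from typing import Callable, Iterable, Optional

# Failure text kinit printed in the bug report when the host has no principal.
_UNKNOWN_CLIENT = re.compile(r"krb5_get_init_creds: Client \([^)]+\) unknown")

# Constructed sample of that kinit output, copied from the report.
SAMPLE_KINIT_STDERR = "kinit: krb5_get_init_creds: Client (slave$@MBU-TEST.INTRANET) unknown\n"


def should_run_nsupdate_check(services: Iterable[str]) -> bool:
    """Gate the check on the samba/samba4 service: only those hosts run the
    96univention-samba4 join script that creates the machine principal.
    Service names are assumed to be plain 'samba' / 'samba4' strings."""
    normalised = {s.lower().replace(" ", "") for s in services}
    return bool(normalised & {"samba", "samba4"})


def classify_kinit_failure(stderr: str) -> str:
    """Map kinit's stderr to a coarse cause so the diagnostic can tell
    'no principal exists' apart from a wrong machine secret."""
    if _UNKNOWN_CLIENT.search(stderr):
        return "no-principal"
    if "Preauthentication failed" in stderr:  # assumed wording for a bad secret
        return "bad-secret"
    return "other"


def run_kinit(principal: str, password_file: str = "/etc/machine.secret") -> Optional[str]:
    """Run the same kinit call as the plugin; None on success, else stderr."""
    proc = subprocess.run(
        ["kinit", f"--password-file={password_file}", principal],
        capture_output=True, text=True, check=False)
    return None if proc.returncode == 0 else proc.stderr


def diagnose(hostname: str, services: Iterable[str],
             kinit: Callable[[str], Optional[str]] = run_kinit) -> str:
    """Return the diagnostic verdict for this host. `kinit` is injectable
    so the decision logic can be exercised without a KDC."""
    if not should_run_nsupdate_check(services):
        return "skipped"
    stderr = kinit(f"{hostname}$")
    if stderr is None:
        return "ok"
    return f"critical:{classify_kinit_failure(stderr)}"
```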
Comment 4 Felix Botner univentionstaff 2018-03-21 12:19:35 CET
OK - not checked on servers without samba4 or dns
OK - yaml
Comment 5 Arvid Requate univentionstaff 2018-03-28 13:28:31 CEST
<http://errata.software-univention.de/ucs/4.3/6.html>