Univention Bugzilla – Bug 45985
Kerberos_ddns_update does not work properly in school environments
Last modified: 2018-03-15 14:49:46 CET
On a schoolslave the kerberos_ddns_update fails with: Kritisch: Überprüfe Kerberos authentifizierte DNS Updtaes Fehler traten auf bei der Ausführung von 'kinit' oder 'nsupdate'. `nsupdate` Prüfung für die Domäne <Domainname> ist fehlgeschlagen. But kinit and nsupdate is fine. For the check the ucr value ldap/master is used instead of ldap/server/name which causes the problem # IP: 10.200.16.20 root@ucs-gs:~# kinit --keytab="/var/lib/samba/private/dns.keytab" dns-$(hostname) || echo $? root@ucs-gs:~# echo -ne "server $(ucr get ldap/master)\nprereq yxdomain $(hostname -f)\nsend\n" | nsupdate -d -g -t15 Reply from SOA query: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41701 ;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;ucs-gs.school.support. IN SOA ;; AUTHORITY SECTION: school.support. 3600 IN SOA ucs-master.school.support. root.school.support. 56 28800 7200 604800 3600 Found zone name: school.support The master is: ucs-master.school.support start_gssrequest Found realm from ticket: SCHOOL.SUPPORT tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = KDC has no support for encryption type.
Customer affected: Ticket#2018030921000209
*** This bug has been marked as a duplicate of bug 45584 ***