Bug 45985 - Kerberos_ddns_update does not work properly in school environments
Status: RESOLVED DUPLICATE of bug 45584
Product: UCS
Classification: Unclassified
Component: UMC - System diagnostic
UCS 4.2
Other Linux
P5 normal
Assigned To: UMC maintainers
UMC maintainers
Depends on:
Blocks:
Reported: 2018-01-08 12:28 CET by Christina Scheinig
Modified: 2018-03-15 14:49 CET
What kind of report is it?: Bug Report
What type of bug is this?: 3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?: 4: Will affect most installed domains
How will those affected feel about the bug?: 2: A Pain – users won't like this once they notice it
User Pain: 0.137
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2017121921000103 2018020721000367
Bug group (optional):
Max CVSS v3 score:


Description Christina Scheinig univentionstaff 2018-01-08 12:28:05 CET
On a schoolslave the kerberos_ddns_update fails with:
Kritisch: Überprüfe Kerberos authentifizierte DNS Updtaes
Fehler traten auf bei der Ausführung von 'kinit' oder 'nsupdate'.
`nsupdate` Prüfung für die Domäne <Domainname> ist fehlgeschlagen.

But kinit and nsupdate are fine.

For the check, the UCR value ldap/master is used instead of ldap/server/name, which causes the problem.


# IP: 10.200.16.20
root@ucs-gs:~# kinit --keytab="/var/lib/samba/private/dns.keytab" dns-$(hostname) || echo $?
root@ucs-gs:~# echo -ne "server $(ucr get ldap/master)\nprereq yxdomain $(hostname -f)\nsend\n" | nsupdate -d -g -t15
Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id:  41701
;; flags: qr aa ra; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;ucs-gs.school.support.        IN    SOA

;; AUTHORITY SECTION:
school.support.        3600    IN    SOA    ucs-master.school.support. root.school.support. 56 28800 7200 604800 3600

Found zone name: school.support
The master is: ucs-master.school.support
start_gssrequest
Found realm from ticket: SCHOOL.SUPPORT
tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = KDC has no support for encryption type.
Comment 1 Tobias Birkefeld univentionstaff 2018-03-15 14:42:07 CET
Customer affected: Ticket#2018030921000209
Comment 2 Tobias Birkefeld univentionstaff 2018-03-15 14:49:46 CET

*** This bug has been marked as a duplicate of bug 45584 ***