Bug 47216 – [4.2] nsupdate-check fails on UCS@school slaves

Bug 47216 - [4.2] nsupdate-check fails on UCS@school slaves


Summary:	[4.2] nsupdate-check fails on UCS@school slaves

Status:	RESOLVED WONTFIX

Product:	UCS
Classification:	Unclassified
Component:	UMC - System diagnostic
Version:	UCS 4.2
Hardware:	Other other

Importance:	P5 normal (vote)
Target Milestone:	---
Assigned To:	UMC maintainers
QA Contact:	UMC maintainers

URL:
Keywords:

Depends on:	44902 45584
Blocks:
	Show dependency tree / graph

Reported:	2018-06-20 11:51 CEST by Michael Grandjean
Modified:	2020-07-03 20:54 CEST (History)
CC List:	7 users (show)

See Also:
What kind of report is it?:	Bug Report
What type of bug is this?:	3: Simply Wrong: The implementation doesn't match the docu
Who will be affected by this bug?:	3: Will affect average number of installed domains
How will those affected feel about the bug?:	2: A Pain – users won’t like this once they notice it
User Pain:	0.103
Enterprise Customer affected?:
School Customer affected?:	Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:	2017102321000555, 2018031521000171
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Michael Grandjean

2018-06-20 11:51:01 CEST

This should imho be backported to UCS 4.2

+++ This bug was initially created as a clone of Bug #45584 +++

One of the plugins for the system diagnostics module also checks for DDNS updates (46_kerberos_ddns_update.py). Unfortunately this fails on UCS@school slaves with "'nsupdate' Prüfung für die Domänne (sic!) school.example.org ist fehlgeschlagen".

This is a manual test on the shell, but should be the same as in the plugin:

root@edu01:~# eval "$(ucr shell)"
root@edu01:~# kinit --password-file=/etc/machine.secret "${hostname^^}$"
root@edu01:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: EDU01$@SCHOOL.EXAMPLE.ORG

  Issued                Expires               Principal
Oct 24 11:11:48 2017  Oct 24 21:11:48 2017  krbtgt/SCHOOL.EXAMPLE.ORG@SCHOOL.EXAMPLE.ORG
root@mz01:~# nsupdate -g <<%EOF
> server $ldap_master
> prereq yxdomain $hostname.$domainname
> send
> %EOF
tkey query failed: GSSAPI error: Major = Unspecified GSS failure.  Minor code may provide more information, Minor = KDC has no support for encryption type.

Not sure about the error message regarding the encryption type, but testing against "$ldap_master" seems to naive to me:

1. The UCS Master might as well not be a Samba AD DC at all
2. On a UCS@school Slave, this test should be done against the UCS@school Slave itself, imho

Comment 1 Ingo Steuwer

2020-07-03 20:54:07 CEST

This issue has been filed against UCS 4.2.

UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.