Univention Bugzilla – Bug 47216
[4.2] nsupdate-check fails on UCS@school slaves
Last modified: 2020-07-03 20:54:07 CEST
This should imho be backported to UCS 4.2 +++ This bug was initially created as a clone of Bug #45584 +++ One of the plugins for the system diagnostics module also checks for DDNS updates (46_kerberos_ddns_update.py). Unfortunately this fails on UCS@school slaves with "'nsupdate' Prüfung für die Domänne (sic!) school.example.org ist fehlgeschlagen". This is a manual test on the shell, but should be the same as in the plugin: root@edu01:~# eval "$(ucr shell)" root@edu01:~# kinit --password-file=/etc/machine.secret "${hostname^^}$" root@edu01:~# klist Credentials cache: FILE:/tmp/krb5cc_0 Principal: EDU01$@SCHOOL.EXAMPLE.ORG Issued Expires Principal Oct 24 11:11:48 2017 Oct 24 21:11:48 2017 krbtgt/SCHOOL.EXAMPLE.ORG@SCHOOL.EXAMPLE.ORG root@mz01:~# nsupdate -g <<%EOF > server $ldap_master > prereq yxdomain $hostname.$domainname > send > %EOF tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = KDC has no support for encryption type. Not sure about the error message regarding the encryption type, but testing against "$ldap_master" seems to naive to me: 1. The UCS Master might as well not be a Samba AD DC at all 2. On a UCS@school Slave, this test should be done against the UCS@school Slave itself, imho
This issue has been filed against UCS 4.2. UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.