Bug 48227 - AD-Connector sync broken permanently in AD-Member mode if system time changes
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: AD Connector
Version: UCS 4.3
Platform: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.3-2-errata
Assigned To: Arvid Requate
QA Contact: Felix Botner
Reported: 2018-11-27 19:29 CET by Arvid Requate
Modified: 2018-12-05 14:39 CET (History)
What kind of report is it?: Development Internal

Description Arvid Requate univentionstaff 2018-11-27 19:29:41 CET
When running in ad/member mode a time skew between MS AD-DC and UCS member can break the AD-Connector replication. I've seen this three times in the bug squashing party today, twice in my test setup and once in the test setup of a colleague.

root@member55:~# /etc/init.d/univention-ad-connector start
[ ok ] Starting univention-ad-connector (via systemctl): univention-ad-connector.service.
root@member55:~# cat /var/log/univention/connector-status.log
=====================================================================
Tue Nov 27 14:48:56 2018
Tue Nov 27 14:48:56 2018
 --- connect failed, failure was: ---
Traceback (most recent call last):
  File "/usr/share/pyshared/univention/connector/ad/main.py", line 303, in main
    connect()
  File "/usr/share/pyshared/univention/connector/ad/main.py", line 191, in connect
    baseConfig['%s/ad/listener/dir' % CONFIGBASENAME]
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 837, in __init__
    self.open_ad()
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 1034, in open_ad
    self.get_kerberos_ticket()
  File "/usr/lib/pymodules/python2.7/univention/connector/ad/__init__.py", line 1012, in get_kerberos_ticket
    raise kerberosAuthenticationFailed('The following command failed: "%s"' % string.join(cmd_block))
kerberosAuthenticationFailed: The following command failed: "kinit --no-addresses --password-file=/etc/machine.secret member55$"

 ---     retry in 30 seconds      ---
=====================================================================

After adding some debug code, the error shows as:
=====================================================================
kerberosAuthenticationFailed: The following command failed: "kinit --no-addresses --password-file=/etc/machine.secret member55$" (1): kinit: krb5_get_init_creds: Clock skew too great
=====================================================================

The really irritating thing about this situation is this:
=====================================================================
root@member55:~# kinit --no-addresses \
                 --password-file=/etc/machine.secret member55$ \
                 && echo ok || echo fail
ok
=====================================================================

But the AD-Connector uses a different KRB5 Credential Cache, and that seems to block progress here:
=====================================================================
root@member55:~# KRB5CCNAME=/var/cache/univention-ad-connector/krb5.cc \
                 kinit --no-addresses \
                 --password-file=/etc/machine.secret member55$ \
                 && echo ok || echo fail
kinit: krb5_get_init_creds: Clock skew too great
fail
=====================================================================

I think we need to kdestroy the credentials cache here before running kinit.
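Added example (not part of the report and not the connector's own code): a shell helper that does what the last sentence suggests, running kdestroy on the connector's private cache before kinit, and that classifies kinit's stderr so "Clock skew too great" is reported distinctly. The cache and secret-file paths are the ones shown above; the principal is passed in by the caller, and the "Preauthentication failed" pattern for a wrong password is an assumption, not taken from the report.

```shell
#!/bin/sh
# Constructed example. Refresh the AD-Connector's machine ticket in its own
# credential cache: destroy the (possibly stale, skewed) cache first, then kinit.

CONNECTOR_CC="${CONNECTOR_CC:-/var/cache/univention-ad-connector/krb5.cc}"  # path from the report
SECRET_FILE="${SECRET_FILE:-/etc/machine.secret}"                           # path from the report

# classify_kinit_error STDERR_TEXT: map kinit's error output to a reason code.
# "Clock skew too great" is the exact message seen in the report; the
# "Preauthentication failed" pattern is assumed for a wrong machine password.
classify_kinit_error() {
    case "$1" in
        "")                              echo ok ;;
        *"Clock skew too great"*)        echo clock_skew ;;
        *"Preauthentication failed"*)    echo bad_credentials ;;
        *)                               echo other ;;
    esac
}

# refresh_ticket PRINCIPAL: kdestroy the connector cache, then obtain a fresh
# ticket into it. Prints the reason code and returns 0 only when kinit succeeded.
refresh_ticket() {
    principal="$1"
    # kdestroy exits non-zero when the cache does not exist yet; that is fine.
    KRB5CCNAME="$CONNECTOR_CC" kdestroy >/dev/null 2>&1 || true

    status=0
    # Keep only stderr; this works under "set -e" because of the "|| status=$?".
    err=$(KRB5CCNAME="$CONNECTOR_CC" kinit --no-addresses \
              --password-file="$SECRET_FILE" "$principal" 2>&1 >/dev/null) || status=$?

    if [ "$status" -eq 0 ]; then
        reason=ok
    else
        # A failure with empty stderr must not be mistaken for success.
        reason=$(classify_kinit_error "${err:-kinit failed without output}")
    fi
    echo "$reason"
    [ "$reason" = ok ]
}

# Usage: ./refresh_ticket.sh 'member55$'   (the host principal from the report)
if [ "$#" -gt 0 ]; then
    refresh_ticket "$1"
fi
```

A clock_skew result points at the time difference between the member and the AD DC rather than at the machine password, which is the distinction the stack trace above hides.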
Comment 1 Arvid Requate univentionstaff 2018-11-27 19:38:26 CET
d9bd069c5e | Fix keberos authentication error in case of time skew
841646af44 | Advisory
Comment 2 Felix Botner univentionstaff 2018-11-28 15:19:11 CET
OK - univention-ad-connector
OK - univention-ad-connector.yaml
Comment 3 Arvid Requate univentionstaff 2018-12-05 14:39:28 CET
<http://errata.software-univention.de/ucs/4.3/354.html>